Passwords are one of the easiest ways to breach a persons digital security. A lot of websites opt for the recommended NIST system of requiring 8 characters with at least one uppercase, at least one lowercase, at least one number and at least one special character. Using this system, it would mean a password would look something like 'Pas$w0rd'.
This is not secure.
They are often broken through either guessing (social engineering), malware (keylogging), brute force or by using a pre-existing list of known username and passwords.
There are 6.63 quadrillion different possible 8 character passwords and at the Passwords^12 convention in 2012, Jeremi Gosney demonstrated a machine that broke all 6.63 quadrillion passwords in 5.5 hours. That equates to 350 billion password guesses per second. Password cracking has significantly improved since 2012.
Password security can always be broken. Always. It simply all depends on how long and how much effort it would take. For example, most people's router username and password is still admin/password. That would take about 4 seconds to enter with next to no effort.
Password strength is called password entropy and entropy is based on the character set used (uppercase, lowercase, numbers and symbols) as well as length. Password entropy predicts how hard a password is to crack using guesses, brute force methods, dictionary attacks or other methods.
If a password uses numbers (0-9), uppercase (A-Z), lowercase (a-z) and special characters (!"£ etc), there are 95 possible choices for a one character password. If the password is two characters long there are 9025 possible choices and for three characters there are 857375 possible choices (and so on with the equation being expressed as 95^n (with n being the number of characters in the password)).
As a species, humans make terrible choices for passwords. Even if a person chooses a 'random' password, we have a bias towards certain letters and numbers. This is called letter frequency and can easily be seen in the game Scrabble. There are more letter E (12) then Q (1). Nobody wants to get the Q or the Z. In addition, humans are notoriously bad at remembering random strings of letters and numbers, so we either write it down (which is a very bad idea for a password) or we make it easy to remember.
- "Pas$w0rd" is a bad password as it's easy to guess.
- "0il;vSHJ" is a better stronger password however has the same entropy and is hard to remember
Both have the same amount of entropy but it would take less than 6 hours to guess either password with Gosney's machine. As such, neither password is secure.
Securing your Password
Because you can't change the option of accepted characters, you can secure your password through the amount of characters used on your password. This is where the 95^n comes in and that means 95 multiplied by itself however many characters are in your password. That means the password entropy on an (8) eight character password is worked out by;
- 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 (and is written as 95^8)
This equates to 6.63 quadrillion different possible passwords. A more secure password would be at least 20 characters long (95^20) and would equate to 10.24 decillion possible different passwords. For reference:
- 6,630,000,000,000,000 = 6.63 Quadrillion
- 10,240,000,000,000,000,000,000,000,000,000,000 = 10.24 Decillion
Using Gosney's machine on a twenty character password could potentially take up to 9,277,379,140 years to crack a single password...
Using a 20 digit password, it will take over 9 billion years for someone to crack a single password, but a chain is only as strong as the weakest link. Hackers were able to access the Equifax database in 2017 because the username and password to the data base was Admin according to court filings.
Industry practice states to have a different password for every site. However, due to human nature, it is difficult to remember a single twenty character password, let alone a different twenty character for every single site.
Luckily there is software which nullifies this issue: Password Managers.
A password manager is software which stores all the secure passwords in an encrypted database which can only be accessed with the correct password (which should still be twenty characters or more). This may seem like a weak part of the plan having all the secure passwords stored in a single place secured with a single password, however this can be further overcome with the addition of Two-Factor Authentication (2FA). This is where a hardware device is used to authenticate that you are the correct holder of the account and you're authorised access (such as a Yubikey or Mooltipass).
This ensures that all your passwords are secure, encrypted and still easy for you to access. Granted even this isn't 100% secure, but it's as possible to secure.
My little trick for a completely random master password that's easy to remember? Get a dictionary and open it to a random page. Close your eyes and stick your finger on the page and the closest word is chosen. Do this 4 or 5 more times. This can be used as your master password (and should be changed periodicially).