We’ve been given incorrect strong password advice for so long that we almost all fall for it. In reality, numbers and unpronounceable symbols are hacked as fast as words you and I can easily memorise. The secret of strong password advice: just make it LONGER.
Strong password advice
- Make it longer: the more characters, the longer it takes to hack.
- Use a password manager: definitely do NOT write it on a post-it note!
- Different every time: never recycle the same password for different applications.
What’s the strongest type of password?
You would be forgiven for thinking it should have a number, a special symbol, a mix of upper case and lower case characters and ideally be something unpronounceable. We are accustomed to being forced to do this when creating passwords. When we try a word that we might actually be able to remember, we’re told it’s “weak”.
Unfortunately this supposed strong password advice is wrong. You should use a random passphrase instead.
Our strong password advice
Use a random passphrase. Random passphrases provide the best combination of memorability and security.
What is a random passphrase?
This means a random list of four words, with gaps, that do NOT make a meaningful phrase. Here are some examples:
- gibberish jump rainy loss
- earn bridge central profit
- sciences remotely disease eating
- delay chips asset bundle
- centers gradual hasten split
- rarely efforts meat interesting
- billed whose fonts section
Here’s some strong password advice you’ll already have heard that is definitely true: use a different passphrase for every site.
What is the benefit of using a random passphrase?
People are awful at making secure passwords. The more complex we try to make our passwords, the harder they are for us to remember – but unfortunately they are just as easy for computers to crack.
No matter how hard we try, when making passwords, most people end up utilising one of a few predictable patterns. We build them on information that we can recall, such as people, places, dates, or simple English words. A capital letter, some numerals or a symbol are then added to give it some flavour and to satisfy the incorrect strong password advice.
Weak passwords which can be cracked in MILLISECONDS
Is your password one of the types listed here? If your password resembles any of these examples, it is instantly crackable.
- A typical word: january
- A letter pattern that’s easy to type: qwerty or xxxxx
- The family pet: charlie
- An important number, such as a date or phone number: 03261981
- A word with letters replaced by lookalike numbers: 3v3ryth1ng
Even a mix of these patterns, such as [common word]+[number] will be straightforward to crack.
Compare those to a passphrase of four or more randomly chosen words. Such a passphrase takes 6,000,126 centuries to crack. No kidding.
How are passwords cracked?
Our strong password advice makes sense when you know how computers crack passwords.
1 – Hackers begin with wordlists
Starting with the top 10,000 passwords is popular. Top of the list is “password” and you might be shocked how often it still works! Additionally, listings of all names, dates, and English words are available. Thirty percent of all passwords will be broken in less than a second.
2 – They try each word again using common variations
This could mean capitalising the first letter (september → September), changing letters to numbers (february → f3bruary), and others.
3 – The previous wordlists are then combined
For example, they try dates with names (e.g. jack08112001) or dates with common separators and names (e.g. jack.08112001 or jack-08-11-2001).
4 – They try every character combination
This literally means they try a, then b, then c … eventually aa, ab, ac … eventually 3d2b^hi8, 3d2b^hi9, 3d2b^hi0, and so on. This sounds difficult until you realise modern computers can make between 10,000 and 350 BILLION guesses of this type every second.
If your password is based on any pattern whatsoever, some combination of these steps will eventually crack it.
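The arithmetic behind the "milliseconds" versus "centuries" claims above, and behind the "four or more words" advice, as an added example that is not part of the original article: it draws a passphrase with a cryptographic random source and compares the search space of a "[common word]+[number]" password against n random words at the two guess rates the article quotes. The 7,776-word list size is an assumption (the size of a typical published passphrase list); the short word list in the code is constructed only so it runs offline.

```python
import math
import secrets

# Constructed sample list so the block runs offline; a real passphrase list
# is thousands of words long, which is what WORDS_IN_LIST assumes below.
SAMPLE_WORDS = [
    "gibberish", "jump", "rainy", "loss", "earn", "bridge", "central",
    "profit", "sciences", "remotely", "disease", "eating", "delay", "chips",
    "asset", "bundle", "centers", "gradual", "hasten", "split",
]
WORDS_IN_LIST = 7776          # assumption: size of the real list you draw from
TOP_PASSWORDS = 10_000        # the article's step-1 wordlist size
SLOW_RATE = 10_000            # guesses/second, article's low figure
FAST_RATE = 350_000_000_000   # guesses/second, article's high figure


def random_passphrase(words, n=4):
    """Pick n words with secrets.choice (a CSPRNG), never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n))


def entropy_bits(keyspace):
    """Bits of entropy of a uniformly random choice among keyspace values."""
    return math.log2(keyspace)


def avg_seconds_to_crack(keyspace, guesses_per_second):
    """Expected time: on average the attacker hits the secret halfway through."""
    return keyspace / 2 / guesses_per_second


def compare(n_words=4):
    """Keyspace of '[common word]+[4 digits]' versus n random list words."""
    word_plus_number = TOP_PASSWORDS * 10 ** 4     # 10,000 words x 0000..9999
    passphrase = WORDS_IN_LIST ** n_words          # independent uniform picks
    year = 365.25 * 86400
    return {
        "word+number_bits": round(entropy_bits(word_plus_number), 1),
        "passphrase_bits": round(entropy_bits(passphrase), 1),
        "word+number_fast_seconds": avg_seconds_to_crack(word_plus_number, FAST_RATE),
        "passphrase_fast_seconds": avg_seconds_to_crack(passphrase, FAST_RATE),
        "passphrase_slow_years": avg_seconds_to_crack(passphrase, SLOW_RATE) / year,
    }


if __name__ == "__main__":
    print("example passphrase:", random_passphrase(SAMPLE_WORDS))
    for n in (4, 5, 6):
        print(n, "words:", compare(n))
```

With these assumptions the four-word keyspace is about 36 million times larger than the pattern's, and every extra word multiplies it by the list size again, so the time-to-crack figures depend heavily on the guess rate and the length of the list you draw from.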
What else can I do to increase my security?
Use a password manager.
At work, you should use IT Glue. This manages passwords – amongst many other functions – for all users in your organisation and is the best way to safely share passwords between users where appropriate.
For personal use, Firefox, Chrome, Safari and Internet Explorer all have built in password managers. If you want to use your passwords across all devices, you could try:
- 1Password, which works with Windows, Mac, iOS and Android.
- LastPass for iOS and Android; its Chrome plugin works on Windows, Mac and Linux.
- KeePass can be used with Linux, Windows, Mac and Android.
Flywheel IT Services has teams of highly qualified and experienced IT engineers and consultants around the UK.
For over 20 years we have partnered with businesses, schools and major construction companies to provide IT services and to guide and support their IT projects, tech strategies and day-to-day operations.