
What is a strong password?

A password that contains special characters? Yes and no. It's actually the length that matters most. Here is why.

The strength of a password corresponds to the average time a hacker would need to find it.

Some examples:

  • If you use the password “123456”, the hacker will find it immediately because it is the most used password in the world, and therefore the first one he will test.
  • If you use personal information (date of birth, first name of a child, name of the city where you are vacationing), your password will also be very easy to guess because this information can be easily found on the internet.

The different hacking techniques

Theoretical case: brute force attack

Let’s take the theoretical case of a not-so-smart hacker who wants to find the password you use on a site by testing each possible password one by one. Obviously he doesn’t do this manually: he uses a script that can test a very large number of passwords per second.

The number N of passwords of length L that can be formed from a number C of different characters is N=C^L. For example, the number of 5-character passwords containing only lowercase letters (26 letters) is 26^5 = 11,881,376.

On average, the hacker will have to test half of the passwords before finding the right one (once half of them have been tested, it is more likely than not that the password has already been found). The number of tests the hacker will have to do is therefore C^L/2.

The question is how many passwords the hacker can test per second. This depends on several conditions (the computing power of the hacker, how the password is stored), but let’s take for example the case of a hacker using modern computers. Each computer has 8 cores running at 2.6 GHz. It can therefore perform roughly 20 billion tests per second under the best conditions. The most organized hackers will probably have computing power 10,000 times higher. We then obtain the following breaking times:

Time required to extract a password from a hash by brute force

| Number of characters | Digits only (10 chars.) | Lowercase letters (26 chars.) | Lowercase and uppercase letters (52 chars.) | Numbers, lowercase and uppercase letters (62 chars.) | Symbols, numbers, lowercase and uppercase letters (90 chars.) |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | Instantly | Instantly | Instantly | 1 ms |
| 7 | Instantly | Instantly | 3 ms | 9 ms | 120 ms |
| 8 | Instantly | Instantly | 134 ms | 546 ms | 11 s |
| 9 | Instantly | 14 ms | 7 s | 34 s | 16 min |
| 10 | Instantly | 353 ms | 6 min | 35 min | 1 d |
| 11 | Instantly | 9 s | 5.2 h | 1.5 d | 3 months |
| 12 | 3 ms | 4 min | 11.3 d | 3.1 months | 22 years |
| 13 | 25 ms | 1.7 h | 2 years | 16 years | 2,000 years |
| 14 | 250 ms | 1.9 d | 84 years | 983 years | 181,000 years |
| 15 | 3 s | 1.6 months | 4,000 years | 61,000 years | 16 million years |
| 16 | 25 s | 3 years | 227,000 years | 4 million years | 1 billion years |
| 17 | 4 min | 90 years | 12 million years | 234 million years | 132 billion years |

If you start from a password with 9 alphanumeric characters, i.e. without special characters (resistance 33 seconds), it is more effective to add a tenth character (resistance 35 minutes) than to replace a character in the password with a special character (resistance 2 minutes).
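The calculation behind the table and the comparison above, as an added example that is not part of the original article: it takes the article's two assumptions (20 billion tests per second per machine, an organized attacker 10,000 times faster) and the formula C^L/2, and rebuilds the breaking times for any charset size and length.

```python
# Assumptions taken from the article: one machine manages ~20 billion
# tests per second, and an organised attacker has 10,000 times that.
TESTS_PER_SECOND = 20e9 * 10_000  # 2e14 tests per second

# Charset sizes used by the article's table.
CHARSETS = {"digits": 10, "lowercase": 26, "lower+upper": 52,
            "alphanumeric": 62, "alphanumeric+symbols": 90}


def candidate_count(charset_size, length):
    """N = C^L: how many passwords of length L exist over C characters."""
    return charset_size ** length


def expected_seconds(charset_size, length, rate=TESTS_PER_SECOND):
    """On average half the space is searched before a hit: (C^L / 2) / rate."""
    return candidate_count(charset_size, length) / 2 / rate


def human(seconds):
    """Render a duration roughly the way the article's table does."""
    if seconds < 1e-3:
        return "Instantly"
    for name, size in [("years", 365 * 86400), ("months", 30 * 86400),
                       ("d", 86400), ("h", 3600), ("min", 60), ("s", 1), ("ms", 1e-3)]:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} s"


def table(lengths=range(8, 18)):
    """Rebuild the article's table rows (length, one cell per charset)."""
    return [(length, [human(expected_seconds(c, length)) for c in CHARSETS.values()])
            for length in lengths]


if __name__ == "__main__":
    print("5 lowercase letters:", candidate_count(26, 5), "candidates")
    for length, cells in table():
        print(length, *cells, sep=" | ")
    # The article's point: a 10th alphanumeric character buys far more than a symbol does.
    print("9 alphanumeric:", human(expected_seconds(62, 9)))
    print("10 alphanumeric:", human(expected_seconds(62, 10)))
    print("9 characters from the 90-symbol class:", human(expected_seconds(90, 9)))
```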

A good password today must contain at least 12 alphanumeric and special characters. This is also what state agencies, such as ANSSI in France, recommend.

A 16-character password containing alphanumeric characters will be very strong, even if the hacker is a million times stronger than the assumption we made (it would be very, very expensive to have so much computing power...).

Obviously, the less sensitive the resources a password gives access to, the less economic incentive the hacker has to crack it, and the more you can theoretically afford to choose a weaker one.

Real case: dictionary attack

In practice, hackers rarely use brute force because there is a much more effective technique: the dictionary attack. The idea is simple: rather than testing passwords at random, the hacker uses lists of passwords that have already leaked. These lists contain several hundred million passwords actually used by Internet users, sorted by number of occurrences. The hacker will therefore start by testing the most used password in the world, that is to say “123456”. Then he will test “123456789”, then “azerty”, etc. If you’re using one of these passwords, you’re really asking for trouble.

The cybercriminal then tests variations of these passwords, with the classic mechanisms of replacing letters with numbers or symbols. For example, an “a” becomes an “@”, an “o” becomes a “0”, etc. Passwords composed of sequences, such as abcd, 1234, azerty, or built on a root containing the name of the site or personal information, are also tested.

With this technique, even a fairly long and complex password may not be strong enough... The password “P@$$w0rd!” is therefore barely stronger than the password “password”.
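A registration-time check that applies the observations above, as an added example that is not part of the original article: it undoes the letter-for-symbol substitutions, strips trailing digits and symbols, and compares the root against a constructed stand-in for a leaked-password list, so that “P@$$w0rd!” is rejected for the same reason as “password”. The list and the substitution map are assumptions.

```python
import re

# Constructed sample of a leaked-password list, most frequent first
# (a few entries stand in for the hundreds of millions in a real list).
LEAKED = ["123456", "123456789", "azerty", "password", "qwerty", "111111"]

# Reverse the substitutions the article mentions ("a" -> "@", "o" -> "0", ...).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "$": "s",
                      "5": "s", "3": "e", "7": "t"})


def normalize(pw):
    """Reduce a variant to its root: P@$$w0rd! -> password, Azerty2024 -> azerty."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop trailing digits / symbols
    return core.translate(LEET)


def is_sequence(pw):
    """True for runs such as abcd, 1234 or 4321 (keyboard rows come from the list)."""
    codes = [ord(c) for c in pw.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(pw) >= 4 and steps in ({1}, {-1})


def weakness(pw, leaked=LEAKED):
    """Return why a password would fall to a dictionary attack, or None."""
    if pw.lower() in leaked:
        return "in leaked list"
    if normalize(pw) in leaked:
        return "variant of a leaked password"
    if is_sequence(pw):
        return "character sequence"
    if len(pw) < 12:
        return "shorter than 12 characters"
    return None


if __name__ == "__main__":
    for candidate in ["123456", "P@$$w0rd!", "Azerty2024", "abcd", "officefeltplantcurtain"]:
        print(f"{candidate!r}: {weakness(candidate) or 'no obvious weakness'}")
```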

How to make your password “strong”?

Although a password is always breakable, fortunately it is possible to limit and slow down these attacks. Here are some effective solutions to strengthen your passwords and avoid these intrusions.

Ideally use random and long passwords

The ideal is of course to use a random password generator. This type of password is immune to dictionary attacks, so the hacker must fall back on brute force, which is prohibitive because the generated password will often be very long. Such passwords make a password vault mandatory, because they are impossible to remember.

And for strong but easy to remember passwords

The following techniques generate passwords that are easier to remember: stronger than an ordinary password, but weaker than a random one. They are particularly suitable for Windows session passwords and the master password of your password vault.

Passphrases

If you need to remember your password yourself, you can use the passphrase technique. The idea is to combine several words, with or without spaces, to form a series of characters. Ideally, your sentence should contain at least 4 words and 15 characters. Avoid famous quotes and set expressions. A passphrase would look like: officefeltplantcurtain.
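An added example (not from the original article) covering both the random generator recommended above and the passphrase rule of at least 4 words and 15 characters: both secrets are drawn from the OS CSPRNG via Python's `secrets` module, and `entropy_bits` reports the search space an attacker faces. The word list and alphabet are constructed assumptions; a real passphrase generator would use a list of several thousand words.

```python
import math
import secrets
import string

# Constructed word list: a real generator would draw from several thousand words
# (for example a diceware list); 8 words give only log2(8) = 3 bits per word.
WORDS = ["office", "felt", "plant", "curtain", "river", "lamp", "stone", "cloud"]
# Alphanumerics plus symbols, roughly the 90-character class of the table.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"


def random_password(length=16, alphabet=ALPHABET):
    """Uniform random password from the OS CSPRNG; every position is independent."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words=WORDS, min_words=4, min_chars=15, sep=""):
    """Draw random words until the article's minimums (4 words, 15 characters) both hold."""
    chosen = []
    while len(chosen) < min_words or len(sep.join(chosen)) < min_chars:
        chosen.append(secrets.choice(words))
    return sep.join(chosen)


def entropy_bits(choices_per_position, positions):
    """log2(C^L): the search space an attacker faces when the secret is truly random."""
    return positions * math.log2(choices_per_position)


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.1f} bits")
    phrase = passphrase(sep=" ")
    print(phrase, f"{entropy_bits(len(WORDS), len(phrase.split())):.1f} bits")
```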

Simplifying a sentence

Another technique for generating relatively strong passwords is to start with a fairly long sentence and take the initials or phonetic spellings of the words in that sentence. For example, let’s start with the sentence “Here is a password containing special characters and numbers.” This could result in the following password: “Hia$csc&nbs”.

In practice, use a sentence that is not a famous quote and that results in a password mixing all the character classes, so that your password meets the usual criteria required by sites. These passwords are probably slightly harder to type than those from the previous method, but are in theory stronger than a passphrase.

Conclusion

Remember that the best way to get a strong password is to use a random password generator and choose a length greater than 16.

Obviously, this involves using a password vault like UpSignOn to store them.
