“qwerty”, “monkey”, and “abc123”. These are the 4th, 5th, and 6th most-used passwords of 2011, according to a study [http://splashdata.com/splashid/worst-passwords/index.htm] released by password management software company Splashdata. Also on the list are classics like “123456” and, of course, “password”. It should be obvious to just about anyone that passwords like these are not especially good ones, so why do people keep using them? The mere fact that a password is present is no guarantee of security. Hackers and those wishing to gain unauthorized access to a system have any number of tools at their disposal to help them discover and thus bypass passwords. This does not mean that placing password protection in the way is futile, however. The better the password, the longer it will take for hackers to go through or around it.
So what makes a good password? Cracking passwords is a matter of time, and the time depends on how many characters the program doing the cracking is required to guess. Consider a password with nothing but lowercase letters (a bad idea, but one that will be covered later). There are 26 letters, and thus 26 possibilities for each character. A one-character password thus has 26 possibilities, and for every character past that, the number of potential passwords is multiplied by 26. A password with five characters has over eleven million possible combinations. Keep in mind, however, that it is a computer doing the cracking in most cases, a machine capable of performing millions of calculations in seconds. That five-character, lowercase-only password would be broken in mere moments by a dedicated hacker. But now consider adding a single uppercase letter in place of a lowercase one. This doubles the number of potential values per character, so that the time-to-crack is increased by a factor of thirty. Adding numbers to the mix triples that time. Then we have what are known as “special characters”, the set including things like punctuation, brackets, symbols, and the like. Since there are tons of these characters, and no pattern to guess which one might be inserted where, the resulting delay in cracking is huge. Special characters can make any password vastly harder to break.
Up to this point, we’ve been discussing a mere five-character password, but now we come to one of the most important points: length. Even when using only lowercase letters, increasing the length of the password by one letter multiplies the field of potential passwords by 26. A long password, even without variation in the characters, is much harder to crack by brute force. There are other types of password crackers to worry about, however. The dictionary cracker, for instance, runs through a dictionary stored in its memory and tries every word. Using “elephant” as your password might befuddle a brute force cracker, but the dictionary hacker would figure you out in no time at all. Don’t try to play around with substituting numbers for letters in common words (“passw0rd”) either, as hackers have long since grown wise to this trick and programmed their tools to check for such substitutions; the same goes for abbreviations (“trustno1”) and common character sequences (“123456”, “abcde”). Nonsense passwords, or those which have meaning only to you, are better choices; you won’t find “18kaff?kaff!92cake” in any dictionary, and a brute-force cracker would take months, if not years, to bypass it.
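The keyspace arithmetic in the two paragraphs above, together with the dictionary and substitution checks, can be turned into a small password-policy checker. The following is an added example written for this page, not code from the article or from Splashdata: the guess rate (one billion per second), the tiny word list and the substitution table are all constructed assumptions chosen to make the effect visible, and the alphabet size is judged from the character classes present, which is the usual assumption behind keyspace estimates.

```python
import string

# Assumed guess rate for the time estimates: one billion guesses per second.
# This is an illustrative figure chosen for this example, not a number from the article.
GUESSES_PER_SECOND = 1_000_000_000

# Constructed stand-in for a dictionary cracker's word list; a real checker
# would load a large word list (and lists of leaked passwords) instead.
COMMON_WORDS = {"password", "elephant", "monkey", "qwerty", "trustno1",
                "123456", "abc123", "letmein"}

# Digit/symbol-for-letter substitutions that the checker undoes before the
# dictionary lookup, so "passw0rd" is treated the same as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def charset_size(password: str) -> int:
    """Alphabet a brute-force search must cover, judged from the character
    classes actually present in the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # the 32 ASCII symbols
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet (26**5 for five lowercase letters)."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a brute-force search to try every candidate at the assumed rate."""
    return keyspace(password) / rate


def is_sequence(password: str) -> bool:
    """True for runs like "abcde" or "123456" where each character is the next code point."""
    return len(password) >= 3 and all(
        ord(b) - ord(a) == 1 for a, b in zip(password, password[1:])
    )


def in_dictionary(password: str) -> bool:
    """True if the password, raw or with common substitutions undone, is a known word."""
    lowered = password.lower()
    return lowered in COMMON_WORDS or lowered.translate(LEET_MAP) in COMMON_WORDS


def assess(password: str) -> dict:
    """Summarise why a password is weak or strong, in the terms the article uses."""
    if in_dictionary(password):
        verdict = "dictionary word (or a substituted spelling of one): found immediately"
    elif is_sequence(password):
        verdict = "alphabet or digit sequence: found immediately"
    else:
        years = seconds_to_exhaust(password) / (365 * 86400)
        verdict = f"brute force only: about {years:.3g} years to exhaust the keyspace"
    return {"password": password, "charset": charset_size(password),
            "keyspace": keyspace(password), "verdict": verdict}


if __name__ == "__main__":
    for pw in ["abcde", "abcdE", "abcd3", "passw0rd", "elephant", "18kaff?kaff!92cake"]:
        print(assess(pw))
```

Running the script reproduces the article's figures: "abcde" has 26**5 = 11,881,376 candidates, swapping one letter to uppercase multiplies the keyspace by exactly 32 (the "factor of thirty" above), while "passw0rd" and "elephant" are rejected by the dictionary check before any keyspace arithmetic matters.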
The last point of importance is less about passwords and more about how you use them. While it might be tempting to come up with one good password and use it for all your important business, keep in mind that not all websites are equal in terms of security. If a single site turns out to be less trustworthy than you thought, and hackers gain access to its databases, your password could be handed to them on a silver platter, potentially allowing them access to any accounts, like your Facebook or email, using the same password. If you’re really concerned about security, it’s best to change your passwords every few months, ensuring that even if someone got access to old account records, their information would be obsolete and useless.