Passwords have played a key role in protecting digital information since the dawn of modern computing. Perhaps unsurprisingly, however, passwords were also among the first things to be exploited by computer hackers. After all, a weak password is practically an open invitation to attackers wanting to get their hands on your personal data. This remains the case, and as evidenced by the dark web markets and forums, cybercriminals routinely sell huge lists of stolen login credentials to everything from email to social media to online banking accounts.
Before we delve into what constitutes a strong password, it is important to explain how hackers can misappropriate passwords in the first place. Here are some of the most common methods:
More advanced password-cracking tools tend to combine the first two methods: they start with a dictionary attack, apply mangling rules to each word, and only then fall back to trying every possible combination. Exhaustive search, however, scales exponentially with the length of the secret. Even if all the supercomputers in the world were working together, cracking a 256-bit encryption key, of which there are 2^256 possible values, would take many orders of magnitude longer than the age of the universe. In other words, it is safe to assume that an attacker will run out of patience, and of computing power, long before a genuinely strong password or encryption key falls to brute force.
That said, a strong password alone will not protect against threats like phishing scams, which use social engineering tactics to dupe unsuspecting victims into handing over their credentials. Furthermore, passwords saved in a browser's built-in password store are typically protected only by the operating-system login of the user who saved them, so any malware running under that user account can read them out. This is why passwords should ideally be backed up with a secondary authentication measure, which we will look at later.
Longer and more complex passwords are inherently stronger: beyond a certain length they become practically immune to brute-force and dictionary attacks and almost impossible to guess.
When choosing a strong password, the most important thing is to steer clear of the obvious. A password that consists only of a dictionary word or a sequential run of numbers is an extremely bad idea. Nor does adding a digit or two to a dictionary word help much: cracking tools apply exactly these mangling rules to every word in their lists, so a password like "Sunshine42" falls almost as quickly as "sunshine" on its own.
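To make this concrete, here is an added example (not code from the original article) that compares the nominal search space of a password with the space an attacker actually has to cover once a dictionary and mangling rules are in play, and sets both beside the 256-bit key from the earlier paragraph. The guess rates, the 100,000-word list, the two-digit suffix rule and the sample password "Sunshine42" are assumptions chosen for illustration.

```python
import math

# Guess rates are illustrative assumptions, not figures from the article:
# a rate-limited online login form vs. an offline attack on a leaked fast hash.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e11      # rough order of magnitude for a GPU rig vs. NTLM/MD5

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10


def brute_force_space(length, charset_size):
    """Candidates an attacker must cover when all they know is length and alphabet."""
    return charset_size ** length


def dictionary_rule_space(words, case_variants, suffixes):
    """Candidates for a dictionary attack with mangling rules:
    every word x every capitalisation variant x every appended suffix."""
    return words * case_variants * suffixes


def entropy_bits(space):
    """Guessing entropy of a secret chosen uniformly from `space` candidates."""
    return math.log2(space)


def expected_seconds(space, guesses_per_sec):
    """On average the attacker finds the secret halfway through the space."""
    return (space / 2) / guesses_per_sec


def human_time(seconds):
    """Render a duration at a scale that makes the comparison readable."""
    years = seconds / SECONDS_PER_YEAR
    if years >= AGE_OF_UNIVERSE_YEARS:
        return f"{years / AGE_OF_UNIVERSE_YEARS:.1e} times the age of the universe"
    if years >= 1:
        return f"{years:.1f} years"
    if seconds >= 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds:.3g} seconds"


def report(label, space):
    print(f"{label}: {entropy_bits(space):.1f} bits; "
          f"online ~{human_time(expected_seconds(space, ONLINE_GUESSES_PER_SEC))}, "
          f"offline ~{human_time(expected_seconds(space, OFFLINE_GUESSES_PER_SEC))}")


if __name__ == "__main__":
    # "Sunshine42" (constructed example): 10 characters drawn from 62 letters and digits...
    nominal = brute_force_space(10, 62)
    # ...but the attacker's model is a 100k-word list, 2 case variants, 100 two-digit suffixes.
    effective = dictionary_rule_space(100_000, 2, 100)
    report("Sunshine42, naive brute force", nominal)
    report("Sunshine42, dictionary + rules", effective)
    # A 256-bit key chosen uniformly at random: the article's reference point.
    report("256-bit key", 2 ** 256)
```

The lesson is in the second line of output: the same ten characters drop from roughly 60 bits to about 24 bits of effective entropy as soon as the attacker's word list contains the base word, and 24 bits is gone in a fraction of a second offline.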
Making a password practically immune to a brute-force hack requires taking a few extra steps, including the following:
At the same time, a password must be easy enough for its owner to remember; otherwise they risk mistyping it so many times that their account gets flagged for suspicious activity. If you can come up with a phrase or sentence that gives you a mental image, but that no one else could ever guess, that is a good start. It is still a good idea to work some numbers and symbols into it too.
It is important to remember that, no matter how long or complex your passwords are, they only provide one layer of security. Moreover, every password is potentially vulnerable to phishing scams. For example, if you are duped into entering login information on a fake website that masquerades as the real thing, no amount of password complexity will protect you. Because of this, you need to bolster your defenses, ideally by using a secondary authentication method in addition to your passwords. Most high-value online accounts, such as those used for online banking, require this.
In technical terms, this is known as multifactor authentication (MFA). MFA requires two (or sometimes three) independent proofs of the user's identity, drawn from the following categories:
One example of MFA that most of us use regularly is withdrawing money from an ATM. The bank card is something you have; the PIN is something you know. To get at your account, a thief would need both the card and the PIN. On top of that, you may have noticed that many banks automatically place a temporary block on a card that is used in an unusual location, such as a foreign country. Strictly speaking that is not a third factor but a risk-based check layered on top of the other two. Other common second factors include authenticator apps on a smartphone and one-time codes sent by SMS, though SMS is the weaker of the two because codes can be intercepted through SIM-swap fraud.
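The "something you have" behind an authenticator app is a shared secret on the phone, and the code it shows is a time-based one-time password. The following is an added example, not code from the original article, implementing HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library together with the two checks a server must make: tolerate a little clock drift, and never accept the same code twice. The seed value is the published RFC test secret; the `state` dictionary used for replay protection is an assumption standing in for per-user server storage.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, as carried in the otpauth:// QR code
    that an authenticator app scans during enrolment."""
    return base64.b32encode(secret).decode("ascii")


def matching_step(secret, candidate, unix_time, step=30, digits=6, window=1):
    """Return the time step whose code matches the candidate, tolerating +/-window
    steps of clock drift, or None. Comparison is constant-time so response timing
    does not reveal how many digits were right."""
    if not (candidate.isascii() and candidate.isdigit()):
        return None
    current = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift, digits), candidate):
            return current + drift
    return None


def accept_code(state: dict, secret, candidate, unix_time, step=30, digits=6, window=1) -> bool:
    """Server-side acceptance with replay protection: each time step is usable once,
    and anything at or before the last accepted step is refused. `state` is an
    assumed stand-in for the per-user record a real server would persist."""
    matched = matching_step(secret, candidate, unix_time, step, digits, window)
    if matched is None or matched <= state.get("last_step", -1):
        return False
    state["last_step"] = matched
    return True


if __name__ == "__main__":
    # Shared secret from the RFC 4226 / RFC 6238 test vectors (20 ASCII bytes).
    seed = b"12345678901234567890"
    print("Enrol this in an authenticator app:", provisioning_secret(seed))
    now = int(time.time())
    code = totp(seed, now)
    print("Current 6-digit code:", code)
    server_state = {}
    print("first use accepted:", accept_code(server_state, seed, code, now))
    print("replay accepted:", accept_code(server_state, seed, code, now))
```

The replay check matters because a phishing kit that relays a freshly typed code can still win a race within the same 30-second window; tracking the last accepted step at least closes the door on a captured code being reused afterwards.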
Another way to boost the effectiveness of your passwords is to use a password manager, such as those built into most modern web browsers; a standalone tool like Dashlane or 1Password offers a more comprehensive solution. These tools generate a long random password for each online account, one that even you do not need to know, and fill it in automatically. Because they fill credentials only on the exact site they were saved for, they will not hand your password to a lookalike phishing page, which makes them highly resistant to social engineering. You will still need a strong master password, and you must guard it carefully, but a password manager saves a lot of time while materially improving your online safety.
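The two properties that make a manager effective, random generation and origin-bound autofill, are small enough to show in full. The following is an added example, not code from the original article or from any of the products named above: a toy vault that draws passwords from the operating system's cryptographic random source and only autofills when the page's scheme, host and port match the entry exactly. The symbol set, the 20-character default and the sample domains are assumptions.

```python
import secrets
import string
from urllib.parse import urlsplit

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"          # assumed symbol set; adjust to site policy
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the CSPRNG (secrets, never random, which is
    predictable). Re-draws until every character class appears so that site
    complexity rules do not reject it."""
    if length < 4:
        raise ValueError("length must leave room for all four character classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def origin(url: str):
    """(scheme, host, port): the identity a credential is bound to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


class Vault:
    """Toy password manager: one credential per origin, autofilled only on an
    exact origin match. Storage is an in-memory dict here; a real vault would
    keep this encrypted under the master password."""

    def __init__(self):
        self._entries = {}

    def add(self, url: str, username: str, password: str = None) -> str:
        password = password or generate_password()
        self._entries[origin(url)] = (username, password)
        return password

    def autofill(self, page_url: str):
        """Credentials for this page, or None. A lookalike domain, a host that merely
        contains the real name, or a plain-http copy of an https site all get nothing,
        which is why a manager is not fooled by a phishing page the way a human is."""
        return self._entries.get(origin(page_url))


if __name__ == "__main__":
    vault = Vault()
    # Sample domains are constructed for illustration.
    pw = vault.add("https://bank.example/login", "alice")
    print("generated:", pw)
    for page in ("https://bank.example/account",
                 "https://bank.example.evil-site.test/login",
                 "http://bank.example/login"):
        print(page, "->", vault.autofill(page))
```

Note that the exact-origin rule is deliberately strict: it will also refuse to fill on a legitimate sister domain or a port change, and that friction is the price of not filling on a phishing page. Real managers relax this a little (for example by matching the registrable domain), but they do not match on "looks similar".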