The idea of an unhackable password is beyond the realm of possibility, but there are ways to protect yourself and make your password harder to guess than the average password. Cybersecurity professionals lay strict rules on not reusing passwords, picking long, complex ones, and making sure your passwords are safe because if there is a will, there’s a way. The first step to understanding how to pick a password is to understand how password cracking works.

How to crack a password

Let’s say that a certain website requires you to make a four-digit password consisting of only digits, meaning 0-9. As a hacker, how many passwords would I have to try to get into your account? Well, there are 10 possible digits that you could have picked for your first number, 10 for the second, 10 for the third, and 10 for the fourth. So, to calculate the total number of combinations, we multiply together the number of options for each slot. So, in this case, we would have:

10*10*10*10 = 10^4 = 10,000 different combinations

When I asked my everyday laptop to generate and print out these possible combinations, it took 0.120 seconds.

Hackers and cybercriminals take these lists of possible combinations and write a script to have computers try every single combination until they find the right one, called a brute force attack. Brute force attacks work exceptionally well when password requirements have a limited set of combinations, or people create short uncomplex passwords. However, brute force attacks are still frequent occurrences for other systems, running on there own for days, weeks, and possibly years, if there are no additional security measures in place by cybersecurity professionals.

Now, if we say that the password has to be at least 8 characters long, include at least 1 uppercase letter, 1 lowercase letter, 1 number, and 1 symbol. Now, instead of having ten possibilities for each slot in the password, there are 94 possible values for each one:

  • 26 lowercase letters it could be
  • 26 uppercase letters it could be
  • 10 numbers it could be
  • 32 symbols it could be (just counting the ones on a standard QWERTY keyboard)

26+26+10+32 = 94  

For an 8 character password, this means there are 94^8 = 6,095,689,385,410,816. That is six quadrillion possible values for your password. Even if my computer can process a million possible passwords every second (which isn’t very many), it could take up to 6,095,689,385 seconds or 193 years to find your password. If you want to check how long it would take to crack your password or any generic string of characters, try this website:

Which passwords are the most secure?

We can see from the examples above that it is best to make the possible values for each character of your password the most significant number we can. The ideal password would include upper and lowercase letters, numbers, and symbols. Also, notice that in the password example above, we only covered eight-character passwords. What would happen if you added a ninth character? Each additional character multiples the total by 94. Just imagine that every character you add to your password makes it 94 times as difficult to generate your password!

Tip 1: Longer passwords are better and harder to hack! Just make sure you or a password saving system can remember them.

Let’s say we have the option to make our password 13 numbers long or can choose to make it 5 lowercase letters long. Notice here that 13 numbers with 10 slots is 1310 = 130 and 26 letters with 5 slots is 265 = 130. So, there is the same number of choices to make. We have to pick from the 26 letters 5-times or 10 numbers 13-times. Which of these options results in a larger number of possible combinations? Well, the 13 number password would be 10^13 or 10,000,000,000,000 or 10 trillion different combinations. The 5 letter password would be 26^5 or 11,881,376 or roughly 12 million combinations.

Tip 2: Utilize special characters and symbols to make a more complex password.

Putting it to the test

I found this list of password requirements online:

  1. MUST contain at least 8 characters (12+ recommended)
  2. MUST contain at least one uppercase letter
  3. MUST contain at least one lowercase letter
  4. MUST contain at least one number
  5. MUST contain at least one special character (!”#$%&'()*+,-./:;<=>?@[]^_`{|}~ )
  6. MAY NOT contain more than two identical characters in a row
  7. MAY NOT contain first name, last name, email address mailbox or domain, company name or commonly used passwords
  8. MAY NOT match commonly used password character patterns

While I have explained the math behind some of these, we should examine the remainder of them. The first requirement is a length requirement, which we just showed makes it much more difficult to brute force your password. The 2-5 requirements are there to increase the number of possible characters your password contains, which is excellent for longer passwords.

The remaining requirements are unusual:

  • MAY NOT contain more than two identical characters in a row
  • MAY NOT contain first name, last name, email address mailbox or domain, company name or commonly used passwords
  • MAY NOT match commonly used password character patterns

Let’s look at our PIN example again. If we enforce the rule that 2 identical characters cannot appear next to each other in our 4 digit password, then our options get a little more limited. The first number can still be any of the 10 numbers, but the second number only has 9 options because it cannot be the same as the first digit. The third number and fourth also only have 9 options because it can’t be the same as the preceding one. So, now, our possible combinations look like this:

10*9*9*9 = 7290

This set of instructions removed nearly 3000 possible combinations! Why would this rule be enforced? Well, it’s because humans tend to use passwords that are easy to remember. When hackers go about trying to hack passwords, they understand there is a high chance people will reuse old passwords, makes them easy to remember, and not be creative when they should.

Commonly used passwords

Most hackers do not immediately resort to generating all possible combinations of symbols for brute force attacks. Instead, they look for easy targets, like the ones mentioned above, and start by guessing the easy things like your name, email, domain, or company name. This rule prevents those tricks from working.

Common passwords (like “Password”, “Password1”, “1234”, “0000”, etc.), are found on lists used by hackers. These lists are commonly called rainbow tables. The passwords in these files can be run against your account to see if any common ones will work before the hacker has to resort to brute-force generating every possible combination.

Tip 3: Do not repeat passwords, and do not use common ones! 

So, to summarize, there is no sure-fire way to prevent hackers from gaining access to your accounts, but there are ways to protect yourself and make it difficult for them. If you make your password long, complex, and unique, and change it often, the hacker constantly has to restart their attempt, and you’ll be less likely to be a victim of password hacking.

Did you enjoy this content? Follow our linkedin page!