This is Part 1 of a 2-Part article. In Part 1, I’ll explain why most passwords are not very strong and the methodology hackers use to crack passwords. In Part 2, I’ll explain how you can create passwords that are much harder to crack, how to measure a password’s real strength, and how strong a password should be.
Using a password manager is an essential part of internet security. Password managers give users the ability to have strong and unique passwords for each site they visit on the internet. Two good cloud-based password managers are Bitwarden and 1Password. I personally have a premium subscription to Bitwarden, while Jim Hillier recommends Bitwarden’s free version if you do not need the premium features. If you prefer a password manager with local credential storage, the DCT-recommended KeePass is an excellent choice – I used it for years before switching to Bitwarden.
However, the key to the secure use of any password manager is a strong master password. The master password is not just any password, it is the key to your kingdom. It is the one password you need to memorize. With the recent breaches of LastPass, Norton Lifelock, as well as other password managers, a strong master password is more important than ever. But how do you create a strong password? How do you measure password strength? How strong is strong enough?
To measure a password’s strength, we need to know its entropy. Password entropy is a measure of how unpredictable a password is. Password entropy predicts how difficult a given password would be to crack. Password entropy is usually expressed in bits. A password that is already known has zero bits of entropy. A password that can be guessed half the time on the first try would have one bit of entropy. Increasing the entropy of the password by one bit doubles the number of guesses required, making an attacker’s task twice as difficult. Increasing the entropy by ten bits makes it 1,000 times more demanding to crack. A 20-bit increase in entropy is 1 million times harder to break. The formula for this is:
E = L * log2(R)
- R – Size of the pool (the unique character set used)
- L – Password length
A pool using lower case (26), upper case (26), numbers (10), and special characters (13) is a 75-character set pool.
n5A*&VqW?XZj is a uniquely and randomly generated 12-character-long password that uses the entire pool. Its entropy is 12 * log2(75) = 74.745.
- UK^aR2$b = 49.830
- P@ssw0rd = 49.830
As we can see, both of these have the same entropy but the first is clearly better than the second.
How A Hacker Cracks A Password
There are many theories on how to make a password strong and memorable. Here are a few:
- Make the password look complex by using l33t substitutions – @ for a, and 0 (zero) for o. (e.g., P@ssw0rd for Password)
- Use song lyrics, quotes from books, and common phrases. (e.g., Call_Me_Ishmael, tobeornottobe)
- Use the first letter of each word from a phrase
The reason these do not work well is because of the way a hacker will try to crack a password. For example:
- The hacker checks the lists of the top passwords. There are lists of real passwords that have been breached.
- The hackers check wordlists. Lists of English words, foreign words, names, dates, sports teams, celebrities, pet names, TV/film characters, places, countries, cities, landmarks, hobbies, animal names, etc.
- Next, they may try all the words again with common substitutions: capitalizing the first letter (sesame → Sesame), making common letter-for-number swaps (sesame → s3s@me), etc.
- Next, they may use various number, date, and pattern combinations.
- If all else fails, they will be forced into a brute-force search.
If your password is based on any kind of pattern, using some combination of the above steps will eventually crack it. Some password hash cracking rigs can perform over 100 trillion password hash guesses per second. Attackers can even purchase the ability to perform many trillions of guesses per second at low dollar rates using popular cloud providers. Many nation-states are believed to be capable of many hundreds of trillions of guesses per second. Even a single modern home computer can make hundreds of thousands (or more) of guesses per second.
Passwords & Human Weaknesses
So why are most passwords that people create not strong? Because they are not unique or random. Many think the most important factor when it comes to passwords is length, but this is not true. It is the uniqueness or randomness of your password that is most important. After this comes length. Let’s take song names as an example. According to Google, there are 80 million songs in the world. Picking a song name at random from all of them should give an entropy of 26.2, but no one knows all 80 million songs. A human is likely to pick from the top 2000 songs, giving an entropy of 10.9. Most human-created passwords, no matter how clever the individual thinks they are, do not have a lot of real entropy. They are simply not unique, and hackers know all the methods that humans use.
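An added example (my code, not part of the original article) that puts the two ideas above together: the E = L * log2(R) formula from the entropy section, and the cracker’s order of top-password list, then wordlists with substitutions, then brute force. It shows why P@ssw0rd and UK^aR2$b score the same on a password meter but not against a real attacker. The password lists, the reverse-l33t table and the four-variants-per-word figure are constructed assumptions standing in for the real, far larger lists.

```python
import math

# Constructed stand-ins for the breached-password and wordlists a cracker
# tries first (real lists run to millions of entries).
TOP_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]
WORDLIST = ["sesame", "ishmael", "dragon", "monkey", "sunshine"]
# Undo the common l33t swaps: @->a 0->o 3->e 4->a 5->s $->s 1->i 7->t !->i
LEET_REVERSE = str.maketrans("@0345$17!", "aoeassiti")
SUBSTITUTION_VARIANTS = 4  # assumed variants tried per word (capitalise, l33t, ...)

def pool_size(pw):
    """R: size of the character set the password draws from (26/26/10/13)."""
    r = 0
    if any(c.islower() for c in pw): r += 26
    if any(c.isupper() for c in pw): r += 26
    if any(c.isdigit() for c in pw): r += 10
    if any(not c.isalnum() for c in pw): r += 13
    return r

def naive_entropy(pw):
    """E = L * log2(R): the figure a password meter reports."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0

def normalize(pw):
    """Reverse the substitutions a cracker applies to every wordlist entry."""
    return pw.translate(LEET_REVERSE).lower()

def effective_entropy(pw):
    """Bits of work for a cracker that follows the article's steps in order.
    Returns (bits, the step that finds the password)."""
    if pw in TOP_PASSWORDS:
        return math.log2(len(TOP_PASSWORDS)), "top-password list"
    if normalize(pw) in TOP_PASSWORDS or normalize(pw) in WORDLIST:
        words = len(TOP_PASSWORDS) + len(WORDLIST)
        return math.log2(words * SUBSTITUTION_VARIANTS), "wordlist + substitutions"
    return naive_entropy(pw), "brute force"

def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second

if __name__ == "__main__":
    for pw in ["n5A*&VqW?XZj", "UK^aR2$b", "P@ssw0rd"]:
        bits, step = effective_entropy(pw)
        print(f"{pw:14} meter={naive_entropy(pw):6.2f} bits  "
              f"real={bits:6.2f} bits ({step})  "
              f"{seconds_to_exhaust(bits, 1e14):.2e} s at 100 trillion/s")
```

Against the 100-trillion-guesses-per-second rig mentioned above, the 74.7-bit random password takes years to exhaust, while P@ssw0rd falls in the first fraction of a second because the substitution step reduces it to "password".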
So, how do you create a strong password? How do you measure password strength? How strong is strong enough? I’ll explain these concepts in Part 2 of this article. Stay tuned!
- Ultimate Guide To Create A Master Password – Part 1 (this article)
- Ultimate Guide To Create A Master Password – Part 2