
How to Create a Strong Password?


Passwords have played a key role in protecting digital information since the dawn of modern computing. Perhaps unsurprisingly, however, passwords were also among the first things to be exploited by computer hackers. After all, a weak password is practically an open invitation to attackers wanting to get their hands on your personal data. This remains the case, and as evidenced by the dark web markets and forums, cybercriminals routinely sell huge lists of stolen login credentials to everything from email to social media to online banking accounts.

How Do Passwords Get Hacked?

Before we delve into what constitutes a strong password, it is important to explain how hackers can misappropriate passwords in the first place. Here are some of the most common methods: 

  • A dictionary attack is the most primitive method of cracking a password, but it is also highly effective in the case of weak passwords. These attacks are exactly what they sound like: A hacker uses an automated tool to try every word in a dictionary or other word list to see if one of them works as the password. As such, if a password is a common word or name found in the dictionary, it can often be cracked in mere seconds.
  • A brute-force attack is a little more sophisticated, in that it tries every combination of letters, numbers, and symbols until it finds the right one. However, given the number of possible combinations, longer passwords take exponentially longer to crack. For example, it takes hours for a modern computer to crack an alphanumeric password of eight characters, but years for those that contain 10 random characters.
  • Sometimes, attackers will try to guess a victim’s password simply by trawling through their public-facing social media and other accounts to find out more information about them. For example, if someone uses a maiden name, the name of a pet, or a popular nickname as their password, then a quick look through the person’s social networking profiles will probably reveal that information.

More advanced password cracking tools tend to use a combination of the first two. They often start with a basic dictionary attack before moving on to try every possible combination. However, even if all the supercomputers in the world were working together to crack a password, it would still take an impractically long time to find the right combination. For example, cracking a 256-bit encryption key, of which there are 2^255 possible combinations, would take far longer than the lifespan of the universe. In other words, it is probably safe to assume the hacker will run out of patience when trying to brute-force a strong password or encryption key!

That said, a strong password alone will not protect against threats like phishing scams, which use social engineering tactics to dupe unsuspecting victims into giving away confidential data. Furthermore, many passwords, like those stored by most browser-based password managers, are stored unencrypted on the local device. This is why passwords should ideally be backed up with a secondary authentication measure, which we will look at later.

What Makes a Strong Password?

Longer and more complex passwords are inherently stronger to the point they are practically immune to brute-force or dictionary attacks and are almost impossible to guess.

When choosing a strong password, the most important thing is to stay clear of the obvious. A password that consists only of words found in the dictionary or a sequential list of numbers is an extremely bad idea. However, even adding a digit or two to a word in the dictionary will not protect you from a brute-force attack in most cases.

Making a password practically immune to a brute-force hack requires taking a few extra steps, including the following:

  • The longer a password, the stronger it is. Your passwords should ideally be no shorter than 15 characters, and 12 at the minimum.
  • The larger the character set, the better. Using a combination of upper and lowercase letters and numbers and, ideally, a symbol or two, is the best approach.
  • Avoid common substitutions, such as using the digit ‘0’ in place of the letter ‘O’. Most password-cracking tools try these substitutions before going for a brute-force attack.
  • Avoid using sequential numbers, letters, or keyboard paths. For example, ‘QWERTY’ is an easy one to guess, and it is even in a lot of dictionaries too.
  • Never rely on single words or names, even if they are extremely rare or from languages other than English. After all, dictionary attacks often use wordlists in the millions.
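The five rules above, together with the earlier point about brute-force search space, can be turned into a simple strength check. The following is an added Python example, not code from the article, that flags a candidate password against those rules (length, character classes, undone look-alike substitutions, keyboard paths, dictionary words) and reports the size of the space a brute-force attacker would have to search. The wordlist and substitution table are constructed stand-ins.

```python
import math
import string

# Constructed mini wordlist standing in for the multi-million-entry lists the article mentions.
WORDLIST = {"password", "qwerty", "welcome", "dragon", "monkey", "football", "letmein"}
# Look-alike substitutions (0 for O, @ for a, ...) that cracking tools undo before brute force.
LEET = str.maketrans("0143@$57!", "oiaeassti")
# Keyboard rows and sequential runs; any 4-character slice (or its reverse) counts as a path.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789", string.ascii_lowercase]

def charset_size(pw):
    """Size of the alphabet a brute-force attacker must assume for this password."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size

def search_space_bits(pw):
    """log2 of the brute-force search space: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def has_sequence(pw, window=4):
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + window] in low for i in range(len(s) - window + 1)):
                return True
    return False

def check_password(pw):
    """Return the list of rules the password breaks; an empty list means it passes."""
    issues = []
    if len(pw) < 12:
        issues.append("shorter than the 12-character minimum")
    elif len(pw) < 15:
        issues.append("shorter than the recommended 15 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)):
        issues.append("does not mix upper case, lower case and digits")
    if not any(c in string.punctuation for c in pw):
        issues.append("contains no symbol")
    # Undo leet substitutions and strip digits/symbols padded on the ends, then dictionary-check.
    core = pw.lower().strip(string.digits + string.punctuation).translate(LEET)
    if core in WORDLIST:
        issues.append("dictionary word once substitutions and padding are removed")
    if has_sequence(pw):
        issues.append("contains a keyboard path or sequential run")
    return issues
```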

At the same time, we realize that a password should be easy enough for its owner to remember without having to risk entering it so many times that their account gets flagged for suspicious activity. If you can come up with a phrase or sentence that gives you a mental image, albeit one that no one else would ever be able to guess, then that is a good start. That said, it is still a good idea to incorporate some numbers and symbols too.

How Can You Improve the Effectiveness of Your Passwords?

It is important to remember that, no matter how long or complex your passwords are, they only provide one layer of security. Moreover, every password is potentially vulnerable to phishing scams. For example, if you are duped into entering login information on a fake website that masquerades as the real thing, no amount of password complexity will protect you. Because of this, you need to bolster your defenses, ideally by using a secondary authentication method in addition to your passwords. Most high-value online accounts, such as those used for online banking, require this. 

In technical terms, this is known as multifactor authentication (MFA). MFA combines two (or sometimes even three) methods to verify the user’s identity. These factors are a combination of two or more of the following:

  • Something you know, such as a password or PIN code
  • Something you have, such as a physical security token or bank card
  • Something inherent to you, such as a fingerprint or facial recognition scan
  • Somewhere you are, such as a specific GPS location, device, or network

One everyday example of MFA is withdrawing money from an ATM. While the bank card itself is something you have, the PIN code is something you know. As such, to gain access to your account, a thief would have to have your card and know the PIN code. On top of that, you may have noticed that many banks will automatically put a temporary block on your card if it is used in an unusual location, such as a foreign country, which serves as a third authentication factor. Other common authentication factors include smartphone apps or SMS messages.

Another way to boost the effectiveness of your passwords is to use a password manager, like those built into most modern web browsers. However, using a standalone third-party tool like Dashlane or 1Password offers a more comprehensive solution. These services can generate a random password for each online account that even you will not know. Instead, they enter the login credentials automatically, making them practically immune to social engineering attacks. You will still need a highly complex master password, but password managers can save a lot of time while also improving your online safety.