In order to know whether your password is secure, you need to understand a few basics about how passwords are used. I’ll use some example passwords in this post. These are examples only; do not use any of them as your password.
A password can be used, like the key to a safe, to encrypt and decrypt data. A password can also be used to log in to websites or online accounts. In that case the website, not you, is responsible for protecting what it stores about your password, but most sites give little or no information about how they do so.
However, a password is not used directly as the encryption/decryption key, and a website does not store the password itself. Instead, the password is run through a hash function. A hash function is a one-way mathematical function that converts a string of characters or a digital file into a random-looking string of zeros and ones of a fixed length: the same input always produces the same output, but the output cannot be run backwards to recover the input. The zeros and ones are usually written in hexadecimal, using the digits 0 to 9 and the letters a to f. Examples using the common MD5 hash function (which is fast and unsalted, and for that reason is no longer considered suitable for passwords):
Password — MD5 hash (hexadecimal)
password123 — 482c811da5d5b4bc6d497ffa98491e38
123456 — e10adc3949ba59abbe56e057f20f883e
letmein7 — 9a02b55e072d71503831a887b1756a8f
The password examples above are all poor passwords, but the hashes look secure. The hash, not the password, is what the system stores for a login, or what the encryption key is derived from for an encrypted file. Why are certain passwords insecure when the value actually used is long and random-looking? Because the hash is a fixed function of the password: hackers can take a list of common passwords and generate, in advance, a list of their hashes, and anyone who chose one of those passwords then has a hash the hacker already knows. (A well-designed system mixes a random per-user salt into the hash and uses a deliberately slow hash function, which makes such precomputed lists useless, but you usually cannot tell from outside whether a site does this.)
Now if your password is very common and very insecure, like “password123” or “654321”, anyone can go online and, with a few guesses, perhaps access your account. But the more serious problem occurs when a hacker obtains a website’s database of hashed passwords. All they have, initially, is the hash, not the actual password. But they can run a program that tries a large number of possible passwords, generates the hash of each, and compares it to the database. When they find a match, they know the password.
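The attack just described, as an added example that is not part of the original post: a precomputed hash-to-password table built from a constructed list of common passwords is looked up against a constructed "leaked" database of unsalted MD5 hashes (two of the hashes are the page's own examples; the user names and the other plaintexts are invented for the example). The last function shows why a salted, slow hash (PBKDF2 here) defeats the table: the same password produces a different hash for every user, so nothing can be computed in advance.

```python
import hashlib

def md5hex(text):
    """Unsalted MD5 of a string, hex-encoded (the scheme the page's examples use)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# Constructed wordlist standing in for an attacker's list of common passwords.
COMMON_PASSWORDS = [
    "123456", "password", "password123", "letmein", "qwerty",
    "abc123", "iloveyou", "admin", "welcome", "654321",
]

# Constructed "leaked" table, as an attacker might obtain from a breached site:
# username -> unsalted MD5 of that user's password. The first two hashes are the
# page's own examples; the rest are computed here from plaintexts chosen for the
# example. All users are hypothetical.
LEAKED_DB = {
    "alice": "482c811da5d5b4bc6d497ffa98491e38",   # password123 (hash from the page)
    "bob":   "e10adc3949ba59abbe56e057f20f883e",   # 123456 (hash from the page)
    "carol": md5hex("654321"),
    "dave":  md5hex("Xq7#pL2v9Ts!"),               # random 12-char password, not in any list
    "erin":  md5hex("123456"),                     # same password as bob -> same hash
}

def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once. The hashing cost is paid before any breach,
    and the table is reused against every unsalted database the attacker obtains."""
    return {md5hex(pw): pw for pw in wordlist}

def crack(leaked_db, table):
    """Recover every password whose hash appears in the precomputed table.
    Users with no table entry get None: their password was not in the wordlist."""
    return {user: table.get(h) for user, h in leaked_db.items()}

def users_sharing_hash(leaked_db, target_hash):
    """Unsalted hashing leaks which users chose the same password."""
    return sorted(user for user, h in leaked_db.items() if h == target_hash)

def salted_hash(password, salt, iterations=100_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The per-user salt means a
    precomputed table is useless, and each guess costs 100,000 hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    for user, pw in crack(LEAKED_DB, table).items():
        print(f"{user:6s} -> {pw if pw else '(not in wordlist)'}")
    print("same hash as bob:", users_sharing_hash(LEAKED_DB, LEAKED_DB["bob"]))
    print("salted, user 1:", salted_hash("123456", b"salt-for-user-1")[:16], "...")
    print("salted, user 2:", salted_hash("123456", b"salt-for-user-2")[:16], "...")
```

Running it cracks alice, bob, carol and erin instantly from a ten-entry wordlist, while dave's random password is not found; the two salted hashes of "123456" differ even though the password is identical.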
A hacker with just a desktop computer can hash every possible six-character password and check each one against a database of hashed passwords. In other words, no six-character password is secure. At seven or eight characters the password becomes more resistant to a “brute force” attack, i.e. a test of every possible combination of characters of that length, although with a fast hash like MD5 eight characters is still within reach of a GPU cracking rig. By nine or more characters, the length of the password is relatively secure (though not against a well-heeled opponent like the NSA). Note that these numbers assume the characters are random; a nine-character password built from a word is a different matter, as the next section shows.
The same hacker can easily test every word in the dictionary, as well as every dictionary word with one, two, three, or four digits (or letters and digits) added to the end. So these examples of passwords are not secure:
In short, any password containing a dictionary word, or a name or other common word, is not secure, even if you add numbers, or letters and numbers to the end. Even a password with multiple words plus numbers is not secure:
The reason is that a hacker’s “dictionary” includes not only the words in an actual dictionary, but also phrases that are commonly used as passwords. This type of hacker dictionary is built partly from lists of cracked passwords that other hackers have obtained in the past and posted online, so every password that has ever been cracked and published is, in effect, already a dictionary word.
Now you might think that if you combine two passwords built with the word-number formula, the result would be safe. Not so. Passwords like these:
are not secure, because hackers will also take the terms (words, phrases, common passwords) from their hacker dictionary and try every combination of two of them. So if “fishing493” and “boat998” are both in the dictionary, a check of every pair will find: fishing493boat998
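The three attacks discussed above (brute force over every string of a given length, dictionary words with numbers added, and combining two dictionary entries), as an added example that is not part of the original post. The word list and "hacker dictionary" are constructed for the example; the only page-derived entries are "fishing493" and "boat998". The keyspace function shows why six characters is hopeless while nine random characters is not, and the candidate generators show why "fishing493boat998" falls to a tiny dictionary even though it is 17 characters long.

```python
import hashlib
import itertools
import string

def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols

def keyspace(length, alphabet_size):
    """Number of candidates a brute-force attack of exactly this length must try."""
    return alphabet_size ** length

def brute_force(target_hash, alphabet, length):
    """Try every string of the given length over the alphabet.
    Feasible in this script only for short lengths; the point is the shape of the loop."""
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        if md5hex(candidate) == target_hash:
            return candidate
    return None

def digit_affixes(max_digits=4):
    """'' plus every 1..max_digits digit string: 10 + 100 + 1000 + 10000 = 11,110 affixes."""
    yield ""
    for n in range(1, max_digits + 1):
        for digits in itertools.product(string.digits, repeat=n):
            yield "".join(digits)

def word_number_candidates(words, max_digits=4):
    """The word itself, then word+digits and digits+word (the common formula)."""
    for word in words:
        for affix in digit_affixes(max_digits):
            yield word + affix
            if affix:
                yield affix + word

def combinator_candidates(entries):
    """Every ordered pair of dictionary entries concatenated."""
    for a, b in itertools.product(entries, repeat=2):
        yield a + b

def dictionary_attack(target_hash, candidates):
    """Hash each candidate and compare; returns the plaintext or None."""
    for candidate in candidates:
        if md5hex(candidate) == target_hash:
            return candidate
    return None

# Constructed "hacker dictionary": a few plain words plus entries harvested from
# previously cracked passwords (the page's two word-number examples).
WORDS = ["fishing", "boat", "summer", "dragon"]
HACKER_DICT = WORDS + ["fishing493", "boat998"]

if __name__ == "__main__":
    for n in (6, 7, 8, 9):
        print(f"{n} printable chars: {keyspace(n, len(PRINTABLE)):.1e} candidates")
    # Brute force is only demonstrated on a 3-letter target; 95**6 would take far longer.
    print("brute force:", brute_force(md5hex("dog"), string.ascii_lowercase, 3))
    # Word + up to four digits: about 89,000 candidates for four base words.
    print("word-number:", dictionary_attack(md5hex("boat998"), word_number_candidates(WORDS)))
    # Two dictionary entries glued together: 36 candidates for a 6-entry dictionary.
    print("combinator: ", dictionary_attack(md5hex("fishing493boat998"),
                                            combinator_candidates(HACKER_DICT)))
    # A random 9-character password is found by neither rule.
    print("random:     ", dictionary_attack(md5hex("k7Rq2xWz9"), word_number_candidates(WORDS)))
```

The keyspace numbers are the arithmetic behind the page's length advice: 95^6 is about 7.4e11, 95^8 about 6.6e15 and 95^9 about 6.3e17. The candidate counts for the dictionary rules are tiny by comparison, which is why length alone does not save a password built from dictionary terms.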
The solution to this problem? Follow a few simple password rules:
1. no dictionary words at all
2. no phrases
3. do not use the common formula of word-number or number-word
4. passwords should be 9 characters or more
I also suggest using Password Safe to generate secure passwords and to store them in encrypted form. To generate a password with Password Safe, click Manage | Password Policies, then choose the default policy and click Edit. Next, set the policy, i.e. the length and whether the password will contain numbers, upper- or lower-case letters, or symbols. The “Generate” button on the same screen, or in any password database entry, can then be used to create a new random password.
If you need an easier-to-remember password (which is a little less secure, because it draws from a smaller set of characters), choose a password length of at least 9 characters, with only uppercase letters and numbers. Then, once the password is generated, choose some characters to make lowercase in a pattern that is easy to remember (like the first few and last few letters). So “TT6C9YGUU” becomes “tt6C9YGuu”. You can also make the password easier to remember by inserting a separator symbol between groups. So “RTVXMBGJAMY6” becomes “rtVX*MBGJ*Amy6”. Changing case in a fixed pattern does not throw away any of the randomness the generator produced; the separator adds length but no randomness of its own.
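The generate-then-make-memorable procedure above, as an added example that is not part of the original post and not Password Safe's own code: a generator driven by a policy (character set and length) using the operating system's randomness, an entropy calculation that shows what the smaller character set costs, and the two case/separator transformations the page applies to its own examples. The grouping size and the "first two and last two letters" pattern are the example's assumptions.

```python
import math
import secrets
import string

# Policies as Password Safe lets you set them: which character classes, and how long.
UPPER_AND_DIGITS = string.ascii_uppercase + string.digits                      # 36 symbols
ALL_CLASSES = string.ascii_letters + string.digits + string.punctuation        # 94 symbols

def generate(length, alphabet):
    """Draw each character independently from the alphabet using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Bits of randomness in a password of this length over this alphabet:
    log2(alphabet_size ** length), i.e. how many guesses a brute-force attacker needs."""
    return length * math.log2(alphabet_size)

def make_memorable(password, head=2, tail=2, sep="", group=0):
    """Lowercase the first `head` and last `tail` letters (digits are left alone), then
    optionally insert `sep` after every `group` characters. The case pattern is fixed
    and known, so the result has exactly the entropy of the generated string."""
    chars = list(password)
    letter_positions = [i for i, c in enumerate(chars) if c.isalpha()]
    to_lower = letter_positions[:head] + (letter_positions[-tail:] if tail else [])
    for i in to_lower:
        chars[i] = chars[i].lower()
    if sep and group > 0:
        pieces = ["".join(chars[i:i + group]) for i in range(0, len(chars), group)]
        return sep.join(pieces)
    return "".join(chars)

if __name__ == "__main__":
    # A memorable-policy password (36 symbols, 9 long) versus a full-policy one (94, 12).
    easy = generate(9, UPPER_AND_DIGITS)
    strong = generate(12, ALL_CLASSES)
    print(f"{easy} -> {make_memorable(easy)}  ({entropy_bits(9, 36):.1f} bits)")
    print(f"{strong}  ({entropy_bits(12, 94):.1f} bits)")
    # The page's own examples, run through the same transformation.
    print(make_memorable("TT6C9YGUU"))                      # tt6C9YGuu
    print(make_memorable("RTVXMBGJAMY6", sep="*", group=4))  # rtVX*MBGJ*Amy6
```

Nine characters of uppercase and digits give about 46.5 bits, which is what the page calls "a little less secure"; twelve characters over all four classes give about 78.7 bits. Both are far beyond any dictionary or combinator attack, because no part of the string is a word.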
For important files that are encrypted on a backup external hard drive, use a long random password that you have thoroughly memorized. There is no substitute for memorization, since even your Password Safe database needs a master password to open it, and that one password cannot be stored anywhere but in your head.