The Easy Way to Make Strong Passwords

by on August 08, 2012
in Computer Safety & Support, Computers and Software, Tips & How-Tos, Tech 101 :: 20 comments

The best way to lock something up digitally—whether it's to keep out hackers or your kids—is to use a different, strong password for every site and situation. So when break-ins occur, like they did on LinkedIn and eHarmony in June, only information you shared with one site is in jeopardy. What constitutes a strong password, though, may not be what you think.

The usual definition of a strong password is one that has at least 8 characters (the longer the better), with a mixture of upper and lower-case letters, numbers and, if the site or service allows, special characters, such as "!," "#" and "?."

It turns out the biggest factor in determining the strength of your password is its length, according to a study by Carnegie Mellon. Numbers, capitalization and special characters are all bonuses, but a short password that uses all of these tricks will still be much easier to crack than a long password with real words.

So how strong are your passwords? You can check them on PassFault.com, a site created by a well-respected computer-security expert.

When you input your password (I recommend using one that's the same length with a similar mix of letters, special characters and numbers, rather than your real password), you'll get an estimate of how long it will take to crack. Passwords should take at least a year to crack and, ideally, centuries. For instance, I found that the password "treadmillfun1" can be cracked in 2 months, 9 days with a regular computer and in less than a day with a $900 password attacker.

If I change the password to "treadmillsaresofun1", the rating goes up to 4185 centuries for an everyday computer and up to 17 centuries for a $900 password attacker. The password is just as easy to remember and is much more secure.

Remembering all those passwords, though, is still difficult. That's where a password manager comes in handy.

You may already have a password manager that came with your Internet security software, like Norton Internet Security 2012 or Kaspersky Internet Security 2012.

If you just use a computer, try downloading the Mozilla Firefox Web browser and using its built-in password manager. Make sure you create a master password to protect your list by clicking on the "Firefox" button, then "Options" and then "Security." Safari 6, which is available for Macs running OS X Lion and Mountain Lion, also stores passwords under your login. Other web browsers will save your passwords, but they're not protected by a master password.

If you access secure sites on your smartphone as well as your computer, you'll want one solution that works on all devices. I like Norton Identity Safe (free on Norton.com), which works on PCs, Macs, Android devices and iOS devices. In addition to storing your passwords under one strong password, it will fill those passwords in for you, generate new strong passwords for you (you can choose the length) and warn you about unsafe sites.

Thank you - great information!

From Kelly on August 08, 2012 :: 11:09 am

Thank you - great information!

Reply

Bad news for me

From Josh Kirschner on August 08, 2012 :: 11:31 am

My email password would be cracked in less than one day. Am changing it now…

Reply

492 centuries. Much better...

From Josh Kirschner on August 08, 2012 :: 11:41 am

492 centuries. Much better…

Reply

wow thank you for this

From kymi a (@kymnasium) on August 08, 2012 :: 4:40 pm

wow thank you for this very important info.

Reply

Password Strength Checkers

From Tony on August 17, 2012 :: 9:12 pm

Reply

Why Is It Allowed?

From cocobeli on August 25, 2012 :: 1:54 am

When are we going to demand more responsibility from those who require passwords? Surely allowing 10,000 or 1,000 failed attempts should be made unacceptable?

Of course length and complexity are good things, but allowing brute force attacks to go on and on is just awful.

Reply

Doesn't matter

From Bob on April 11, 2013 :: 11:42 am

As long as web sites use improper password storage techniques, it does not matter. Once a hacker gets the passwords from the web site, he then can take all the time he desires to attempt to break them. How should web sites protect against this? Slow hashing such as bcrypt and salting each one. See en.wikipedia.org/wiki/Bcrypt. Unfortunately not many web sites have done this even though it has been the gold standard for several years now. So in the absence of such protection, you have to provide it by using a long password. Longer is better.

Reply
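Added example, not part of the comment above or of the original page: fast unsalted storage next to slow, per-user salted storage of the kind the comment recommends. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (which is not in the standard library); the record format and `ITERATIONS` value are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def fast_unsalted(password):
    """Weak storage: one fast hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Slow, salted storage record: 'iterations$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    pw = "treadmillsaresofun1"  # sample password from the article
    # Unsalted: two users with the same password share one hash,
    # so a single precomputed table covers both.
    print(fast_unsalted(pw) == fast_unsalted(pw))
    # Salted: the same password yields a different record per user.
    alice, bob = hash_password(pw), hash_password(pw)
    print(alice != bob)
    print(verify_password(pw, alice), verify_password("treadmillfun1", alice))
```

Because each record carries its own salt and iteration count, the work factor can be raised later without invalidating existing records.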

Is even checking safe?

From TheASCDoctor@gmail.com on August 25, 2012 :: 4:19 pm

When checking to see if one’s password is good, isn’t turning over one’s password to the site, where it is also capturing your ip address at the same time, handing over your secure information? 

After you’ve hit submit to check the security of your password, you don’t have any idea where your data just went, or who now has access to it? 

Seems to me even checking your password isn’t safe.  Seems to me one can’t be secure enough on the internet to protect their own data by controlling its access, release it to no one.

Reply

Another site that's good that

From Kyle on August 26, 2012 :: 4:05 am

Another site that’s good that doesn’t send anything to a server is https://www.grc.com/haystack.htm
It uses javascript so nothing is sent.
Gives better information about length as well.

Besides, if you’re truly paranoid, then you just give a password that is *like* the one you have.
Yours could be Hf%s9Sac9
These calculators *normally* don’t care about the order since crackers don’t either, so you can write in ABcdef12! and still get the same results. I’m not sure how well written that site is since it gives different results.

For example AbcDef12! takes 3 months.
While AbcDef12# takes less than 1 day?
It also suggests that there are a different number of possible combinations for both which is obviously not true.

Not a well made site for testing your password strength since it’s poorly written.

This site even says that a facebook password of “cracked1!” would take less than a day to crack on an average computer. An online attack like that would take centuries. You would have to have access to the password file itself, meaning you’ve already hacked into facebook.

It also thinks that an everyday computer can crack “elephant123123” in just 7 days. Passwords are cracked via all or none. The fact a common word is in there means nothing if you don’t know the rest of it.

However “supercalifragilisticexpialidocious” would take 29626889567382503000 centuries. Go figure.

It’s neat, but I question its accuracy greatly.

Reply

Wrong

From Bob on April 11, 2013 :: 11:47 am

With rainbow tables and intelligent selection of words and combinations, some passwords with the “same” complexity are easier to crack than others. No longer are hackers using simple brute force cracking. Get over it and use passwords that are 15+ characters long and then you don’t have to worry about it. Unfortunately some web sites, like my bank, don’t allow passwords anywhere near that long. The web developers are way behind the times!!!

Reply

1.68e+32 centuries

From Clarke Waldron on August 25, 2012 :: 5:47 pm

Just using a common phrase, my birth year, my birth year “capitalized”, and spelling out the site’s name.

If you’re paranoid but wish to check your password, do as is suggested in the article: test a password of your proposed format, not the exact password.

I, too, have wondered why a site’s login would not consider it unusual that a login is attempted hundreds of times in a row.

Reply

A simple random 6 character

From Kyle on August 26, 2012 :: 4:27 am

A simple random 6 character password would have 742,912,017,120 combinations if it used at least one of each character set. Something like aA1!df
An online attack would take decades. And a site might even block your IP if you flood it with thousands of tries per second.
An online attack is only useful for very common words.

Reply

Wow

From Bob on April 11, 2013 :: 11:51 am

I hope you are not a web designer.

Reply

Most limit the number of attempts

From Bob on April 11, 2013 :: 11:50 am

That is not the problem. Hackers break in and get the entire password database. Then they hack at it at their leisure. You can imagine that they don’t waste much time on the difficult to break ones since there are thousands of easy ones they can harvest in minutes. And then most people use the same username and password on many web sites. That’s a worthy harvest.

Reply

@ TheASCDoctor@gmail.com there's no Submit

From Tony on August 25, 2012 :: 7:12 pm

@ TheASCDoctor@gmail.com there’s no Submit button involved on the sites I use. There’s a strength meter which changes color and percentage as you type the password. There’s also an indicator ranging from Weak, Medium, Strong, to Very Strong. The password is also shown hidden as dots as it is being entered.

Reply

banks and others limit your p/w

From robertpri on August 26, 2012 :: 1:30 pm

Good info, but some financial places won’t allow p/w’s beyond 8 characters and no symbols. Very discouraging because that’s where we keep our money.

Reply

I find it hard to

From Kyle on August 26, 2012 :: 10:00 pm

I find it hard to believe that any bank would have a limit of 8 with no special characters. I wouldn’t even consider putting money in a “bank” like that. The banks I’ve seen have you jump thru hoops to log in.

Reply

They exist

From Bob on April 11, 2013 :: 11:52 am

In fact, they are common.

Reply

Schwab is one example

From Josh Kirschner on April 11, 2013 :: 3:11 pm

It’s hard to believe Schwab would have such poor password policies for account access, but they do. Here’s their password policy:
- 6-8 characters AND numbers
- Include at least one number BETWEEN the first and last characters
- Contain no symbols (!,%,# etc.)

Schwab at least offers the option of an RSA token for more security, but it’s hard to imagine many customers take advantage of that, and it’s far less convenient than simply having a strong password.

Reply

Upside Down Letters & Crazy Symbols as passwords

From Ernesto on April 11, 2013 :: 5:03 pm

Has anybody considered using the following as passwords ?
Even simple words get extraordinary results :

Upside Down Letters :
http://www.sevenwires.com/play/UpsideDownLetters.html

And Crazy Symbols :
http://fsymbols.com/

The downside is that you will need by force a password manager like Keepass : http://keepass.info/
because you can’t “type” those characters per se.

Reply
