Passwords 101

You've probably heard by now that you need to use strong and unique passwords. A password needs to be 8 characters long and include at least one uppercase letter and number, and sometimes a special character such as punctuation as well.

Many people complain about these requirements, enter “Pa$$w0rd” and think they're fine. And, since most websites have similar rules, they use this same password again and again, thinking they are safe. They're very wrong.

The false sense of peace and security that too many people feel when using passwords like this comes from a fundamental misunderstanding of the reasons behind the “strong and unique” advice. The biggest concern with secure passwords is not creating a password that no human will ever guess, but rather minimizing the damage done when hackers gain access to the database of a website you are registered on. Websites get hacked frequently, and even major sites like Adobe and Sony have had user data stolen recently.

If a website that you used was hacked, how much danger are you in? The answer to that question depends greatly on how they were storing passwords. A lot of websites store passwords in their databases in “plain text,” which has been warned against for over a decade now because anyone who has access to the database immediately knows your password. Many more websites use something called a “hash” that converts your password into gibberish in a way that is difficult to reverse, which is better but still discouraged because of the tools that hackers have at their disposal. The recommended way of storing passwords is something called a “salted hash” which is very similar to a regular hash, except that it has a little bit of extra randomness to it so that even two identical passwords have different values when stored, rendering the tools that the hackers use useless.

Assuming that the website stores your password correctly, it is still only a matter of time until the hacker knows your password, and the amount of time it takes to “brute force” it depends on how strong your password is. Passwords such as “123456” or “password”, which are still among the top ten most commonly used passwords, will fail almost immediately, as will any common password with numbers or special characters substituted for some of its letters (such as “p@ssword”). Even a completely random password that is eight characters of gibberish will be cracked in about 12 hours.

The length of time it takes to crack a password that is not in a hacker's “dictionary” of common passwords can be estimated by taking the number of possible characters (the lowercase alphabet is 26, add 10 if using numbers, 26 more for uppercase letters) to the power of the length of the password. This means that “card” should take 26 times as long to crack as “car” and a 26th as long as “cards.” When it comes to passwords, length is usually more important than complexity. It is estimated that “my password”, which is all lowercase, will take an entire year, while “IaR0ieK#” will take only 9 hours.
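The estimate above, worked through as an added Python example (written for this page, not the author's code): the search space is the size of the character set actually used raised to the password's length, except that anything in a cracker's dictionary, including the “p@ssword”-style substitutions, is only as strong as that dictionary is long. The five-entry COMMON_PASSWORDS list and the guess rate of ten billion per second are constructed placeholders, not measured figures.

```python
import string

# Constructed stand-in for a cracker's dictionary; real lists hold millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}

# Substitutions that cracking tools undo automatically, so "p@ssword" and
# "Pa$$w0rd" count as dictionary hits, not as gibberish.
LEET_MAP = str.maketrans("@$0134!7", "asoleait")

# Printable ASCII punctuation plus space: the "special character" class (33 symbols).
PUNCTUATION = string.punctuation + " "


def is_common(password):
    """True if the password, or its de-substituted form, is in the dictionary."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or lowered.translate(LEET_MAP) in COMMON_PASSWORDS


def charset_size(password):
    """Possible characters per position, counting only the classes actually present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in PUNCTUATION for c in password):
        size += len(PUNCTUATION)
    return size


def keyspace(password):
    """Guesses needed to exhaust the search space: charset ** length,
    or just the dictionary size when the password is a common one."""
    if is_common(password):
        return len(COMMON_PASSWORDS)
    return charset_size(password) ** len(password)


def crack_time_seconds(password, guesses_per_second=1e10):
    """Expected time to reach the password; on average half the space is searched.
    The default guess rate is an assumed placeholder, not a benchmark."""
    return keyspace(password) / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ["car", "card", "cards", "Pa$$w0rd", "IaR0ieK#", "my password"]:
        days = crack_time_seconds(pw) / 86400
        print(f"{pw!r:16} space={keyspace(pw):.3e}  time={days:.3f} days")
```

Running it shows “card” costing exactly 26 times “car”, and a sixteen-letter all-lowercase string outranking an eight-character mix of all four classes, which is the length-beats-complexity point in numbers.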

Having a strong password won't protect you against poor security practices, however, and any password is immediately available to a hacker who has access to passwords that are stored in plain text. And, considering that the number of users who had their data stolen in a hack last year alone was greater than the total number of people on Earth, everyone should simply assume that at least one of their accounts has been hacked. This is especially dangerous for those who, like most people, use the same password for email, online banking, etc., because once a hacker has the password to one of these, he has access to everything else. This is why many security experts say that using unique passwords is more important than using strong passwords.

“Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
(xkcd: Password Strength)

There are two main techniques for creating strong and unique passwords: using passphrases or using password managers. Passphrases are passwords that consist of a few whole words, optionally with character substitution, which makes long passwords much easier for humans to remember. Password managers, on the other hand, remember passwords for you, allowing the use of extremely long and complex passwords while avoiding the problem of remembering them entirely.