How to Pick Passwords That Take Millennia to Crack

Could a hacker crack your password in a few seconds? Or would it take lifetimes before a supercomputer could figure yours out? Making a few tweaks to your password strategy can take you from a hacker's dream to an uncrackable account. But do you know how to pick better passwords that keep hackers out? A new study published by cybersecurity company Hive Systems dives into the specific characteristics of strong passwords and what you can do to make yours uncrackable. Password length, diversity of character types, and uniqueness all play a significant role in how long it takes to crack your password.

What do we mean by "cracking" a password?

Before we look at what makes a password easier to crack, we should clarify what is meant by the phrase "cracking a password." As explained in the Hive Systems study methodology, when you use a website or app that requires a password to log in, password data is stored on their servers. The service uses that data to verify that you are the account holder and are entering the correct password when logging in. Typically, a password "hash" is stored rather than a plaintext copy of the password itself. A hash is a scrambled version of the password, which the service computes every time they need to check if the user is entering the correct password. If a hacker breaks into the service's network and manages to steal the account data, they now have password hashes. To make those hashes usable, the hackers have to "crack" them or try to guess what each hashed password is, then check if the guess was correct. Special programs like Hashcat running on high-speed computers speed up the guessing process. However, the time it takes to crack the hashes depends on which hashing algorithm the service used (MD5 is weak, while PBKDF2 is super strong) and whether users created "good" passwords for their accounts.

How to make a password harder to crack

As we looked over the data for the Hive Systems study, a few things became clear:

1. Uncrackable passwords use ALL available character types - uppercase, lowercase, numbers, and symbols.
2. The absolute minimum length for an uncrackable password is 11 characters (assuming the password uses a mix of all character types).
3. Most passwords created by humans are easy for computers to crack, so generated passwords are better.
4. You may not know which hashing algorithm a website uses to store data, so always create the strongest password possible for every online account.
5. Reusing the same password on multiple sites negates the security benefits of a complex password.

According to the study, an 18 character password that combines numbers, uppercase and lowercase letters, and symbols, would take 438 trillion years to crack, even when the service uses the weak hashing algorithm MD5. In contrast, hackers would instantly crack a 6 character password with the same mix of character types.  In other words, complexity matters, but so does length. And according to NIST, the longer the password becomes, the less important it is to have a mix of character types. So, for example, if you have a 20 character password, perhaps a passphrase based on a unique combination of words or phrases, adding numbers or symbols adds little extra strength. Given the considerable number of leaked passwords now available on the dark web, anything less than a generated 11 character password is asking for trouble. Of course, most of us don't know whether or not our data is on the dark web. The odds are that at least some of your passwords (and usernames and email addresses) are in a database of hacked accounts. That's why reusing passwords is so risky; hackers can easily use the same login combination on other websites. 

Best practices for password security

Staying ahead of password crackers takes some effort but ultimately comes down to a few simple steps.

1. Make every password unique - no two accounts should use the same password, ever.
2. Focus on long, complex passwords; ideally, 18 or more characters using a mix of character types.
3. Generate passwords with a password generator, rather than thinking up each new password yourself.
4. Use a password manager to generate, store, and enter passwords.
5. Create a long passphrase as the master password to your password manager.
6. Add extra layers of protection to accounts by turning on security alerts and enabling two-factor authentication.
7. Change passwords when a website experiences a data breach and keep an eye out for suspicious account activity

Ultimately, a good password security strategy is fundamental to protecting yourself online. Taking the time to create uncrackable passwords will help safeguard your personal information against theft and abuse. A password manager like LastPass simplifies password security by creating, storing, and filling all passwords for you. Check out LastPass Premium to make hacker-proof passwords and monitor the dark web to know when your accounts are at risk.