What actually is a strong password?
Guest written by: Laurits Vestergaard
What actually is a strong password? Increasingly our lives are online, through innumerable online accounts, all of which require a password. There are constant stories of data breaches and hacks where attackers have taken advantage of weak passwords to steal data, identities and money. Often the default requirement is 8 to 12 characters with at least one special character, number and upper-case letter, and increasingly there is a bar or prompt underneath that tells you how strong or weak your password is. But how ‘strong’ is it actually? At its core, a strong password is one that nobody can guess and that cannot be found in any reasonable time by a brute force attack (where an attacker tries every possible combination of characters) or by a dictionary attack (where they try lists of common passwords and variations of them).
This means you want a password which isn’t common and doesn’t contain personal information that someone could know about you, or find out, and use to guess it. The password also needs to be ‘computationally complex’: the number of possibilities an attacker would have to try must be so large that even a computer cannot work through them in a useful amount of time.
What we ‘think’ is a strong password
The majority of online accounts have specific requirements to make a password ‘complex’ and therefore strong. They are often the same default requirements, and this leads people to take the same ‘shortcuts’ to meet them while still being able to remember the password. Most people will replace an E with a 3 or an L with a 1 to satisfy the number requirement, or always make the first letter of the password upper-case and put the symbol or digits at the end. While these requirements make the password appear strong, the shortcuts are so predictable that password-cracking tools have them built in: they take a list of common words or leaked passwords and automatically apply ‘rules’ (capitalise the first letter, swap letters for look-alike digits, append ‘!’ or ‘123’) to generate the variants people actually choose. So what superficially looks like a strong password is in practice quite a weak one.
Also, it is very hard to remember these combinations of letters and numbers. So people reuse them, choose similar combinations for different accounts, or keep them short. All of these make the passwords less secure.
What actually is a strong password?
To make a password ‘strong’ we have to make it as computationally complex as possible, and that comes through length and variation. With N possible characters and a length of L there are N to the power L possible passwords, so every extra character multiplies the number of possibilities rather than just adding to it, and a longer password is much harder for a computer to work out. There is debate about how long a password needs to be, but it needs to be longer than the minimum 8 to 12 characters required by most online accounts. A longer password made only of lower-case letters is still not hugely complex, because there is less variation per character, so it remains easier to guess or brute force than one of the same length that mixes character types.
There are a number of easy tricks you can use to make your password longer and more complex while still keeping it memorable. Use a passphrase rather than a word: a sentence you will remember, with some letters switched for numbers and symbols. Just make sure it isn’t a memorable or famous quote, as someone else will almost certainly have used it and it will already be in the lists attackers try. Alternatively, you could use three random words; it can be more than three, but three is really the minimum to reach the length a strong password needs. The words must be genuinely random and unrelated, because a phrase that reads like natural language is far easier to guess than a random combination.
To add even more variation you could use misspellings, slang, dialect, punctuation, contractions or phonetic spellings of words, and add in emojis. A frequent and easy mistake is to repeat the same characters many times, like “111!!!!” or “11223344”, in your password. While this looks like it is adding length and complexity, it is actually a very easy pattern to recognise, and cracking tools generate such repeats automatically.
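The following Python is an added example and is not part of the original article. It illustrates the two points made above: a rule-based cracking attack (the kind tools such as Hashcat and John the Ripper run, with thousands of rules against lists of millions of leaked passwords) turns the usual ‘shortcut’ passwords into a small candidate set no matter how strong a meter says they are, while a genuinely random multi-word passphrase gets its strength from the number of words and the size of the list they are drawn from. The wordlist, substitution table and suffix list are constructed for the example; the 7776 figure is the size of a standard diceware wordlist.

```python
import itertools
import math
import secrets

# Constructed toy wordlist standing in for a real cracking dictionary
# (real ones hold millions of leaked passwords).
COMMON_WORDS = ["password", "welcome", "letmein", "dragon", "sunshine", "football"]

# The substitutions people typically use to satisfy a "must contain a number" rule.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}
# Common endings people add to satisfy symbol/number rules.
SUFFIXES = ["", "!", "1", "123", "!1", "2024"]

# Printable ASCII: 26 lower + 26 upper + 10 digits + 33 symbols = 95 characters.
SYMBOLS = 33


def mangle(word):
    """Yield every candidate a small rule-based attack derives from one base word:
    optional initial capital, every subset of leet substitutions, and a common suffix."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    seen = set()
    for capitalised in (False, True):
        base = word.capitalize() if capitalised else word
        for k in range(len(positions) + 1):
            for subset in itertools.combinations(positions, k):
                chars = list(base)
                for i in subset:
                    chars[i] = LEET[word[i]]
                for suffix in SUFFIXES:
                    candidate = "".join(chars) + suffix
                    if candidate not in seen:  # capital + leet can collide, count once
                        seen.add(candidate)
                        yield candidate


def candidates_for_wordlist(words):
    """Full candidate set the rule-based attack would try for a wordlist."""
    cands = set()
    for w in words:
        cands.update(mangle(w))
    return cands


def naive_keyspace(password):
    """Keyspace implied by the character classes present, which is what a typical
    strength meter assumes an attacker has to search."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += SYMBOLS
    return charset ** len(password)


def bits(keyspace):
    """Keyspace expressed as bits of entropy (log2 of the number of possibilities)."""
    return math.log2(keyspace)


def effective_bits(password, wordlist):
    """Return (what a meter reports, what a rule-based attacker actually faces)."""
    meter = bits(naive_keyspace(password))
    cands = candidates_for_wordlist(wordlist)
    actual = bits(len(cands)) if password in cands else meter
    return meter, actual


def passphrase_keyspace(wordlist_size, n_words):
    """Possibilities for n_words chosen uniformly at random from a wordlist.
    Random choice is what makes this count honest: a famous quote is one entry
    in an attacker's phrase list, not wordlist_size ** n_words."""
    return wordlist_size ** n_words


def random_passphrase(wordlist, n_words=3, sep="-"):
    """Generate a passphrase using a cryptographically secure random choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ("P4ssw0rd!", "Football123", "Orange42!"):
        meter, actual = effective_bits(pw, COMMON_WORDS)
        print(f"{pw:12} meter says {meter:5.1f} bits, rule-based attack faces {actual:5.1f} bits")
    # A 7776-word list (the size of a common diceware list) with random words.
    print(f"3 random words from 7776: {bits(passphrase_keyspace(7776, 3)):.1f} bits")
    print(f"4 random words from 7776: {bits(passphrase_keyspace(7776, 4)):.1f} bits")
    print("example passphrase:", random_passphrase(COMMON_WORDS))
```

Running it shows that “P4ssw0rd!” scores about 59 bits on the character-class arithmetic a meter uses, yet the six-word toy dictionary with a handful of rules already produces it among roughly a thousand candidates, about 10 bits of work. With a real dictionary and rule set the gap only widens. Three random words from a 7776-word list give roughly 39 bits and four give roughly 52, and that count holds only because the words were chosen at random rather than from a quote or a natural sentence.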
Make it strong, and don’t reuse!
Passwords are critical to our online life, and with so much more of our information online the consequences of having your password cracked and someone gaining access to your accounts are increasing. This means that making a strong password is essential; passwords are unlikely to be replaced by any other form of security requirement any time soon. Guessing a password directly against a website’s login page is slow, because most sites limit the number of attempts, so that kind of brute force attack is rare. But big data breaches are increasingly common, and when a breach leaks the database of password hashes an attacker can make a very large number of guesses per second offline, with no rate limit at all. A strong password is what keeps it from being guessed or brute forced under those conditions, so it is a real risk today.
While having a strong password helps, using it across all your accounts is still a weakness: if it is cracked or leaked from one site, the attacker has access to a lot of your accounts, and lists of leaked username and password pairs are routinely tried against other sites automatically. One popular solution to this is a password manager, which stores all your passwords so that each account can have its own, and you only have to remember one strong password to unlock the manager. There are a lot of different managers about and it is a case of trying them until you find one that works for you.
There are many useful sites online that will tell you how strong a password is, or whether your accounts have been involved in a breach in the past. Just be sure that the site is legitimate, and try not to put your actual password in; use a different password built the same way to check its strength.
To stay safe online you should also consider using a VPN. Read our article to learn more about them.