
How to choose the perfect password

  • May 4, 2023

P@s$w0ord isn’t a good password, but what is? Complexity is not the key, length is. We explain the best strategy for a usable and strong password.

For me, every first Friday is World Password Day. The password is not the most secure technique, but it is by far the most common one for using accounts and online identities. As long as we have to share them, we’d better make sure they’re safe. And note: secure does not necessarily mean unreadable or complex.

Websites of all kinds have trained us to pick bad passwords for years. Special characters, capital letters and numbers seem sacred, while a length of just eight characters is usually considered sufficient. Such passwords are difficult for humans to remember, but easy for computers. Special characters won’t save you from hackers or malware, but a healthy password length will. As an added bonus, you can choose something you can actually remember.

Child’s play with brute force

Before we explain exactly what a good password is, you need to know what makes a bad password so bad. Criminals today have exponentially more computing power at their disposal than about ten years ago. They can use it to guess your password. This doesn’t happen in a subtle way: attackers simply try combinations, sometimes based on dictionaries, and sometimes at random. Such a brute-force attack can be very successful against a modest password.

In 2023, it takes less than a second to crack a six-character password.

Take R8@bl# as an example. This password combines uppercase and lowercase letters with numbers and symbols. Security experts from Hive Systems have investigated how long it takes to crack such a password in 2023. The answer: less than a second.

Special characters help a little

The same applies to eftanvie, an eight-character password with all lowercase letters. Varying the kinds of characters does play a role here: if you choose Eft@nv13, it takes about five minutes to crack the password. That is less dramatic, but still not long.

The longer your password, the harder it is to crack. Add a character to the above password, for example Eft@nv13A, and the cracking time is already six hours. A tenth character turns that into two weeks, and an eleventh into three years. A few weeks might be enough to protect an unimportant personal account, but it is not long enough if the password gives access to really sensitive data.

Twelve characters or more

Microsoft recommends that you do not make a password shorter than twelve characters and preferably even choose fourteen. A 14-character password with uppercase and lowercase letters but no numbers or symbols can be cracked in about 17,000 years. If you add numbers or symbols, a successful attack could easily take a million years. Such passwords are currently practically uncrackable and also appear to be relatively future-proof. On the other hand, in 2022 it still took sixteen million years to crack a similar password: computing power will surely catch up with a short password.
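The length-versus-complexity argument above can be checked by comparing search-space sizes. The following is an added example, not code from the original article or from Hive Systems: the guess rate is an assumption (real rates depend on the hash and the hardware), and Eft@nv13Ab7 and SoftFatCatNaps are constructed samples.

```python
import math
import string

# The four character classes the article talks about (ASCII only).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password: str) -> int:
    """Symbols a brute-force search must try per position.

    If a password uses one member of a class, the attacker has to cover
    the whole class: 26 lowercase, 26 uppercase, 10 digits, 32 symbols.
    """
    size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    # Anything else (space, accented letters) is counted once per distinct char.
    other = {ch for ch in password if not any(ch in cls for cls in CLASSES)}
    return size + len(other)

def keyspace_bits(password: str) -> float:
    """log2(alphabet ** length): size of the exhaustive search, in bits."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))

def worst_case_years(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace at an ASSUMED guess rate.

    Upper bound only: dictionary words, names and leaked passwords fall
    long before an exhaustive search would reach them.
    """
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    RATE = 1e11  # assumed guesses per second; depends on hash and hardware
    # First three are from the article; the last two are constructed samples.
    samples = ["eftanvie", "Eft@nv13", "Eft@nv13A", "Eft@nv13Ab7", "SoftFatCatNaps"]
    for pw in samples:
        print(f"{pw:<15} len={len(pw):>2} alphabet={alphabet_size(pw):>2} "
              f"bits={keyspace_bits(pw):5.1f} "
              f"years<={worst_case_years(pw, RATE):.3g}")
```

Each extra character adds log2(alphabet) bits, so the 14-letter sample with no digits or symbols ends up with a larger search space than the 11-character sample that uses all four classes.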

Passwords are a thing of the past; it’s better to speak of a passphrase. An ideal passphrase can be much easier to remember than just six random characters. It’s a good idea to work a few numbers and symbols into such a phrase, and by no means limit yourself to words from the dictionary. Go for any nonsense that means nothing to a computer but does mean something to you.

Snorreke eats pieces of Purina

We give an example. Maybe you have a cat named Snorreke who likes to eat Purina kibble in the kitchen. You yourself are not averse to dialect. In that case, you could settle on MustachePuri@keuke1. This password has twenty characters. Hive calculated the crack time for eighteen-character passwords. If you use all character types in such a password, the cracking time is 26 trillion years. For MustachePuri@keuke1 it is even longer. A dictionary-based attack won’t help a hacker here either.

Length is therefore the most important parameter for a good password. Mustachioedpurias, a shorter version without special characters, can withstand a thousand years of brute-force attacks thanks to its length of thirteen characters.

Rules of thumb

So for a good password choose:

  • A passphrase of at least twelve characters, but preferably more than fourteen;
  • A combination of upper and lower case letters, preferably supplemented with numbers and special characters;
  • No names of people, streets, companies, or anything else that can be looked up online or in a dictionary;
  • A passphrase that differs significantly from your other passphrases;
  • A phrase you can remember yourself.

We share a few more examples for inspiration:

  • 1LoveS0ftF@tCat$
  • B00tjeVaren@ZilverLak3
  • @woeL0mpeHackerz
  • Hopefully Unable

All of these passwords are long and contain complex characters, so a brute-force attack must consider the full range of available characters. You can imagine that someone with a fat cat, a fan of the Zilvermeer recreation area, a hater of dumb hackers and a hopeful person can remember these passwords. Each of them is easier for a person to remember than the insecure R8@bl#.

Keep the tips above in mind when you need to create a new secure password, but don’t forget that passwords are never watertight. Do not under any circumstances share them, including with family and friends, and use MFA whenever possible. And do you occasionally come across a website that displays an error because your password is too long? Then avoid it, or send an angry email if you have no other choice.

This piece was originally published as part of our October 2022 Safety Month. We’ve updated the piece based on the latest password security numbers.

Source: IT Daily
