Q: I’ve been told that my passwords should now be at least 10 characters long in order to be secure nowadays. Is that true?
Passwords tend to be the only thing separating criminals and thieves from our online accounts, which is why they spend so much time creating sophisticated means to compromise them.
The advice you’ll ever hear about creating “strong passwords” is generally designed to thwart sophisticated guessing schemes commonly referred to as “brute-force attacks.”
Those attacks, which are generally done offline by high-speed computer networks, are a systematic process of trying every possible combination of letters, numbers and special characters until the correct combination is figured out.
Long, complex passwords are the best way to combat this type of attack.
Understanding brute-force attacks
If you were to only use two characters for your password, you can see how a high-speed computer could guess every possible combination in the blink of an eye.
In fact, the Gibson Research Password Haystack Tool suggests that any two-character password can be broken in 0.0000000000354 seconds or less.
Each additional character that you add exponentially increases the number of possible combinations — so the longer your password is, the longer it will take for a brute-force attack to be successful.
Most of you have been trained to use complex eight-character passwords; they’re hard for you to remember btu still easy for attackers to crack. With today’s sophisticated password cracking technology, GRC’s tool suggests it’ll take just over a minute to break any eight-character password, no matter what combination of characters you use.
By stretching the password to 10 characters, that minute turns into a week — as long as you have included uppercase characters, numbers and special characters.
Use passphrases, not passwords
If you don’t follow the guidance on using all the required characters, the number of possible combinations drops exponentially.
For instance, the time it takes to crack a complex 10-character password that does not include an uppercase letter goes from a week down to just over six hours.
The key to creating strong, complex passwords that you can remember is to stop using passwords and start using passphrases.
My go-to example of “I H8te Passwords!” is a 17-character passphrase (including spaces) that GRC’s tool suggests would take 13.44 billion centuries to crack.
By creating a passphrase that is personal to you, you have a much better chance of creating a long complex password that you can easily remember.
For example, “I’m Going To Aruba in 2017!” is 27 characters long and uses all the required characters. Some sites don’t allow you to use spaces, but it would still be 22 characters long.
12-character minimum
I personally shoot for at least 12-character passphrases these days, knowing that brute-force cracking technology is going to get faster as time goes on.
If time wasn’t a factor, any password of any length can eventually be broken, but time is a factor with cyberthieves, so make yours long and complex enough so that your accounts aren’t worth their time.
Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on his Facebook page or on Twitter.