Aug 14th

Guidelines for strong online passwords

Criminals are after your passwords so that they can gain access to your bank accounts and social networking sites, and generally steal by impersonating you online. Here we examine ways of strengthening your passwords so that they hold up against brute-force attacks.

A criminal will use dictionary words when trying to guess your password – this is called a dictionary attack, a form of brute-force attack. Password-cracking software can quickly cycle through a range of dictionary words, and combinations of those words with numeric characters, in order to guess a password. A criminal conducting a dictionary attack on an average-speed PC could crack passwords such as "MySecret", "BankEntry", "MyBank9" and "RomeSky" in less than a minute. Other combinations of words, such as "RedCircle", "DavePhone" and "NeverKnow", can all be cracked in much less than an hour.

Password-cracking criminals know that most people add numbers only at the end of their passwords, and generally use an upper-case character only at the beginning of a word. So, for example, "James1964", "AliceJ19" and "Beach200" can all be cracked in a few hours.

Criminals are also aware of the technique many people use of replacing "E" with "3", "S" with "$", "l" with "1", etc. So, for example, "b3each202", "homeba$e" and "1unch500" are all cracked within an hour.

Spelling words backwards is also a technique known to password crackers. For example, spelling the word "secret" backwards and adding a couple of numbers, as in "terces80", gives a password that is easily cracked in a few minutes.
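The weak patterns described above (dictionary words and compounds of them, trailing digits, a capital only on the first character, 3/$/1 substitutions and reversed words) are exactly what a password-policy check should look for before a password is accepted. The following is an added example written for this page, not code from the article or from SentryBay; the word list is a constructed handful of entries for demonstration, and the substitution table contains only the three replacements the article names.

```python
import re
import string
from typing import List, Optional

# Constructed mini word list for the demonstration. A real cracking
# wordlist has millions of entries, so a password that passes this check
# can still fall to a bigger list.
WORDLIST = {
    "my", "secret", "bank", "entry", "rome", "sky", "red", "circle",
    "dave", "phone", "never", "know", "james", "alice", "beach",
    "home", "base", "lunch", "jack", "jill",
}

# The substitutions the article names, inverted so that we can undo them.
UNDO_LEET = str.maketrans({"3": "e", "$": "s", "1": "l"})


def segments(core: str, words=WORDLIST) -> Optional[List[str]]:
    """Split `core` into dictionary words if that is possible.

    Simple dynamic programme: best[i] holds a segmentation of core[:i],
    or None. This catches compounds such as "mysecret" and "homebase".
    """
    best: List[Optional[List[str]]] = [None] * (len(core) + 1)
    best[0] = []
    for i in range(1, len(core) + 1):
        for j in range(i):
            if best[j] is not None and core[j:i] in words:
                best[i] = best[j] + [core[j:i]]
                break
    return best[len(core)]


def weak_patterns(pw: str) -> List[str]:
    """Return the weak patterns found in `pw`; an empty list means none found."""
    reasons = []
    if len(pw) < 9:
        reasons.append("shorter than nine characters")

    # Drop trailing digits first (so a year such as 1964 is not mangled),
    # then undo the 3/$/1 substitutions, then look for dictionary words
    # both forwards and backwards.
    core = re.sub(r"\d+$", "", pw).translate(UNDO_LEET).lower()
    if core and segments(core) is not None:
        reasons.append("built from dictionary words")
    elif core and segments(core[::-1]) is not None:
        reasons.append("reversed dictionary word")

    has_digit = any(c.isdigit() for c in pw)
    if has_digit and not any(c.isdigit() for c in pw.rstrip(string.digits)):
        reasons.append("digits only at the end")

    if [i for i, c in enumerate(pw) if c.isupper()] == [0]:
        reasons.append("upper case only on the first character")
    return reasons


if __name__ == "__main__":
    for candidate in ["MySecret", "James1964", "homeba$e", "terces80", "JaJwuth2fapow"]:
        print(f"{candidate!r}: {weak_patterns(candidate) or 'no weak pattern found'}")
```

Run against the article's own examples, every weak password is flagged for at least one reason, while "JaJwuth2fapow" comes back clean. The check is deliberately conservative: it reports what it can prove from its small list, and silence from it is not proof of strength.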

Passwords are strengthened by making them longer and by avoiding dictionary words. Each extra character multiplies the number of guesses a brute-force attack has to try, so crack times grow very quickly with length. For example:
"JaJwuth2" would take about 15 hours to crack
"JaJwuth2f" would take almost a month to crack
"JaJwuth2fa" would take about 5 years to crack
"JaJwuth2fapow" would only be cracked after millions of years

A technique described below shows how you can create and remember a million-year password such as "JaJwuth2fapow".

Here are some guidelines for making your passwords stronger:
  1. Use different passwords for different websites. In this way, if one of your passwords is compromised, it only affects one website. Using many complex passwords is only practical with password manager software. You should ensure your password manager is protected against key-logging attacks, or else it may simply be a convenient organizing tool for a key-logging criminal.
  2. Avoid dictionary words, people's names and company names.
  3. Use a combination of:
    1. Upper and lower case characters (avoiding upper case only on the first character),
    2. Numeric characters, but not only at the end,
    3. Non-alphanumeric characters (such as "$%^&*").
  4. Replacing "E" with "3", "S" with "$", "l" with "1", etc. adds little complexity, because crackers try these substitutions as a matter of course.
  5. Ensure your passwords are at least nine characters long.
  6. One technique for creating a complex password that you can remember is to take the first character of each word of a song or rhyme you know. So, for example, "Jack and Jill went up the hill to fetch a pail of water" becomes the password "JaJwuth2fapow" (with "to" written as "2"), which currently takes about a million years to crack.
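The two ideas above, deriving a password from the initials of a rhyme (guideline 6) and the way crack time grows with each extra character (the "JaJwuth2" to "JaJwuth2fapow" comparison), can be shown together in a few lines. This is an added example for this page, not the article's or SentryBay's code. The only word-to-digit substitution it knows is "to" → "2", taken from the article's example; the guessing rate of four billion guesses per second is an assumption of mine, not a figure the article states, so the times are illustrative.

```python
import string

# The one word-to-digit substitution the article's example uses ("to" -> "2").
# Any extra entries would be your own convention, not the article's.
NUMBER_WORDS = {"to": "2"}

# Assumed guessing rate for the time estimates; the article does not state
# one, so treat the resulting seconds as illustrative, not measured.
GUESSES_PER_SECOND = 4e9


def initials_password(phrase: str) -> str:
    """Build a password from the first character of each word of `phrase`,
    keeping each word's original capitalisation and writing "to" as "2"."""
    out = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        out.append(NUMBER_WORDS.get(word.lower(), word[0]))
    return "".join(out)


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set containing every
    character of `pw`; a brute-force search has to cover all of it."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def keyspace(pw: str) -> int:
    """Number of candidates an exhaustive search of this shape must try."""
    return charset_size(pw) ** len(pw)


def seconds_to_exhaust(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace(pw) / rate


def growth_table(pw: str):
    """(length, keyspace, seconds) for every prefix of `pw`. Once the
    character classes are all present, each added character multiplies
    the work by the charset size (62 for mixed case plus digits)."""
    rows = []
    for n in range(1, len(pw) + 1):
        prefix = pw[:n]
        rows.append((n, keyspace(prefix), seconds_to_exhaust(prefix)))
    return rows


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit for display."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    pw = initials_password("Jack and Jill went up the hill to fetch a pail of water")
    print("derived password:", pw)
    for n, space, secs in growth_table(pw):
        print(f"{pw[:n]:<14} {n:2d} chars  keyspace {space:.2e}  ~{human_time(secs)}")
```

The table makes the article's point visible: going from eight to nine characters multiplies the work by 62, and the thirteen-character password is out of reach of exhaustive search at any plausible rate. The model only holds for a password that really does force the attacker into exhaustive search; a password that reduces to dictionary words, as the earlier examples do, has an effective keyspace many orders of magnitude smaller, which is why the initials of a rhyme are a better starting point than the rhyme's words themselves.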

Dave Waterson is the CEO of data security company SentryBay, makers of DataMask.