All of the cybersecurity measures described in previous articles rely on some kind of password, so they won’t offer much protection if your passwords are easily guessed. Your computer’s storage could be fully encrypted, but if the password is something weak like “Password1” then it won’t matter, because that will be one of the first guesses any attacker makes. Ultimately, even your anti-malware software can be disabled by anyone who has your login password, so you really need to use strong and unique ones. But what constitutes a “strong” password?

Essentially, it’s one that’s hard to guess. “Social engineering” is commonly used to try to get the password directly from you, or at least information that makes it easier to figure out. This is that all-too-familiar situation where someone contacts you, by email or phone call for instance, and tries to deceive you into divulging personal details. They may even be able to obtain these details without contacting you, such as by looking at your social media profiles. Therefore, avoid using passwords which contain personal information, such as your children’s names or dates of birth. (Also, you may want to think about removing some of this data from your social media profiles.)

However, bad actors can still attempt to work out your password even if they don’t have any of your personal information, or if your password doesn’t contain any. To do this, they can use software to systematically make guesses at a rapid rate. This is known as “cracking” the password.

Crack dealing

As you probably know from logging in to websites, trying too many incorrect passwords usually results in some kind of cooling-off period or extra verification procedure. Also, there’s a delay between attempts, so how could someone do this fast enough to determine the correct password?

For security, your password is not stored on the server in the form you typed it; it’s stored in “hashed” form. “Hashing” is a process that transforms each password into a seemingly random string of characters from which it’s extremely difficult to work back to the original sequence. Unlike encryption, there is no key that reverses it: it’s designed to be one-way. When a login attempt is made, the entry is run through the same hashing algorithm and the result is compared with the stored hash; a match means the password was correct. Good implementations also mix a random per-user value (a “salt”) into the password before hashing, so that two people with the same password don’t end up with the same hash.

Sometimes, a company or organisation suffers a data leak in which the list of users’ hashed passwords appears on the Internet (which happens stupidly often, usually due to decision-makers not understanding cybersecurity). Because anyone can recompute the hash, a bad actor can take that list offline and run candidate passwords through the same hashing algorithm at full speed, comparing each result against the leaked hashes; no login page is there to rate-limit them. Once there’s a match, they’ve got your password. How fast this goes depends on the hash the site chose: a general-purpose hash such as MD5 or SHA-256 can be tried billions of times per second on a single graphics card, whereas hashes designed for passwords (bcrypt, scrypt, Argon2) are deliberately slow and cut that rate by several orders of magnitude. You don’t get to choose which one the site used, which is why the password itself has to carry the load.
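Here is an added worked example (my Python illustration, not code from the original article) of the whole loop: the server stores a salted hash, checks a login attempt against it, and an attacker who has stolen the record runs a dictionary-plus-substitutions attack against it offline. The substitution table, the five-word wordlist, the salt and both “leaked” hashes are constructed for the demonstration. SHA-256 is used precisely because it is fast, which is the property that makes the attack cheap; it is not a recommendation.

```python
import hashlib
import hmac
import itertools
from typing import Dict, Iterator, List, Optional, Tuple

# Deliberately a fast hash. One SHA-256 round is exactly the kind of function a
# cracking rig evaluates billions of times per second; real systems should use a
# slow, salted password hash such as Argon2, scrypt or bcrypt instead.
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def verify(password: str, salt: bytes, stored_hash: str) -> bool:
    """What the server does at login: hash the attempt and compare with the stored hash."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


# Assumed substitution table, a small stand-in for the rule sets shipped with real
# cracking tools. Each letter may stay as it is or become any character listed.
SUBSTITUTIONS: Dict[str, str] = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def leet_variants(word: str) -> Iterator[str]:
    """Yield every mix of substitutions for `word`, each also with a capitalised first letter."""
    choices = [ch + SUBSTITUTIONS.get(ch, "") for ch in word.lower()]
    for combo in itertools.product(*choices):
        candidate = "".join(combo)
        yield candidate
        if candidate[0].isalpha():
            yield candidate[0].upper() + candidate[1:]


def crack(stored_hash: str, salt: bytes, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Offline attack on one leaked record: hash each word and variant until one matches.

    Returns (recovered password or None, number of guesses made). The salt is stored
    alongside the hash, so the attacker has it too; it stops precomputed tables being
    reused across users, it does not slow down guessing one user's password.
    """
    guesses = 0
    for word in wordlist:
        for candidate in leet_variants(word):
            guesses += 1
            if hash_password(candidate, salt) == stored_hash:
                return candidate, guesses
    return None, guesses


# Constructed data for the demonstration: a five-word "dictionary" and one fixed salt
# (a real system would draw a random salt per user, e.g. os.urandom(16)).
WORDLIST = ["password", "welcome", "dragon", "terrible", "sunshine"]
SALT = b"constructed-salt"
LEAKED_WEAK = hash_password("T3rr!ble", SALT)
LEAKED_STRONG = hash_password("kX9#vQ2m&Lp7!wR4@nTz", SALT)  # 20 random printable characters


def demo() -> dict:
    weak, weak_guesses = crack(LEAKED_WEAK, SALT, WORDLIST)
    strong, strong_guesses = crack(LEAKED_STRONG, SALT, WORDLIST)
    return {
        "weak": weak, "weak_guesses": weak_guesses,
        "strong": strong, "strong_guesses": strong_guesses,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the weak hash falls within a couple of hundred guesses, while the random 20-character password survives the whole wordlist, not because the hash protects it but because no dictionary contains it. Swapping SHA-256 for bcrypt or Argon2 would make every guess thousands of times slower, but would not change which of the two passwords gets found.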

Given enough time, any password can be cracked. However, the procedure naturally takes longer the more guesses are required. A truly “strong” password is one that would take an impractical amount of time to crack.

To achieve this, you need to maximise the amount of uncertainty in your password: the number of candidates an attacker has to work through before hitting yours. Cryptographers measure this in bits of “entropy”.

In these uncertain times

As an illustration, let’s imagine you use the password “T3rr!ble” to log in to an online account. The company suffered from a data leak, so now an attacker has your password in hashed form and is attempting to crack it.

You may think that substituting a “3” for the letter “e” and an exclamation mark for the letter “i” makes it harder to guess your password, but attackers are wise to this (mainly because everyone does it) so it doesn’t increase the uncertainty by much.

Cracking software therefore doesn’t guess blindly. It typically works through a dictionary of words and previously leaked passwords, applying “rules” that encode the usual tricks: common character substitutions, capitalising the first letter, appending a year or an exclamation mark. Here’s how it might guess common substitutions within the word “terrible”:

[Figure: the password ‘T3rr!ble’ with an arrow pointing to each of the characters ‘T’, ‘3’, ‘!’ and ‘e’, showing all of the possible substitutions for each.]

With that substitution table, the number of possible combinations is 495. Given that a modern desktop computer with a decent graphics card can make billions of guesses per second against a fast hash, those 495 variants cost the attacker about half a microsecond. By some estimates, the English language contains about a million different words; even a dictionary of every one of them, with every substitution applied to each, would be exhausted in around half a second.

Now imagine that, instead of a word, your password were composed of 20 characters chosen at random from the 95 printable characters on a standard keyboard (upper- and lower-case letters, digits, punctuation and space). The cracking software has no shortcut here: there are 95 possibilities for each of the 20 positions, so the number of candidates is 95 multiplied by itself 20 times.

That’s a lot of uncertainty. In fact, 95^20 is about 3.6 × 10^39 possibilities (roughly 131 bits of entropy). At a billion guesses per second, trying them all would take around 10^23 years, trillions of times the current age of the universe. Although computers become faster as technology develops, this type of password would still outlive any attacker attempting to crack it now.
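To put numbers on both scenarios, and to generalise the arithmetic above to any alphabet size, password length and guess rate, here is an added Python calculator (mine, not code from the original article). The 495-variant figure and the one-million-word dictionary come from the text; the two guess rates are labelled assumptions, order-of-magnitude figures for one graphics card rather than benchmarks. It also shows the right way to generate a 20-character random password, from the operating system’s cryptographic random source rather than the `random` module.

```python
import math
import secrets
import string
from typing import Dict

# The 95 printable ASCII characters: digits, letters, punctuation and the space.
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "
assert len(PRINTABLE) == 95

# Assumed guess rates (guesses per second) for a single modern GPU. Order-of-magnitude
# illustrations, not benchmarks: the article's "billions per second" is the regime of
# fast general-purpose hashes; a purpose-built slow password hash is far slower.
GUESS_RATES: Dict[str, float] = {
    "fast hash, one GPU (article's assumption)": 1e9,
    "slow password hash such as bcrypt or Argon2 (assumed)": 1e4,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def dictionary_keyspace(words: int, variants_per_word: int) -> int:
    """Candidates a dictionary-plus-rules attack must try: every word in every variant."""
    return words * variants_per_word


def entropy_bits(candidates: int) -> float:
    """Uncertainty in bits: how many fair coin flips' worth of unpredictability the attacker faces."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate (on average the password turns up in half that)."""
    return candidates / guesses_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def random_password(length: int = 20) -> str:
    """Uniformly random password over the printable alphabet, using the OS CSPRNG."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def report() -> Dict[str, Dict[str, float]]:
    """Entropy and worst-case crack time (in years) for the article's two scenarios."""
    scenarios = {
        "dictionary word with substitutions": dictionary_keyspace(1_000_000, 495),
        "20 random printable characters": keyspace(len(PRINTABLE), 20),
    }
    out: Dict[str, Dict[str, float]] = {}
    for name, candidates in scenarios.items():
        out[name] = {"bits": entropy_bits(candidates)}
        for rate_name, rate in GUESS_RATES.items():
            out[name][rate_name] = years(seconds_to_exhaust(candidates, rate))
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(name)
        for key, value in row.items():
            print(f"  {key}: {value:.3g}")
    print("example strong password:", random_password())
```

The dictionary scenario works out to under 30 bits, which no choice of hash function can rescue; the random 20-character password is over 130 bits, and even the fast-hash rate leaves it far beyond reach. The slow-hash row shows what the site can do for you: it buys several orders of magnitude, but only the password’s own entropy decides which side of “practical” you end up on.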

Remember that your password is unique… just like all of the others

It should be noted that any organisation which suffers a data leak should inform you that it’s happened, so that you can change your password. This is where the advantage of having unique passwords comes in. Attackers routinely take the username and password pairs from one leak and try them on other popular sites (known as “credential stuffing”), so if you re-use a password on multiple websites and it gets leaked from one of them, you need to change it on them all or risk those other logins being accessed. However, if every password you use is unique, you only need to change the leaked one.