Remember those good old times when you could just use an all-lowercase password of only six characters? You might have to dig deep into your memories, since those times are long gone. For me, the last such password I can remember was my password for Spele.nl ten years ago. Back then, I could simply use turnen as my password, since that was my favorite sport. However, nowadays you need to include lowercase and uppercase letters, special characters, and digits in your password, which also needs to be at least eight characters long. Why did such a change occur in the last decade, so that we now need much more complex passwords?
The math
To illustrate this, we will start with a simple calculation. When you are asked to create a password from a certain set of characters and of a certain length, that password will fit into a space of all unique options that conform to those requirements. In the math that follows, we assume that the hacker is randomly generating password guesses.
If your password consisted of eight lowercase letters, for example password, iloveyou or welcome, the space would contain $26^8$, or $208,827,064,576$, options. The choice of each letter is independent, since we do not have to use a different letter each time. In other words, we have 26 possible choices for the first letter, 26 for the second, and so on. The password space is thus the product of the possibilities: $26 \cdot 26 \cdot 26 \cdot 26 \cdot 26 \cdot 26 \cdot 26 \cdot 26 = 26^8$. This might seem like an enormous number that is impossible to guess, but unfortunately the opposite is true: it would only take a hacker 3.5 minutes to guess it.
If you also include uppercase letters, the password is already much harder to guess, since you now have 52 choices for each of the eight positions. However, a hacker would still be able to guess it in less than 15 hours. So, let’s include digits. Now we have 62 possibilities for each position, and it takes a hacker about 2.5 days to guess it. If we also include special characters (say !, @, #, \$, %, ^, &, ?, / and +), we have 72 possibilities. It now takes a hacker 70 days.
However, increasing the number of possibilities per character is not the only way to make a password harder to crack. Going from 8 to 12 characters makes the password dramatically harder to guess. With lower- and uppercase letters, digits, and special characters, the space of all unique options is $72^{12} = 19,408,409,961,765,342,806,016$, or close to $19 \cdot 10^{21}$. Thanks to this simple change, it may take a hacker over 15 million years to guess your password.
What makes a password secure?
The longer and more complex a password is, the longer it takes a hacker to crack it. The 15 million years it may take to guess a 12-character password of lower- and uppercase letters, digits, and special characters may seem reassuring. However, even long and complex passwords can be cracked, because most passwords are not truly random and unique.
For a password to be random, you cannot start from a base word and make it ‘more complex’. Take for example the base word password and replace some letters with special characters, digits and uppercase letters; this can become P@55w0rD. A smart hacker will not just ‘go down the list’ and try every option; they use logic to guess the password. So they will not start with aaaaaaaa, then aaaaaaab and aaaaaaac, but with common base words, and then go over all the complex variations of each word. This makes your seemingly strong password much easier to crack. If your password is completely random, hackers cannot make assumptions about a base word and have to fall back on brute force to crack it.
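The password-space arithmetic from the calculation above, together with a count of how small the space of ‘complex’ variations of a base word such as P@55w0rD actually is, as an added Python example (not part of the original article). The guess rate of one billion per second and the substitution table are assumptions: the rate is chosen because it reproduces the article’s 3.5 minutes for eight lowercase letters, and every other time depends entirely on it.

```python
"""Password-space arithmetic and a leetspeak-variant count (added example)."""
import math
from itertools import product

# Character-class sizes used in the article.
LOWER, UPPER, DIGITS = 26, 26, 10
SPECIALS = len("!@#$%^&?/+")  # the ten special characters the article lists

# Assumed guess rate: 1e9/s reproduces the article's 3.5 minutes for 26^8.
ASSUMED_RATE = 1e9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: every position is chosen independently."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float = ASSUMED_RATE) -> float:
    """Worst-case time for a random search to try every option in the space."""
    return space / guesses_per_second


def entropy_bits(space: int) -> float:
    """Strength of the space expressed as key bits (log2 of the option count)."""
    return math.log2(space)


def article_cases(rate: float = ASSUMED_RATE) -> dict:
    """The article's 8-character cases plus the 12-character one: (space, seconds)."""
    sizes = {
        "8 lowercase": (LOWER, 8),
        "8 lower+upper": (LOWER + UPPER, 8),
        "8 lower+upper+digits": (LOWER + UPPER + DIGITS, 8),
        "8 all four classes": (LOWER + UPPER + DIGITS + SPECIALS, 8),
        "12 all four classes": (LOWER + UPPER + DIGITS + SPECIALS, 12),
    }
    return {name: (keyspace(n, k), seconds_to_exhaust(keyspace(n, k), rate))
            for name, (n, k) in sizes.items()}


# Assumed substitution table: the spellings a 'complex' variant of a base
# word can use per letter. Letters not listed get only lower/upper case.
LEET = {"a": "aA@4", "s": "sS$5", "o": "oO0", "e": "eE3", "i": "iI1!"}


def variants(base: str) -> set:
    """Every spelling reachable from `base` by per-character substitution."""
    choices = [LEET.get(c, "".join(sorted({c, c.upper()}))) for c in base.lower()]
    return {"".join(p) for p in product(*choices)}


if __name__ == "__main__":
    for name, (space, secs) in article_cases().items():
        print(f"{name:22s} {space:>30,d}  {entropy_bits(space):5.1f} bits  {secs/86400:12.2f} days")
    print("variants of 'password':", len(variants("password")), "vs", keyspace(72, 8), "random options")
```

Running it shows that the 3,072 ‘complex’ spellings of password are a vanishingly small slice of the $72^8$ truly random options, which is why a base-word password gains almost nothing from the substitutions.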
A password also needs to be unique: you should not use the same password, or even the same base word, for two accounts, because if one of those passwords is compromised, hackers can log in to every account where you use it.
So, are your passwords truly random and unique? Then there is no need to worry: you make it very hard for hackers to crack them. If not, you might want to change your passwords, so that even relentless hackers will have a hard time stealing them.
This article is written by Deirdre Westenbrink