When using computers you will often use passwords to protect files, or to log in to websites or programs. These passwords are like the key for a lock on a door; they prevent others from entering. Without the key you can't get in. If somebody else gets the key, you are not safe any more.
These days, computers are very fast, and hackers make use of this speed to find passwords, simply by trying millions of different passwords until they find the right one.
How do you create passwords that cannot easily be broken by a brute-force attack with a fast computer?
Long passwords
To protect against this type of attack, a good strategy is to use passwords that are long enough. The longer the password, the longer it will take to find it.
Many different characters
But the length of a password is not the only strategy to use. It is also useful to create a password that makes use of a wide range of characters. Passwords that consist of only lowercase characters are easier to break than passwords that combine upper and lower case characters. In a moment we will see why.
Apart from characters from the alphabet, you can also use numbers in passwords, and sometimes other characters as well. By including numbers and other characters in addition to the lower and upper case letters you can create an even stronger password.
Let's compare some different scenarios of making passwords.
The table below shows the number of possible passwords in three different scenarios:
- A = "only lower case passwords" (26 characters from a to z)
- B = "lower case mixed with numbers" (26 characters from a to z, and 10 numbers from 0 to 9)
- C = "lower case mixed with upper case and numbers" (26 characters from a to z, another 26 from A to Z, and 10 numbers from 0 to 9)
Password length | A: only lower case (abc…z) | B: lower case and numbers (abc…z + 0123…9) | C: lower case, upper case and numbers (abc…z + ABC…Z + 0123…9) |
1 | 26 | 36 | 62 |
2 | 676 | 1,296 | 3,844 |
3 | 17,576 | 46,656 | 238,328 |
4 | 456,976 | 1,679,616 | 14,776,336 |
5 | 11,881,376 | 60,466,176 | 916,132,832 |
6 | 308,915,776 | 2,176,782,336 | 56,800,235,584 |
7 | 8,031,810,176 | 78,364,164,096 | 3,521,614,606,208 |
8 | 208,827,064,576 | 2,821,109,907,456 | 218,340,105,584,896 |
9 | 5,429,503,678,976 | 101,559,956,668,416 | 13,537,086,546,263,600 |
10 | 141,167,095,653,376 | 3,656,158,440,062,980 | 839,299,365,868,340,000 |
11 | 3,670,344,486,987,780 | 131,621,703,842,267,000 | 52,036,560,683,837,100,000 |
12 | 95,428,956,661,682,200 | 4,738,381,338,321,620,000 | 3,226,266,762,397,900,000,000 |
13 | 2,481,152,873,203,740,000 | 170,581,728,179,578,000,000 | 200,028,539,268,670,000,000,000 |
14 | 64,509,974,703,297,200,000 | 6,140,942,214,464,820,000,000 | 12,401,769,434,657,500,000,000,000 |
15 | 1,677,259,342,285,730,000,000 | 221,073,919,720,733,000,000,000 | 768,909,704,948,767,000,000,000,000 |
Compare the pink cells in the table
If a computer can break the code A15 in 1 second, then it will take 458,432 seconds to break the code in C15 (which is 5.3 days). This clearly shows the advantage of using combinations of lower case (abc), upper case (ABC) and numbers (0123). It is even better to also include other symbols (when allowed) such as # or @ in the password.
Compare the green cells in the table
Let's say a computer can try 1,000,000,000 passwords per second and we want to be sure that it cannot break our password in two weeks. Two weeks is 1,209,600 seconds, so this computer can test 1,209,600,000,000,000 passwords in those two weeks. The green-marked fields show what password length is sufficient.
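The two comparisons above can be recomputed for any guess rate and time budget. The following is an added example, not part of the original page: the function names and the sample passwords are constructed here, and it assumes every character is chosen uniformly at random.

```python
import string

# Scenarios A, B, C from the table: number of possible characters per position.
SCENARIOS = {"A": 26, "B": 36, "C": 62}
TWO_WEEKS = 14 * 24 * 3600   # 1,209,600 seconds, as in the text
RATE = 1_000_000_000         # guesses per second, as in the text


def keyspace(alphabet_size, length):
    """Number of possible passwords of exactly this length (one table cell)."""
    return alphabet_size ** length


def min_length(alphabet_size, rate=RATE, seconds=TWO_WEEKS):
    """Shortest length whose keyspace exceeds what the attacker can try."""
    budget = rate * seconds
    length = 1
    while keyspace(alphabet_size, length) <= budget:
        length += 1
    return length


def scenario_of(password):
    """Smallest table scenario that covers every character, or None."""
    chars = set(password)
    if chars <= set(string.ascii_lowercase):
        return "A"
    if chars <= set(string.ascii_lowercase + string.digits):
        return "B"
    if chars <= set(string.ascii_letters + string.digits):
        return "C"
    return None  # contains symbols outside the three scenarios


def survives(password, rate=RATE, seconds=TWO_WEEKS):
    """True if trying every password of this length and scenario takes longer
    than `seconds`. Assumes uniformly random characters, so this is an upper
    bound: a guessable word or sentence is weaker than its length suggests."""
    scenario = scenario_of(password)
    if scenario is None:
        raise ValueError("password uses characters outside scenarios A-C")
    return keyspace(SCENARIOS[scenario], len(password)) > rate * seconds


if __name__ == "__main__":
    for name, size in SCENARIOS.items():
        print(name, "needs length", min_length(size))
    print("C15 / A15 =", keyspace(62, 15) // keyspace(26, 15))
    # Constructed sample passwords, not taken from the page.
    print(survives("Xk3pQ9mZa"), survives("abcdefgh"))
```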
Conclusion
Use combinations of lower case, upper case and numbers (and other symbols if allowed), and use a length of at least 9 to create sufficiently strong passwords.
Passwords you can remember
Random looking passwords such as 19TqbFjotlD27 are difficult to remember, but if your grandfather was born in 1927 and if you can remember a known easy sentence like "The quick brown Fox jumps over the lazy Dog" (where nouns were written with a capital letter) it is suddenly much easier to remember it.
Try it for yourself. Just use a sentence you can easily remember (e.g. "I was born in the Year 1963", "My Hometown since 2002 is New York") and turn it into a password (IwbitY1963 or MHs2002iNY).