Your password might not be as secure as you think.
Megan Squire, professor of computing sciences at Elon University, delves into how to make the strongest password to keep your information safe.
Dr. Squire joined Elon’s faculty in 2003 after completing her Ph.D. in Computer Science at Nova Southeastern University. She has also worked at several technology startups in Research Triangle Park, NC and in south Florida. At Elon, Dr. Squire teaches courses in database systems, data mining, data science, and cybersecurity. Her research centers around the collection, curation, and federation of large amounts of data about how free, libre, and open source software (FLOSS) projects are developed.
Why do web sites make us add all kinds of numbers and punctuation into our passwords? Does that really help make them harder to guess?
When a hacker gets a list of stolen credentials, our easiest targets are the folks who used dictionary words (like ‘dragon’ or ‘password’) or really common passwords (like ‘abc123’ and ‘qwerty’). But for weird passwords that we’ve never seen before, we’ll have to conduct what’s called a brute-force attack. This means writing software to try every possible combination until we find a match. A well-chosen password will make the brute force attack take as long as possible.
So which passwords take the longest to crack? The answer might surprise you.
Turns out, the longer the password, the more difficult it will be to crack, even if the password is only made of lowercase letters. Here’s why:
Consider a 6-character password made up of any of the 95 letters, numbers, or symbols on a keyboard. Guessing that short password means our software has to try 95 to the 6th power, or about 735 billion, different combinations. That sounds like a lot, but a 10-character password made up of only lowercase letters gives 26 to the 10th power, or about 141 trillion, possibilities. So, the longer the password, the more time the brute-force attack will take, even if the diversity of characters is relatively low.
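The two calculations above, carried through as an added example (not code from the original article): a small Python checker that first rules out dictionary and common passwords, as described earlier, and otherwise computes the brute-force search space from the password's length and character classes. The common-password list and the guess rate of one billion guesses per second are constructed assumptions.

```python
import string

# Constructed stand-in for a real common-password / dictionary list.
COMMON_PASSWORDS = {"password", "123456", "abc123", "qwerty", "dragon"}

# Keyboard character classes; together they make up the 95 printable ASCII symbols.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": set(string.punctuation) | {" "},   # 33
}


def alphabet_size(password: str) -> int:
    """Size of the smallest keyboard alphabet that contains every character used."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Worst-case number of combinations a brute-force attack must try: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Return why a password is weak, or how long exhausting its search space would take."""
    if password.lower() in COMMON_PASSWORDS:
        # A dictionary hit is found immediately; length and symbols do not matter here.
        return {"weak": True, "reason": "common or dictionary password", "search_space": 0}
    space = search_space(password)
    return {"weak": False, "search_space": space,
            "seconds_to_exhaust": space / guesses_per_second}


if __name__ == "__main__":
    # 6 chars drawn from all 95 symbols vs. 10 lowercase letters, as in the article.
    for pw in ("a1!B2@", "abcdefghij", "Password"):
        print(pw, assess(pw))
```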
This is why security experts now recommend choosing as long a password as possible, and worrying about character complexity second. While you’re at it, you should use a different password for every site or application, and get some password management software to keep track of all this. And above all, never use ‘password’ or ‘123456’ as your password!