Weak vs Strong Passwords

While moving from one web hosting provider to another, I came across a server log that showed a list of failed login attempts, detailing seven days of attempted break-ins near the end of this last September. Fortunately, my password is reasonably strong, but it could be a lot better.

Of the two dozen or more offending hosts, three of them collectively attempted more than 25,000 attacks. Most of the rapid-firing attacks lasted only a few minutes.

  • vivio.treda.com.tr (Turkey; 1,925 attacks)
  • 193.0.81.42 [fizyk2.fuw.edu.pl] (Poland 11,239 attacks)
  • 221.215.127.171 (China; 12,155 attacks)

Hackers frequently perform dictionary attacks on sites, using readily downloaded lists of commonly known weak passwords, such as admin, 1234, password, abc123, p@$$w0rd, asdf, qwerty, aaaa, and other easily guessed passwords. According to a recent study, 8% of all passwords in use today are a common word found in the dictionary followed by a “1”. With an abundance of word lists available online, dictionary attacks are often very successful. And fast.

I wasn’t too worried about the break-in attempts, because my login password for that website was seven random digits long — somewhat secure, considering that it is not a word contained in any dictionary and had both letters and numbers. But if someone where to obtain a hash of that password, modern computers capable of generating 3 million passwords a second could easily hunt offline through the 78.3 billion combinations (26 letters, 10 numbers, 7 digits = 36^7) in less than eight hours.

Choosing Strong Passwords

How do you choose a strong password to help foil the attackers?

  • Use the entire keyboard, not just the most common characters. Passwords should contain a mix of upper and lower case letters, numerals, special characters, and punctuation. Unfortunately, not all websites allow passwords to contains punctuation or other special characters.
  • Your password must be at least 8 characters long (it should be at least 10, and longer is even better). Even passwords with fewer than 15 digits have their own vulnerabilities. Each character that you add to your password will exponentially increase the protection it provides.
  • Don’t base the password on any personal information (dates, pets, addresses, kid’s names, cities, jobs, schools, ex-girlfriends, cars, etc.) or on any word in any dictionary in any language.
  • Don’t write the actual password down. My one exception to this rule is print a copy of banking, financial, and computer passwords for storage in a safety deposit box at the local bank. Instead, develop a mnemonic for remembering complex passwords. The mnemonic should be created in such a way as to be safe to write down.
  • Don’t otherwise tell your password to anyone. Ever.

Check the strength of your password with an online checker such as Microsoft’s JavaScript Password Checker. Don’t worry, using a password checker on the website of a reputable company doesn’t usually transmit your password over the Internet, only your JavaScript-enabled browser sees it. A word of warning: presented under the guise of providing a free service to the community, password checkers on unknown, remote websites might just be collecting passwords for later use…

In the meantime, I’ve taken my own advice. My passwords to access my web server and my banking websites are now between 15 and 20 digits long. That should continue to keep the bad guys out for the next sixty-four quintillion years.



Leave a Reply

  • (will not be published)