To understand how to create a strong password, it is important to understand how hackers will try to crack your password. Brute force attacks attempt to guess a password by starting with a single character and iterating through every possible combination, one length at a time. Usually a hacker will write a program to do this for them.
TIP
Example: “aaaa”, “aaab”, “aaac”, “aaad”, etc.
TIP
How long does it take to crack passwords with this technique?
Password | Length | Time to Crack |
---|---|---|
abcdefg | 7 character password | .29 milliseconds to crack |
abcdefgh | 8 character password | 5 hours to crack |
abcdefghi | 9 character password | 5 days to crack |
abcdefghijkl | 12 character password | 2 centuries to crack |
WARNING
Even though the previous example shows that the password "abcdefghijkl" would take two centuries to crack, almost no attacker will use this technique on its own to guess a password. Most attackers combine this technique with the next two techniques to guess your password.
Dictionary attacks attempt to guess a password by brute forcing it while substituting common dictionary words or patterns in place of individual letters. Instead of guessing a password by trying every combination of keys on a keyboard, the attacker will try substituting words, common letter patterns (like ABCD, 1234, QWERTY, QAZWSX, LKJHG), and common letter substitutions (@ for a, 8 for b, etc.). This makes guessing a password exponentially faster.
TIP
How long does it take to crack passwords with this technique?
Password | Number of Words | Time to Crack |
---|---|---|
1springarbor! | 2 word password | 15 minutes to crack |
#spring1arbor | 2 word password | 30 minutes to crack |
C%ctu3GR0wsInArizon | 2 word password | 1 month |
GO3anmAKEdis6!pl~sALLofw00rLD | 8 word password | 1 year |
Notice the typos and errors in the bottom two passwords. Attackers would have a very hard time guessing these passwords because they can't substitute words in place of the letters.
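As an added illustration (not part of the original page), here is a small Python estimator for the two attack models described above: it sizes the brute-force search space from the character classes a password uses, and it undoes the letter substitutions an attacker's rule set would also undo before looking for dictionary words or keyboard patterns. The guess rate, the tiny word list and the symbol count are constructed assumptions, so its times will not match the page's tables.

```python
import re

# Constructed stand-ins: the keyboard patterns the page names plus a tiny
# dictionary. A real checker would load a full wordlist instead.
COMMON_PATTERNS = ["abcd", "1234", "qwerty", "qazwsx", "lkjhg"]
TINY_DICTIONARY = ["spring", "arbor", "password", "cactus", "grows", "arizona"]
# Common substitutions the page mentions; they are reversed before matching.
SUBSTITUTIONS = {"@": "a", "8": "b", "0": "o", "3": "e", "1": "i", "$": "s", "!": "i"}


def charset_size(password: str) -> int:
    """Smallest set of character classes that covers this password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # assumption: printable ASCII symbols
    return size


def brute_force_guesses(password: str) -> int:
    """Worst case for the page's iterate-every-length brute force: all
    strings of length 1 up to len(password) over the covering charset."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions, as a mangling rule set would."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password.lower())


def dictionary_hits(password: str) -> list:
    """Words and keyboard patterns still visible after normalisation."""
    text = normalize(password)
    return [w for w in TINY_DICTIONARY + COMMON_PATTERNS if w in text]


def assess(password: str, rate_per_second: float = 1e10) -> dict:
    """Summarise both attack models; rate_per_second is a constructed assumption."""
    guesses = brute_force_guesses(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "brute_force_guesses": guesses,
        "brute_force_seconds": guesses / rate_per_second,
        "dictionary_hits": dictionary_hits(password),
    }


if __name__ == "__main__":
    for pw in ["abcdefg", "1springarbor!", "C%ctu3GR0wsInArizon"]:
        print(pw, assess(pw))
```

A long string of brute-force guesses means little if `dictionary_hits` is non-empty, since the attacker would never search that space letter by letter.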
Dictionary attacks with password pastes use old passwords that you used on other websites that later suffered a data breach. Once a site has had a data breach, it is safe to assume that attackers have any password or personal information you used on that site, unless the site tells you otherwise. The example below is a real example (with a fictitious name) that happened at SAU.
TIP
Example password paste from an incident at SAU: