Basically I found many people discussing passwords and the like.
So I went to Google around and found out that they don't really explain much in detail. So I went ahead and did my own research.
But after about a week of research and asking around, I found out that about 70% of the information I found is generally false or half-true.
Why? Mainly because they are methods from the past that were carried over. If used today, they are less effective.
Password Strength, what's that?
But first, what is password strength? From Wikipedia:
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
The most common methods used to hack passwords nowadays are:
- Dictionary Attack
- Phishing
- BruteForce
But those are less often used, as you would most likely only see expert hackers able to do them. If you have that kind of hacker up against you, then password strength won't really help you anyway; it's mostly other factors.
Dictionary Attack, Bruteforce... what are those?
In order to make our passwords stronger, we first need to understand the common methods used to hack them.
Nowadays script-kiddies using built-in tools, or some average hacker who makes themselves a bruteforce tool, would try to crack a password that way.
What is bruteforce?
Bruteforce is an extremely powerful tool used to crack passwords; it is often used as a last resort by expert hackers. Bruteforce is basically that one guy you see in FPS games, spamming all his rounds till his target dies. Except that in this case, bruteforce only stops when it manages to crack the password or when the owner tells it to stop.
So bruteforce... how does it work?
Bruteforce basically tests every possible combination for a password, from [a..z], [1..0] and even symbols like [/..\]. In certain cases where needed, it even tests combinations of unique characters from other languages like [是..我]. This is what makes it a powerful tool with a 100% success rate on cracking ALL kinds of password.
But why do people say it 'fails'? Mainly because bruteforce requires time. It can't test all 1 million possible combinations in just one second. On average, it does 500~3000 guesses/second depending on the specs of the user's computer. Hence, bruteforce can really take a long time, especially if the password is long. [But some experts know how to reinforce their bruteforce, so they may even go higher than 10000 if their system can take it!]
Dictionary Attack?
Dictionary Attack is the 'lazier' version of the bruteforce attack. Instead of testing all kinds of possible combinations of letters, numbers and symbols, it only tests words. Meaning that it will only try all the words in the English language (or some other language) until it manages to crack the password. This is less effective but a faster version.
For phishing and some others, I will cover them later since they are not really related to password strength.
Making a strong password!
With the above information, you should now clearly see that for a password to be strong, we need to:
- Make it long
- Make it complex
- Make it senseless (for the system)
But also, do take note that we need the password to log in, so it must be easy to remember.
So let's start with an example. Let's just say we want our password to start off with 'creator'. So you can basically rack your brains messing around with it and most likely end up with 'Cre@tor' instead. That right now is fine but still weak, as the length is not long enough. So we can simply add the word 'union' to it. So it becomes 'Cre@tor union'. But notice how the second word makes sense to the system? Just simply modify it a little bit and it becomes 'Cre@tor Un1on', and we are actually done here!
End result: Cre@tor Un1on
Effectively, we just made a password that is easy to remember as well as hard to guess.
This password actually has close to ~60 bits of entropy, which would take a few years for bruteforce to crack if it operated at 3000 guesses/second. If we take into account slightly more reinforced bruteforce attacks, this password would still be effective, as it would still take many months for the bruteforce to crack it.
If you still feel insecure, you can add 'The' at the front. It doesn't matter if you modify it or not, since you already have 2 complex "words" backing it up; let's not make your life harder.
Why is that 70% of the information false today?
Let me state something first: they are NOT false. They are just ineffective today.
Those methods could have been effectively applied in the past without too many problems. But since new and better stuff (hacking tools) is always coming up, changes need to be made.
Why are those methods ineffective? Simply because the results are:
- Hard to remember
- Not long enough
Let's say, for example, using our past example above, the previous method would have only focused on 'creator'; they would tell you to add symbols, add numbers at the front, reverse it... etc.
And at the end of the day? The result they give would most likely be this: 123R0t@erc
And they just made us a password that is hard as hell to remember, short and easy to guess.
That password would have up to ~42 bits of entropy, which would take a few weeks or less for the bruteforce to crack at 3000 guesses/second. If we take into account slightly more reinforced bruteforce attacks, this password would be cracked within a few days.
Hence? This effectively shows that this method is less effective than our previous method, since it's easier to crack. (Plus, would you rather remember "123R0t@erc" or "Cre@tor Un1on"?)
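As an added worked example (my own code, not from the original post), here is a naive entropy estimator that runs the post's four candidate passwords through the same arithmetic the post does by hand: alphabet size to the power of length, then the time to exhaust that keyspace at 3000 and 10000 guesses/second. It assumes every position is uniformly random over the character classes present, so its bit counts are an upper bound and will not match the post's ~60 and ~42 figures exactly; what it shows is that adding a second word adds far more bits than substituting or reversing within one word.

```python
import math
import string

# Character classes an exhaustive search must cover once a password
# uses even one character from that class (an assumption of this model).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),
}


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force run would have to iterate over."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Naive estimate log2(alphabet ** length). This is an upper bound:
    it assumes every position is uniformly random, so it comes out higher
    than the post's hand figures (~60 and ~42 bits)."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: every guess in the keyspace is tried."""
    return 2.0 ** bits / guesses_per_second


def human(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare(passwords, rates=(3000, 10000)):
    """One row per password: (password, alphabet, bits, crack time per rate)."""
    return [(pw, charset_size(pw), round(entropy_bits(pw), 1),
             [human(seconds_to_exhaust(entropy_bits(pw), r)) for r in rates])
            for pw in passwords]


if __name__ == "__main__":
    # The four passwords the post walks through, in the order it builds them.
    for pw, alphabet, bits, times in compare(
            ["creator", "Cre@tor", "Cre@tor Un1on", "123R0t@erc"]):
        print(f"{pw!r:16} alphabet={alphabet:3} bits={bits:5.1f}  "
              + "  ".join(f"@{r}/s: {t}" for r, t in zip((3000, 10000), times)))
```

Swap in your own candidates to see how each change (a substitution, an extra word, a reversal) moves the bit count; length dominates every other knob.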
Conclusion
To make your password strong, you need to have good length OR complexity. Why is the 'or' bolded? Because you have to remember the password too! If a password is too long and complex for an average human brain to remember, that defeats the purpose of a password.
As long as it is not readable/English-recognized by a computer and is 14 words or longer, you are in the safe zone.
Others
So I may have mentioned things like 'AES' or 'phishing'. Those are not really affected by password strength, but they contribute to the chances of your password getting cracked.
AES
AES is mainly associated with encrypting files and such with a password. If your password is encrypted (which it is by default most of the time), the hacker would have a harder time trying to crack your password. Plus only expert hackers can break into encrypted passwords. Otherwise, they can only turn to bruteforce or phishing, etc.
How to counter? It's already countered! [Passwords are encrypted by default]
{ Note: I am actually wrong to directly state that passwords are the ones that are encrypted, but I didn't want to do some science/programming drilling, so I decided to keep it short and say "passwords are encrypted" }
Phishing
Basically making use of PHP (networking) and redirecting the user's information to the hacker. For example, I can easily make a page that looks exactly like this forum's login page, modify the text boxes on the inside to redirect whatever information you filled in to my email when you click 'submit' or 'login', then redirect you back to your profile/homepage.
How to counter? Be on alert whenever you are clicking links telling you to log in on strange websites/emails. You can hover over the link and check the link's URL at the bottom left of the browser window (or copy the URL and paste it in Notepad on your phone). Does it link you to the correct website? Does the URL look strange, like 'www.go0gle.com'?
SQL-Injection
Rarely does anyone use that to hack passwords, since it is mostly used to 'destroy' or 'take over' websites. But SQL is a programming language for databases. So SQL injection would simply mean infecting the database and controlling it however you like. The database most of the time contains your password, and being able to control the database == being able to read it. So the hacker can read your password through SQL injection.
How to counter? If you are the one managing the app/website, make sure your code is properly structured and so on. Make sure there is no room for mistakes or accidental 'clashes'. As long as no one without permission can modify your database/code, you are safe.
And that is it for my long post. Comment down below to let me know what you think. Feel free to correct and point out my mistakes if I made any!