Taking Control of Passwords: Understanding Password Strength

Last month, we invited you to join us in the first step toward getting a handle on your passwords by starting a list of the sites you encounter where you’ve got an account registered. For the next step, we’ll keep on keeping on with that while we take a moment to consider general wisdom regarding password production and poaching.

Generally, passwords get compromised in one of three ways:

  1. They get stolen, as in a data breach or someone swiping the post-it note off your monitor (changing passwords on some regular interval ensures a stolen password isn’t “active” forever, especially if we don’t notice right away)

  2. They get cracked, as in an attacker’s automated password-cracking tool slogs through combination after combination until it lands on yours (which is where length and complexity come in, as you’ll see below)

  3. They get shared, as in handed over willingly to a friendly email or phone scammer (if you ever suspect this has happened, contact UDit for advice)

For now, let’s zero in on number two, cracking passwords. Recognizing that different services have different requirements for length and complexity (e.g., a minimum number of characters, required special characters, and so on), keep the following in mind:

  1. Longer is better. Password strength is like an algebra class word problem: “If a password is 8 characters long and must have at least one alpha and one numeric character, how many different passwords are possible?” We won’t make you do that math (we won’t make *us* do that math, either), but every extra character added to your password multiplies the number of possible passwords by the number of characters allowed in each position, so the total grows exponentially with length.

  2. Random is good, too. Some services (like your debit card PIN) require a shorter password. If you can’t go long, go crazy. Avoid the obvious choices for a four-digit number (like a year). And those password-cracking tools attackers use? They often include dictionary entries. So using a fully intact common word or phrase isn’t a great idea, either.
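Here is the word problem actually worked out, as an added example that is not part of the original UDit post: the 8-character “at least one letter and one digit” count by inclusion-exclusion, how much one extra character multiplies it, a worst-case time-to-exhaust at an assumed guessing rate of one billion guesses per second (an illustrative number, not a figure from the article or the Kaspersky tool), and a small policy check for the “obvious year” and “intact common word” advice. The 12-character minimum and the five-entry word list are constructed for the example; a real checker would use a large wordlist plus the institution’s own banned terms.

```python
"""Worked example for the two password-strength points above (added example)."""
import itertools
import string

LETTERS = string.ascii_letters          # 52 characters
DIGITS = string.digits                  # 10 characters
ALNUM = LETTERS + DIGITS                # 62 characters


def keyspace(length: int, charset_size: int = len(ALNUM)) -> int:
    """Passwords possible with no composition rule: charset_size ** length.
    Each extra character multiplies the count by charset_size, which is the
    exponential growth the article mentions."""
    return charset_size ** length


def keyspace_word_problem(length: int) -> int:
    """The article's word problem: passwords of `length` over letters+digits
    with at least one letter AND at least one digit. Inclusion-exclusion:
    all alphanumeric strings, minus letters-only, minus digits-only."""
    return len(ALNUM) ** length - len(LETTERS) ** length - len(DIGITS) ** length


def brute_force_count(length: int) -> int:
    """Cross-check of keyspace_word_problem by enumeration (small lengths only)."""
    return sum(
        1 for pw in itertools.product(ALNUM, repeat=length)
        if any(c in LETTERS for c in pw) and any(c in DIGITS for c in pw)
    )


def growth_factor(length: int) -> float:
    """How much larger the word-problem keyspace gets from one extra character."""
    return keyspace_word_problem(length + 1) / keyspace_word_problem(length)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate.
    The rate is an assumption for illustration; real tools and hash types vary widely."""
    return space / guesses_per_second


# Constructed mini-dictionary for the 'intact common word' check. Assumption: a real
# checker would use a large wordlist and the institution's own banned-terms list.
COMMON_WORDS = ("password", "goflyers", "rudyud", "welcome", "letmein")
MIN_LENGTH = 12  # assumed local policy minimum, not a value from the article


def weak_password_reasons(pw: str) -> list:
    """Return the reasons a candidate password is weak under the article's two rules
    (empty list = no reason found). This is a defensive policy check, not a cracker."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = pw.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            reasons.append(f"contains common word '{word}'")
            break
    if pw.isdigit():
        reasons.append("digits only")
        if len(pw) == 4 and 1900 <= int(pw) <= 2099:
            reasons.append("four-digit number that looks like a year")
    return reasons


if __name__ == "__main__":
    for n in (8, 9, 10, 12):
        space = keyspace_word_problem(n)
        print(f"{n} chars: {space:.3e} candidates, "
              f"{seconds_to_exhaust(space, 1e9) / 86400:.1f} days at 1e9 guesses/s")
    print("growth per extra char (8->9):", round(growth_factor(8), 2))
    for candidate in ("GoFlyers", "1987", "Xq7!pL2m#vD9wz"):
        print(candidate, "->", weak_password_reasons(candidate) or "no issues found")
```

Two things worth noticing when you run it: the 8-character answer is about 1.6 × 10^14 candidates, and going to 9 characters multiplies that by a little more than 62 (slightly more, because the “letters only” strings being subtracted grow more slowly than the total). Doubling the length to 16 does not double the work for a cracker; it raises it to roughly the second power.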
A Special Note to the Flyer Faithful: If a hacker were going to guess a UD employee or alum’s password, they’d likely start with the obvious - “GoFlyers” or “RudyUD”. If you’ve ever wondered, that’s why UD-related terminology is disallowed in our passwords. (But it doesn’t explain why you can’t use MerleHaggard; send us your guess for that one and we’ll send you some swag.)

We’re all aware of the quandary here - make a password that’s long and complicated enough to be secure (or “strong”, in common password parlance) but not so impenetrable that we can’t remember or type it. We’ll come back to that in March.

But here’s our action item for February: Experiment with password strength. Visit the Kaspersky password checker and see how some possible passwords stack up. The tool estimates how long a given password would take to crack (and it says “GoFlyers” would get cracked in a mere 26 minutes). Heads up: Even though the tool doesn’t store the passwords you try out, it still recommends not entering your actual password. So if you want to see how your current password fares, try something that’s just similar.
