Bad passwords : letmein, password, mothers maiden name, dog’s name, common dictionary word
Good password: zrfwwfnnbdmr (12 random characters, all letters)
Better password: cpYCy0u6NlKG (12 random characters, letters and numbers)
Very strong password: Uq6*#Fd$eidHaRBzpwiC (20 random characters, letters, numbers and special characters)
When a hacker wants to crack someone’s password, there are two basic methods; dictionary based attacks and brute force attacks.
Dictionary attacks involve a piece of software trying to log in using every word in the dictionary, and I mean in the dictionary of the software. Often these custom dictionaries will include commonly used insecure passwords such as “password”, “let me in” and “p@ssw0rd” These types of attack are very fast, as the number of words guessed is relatively small for a piece of software, eg 50,000.
On the other hand, brute force password attacks use every combination of character, lower and upper case letters, numbers, and other characters such as !, #, @, $. These attacks are much slower as the number of possible combination is very high. Suppose our company has a policy of using 8 characters, where at least one number is used, and lower and uppercase letters are used. For the English alphabet, this equates for 2 x 26 + 10 = 62 possible combinations per character.
For an 8 length password, this equals 62 to the power of 8 = 218,340,105,584,896 ( i.e approx 218 trillion permutations.)
If the company specifies an even stronger password policy, that at least one non alphanumeric character be included, eg ^ then the number of possibilties per characters on a standard UK keyboard = 34 + 62 = 96 to the power of 8 = 7,213,895,789,838,336 ( approx 7,213 trillion)
This means brute force attacks are very slow, as there are so many permutations for the software to loop through. The maximum known successful brute force attack has been of 64bit encryption. This is for 2 to the power of 64 or 18,446,744,073,709,551,616
This is equivalent to a strong password of 10-11 characters.