Creating secure passwords—and by extension, remembering them—can be frustrating. Many passwords follow a basic formula: a child’s name followed by a number (often a two- or four-digit number representing the birth year) with a symbol tacked on that changes every time you’re forced to change the password. If your password’s hash (the output of a one-way cryptographic function that systems store in place of your actual password) is compromised and an attacker is attempting to crack it, a password like this is almost as ineffective as “Password1”!
The requirements to get started cracking passwords are easy to meet—any off-the-shelf computer with reasonable graphics capabilities can do it. As the power of the computer increases, the time it takes to crack the password decreases significantly. This is where two characteristics—length and complexity—become key.
If your password is too short, then a brute-force attack can crack it quickly. If your password is too simple and relies on a base word found in the English language, the time required is also reduced. Cleverly interchanging the $ for the S or the @ for A won’t make a difference—password-cracking software applies those substitutions automatically. The length of your password protects against brute-force attacks, while complexity protects against dictionary attacks. The problem is striking a secure balance that is reasonably long and complex, but not so difficult to remember that you have to write it down.
BKD Cyber cracks thousands of passwords each year as part of our services that help clients improve their cybersecurity. With the industry making a push to get away from the usual rules for length and complexity, it’s important to point out some of the common trends in passwords that we consider weak because they’re cracked with little effort—and often within just a few hours:
- The current month or season with the year at the end
- Any holiday with the year tacked on
- The city or street where you are located
- Your company name
- Your department or job title
- Your child or pet’s name with a number, especially a birth year
- The name of any popular song, nursery rhyme, or biblical passage (including abbreviations)
- The word “password” in any form, regardless of how many letters you swap for numbers or symbols
- Vulgarity or racial slurs
- Sentences like “i hate passwords”
- The name of any Windows service or common network protocol
A good approach to creating a secure password is to use a phrase you will remember and break it down into pieces that appear random. For example, if you used something like “This is my password,” then the result would be “TimP.” Just be sure the length meets password guidelines. Also, steer away from common phrases or quotes and popular passages from books and movies. These are already in the wordlists cracking tools use and are recovered almost immediately.
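As an added example (not part of the BKD post or its services), the Python check below applies the weak patterns listed above to a candidate password before it is accepted: it undoes the common leetspeak substitutions, splits off the trailing number or symbol, and flags season, month, holiday, “password” and organisation-specific base words as well as a trailing two- or four-digit year. The word lists are constructed for illustration, the `org_words` parameter stands in for the company, city and department names an organisation would supply, and the 12-character minimum is an assumed policy threshold.

```python
import re
from typing import Iterable, List

# Substitutions that cracking tools try automatically ($ for s, @ for a, 0 for o, ...);
# undoing them first means the check sees the password the way a wordlist rule would.
LEET = str.maketrans("$@0134578!", "saoieastbi")

# Constructed denylists for the categories listed in the article. Months, seasons and
# holidays are generic; company, city and department names are passed in by the caller.
MONTHS_SEASONS = {"january", "february", "march", "april", "may", "june", "july",
                  "august", "september", "october", "november", "december",
                  "spring", "summer", "fall", "autumn", "winter"}
HOLIDAYS = {"christmas", "easter", "thanksgiving", "halloween", "newyear", "valentines"}
MIN_LENGTH = 12  # assumed policy threshold; the article only says "meets password guidelines"


def base_and_tail(password: str):
    """Lowercase the password, split off trailing digits/symbols (the 'tacked on' year or
    symbol), and undo leetspeak in the remaining base word."""
    lowered = password.lower()
    # Shortest prefix such that everything after it contains no letters.
    match = re.match(r"^(.*?)([^a-z]*)$", lowered)
    base, tail = match.group(1), match.group(2)
    return base.translate(LEET), tail


def weak_reasons(password: str, org_words: Iterable[str] = ()) -> List[str]:
    """Return every weak-pattern finding for a candidate password. An empty list means
    none of the article's patterns were detected, not that the password is strong."""
    reasons = []
    base, tail = base_and_tail(password)
    compact = base.replace(" ", "")  # catches sentences like "i hate passwords"
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters (weak against brute force)")
    if "password" in compact:
        reasons.append("contains 'password' once substitutions are undone")
    if base in MONTHS_SEASONS:
        reasons.append(f"base word '{base}' is a month or season")
    if base in HOLIDAYS:
        reasons.append(f"base word '{base}' is a holiday")
    if base in {w.lower() for w in org_words}:
        reasons.append(f"base word '{base}' is an organisation-specific term")
    digits = re.sub(r"\D", "", tail)
    if len(digits) in (2, 4):
        reasons.append("ends in a two- or four-digit number, likely a year")
    return reasons


if __name__ == "__main__":
    for candidate in ["Summer2023!", "P@ssw0rd1", "Chri$tmas19", "TimP-q7Z!v3Lp"]:
        print(candidate, "->", weak_reasons(candidate, org_words=["BKD"]) or ["no weak pattern found"])
```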
Visit the BKD Cyber webpage, reach out to your BKD Trusted Advisor™ or complete the Contact Us form below if you have questions.