The best security measures are useless if weak credentials are chosen. This raises two essential questions, which I would like to answer below.
What is a bad password anyway?
How can I create and remember strong passwords?
There are two main approaches to guessing credentials: trying every possible combination (brute force) and working from a list of likely passwords (dictionary attack).
Brute force: all combinations are tried in turn. Depending on the character pool and the length of the password, the number of combinations is finite:
Z = size of the character pool
L = password length
X = number of combinations
Z^L = X
Character pool:
Lowercase letters (a-z): 26 characters
Upper and lower case (a-Z): 2 × 26 = 52 characters
Digits (0-9): 10 characters
Special characters (#!…): 10 characters in the example below (the full printable ASCII set has 33, which brings the complete pool to 95)
How long this takes also depends, of course, on the attacker's hardware. The following example illustrates this.
Z (a-Z) = 52
L = 8
52^8 ≈ 53 × 10^12
Laptop CPU:
Combinations per second = 350 × 10^6
Time needed: about 1.8 days (roughly 42 hours)
GPU computing cluster:
Combinations per second = 180 × 10^9
Time needed: about 5 minutes
Note in addition that, statistically, the password is found after half that time on average, because the correct combination is equally likely to sit anywhere in the keyspace.
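To make the calculation above reproducible, here is a small Python script that evaluates Z^L for several pools and lengths and converts the result into time at the two guess rates from the post. It is an added example, not code from the original post; the rates 350 × 10^6/s and 180 × 10^9/s are the post's figures, the pool sizes 26/52/62/95 are the standard letter, mixed-case, alphanumeric and full printable-ASCII sets, and the set of lengths compared is my choice.

```python
from math import log10

# Guess rates taken from the post: a single laptop CPU and a GPU cluster.
LAPTOP_RATE = 350 * 10**6        # guesses per second
GPU_CLUSTER_RATE = 180 * 10**9   # guesses per second

# Standard character pools (sizes of the sets, not the post's reduced 10 specials).
POOLS = {"a-z": 26, "a-Z": 52, "a-Z0-9": 62, "printable ASCII": 95}


def keyspace(pool: int, length: int) -> int:
    """Number of candidate passwords X = Z^L for a pool of Z characters and length L."""
    return pool ** length


def seconds_to_exhaust(pool: int, length: int, rate: float) -> float:
    """Worst case: every combination is tried before the right one appears."""
    return keyspace(pool, length) / rate


def expected_seconds(pool: int, length: int, rate: float) -> float:
    """Statistically the password is found after half the keyspace."""
    return seconds_to_exhaust(pool, length, rate) / 2


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def table(lengths=(8, 10, 12, 16), rate: float = GPU_CLUSTER_RATE):
    """Return (pool name, length, log10 of keyspace, worst-case time) rows."""
    rows = []
    for name, z in POOLS.items():
        for l in lengths:
            rows.append((name, l, round(log10(keyspace(z, l)), 1),
                         human(seconds_to_exhaust(z, l, rate))))
    return rows


if __name__ == "__main__":
    # The post's worked example: 52 characters, length 8.
    print("laptop, worst case:", human(seconds_to_exhaust(52, 8, LAPTOP_RATE)))
    print("laptop, expected:  ", human(expected_seconds(52, 8, LAPTOP_RATE)))
    print("GPU cluster:       ", human(seconds_to_exhaust(52, 8, GPU_CLUSTER_RATE)))
    print()
    for name, l, digits, t in table():
        print(f"{name:16} L={l:2}  10^{digits:<5} {t}")
```

Running the table shows the practical lesson behind the formula: because L is the exponent, adding characters beats widening the pool. Twelve lowercase letters (26^12 ≈ 10^17) already form a larger keyspace than eight characters drawn from all 95 printable ASCII symbols (95^8 ≈ 10^15.8).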
Dictionary attack: a list of likely passwords is tried (public leak lists, a custom list, default credentials, terms related to the company, names and dates from Facebook and similar profiles), optionally with mutations (a year or special characters appended).
Accordingly, a password is weak if it
- is short
- appears in password lists
- is an unchanged dictionary word, or a trivially mutated one
- is old
- is used more than once
The last point does not enable an attack by itself, but it has a significant impact if the same password is used on several services: a breach at the weakest one exposes all of them. Just because Amazon protects customer credentials quite well does not mean the same is true for "InSecure-HerzHund-forum.de" or the "trusted" fitness app from Paraguay that keeps activating my camera.
There are two possible solutions to this dilemma:
- A password manager (post to follow)
- Deriving the password from a sentence
I would like to explain the latter briefly. Let's assume that you need a password for eBay. Think of a sentence in the context of eBay:
I am the auctioneer
Replace the spaces with a special character of your choice and insert a digit at any position, for example I#am#the#auctioneer7 (# for the spaces, 7 appended). Most of the strength comes from the length and from the sentence being personal to you; the substitution rule itself is well known to cracking tools, so vary it rather than relying on it alone.
With this you have created a password that
- is long
- is not in any password list
- does not consist of an unchanged word
- has not been used before
- and is easy to remember
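The criteria above, and the "+year or special characters" mutation from the dictionary-attack paragraph, can be turned into a simple self-check. The following Python script is an added example, not code from the original post: it strips the trailing digits and special characters an attacker's mutation rule would append, compares the remainder against a word list, and reports which of the post's weakness criteria a candidate violates. The word list is a constructed stand-in for a real leak list, the minimum length of 12 is my assumption (the post only says "short"), and the default age limit of 365 days follows the once-a-year recommendation at the end of the post.

```python
import re

# Constructed stand-in for a public leak list plus company/profile terms.
# A real check would load a large breach corpus instead of these few words.
LIST_WORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "sommer", "winter", "auctioneer", "ebay",
}
SPECIALS = "!#$%&*+-./:;=?@_"
MIN_LENGTH = 12                  # assumption: the post gives no exact number
# Trailing run of digits and/or special characters, i.e. what "+year or
# special characters" appends to a list word ("Sommer2019!", "welcome#1").
TRAILING_MUTATION = re.compile(r"[0-9" + re.escape(SPECIALS) + r"]+$")


def base_word(candidate: str) -> str:
    """Undo the appended-year / appended-special mutation and normalise case.
    'Sommer2019!' -> 'sommer'; 'I#am#the#auctioneer7' -> 'i#am#the#auctioneer'."""
    return TRAILING_MUTATION.sub("", candidate).lower()


def weaknesses(candidate: str, previously_used=frozenset(),
               age_days: int = 0, max_age_days: int = 365) -> list:
    """Return the post's weakness criteria that the candidate violates.

    previously_used: passwords already in use elsewhere (in a real tool you
                     would compare hashes, not plaintext).
    age_days:        how long the password has been in use.
    An empty list means none of the listed weaknesses apply."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("short")
    if candidate.lower() in LIST_WORDS:
        problems.append("unchanged list word")
    elif base_word(candidate) in LIST_WORDS:
        problems.append("trivially mutated list word")
    if candidate in previously_used:
        problems.append("reused")
    if age_days > max_age_days:
        problems.append("old")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two typical weak choices and the post's sentence scheme.
    samples = ["Sommer2019!", "letmein", "I#am#the#auctioneer7"]
    for pw in samples:
        print(f"{pw:24} {weaknesses(pw) or 'no listed weakness'}")
    # The same good password becomes a problem once it is reused or left unchanged too long.
    print(weaknesses("I#am#the#auctioneer7",
                     previously_used={"I#am#the#auctioneer7"}, age_days=400))
```

The check deliberately mirrors the attacker's view: "Sommer2019!" looks varied, but stripping the suffix leaves a plain word from the list, which is exactly what rule-based cracking does at scale. The sentence-derived password passes because it is long and is not a mutation of any single list word; only reuse or age can make it fail.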
This leaves only the password age factor, which is entirely up to you. It is recommended to change passwords every 90 days. I consider this to be excessive for private individuals and for passwords created in this way. Here I would change the password once a year.