The best security measures are useless if weak credentials are chosen. This raises two essential questions, which I would like to explain below.

What is a bad password anyway?
How can I create and remember strong passwords?

There are two main ways to attack credentials by guessing.

  1. Brute force
    Every combination is tried in turn. The number of combinations is finite and depends on the character pool and on the length of the password:

    Z = size of the character pool

    L = password length

    X = number of combinations

    Z^L = X

    Explanation of the character pool:

    Lower-case letters (a-z): 26 characters

    Upper and lower case (a-Z): 2 times the alphabet, 52 characters

    Digits (0-9): 10 characters

    Special characters (#!…): 10 characters (the set assumed here)

    Beyond that, the time needed depends on the attacker's hardware. The following example illustrates this.

    Z (a-Z) = 52

    L = 8

    52^8 ≈ 5.3 * 10^13

    Gaming laptop:
    Combinations per second = 350 * 10^6
    Time needed: 5.3 * 10^13 / (3.5 * 10^8) ≈ 1.5 * 10^5 seconds, a little under 2 days

    GPU computing cluster:
    Combinations per second = 180 * 10^9
    Time needed: 5.3 * 10^13 / (1.8 * 10^11) ≈ 300 seconds, about 5 minutes

    Note that these are worst-case figures for covering the whole keyspace; statistically the password is found after half that time on average. Two caveats: the pool only counts if the attacker actually has to exhaust it (a password known or guessed to be all lower case leaves only 26^8 ≈ 2 * 10^11 combinations), and the rates above assume an offline attack against a fast hash; against a deliberately slow password hash or an online login with rate limiting they drop by orders of magnitude.

  2. Dictionary
    Instead of all combinations, a list of likely passwords is tried: public leak lists, a list built for the target, default credentials, company names, and vocabulary from Facebook and co. Each entry is typically also mutated (appended year, special characters, changed capitalisation), so that "Summer2019!" falls about as quickly as "summer".
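The brute-force arithmetic above, as an added worked example that is not from the original post. The pool sizes and the two guess rates are the post's figures; the extra pools and the length range in the table are assumptions added for illustration.

```python
"""Brute-force keyspace and crack-time estimates for the post's formula Z^L = X."""

# Character pools: the post's 26/52/10/10 figures, combined (assumption: the
# last two rows are added here to show what a bigger pool buys).
POOLS = {
    "lower": 26,
    "mixed case": 52,
    "mixed+digits": 62,
    "mixed+digits+special": 72,
}

# Guess rates from the post, in combinations per second.
RATES = {
    "gaming laptop": 350 * 10**6,
    "GPU cluster": 180 * 10**9,
}


def keyspace(pool_size, length):
    """X = Z^L: the number of candidates an exhaustive search has to cover."""
    return pool_size ** length


def crack_seconds(pool_size, length, rate):
    """Return (worst_case, expected) seconds at `rate` guesses per second.

    The expected value is half the worst case: on average the right password
    turns up after half the keyspace has been tried.
    """
    worst = keyspace(pool_size, length) / rate
    return worst, worst / 2


def human(seconds):
    """Render a duration in the largest unit that fits, one decimal place."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def table(lengths=range(8, 15)):
    """Worst-case time for every pool, length and rate (assumed length range 8..14)."""
    rows = []
    for pool_name, pool in POOLS.items():
        for length in lengths:
            for rate_name, rate in RATES.items():
                worst, _ = crack_seconds(pool, length, rate)
                rows.append((pool_name, length, rate_name, worst))
    return rows


if __name__ == "__main__":
    print(f"52^8 = {keyspace(52, 8):.2e} combinations")
    for rate_name, rate in RATES.items():
        worst, expected = crack_seconds(52, 8, rate)
        print(f"{rate_name:14s} worst {human(worst):>14s}  expected {human(expected):>14s}")
    print()
    for pool_name, length, rate_name, worst in table():
        print(f"{pool_name:22s} L={length:2d} {rate_name:14s} {human(worst)}")
```

Running it reproduces the post's case (52^8 ≈ 5.3 * 10^13; about 1.8 days on the laptop, about 5 minutes on the cluster) and the table makes the point the post only hints at: two extra characters at the same pool (52^10) already outweigh adding twenty special characters at length 8 (72^8) by more than a factor of 100, so length is the cheaper lever.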

It follows that a password is bad if it

  • is short
  • appears in a password list
  • consists of an unchanged word
  • is old
  • is used more than once

The latter does not enable a direct attack by itself, but it has a significant impact as soon as the same password is used on multiple services: one leak exposes all of them. Just because Amazon protects customer credentials quite well does not mean the same holds for “InSecure-HerzHund-forum.de” or the “trusted” fitness app from Paraguay that keeps activating my camera.

There are two possible solutions to this dilemma:

  • A password manager (post to follow)
  • Creativity

I would like to explain the latter briefly. Let's assume that you need a password for eBay. Think of a sentence in the context of eBay:

I am the auctioneer

Replace each space with a special character of your choice and insert a digit at any position:

I&am&the7&auctioneer

With this you have created a password which

  • is long
  • is not in a password list
  • does not consist of an unchanged word
  • has not been used anywhere else
  • and is easy to remember
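As an added example that is not from the original post, the dictionary attack from section 2 and the "bad password" criteria above, applied to the eBay passphrase built with the recipe just described. The wordlist, the mutation rules and the 12-character cut-off are constructed assumptions for this example; a real attack uses leak lists with millions of entries and far more rules.

```python
"""Dictionary attack with mutation rules, plus a checker for the post's criteria."""

# Constructed stand-in for a public leak list (assumption: a real list has
# millions of entries, including company names, default credentials and
# the target's social-media vocabulary).
WORDLIST = [
    "password", "123456", "qwerty", "letmein", "welcome",
    "summer", "winter", "dragon", "auctioneer", "ebay",
]

YEARS = [str(y) for y in range(1990, 2031)]
SUFFIXES = ["", "!", "1", "123", "!1", "#", "?"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

MIN_LENGTH = 12  # assumption: the post only says "short"; 12 is this example's cut-off


def mutations(word):
    """Yield (candidate, rule) pairs for one base word.

    The rules mirror what the post lists: the word itself, capitalisation
    variants, an appended year and/or special character, and leetspeak.
    """
    bases = {
        word: "unchanged",
        word.capitalize(): "capitalised",
        word.upper(): "upper-case",
    }
    for base, how in bases.items():
        yield base, how
        yield base.translate(LEET), how + " + leetspeak"
        for suffix in SUFFIXES:
            for year in [""] + YEARS:
                if suffix or year:
                    yield base + year + suffix, f"{how} + '{year}{suffix}'"


def dictionary_hit(password, wordlist=WORDLIST):
    """Return (base_word, rule) if `password` is a wordlist entry or a simple
    mutation of one, else None. This is the attacker's view: every candidate
    here is cheap to try, so a match means "in a password list"."""
    for word in wordlist:
        for candidate, rule in mutations(word):
            if candidate == password:
                return word, rule
    return None


def sentence_to_password(sentence, separator="&", digit="7", after_word=3):
    """The post's recipe: join the words with a special character and insert
    a digit, here at the end of word number `after_word`."""
    words = sentence.split()
    if not 1 <= after_word <= len(words):
        raise ValueError("after_word out of range")
    words[after_word - 1] += digit
    return separator.join(words)


def assess(password, wordlist=WORDLIST, reused=False):
    """Apply the post's criteria; returns a list of findings (empty = none fired).

    Reuse cannot be detected from the string alone, so the caller passes it in.
    Age is likewise outside the string and is not checked here.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"short ({len(password)} < {MIN_LENGTH} characters)")
    hit = dictionary_hit(password, wordlist)
    if hit and hit[1] == "unchanged":
        findings.append(f"an unchanged dictionary word: '{hit[0]}'")
    elif hit:
        findings.append(f"in a password list after mutation: '{hit[0]}' ({hit[1]})")
    if reused:
        findings.append("used for more than one service")
    return findings


if __name__ == "__main__":
    ebay = sentence_to_password("I am the auctioneer")
    for pw in ["summer", "Summer2019!", "P@$$w0rd", ebay]:
        print(f"{pw:22s} -> {assess(pw) or ['no finding']}")
```

"Summer2019!" and "P@$$w0rd" are caught by the year and leetspeak rules although neither is in the list verbatim; the passphrase is built from dictionary words too, but the separator and the digit are exactly what keep it out of the generated candidates, which is why the mutation step of the recipe is not optional.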

That leaves only the age of the password, which is entirely under your control. The common recommendation is to change passwords every 90 days. I consider this excessive for private individuals and for passwords created this way; here I would change the password once a year. Current NIST guidance (SP 800-63B) points the same way: it advises against forced periodic changes and recommends changing a password when there is evidence it has been compromised, for example when it turns up in a breach.