The best security measures are useless if weak credentials are chosen. This raises two essential questions, which I would like to explain below.
What is a bad password, anyway?
How can I create and remember strong passwords?
There are two main ways of attack to guess into credentials.
All combinations are tried through. Depending on the choice of characters and length of the password, there is a finite number of combinations.(formal, power laptop, example
Z = character pool
L = Password length
X = number of combinations
ZL = X
Explanation character pool:
Alphabet (a-z): 26 characters
Upper and lower case (a-Z): 2 times alphabet
Numbers 8 (0-9): 10 characters
Special characters (#!…): 10 characters
In addition, of course, it depends on the hardware equipment of the attacker. The following is an example to illustrate this.
Alphabet (a-z): 26 charactersCapitalization (a-Z): 2 times alphabetNumbers 8 (0-9): 10 charactersSpecial characters (#!…): 10 characters
Z (a-Z) = 52
L = 8
528 = 53 *1012
Combinations per second = 350 *106
Time needed: 6 days
GPU compute cluster:
Combinations per second = 180 *109
Time needed: 5 seconds
Here is the additional hint that statically, the password is guessed after half the time.
List of possible passwords(public lists, own list, default credentials, company, Facebook and co) or mutate (+year or special characters)
After that passwords would be bad, which
- are short
- are in password lists
- contain unchanged words
- old are
- Be used multiple times
The latter does not enable a direct attack, but still has significant impact if the same password is used on multiple services. Just because Amazon protects customers’ access data quite well, this does not necessarily apply to the “InSecure-HerzHund-forum.de” or the “trustworthy” fitness app from Paraguay that constantly activates my camera.
There are two possible solutions to this dilemma
- A password manager (post to follow)
I would like to explain the latter briefly. Let’s assume that you need a password for eBay. Think about a sentence in the context of eBay.
I am the auctioneer
Changes the spaces to any special character and adds a number in any position.
With this you have created a password which
- Long is
- Not in a password list
- Does not consist of an unchanged word
- was not used more than once
- And easy to remember is
This leaves only the password age factor, which is influenced by you. It is recommended to change passwords every 90 days. I consider this to be excessive for private individuals and for passwords created in this way. Here I would do the password change once a year.