When you need to log into a site, you typically enter a username and a password. Using a password is the most popular way to prove to a website that you are authorized to use it. It’s popular because it’s easy: you remember and enter just one piece of information, and you can access the information and services hosted at the sites you visit.
Passwords aren’t the only way. Security experts increasingly recommend using two-factor authentication, where you combine a password with something else that only you could know or could possess. Two-factor authentication is rapidly becoming more popular, but still only 50 percent of the world’s most popular websites support it. And everyday users don’t seem too enthusiastic about using it, as over 90 percent of GMail users, for example, still enter just a password to log into their account. Apparently, the need to do something in addition to entering a password seems too much of an inconvenience for most people to countenance. And so, most of us continue to rely solely on the strength of our passwords to protect us.
That’s the reality. How can we make that reality as safe and secure as possible? It comes down to using the most secure, un-guessable, un-crackable password we can remember and type without injuring ourselves.
Here’s a website that can help you choose a strong password: https://howsecureismypassword.net/. It’s actually a lot of fun to use. Type any of your passwords into the text box, and the page will tell you how long it would take a lone typical PC to crack it. Go ahead and experiment with it. You’ll see how adding just a few special characters and making your password just a little bit longer can have a dramatic effect on how long it would take to break your password.
The site estimates how long it would take to crack a password using a variety of techniques. It compares the password against a list of the most popular ones, which is a depressing read for those of us who work as cybersecurity educators. (How can people still think “12345” is a good password? I mean, really?) It checks if the password is a known dictionary word, which would be easy for you to remember but also would prove easy for someone to guess, since it is not, at all, random. In fact, password hackers often perform what are called dictionary attacks, running through a set of hundreds of thousands of words to determine if any of them could be your password.
If these checks fail – if you didn’t choose one of the most common passwords and you didn’t choose a word from the dictionary – then the website calculates your password’s entropy. Entropy measures how random your password appears. The more randomness or entropy the password possesses, the harder it will be for someone to find it by simply running through all possible combinations of letters, numbers, and special symbols. Attacks in which the hacker runs through all possible character combinations are called brute-force attacks. Depending on how complicated your password is, brute-force attacks can be fruitful, or they can take so long as to be completely infeasible.
As you play with the website, you’ll likely experiment to find ways to create a password that will take trillions of trillions of years to break. It’s even possible to create passwords that the website describes as taking “Forever” to break. But ask yourself if you can remember that password. Probably not. So, there is a tradeoff. Use the website to come up with a password you can remember, that you can enter without too much inconvenience, and that can’t be broken in a reasonable amount of time.
What’s a reasonable amount of time? The website reports how long it will take to break your password using its variety of techniques assuming you are using just one computer to break it. If someone really wants your password, they might use a whole warehouse of computers to try to break it. Take the number of years the website reports and divide it, say, by 1000, and you’ll learn how long it will take 1000 computers working together to break your chosen password. If the resulting estimate is thirty days, then that means you can choose that password, but make sure you change it every thirty days.
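To make the three-stage logic above concrete (common-password list, dictionary check, then an entropy-based brute-force estimate, scaled down by the number of machines), here is a small Python estimator. It is an added example, not code from the linked website; the word lists are tiny constructed stand-ins and the guess rate of one billion guesses per second per machine is an assumption.

```python
import math
import string

# Constructed stand-ins for the large common-password and dictionary
# lists a real checker would load from disk.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "letmein"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "welcome"}

# Assumed attacker speed for one typical PC (guesses per second).
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the alphabet the password appears to draw from.

    Each character class that occurs at least once contributes its
    whole class size, which is how entropy checkers usually score it.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def entropy_bits(pw: str) -> float:
    """Bits of entropy, treating the password as uniform over its charset."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def years_to_crack(pw: str, machines: int = 1) -> float:
    """Years for a full brute-force sweep of the keyspace.

    Stage 1 and 2: a list hit or a dictionary word is found at once.
    Stage 3: keyspace / (rate * machines), as in the "divide by 1000" rule.
    """
    if pw in COMMON_PASSWORDS or pw.lower() in DICTIONARY_WORDS:
        return 0.0
    keyspace = charset_size(pw) ** len(pw)
    seconds = keyspace / (GUESSES_PER_SECOND * machines)
    return seconds / SECONDS_PER_YEAR
```

Running `years_to_crack("Tr0ub4dor&3", machines=1000)` shows how a warehouse of machines shrinks the single-PC estimate by the same factor.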
For most of us, the idea of 1000 computers working simultaneously to break our passwords is a pretty remote, extreme scenario. So, this would be a choice made with an abundance of caution. And that’s exactly how all your online choices should be made: with an abundance of caution. Always err on the side of abundant caution.
I recommend using this tool to come up with a strong password that could serve as a starting point. Then, use that password in combination with some other approach to generate a unique password for every site you visit. Then, commit to changing your passwords on a fixed schedule, perhaps every 30 days. You’ll have a safe, secure way to authenticate yourself to a website without having to depend on two-factor authentication.
Just make sure you don’t write it down on a post-it note!