A guest post from the ProtonMail Blog
You probably already know some obvious password safety tips, like don’t use “password” as your password. But did you know that a password like “Ch@ll3ng3r%$” is not much more secure? Sure, it mixes upper- and lower-case letters, numbers and special characters, like you’re often advised to do when creating a password for a new account. And yet a hacker could crack it using a dictionary attack in an hour or two. “Challenger” is a common base word, and the modifications are too simplistic to fool most hackers.
You may be thinking that no hacker would bother attacking you personally, and you’re probably right. The danger is not that a hacker will target you, but rather that your password will be part of a larger data breach. If you use a weak password, hackers can extract it from the database along with all the other weak passwords.
Therefore, your goal is to create a password that will be difficult for a hacker with a powerful computer to crack, while also being simple enough to memorize. This article will explain exactly how to do that, as well as offer some advice on what to do with your strong password once you’ve thought of it. But first it’s helpful to understand a bit about how online services use passwords to manage account access and how hackers can steal your credentials.
How passwords are stored – and stolen
A password is a way to confirm a user has permission to access an account or device. When you create a new account with an online service, the password you create is passed through a special algorithm (a cryptographic hash function) and converted into a seemingly random string of letters and numbers, known as a hash. That way, if the user database is ever leaked or breached, plaintext passwords are not exposed. The next time you enter your password to log in to your account, the password is again converted
to a hash and compared to the hash in the database. If it matches, you get access to your account.
Data breaches have become common, and hackers often get their hands on a big database of hashes. To convert the hashes to plaintext passwords, all they have to do is run different passwords through the hash function and see if the hashes match. A powerful computer can test billions of character combinations per second. One method, called a brute force attack, tries every possible combination of characters, starting with “0000000”, “0000001”, and so on. This process is slow, but perhaps not as slow as you’d think. A 12-year-old desktop computer processing brute force combinations can crack a password with five lower-case letters and five numbers in 23 hours.
How to create a strong password
A strong password is one that is easy for you to remember but difficult for a clever hacker with a powerful computer to guess. Short passwords using simple words and combinations are easy to crack. But long passwords using random characters are difficult to remember and may tempt you to reuse the same password across multiple accounts (don’t do that. The best solution for most people is to use an encrypted password manager with a long passphrase as the master password.
Another method, called a dictionary attack, saves time by trying common words, character substitutions (e.g. “3” instead of “E”), numbers, and combinations (e.g. a pet name plus a six-digit date). Dictionary attacks can be programmed to anticipate a large number of variations. Thus, even a password like “Pr0tonmai1#%$” is relatively predictable and could conceivably be hacked.
Here’s our recommendation:
Step 1: Sign up for and download a reputable, end-to-end encrypted password manager. Bitwarden, KeePass, LastPass, and 1Password are all good options.
Step 2: Use your password manager to generate unique, random passwords for each of your accounts. The default length and character mix are perfectly sufficient, but you can make your passwords longer if you wish.
Step 3: For your password manager and any passwords you must memorize, we recommend using a passphrase.
You can read all about passphrases in our previous article. Generally, you should use four or five random, uncommon words. Computer scientist Mike Pound also suggests inserting a random special character in the middle of one of the words. So, a password like “colloquyemphy9semaspectermalevolent” could be a strong password.
Of course, the problem with prescribing a strong password recipe is that hackers can now try to add this combination to their dictionary. Creating a good password requires a measure of creativity on your part to come up with a sufficient amount of entropy.
What to do with your strong password
First of all, don’t reuse it across multiple accounts. If your password is somehow exposed (perhaps in a phishing attack, social engineering, keylogger, etc.), the attacker could then attempt to enter your credentials to log in to other services. This is one reason it is imperative to use two-factor authentication.
Also, a word on password managers. No system is 100% secure, and there have been identified security vulnerabilities in password managers. Depending on your threat model, a password manager may not be appropriate for you. But we believe the benefits of a password manager outweigh the risks for most users. (You can also integrate your password manager with your ProtonMail account.)
This article is part of a series of how-to articles. You can follow us on social media or subscribe to our Reddit channel to join the conversation and keep up with ProtonMail updates.
The ProtonMail Team
About the Author
Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.