What Makes a Good Password?
- Dakota Ross
- Aug 31, 2021
- 5 min read
Updated: Jan 23

Synopsis
A good password is a password of at least 21 characters made up of lowercase letters, uppercase letters, numbers, and special characters. As an example, I would use #38ConcreteMixture38#. This password is complex enough that a brute-force attack would take over a million years to discover it, and it is easy to retype should I be unable to copy and paste it. That password is also easier to give over the phone, should you need to. If you want to improve the password, you could use #38C0ncr3teM!xtur378#, but that is a bit extreme and does not buy you much more protection. The rest of the article expands on how I came to this conclusion.
Security & Usability Characteristics
When it comes to choosing a good password, we first need to define what a good password is. Many would say that how good a password is comes down to how secure it is. I would say that the security a password provides is one of the characteristics to consider when judging its quality, but the usability of the password is also critical: how easy it is to type in when you do not have access to a password manager to copy and paste it from. That said, I will focus on security and usability to determine what a good password is. Much of security is about balancing ease of use with the constant attempt to maximize safety. You want to push security to the point just before it becomes unbearable. Should the security system become unbearable, it will be abandoned.
Password Security
When is your password secure enough? When determining whether a password is safe enough, we must consider the other aspects of securing the account. Just as with securing your house, it does not make sense to barricade the front door if you are leaving the back door unlocked. The path of least resistance determines how safe your house is. The same is true for account security. When you sign into a website, your login credentials are encrypted and sent to the destination. If I wanted to gain access to your account, I would not need to crack your password; I could instead attempt to break the encryption and get the credentials that way. For this reason, we will want to increase the security of the password to the point where it is on par with the protection provided by the encryption.
Based on my reading, it would take the world's most capable supercomputer, the MilkyWay-2, about a million years to break the standard AES-256 encryption used for web traffic over HTTPS SSL encryption. We will want to choose a password that matches or exceeds that capability. Based on a password security checker, roughly 21 characters brings the time to crack a password up to the time the MilkyWay-2 would need, granted that this assumes you are not using a commonly used password. I would recommend extending the length to at least 16 for a little cushion.
So we know how long we want the password, but we will also want to determine how complex the password should be. The number of required characters mentioned above is based on a password that consists of lowercase letters, uppercase letters, numbers, and special characters. At least one of each should be used if allowed. To demonstrate why all available character types should be used, consider the following example: a password of length one using only lowercase characters has 26 possible values. If you use lowercase and uppercase, there are 52 possible values. If you include lowercase, uppercase, numbers, and special characters, you are looking at 70+ possible values, depending on which special characters are allowed. The calculation used to determine the number of possible passwords is as follows.
(Number of Possible Characters)^(Number of Characters in the Password)
To drive the point home, let's take four passwords of 8 characters each. Each successive password adds another character type.
a(8) 208,827,064,576
aA(8) 53,459,728,531,456
aA1(8) 218,340,105,584,896
aA1!(8) 722,204,136,308,736
I am assuming ten special characters are available, so the total number of available characters I used was 72.
Now let us look at a fully complex 16-character password.
aA1!(16) 521,578,814,501,447,328,359,509,917,696
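To make the arithmetic above reusable, here is an added Python example (not from the original post) that classifies a password into the post's four character types, computes (possible characters)^(length) under the post's assumption of ten special characters, and converts the keyspace into a worst-case brute-force time. The guess rate of 10^12 per second is an assumption for illustration, not a figure from the post.

```python
# Added example: reproduce the post's keyspace formula,
# (possible characters) ** (length), and turn it into a time estimate.
# Class sizes follow the post's assumption: 26 lowercase, 26 uppercase,
# 10 digits and 10 special characters (72 in total).
import string

# (predicate, assumed class size); anything that is not a letter or digit
# is treated as one of the post's ten special characters.
CLASSES = [
    (lambda c: c in string.ascii_lowercase, 26),
    (lambda c: c in string.ascii_uppercase, 26),
    (lambda c: c in string.digits, 10),
    (lambda c: not c.isalnum(), 10),
]

def charset_size(password: str) -> int:
    """Alphabet size a brute-force search must cover, summed over the
    character classes actually present in the password."""
    return sum(size for present, size in CLASSES
               if any(present(c) for c in password))

def keyspace(password: str) -> int:
    """(possible characters) ** (length): the number of candidates an
    exhaustive search has to try in the worst case."""
    return charset_size(password) ** len(password)

def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case years to enumerate the whole keyspace at a given guess
    rate. Like the post, this models a uniform brute force only; wordlist
    or credential-stuffing attacks are outside the model."""
    seconds = keyspace(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed samples: one password per row of the post's 8-character
    # table, its 16-character example, and the 21-character synopsis password.
    for pw in ["abcdefgh", "abcdEFGH", "abcdEF12", "abcdEF1!",
               "TakeoffJumpper8!", "#38ConcreteMixture38#"]:
        print(f"{pw:22} charset={charset_size(pw):2} "
              f"keyspace={keyspace(pw):,} "
              f"years@1e12/s={years_to_exhaust(pw, 1e12):.3g}")
```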
Password Usability
For a password to be usable, it should not look like it is encrypted when you read it in plain text. A good password needs to be easily recognizable to the human eye so you can hold it in memory for the short time you need it. Imagine you are trying to log into a website on your computer, you need to copy the password from another source such as your phone, and the password looks like this:
M$z#7gXgg5DvJVx#
You will likely mistype something and have to enter it again. A computer attempting to break your password via a brute-force attack, on the other hand, has no trouble with a password like that. A computer does not care which password you use, be it
M$z#7gXgg5DvJVx#
or
TakeoffJumpper8!
Both passwords are 16 characters, but the second is far easier for a human to read and to remember long enough to log in with. Since cyber security is not about someone sitting at your computer looking at your pictures and guessing your password, a password that is easier to read is the better choice. Of the two passwords above, the second is ideal because it meets the complexity and length threshold and is easier for you to read.
When it comes to security, you are always attempting to balance security with usability. If the system is not usable, it will be abandoned regardless of its security. Passwords should be treated the same way to avoid password recycling. Each password should be unique, and passwords that are easier to read reduce the likelihood that a user will feel the urge to recycle one because overly complex passwords are too much of a hassle.
Conclusion
A password with at least 16 characters, containing all four available character types, that is easy to read should you need to type it in is, in my opinion, a good password. Regarding account security, you must remember that your accounts should use multifactor authentication and account lockout policies that trigger after a specified number of failed login attempts. You can leverage all of these and other security tools to secure your accounts. There are many other aspects some might mention when creating a password, such as different hacking techniques, and they are correct. However, from my experience, appropriately complex passwords are rarely hacked. Most of the time, a potential attacker will request the password via an email and, in some cases, succeed, but without going into a topic for another post, I believe we have answered the question at the top of this post: "What makes a good password?"