Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

1.Minimum length 8 characters :

►As a rule of thumb, your password must never be below 8 characters. If an attacker happens to use a brute-force attack on your account,which is just trying every possible comobination – with every addition of a character the time taken for the BF attack to crack your password increases exponentially. On average, while it may take just a few minutes to crack open a 6 character password, the time taken for cracking an 8 character password is measured in days and weeks. Assuming your attacker doesn’t have a a billion dollar ExaFlop supercomputer after your account, your password is reasonably safe if it is over 8 characters in length(ExaFlop = 10^18 calculations per second).

2.Names and ‘123’ are out of the question :

►The most common passwords are “Name123”. Whenever someone is after your account, the first thing they try is common passwords like this. Whoever that person is, you have to assume the worst. It might be some random old guy in his mom’s garage or maybe your best friend goofing around, you must assume they know everything about you- your name(duh), amily member’s names, favourite sportsmen, actors, singers- everything. This is the safest way to go. A surprisingly large number of people simply append a ‘123’ to the front or back of a common object thinking they are very smart, but this is the most predictable password there is. Most hackers will start straight away by adding that ‘123’, and if your password is anything like this, you’re screwed. Change it ASAP!

One more thing that deserves mention here is the so called “Security Question”. Reason being that people who know you will know questions about you like “What was your first pet’s name?” or “In what town were you born?” – some of the most common security questions. Plus, the people who know you are far more likely to be interested in taking a peek at your private messages than a random old guy in a garage.

Hence, I recommend to never actually use the security questions in the way they are meant to be used. Don’t use a direct answer, use something that the question reminds you of. While these may offer another layer of protection from annonymous attackers, they can make cracking your account fairly easy by the people who know you. As an example, someone you know well if left alone with access to your mobile phone might be able to get into your Facbook account with no difficulties at all. Always treat security question as an emergency password, it should be unobvious but easy to remember.

3.Random things? Think again.

►There’s something called a dictionary attack. In a nutshell, it means that your attacker has a dictionary, and a program that will throw every word in the dictionary as an attempt to crack your password. After trying out your own and related names +’123′, this is what the Hacker is going to try next – A dictionary attack. So it is better if you keep your password well away from any real words.

Although still not a 100% safe, ‘potjack123’ is much safer than ‘jackpot123’.

4.Turn it around :

►Now a password like ‘aGF$hvYH916!~**’ is probably as safe as it can get, but it’s not exactly easy to remember and definitely not easy to type quickly. For this reason, I(for one) turn words around. What I mean by that is instead of using ‘velocity’, use ‘yticolev’. While as a normal word, it’s easy to guess but after reversing the characters it’s unrecognizable.

After a few times, you’ll get used to it and will be able to type it as quickly as the other one.

5.Throw in symbols and numbers easily :

►If you’re like most people, your current passwords probably don’t have any weird symbols. But I have a quick way of adding both numbers and symbols to your password.

Here’s an example –


Looks weird, right? Well that’s the point. What we have here is, the base word ‘velocity’ – reversed, a ‘567’ at the start (which is much better than a ‘123’), and at the end I have seemingly random symbols which are actually just ‘SHIFT + 567’, that is these are actually the ones written above ‘567’ on your keyboard respectively. So all you have to remember is velocity and ‘567’ and within a few days you’ll be able to type this as fast as any other password but only this one will be relatively impenetrable. (Unless of course you have a supercomputer after your ass, in which case you’re screwed XD)

6.Capitalize- The final blow :

►You might be wondering what’s the point of adding so much random stuff to your password. Our main goal is basically to expand the number of characters which your attacker has to test to find your password. So – Small alphabets = 26 characters, Numbers = 10 more, Symbols = around 20 more. But if you throw in even just one Capital alphabet, that means your attacker has another 26 freaking characters to test which means, in this case, he’s screwed. Reason being the brute-force attack I mentioned earlier. Say your password is the one in the last point with a capital ‘V’ and ‘Y’ :


So that’s 14 characters with upper and lower case alphabets, numbers and symbols. Believe it or not, such is the power of exponential growth that it will actually take an average computer BILLIONS even TRILLIONS of years to crack your password. Now even if your insane attacker can somehow get a supercomputer, it would take him several thousands of years to get your password. After even a fraction of this time we can safely assume that he would have lost all his money buying the supercomputer and the will to do whatever he wanted to do with your account. (You can calculate the exact time by using permutations and combinations and the speed of the CPU)

One last thing, by using the same passwords for several different accounts you’ll only be making the hacker’s job easier. But yes, remembering a dozen passwords is probably not worth it. For this I suggest making tiny changes. If you use 567velocity for gmail, you can use 456velocity for facebook, 678velocity for yahoo etc. To hack the next account the hacker will have to go through all the combinations all over again and that for him, will probably not be worth it.

So there you have it! For all practical purposes a password like this will be impenetrable throughout your lifetime. (Nevertheless, I still recommend changing your password around twice a year or so. That’s because you’re not the only one reading this article.)

Want to be a real hacker? Sign Up!

Recommended | All | New

go to top