What makes a strong password?

In this day and age the importance of a strong password cannot be overstated, but have you really stopped for a moment to consider just what makes a strong password? Many organizations have policies concerning passwords, and while a policy is an absolute, the reality is that passwords are often weak. For example, suppose a policy states that passwords must be at least eight characters long and include upper case, lower case, one special character and a number. An employee who uses a password of P@ssword1 conforms to the policy, but the reality is that this is a poor password. Against Windows system password protection, an everyday computer could crack this password in less than a day.

The Human Fault

The reality is that we as humans are not wired to recall a completely random set of characters from memory, so we typically create a password that can be easily remembered or that has personal meaning that acts as a hint. For example, if the same employee were to set a password of p?[Mvt`V instead of P@ssword1, the time to crack this much more complex password becomes four months and seven days. At this point it begins to look as though passwords can be made much more difficult to crack, but once again the black hat community has a strong arsenal of tools: a $900.00 password attacker takes the password of p?[Mvt`V back to one day to crack, and a $180,000.00 password attacker cracks p?[Mvt`V in less than one day.

You should always avoid passwords that make use of the following:

  • Dictionary words
  • Common misspellings
  • Abbreviations
  • Sequences
  • Personal information
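The gap between "conforms to the policy" and "is a good password" can be checked mechanically. The sketch below is an added example, not part of the original post: it tests the example policy from above and then looks for three of the listed patterns (dictionary words, including ones disguised by character substitution, sequences, and personal information). The wordlist, sequence list and substitution table are small constructed samples.

```python
import re

# Constructed sample data: a real check would load a large breached-password list.
WORDLIST = {"password", "welcome", "dragon", "monkey", "letmein"}
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl"]
# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("@4031!$57", "aaoelisst")

def meets_policy(pw):
    """The example policy from the article: 8+ chars, upper, lower, digit, special."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def weaknesses(pw, personal=()):
    """Return the categories from the avoid-list that the password falls into."""
    lowered = pw.lower()
    # Candidate spellings: as typed, with substitutions undone, and with a
    # trailing run of digits/symbols dropped first (the "append 1!" habit).
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    candidates = {lowered, lowered.translate(LEET), stripped.translate(LEET)}
    found = []
    if any(word in cand for word in WORDLIST for cand in candidates):
        found.append("dictionary word")
    # Any 4-character run of a known sequence, forwards or backwards.
    runs = [s[i:i + 4] for s in SEQUENCES for i in range(len(s) - 3)]
    if any(r in lowered or r[::-1] in lowered for r in runs):
        found.append("sequence")
    if any(p.lower() in lowered for p in personal if p):
        found.append("personal information")
    return found

if __name__ == "__main__":
    for pw in ["P@ssword1", "Qwerty2024!", "p?[Mvt`V"]:
        print(pw, meets_policy(pw), weaknesses(pw))
```

P@ssword1 passes the policy check and is still reported as a dictionary word, which is the situation the policy example describes.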

Brute Force Attacks

The threat of brute force attacks is real, and there are many well-known programs readily available via the Internet that anyone can download. To put things into perspective, I want to demonstrate the estimated amount of time it may take to crack the password of p?[Mvt`V using this form of attack with GRC’s Interactive Brute Force Password “Search Space” Calculator.

Brute Force Search Space Analysis

Brute force search space analysis demonstrates that p?[Mvt`V may be breached in anywhere from 8.77 hundred centuries to 7.66 hours or even 27.57 seconds. At this point the reality of the risks associated with passwords should be setting in. So what would happen if we make a simple change of requiring a twelve character password instead of eight characters? In this scenario I will use a password of K#WE”1AfmU%.

Brute Force Search Space Analysis

Brute force search space analysis demonstrates that the password of K#WE”1AfmU% may be breached in anywhere from 1.74 hundred billion centuries to 1.74 thousand centuries or even 1.74 centuries. As you can gather, a twelve character password is much stronger than its eight character counterpart.
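The arithmetic behind figures like these is short enough to run yourself. The following is an added example, not code from the original post or from GRC: the character-class sizes (26, 26, 10, 33) and the three guess rates are assumptions, chosen because they reproduce the 7.66 hours and 27.57 seconds quoted above for p?[Mvt`V.

```python
import string

# Assumed guesses per second for three attacker scenarios (see lead-in).
SCENARIOS = {
    "online attack": 1e3,
    "offline fast attack": 1e11,
    "massive cracking array": 1e14,
}
# A class counts in full as soon as one of its characters is used:
# 26 lower, 26 upper, 10 digits, 33 symbols (punctuation plus space).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]

def alphabet_size(pw):
    """Size of the alphabet an exhaustive search must assume for this password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))

def search_space(alphabet, length):
    """Number of candidates of length 1..length over the given alphabet."""
    return sum(alphabet ** k for k in range(1, length + 1))

def crack_seconds(alphabet, length):
    """Worst-case seconds to exhaust the search space in each scenario."""
    space = search_space(alphabet, length)
    return {name: space / rate for name, rate in SCENARIOS.items()}

if __name__ == "__main__":
    year = 365 * 86400  # year length is a choice; century figures shift slightly with it
    cases = [
        ("8 chars, no digits (p?[Mvt`V)", alphabet_size("p?[Mvt`V"), 8),
        ("12 chars, all four classes", 95, 12),
    ]
    for label, alphabet, length in cases:
        print(label, "alphabet =", alphabet)
        for name, secs in crack_seconds(alphabet, length).items():
            print(f"  {name:24s} {secs:12.4g} s  ({secs / year:.4g} years)")
```

Each extra character multiplies the search space by the alphabet size, which is why four more characters move the fastest scenario from seconds to centuries. The calculation says nothing about guessability, so a dictionary-derived password scores as well here as a random one of the same length.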

Password Cracking Software

  1. Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects and weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.
  2. John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (eleven architecture-specific flavors of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.
  3. L0phtCrack is a password auditing and recovery application (now called L0phtCrack 6) originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables.
  4. RainbowCrack is a computer program which generates rainbow tables to be used in password cracking. RainbowCrack differs from “conventional” brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password drastically.


Passwords are here to stay, and because of this it is extremely important to understand the risks associated with passwords, whether you are an individual or a corporation. I urge you to implement strong passwords, and if you’re not positive that your password can stand up to attack, you should check out GRC’s Interactive Brute Force Password “Search Space” Calculator. Remember to never share your password, and think about it as a key to your home. Good luck and I hope that you found this post informative and useful.
