How strong does a password need to be?

We are forever bombarded with advice on how to make strong passwords; there are endless schemes. The crackers and hackers know about all of these schemes. They have huge lists of leaked passwords, alphanumeric combinations of various sorts and certainly all the words in all the dictionaries. Today, our local law enforcers sent out some friendly advice on avoiding ID theft and the like, and they suggested using number substitutions for your p455w0rd5... Do they think crackers and hackers don't know about l33t? They are the l33t! Too easy.

Now, password strength can be about complexity. S4ygCskPC looks quite strong...ish, and is the kind of password some logins suggest you use and often limit you to using. But it would take a theoretical massive cracking array only a couple of minutes to crack. S4ygCskPC@, with its non-alphanumeric character, is stronger; that would take a week. But what about a password like this: b0B........ ? It looks too simple and easy, doesn't it? But it would take that same array a couple of years to crack, simply because it has one more character, albeit a repeated character. You see, the cracking software does a brute-force attack or a dictionary attack by working its way through increasing combinations of all possible characters: testing the smallest passwords first, then adding a character, re-testing, and so on.

S4ygCskPC@ is far too short a password but not entirely unmemorable; you could probably learn it. Pad it out with a set number of a single repeated character, or with extra words, say, and it will take any cracking software so much longer to get to it that it is not feasible without a quantum computer, say. So, you could do this: S4ygCskPC@S4ygCskPC@S4ygCskPC@, which would take 6.90 hundred billion trillion trillion centuries to crack, unless the cracker knew that you'd simply repeated your password a couple of times. dB1........................... would also take 6.90 hundred billion trillion trillion centuries, and perhaps, having read this article, the crackers might shift how they work and start adding full stops... so don't follow this template; use your own memorable scheme to pad out a simple, short, easy-to-remember password with a set number of characters, the count of which you can easily remember...
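As an added example (not code from the original post), here is the search-space arithmetic behind those crack-time figures, together with the caveat about a cracker who already knows the padding scheme. It assumes the haystack-style model: the attacker tries every string over the character classes present, shortest first, at an assumed 100 trillion guesses per second (a rate the post itself does not state).

```python
import string

# Character classes in the "haystack" model: an attacker who knows only which
# classes a password uses must try every string over their union.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")  # 26 + 26 + 10 + 33 = 95

def alphabet_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def search_space(password: str) -> int:
    """Candidates an exhaustive attacker tries before finishing length
    len(password), shortest strings first: n^1 + n^2 + ... + n^len."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def seconds_to_exhaust(password: str, guesses_per_second: float = 1e14) -> float:
    """Worst-case time to exhaust the space at the assumed guess rate (1e14/s)."""
    return search_space(password) / guesses_per_second

def padded_pattern_space(core: str, pad_alphabet: int = 33, max_pad: int = 40) -> int:
    """Candidates if the attacker already knows the scheme is '<core> followed
    by one symbol repeated up to max_pad times': the padding then only
    multiplies the core's space by (pad characters) x (pad lengths)
    instead of raising the alphabet to a higher power."""
    return search_space(core) * pad_alphabet * max_pad

def describe(password: str) -> str:
    secs = seconds_to_exhaust(password)
    years = secs / (365 * 24 * 3600)
    return (f"{password!r}: alphabet {alphabet_size(password)}, {len(password)} chars, "
            f"~{secs:.3g} s (~{years:.3g} years) at 1e14 guesses/s")

if __name__ == "__main__":
    # The post's own passwords: 9, 10, 11 and 30 characters.
    for pw in ("S4ygCskPC", "S4ygCskPC@", "b0B" + "." * 8, "dB1" + "." * 27):
        print(describe(pw))
    # Same 11-character password, but the attacker knows the padding scheme:
    print("b0B + dots, scheme known:", padded_pattern_space("b0B"), "guesses")
```

The 30-character repeated and dot-padded passwords come out identical in this model, which is exactly why the post says the scheme, not just the length, has to stay private.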

More on password padding from Steve Gibson at GRC.