Technical
Strong Passwords: What Makes Them Secure
Written by Magnus Silverstream
November 4, 2025
7 min read
In an era of constant data breaches, your password is often the only barrier between hackers and your personal information. Yet many people still rely on weak, easily guessable passwords. Understanding what makes a password truly strong isn't just about adding numbers and symbols - it's about understanding how attackers think and how modern cracking tools work. This guide breaks down the science of password security and provides practical strategies for creating passwords that are both secure and memorable.
How passwords get cracked
To create strong passwords, you need to understand how they're broken:
Brute force attacks
Trying every possible combination. A 6-character lowercase password has 308 million possibilities - crackable in seconds with modern hardware.
Dictionary attacks
Using lists of common words, names, and known passwords. "password123" and "qwerty" are tried within milliseconds.
Hybrid attacks
Combining dictionary words with common modifications: P@ssw0rd, Summer2024!, John1990.
Rainbow tables
Pre-computed tables of password hashes that let an attacker look up a stolen hash instead of recomputing it. This is why websites should use salted hashes: a unique salt per password makes pre-computed tables useless.
Social engineering
Gathering personal information (pet names, birthdays, favorite sports teams) from social media to guess passwords.
Credential stuffing
Using leaked passwords from one breach to access accounts on other sites - which is why password reuse is so dangerous.
The mathematics of password strength
Password strength is measured in entropy: the number of possible combinations a password could have been drawn from, expressed in bits (the base-2 logarithm of that number). The figures below assume every character or word is chosen uniformly at random.
Entropy formula: bits = log2(character set size ^ password length) = password length × log2(character set size)
Character sets:
• Lowercase only (26): 6 chars = 28 bits
• + Uppercase (52): 6 chars = 34 bits
• + Numbers (62): 6 chars = 36 bits
• + Symbols (95): 6 chars = 39 bits
Length matters more than complexity:
• 8 random lowercase letters: 38 bits
• 12 random lowercase letters: 56 bits
• 16 random lowercase letters: 75 bits
Cracking time estimates (time to try every combination at 10 billion guesses/second; on average an attacker finds the password after about half of that):
• 40 bits: ~2 minutes
• 50 bits: ~1.5 days
• 60 bits: ~4 years
• 70 bits: ~3,700 years
• 80 bits: ~3.8 million years
Target at least 60-80 bits of entropy for important accounts.
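The calculator below is an added example, not part of the original article; it reproduces the entropy and cracking-time tables above from the article's own formula and assumes the same 10 billion guesses/second rate (offline attack against a fast hash).

```python
import math

# Guess rate assumed by the article's table (assumption: offline attack on a fast hash).
GUESSES_PER_SECOND = 10_000_000_000


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(N^L) = L * log2(N)."""
    if charset_size < 2 or length < 1:
        raise ValueError("charset size must be >= 2 and length >= 1")
    return length * math.log2(charset_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Same formula with the word list as the alphabet (7776 words for EFF/Diceware lists)."""
    return entropy_bits(wordlist_size, words)


def exhaustive_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to try every combination; the average attacker needs about half."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    """Round a duration to the largest unit that fits."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def strength_report(charset_size: int, length: int) -> dict:
    """Summarise a password shape against the article's 60-bit target."""
    bits = entropy_bits(charset_size, length)
    return {"bits": round(bits, 1),
            "exhaustive_search": human_time(exhaustive_seconds(bits)),
            "meets_60_bit_target": bits >= 60}


if __name__ == "__main__":
    for n, label in [(26, "lowercase"), (52, "+uppercase"), (62, "+digits"), (95, "+symbols")]:
        print(f"{label:>10} x 6 chars: {entropy_bits(n, 6):.0f} bits")
    for length in (8, 12, 16):
        print(f"{length} random lowercase letters: {strength_report(26, length)}")
    for bits in (40, 50, 60, 70, 80):
        print(f"{bits} bits: {human_time(exhaustive_seconds(bits))}")
    print(f"4 words from a 7776-word list: {passphrase_bits(7776, 4):.1f} bits")
```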
Common password mistakes
Avoid these frequent errors:
Predictable patterns
• Capitalizing the first letter only: Password
• Adding numbers at the end: password123
• Substituting obvious characters: p@ssw0rd
• Using keyboard patterns: qwerty, 123456
Personal information
• Names of family, pets, or partners
• Birthdates or anniversaries
• Favorite sports teams or players
• Cities or schools
Reusing passwords
If one site is breached, all your accounts using that password are compromised. Over 80% of data breaches involve credential reuse.
Too short
Even with maximum complexity, passwords under 12 characters are increasingly vulnerable to modern cracking hardware.
Not updating after breaches
When a service you use reports a breach, change that password immediately - and any other account where you used it.
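As an added example (not code from the article), the check below flags the predictable patterns and personal-information mistakes listed in this section, the way a registration form or password-policy audit would. The common-word list, keyboard patterns and substitution table are constructed samples; a real deployment would use a breach or dictionary list and the user's actual profile fields.

```python
import re

# Constructed samples for this example. A production check would use a real
# breach/dictionary list and the user's own profile fields for personal info.
COMMON_WORDS = ("password", "welcome", "summer", "letmein", "monkey", "dragon")
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "123456", "1qaz", "qazwsx")
# Reverse the "obvious substitutions" named in the guide (p@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def password_issues(pw: str, personal_info=()) -> list:
    """Return the guide's listed mistakes found in pw; an empty list means none found."""
    issues = []
    low = pw.lower()
    normalized = low.translate(LEET)
    if len(pw) < 12:
        issues.append("too short (under 12 characters)")
    if pw[:1].isupper() and pw[1:].islower():
        issues.append("only the first letter is capitalized")
    if re.search(r"[a-z]\d{1,4}[^0-9a-z]{0,2}$", low):
        issues.append("ends with a short run of digits")
    if re.search(r"(19|20)\d\d", pw):
        issues.append("contains a year (birthdate/anniversary guess)")
    for word in COMMON_WORDS:
        if word in low:
            issues.append(f"contains the common word '{word}'")
        elif word in normalized:
            issues.append(f"obvious character substitutions hide '{word}'")
    for pattern in KEYBOARD_PATTERNS:
        if pattern in low:
            issues.append(f"contains the keyboard pattern '{pattern}'")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in low:
            issues.append(f"contains personal information '{item}'")
    return issues


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "Summer2024!", "John1990",
                      "umbrella seventeen piano cascade"):
        found = password_issues(candidate, personal_info=["John", "Buddy"])
        print(f"{candidate!r}: {found or 'no listed mistakes found'}")
```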
The passphrase approach
Passphrases use multiple random words to create long, memorable passwords:
Example: "correct horse battery staple"
Why passphrases work:
• Length provides high entropy (4 random words ≈ 44-60 bits, depending on the size of the word list they are drawn from)
• Easier to remember than random characters
• Faster to type than complex passwords
• Resistant to brute force attacks
Creating strong passphrases:
1. Use 4-6 truly random words
2. Don't use related words or phrases
3. Don't use song lyrics, quotes, or book titles
4. Consider adding a number or symbol between words
5. Use a random word generator, not your own choices
Example generators:
• Diceware method (rolling dice to select words)
• EFF word lists
• Password manager generators
Weak passphrase: "I love my dog Buddy"
Strong passphrase: "umbrella seventeen piano cascade"
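The generator below is an added example, not code from the article or from any of the generators it names. It follows the five steps above: words are chosen with the operating system's cryptographic random source rather than by hand, an optional symbol can be placed between words, and the entropy is reported so a small list is visibly weaker. The 12-word list is a constructed stand-in for a real 7776-word Diceware/EFF list; the dice-key functions show how such a list is indexed by five dice rolls.

```python
import math
import secrets

# Constructed sample list. A real Diceware/EFF large list has 7776 words,
# one per five-dice roll (6^5); only the list size affects the entropy.
SAMPLE_WORDS = ["umbrella", "seventeen", "piano", "cascade", "granite", "walrus",
                "lantern", "meadow", "copper", "violet", "saddle", "thimble"]
SEPARATORS = "-_.!,;"  # optional symbols placed between words (step 4)


def dice_key(n_dice: int = 5) -> str:
    """Simulate rolling n_dice dice with the OS CSPRNG, e.g. '35214'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def key_to_index(key: str) -> int:
    """Map a dice key to a 0-based list index (base-6 digits 1..6)."""
    if not key or any(c not in "123456" for c in key):
        raise ValueError("dice key must contain only digits 1-6")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def passphrase_entropy(wordlist_size: int, count: int, symbols: bool = False) -> float:
    """Bits of entropy for `count` uniformly chosen words (plus random separators)."""
    bits = count * math.log2(wordlist_size)
    if symbols:
        bits += (count - 1) * math.log2(len(SEPARATORS))
    return bits


def generate_passphrase(words=SAMPLE_WORDS, count: int = 4, symbols: bool = False) -> str:
    """Choose words uniformly with secrets (never random.random) and join them."""
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of two or more")
    chosen = [words[secrets.randbelow(len(words))] for _ in range(count)]
    if not symbols:
        return " ".join(chosen)
    out = chosen[0]
    for word in chosen[1:]:
        out += secrets.choice(SEPARATORS) + word
    return out


if __name__ == "__main__":
    print(generate_passphrase(), f"({passphrase_entropy(len(SAMPLE_WORDS), 4):.1f} bits from a 12-word list)")
    print(generate_passphrase(count=5, symbols=True))
    print(f"4 words from a 7776-word list: {passphrase_entropy(7776, 4):.1f} bits")
    key = dice_key()
    print("dice key", key, "-> list index", key_to_index(key))
```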
Password managers: the modern solution
Password managers solve the fundamental password problem: humans can't remember dozens of unique, complex passwords.
How they work:
• Generate random, unique passwords for each site
• Store all passwords encrypted with one master password
• Auto-fill credentials in browsers and apps
• Sync across devices
Benefits:
• Every password can be truly random and unique
• No password reuse across sites
• Phishing protection (auto-fill is tied to the saved site's domain, so it won't fill on a look-alike site)
• Secure notes for sensitive information
• Breach monitoring and alerts
Master password considerations:
• This is the ONE password you must remember
• Use a strong passphrase (5+ random words)
• Never write it down digitally
• Enable two-factor authentication
Popular options:
• Cloud-based: Bitwarden, 1Password, LastPass, Dashlane
• Local-only: KeePass, KeePassXC
• Browser built-in: Improving but less feature-rich
Multi-factor authentication
Even the strongest password isn't enough anymore. Multi-factor authentication (MFA) adds crucial protection:
Authentication factors:
• Something you know (password)
• Something you have (phone, hardware key)
• Something you are (fingerprint, face)
MFA methods ranked by security:
1. Hardware security keys (FIDO2/WebAuthn)
• Most secure option
• Physical device required
• Phishing-resistant: the key's response is bound to the real site's origin, so a look-alike site gets nothing it can replay
2. Authenticator apps (TOTP)
• Google Authenticator, Authy, etc.
• Time-based one-time codes
• Much better than SMS
3. Push notifications
• Approve login on your phone
• Convenient, but attackers can flood you with prompts hoping you approve one (MFA fatigue)
4. SMS codes
• Better than nothing
• Vulnerable to SIM swapping
• Use only if no other option available
Prioritize enabling MFA on:
• Email accounts (gateway to password resets)
• Financial accounts
• Social media
• Password manager
• Work accounts
Conclusion
A strong password combines length, randomness, and uniqueness. The most practical approach for most people is to use a password manager to generate and store unique random passwords for every account, protected by a strong master passphrase and multi-factor authentication. Remember: length beats complexity, randomness beats patterns, and a password manager beats human memory. Use our password generator to create cryptographically secure passwords that meet all modern security standards.
Frequently Asked Questions
Aim for at least 12-16 characters for important accounts. Longer is always better - a 20-character password is exponentially harder to crack than a 10-character one. For passphrases, use at least 4-5 random words.