We use cookies on our websites. Information about cookies and how you can object to the use of cookies at any time or end their use can be found in our privacy policy.

3 min read 11 comments

How Safe Is Your Password, Really?


Conventional wisdom has it that passwords should be long, alphanumeric and, most importantly, need to be changed on a regular basis. In fact, as many of you already know, companies require their employees to change their passwords at regular intervals for security purposes. As it turns out, much of what we believe in when it comes to password security isn't necessarily true, as several researchers and studies have recently pointed out. The science may be complex, but we've boiled it down so that you can find out how to generate an “uncrackable” password.

It has become a common practice for websites to evaluate your passwords on a scale from weak to strong. Based on the algorithms used by websites such as Facebook and Twitter, alphanumeric passwords get the highest “security” rating. As developer Cameron Morris managed to discover, however, a lot of these supposedly safe passwords can be hacked by an amateur in less than one day. If you take an alphanumeric password such as “34Lakers56” named after your favorite basketball, it may pass the Facebook strength test, but leaves you totally exposed to outside attacks.


Morris completely redefines the concept of password strength. Instead of judging the value of a password on a relative scale, Morris developed an analytical tool that could determine how much time it would hypothetically take to crack your password.

Using his Passfault Analyzer (a tool which I rurge all of you to try out), you'll encounter some surprising results. Turns out my favorite password (which I use to guard my WiFi connection) could be cracked in just 3 days, whereas it would take several months to decode my childhood password which is a made-up word (apparently, baby words work great as passwords!). Obviously, we would all like to have passwords that would take at least a billion years to crack.

You may not like to hear this, but truly secure passwords need to be long, really, long, like anything from 20 to 30 symbols. More importantly, your password should not include any words that can be found in the dictionary. Generating a cryptic alphanumeric password devoid of words may be a difficult endeavor, especially when you have to memorize the bloody thing.

So as a recent Carnegie-Mellon study suggests, once you've found a password that would take lightyears to crack – stick to it. Changing your password actually undermines your security and you can't be expected to memorize a random set of characters every three months. Then we start writing these passwords down on bits of paper– and it's a downward slope from there on in terms of security. That's why it's essential to memorize one or two bulletproof passwords and test them with the Passfault Analyzer tool. Can't think of a good “uncrackable” password? Here's a good tutorial video on how to come up with the perfect password and leave the hackers biting their nails:

How did you fare in the Passfault test? Did your passwords turn out to be as safe as you thought? Share your thoughts in the comments!


Source: Naked Security


Write new comment:
All changes will be saved. No drafts are saved when editing

  • How to miss the point!

    They aren't attempting to predicted computing power of the future or how big evil hackers bot net is, but provide a useful security diagnostic tool by providing a quantifiable value to the strength of your password.

    Yes it's for a given strength of attack and encryption, but so are any of these assessments. This does highlight the flaws of some "strong " passwords that rely on dictionary words and numbers.

    I for one found it useful and will use it to guage the RELATIVE strength of future passwords. My new wifi password being 25 centuries :-)

  • Wow... this tool can tell how many years it would take to crack my password?
    It's knows exactly how much computing power we will have 10 years from now???

    It's also knows if I'm use 100 networked computers... or 25,000... to do the cracking????

  • > They basically use these programs to guess the password by completing thousands of combinations per second.

    That's pretty impressive. My account only allows 1 guess every 30 secs (at most).
    To do even 100,000 guesses would take far longer than 100 seconds.

  • > once you've found a password that would take lightyears to crack

    Huh? No one at androidpit knows what a "light-year" is? It's a measurement of *DISTANCE*... not of time.


  • Their method of trying thousands of combinayions per second will not work for most websites like google who suspend your login after a few failed attempts. Your wifi connection on the other hand I can see someone hacking at it for a few days.

    I use an app called mSecure to keep track of my passwords.

  • Ti Mo May 25, 2012 Link to comment

    Or is it you who is the hacker... You made the website and now know every password we typed in there :O


  • Here is a good overview on how they do it: http://en.wikipedia.org/wiki/Brute-force_attack

    They basically use these programs to guess the password by completing thousands of combinations per second.

  • Ti Mo May 25, 2012 Link to comment

    Like how do you hack a password anyways? I mean I don't wanna have a detailed explanation but rather a quick overview cause I have like no idea how they'd do it lol

  • It is definitely a sobering test. Just changed all my passwords to be on the safe side so that hackers can spend quatrillion years trying to hack it.

  • Ti Mo May 25, 2012 Link to comment

    Yeah made a new one. Time: 1 year and ten months. And good memorable for me :D

  • Ti Mo May 25, 2012 Link to comment

    Lol my fb and WLAN access password is cracked in 2 days, my Google password in less than a day Oo