What is a Strong Password?

Sep 15 14


Paul Weinstein

First published: 19th of August 2014 for Orbit Media Studios

Passwords are a pain. They are required for too many things: your phone, your computer, your apps, your accounts. They get in the way of getting something done.

It would be wonderful if this post were an introduction to something better. Alas, for the time being, we’re stuck with passwords. So, how can we best use them? How can we secure ourselves and others? What, exactly, is a “strong” password?

That’s Weak

Let’s start by considering the opposite: what makes a password weak?

  • The password is the same as, or contains part of the user/account name.
  • The password can be easily referenced, such as a common word found in a dictionary or a reference to a local team.
  • The password contains numbers or letters in sequential order, such as 1234 or qwerty.
  • The password contains simple substitutions, such as 0 (zero) for O or @ for a.
  • The password contains personally identifiable information, such as a favorite number, color, or pet’s name.

These examples are considered weak because they are based on simple patterns that are easy to guess and trivial for an automated process to test at high speeds. More to the point, common words and patterns expose the two main problems with many passwords: different people with the same cultural influences choosing the same passwords, and one person reusing a password multiple times.

Playing the Bad Guy

Let’s put on the black hat for a moment and consider the problem. We want to gain access to someone’s account. Let’s consider the account in question and begin to create a list of possible passwords.

Starting at the top of our list we have:

  • admin
  • administrator
  • password
  • pass
  • 1234
  • 1111

Next we add some less specific, but common, everyday words:

  • love
  • mom
  • money
  • damn

Finally we add some specific, but still common names for pets, teams, and cities:

  • Fido
  • Whiskers
  • Giants
  • Bears
  • Aurora
  • Lincoln

Now, we need some computer logic to do something with this list. Part of the program might look like this:

For each word…

  • try the word, as is
  • try the word, but change the capitalization
  • try the word, combined with another word in the list
  • try the word, substituting letters with numbers and symbols

With this dictionary of words to try and a process to try them with we can now make an automated attempt at accessing the account.

But wait, you might be thinking, how large of a list does this really have to be? One study by security consultant Mark Burnett determined that in a pool of over 6,000,000 unique accounts, a list with 1,000 of the most frequent passwords will match 91% of the accounts. Increase the list to 10,000 and now we have access to 99.8% of accounts.


And once we’ve gained access to an account, the chances that the user has used the same password elsewhere will increase. A 2014 research study estimated that “43-51% of users reuse the same password across multiple sites.” Moreover, knowing a user’s password also increases the chance of guessing a variation of the known password in use elsewhere.

So What is a Strong Password?

Guidelines for what constitutes a strong password will vary, based on a number of conditions, such as:

  • The sensitivity of the information being protected. Is this your financial information or your collection of food photos?
  • Does the application limit the number or type of characters that can be used in a password?
  • Does the system incorporate two-step authentication? That is, does the system authenticate you in two stages?

With these conditions in mind, the main goal is to make it harder for an aided attacker to guess what the password is. Therefore:

  • Use more characters, not fewer. Use a minimum password length of 8 to 14 characters when possible.
  • Mix in lowercase and uppercase letters, numbers, and symbols as permitted, but not as a substitution.
  • Do not use the same or similar password for important accounts, such as banking or financial websites.
  • Avoid using information that is or might become publicly available or identifiable.
  • Remove patterns, sequences, and common words as much as possible. Embrace the random.
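The weak-password criteria and guidelines above can be turned into a check that a sign-up or password-change form runs before accepting a new password. The following is an added example, not code from the original post; the function names, the reason labels, the small word list, and the substitution pairs beyond 0-for-O and @-for-a are assumptions made for illustration.

```python
import re

# Constructed sample blocklist built from the words this post lists; a real
# check would load a large list of the most frequent passwords instead.
COMMON_WORDS = {"admin", "administrator", "password", "pass", "love", "mom",
                "money", "damn", "fido", "whiskers", "giants", "bears",
                "aurora", "lincoln"}

# Reverse simple substitutions. The post names 0-for-O and @-for-a; the
# remaining pairs are assumptions added for this example.
SUBSTITUTIONS = str.maketrans({"0": "o", "@": "a", "1": "i", "!": "i",
                               "3": "e", "$": "s", "5": "s", "7": "t"})

SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize(text):
    """Lowercase and undo substitutions, so 'P@ssw0rd' reads as 'password'."""
    return text.lower().translate(SUBSTITUTIONS)


def has_sequence(text, run=4):
    """True for `run` repeated characters or a keyboard/alphabet/digit run."""
    text = text.lower()
    if re.search(r"(.)\1{%d}" % (run - 1), text):
        return True
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in text or chunk[::-1] in text:
                return True
    return False


def weaknesses(password, username="", min_length=8):
    """Return the reasons a password is weak; an empty list means none found."""
    reasons = []
    norm = normalize(password)
    if len(password) < min_length:
        reasons.append("too_short")
    if username and normalize(username) in norm:
        reasons.append("contains_username")
    if any(word in norm for word in COMMON_WORDS):
        reasons.append("common_word")
    if has_sequence(password):
        reasons.append("sequence")
    return reasons
```

An empty result only means none of these specific patterns were found; it does not prove the password is strong or unique to one account.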

And to keep track of your newly created, long, random passwords? Use a secure password manager, which will store all your passwords encrypted with a master password key.

But take note, while some password managers store passwords locally on your device, others store the data on a server elsewhere on the Internet. Which storage method is right for you will depend on your aversion to risk.