At some point in our lives, we’ve all gone through some online account creation process and created a password. Frequently, we’re required to choose a password that includes something like at least one capital letter, one number, et cetera. The stricter the criteria, the more layers of security we think we’ve added to our passwords.
However, that’s not actually the case.
The math behind password security
To understand why, let’s do some math. (It will be really simple, I promise.) One method of attempting to defeat a password is to simply try all possible character combinations. This tactic is referred to as a “brute force” attack. It goes without saying that a password with fewer possible combinations is easier to brute force than a password with more possibilities. In cryptography, the set of all possible combinations is referred to as the ‘keyspace’. Statistically, if an attacker is brute forcing a password, they must try fifty percent of the keyspace before they have a better than fifty percent chance of gaining access.
Now, suppose I’m getting an account for a site that only requires two-character passwords. Since there are a total of 95 printable ASCII characters, that means we have a total of 95 x 95 possible combinations. Out of those 9,025 combinations, suppose an attacker could try five passwords per second. To try half the possible combinations would take about 900 seconds.
But what if the site decides to enforce a policy that one character in the password must be a number? This requirement reduces the possible number of passwords to only 950 (95 x 10). The same attacker would be able to try half the possible passwords in only 95 seconds.
Of course, no site would allow two-character passwords (I hope). The math, however, is similar with longer passwords.
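The keyspace arithmetic from the section above, as an added example that is not part of the original post, generalized from the two-character case to any length. It uses the post’s figures (95 printable characters, a 10-digit group, 5 guesses per second) and counts the digit rule two ways: the post’s 95 x 10, where the digit sits in one fixed position, and the count when the digit may appear in any position; the function names are this example’s own.

```python
# Added example (not from the original post): keyspace arithmetic behind the
# brute-force argument, generalized from two characters to any length.
# Alphabet sizes and the 5 guesses/second rate are the post's; the function
# names are this example's own.
from typing import Dict

PRINTABLE_ASCII = 95   # printable ASCII characters, as in the post
DIGITS = 10            # the "one character must be a number" group


def keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Passwords possible when every position may hold any of `alphabet` chars."""
    return alphabet ** length


def keyspace_fixed_digit(length: int, alphabet: int = PRINTABLE_ASCII,
                         group: int = DIGITS) -> int:
    """One known position is forced to the digit group (the post's 95 x 10)."""
    return alphabet ** (length - 1) * group


def keyspace_at_least_one(length: int, alphabet: int = PRINTABLE_ASCII,
                          group: int = DIGITS) -> int:
    """At least one position, anywhere, holds a digit (inclusion-exclusion):
    all passwords minus those that use no character from the group at all."""
    return alphabet ** length - (alphabet - group) ** length


def seconds_to_half(space: int, guesses_per_second: float = 5.0) -> float:
    """Time to try half the keyspace, the 50% point the post describes."""
    return space / 2 / guesses_per_second


def compare(length: int) -> Dict[str, float]:
    """Half-search time in seconds for each policy at one password length."""
    spaces = {
        "any": keyspace(length),
        "fixed_digit": keyspace_fixed_digit(length),
        "at_least_one_digit": keyspace_at_least_one(length),
    }
    return {name: seconds_to_half(n) for name, n in spaces.items()}


if __name__ == "__main__":
    for n in (2, 8):
        print(n, compare(n))
```

Whichever way the digit rule is counted, the constrained keyspace is strictly smaller than the unconstrained one at every length, which is the post’s point.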
Other password pitfalls
That’s not to say, however, that a password should be something as simple as ‘walrus’ – walrus is a common word found in the dictionary and is subject to a “dictionary attack”. A dictionary attack is an attempt to gain access to a system by trying common words and passwords (such as ‘letmein’, ‘password123’, et cetera).
Beyond these common pitfalls, there are other ways that a password can be less secure – or easy to guess. Things like a spouse’s name, your date of birth, mailing address, et cetera, are examples of what not to use in a password.
The building blocks of a good password
Longer passwords are better, and contrary to the common misconception, they don’t have to be difficult to remember. A simple phrase can be easier to remember, but long enough to be difficult to brute force. Something like ‘ILikeDrinkingWhiskey,ButNotMoreThan5Shots.’ mixes upper and lower case, special characters (the comma and the period), and numbers but, due to one particularly eventful evening, is very easy for me to remember (although that’s not my actual password).
It’s also a good practice to reset your passwords frequently. For example, when getting started with a new server, we recommend immediately resetting your password and following these guidelines:
- Use at least 8 characters.
- Use a combination of upper-case letters, lower-case letters, and numbers.
- Avoid words or names, especially your name or the name of your business.
- Avoid a password that shares the same characters as the previous password. For example, changing “codero1” to “codero2” is not a safe practice.
The moral of the story is that a password should use as many different characters from as many different character groups as possible.
No password will make any system perfectly secure, but by using the tips above, you can make it as hard on the attackers as you can. After all, passwords are one of your lines of defense keeping your dedicated server environment secure.
Of course, sometimes even the best laid plans go awry, and the most thoughtful passwords get lost in the rush of day to day life. If you ever lose your Codero Cloud password, you can recover it by following these steps, or chatting with one of our experts.