But how do passwords have to look like to be considered secure? And who determines that? There is no authority with guidelines on the creation of secure passwords. Companies, organizations, software developers and end users all have their own definition of secure passwords.

While some may think it is sufficient to select a password with numbers in it, others demand a password with upper and lower case chars, numbers, special characters and a minimum length of 16 or more.

Defining the format of a secure password is however only one side of the medal. It does not do anything good if the software, website or service is not compatible with those settings. A website that restricts the password to a length of 10 characters without special characters would be incompatible with a secure passwords policy that requires at least 14 chars and one special character.

Generally speaking, a password becomes more secure with the length of characters it contains, and the different types of characters used.

Several companies have created online tools that give the user feedback on the complexity of the password. Is that password secure is a common search term for those services. Lets take a closer look at some of them, but before that, lets define some typical passwords that we will feed them.

password 1: password
password 2: 4wOe409r
password 3: !S8I5U39YDnt8f
password 4: E&4!74mneGrTmOJ!HIr0
password 5: DP12c*0J!dM5mfdq2r!&WmMi!#g3

Microsoft password checker: Offers a simple form field which accepts a password. The ratings go from weak to best.

check your password

password 1: weak
password 2: weak
password 3: strong
password 4: strong
password 5: best

How Secure Is My Password: Does not display a rating, but tries to estimate the time it would take to crack the password.

password 1: One of the 500 most common passwords, It would be cracked almost instantly
password 2: It would take About 252 days for a desktop PC to crack your password
password 3: It would take About 564 billion years for a desktop PC to crack your password
password 4: It would take About 100 sextillion years for a desktop PC to crack your password
password 5: It would take About 100,603,110 nonillion years for a desktop PC to crack your password

The Password Meter: Compiles a list of all characters used and rates the passwords accordingly.

password strength

password 1: Very Weak, score 7%
password 2: Very Strong, score 81%
password 3: Very Strong, score 100%
password 4: Very Strong, score 100%
password 5: Very Strong, score 100%

The three password security checkers seem to disagree on the strength of some of the passwords used. All see the first password as a weak password, but similarities end there, as the second password is considered weak by Microsoft, but very strong by Password Meter.

The question now is how you can come up with a password policy to make sure that you only use secure passwords. The answer is simple: Always use a password that comes close to the maximum length allowed. That value is highly software and site specific. Here are a few suggestions:

• Never use a password with less than 16 chars unless the site limits the maximum character length to less than that
• Always use upper and lower case characters
• Always use at least one number in the password
• Always use at least one special character in the password
• Never use dictionary words as part of the password or the password

This leads to a problem: Remembering the passwords. The easiest way is to use a password manager like Last Pass for this. Password managers can create passwords based on the user’s parameters. Last Pass users for instance only need to press Alt-G to open the password creation window in the web browser.

password creation

The password can then be copied and entered during account creation. These passwords can also be used for non-web services, and stored in the password manager for retrieval.

Password managers will automatically save passwords and accounts that have been created, so that there is no need to remember the password. Only the master password, which is the password providing access to the password manager’s database needs to be remembered.

A simpler solution is to write down the passwords locally, and either carry them with you all the time, or store them in a secure location so that third parties cannot use them to access the accounts.

Do you have a password policy? Let us know in the comments.

To explain the brute force concept in a few words. It basically is a method to try every possible combination until the right password has been discovered. Passwords that use lots of characters and make use of the complete char set including upper case, lower case, numbers and special chars are harder to brute force.

The Brute Force Calculator lets you enter the amount of chars of the password divided into upper case, lower case, numbers and special characters.

According to the script a single computer can brute force a password consisting of seven lower case chars and one number in 29 minutes while a password consisting of 7 upper case, 7 lower case, 1 number and 1 special char would take 3,129,145,610.89 days to crack on a single machine.

All based on a computer that is able to try 137,438,953,472 combinations per hour. The script is basically interesting for users who are still using short passwords who do not make use of the complete character set possible. It shows them that someone could crack their password in a short amount of time not even taking into consideration using distributed computing to brute force the password.

• The average length of time users have maintained their primary personal use password was reported as 31.07 months
• How frequently do you change your password on a regular basis when not required by the system?â€? 52.7% (166) responded “Neverâ€?

• 85.7% (270) reported that they use lowercase letters and 56.5% (178) reported that they use numbers or digits in their passwords. In addition, 54.9% (173) indicated that they use personally meaningful words, such as names of children, pets or street names, while 49.8% (156) indicated that they use personally meaningful numbers, such as birthdates or telephone numbers
• 54.6% of users (177) report using the same exact password for multiple accounts “Very Frequentlyâ€? or “Alwaysâ€?, while 33.0% (104) report using some variation of the same password for multiple accounts
• 73% (230) of respondents reported that they should change their passwords for accounts every three to six months, but 52.7% (166) responded that they “Neverâ€? change their password when not required.
• 70.5% (222) of respondents indicated that personally meaningful words should not be used, but 49.8% (156) reported that they use this practice.

So, what´s the lesson we learn from this stufy ? Users have to be forced to create passwords that meet certain security standards. I hate the IT section at my workplace because they force you to change the passwords regulary, use upper / lowercase, numbers and chars. The new password is not allowed to match with the nine previous ones, is not allowed to have repeated chars and not allowed to have logic sequences (123456, eee, sort of things).