Skip to content
Privacy Dedicated Library

What is strong password?

February 27, 2022

When we create a new account at social media, an online shop or service, we are asked to create a strong password. What it means and how it’s measured if the password is strong or not we will describe in this article.

How password strength is measured

The password strength is defined by the password entropy or unpredictableness. In other words – how hard it is to guess your password with a password guessing tool (brute force attack). Here is what affects password’s entropy:

  • random password generation (humans are bad at creating passwords);
  • number of characters (length of the password)
  • presence of symbols, numbers, letters of upper and lowercase, special characters.

The more letters (both upper and lower case), symbols, numbers your randomly generated password contains the harder it will be to brute force it.

How to create a strong password

With the advance of modern computers, the requirements to passwords have increased drastically for the last 10 years. If you still use numeric passwords of 6 characters you should know this: regular PC can hack it in seconds. Please, see below simulation of 6 digits password guessing with the Hashcat tool.

Hashcat Password Brute Force

So, how to create a password which will take an eternity to hack? Below are some estimates, how long it will take to hack a password by a regular PC:

  • 6 chars alphanumeric lower case only – up to 10 seconds
  • 6 chars alphanumeric + lower and upper case – up to 10 seconds
  • 7 characters alphanumeric + lower and upper case + symbols – up to 1 minute
  • 8 characters alphanumeric + lower and upper case + symbols – several hours
  • 9 characters alphanumeric + lower and upper case + symbols – 15-20 days
  • 10 characters alphanumeric + lower and upper case + symbols – 3 years
  • 11 characters alphanumeric + lower and upper case + symbols – 164 years
  • 12 characters alphanumeric + lower and upper case + symbols – 10,000 years

Summary

Now you have an idea about what kind of passwords are relatively safe. It is worth noting that these calculations represent guessing hashes offline, which is not the same as brute forcing online, like social media accounts. For the latter, the time will inevitably increase because of captcha, retry limits and other brute force protection technics. However, one should not use less than 10 digits passwords containing both lower and upper case letters, numbers and special characters. Important, usage of dictionary words will drastically decrease password safety. Passwords like “iloveuK%1” are not safe. Hope, you enjoyed the reading and you can find more security related articles in our library.