DEV Community

Discussion on: 3 password REGEX for your next project

Slavius • Edited

The best approach is to pick a password that is hard to guess and at the same time complex enough not to be cracked within the timespan of the following years, after which it will become obsolete (you change it or stop using the service).

Using something obvious and related is really a bad idea to start with (birth dates, favorite things, names, family members, colors, songs, etc.). The best password is totally unrelated to anything known about you from the outside. This prevents password guessing by visiting your social app profiles and trying your dog's name, friends' names, mother's birthdate, the rock band name from your t-shirt picture and similar.

A very good rule of thumb is a sentence that makes visual sense in your head but is composed of random, totally unrelated words.

You cannot protect yourself against passwords that are improperly treated by the remote service, so any small or new service should be considered insecure and you should change passwords regularly. If someone steals an unencrypted or weakly encrypted password directly from the database of that service there's nothing you can do, and even the strongest password in the world will not help.

You have to take into account that the efficiency and speed of password cracking increases every year (new and more powerful GPUs, ASIC chips, new algorithms, etc.).

If your password stolen from a remote service was properly encrypted and does not suffer from a dictionary-attack weakness (the words included are not 100% included in frequently used dictionaries), then its biggest strength is its complexity.
This can be easily calculated as: entropy size ^ password length
where entropy size is how many bits there are in each password character. E.g. only lowercase letters produce 26 possible distinct values a-z. If you add UPPERCASE letters, then one character can be 26 + 26. Add digits and it will become 26 + 26 + 10 (a-z + A-Z + 0-9).
Then make this an exponent of the password length, e.g. lower + upper + digits (62) ^ password length (5) = 916,132,832. So there are about 916 million possible combinations of lower, upper and digit characters in a 5-character-long password. Depending on the cryptographic algorithm used this can be enough or not. For NTLM encryption (used in Windows systems), by buying 2x NVIDIA GTX 1080 you are able to achieve 44.4 GH/s (giga [billion] hashes per second), so your 5-letter password would be cracked in an instant.
For example, going to 6 characters it would take about 1 s; 7 characters, 79 seconds; 8 characters, 81 minutes; 9 characters, 84 hours; and 10 characters, 218 days.
Of course current RTX 3090 cards are much more effective, so when the attacker has access to expensive equipment, the longer your password is, the longer it will take to crack it.
Please also note that:
an 8-character password consisting of lowercase + UPPERCASE + digits [0-9] + 16 special characters (like *-+/.,!?$#@%^& and similar) has LESS ENTROPY THAN a solely lowercase password of length 11 characters, because:

```
(26+26+10+16) ^ 8 = 1,370,114,370,683,136
but:      26 ^ 11 = 3,670,344,486,987,776
```
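The arithmetic in the comment above (keyspace = charset size ^ length, worst-case time = keyspace / hash rate, and the 78^8 vs 26^11 comparison) as an added Python example; this is editor-added code, not Slavius's or the article's. It uses the 44.4 GH/s NTLM figure from the comment, reproduces its crack-time table for 5 to 10 characters, and also reports the keyspace as bits (log2), which is how entropy is normally quoted. The 16-symbol special-character set, the `charset_size_of` classifier and the `human_time` formatter are assumptions constructed here for the demonstration, not anything the comment specifies.

```python
"""Password keyspace / brute-force time estimator for policy decisions.

Added example, not from the original post. The hash rate reproduces the
post's 2x GTX 1080 NTLM number; the special-character set, the classifier
and the time formatter are constructed assumptions for this demo.
"""
import math
import string

# A constructed set of exactly 16 "special" characters, matching the post's count.
SPECIALS = "*-+/.,!?$#@%^&_="
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(SPECIALS),               # 16
}

# Hash rate quoted in the post: NTLM on 2x NVIDIA GTX 1080 = 44.4 GH/s.
NTLM_2X_GTX1080_HPS = 44.4e9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords: charset_size ** length, as an exact int."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same keyspace expressed in bits: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def crack_seconds(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace at a given hash rate."""
    return keyspace(charset_size, length) / hashes_per_second


def charset_size_of(password: str) -> int:
    """Sum the sizes of the character classes a password actually uses.

    This is the post's heuristic: the search space an attacker who knows
    which classes are in play must cover. It ignores dictionary words, so a
    password built from common words scores far higher than it deserves,
    exactly the caveat the post raises.
    """
    unknown = [c for c in password if not any(c in s for s in CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def estimate(password: str, hashes_per_second: float = NTLM_2X_GTX1080_HPS) -> dict:
    """Full estimate for one candidate password (constructed helper)."""
    size, n = charset_size_of(password), len(password)
    return {
        "charset_size": size,
        "length": n,
        "keyspace": keyspace(size, n),
        "bits": round(entropy_bits(size, n), 2),
        "worst_case_seconds": crack_seconds(size, n, hashes_per_second),
    }


def human_time(seconds: float) -> str:
    """Render seconds on the scale the post uses, truncating like the post does."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{int(seconds // 60)} minutes"
    if seconds < 86400:
        return f"{int(seconds // 3600)} hours"
    return f"{int(seconds // 86400)} days"


if __name__ == "__main__":
    # Reproduce the post's table for lower+upper+digit (62 symbols), lengths 5..10.
    for n in range(5, 11):
        print(f"{n} chars: {human_time(crack_seconds(62, n, NTLM_2X_GTX1080_HPS))}")
    # The post's comparison: 8 chars over 78 symbols vs 11 lowercase letters.
    print(f"78^8  = {keyspace(78, 8):,} ({entropy_bits(78, 8):.2f} bits)")
    print(f"26^11 = {keyspace(26, 11):,} ({entropy_bits(26, 11):.2f} bits)")
    print(estimate("aB3!"))
```

Running the script prints the comment's 1 s / 79 seconds / 81 minutes / 84 hours / 218 days progression and shows 78^8 at roughly 50.3 bits against 26^11 at roughly 51.7 bits, which is why the longer all-lowercase password wins. The `estimate` function is the piece a policy author would reuse: it gives the charset-based upper bound for a candidate, and anything a dictionary or rule-based guess would reach is, as the comment says, far below that bound.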
Petros Koulianos

Thanks for your reply, Slavius 😎. You were completely understandable 😁😁