How to create an uncrackable password


Your password has most probably already been compromised, or will be in the near future. That is why using a password manager that can generate truly random passwords is so essential, according to security specialist Roger Grimes.

Grimes, the Data-Driven Defense Evangelist at KnowBe4, a security awareness education company, laid out the top reasons for using a password manager during a webinar exploring pressing questions surrounding that technology. Grimes has been hacking for decades and has written thousands of articles on cybersecurity and security awareness.

According to Grimes, humans are fairly predictable when it comes to creating passwords: they choose weak combinations or familiar sequences and reuse them across multiple sites. Once a single account is compromised, all the others are likely to follow. It comes down to a simple truth: “Most complex passwords just aren't that complex.”


“In the world of password creation, how strong or weak a password is, is known as entropy. Most user-created passwords are weak because they have a low entropy, which means they really don't have a whole lot of randomness, even if they're required to have ‘complexity.’ Most people's complexity means that they have to use an uppercase character. Most people almost always put the uppercase character in the first position, and it's usually followed by a lowercase vowel.

“Most people are using names or words as the root of their password, with the first character in uppercase, which is usually a consonant, followed by a lowercase vowel. If they're required to use a number, the numbers are going to be 1 or 2, in most cases, and be at the end. And if they're required to use symbols, again, they'll usually be at the end.

“The average keyboard has about 94 characters, but most people don't use anywhere close to those 94 different characters. Most people will use the same 17 characters for their passwords.”

Following that analysis, Grimes gives his example of a strong human-created password: 20 characters or longer, with an element of unpredictability. However, he acknowledges that people don't like to type, and certainly don't like to remember, varying sequences of that length. That is where password managers come in.

“A password manager could easily create these truly random passwords, and then you can use them as easily as clicking on your password manager website entry,” Grimes explained.

Think you’ve created an uncrackable password? Think again

The dangers of human-created passwords are straightforward: they are guessable, and with modern hardware, breakable within seconds. After examining 56 million breached and leaked passwords in 2023, the Cybernews research team found that the password “123456” alone appeared 111,417 times.

Most stored passwords are hashed rather than encrypted: a hash is a one-way transformation, so the password cannot be decrypted back out of it. That does not make hashed passwords safe. An attacker who obtains a dump of hashes can guess candidate passwords offline, hash each guess with the same algorithm and compare the result against the dump, at whatever speed their hardware allows and with no login page to rate-limit or lock them out.


“Microsoft said in December that one in every 250 of their corporate accounts is compromised each month. Each month. There's a lot of successful password guessing going on, or social engineering. There are tens of billions of passwords on the Internet in what's called password dumps.”

Grimes highlighted how common it is for people to believe that their own human-created passwords are strong. He cites his own example: he didn't realize how easy it would be for an attacker sifting through dumps of stolen passwords to guess his credentials. The reason is also very human: his passwords followed a pattern.

“A perfectly random password is the best possible password you could use. Those are the type of passwords that come out of a password manager. But if you go to the next one here, if you have a perfectly random password up to about ten characters, it doesn't take a password hash cracking rig long to crack. It would only take it about three weeks to crack a ten-character password.

“But as you start to move to an 11-character, perfectly random password or a 12-character, perfectly random password, it starts to become really, really secure.”

The rule of thumb is therefore simple. A password you make up yourself needs to be 20 characters or longer to be effectively uncrackable, because each human-chosen character carries far less than the full keyboard's worth of unpredictability. A perfectly random password, on the other hand, needs only 12 characters, because every one of its characters is an independent draw from the whole character set.
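The following script, added here as a worked example and not code from the article, KnowBe4 or any password manager, puts numbers on the two claims above and on the generator a password manager provides. It computes the entropy of a uniformly random password (length times log2 of the alphabet size), the entropy of a "Word + 1 or 2 + symbol" password of the kind Grimes describes, and the time to exhaust a keyspace. The guess rate is an assumption derived from the article's own figure (about three weeks for a random 10-character password, which implies roughly 3e13 guesses per second); the 94-character alphabet is ASCII letters, digits and punctuation, and the dictionary size of 100,000 words is a constructed illustration. Passwords are generated with the `secrets` module, which draws from the operating system's cryptographic random source.

```python
import math
import secrets
import string

# 94 printable ASCII characters excluding space: the "whole keyboard" of the article.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Assumption: infer the cracking rig's speed from the article's "three weeks for a
# random 10-character password" figure. This is illustrative, not a measurement.
THREE_WEEKS_S = 3 * 7 * 24 * 3600
IMPLIED_GUESSES_PER_S = 94 ** 10 / THREE_WEEKS_S  # about 3e13 guesses/s

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size: int, digit_choices: int, symbol_choices: int) -> float:
    """Entropy of a 'Word + digit + symbol' password.

    An attacker who knows the pattern only has to enumerate the pattern, so
    the length of the resulting string is irrelevant; only the number of
    distinct choices counts.
    """
    return math.log2(dictionary_size * digit_choices * symbol_choices)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = IMPLIED_GUESSES_PER_S) -> float:
    """Worst-case time to try every password of this length at the given guess rate."""
    return alphabet_size ** length / rate


def years_to_exhaust(alphabet_size: int, length: int, rate: float = IMPLIED_GUESSES_PER_S) -> float:
    return seconds_to_exhaust(alphabet_size, length, rate) / SECONDS_PER_YEAR


def generate_password(length: int = 12, alphabet: str = PRINTABLE) -> str:
    """What a password manager's generator does: independent CSPRNG draws per character.

    secrets.choice is uniform over the alphabet and backed by the OS entropy source;
    random.choice is seeded from predictable state and must not be used here.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # A 10-character pattern password versus random passwords of various lengths.
    print(f"'Jessica12!' style (100k words, 2 digits, 10 symbols): "
          f"{pattern_entropy_bits(100_000, 2, 10):5.1f} bits")
    for n in (8, 10, 11, 12, 16, 20):
        bits = entropy_bits(94, n)
        years = years_to_exhaust(94, n)
        print(f"random {n:2d} chars: {bits:6.1f} bits, exhaust in {years:.3g} years")
    print("generated:", generate_password(12))
```

At the implied rate the 11-character random password already takes about five years to exhaust and the 12-character one about five centuries, which is the cliff Grimes describes; meanwhile a pattern password of the same printed length offers roughly 21 bits, less than a random 4-character one, which is why its length is no protection.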

Choosing the right password manager

But which password manager to opt for? Grimes lists several things to pay attention to: whether it is supported by your operating system, whether it has enterprise support, whether it has an auto-fill function, and, most importantly, whether it can generate truly random passwords.

“A lot of password managers will allow you to use multifactor authentication to protect them instead of having to use a master password [the main password used to log in to a password manager]. With most password managers you have to type in some master password to unlock them. Well, if you can use multifactor authentication to protect your password manager, that gives you some additional security and prevents some types of attacks.”

Of course, password managers can also be hacked; they are what Grimes calls “a single point of failure risk.” A compromised manager hands a threat actor a treasure trove of passwords. He outlines three classes of risk: remote attacks, local attacks, and attacks against the vendor.

“If it's in your browser, they can immediately download all those passwords really, really quickly. But if you have a password manager program and it's locked, they don't immediately get to those passwords. They have to either wait for you to log in and then steal your passwords, or they're going to key-log your password manager's master password and then use that against your password manager at some other time when you're not paying attention.


“So just remember this: whether it's a remote attack or a local attack, if a hacker or malware is on the victim's desktop, it is game over. Although, again, if your password manager is not open, they're not getting to all those passwords right away, and a lot of password managers automatically lock up.”

Grimes notes that password manager vendors tend to patch bugs very quickly. Overall, he says, the probability of a password manager being compromised is much lower than the risk of reusing weak passwords across multiple websites.