There's lot on the web regarding passwords and what they should consist of. There are plenty of sites that also validate the strength of a would-be password. But do those sites make useful suggestions??? Let's find out.
But first what makes a stronger better password? Clearly, the longer and the more types of characters used the better. However creating a password from a word and substituting letters for numbers is not advisable, password cracking tools cater for this behaviour and adding numbers to the end of a word. Password, Pa$$word, P455word, Password1234 are some truly awful examples of what's bad.
The following table shows the top sites from google search results. So I decided to test those sites. Passwords of varying complexity were entered and the results are below. The colour coding depicts how well the site did with a given password. Red is bad, Yellow is okish and Green is good.
As you can see some sites believe that 'Password1234' will take 10,000 years to crack. Of the sites tested only 'https://www.my1login.com' provided realistic results for known passwords. I'm not sure of the validity of 'sokv3sHMqdCgUB' taking 27 trillion years to crack, it's based on A to Z upper and lower case characters and numbers.
'https://password.kaspersky.com/' rates the password and validates it against known password lists. Interestingly Kaspersky rated 'sokv3sHMqdCgUB' higher than ''u%L~C3|u^@ LT'.
We know not to trust sites to validate the strength of passwords and have an idea of what is acceptable, and what's a bad password. So the advice is mixed and managing the type and number of complex passwords required is a massive nightmare. My suggestion is to delegate the task to a program designed to generate passwords, personally, I use Keepass all my passwords look something like the following 'L$e(`}0}*MmhtKm(WBrY' or '0iJqhzxlMv81mU6ARnVf', both are 20 characters. Some sites don't support the additional special characters and an alternative A to Z and Number password is needed.
Simple, right!!!
Not really, Kaspersky collects password lists and by the looks of it, many thousands of password lists. Many of those lists will be from sites and companies that have been hacked and their passwords uploaded to the Internet.
Visit 'https://www.avast.com/hackcheck', it's the same as 'https://haveibeenpwned.com/' but better, no signing up and Avast delivered an email with the sites and associated passwords.
It's never simple and there's a 'but'.
Companies that have been hacked try and hide the fact or simply don't know for extended periods. Your password or encrypted password could be out in the wilds and you may never know, undermining the long complex Keepass passwords.
What to do....
2 Factor Authentication..... what the......Don't panic it's not that bad.....
If your Android user downloads 'Google Authenticator'. For any site that provides email, financial or social media enable 2FA. When you log on the password is entered and a rotating 6-digit pin from the phone is entered. If your password is compromised the hacker won't have the second part of the authentication to logon. Hopefully, an alert will be sent to your email address informing you of an unsuccessful login attempt, providing time to change the password.
In these connected times, it's important to secure your online presence as much as you secure your personal possessions with locks on the doors.
Of course, burying your head can be an alternative plan, however, I belong to the tin hat brigade and tend to secure everything to the point it stops being useful ;)