
Passwords, this is not a lecture.....

Updated: Sep 7, 2020

There's lots on the web regarding passwords and what they should consist of. There are also plenty of sites that validate the strength of a would-be password. But do those sites make useful suggestions? Let's find out.


But first, what makes a stronger, better password? Clearly, the longer it is and the more types of characters used, the better. However, creating a password from a word and substituting numbers or symbols for letters is not advisable: password cracking tools cater for this behavior, and for adding numbers to the end of a word. Password, Pa$$word, P455word and Password1234 are some truly awful examples of what's bad.


The following table shows the top sites from a Google search's results, so I decided to test those sites. Passwords of varying complexity were entered and the results are below. The colour coding depicts how well the site did with a given password. Red is bad, Yellow is okish and Green is good.

As you can see, some sites believe that 'Password1234' will take 10,000 years to crack. Of the sites tested, only 'https://www.my1login.com' provided realistic results for known passwords. I'm not sure of the validity of 'sokv3sHMqdCgUB' taking 27 trillion years to crack; it's based on A to Z upper and lower case characters and numbers.
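Why a meter can rate 'Password1234' so highly, as an added example that is not from the original post or from any of the tested sites: it compares a score based only on length and character classes (an assumed naive meter) with a check that undoes letter substitutions and a numeric suffix before a dictionary lookup. The wordlist and substitution table are constructed for illustration.

```python
import math
import string

# Constructed stand-in for a cracking wordlist; real lists hold millions of entries.
WORDLIST = {"password", "letmein", "dragon", "qwerty"}

# Common look-alike substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"$": "s", "5": "s", "4": "a", "@": "a",
                      "3": "e", "0": "o", "1": "l", "7": "t"})


def naive_bits(pw: str) -> float:
    """Entropy estimate from length and character classes only (assumed naive meter)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation + " " for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def is_mangled_word(pw: str, words=WORDLIST) -> bool:
    """True if pw is a listed word after undoing substitutions and a digit/symbol suffix."""
    stripped = pw.rstrip(string.digits + string.punctuation)
    candidates = {pw, stripped}
    return any(c.lower().translate(LEET) in words for c in candidates if c)


def report(passwords):
    """Return (password, naive bits, verdict) rows."""
    rows = []
    for pw in passwords:
        verdict = "dictionary-derived" if is_mangled_word(pw) else "not in list"
        rows.append((pw, round(naive_bits(pw), 1), verdict))
    return rows


if __name__ == "__main__":
    # Passwords quoted in the post.
    for row in report(["Password", "Pa$$word", "P455word", "Password1234",
                       "sokv3sHMqdCgUB", "0iJqhzxlMv81mU6ARnVf"]):
        print("%-22s %6.1f bits  %s" % row)
```

The naive score puts 'Password1234' at about 71 bits, close to the roughly 83 bits it gives the random 14-character password, even though the first is one dictionary lookup away from a listed word.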


'https://password.kaspersky.com/' rates the password and validates it against known password lists. Interestingly, Kaspersky rated 'sokv3sHMqdCgUB' higher than ''u%L~C3|u^@ LT'.

We know not to trust sites to validate the strength of passwords, and we have an idea of what is acceptable and what's a bad password. So the advice is mixed, and managing the type and number of complex passwords required is a massive nightmare. My suggestion is to delegate the task to a program designed to generate passwords. Personally I use KeePass; all my passwords look something like the following: 'L$e(`}0}*MmhtKm(WBrY' or '0iJqhzxlMv81mU6ARnVf', both are 20 characters. Some sites don't support the additional special characters, and an alternative A to Z and number password is needed.


Simple, right!!!


Not really, Kaspersky collects password lists and by the looks of it, many thousands of password lists. Many of those lists will be from sites and companies that have been hacked and their passwords uploaded to the Internet.


Visit 'https://www.avast.com/hackcheck'; it's the same as 'https://haveibeenpwned.com/' but better: no signing up, and Avast delivered an email with the sites and associated passwords.


It's never simple and there's a 'but'.


Companies that have been hacked try to hide the fact or simply don't know for extended periods. Your password or encrypted password could be out in the wild and you may never know, undermining the long, complex KeePass passwords.


What to do....


2 Factor Authentication..... what the......Don't panic, it's not that bad.....


If you're an Android user, download 'Google Authenticator'. For any site that provides email, financial or social media services, enable 2FA. When you log on, the password is entered and then a rotating 6 digit pin from the phone is entered. If your password is compromised, the hacker won't have the second part of the authentication to log on. Hopefully an alert will be sent to your email address informing you of an unsuccessful logon attempt, providing time to change the password.


In these connected times, it's important to secure your online presence as much as you secure your personal possessions with locks on the doors.


Of course, burying your head can be an alternative plan; however, I belong to the tin hat brigade and tend to secure everything to the point it stops being useful ;)





