How strong are my passwords?
Remembering passwords can be a pain, especially if you have multiple accounts, each with a different password. So it's no surprise that we re-use or use simpler passwords to help us remember or reduce the amount of memorisation required.
This is bad for account security: if a malicious actor compromises one account and you re-use that password elsewhere, they can get into some or all of your other accounts. Even without re-use, they may be able to guess the password on another account by trying common additions or alterations to a password they already know you use, or have used in the past.
For example, if your password was Beach18! and it doesn't work on another account, the attacker might try some of the following alternatives:
- Be@ch18!
- Beach19!
- Beach18!!
- Beach18@
As you can see, these are rather simple changes, so they are easy to guess for anyone who knows a password you've used before (or still use).
General Password Structure
As a general guide, passwords should usually follow the below rules:
- Be at least 8 characters long
- Contain at least 1 number
- Contain at least 1 special character
- Contain a capital letter
- Not be the same as another password you use elsewhere
- Not be too similar to a previous password you used
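The rules above, including the "not too similar to a previous password" check that catches the Beach18! variants listed earlier, can be turned into a small checker. The following is an added example, not code from the original article: it normalises common symbol-for-letter substitutions (a constructed lookup table), then measures edit distance between the new and old password. The substitution table and the distance threshold of 2 are assumptions chosen for illustration.

```python
import re

# Constructed lookup for common symbol/digit substitutions (an assumption for
# this example): a new password is compared to the old one after both are
# lower-cased and mapped through this table, so Be@ch18! and Beach18! collapse
# to the same string.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalise(password):
    """Lower-case and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def levenshtein(a, b):
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(
                previous[j] + 1,               # delete ca
                current[j - 1] + 1,            # insert cb
                previous[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        previous = current
    return previous[-1]


def too_similar(new, old, max_distance=2):
    """True if the new password is within max_distance edits of the old one
    once both are normalised; the threshold is a tunable assumption."""
    return levenshtein(normalise(new), normalise(old)) <= max_distance


def check_structure(password):
    """Return the structural rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    return problems


def evaluate(new, previous=()):
    """Apply the structural rules and compare against previous passwords
    (which a site only has in plaintext at the moment of a password change)."""
    problems = check_structure(new)
    for old in previous:
        if new == old:
            problems.append("same as a previous password")
        elif too_similar(new, old):
            problems.append("too similar to a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample: the old password and the variants from the article.
    old = "Beach18!"
    for candidate in ["Be@ch18!", "Beach19!", "Beach18!!", "Beach18@",
                      "Beach Driver Umbrella Vineyard"]:
        print(f"{candidate!r}: {evaluate(candidate, [old]) or 'OK'}")
```

Every variant from the list above is rejected as too similar to Beach18!. Note that the similarity check only works when the site holds both passwords in plaintext, which is the case during a password change where the user confirms the current password; it cannot be run against stored hashes. Note also that the structural rules flag the passphrase "Beach Driver Umbrella Vineyard" for lacking a number, which is exactly the mismatch between traditional checkers and passphrases discussed later in the article.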
Passphrases
A newer line of thinking in password security is to move to “passphrases”, meaning your password is a phrase rather than a collection of numbers, letters and special characters. This is because the typical password structure is easier for computers to guess and harder for us humans to remember.
An example of a passphrase is “Beach Driver Umbrella Vineyard” (spaces are included in the passphrase). The theory behind passphrases is that they're easier to remember and still provide a high level of security due to their length. One thing to avoid, however, is a predictable sentence like “Beach Sand Gets Everywhere”, as a natural phrase is easier to guess.
For computers, it's easier to crack a traditional password than a passphrase
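To see why a passphrase holds up better than a word-plus-digits password, it helps to count how many guesses each pattern forces an attacker to make. The following is an added example, not part of the original article or of Bitwarden's tool: it models three kinds of password as independent components and converts the size of the search space into bits and an expected time to crack. The dictionary size, symbol count, word-list size and the two guess rates are modelling assumptions (the 1e4/s and 1e10/s rates correspond to zxcvbn's slow and fast offline hashing scenarios).

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Modelling assumptions for this example (not figures from the article):
DICTIONARY_WORDS = 20_000   # words an attacker's dictionary contains
CASE_VARIANTS = 2           # lower-case or Capitalised
DIGIT_PAIRS = 100           # "00".."99"
SYMBOLS = 33                # printable ASCII symbols
PRINTABLE = 94              # printable ASCII characters
WORDLIST = 7776             # Diceware-style word list size


def bits(guesses):
    """Equivalent entropy in bits for a search space of `guesses` candidates."""
    return math.log2(guesses)


def years_to_crack(guesses, rate_per_second):
    """Expected years to find the password, assuming on average half the
    search space must be tried at the given guess rate."""
    return guesses / 2 / rate_per_second / SECONDS_PER_YEAR


def pattern_guesses(components):
    """Size of the search space for a password built from independent
    components, each given as (label, number_of_possibilities)."""
    total = 1
    for _, n in components:
        total *= n
    return total


# "Beach18!": capitalised dictionary word + two digits + one symbol
WORD_PATTERN = [("dictionary word", DICTIONARY_WORDS * CASE_VARIANTS),
                ("two digits", DIGIT_PAIRS),
                ("one symbol", SYMBOLS)]

# Truly random 8 printable characters: what the "8 chars + number + symbol
# + capital" rules assume people do, but rarely what they actually do
RANDOM_8 = [("random character", PRINTABLE)] * 8

# Four words drawn at random from the word list: the passphrase model
PASSPHRASE_4 = [("random word", WORDLIST)] * 4


def compare(rate_per_second):
    """Bits and years-to-crack for each model at one guess rate."""
    results = {}
    for name, components in [("word pattern (Beach18!)", WORD_PATTERN),
                             ("random 8 characters", RANDOM_8),
                             ("4 random words", PASSPHRASE_4)]:
        g = pattern_guesses(components)
        results[name] = (round(bits(g), 1), years_to_crack(g, rate_per_second))
    return results


if __name__ == "__main__":
    # Two assumed guess rates: a slow password hash (e.g. bcrypt/Argon2) and a
    # fast unsalted hash attacked offline with GPUs.
    for label, rate in [("slow hash, 1e4/s", 1e4), ("fast hash, 1e10/s", 1e10)]:
        print(f"--- {label} ---")
        for name, (b, years) in compare(rate).items():
            print(f"{name:28s} {b:5.1f} bits  ~{years:.3g} years")
```

Under these assumptions the Beach18! pattern is worth about 27 bits, while four random words come to about 52 bits, roughly the same as eight genuinely random printable characters. The passphrase wins not because letters are weaker than words, but because people can actually remember four random words, whereas a memorable 8-character password almost always collapses into the word-plus-digits pattern. The years-to-crack figures also show why a tool's "time to crack" depends on the guess rate it assumes, which is tied to how the site hashes passwords.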
Check your password strength
So how do you know how strong a password is?
I recommend using Bitwarden's Password Tester: simply type your password into the box and it'll tell you roughly how long a computer would need to guess it. I would recommend changing your password (if needed) to something that takes at least 5 years.
Our first example password isn't very strong
Our passphrase is very strong
When you initially create a password, some websites will tell you whether it is weak, average, strong or very strong. The issue is that most of those password checkers were designed around the traditional password requirements, so some websites will rate your password as weak even though Bitwarden's tester says it's strong. See below for examples (note: Bitwarden uses zxcvbn to calculate password strength):
Examples of what certain websites say about a password's strength
Please keep in mind that the results in the table above were taken back in 2012, so the respective password checkers should be updated by now. However, it is good to be aware that some sites still might not recognise passphrases as being superior to traditional passwords.
So after checking your password strength, if it falls under 5 years' time to crack, consider trying a passphrase of 4 words (maybe with a number or symbol or two) that don't form a grammatically correct sentence. Otherwise, experiment with the tool to find a traditional password that works for you while still requiring a computer at least 5 years to guess.