A: As with so many things in life, the trick is to craft a proper question! 

In the distant past (well, distant in IT terms) hackers would crack passwords by knowing a bit about the user. Things like birthdays, names of loved ones and pets, phone number, character names from Star Wars and Star Trek could be used to quickly crack around 90% of passwords. And although many users still use such passwords, hackers no longer need to know you. 

Instead, modern account hacking uses software to automate entry of potential passwords. At a fundamental level, the software starts with a, then b, then c, eventually going to z. If these don’t open the account it tries again with aa, then ab, then ac, and so forth until the combination of uppercase, lowercase, numerals, and special characters is found that opens the account.

This may look like it would take a very long time to be effective. Even with an off-the-shelf computer it is possible to try upwards of 80,000,000 attempts per second, But keep in mind the ability to scale the process. By upgrading to using a server farm or a botnet, the hacker may be able to increase throughput 10,000-100,000 fold. This makes cracking a typical 8-character password possible in just minutes.

This is the reason I strongly recommend that every password be a minimum of 16 characters in length, with many industry professionals saying that should be a minimum of 24 characters. With each additional character in length, a password becomes logarithmically more difficult to hack. Eventually the hacker will give up on your account and move on to an easier target.

The Bigger Problem

In my 30+ years dealing with cybersecurity, the second hardest thing for me to convince clients to do is create long passwords (or passphrases). However the #1 problem has been to convince clients to use a different password for everything.

Trust me, I understand how impossible it is to remember more than a few passwords. But that isn’t a reasonable excuse–because you have much better and bigger things to do with your mind than to remember hundreds of passwords. Instead, use a password manager utility to create and remember all of your passwords. 

If you follow the path of “most people”, you will have just a few passwords that are used repeatedly for all of your visited sites. If so, then when one of these sites is hacked, and the hackers take all 100,000,000 user account credentials with them, they have all the time in the world to break these passwords offline. Once they have your password, they have software to automate using your username and password on every banking, credit card, and retail site on the internet. Often within minutes they will successfully access many of your accounts and most of your money.

So the answer to your question is:

  • Use a password manager utility to create and remember your passwords.
  • Passwords should be at least 16 characters in length, the longer the better.
  • Use a different password for every site and service.