When Can a Password Be Considered Secure?


1990's spy movies might have you believe that cracking a password involves a nimble-fingered person sitting in front of a computer, trying out different combinations until the green "Access Granted" message appears. The reality nowadays is quite a bit different. Hackers have tools that do the brute-forcing for them. With the right hardware, these tools can make hundreds of thousands of guesses per second, meaning that the time and effort needed to crack a single account is negligible. Having a weak password just makes the bad guys' job a whole lot easier.

How do we make the hackers' job more difficult?

The answer to this question is simple: "by using secure passwords." Unfortunately, the question of what makes a password secure is anything but simple to answer. Several years ago, a now-famous web comic called xkcd tried to teach users that "correcthorsebatterystaple" is a stronger password than "Tr0ub4dor&3". Put these two into any password strength meter, and it will tell you that both passwords are fairly strong. This, obviously, isn't true.

Both passwords have already been put on the internet, people have used them, and they're now a part of virtually every password dictionary. There's another problem with xkcd's approach. The web comic's argument is that stitching together four random common words makes a password both impossible to guess and easy to remember. While this was probably true back when the comic made its first appearance, experts now argue that password cracking tools have caught up.

Complexity is important

It's simple maths, really. If you have a two-character password (you shouldn't) with only lowercase letters, there are just 26 possibilities for each of the characters. In other words, there are 676 possible permutations. If you have lowercase and uppercase letters, you have 52 possibilities for each character and a total of 2,704 possible permutations. Add numbers, and the possibilities for each character go up to 62, with the number of permutations sitting at 3,844. Then, you have dozens of special characters that can boost the complexity of your password even further. This, unfortunately, isn't enough.

Length is also important

Obviously, even if it has a "?" and a "@" in it, a three-character password will be cracked in less than a second. The more characters you add to your password, the greater the number of guesses needed to crack it. Most experts suggest that a reasonably strong password shouldn't be shorter than 14 characters, and it's fair to say that this is the number you should be aiming for.

A long password with a random selection of uppercase and lowercase letters, numbers, and symbols could be a really good way of protecting your account. It could also be completely useless.
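To make the arithmetic of the last two sections concrete, here is an added example (not from the original post) that computes the keyspace of a password from the character classes it uses and its length, and compares it with the keyspace of a four-word passphrase attacked word by word. The guess rate of 500,000 per second ("hundreds of thousands") and the 2,048-word dictionary are assumptions for illustration.

```python
import string

# Character classes an attacker has to include once a password uses them.
# string.punctuation holds 32 symbols; with space that makes the 95 printable ASCII characters.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

def alphabet_size(password: str) -> int:
    """Size of the alphabet that covers every character class the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(alphabet: int, length: int) -> int:
    """Number of strings of the given length over an alphabet of that size."""
    return alphabet ** length

def brute_force_keyspace(password: str) -> int:
    """Keyspace an attacker faces when guessing this password character by character."""
    return keyspace(alphabet_size(password), len(password))

def passphrase_keyspace(word_count: int, dictionary_size: int) -> int:
    """Keyspace when the attacker guesses whole words from a known list instead."""
    return dictionary_size ** word_count

def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace; on average the hit comes at about half of it."""
    return space / guesses_per_second

def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

if __name__ == "__main__":
    RATE = 500_000        # assumed: "hundreds of thousands of guesses per second"
    DICT_WORDS = 2048     # assumed size of the word list behind a four-word passphrase
    for pw in ("ab", "aB", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        ks = brute_force_keyspace(pw)
        print(f"{pw:26} alphabet={alphabet_size(pw):3} keyspace={ks:.3e} "
              f"worst case {human_time(worst_case_seconds(ks, RATE))}")
    # The same 25-letter passphrase attacked as four dictionary words rather than 25 characters:
    ks = passphrase_keyspace(4, DICT_WORDS)
    print(f"4 words from {DICT_WORDS}: keyspace={ks:.3e} "
          f"worst case {human_time(worst_case_seconds(ks, RATE))}")
```

Run as a script, it shows why the passphrase looks unbreakable by character-level brute force yet falls within reach once the attacker guesses words from a list, which is the point the post makes about cracking tools catching up.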

Uniqueness is crucial

If you're thinking about creating a really strong password and then using it for all your accounts, you might as well save yourself the trouble. Cybercriminals don't just crack passwords. They also steal them, and the constant torrent of data breaches we see every day shows that vendors don't do enough to protect them. If the bad guys get your username and password from one website, they'll try the same combination on other websites as well. Once again, they have tools that automate the process and make it extremely quick. Complexity and length don't really play a role if the password is reused because criminals won't need to crack it. They just need to do the same thing you've done – enter it on other websites.

To recap, the idea of what is and what isn't a secure password has evolved quite a bit over the years. In the past, when cyberattacks were few and far between, a super long and complex password wasn't that important. Nowadays, however, bad guys have tools that let them compromise large numbers of accounts in no time. Luckily for you, you also have a tool that can put a spoke in their wheel.

May 10, 2018

One Comment

  • Lillian :

    I have a strong password, but I can't type it in the fields required for creating a PayPal account.