How To Make a Simple Password – Unhackable for 580 million years!

by Janith

Following up on my “10 Tips to Prevent Hackers”, I want to put more emphasis on our number one tip – Strong Passwords. The security gained by lengthening a password by just one more letter, symbol or number grows at a very, VERY steep exponential rate.

In other words, for every extra digit you add on to your password you triple, quadruple or even 5x the number of different possibilities. The longer the password, the more effort required to discover it. However, a longer password is also more difficult for users to remember.

So, what if I told you that a simple password would take a human hacker 580 million years to crack, or even a super-computer up to 59 years?! Now, that would be optimum security, wouldn’t it?

Average Time to Discover Password

| No. of Characters | Possible Combinations | Human Hacker | Computer Hacker |
|---|---|---|---|
| 1 | 36 | 3 minutes | 0.000018 seconds |
| 2 | 1,300 | 2 hours | 0.00065 seconds |
| 3 | 47,000 | 3 days | 0.02 seconds |
| 4 | 1,700,000 | 3 months | 1 second |
| 5 | 60,000,000 | 10 years | 30 seconds |
| 10 | 3,700,000,000,000,000 | 580 million years | 59 years |

This table assumes the possible characters are the letters A-Z and the numbers 0-9. Human discovery assumes one try every 10 seconds. Computer discovery assumes one million tries per second. Also, the “Average time to discover” assumes that the password would be discovered in approximately half the time it would take to try all possible combinations.

Example of Average Time to Discover a Password

Let’s say, for example, that for a one-character password there are 36 combinations, consisting of the letters A-Z (26 possibilities) and the numbers 0-9 (10 possibilities). When we apply the assumption that each HUMAN attempt takes 10 seconds, a human hacker should take 360 seconds, or 6 minutes, to break the code.

Then we apply the second assumption that the hacker will discover the password exactly half-way through – therefore they will discover the password in 3 minutes which is referred to as the “average time to discover passwords.”
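The calculation above, generalised as an added example (this code is not from the original post). It recomputes the table from the article's stated assumptions, so results agree with the table up to the article's rounding, and then solves the reverse problem: the shortest length that holds out for a target number of years. The alphabet sizes 62 and 94 and the one-billion-tries-per-second rate are assumed values chosen to show how sensitive the result is to the assumptions.

```python
"""Brute-force time model from the article, generalised (added example).

The model only holds for passwords whose characters are chosen uniformly
at random and for an attacker who tries every combination in turn.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Rates taken from the article's stated assumptions.
HUMAN_RATE = 1 / 10          # one try every 10 seconds
COMPUTER_RATE = 1_000_000    # one million tries per second


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def average_seconds(alphabet_size, length, guesses_per_second):
    """Average time to discover: half the keyspace at the given rate."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.6g} seconds"


def min_length(alphabet_size, guesses_per_second, target_years):
    """Shortest length whose average discovery time reaches the target."""
    target = target_years * SECONDS_PER_YEAR
    length = 1
    while average_seconds(alphabet_size, length, guesses_per_second) < target:
        length += 1
    return length


def table(alphabet_size, lengths):
    """Rows of (length, combinations, human time, computer time)."""
    rows = []
    for n in lengths:
        rows.append((
            n,
            keyspace(alphabet_size, n),
            humanize(average_seconds(alphabet_size, n, HUMAN_RATE)),
            humanize(average_seconds(alphabet_size, n, COMPUTER_RATE)),
        ))
    return rows


if __name__ == "__main__":
    print("A-Z plus 0-9 (36 characters), as in the article:")
    for n, combos, human, computer in table(36, [1, 2, 3, 4, 5, 10]):
        print(f"{n:>3} {combos:>22,} {human:>26} {computer:>18}")

    # Assumed values: 62 = upper + lower + digits, 94 = printable ASCII
    # without space; 1e9 tries/second is a hypothetical faster guesser.
    print("\nShortest length that averages 50+ years to discover:")
    for rate in (COMPUTER_RATE, 1_000_000_000):
        for size in (36, 62, 94):
            print(f"  {size:>2} characters at {rate:,} tries/s: "
                  f"{min_length(size, rate, 50)}")
```

Raising the assumed guess rate by a factor of a thousand adds only two characters to the required length for the 36-character alphabet, which is the exponential growth the article describes seen from the defender's side.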

Exponential Growth – What is it?

Below you can see a visual representation of what I meant by the “exponential growth” earlier. Just by adding one extra digit you open up so many more possibilities and make it much harder for hackers to get into your sensitive files.

[Image: password_graph]

As you can clearly see, by adding just one more digit to your 3-letter password you decrease the chance of a “random guess” by so much that it is almost impossible for a human to hack. I cannot stress enough how significantly your security improves with every extra digit you add – but don’t go overboard, because you just might forget your next 20-character long password.

Now, Implement & Good Luck!

Hopefully all of that made sense. So, take this into consideration and use as many different digits as possible. Remember you are not limited to just numbers and letters – symbols such as “!@#$%^” are always good for extra unguessable protection.

Abhik February 3, 2009 at 8:38 am

That’s really awesome!!
Thanks for the article dude.

Thumb up 2 Thumb down 0
Leon - Make Money Online February 3, 2009 at 3:02 pm

This is very interesting! Just curious, did you completely come up with this yourself, or did you get the information and data from another website?

Thumb up 0 Thumb down 1
Janith February 3, 2009 at 3:40 pm

@Abhik – Thanks for your comment, appreciate it.

@Leon – It was strangely a bit of both, because I read about the exponential growth in password security by just adding one more character in my I.T Class and at the same time, we were doing Probability (Combinations) in Math – so the two helped me devise that table.

However, I must give the credit to my I.T class for inspiring me with the idea ;)

Thumb up 1 Thumb down 0
MrMag February 3, 2009 at 4:57 pm

Great advice.
One thing to keep in mind is that it will change depending on how many number/letter/symbol combinations you have.

i.e. if you have 10 letters and 1 number, it won’t be as effective as say 10 randomly and evenly dispersed numbers/letters.

But still good info, you can still calculate the number of years a computer will take based off that 1 million tries per second.
So thanks :)

Thumb up 0 Thumb down 0
Janith February 4, 2009 at 2:07 am

Thank you for your comment, MrMag.
You’re quite right, just by adding that one extra number you almost raise the possibilities by a significant power.
The difference is just so immense!

Thumb up 0 Thumb down 0
Leon - Make Money Online February 3, 2009 at 5:13 pm

Also, forgot to mention: Using a mix of capitals and lowercase adds another set of 26 possible digits.

Thumb up 0 Thumb down 0
Janith February 4, 2009 at 2:05 am

Yes of course, the possibilities are endless. Capital letters are a great way to add a whole new 26 combinations, which would take even longer for human and computer hackers alike.

Also, one key that isn’t used for passwords often is the space-bar. It works on most password fields and not many people use it ;)

Thumb up 0 Thumb down 0
Ryan February 3, 2009 at 6:04 pm

I always have a hard time coming up with a good unhackable password. Thanks for this data, this will come in handy!

Thumb up 0 Thumb down 0
Janith February 4, 2009 at 2:04 am

No worries Ryan! Glad you could get some good out of it :)

Thumb up 0 Thumb down 0
Make Money Online Tips February 4, 2009 at 8:53 am

Woooow you have put it so well. I always thought of using less keys but now I know why the bigger the password the better it is.

Thumb up 0 Thumb down 0
Alex Fraiser February 9, 2009 at 7:23 pm

Woah, you’ve been using small passwords? Good thing no one has tried anything on you (right?), that could have been bad!

Thumb up 0 Thumb down 0
SERPGenius February 5, 2009 at 2:39 am

I accidentally typed this comment on the other article, hopefully you guys can remove that :)

Woah, this is one of those things that we all have in the back of the mind but we don’t realize till someone points it out.

This takes me back to my Year 12 Math’s class with the probability theories :P

Nicely written out Janith!

Thumb up 0 Thumb down 0
Blogging Tips February 5, 2009 at 11:19 am

Interesting. Mine should take more than 10 years to crack. Not too bad, eh?

Yan

Thumb up 0 Thumb down 0
Alex Fraiser February 9, 2009 at 7:22 pm

Must be a very patient person to even attempt to crack that. ;)

Thumb up 0 Thumb down 0
Janith February 6, 2009 at 4:15 am

10 years – is that for a human or computer hacker, Yan?
Nevertheless, either way it is a very long long time ;)

Thumb up 0 Thumb down 0
Sire February 6, 2009 at 8:43 am

I have always had trouble remembering passwords so I use a piece of software that remembers all my passwords. It will allow me to generate a password manually or I can let it do it for me automatically once I set the parameters such as length etc. The beauty about it is that double clicking on the password copies it to the clipboard for 20 seconds, time limit for security reasons, and then I paste it into the required area. I think this is pretty good as it gets around those hackers that can copy the keys pressed on the keyboard.

Thumb up 0 Thumb down 0
Alex Fraiser February 9, 2009 at 7:21 pm

20 seconds?! That sounds really cool. What’s that software called?

Thumb up 0 Thumb down 0
Sire February 11, 2009 at 5:22 am

It’s called KeePass Password Safe

Thumb up 0 Thumb down 0
SERPGenius February 6, 2009 at 7:53 pm

Okay – I’ve followed some of the tips here and according to these calculations;

It will take 30 years for a computer to hack my password =D

Thumb up 0 Thumb down 0
Alex Fraiser February 9, 2009 at 7:20 pm

Sounds good. I pity the fool who wants to crack you. :p

Thumb up 0 Thumb down 0
Richael Neet February 7, 2009 at 1:01 am

Internet Usage 101, I suppose. But yeah, password security is getting more and more important in an age when spoofing, cracking and hacking is a child’s play. I have had my password cracked once and from that day, I learnt the value of strong passwords. By the way, cracking my current password will crush a super computer lol :p

Thumb up 0 Thumb down 0
Alex Fraiser February 9, 2009 at 7:20 pm

Do you use different passwords for each site? Or, are you someone who uses one password on one site (like your blog) and the same ones on other sites?

Thumb up 0 Thumb down 0
Cheap Motorcycles February 9, 2009 at 7:19 am

I’ve been meaning to make a skirt for a looong time, and this one is great. I don’t have an overlay mattress, but… I’m sure I can tinker this to my needs.

Thumb up 0 Thumb down 0
Pheak Tol February 9, 2009 at 3:42 pm

I didn’t think it would be that easy!… time to up the number of characters to my password haha

Thumb up 0 Thumb down 0
Alex Fraiser February 9, 2009 at 7:19 pm

Great idea!

The only downside is that it’s extra hard to remember the password. So unless I write down my passwords somewhere when I go away, I wouldn’t be able to get into many websites I use. =/

Thumb up 0 Thumb down 0
Arjun U February 11, 2009 at 7:13 am

nice. really nice. i’m gonna reddit this article…

Thumb up 0 Thumb down 0
Janith February 14, 2009 at 12:22 am

Thank you for Redditin’ this article Arjun :)

Thumb up 0 Thumb down 0
theblurr March 6, 2009 at 9:38 pm

Great post. Having 10 characters will make a basically un-hackable password as long as you don’t use dictionary words.

Thumb up 0 Thumb down 0
seo March 9, 2009 at 8:37 am

cool stuff bro…something like eye ball that couldn’t be seen!

Thumb up 0 Thumb down 0
iLinda March 9, 2009 at 9:46 am

Nice article & I will implement your tips in my all types online passwords.

Thumb up 0 Thumb down 0
Alex March 9, 2009 at 2:32 pm

Good idea. Never know, someone could be eying your site getting ready to break in.

Thumb up 0 Thumb down 0
x-ben March 9, 2009 at 10:26 am

Thank you ~~~

Thumb up 0 Thumb down 0
Suganindia March 12, 2009 at 6:13 am

Hehe mine is already 19 characters long

Thumb up 0 Thumb down 0
Cody March 26, 2009 at 9:48 pm

Yes this can be true but also take in mind that you can run more than one pass crack at a time…

Thumb up 0 Thumb down 0
Emily- password cracking March 27, 2009 at 12:38 am

Thanks for your tips, I am looking for password protection procedures and got it from you. Thanks, if possible report me the tips about how to protect from gmail hacking, credit card cracking also.

Thumb up 0 Thumb down 0
Linn April 9, 2009 at 10:32 pm

Interesting facts.. that’s why I prefer to use shift keys mixed with numbers. My university has a policy that at least one shift key and one numeric and 8 minimum chars to compose a website, it was pretty hard at first, but since that time, I am used to better password creation.. so, we just need a system that works and enforce it for a while, then we will get used to it. I attended Deakin University, Victoria.

this is fantastic post to enforce.. actually, if you focus this one to be 12 pages article, you might even get published in IEEE or some sort like that.. well done.

Thumb up 0 Thumb down 0
Janith April 10, 2009 at 3:28 am

Thank you for stopping by Linn, and it was recently that our school also made “complex” passwords compulsory. Some of them include;
- Minimum 8 characters
- At least one special character (#$@% etc.) and at least one number
- Can’t be the same as your last 25 passwords!
- Can’t be your name, age, student code or address, date of birth.

The new security measures are so much better, because I remember the number of people with the 3-4 letter passwords constantly complaining that they keep getting hacked! *face palms*

Featured on IEEE? That’d be an honor to say the least. :P

Thumb up 0 Thumb down 0
Typhoon April 17, 2009 at 6:10 am

The password can be hacked faster if a hacker has a Super Computer with high RAM (say 500GM from that Toshiba Company). Now if he uses any of these Brute force or Dictionary Attacks then he might get the password of your account quickly.

At Last! The possibilities are less :0 (lol)

Thumb up 0 Thumb down 0
thetrojan01 May 2, 2009 at 3:03 am

HACKERS USE COMPUTERS FOR BRUTE FORCING. SO IT ISN’T 580 million years but 59!

Also, this is not true with the use of WordLists.

Thumb up 0 Thumb down 0
Meredian Credit Union May 14, 2009 at 3:41 am

Hey, thanks for this useful post …. the tips are amazing and it is a new and good way to keep our accounts safe… great post

Thumb up 0 Thumb down 0
Joel Brown May 16, 2009 at 12:28 am

I think that this can also have some bearing on whether it is just letters or if there are numbers included as well. I have seen 10 character passwords cracked by a computer in no time, and 5 character passwords that include a symbol, still not beaten in a number of days.

I do understand some of it can be luck, but I think adding a symbol immediately adds a major jump in the ability to crack a password.

Thumb up 0 Thumb down 0
Bob May 23, 2009 at 5:40 pm

I don’t plan to live that long

Thumb up 0 Thumb down 0
How To Easy - Jake July 23, 2009 at 7:54 pm

It’s good not to use passwords that are easily guessed either, especially if you have sensitive information locked behind it. When I was a kid, my cousins and I tried for about an hour to guess the password on my uncle’s computer. When we started “really thinking” we decided we’d try a password related to his profession. He was a preacher at the time. So naturally we typed in jesus and cracked the password. We really thought we were something because of that. LOL Thanks for the great tip!

Thumb up 0 Thumb down 0
ZQ | Travel Blog August 7, 2009 at 8:20 am

Wow, a 10-letter password – that’s tough to remember.. perhaps can use auto-form filling bots e.g. Roboform

ZQ

Thumb up 0 Thumb down 0
Notahacker August 12, 2009 at 12:27 pm

Seriously? 10 characters? Whoopde-woo, a 10-character strong password! The arguments for your article are theoretically sound (yes, a 10-character password can be many orders of magnitude more secure than a shorter one), but in practice it is meaningless. This is because it assumes a simple brute-force attack, which is a highly inefficient way of cracking passwords.

Don’t get me wrong, this is sound advice, but it is incomplete, and as such it is incorrect and also potentially dangerous. Everyone who reads this article should be aware that simply the length of a password does NOT mean it will be safer. In fact, unless proper practice is used, making a password longer could make it less safe.

The key to a secure password is to keep it random and varied. Modern convention calls for a minimum of 14 characters, including upper and lowercase letters, numbers and symbols. It is important not to use common words, or l33t-speak, as well as elements of your name (or username) or words/numbers that can easily be attributed to you (birthdates, names of loved ones, etc). Also, avoid using characters more than once, putting the same type of character together (number followed by number, symbol followed by symbol).

Personally, I think of a password in terms of easy memorable words and numbers which make sense to me, and then add a mix of symbols and upper/lower case letters and assign similar characters in replacement of others. Therefore, the end result is a complex password that still resembles easily memorable words to me. So for example, “supercool69” (which is easily memorable) would become “zV9#r€.O/6n!4E” (s becomes z, u becomes V, p becomes 9, e becomes #, r stays r, c becomes €, o becomes . , o becomes O, l becomes /, 6 stays 6, 9 becomes n!4E). As you can see, if you know the original supercool69, it is not hard to remember the harder version, which will add an incalculably greater amount of security than the 11-character long “supercool69”.

Don’t be fooled everyone, making your passwords safe means WORKING to keep them safe. A password that is not annoying to type in is not a good password!

Thumb up 0 Thumb down 0
Seth August 12, 2009 at 2:05 pm

I really see your point… I think the article is trying to make this point as well though.

Strong passwords are based on using multiple character types and lengths. Good point and thanks for the discussion!

Thumb up 0 Thumb down 0
used tires August 16, 2009 at 9:54 pm

I’ve taken a computer Security course a few years ago, I learned a lot when it comes to this stuff! And I can certainly agree that making a password 10 characters long at the least, and making sure to mix capital with lower case letters, will make it a very very strong password for sure! Because if you use capital and lower case letters, it increases your range of possible characters by a lot! =D

Till then,

Jean

Thumb up 0 Thumb down 0
Vic of BusinessAccent August 17, 2009 at 1:02 pm

Wow…great great article. My first time to read such post. Thanks. What a nice illustration of numeric figures. By the way, how about special characters like %$*, do they have the same difficulty with ordinary letters and numbers?

Thumb up 0 Thumb down 0
University Heights real estate September 5, 2009 at 8:40 pm

Thanks a ton Janith, this was a perfect table explaining how many characters are suitable, with having 10 character long password, I’ve been in favor of keeping two passwords. Like logging in for email or forums, you need two passwords to sign in. You can keep one password 10-character long and the other one shorter. But as you said it would take a computer hacker 59 years, my idea might not be worth practicing it lol.

Thumb up 0 Thumb down 0
Hakeem - technology and gadgets September 6, 2009 at 11:45 pm

What a long time just to be able to discover a password.

Thumb up 0 Thumb down 0
Volksphone September 19, 2009 at 9:25 am

Ok I think 59 years for computer hacker is really secure. I didn´t not live this time from this day.

regards
Volksphone

Thumb up 0 Thumb down 0
Garry@moistdesigns September 21, 2009 at 3:52 am

Awesome for anyone to think on this. Simple logic with rationality makes this acceptable. Even if we consider technology updates and other factors and shorten the time by half, still it is a long enough time to think of another password, isn’t it ;) I liked it.

Thumb up 0 Thumb down 0
oes tsetnoc September 24, 2009 at 2:38 am

Great article tutorial, I am thinking to add more special characters to all my passwords to prevent hackers.

Thumb up 0 Thumb down 0
foo bar December 6, 2009 at 9:39 am

I didn’t read all of the comments, but I have a few questions about this.

1) How did you come up w/ 32 characters? 32 letters in the English alphabet, assuming that’s the basis here. numbers 0-9 would make that 41…. I don’t get it.

2) You say that if number of characters = 1, that would make for 32 combinations. So you’re assuming case-insensitive. You should clarify.

3) Let’s not even go into special characters (they are chars after all).

4) Finally, if someone’s password is the letter “a”, then they deserve to be hacked.

Thumb up 0 Thumb down 0
foo bar December 6, 2009 at 9:40 am

Correction to my bullet #1:

1) How did you come up w/ 36 combinations. 32 characters in the English alphabet ….

Thumb up 0 Thumb down 0
Fairmutex January 7, 2010 at 12:10 am

Good explanation you have all my respect ;)

But all of this assumes that the passwords are not stored hashed

Because hashing the password will lose some information so that you can never recover the password back. If the password is hashed then it takes less time to guess than described here because multiple passwords map to the same hash. Those who know a bit of math will understand this.

Example with binary (this is not what happens in reality, just to give the gist to normal users)
Assume a password is 3 characters long
Let’s say we remove the last character from the password so that the password is not recoverable (I know this only needs two attempts but am trying to make it simple for you)

set of passwords hash
000 00
001 00
010 01
100 10
101 10
110 11
111 11

By removing the last character we made more passwords valid to match the hash; in this case it’s divided by 2. (It’s the nature of the example that made this decrease the amount of time to guess linearly; it might be exponentially reduced in reality.)

So don’t be so sure of the accuracy of the calculation above.

Thumb up 0 Thumb down 0
Adam Jonsson January 22, 2010 at 4:42 am

My standard password is 10-12 characters so thanks for assuring me that I’m pretty safe. Of course that I can’t remember all of them – they are stored in KeePass database :)

Thumb up 0 Thumb down 0
HD Expert December 18, 2010 at 3:35 pm

And if you use a good password generator, like for example http://www.pctools.com/guides/password/ to generate a 12 character password — all it requires is for you to remember it.

Might also want to create two passwords, one for the “more secure” things like your gmail account, and another for various forums on the internet that might get hacked themselves.

Thumb up 0 Thumb down 0
pool lounges January 27, 2011 at 5:32 am

Excellent post I must say.. Simple but yet interesting and engaging.. Keep up the awesome work!

Thumb up 0 Thumb down 0
Andri April 15, 2011 at 5:57 am

So, we have at least 10 characters in password. Thanks for the info.

Thumb up 0 Thumb down 0
Nasif April 27, 2011 at 11:41 am

I have symbols in all my password and so stored in document. The problem I face is that I can’t log into emails or social networking site like facebook whenever I am on PC outside my home

Thumb up 0 Thumb down 0
