New year, new password?

The start of the year is a good time to change our passwords in the devices and applications on which we want to maintain a high level of security, or in any case prevent them from being the same, as always, as a mere precaution.

There are several methods with which computers can be attacked regardless of whether the device is a mobile, a tablet or a computer.

  • With dictionaries or word lists. An attacking program reads from a database or data dictionary and attempts to penetrate the system.
  • With rules. This system is more sophisticated than the previous one, since you have to discover and program the rule, but in the end you always get an access.
  • By brute force . It is the least sophisticated method, since it is about testing and testing, it requires a lot of process capacity.
  • With a mixture of the above. Hybrid attack.

If we have a 4-digit password, the attacker will only need 10,000 attempts to penetrate. It may seem like a lot, but in less than a second it is achieved. You have to think that the attacker has enough technology to achieve his goal. We can repeat the process, but for lowercase letters (27) taken 4 in 4, 531,441 attempts will be needed, as we see are many more, but a few seconds for a computer.

If we increase to uppercase, lowercase and special characters we will have a total of 97 cases (numbers, letters and special characters) to choose and, if we return to the 4 digits, the possibilities would become 88,529,281, as we see the number of attempts Increase by increasing the characters to choose. Also if we increase the password length, passing it from 4 to 10, the attacker would have to make 73,744,400,000,000,000,000 attempts.

Passwords follow the rule 20/60/20. 20% are easy, only numbers or letters and less than 7 characters in length, 60% of average difficulty between 7 and 10 characters in length and 20% longer and with greater difficulty.

The longer the passwords the better, combining numbers and letters, some of them uppercase or lowercase and with some special character. All this is very good, but is it practical? We must think that simple 1234 codes … or similar are easy to find. Saving passwords on an Excel sheet, or a “post it” or paper, is risky because it can fall into the hands of someone who of course makes everything easier.

Get away from keyboard walking 

Therefore, we should avoid things or methods extremely simple as following a sequence of keyboard (keyboard walking . An easy-to-remember sequence of numbers is the dates in “ddmmaaaa” or similar format, we already have 8, if we add a phrase, name, surnames that we remember and in some specific position, upper or lower case and intermingle a number, we already start to have something much more serious. If we also add special characters, we will have a little or nothing vulnerable system.

There are applications that when you try to access them a finite and low number of times, say that three, without success, automatically revoke the user and force us to change the password.

Finally, we can classify passwords into two large groups, those that matter to us, by data, by access to banks or sensitive information. Or those we use for certain queries or accesses, such as certain newspapers or other types that do not need complex passwords. The objective is that we have our own algorithm, which we can remember, that allows us to change it from time to time, avoiding unnecessary risks.


Manuel García Ramírez
MGR Consultants IT y Security Manager