Is your 'strong' password as secure as you think? Probably not

By Catherine Holland

PHOENIX -- So you think those hard-to-remember passwords safeguarding your online accounts are hard to hack? You might be surprised.

The general standard for passwords -- what most people have been taught is secure -- is eight characters, containing both uppercase and lowercase letters, numbers and at least one symbol.

"The problem with this is it's very hard for humans to remember, but very easy for hackers to break," Ken Colburn of Data Doctors explained to 3TV's Kaley O'Kelley. "An eight-character password, no matter what you use, if you do the math … the number of possible combinations can be broken because they're using super-fast computers."

That is called a brute-force attack, and it is exactly what it sounds like. Every possible password is tested until the correct one is found.

The example complex password Colburn used, 7&rQ$w1E, can be broken in a little more than a minute according to Gibson Research Corporation's "Password Haystack Concept." As the name suggests, the company compares your password to a needle in a haystack. The bigger the haystack, the harder it is for hackers to find that needle.

The company's website has what it calls a "Search Space Calculator." It does not evaluate the strength of a password. Rather it is designed to help people understand how long it might take to search every iteration of a given string.

The bottom line is relatively simple.

"You want longer passwords that are easier to remember," Colburn said.

The example he used to illustrate his point was, "I Love GMAZ on TV3!"

"It'd take about 1.2 hundred trillion centuries for a brute force attack [to break it]," he said. "Brute force is simply a math equation."
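The "math equation" behind those two numbers, as an added example that is not part of the article or of GRC's own calculator: it sizes the search space the way the haystack concept describes (every string up to the password's length over the alphabet implied by the character classes used) and converts it to time at an assumed guess rate. The class sizes (26/26/10/33, space counted as a symbol) and the one-hundred-trillion-guesses-per-second rate are this example's assumptions about the calculator's settings.

```python
# Added example (not the article's or GRC's code): GRC-style "haystack"
# search-space sizing for the two passwords quoted in the article.
import string

# Assumed class sizes: 26 upper, 26 lower, 10 digits, 33 symbols (incl. space).
SYMBOLS = string.punctuation + " "
CLASSES = (
    (string.ascii_uppercase, 26),
    (string.ascii_lowercase, 26),
    (string.digits, 10),
    (SYMBOLS, 33),
)
MASSIVE_ARRAY_RATE = 1e14  # assumed: one hundred trillion guesses per second
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must assume: a class counts in full as
    soon as a single character from it appears in the password."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates to cover: every string of length 1..len(password) over the
    inferred alphabet (exact integer arithmetic, so long passwords don't overflow)."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float = MASSIVE_ARRAY_RATE) -> float:
    """Worst-case time to try the whole search space at the given rate."""
    return search_space(password) / guesses_per_second


def centuries_to_exhaust(password: str, guesses_per_second: float = MASSIVE_ARRAY_RATE) -> float:
    return seconds_to_exhaust(password, guesses_per_second) / SECONDS_PER_CENTURY


if __name__ == "__main__":
    for pw in ("7&rQ$w1E", "I Love GMAZ on TV3!"):
        print(f"{pw!r}: length {len(pw)}, alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):.3g}, "
              f"{seconds_to_exhaust(pw):.3g} s / {centuries_to_exhaust(pw):.3g} centuries")
```

Both quoted passwords draw on all four classes, so the only thing separating "a little more than a minute" from "1.2 hundred trillion centuries" is the exponent: 8 characters versus 19.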

When it comes down to it, a few extra characters can make the difference between a hackable password and a secure one.

"The length of the password is far more important than the complexity," Colburn said. "When you get up to about 15 [characters], it becomes really ridiculous for a brute-force attack. What'll happen is they'll try for a while, and then they'll move on to someone else."

If your passwords are eight characters or fewer, you're in the danger zone.

"Change them to something longer and easier for you to remember," Colburn advised.

You still want to use uppercase and lowercase letters, numbers and special symbols, but you can do it in a way that makes sense to you, like Colburn did with his "I Love GMAZ on TV3!" example.

"The use of every type of character forces the attacker to search through the largest possible space," the GRC Q&A reads.

The idea is to make your haystack as big as possible.

That's why the company also suggests padding your passwords to increase their character counts. You can do that by adding a few characters, perhaps something as simple as "[*]," to the beginning, middle and/or end of your password.

"If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!" according to GRC.

Now, are you ready for the correct answer to the poll question at the top of this story?

Of the two choices, "D0g....................." is the more secure password.

"Since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password," reads the GRC website.

You can test your passwords for crackability at

Ken Colburn, the original Data Doctor, is the founder/CEO of Data Doctors Computer Services & Data Forensics labs.

Host of the award-winning Data Doctors Radio Program
