To have secure email conversations, there are some very important pointers to keep in mind. A few elements of email security are under the user's own control, and they should make sure they have done the best they can from their end. The major element is the first thing that comes to mind when thinking of security: the password. Good password practice can mean the difference between an account that gets broken into and one that takes years to crack. To make a good password, you need to be creative. And to be creative, you need a motive.
Here are the reasons why a good password is an important element of account security. If you have noticed the minimum password requirements of some websites, you will understand that adding a single symbol can mean the difference between an easy-to-crack password and one that is practically impossible to crack computationally. We say practically impossible for typical passwords. If the thing your password guards is worth a lot, expect hackers to spend a lot to break it too (in which case they can afford a much larger number of attempts, in proportion to the value of the data).
The most common way hackers crack passwords is brute forcing. In this process, the attacker tries different combinations of characters, sized according to the assumed password strength, and settles on the one that finally opens the account. The speed of this attack depends on how the password is protected. The more secure algorithms are deliberately slower to compute, and vice versa. For example, SHA-256 is very fast to compute, so a password protected only by a SHA-256 hash can be recovered in just a few days, as opposed to a RAR archive, whose slow key derivation could take decades. If the hacker uses GPU processing to brute force, the speed increases many-fold, as GPUs have a large number of cores (hundreds of them), as opposed to CPUs, which have fewer but more powerful cores (2-16). An i7 processor can break 8-digit passwords in a minute, while the same length mixed with letters can take a couple of weeks, and one with symbols added too can take a dozen years.
Depending on the security level required, passwords should also be of reasonable length. Since the processing capabilities of commercial computers have increased over the years, 6-symbol passwords can be broken within a day. But adding just one symbol can increase the strength 50 times, and two more characters (letters, digits or symbols) can raise that figure to a dozen years. With strong passwords and secure algorithms, brute forcing can be ruled out as a practical attack.
a1s2d3f4 is a simple password that is easy to brute force. Why? It consists of lower-case letters and digits. There are 26 lower-case characters and 10 digits, for a total of 36. That gives 36^8 (about 2,821 billion) possible passwords. At a brute-forcing speed of 1 million passwords per second, all of them will be tried within a month.
Adding just one symbol to a password changes everything. Consider the password a1s2d3f4&. Now the character set consists of 26 lower-case letters, 10 digits and 14 special characters, totaling 50. There are 50^9 possible passwords. At the same speed it will take almost 62 years to try all of them. Using GPUs and a network of machines, these two figures (a month and 62 years) can be reduced to less than an hour and to 22 days respectively. If the hackers are lucky enough, they don't need to try every possible password - they might find it in the first half of the set or even faster.
Well, what if we change one letter to upper case - a1s2d3F4&? Now our character set totals 76, and even with all our GPUs and network power-ups it will take 2.6 years to search. Sounds good! Cut that in half, and once the password is found your data will be a year old. Is your last year's data worth paying for a heavily loaded cluster for a year? If you say yes, add one more character and make it 100 years.
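The three passwords above can be worked through with a small calculator. The following is an added example, not code from the original article: it counts the alphabet the way the page does (26 lower-case, 26 upper-case, 10 digits, 14 symbols), raises it to the password length, and divides by a guessing rate. At the page's 1 million guesses per second it reproduces the "about a month" and "almost 62 years" figures; a rate of 10^9 guesses per second, an assumed stand-in for the page's "GPUs and a network", reproduces the under-an-hour, 22-day and 2.6-year figures.

```python
import math

# Character-class sizes as counted on this page: 26 lower-case letters,
# 26 upper-case letters, 10 digits and 14 special characters.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 14

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-forcer must cover, given which
    character classes the password visibly uses."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def keyspace(password: str) -> int:
    """Number of candidates in an exhaustive search: alphabet ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; every extra bit doubles the attacker's work."""
    return len(password) * math.log2(charset_size(password))


def exhaustive_seconds(password: str, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate has to be tried."""
    return keyspace(password) / guesses_per_second


def expected_seconds(password: str, guesses_per_second: float) -> float:
    """On average the right guess turns up halfway through the keyspace,
    which is the 'cut it in half' the article mentions."""
    return exhaustive_seconds(password, guesses_per_second) / 2


def report(password: str, guesses_per_second: float) -> str:
    """Human-readable summary line for one password at one guessing rate."""
    secs = exhaustive_seconds(password, guesses_per_second)
    if secs < SECONDS_PER_DAY:
        when = f"{secs / 3600:.1f} hours"
    elif secs < SECONDS_PER_YEAR:
        when = f"{secs / SECONDS_PER_DAY:.1f} days"
    else:
        when = f"{secs / SECONDS_PER_YEAR:.1f} years"
    return (f"{password!r}: alphabet {charset_size(password)}, "
            f"{entropy_bits(password):.1f} bits, exhaustive search {when}")


if __name__ == "__main__":
    # 1e6/s is the rate the article assumes; 1e9/s is an assumed stand-in
    # for its "GPUs and a network" scenario.
    for rate in (1e6, 1e9):
        for pw in ("a1s2d3f4", "a1s2d3f4&", "a1s2d3F4&"):
            print(f"@ {rate:.0e} guesses/s  " + report(pw, rate))
```

The alphabet-size model is generous to the attacker only if the password really is random; a password built from dictionary words has far fewer effective candidates than this calculation suggests, which is the point of the dictionary-attack discussion that follows.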
Instead of brute forcing stronger passwords, hackers have taken to dictionary attacks. With a sufficiently large dictionary of known passwords and password fragments, the chance of cracking a password ramps up significantly. If there are common words in the password, breaking it becomes very easy. For example, "ThisIsAStrongPassword321" takes a relatively short time to crack, since it is built from commonly used words that are present in the dictionary. In fact, cracking programs even try L33T variations of such passwords (L33T is a form of spelling typically used by nerds, hackers and people who game online). There is a good article on how easy it is to crack good-looking passwords such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014.":
The specific type of hybrid attack that cracked that password is known as a combinator attack. It combines each word in a dictionary with every other word in the dictionary. Because these attacks are capable of generating a huge number of guesses—the square of the number of words in the dict—crackers often work with smaller word lists or simply terminate a run in progress once things start slowing down. Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.
The one problem that comes with more secure passwords is that longer passwords are much more difficult to remember. For example, a random 256-bit key would take an impractically long time to crack. But it would be impractical to memorize as well. There are some techniques that can help you memorize strong passwords.
For example, Bruce Schneier uses a scheme that makes a password out of a common sentence: something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Or: WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
One more example - there is the so-called Diceware method of generating a passphrase. The idea is to randomly select six words, which makes a passphrase that is long enough yet easy to remember. The dictionary contains 7776 words, so selecting six random words gives an attacker 7776^6, about 2×10^23, candidates to search, which is very good.
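The Diceware idea can be shown in a few lines. This is an added example and not the Diceware project's own tooling: it rolls five dice with a cryptographic random source and maps them to a list index the way the 11111..66666 lookup keys do, picks six words, and computes the resulting keyspace and entropy for the real 7776-word list. The twelve-word list embedded below is a constructed stand-in so the code runs offline; a real passphrase must come from the full list, since the entropy figures assume 7776 choices per word. The helper at the end answers the memorability trade-off raised later on the page: how many random characters from the 76-symbol alphabet above give the same strength as six Diceware words.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 entries, one per five-dice outcome

# Constructed stand-in list. The real Diceware list has 7776 words; this one
# has 12, so it only demonstrates the selection mechanism, not real strength.
SAMPLE_WORDS = ["anvil", "bishop", "cactus", "drizzle", "ember", "falcon",
                "glacier", "harbor", "ivory", "juniper", "kettle", "lantern"]


def roll_index() -> int:
    """Roll five dice with a CSPRNG and map the outcome to 0..7775, the
    position of the matching 11111..66666 key in a sorted Diceware list."""
    index = 0
    for _ in range(5):
        index = index * 6 + secrets.randbelow(6)   # one die: 0..5
    return index


def passphrase(words, n_words: int = 6) -> str:
    """Pick n_words independently and uniformly. Repeats are allowed on
    purpose: rejecting them would shrink the keyspace."""
    if len(words) < 2:
        raise ValueError("word list too small to be meaningful")
    return " ".join(secrets.choice(words) for _ in range(n_words))


def guesses(list_size: int = DICEWARE_LIST_SIZE, n_words: int = 6) -> int:
    """Candidates an attacker who knows the method must consider."""
    return list_size ** n_words


def entropy_bits(list_size: int = DICEWARE_LIST_SIZE, n_words: int = 6) -> float:
    """Strength in bits: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words reaching a target strength."""
    return math.ceil(target_bits / math.log2(list_size))


def equivalent_random_chars(bits: float, alphabet_size: int = 76) -> int:
    """Length of a uniformly random character password with the same
    strength; 76 is the page's lower+upper+digit+symbol alphabet."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("sample phrase (toy list):", passphrase(SAMPLE_WORDS))
    print("one real Diceware index:", roll_index())
    print(f"six real words: {guesses():.2e} candidates, "
          f"{entropy_bits():.1f} bits")
    print("random chars for the same strength:",
          equivalent_random_chars(entropy_bits()))
    print("words for 128 bits:", words_needed(128))
```

Six words from the full list are about 77.5 bits, which is roughly what a 13-character fully random password over the 76-symbol alphabet gives; the passphrase is the one of the two that a person can actually remember.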
Users need to strike a trade-off between memorability and security. Therefore, instead of choosing extremely complex passwords that are very hard to memorize, the safekeeping of passwords should be prioritized. Keeping passwords safe adds another layer of security, and wise use of passwords will, in most cases, save you from a break-in to your data.