🎨 Tool Palette

Security Guide

Password Security Basics

To understand 'why strong passwords matter,' let's learn how attackers crack passwords and what effective defenses look like.

1. How Passwords Get Cracked

The most basic reason passwords get cracked is that they are guessable. According to 2023 data breach studies, the most commonly used passwords are shockingly simple: '123456,' 'password,' 'qwerty,' and similar.

Attackers rarely target you individually. Instead they run automated attacks: armed with leaked password lists, they attempt logins against millions of accounts, one after another.

2. Types of Attacks

Brute Force Attack

Tries every possible character combination. An 8-character lowercase password has about 209 billion possibilities, but modern GPUs can compute billions of hashes per second, cracking it in minutes. The countermeasure is to increase both the length and the number of character types.

Dictionary Attack

Uses lists of common words and phrases like 'password,' 'sunshine,' 'iloveyou.' Human-chosen 'memorable passwords' are often predictable and fall prey to dictionary attacks.

Credential Stuffing

Takes leaked email/password pairs from one service and tries them on others. This is why password reuse is dangerous: one breach compromises all your accounts.

Social Engineering

Guesses passwords from publicly available information: birthdays, pet names, favorite bands shared on social media. Passwords based on personal information are vulnerable to targeted attacks.

3. Measuring Password Strength

Password strength is measured as entropy, in bits. Each additional bit doubles the number of guesses an attacker needs, so higher entropy makes a password exponentially harder to crack.

As a guideline: under 40 bits is 'weak,' 40-60 is 'moderate,' 60-80 is 'strong,' and 80+ is 'very strong.' An 8-character random alphanumeric password has about 48 bits; a 6-word passphrase has about 78 bits of entropy.

Crucially, entropy depends on the generation method. A password that 'looks random' but was chosen by a human has lower entropy than a truly random computer-generated one.

4. Effective Defenses

Use a password manager: Generate and store unique random passwords for each service. You only need to remember one master password. This completely counters credential stuffing.

Enable two-factor authentication (2FA): Authenticate with a smartphone app (authenticator) or security key in addition to your password. Even if your password leaks, 2FA prevents unauthorized login.

Longer + random beats regular changes: The old 'change your password every 90 days' rule is no longer recommended (NIST SP 800-63B). Instead, set a sufficiently long, random password and only change it when a breach is confirmed.

5. The Passphrase Solution

A passphrase is a password built from several words, such as 'correct-horse-battery-staple': much longer than a typical password, yet easier to remember.

Selecting 6 words from the EFF Diceware word list (7,776 words) yields about 78 bits of entropy, stronger than an 8-character random alphanumeric+symbol password (~52 bits) and easier for humans to remember and type.

The key is that word selection must be truly random. Words you 'randomly' choose yourself are actually biased. Tool Palette's passphrase generator selects words from the word list using cryptographically secure random numbers.
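To make the entropy figures in sections 3 and 5 concrete, here is an added Python example (not Tool Palette's own generator code) that computes the bits for character-set passwords and Diceware passphrases, maps them onto the guide's strength bands, estimates worst-case cracking time at the guessing rate the guide mentions, and draws words with a CSPRNG. The twelve-word list is a constructed stand-in for the 7,776-word EFF list.

```python
import math
import secrets

# Strength bands quoted in the guide: <40 weak, 40-60 moderate, 60-80 strong, 80+ very strong
STRENGTH_BANDS = ((40, "weak"), (60, "moderate"), (80, "strong"))
EFF_LIST_SIZE = 7776  # EFF long Diceware list: 6^5 words, one per five-dice roll

# Constructed stand-in so the script runs offline. A real generator must load all
# 7,776 EFF words; drawing from a list this short gives far less entropy per word.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "sunset", "copper",
                "lantern", "meadow", "pixel", "quartz", "violet", "walrus"]


def charset_entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def diceware_entropy_bits(num_words, list_size=EFF_LIST_SIZE):
    """Entropy of a passphrase whose words are drawn uniformly from a list."""
    return num_words * math.log2(list_size)


def classify(bits):
    """Map an entropy value onto the guide's strength bands."""
    for upper, label in STRENGTH_BANDS:
        if bits < upper:
            return label
    return "very strong"


def worst_case_crack_seconds(bits, guesses_per_second):
    """Time to exhaust the whole search space at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(wordlist, num_words=6, separator="-"):
    """Draw words with the secrets module (CSPRNG); random.choice is not suitable here."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for label, bits in [("8 lowercase chars", charset_entropy_bits(8, 26)),
                        ("8 alphanumeric chars", charset_entropy_bits(8, 62)),
                        ("8 alphanumeric+symbol chars", charset_entropy_bits(8, 95)),
                        ("6 EFF Diceware words", diceware_entropy_bits(6))]:
        secs = worst_case_crack_seconds(bits, 1e9)  # 1 billion guesses/s, as in the guide
        print(f"{label}: {bits:.1f} bits ({classify(bits)}), {secs:,.0f} s at 1e9 guesses/s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```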

Generate a Secure Passphrase

Create memorable yet strong passphrases with the passphrase generator based on the EFF Diceware word list.
