Are your passwords strong enough? How should you use numbers when creating them? And what about multi-factor authentication? Here’s what you need to know about creating and maintaining strong passwords.

How do you create a strong password, one that can withstand being cracked by even the most sophisticated attacks?

Most of us know not to use commonly used passwords and personal details when setting these, and instead to use numbers, special characters, and so on.

But even if we follow this advice, our passwords may leave us vulnerable to attacks.

So why is this? And what should we be doing instead? First, let’s look at the two main reasons our passwords don’t quite cut it.

The two main reasons your password isn’t strong enough

We’re often led to believe a password is stronger than it actually is for two reasons.

The first reason is that the average user is happy to let the site on which the password is being created dictate what a good password looks like.

This is a problem because it is easy to confuse a particular site’s minimum requirements with best practice for password creation in general.

A password you create may well satisfy a particular website’s criteria, and may include a number and a special character for additional security. But if it is one you already use elsewhere, reusing it on yet another site is not a good idea. The site in question, of course, has no way of knowing how many times you have used that password before, so it cannot warn you.

It’s perfectly normal to want to make life easy for yourself and to balance security with convenience. If you only need to define a password that’s eight characters in length, with one special character and one number among these, why make it longer and more complicated than that?

The second key reason explains why we should.

Most online users want their accounts to be secure, but they lack sufficient awareness of how threats to passwords have evolved over time, and whether the advice we have always believed to be best is still sound.

Again, this is perfectly understandable. Password security is hardly the most exciting subject and it takes effort to stay on top of how things change in this space.

As online threats evolve, we should take notice of new recommendations so that those threats can be defeated. In reality, though, most of us slip into the habit of doing things one way and simply stick with it.

For example, many of us now habitually use special characters and numbers in our passwords, because we have been prompted to do so for some time. The theory behind this is that a less predictable combination will be harder to crack.

But as the use of special characters has become commonplace, password-cracking methods have adapted to this. To understand how, it’s useful to look at the two main ways in which passwords are cracked, namely through dictionary attacks and brute force attacks. 
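To make the contrast between the two approaches concrete, the following added example (not code from the original article) estimates how large a search an attacker faces for a given password under each model. The naive brute-force estimate assumes every character is drawn uniformly from the full character set, which is what a site’s “eight characters, one number, one symbol” rule implicitly measures. The pattern-aware estimate instead recognises the habit described above, a common word followed by a few digits and a symbol, and counts only the candidates an attacker who knows that habit would need to try. The word list and the case-variant count are constructed assumptions for illustration, not a real cracking dictionary.

```python
import math
import string

# Constructed stand-in for a "common words" list; a real list would be far larger,
# which makes the pattern-aware estimate below more generous than it should be.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football"}

# Assumed number of capitalisation variants an attacker tries per word
# (all lower, Capitalised, ALL UPPER).
CASE_VARIANTS = 3

# Digits plus ASCII punctuation: the pool the trailing "2024!" style suffix is drawn from.
SUFFIX_ALPHABET = len(string.digits) + len(string.punctuation)  # 10 + 32 = 42


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space if every position is chosen uniformly from the alphabet."""
    if length == 0 or alphabet_size == 0:
        return 0.0
    return length * math.log2(alphabet_size)


def policy_keyspace_bits(length: int = 8) -> float:
    """Search space the typical site policy implies: 94 printable ASCII symbols per position."""
    return brute_force_bits(length, 94)


def naive_bits(password: str) -> float:
    """Brute-force estimate based only on which character classes appear."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    if any(c.isspace() for c in password):
        alphabet += 1
    return brute_force_bits(len(password), alphabet)


def split_word_and_suffix(password: str):
    """Return (word, suffix) if the password is a common word plus digits/symbols, else None."""
    core = password.rstrip(string.digits + string.punctuation)
    suffix = password[len(core):]
    if suffix and core.lower() in COMMON_WORDS:
        return core, suffix
    return None


def pattern_aware_bits(password: str) -> float:
    """Search space once the attacker knows the 'word + digits + symbol' habit.

    Falls back to the naive brute-force estimate when the pattern does not apply.
    """
    parts = split_word_and_suffix(password)
    if parts is None:
        return naive_bits(password)
    _, suffix = parts
    candidates = len(COMMON_WORDS) * CASE_VARIANTS * SUFFIX_ALPHABET ** len(suffix)
    return math.log2(candidates)


def assess(password: str) -> dict:
    """Compare the two estimates against the 8-character policy baseline."""
    naive = naive_bits(password)
    realistic = pattern_aware_bits(password)
    return {
        "naive_bits": round(naive, 1),
        "pattern_aware_bits": round(realistic, 1),
        "beats_8_char_policy": realistic > policy_keyspace_bits(8),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Summer2024!", "correct horse battery staple"):
        print(pw, assess(pw))
```

The point the numbers make: “Summer2024!” satisfies every usual site rule and scores over 70 bits on the naive count, but once the attacker assumes the word-plus-suffix habit it collapses to roughly 30 bits, well below what the 8-character policy nominally promises. A long passphrase of unrelated words scores far higher under both estimates, which is why length beats mandatory symbols.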

Dictionary attacks vs brute force attacks

Dictionary attacks are commonly thought of as the process of using every word in a dictionary to guess a password until the correct one is found.

The name is somewhat misleading, however: the requirement for special characters and numbers in today’s passwords means that simply trying plain dictionary words would not be particularly effective.

For that reason, these attacks may not actually use every word in a dictionary as such, but will typically make use of common word