
How to create stronger passwords

Learn how password crackers work, four tips for creating stronger passwords and two ways you can reduce the risk of password cracking.

I think someone has used a 'password cracker' to access my e-mail account. Is this possible? My computer is not connected to a network, so access would have been through a remote computer. If this is possible, can you please tell me what I can do to prevent this from occurring again?
If your computer isn't connected to a network, it's unlikely that someone stole the user ID and password to your e-mail account by running a password cracking tool against your machine remotely. Your suspicion that a cracker, as you correctly call it, was involved may well be right, but that doesn't mean it ran remotely: the attacker could have installed and run it locally, right on your machine. Bear in mind, too, that the password to an e-mail account is held by the mail provider, so someone who guessed it at the provider's login page, or tricked you into revealing it, would never need to touch your computer at all.

Let's take a closer look to see what might have happened. Before doing that, we need to understand a little about how password crackers work.

Some common password cracking tools are John the Ripper, Cain and Abel, and LC 5 (formerly L0phtCrack); Brutus, often named alongside them, is different in that it guesses passwords against a live network login such as POP3 or FTP rather than against stored hashes. The hash-based tools don't run in isolation, or grab passwords out of thin air. They run against the password files in which both Windows (the SAM database) and Unix (/etc/passwd or /etc/shadow) store account credentials. For each account on the workstation those files hold the user ID and the password, but the password is kept only as a one-way hash, never in plain text.

These hashes are called one-way because there is no key to decrypt them: you cannot turn the hash back into the password. What a cracking tool does instead is take candidate words from lists, some from dictionaries, others from collections of commonly used passwords, run each candidate through the same hash function and compare the result with the hashes in the password file. A match means the candidate is the password. Most tools also apply "rules" to each word (capitalising it, appending digits or a year) and can fall back to trying every combination of characters up to some length, which is only practical against short passwords. In other words, cracking tools don't break the hash itself; they guess passwords and let the hash confirm the guess.

Crackers can be used remotely against a copy of the file, installed directly onto a desktop, or run off a disk inserted into the workstation. Either way, they need access to the password hash file sitting on your machine, and on a computer with no network connection that means someone was at the keyboard or booted it from removable media. The following are two ways to protect yourself from this in the future:

  1. Strengthen your passwords. The word lists used by cracking tools consist of dictionary words and common everyday words, plus lists of passwords people are known to choose. An attacker can easily find these lists on the Web and feed them to the cracker. An unintelligible password appears in no such list, so the cracker is reduced to trying combinations of characters, which is far slower. That delay could be the difference between an attacker getting into your machine, or not.
    Here are some tips for strong passwords:

    • Make sure your password is at least eight characters long (six is the bare minimum many systems accept, but it is too short to resist brute force), and longer if the system allows: every extra character multiplies the number of guesses an attacker has to make.
    • Don't use words that can be found in a dictionary, or any common name, such as those of your children, spouse or pets (remember what happened to Paris Hilton?). Cracker word lists include names and the obvious variations on them.
    • Use an unintelligible combination of upper- and lower-case letters, numbers and, where the system allows, punctuation. A password like "mycatsname25" is a dictionary word with two digits tacked on and will fall quickly; "nG67kLr42" appears in no word list and can only be found by brute force.
    • Expire passwords on a regular basis, preferably every 60 or 90 days, and change a password immediately if you suspect it has been cracked.

  2. Improve the physical security of access to your machine. Chapter 5 of my book, The Little Black Book of Computer Security, has tips for physically securing your system from intruders, including those intent on installing password crackers.
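To make the mechanics concrete, here is an added example that is not code from the original article: a small dictionary cracker in Python that does what the tools described above do. It hashes candidate words from a word list, applying a few of the "rules" real crackers use (capitalising, appending digits or a year), and compares each result with the entries of a password file. The file layout (user:salt:SHA-256 hex digest), the sample accounts, the salts and the word list are all assumptions constructed for this example, not any real system's format. The sample file holds the two passwords from the tips above, so the run shows why "mycatsname25" falls to a word list while "nG67kLr42" does not.

```python
import hashlib
from typing import Dict, Iterator, List, Optional, Tuple

# Assumed toy layout of the password file used here: "user:salt:hexdigest"
# with digest = SHA-256(salt + password). Real systems use their own formats
# (Windows keeps MD4 "NT hashes" of the UTF-16LE password in the SAM, Unix
# keeps salted crypt(3) hashes in /etc/shadow); the attack is the same.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

def make_entry(user: str, salt: str, password: str) -> str:
    return f"{user}:{salt}:{hash_password(salt, password)}"

# Constructed sample file. The plaintexts appear here only so the demo is
# reproducible; a real cracker never sees them, only the hash column.
SAMPLE_HASH_FILE = "\n".join([
    make_entry("alice", "x7", "mycatsname25"),  # dictionary word + two digits
    make_entry("bob",   "q9", "nG67kLr42"),     # unintelligible mix of cases and digits
    make_entry("carol", "m2", "Tinkerbell"),    # pet name, capitalised
])

# Constructed word list standing in for the dictionary and common-password
# lists that ship with John the Ripper and similar tools.
WORDLIST = ["password", "letmein", "qwerty", "tinkerbell", "mycatsname", "fluffy"]

def mangle(word: str) -> Iterator[str]:
    """Yield variants of a word the way cracker 'rules' do: case changes and
    appended digits cover the usual user tricks ("Password1", "fluffy99")."""
    base_forms = {word, word.capitalize(), word.upper()}
    for w in base_forms:
        yield w
        for n in range(100):                # "mycatsname25" is one of these
            yield f"{w}{n}"
        for year in range(1990, 2006):      # "fluffy2004" style suffixes
            yield f"{w}{year}"

def parse_hash_file(text: str) -> List[Tuple[str, str, str]]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, salt, digest = line.split(":", 2)
        entries.append((user, salt, digest))
    return entries

def crack(hash_file_text: str, wordlist: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Dictionary attack: hash every candidate with each user's salt and compare
    it to the stored digest. Returns {user: recovered password or None} and the
    number of hashes computed, which is the cracker's real cost. Because each
    user has a different salt, every candidate is rehashed per user; unsalted
    schemes let one pass over the word list cover every account at once."""
    results: Dict[str, Optional[str]] = {}
    attempts = 0
    for user, salt, digest in parse_hash_file(hash_file_text):
        results[user] = None
        for word in wordlist:
            for candidate in mangle(word):
                attempts += 1
                if hash_password(salt, candidate) == digest:
                    results[user] = candidate
                    break
            if results[user] is not None:
                break
    return results, attempts

if __name__ == "__main__":
    found, cost = crack(SAMPLE_HASH_FILE, WORDLIST)
    for user, pw in found.items():
        print(f"{user:6} -> {pw if pw else 'not cracked'}")
    print(f"{cost} hashes computed")
```

Running it recovers alice's and carol's passwords after a few thousand hashes, while bob's survives the whole word list; the only remaining option against "nG67kLr42" is to enumerate every nine-character string of letters and digits, which is why length and randomness matter more than any single trick.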
This was last published in December 2005
