Dealing with passwords is a fundamental part of using the internet, whether on a tablet, a phone, or any of the other devices we rely on. Passwords protect everything from the mundane (our Spotify, YouTube, and Twitch accounts) to the vitally important (our PayPal, Amazon, Venmo, and bank accounts) and everything in between. They are the keys to the digital locks on our online property and, as such, play an important role in protecting our lives from bad actors who are intent on stealing identities and wreaking havoc.

It's vital that you are the only one who knows or can guess your passwords. But what makes for a good password? To understand that, you'll need to know a thing or two about how internet ne'er-do-wells crack passwords.

Brute-force attacks


In digital security, repeatedly guessing a password is called a brute-force attack. The idea is simple. Try every combination of letters and numbers until the right one is found. This kind of task is tedious, repetitive, prone to error, and time-intensive for a human. But for a computer, most of these problems become trivial.

According to NordPass, guessing rates range from about 10,000 passwords per second on an old-school Pentium 100MHz to one billion per second on a supercomputer, and a modern GPU cracking a fast hash such as MD5 or NTLM runs faster still. At the slow end, a four-digit PIN (10,000 possible PINs) falls in one second even in the worst case, where the correct PIN is the last one tried. One caveat applies to every figure that follows: these rates assume the attacker holds a copy of the password database and is guessing offline. A login form that throttles or locks the account after a handful of failures can be guessed at only a tiny fraction of this speed.

For alphanumeric passwords consisting only of lowercase letters and numbers (36 possible characters), a six-character password has 36⁶ possible combinations, roughly 2.2 billion. Exhausting them takes about 217,678 seconds (2.5 days) on the Pentium or about 2 seconds on the supercomputer. These numbers are the maximum time it takes to brute force the passwords, and either way this is unacceptable from a security standpoint.

A complex password like @ndroidPo1ice is harder to brute force. It's made up of 13 characters mixed between uppercase, lowercase, numbers, and symbols, giving 94 possibilities per character, which works out to 94¹³ (over 44 septillion) password combinations. That is enough to stop our low-powered computer, which would need over four sextillion seconds (over 140 trillion years) to try them all, and it also defeats our high-powered computer, which would need over 44 quadrillion seconds (1.4 billion years). That math only holds if the attacker really has to search the whole space, though. @ndroidPo1ice is a brand name with a few obvious substitutions, and the next section shows why that matters.
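To check figures like these for any password, here is an added example (not code from the article) that works out the alphabet a brute forcer has to enumerate, the resulting keyspace, and the worst-case time at each guess rate. The Pentium and supercomputer rates are the NordPass figures quoted above; the single-GPU rate is an assumption added for illustration. Running it shows the Pentium needs about 140 trillion years for @ndroidPo1ice and the supercomputer about 44 quadrillion seconds.

```python
import string

# Character classes a brute forcer enumerates. One symbol in the password forces
# the attacker to include all 32 printable ASCII symbols: 26+26+10+32 = 94.
CLASSES = (
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("digits", set(string.digits)),
    ("symbols", set(string.punctuation)),
)

# Guess rates. The first two are the article's NordPass figures; the third is an
# assumption for this example (a single high-end GPU against a fast unsalted
# hash such as MD5 or NTLM; consult current hashcat benchmarks for real numbers).
RATES = {
    "Pentium 100 MHz": 1e4,
    "supercomputer (article figure)": 1e9,
    "single GPU, fast hash (assumed)": 1e11,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the alphabet an attacker must enumerate for this password
    (printable ASCII classes only; other characters are ignored)."""
    return sum(len(chars) for _, chars in CLASSES
               if any(c in chars for c in password))


def keyspace(password):
    """Number of strings of the same length drawn from the same alphabet."""
    return alphabet_size(password) ** len(password)


def worst_case_seconds(password, guesses_per_second):
    """Time to exhaust the keyspace; the expected time is half of this."""
    return keyspace(password) / guesses_per_second


def human(seconds):
    """Round a duration to the largest sensible unit."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size or name == "seconds":
            return f"{seconds / size:,.1f} {name}"


def report(password):
    """Worst-case crack time at each rate as (rate name, seconds, text) rows."""
    rows = []
    for name, rate in RATES.items():
        secs = worst_case_seconds(password, rate)
        rows.append((name, secs, human(secs)))
    return rows


if __name__ == "__main__":
    for pw in ("1234", "abc123", "@ndroidPo1ice"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, keyspace {keyspace(pw):.3g}")
        for name, _, text in report(pw):
            print(f"    {name:36} {text}")
```

Note that the calculator assumes a uniformly random password; it says nothing about a password an attacker can reach with a wordlist, which is the subject of the next section.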

Dictionary attacks


These calculations assume the longest possible time, with the computer guessing correctly only on the last possible permutation of characters. The average time it takes to guess a password would be about half of what's stated above. Worse, people are awful at picking passwords, but it's (mostly) not our fault. The best passwords for thwarting brute-force attacks are random strings of letters, numbers, and symbols, while the easiest passwords to remember are made of numbers and words that have some personal meaning. This opens us up to a different attack: the dictionary attack.

This type of attack succeeds because most people build passwords from common words. Instead of testing every combination of every possible character, an attacker tests words known to be used in many passwords, and cracking tools apply mangling rules to each one (capitalize it, append a year, swap a for @ and l for 1), so @ndroidPo1ice is only a few hundred guesses away from androidpolice. Plus, given the plethora of data breaches in the past decade, attackers can find lists of hundreds of millions of real passwords to test, a far cry from the 44 septillion possibilities in our previous example.

Password cracking


Another avenue of attack relies on the way online services store passwords. Companies shouldn't keep a list of plain-text passwords, since a single leaked database would expose every user. Instead, they run each password through a one-way hash function: a function that turns the password into a fixed-size digest, such that computing the digest from the password is easy but recovering the password from the digest is infeasible. At login, the service hashes what you typed and compares the result with the stored digest.

Since companies began hashing passwords, attackers have been working on ways around it. A fast, unsalted hash such as MD5 or SHA-1 offers little protection for a common password: precomputed lookup tables cover the popular ones, and a Google search for the hex digest often returns the plaintext. The weakness there is the combination of a guessable password and a fast hash with no per-user salt, not SHA-1 specifically; an unsalted SHA-256 of password123 is just as searchable. Less common passwords under a fast hash can be brute-forced or dictionary-attacked in a matter of hours by renting GPU time on AWS. Purpose-built password hashes (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) add a random salt per user and are deliberately slow, so every guess costs the attacker thousands of times more work and the work can't be shared across accounts.

With the proliferation of these attacks, a bad actor only needs a copy of the hashed password list and a bit of time to recover a large share of the passwords in it and use them to access accounts.
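Putting the last two sections together, here is an added example, not code from the article, that runs a rule-based dictionary attack against a constructed "breach dump" of unsalted SHA-1 hashes and then stores the same password with a per-user salt and PBKDF2 to show what the attacker loses. The wordlist, the three users and their passwords are constructed for the demo, and the leet rules are a tiny subset of what a real cracking rule set contains.

```python
import hashlib
import hmac
import itertools
import os

# Leet substitutions a cracking rule set would try. A base word with k
# substitutable characters expands to 2**k candidates, not 94**len(word).
LEET = {"a": "@", "o": "0", "i": "1", "l": "1", "e": "3", "s": "5", "t": "7"}

# Constructed wordlist. In practice this is a breach list of hundreds of
# millions of entries plus site-specific terms (the brand name is an obvious one).
WORDLIST = ["password", "android", "police", "AndroidPolice"]


def leet_variants(word):
    """Yield every combination of LEET substitutions applied to `word`."""
    options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(wordlist):
    """Mangle each base word: case rules first, then leet rules. Each candidate
    is yielded once, in the order an attacker would try them."""
    seen = set()
    for word in wordlist:
        for base in (word, word.lower(), word.capitalize(), word.upper()):
            for cand in leet_variants(base):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack_unsalted_sha1(digests, wordlist):
    """Dictionary attack on unsalted SHA-1. One hash per candidate is checked
    against every stored digest at once, so the work is shared across users.
    `digests` maps hex digest -> username. Returns (found, guesses_made)."""
    remaining = dict(digests)
    found = {}
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        h = hashlib.sha1(cand.encode()).hexdigest()
        if h in remaining:
            found[remaining.pop(h)] = cand
        if not remaining:
            break
    return found, guesses


# Defensive side: a random per-user salt and a deliberately slow KDF.
# 600,000 iterations is the OWASP recommendation for PBKDF2-HMAC-SHA256.
def hash_password(password, iterations=600_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    salt, iterations, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def crack_salted(record, wordlist):
    """The same dictionary attack against one salted PBKDF2 record. The salt
    forces the whole search to be repeated for every user, and each guess now
    costs `iterations` HMAC computations instead of a single SHA-1."""
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        if verify_password(cand, record):
            return cand, guesses
    return None, guesses


def demo_breach():
    """Constructed breach dump with three users; returns what the attacker gets."""
    users = {"alice": "password", "bob": "@ndroidPo1ice", "carol": "7Qm#vL2p!xRz"}
    digests = {hashlib.sha1(p.encode()).hexdigest(): u for u, p in users.items()}
    return crack_unsalted_sha1(digests, WORDLIST)


if __name__ == "__main__":
    found, guesses = demo_breach()
    print(f"cracked {found} in {guesses} guesses")
    record = hash_password("@ndroidPo1ice")
    print("verify correct:", verify_password("@ndroidPo1ice", record))
    print("verify wrong:  ", verify_password("androidpolice", record))
```

Two of the three users fall in well under a thousand guesses; carol, whose password is random, survives the entire wordlist. Against the PBKDF2 record the same candidates still find the password, which is the point: slow, salted hashing multiplies the attacker's cost per user, it does not rescue a password that sits a few rules away from a wordlist entry.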

The solution

How can we be sure that no one can guess our passwords? One reference point is the password requirements of financial institutions. Your bank, for instance, may require passwords that are at least eight characters with one uppercase letter, one lowercase letter, one number, and one symbol, and @ndroidPo1ice checks all those boxes. But composition rules like these are a poor measure of strength: a dictionary word with predictable substitutions satisfies them, and that is exactly what a cracking tool tries first. Current guidance from NIST (SP 800-63B) drops the composition rules in favor of a minimum length, a check against lists of breached and common passwords, and no forced periodic changes.

In general, longer passwords are better. But this introduces a new problem. Most of us have dozens of accounts, and we can't remember 50 passwords for 50 services. The rule that matters most is never to reuse a password: a password leaked from one site is immediately tried against every other site (credential stuffing), so a breach at a music service should never also be a breach of your bank. If you must ration what you memorize, spend the effort on the accounts that control access to your money (Amazon, PayPal, Venmo, and bank accounts) and use simpler, but still unique, passwords for less vital accounts (Spotify, TikTok, Discord). That way, a password revealed in a data breach puts only that one account at risk.

As for creating a password that's resistant to brute-force attacks, dictionary attacks, and cracking, focus on length over complexity. Passwords could be based on a meme (@11yourBase@reB310ng2us), a video game (theC@k3is@L13), or a book (itWasThe835tOf*itWasTheW0r5tOf*), with one caveat: famous quotes and memes, with and without letter swaps, are themselves collected into cracking wordlists, so a phrase you made up beats a well-known one, and a string of randomly chosen words beats both. Avoid personal information like birthdays, phone numbers, or nicknames, since this kind of information can be found by scouring social media. And treat the three examples above as burned now that they're published.
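As an added example (not the article's own code), here is a NIST-style policy check that rejects a password when undoing its leet substitutions reveals a common or site-related word, alongside a generator that draws a random passphrase with Python's secrets module. The word list and blocklist are constructed for the demo; a real deployment would use a diceware list of 7,776 words and a breached-password list. The entropy helper shows why random words win: 5 words from a 7,776-word list give about 64.6 bits and 7 words about 90 bits, more than the 85 bits of a truly random 13-character string, and no wordlist can anticipate a random draw.

```python
import itertools
import math
import secrets

# Constructed word list for the generator. A real one is a diceware-style list
# of 7,776 words; the entropy figure is computed from whichever list is passed
# in, so this short list is reported as the weak choice it is.
WORDS = ["copper", "lantern", "orbit", "velvet", "tundra", "maple", "quartz",
         "harbor", "cinder", "prism", "walnut", "glacier", "ember", "saddle",
         "meadow", "falcon"]

# Words the policy refuses. Constructed for the example: in practice this is a
# breached-password list plus terms tied to the site (its name, its products).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "android",
             "police", "androidpolice", "thecakeisalie"}

# Inverse leet map; "1" is ambiguous (l or i), so every reading is tried.
UNLEET = {"@": "a", "4": "a", "0": "o", "1": "li", "!": "i", "3": "e",
          "5": "s", "$": "s", "7": "t"}


def unleet_forms(password):
    """Plain-letter readings of a leet password, lowercased. Tried both as-is
    and with the trailing digits/symbols people append ("Pa$$w0rd2024!")
    stripped, since a leet letter may also sit at the end ("theC@k3is@L13")."""
    lowered = password.lower()
    cores = {lowered, lowered.rstrip("0123456789!@#$%^&*.")}
    forms = set()
    for core in cores:
        options = [tuple(UNLEET.get(c, c)) for c in core]
        forms.update("".join(combo) for combo in itertools.product(*options))
    return forms


def dictionary_hit(password):
    """The blocklisted word the password is, or reduces to; None if clean."""
    if password.lower() in BLOCKLIST:
        return password.lower()
    for form in sorted(unleet_forms(password)):
        if form in BLOCKLIST:
            return form
    return None


def check_policy(password, min_length=12):
    """NIST SP 800-63B style check: a length floor and a blocklist, with no
    composition rules. Returns the reasons for rejection (empty = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hit = dictionary_hit(password)
    if hit is not None:
        problems.append(f"reduces to the common word '{hit}'")
    return problems


def generate_passphrase(n_words, words=WORDS, sep="-"):
    """n words chosen uniformly at random with secrets (random.choice is not
    suitable for secrets: it is seeded from predictable state)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, words=WORDS):
    """Entropy of an n-word passphrase drawn uniformly from `words`."""
    return n_words * math.log2(len(words))


if __name__ == "__main__":
    for pw in ("@ndroidPo1ice", "theC@k3is@L13", "Pa$$w0rd2024"):
        print(f"{pw!r}: {check_policy(pw) or 'accepted'}")
    phrase = generate_passphrase(5)
    print(f"{phrase!r}: {check_policy(phrase) or 'accepted'}, "
          f"{passphrase_entropy_bits(5):.1f} bits from this {len(WORDS)}-word list")
```

The check passes the book-based example from the article untouched, which is a reminder that a blocklist is only as good as its coverage; the passphrase generator needs no such list, because its strength comes from the size of the list and the number of words, not from the attacker's ignorance of the phrase.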

There's no need to remember all your passwords


Now that you have a strong password that's resistant to common cracking techniques, you need a way to remember it along with the dozens of other passwords protecting your online accounts. One way is to write it down. Some people keep a notebook just for passwords, and it's not a bad option: a notebook can't be hacked over the network, so its threats are purely physical. Those are also its two drawbacks. You need the book with you for it to be useful, and if you lose it, you've lost all your passwords and potentially handed them to someone else if they can figure out which accounts are yours.

If you're looking for a digital solution to password management, you have two basic flavors to choose from: cloud and local. A cloud service saves your passwords on its servers, and you can reach them from any device. You only need to remember one master password, and the online password manager takes care of the rest. The drawback is that you're trusting a third party to keep your passwords safe. A well-designed service encrypts your vault on your own device with a key derived from your master password, so a breach of its servers yields only encrypted vaults, but attackers who steal those vaults can then guess master passwords offline at their leisure. That makes the master password the one that must be long, unique, and protected with two-factor authentication.

You could also go with a local solution. If you don't trust a third party with your password security, download software that manages your credentials from your desktop or phone. This is a lot like the digital version of the pen-and-paper solution, only your passwords are stored in an encrypted file on your computer instead of in a notebook you keep in your desk drawer. The drawback with local password managers is that the vault lives on the device you're using, unless you copy or sync the encrypted file between devices yourself.

One benefit of using password managers is that they often generate a secure password for you. Figuring out which solution is for you depends on your needs and personal preferences, but some are better than others.

The end of passwords

Even though the need for secure passwords is the highest it's ever been, we're probably living through the last days of the password as we know it. More and more businesses recognize the vulnerabilities inherent in relying solely on passwords to protect account security and are turning to multi-factor authentication to fortify their security.

According to a survey sponsored by online security company Duo, MFA has jumped from being a footnote in everyday security (28% of respondents used MFA in 2017) to being a ubiquitous part of the online experience today (79% of respondents used MFA in 2021). This sea change is due in no small part to groups like the FIDO Alliance, an industry group advocating for more robust online authentication standards and the retirement of passwords. And with support from the giants of the computing world (Amazon, Apple, Google, Microsoft) and the financial world (Bank of America, Mastercard, PayPal, Visa), it won't be long until your phone, your face, or your fingerprint is all you need to traverse the internet.