The Philippines once deployed its military to attack civilian fishing vessels of the Republic of China, resulting in casualties and sparking a modern cyberwar between netizens of both nations. Setting aside methods like exploiting website vulnerabilities, for everyday computer users, one of the most fundamental defenses against cyber attackers is choosing a strong password—or better yet, at least three. A robust password can thwart brute-force attacks.
This article is divided into three sections: the first introduces password strength and cracking times, the second explains how to create a strong password, and the third guides you on checking your password’s strength.
Password Strength and Cracking Times
When the internet was still a novel technology, the most popular password was “12345678.” Cracking it with brute-force methods took a mere 0.0002 seconds! As human ingenuity evolved (or so we’d like to think—were we Neanderthals before?), people began using more complex passwords to enhance security. For example:
- 5201314 (“I love you forever” in Chinese): 1.2448 seconds
- ILoveYou: 1.2448 seconds
- 23113731 (Taiwan’s Presidential Office phone number): 10.4773 seconds
- MaTheBumbler (no explanation needed): 14.025385 minutes
Interestingly, one of the world’s most beloved passwords, ranking among the top five, is simply “Password.” Many network devices even use “Password” as their default, and users often don’t bother changing it—a fact backed by U.S. academic research.
How to Create a Strong Password
Here are some key principles for designing secure passwords. Feedback or corrections are welcome!
1. Use at least three passwords.
One core security principle is that website owners should tailor password requirements to their site’s importance and scale (see my article, A Letter to Web Admins: Password Rules Matter). For users, using passwords of varying security levels for different types of websites is both convenient and secure. For example:
- Social media: “0000”
- Email: “1234”
- Banking: “6749”
Notice the pattern? The complexity of the password string varies. I’ll elaborate on this in the third point. While I prefer passwords of differing complexity, those with exceptional memory might opt for highly complex passwords for every account. Personally, I’m too lazy for that! The key is to avoid using a single password across all platforms for convenience.
After setting up at least three passwords, never use your highest-security password in unfamiliar environments, such as public computers at schools, internet cafes, random Wi-Fi networks, or even a friend’s device. These settings are rife with risks—whether through physical or virtual means, intentional or not.
If you follow these steps diligently, the only remaining risks for most users are malicious website designs or poor personal computing habits, which I may cover in a future article.
2. Change passwords regularly.
Update your passwords every three to six months. For social media accounts, I’m guilty of being lazy and only changing them if something seems off.
3. Follow strong password rules.
A good password is, simply put, complex. Take “DQ&@Fj2w#!E3W” as an example—it would take an impractical amount of time to crack. Key elements include:
- Length: At least 8 characters, ideally longer, but not exceeding 16 in most online environments. For instance, cracking “AAAAAAAA” takes 6 hours, but “AAAAAAAAA” (9 characters) takes 6 days. A 16-character string of “A”s? That’s 144,883,728 years.
- Composition: Password elements, from simplest to most complex, are numbers, lowercase letters, uppercase letters, and symbols (e.g., ~, @, #, $, %, ^, &). A basic password might be numbers only, while adding lowercase letters (e.g., “Love1314,” 0.0272 seconds to crack) increases strength. Including more diverse elements further boosts security, though some websites don’t support numbers or symbols.
- Combination: Using two passwords with the same elements—“A1234#5678” (0.0589 seconds) vs. “A#12345678” (0.2266 seconds)—shows that thoughtful arrangement can make a difference, nearly quadrupling cracking time in this case. A general rule: place the most complex elements (e.g., uppercase letters, symbols) at the start, which is why many sites require an uppercase first letter.
For those unsure about creating passwords, try our user-friendly Mountos: Password Generator tool to craft strong passwords effortlessly!
4. Enable two-factor authentication (2FA) if available.
2FA acts like a double lock, requiring a second form of verification in specific scenarios (see my article, Online Security: Why You Should Use Two-Factor Authentication). For example:
- Facebook: Under “Account Settings” > “Security,” enable “Login Approvals” to require a phone-verified security code for logins from unfamiliar devices.
- Google: In “Security Settings,” activate “Two-Step Verification” for similar protection.
Some websites use dual passwords for front- and back-end access to deter intruders. However, beware: if a site automatically checks whether your two passwords match, it’s a red flag. The system must know your first password to compare it, exposing it to risk.
Checking Your Password Strength
As demonstrated earlier, you can test your password’s strength at Intel’s dedicated site: https://www-ssl.intel.com. Enter your password, click “GRADE MY PASSWORD!”, and the system will estimate how long it would take to crack.
By following these guidelines, you can significantly enhance your online security and stay one step ahead in the digital world.


發佈留言