The measure of how difficult it is to crack a password is called its strength. This generally refers to the number of attempts that an attacker needs to guess a password successfully.
Computer scientists measure password strength in terms of the number of bits it takes to express and store the password in question. If it takes eight bytes (64 bits) to store a password, in theory it should take 264 attempts to crack it. For every extra bit, the number of possible combinations will double.
However, in practice the number of possible passwords is far lower than this. The most secure passwords are those generated randomly, but they're also the most difficult to remember.
Webmasters usually leave the task of thinking up passwords to their site's users in order to reduce the number of password-reset requests that they have to deal with. Users tend to make passwords meaningful and therefore easily recalled.
This tendency gives the determined hacker a head start. We live in an age when we post inconsequential chatter about every aspect of our lives, but there's a very good reason to think hard before hitting [Enter]. Tiny snippets of information such as a pet's name, your first school or your mother's maiden name (both used as password reminder questions) can be very useful for password cracking.
Earlier this year, a hacker with the online handle 'Croll' used the Google Apps' password reset mechanism to gain access to a Gmail account that was used by a Twitter employee. He did so by finding information that allowed him to guess the answer to the Google Apps password reset challenge question. Once in, Croll found information needed to access other accounts, including that of the wife of Twitter CEO Evan Williams.
When I used to assess network security for large corporations, one of my most difficult but ultimately rewarding tasks was guessing passwords. Sometimes, a lazy user or system administrator had simply set the password to the username.
I estimate that about 20 per cent of the time, this got me into an account. I'd also look around users' desks for pictures of children, cars, football teams, pop stars and so on. I'd comment on what lovely children a user had based on the pictures displayed on their desk, and try to get a name out of the proud parent to try as a password.
On encountering a car enthusiast, I'd try everything from the make to the owner's vanity plate. In other instances, because passwords had been generated at random by the systems they were protecting, end users (especially home users) would adorn their monitor with 'sunflowers' of Post-it notes with passwords or reminders for them.
To prevent these problems, both at home and at work, one very good method of creating passwords that are both personal and yet difficult to crack is to take the initial letters of the first line of a song, poem or other piece of literature you know well and to make a password from the initial letters of each word.
Change 'o's to 0s, 'i's to 1s and 'e's to 3s and you have a string of almost random letters and numbers that's very difficult for software to crack. When the time comes to change your password, simply use the second line, and so on. It's the ideal password; both memorable and strong.
Test with L0phtcrack
You can test the strength of your Windows passwords against a real hacking tool using a utility called L0phtcrack by L0pht Holdings. Download it from here.
Because it's capable of capturing Windows hashes being sent to authenticate users trying to join domains and access password-protected shares, L0phtcrack will also install a utility called Pcap. This enables your network card to accept traffic not meant for it, so that it can 'sniff' data as it goes past. If you use a traffic monitoring application such as Wireshark, Pcap will already be installed.
L0phtcrack isn't free, but you can use it for 15 days without buying and entering a licence key. To demonstrate its power, create a new account and give it a long password (we chose 'elephant'). Use a word from the dictionary for this.
Now, run L0phtcrack and, after a nag screen about buying the product, a wizard will appear. Click 'Next' to continue. Leave the capture option on 'Retrieve from the local machine' and press 'Next'.
For the auditing method, leave the type on 'Quick password audit'. This searches a dictionary for passwords (and modifications such as adding a number), as well as for a list of various combinations of letters and numbers. Hit 'Next' again, and leave the reporting options as they are.
Finally, press 'Next', and 'Next' again to begin auditing your local machine's passwords. L0phtcrack will now import the local password hashes and begin its work, checking the password against nearly 30,000 possibilities.
In our test, it took just 29 seconds to crack the password 'elephant'. A longer password of 'hippopotamus' took just 32 seconds to crack – so it's clearly not a good idea to use a word from the dictionary.
The licensed version of L0phtcrack really enables you to test your password's strength by testing it not only against a dictionary, but also against a huge number of possible number and letter combinations of variable length. Eventually all passwords can be cracked using this option.
To protect yourself, change your password regularly. If security has been breached, the hacker will be cracking an out-of-date password and you'll remain safe.