Creating Secure Passwords

Daniel Kasprzyk
4 min readApr 30, 2021

People will always prefer convenience over security. This has a very negative impact as it very often leads to account takeovers since people just make it too easy for hackers to get in. Today I’ll show you how your passwords can be broken, what can be done to get around it and then how to create stronger ones instead.

Bruteforce attack performed with John the Ripper

When it’s time to break into your account, hackers will often try two methods; bruteforcing and dictionary attacks. Bruteforcing involves an attacker trying every combination of characters in hopes of hitting the right order. An example of this would be trying every digit from 0000 to 9999 to crack a 4 digit PIN. Bruteforcing is much more computaionally expensive as passwords are created on the go.

To stay protected from these attacks, you should try to make your passwords long and complicated to increase the time it takes to hit the right combination. The more characters you have the longer it takes to guess them all. Also never include personal information in your passwords as this information isn't really private in todays age of the internet. A simple Google search is all it takes to scrape your socials.

Dictionary attack performed with Hydra

Dictionary attacks are much stronger in comparison as they rely on a long list of already compromised passwords and then reading those passwords one by one (hence the name as these lists get quite big). A list like this would contain simple passwords like admin, password, password123, qwerty and so on. It could also contain more complicated passwords from data breaches. As long as your password is on this list, there is no protection as it will eventually be reached when the dictionary is fully iterated through (which doesn’t take too long with todays technology).

Protecting yourself from these attacks is done by setting setting long and unique passwords that aren’t likely to have been used by others already. You should also keep an eye out for data breaches (which can be done by signing up to ). Once the password is out in the wild, it’s permanently compromised as long as the dictionary exists for use.

Now that you know how passwords are broken, lets make some stronger ones. There are two types: passwords and passphrases. Passwords usually consist of one word, some numbers and maybe some special characters. Passphrases are similar however they usually use more words to make up a phrase (eg ThisIsAPassword). Passphrases have the advantage of being easier to remember and type out while passwords are much more random which makes them harder to guess.

When it comes to my accounts, I usually use passphrases (if they can even be called that, you’ll see what I mean in a second) and passwords on some occassions. To make sure these are random, I use a site that generates a string of words based on some settings that you provide.

Now that we have a set of random words and numbers, we want to add some more spice to it since it’s not exactly the most secure. By simply copy and pasting it into a text editor we can add a special character on each side of the numbers and then replace 2 or more letters from each word with numbers.

This increases the security of the password as the attackers have to guess: the randomly chosen words with their correct capitalization, numbers (which you can both choose as many as you wish) and the correct special characters along with their position in our passphrases. The reason I mostly use these is that they are cryptographically secure and they are much much easier to type out on devices where you can’t copy and paste (stuff like consoles).

If you’re curious to see just how tough your password is, you can visit this site (it makes some calculations based on the characters used, the length and the complexity of the password. Use this site at your own risk as you never know what could happen).

So that’s all it takes to make secure passwords. There may be times where a site limits the amount of characters that you can use which makes it tougher to create a passphrase using my method. In those cases I use a password generator as it saves me the hassle of fitting into the limit and ensures it’s random and secure (a link to a password generator can be found just under the generate passphrase button). All that’s left is to store the passphrase in a password manager, activate 2 factor authentication and you’re good to go your accounts will thank you :)