I’ve seen a lot of comments here about long passwords, with little explanation as to why that protects your account. Here’s a basic crash course on the cybersecurity of password management:
Passwords are easy to generate
Passwords are strings, which are fundamentally an array of characters.
Being able to procedurally generate a string like that is trivial to a programmer, and is a common brute-force attack.
Attackers can generate a list of strings comprising different characters. That could be from
), and any variation therein.
With that in mind, if your password was
frog, then an attacker could write a program to iterate from
z over a span of 4 characters (as the length of the array of characters
frog is 4):
Their program would output something similar to:
aab, … and you get the idea.
With that in mind, how easy is it for an attacker to try every password?
Well, let’s say hypothetically that you have a 4 character long password, comprising only letters in the Latin alphabet.
There are 26 characters in the Latin alphabet.
There are 2 cases (upper & lower).
Therefore, each letter must be one of 52 possible characters, ranging from
The maximum number of combinations that your password can be is
52 * 4, each character being one of a possible 52.
Therefore, there are
7311616 possible combinations.
That sounds like a lot, but a quick (unoptimised) program I just wrote & ran calculated all the possible combinations in 18 seconds.
Passwords are easy to guess
The above program isn’t very practical to an attacker. It might work fine for an account that uses
1234 as a password, but beyond that, it’ll take time and resources to crack a 16 character long password (especially if it has a mix of ASCII letters, integers and special characters), and you can bet your bottom dollar that your account won’t be the only one they’re interested in accessing.
With that in mind, the cornerstone of cybersecurity is:
You shouldn’t be trying to stop the attacker; you should be trying to raise the cost to the attacker.
… where cost is the time, money or resources the attacker values.
Going back to our
frog example password: logically, someone who wanted to gain access to your account would iterate through the words in a dictionary first. Maybe your favourite word is
frog, and you happen to have that in your ROBLOX bio. It makes sense that an attacker would pull words like that from your socials.
Having a long password like
frogsarethebest is not practical if it’s easy to guess.
Equally, ROBLOX has a friends list, which is essentially an address book of all the people who you have met online who could contact you. Even if you had a super-duper strong password that no attacker could ever feasibly get their hands on, it could be easier for them to attack your friend’s account.
In doing so, they could send you a message asking for your security cookie, and thus gain access to your account.
That is called social engineering.
More characters equals more security
The factors that influence the strength of a password are:
- Character variation (ASCII letters, integers, special characters)
A longer password is better because the attacker has to try more characters than a shorter password, therefore you waste their time and resources.
A character varied password is better because the attacker has to try more characters than a password containing one type of character, therefore you waste their time and resources.
A random password is better because the attacker cannot rely on the influence of words (like a favourite pet’s name), therefore you waste their time and resources.
So, going from
frog, a password an attacker could crack in
7311616 combinations, let’s try something more secure with all of these in mind.
Let’s make our password:
- 16 characters long
- Include letters (uppercase & lowercase)
- Include integers
- Include special characters
Let’s say our password is
%V4@o7$n$F*T53&4. That matches our criteria.
How many combinations are there that an attacker would potentially have to try before getting our password?
- There are 26 letters of each case in the Latin alphabet; that’s 52 potential characters.
- There are 10 potential integers that each character could be. 52 + 10 = 62.
- There are ~32 special characters on a standard keyboard. 62 + 32 = 94.
- Therefore each character in our password must be one of 94 possible characters.
- Our password is therefore one of 94^16 (that’s 94 to the power of 16) combinations.
Our password has
3.715742908×10³¹ possible combinations.
Based on the time my program took earlier: calculating every combination of that password would take
TL;DR: Read the last point!
Hope this helps.