All Passwords Are Definitely NOT Created Equal

In 2018, 1Password (a highly-successful password manager company with a market value of $6.8 billion) ran a contest called “How strong should your Master Password be?” The company gave out prizes to the first security researchers who successfully hacked various types of passwords in a carefully constructed contest. They followed that with some additional research of their own.

Important considerations are:

➡️​ “How long does it take to crack my password?” is definitely *not* the right question.

➡️​ “How much does it *cost* to crack my password?” is the right question.

➡️​ The results of their contest apply specifically to the ways 1Password generates, secures and stores passwords.

➡️​ You shouldn’t assume passwords used on other websites are protected the same way.

Below is 1Password’s chart, which ranks password types from the least costly to crack to the most costly to crack. Every password type in it is created by a password generator, not a human.

☑️​ Three Random Words is the least secure, or least costly to crack, with an estimated cost to the hacker of $4,200. This style of password is frequently recommended by the British National Cyber Security Centre (NCSC), a public-facing entity attached to GCHQ, the British version of the NSA.

☑️​ “Smart Passwords” composed of 19 randomly-chosen upper-case letters, lower-case letters, numbers and special characters were the most secure, or most costly to crack. Password researchers call these “4-class passwords” since they’re composed of 4 classes or types of characters.

You can think of these kinds of ultra-strong passwords as modern passwords, because their growing popularity is a modern dynamic related to the increasing use of Password Managers, which create millions of them every day.

These types of passwords are best suited for use when you don’t need to memorize the password, and you don’t need to frequently type it on a cellphone. These outrageously strong, modern passwords can be written down and securely stored, or typed just once then stored in your Password Manager.

Chrome’s built-in Password Manager automatically produces only one type of password — randomly-generated modern passwords composed of upper-case letters, lower-case letters, numbers, and (frequently) special characters. If a special character isn’t auto-generated, the user is free to manually add a special character if the website requires it.

The dollar amounts in the chart above take into consideration the techniques and strategies 1Password uses to generate, process and store a master password. We can’t assume other websites would store our passwords as securely. Nor would these dollar amounts apply to passwords we humans create on our own, off the top of our heads. Those passwords would be far weaker and much less costly to hack.
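The cost ranking described above follows from how many equally likely passwords each generator can produce. The added example below (not 1Password's code and not part of the original post) counts that search space for both styles and scales the post's $4,200 three-word figure linearly with the number of guesses. The 18,328-word list size and the 28-symbol special-character set are assumptions, and the extrapolated dollar value is not a figure from 1Password's chart.

```python
import math
import secrets
import string
from itertools import combinations

# Assumptions, not from the post: word-list size and the special-character set.
WORDLIST_SIZE = 18_328
CLASSES = [string.ascii_uppercase, string.ascii_lowercase,
           string.digits, "!@#$%^&*()-_=+[]{};:,.<>?/~|"]
ANCHOR_COST = 4200  # the post's figure for three random words, in dollars

def words_keyspace(n_words, list_size=WORDLIST_SIZE):
    """Passphrases possible when each word is drawn independently."""
    return list_size ** n_words

def four_class_keyspace(length, classes=CLASSES):
    """Strings of `length` containing every class (inclusion-exclusion)."""
    total = sum(len(c) for c in classes)
    count = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            left = total - sum(len(c) for c in missing)
            count += (-1) ** k * left ** length
    return count

def generate_four_class(length=19, classes=CLASSES):
    """Uniform CSPRNG draw, redrawn until all four classes appear."""
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in c for ch in pw) for c in classes):
            return pw

def bits(keyspace):
    return math.log2(keyspace)

def scaled_cost(keyspace, anchor_keyspace, anchor_cost=ANCHOR_COST):
    """Cost if spend grows linearly with guesses at the anchor's per-guess price."""
    return anchor_cost * keyspace / anchor_keyspace

if __name__ == "__main__":
    three, smart = words_keyspace(3), four_class_keyspace(19)
    print(f"3 words : {bits(three):5.1f} bits, ${scaled_cost(three, three):,.0f}")
    print(f"19 chars: {bits(smart):5.1f} bits, ${scaled_cost(smart, three):.1e}")
    print("sample  :", generate_four_class())
```

The per-guess price is fixed by how a service hashes and stores the password, so the same search space costs far less to exhaust where storage is weaker.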

1Password Blogpost: https://blog.1password.com/cracking-challenge-update/

— Anthony Collette
