Passwords are a very important security issue. The more interesting the target behind a password is the more people will try to hack that password.
There are many ways you can find out a password, such as physically watching somebody type it, or repeatedly working through every possible combination. This would be pretty easy with a password like "aaa" but increases in difficulty the longer and more complex the password becomes.
Computers can do this much faster than people. If your password only has 3 letters a computer can discover it in less than 1 second.
The best way to increase the security of your password is to make it longer. If a password has more characters the computer has to do more trial-and-error, which costs time. You can see in the chart below how long it takes to guess a password with a certain number of characters.
It's also important to note that passwords based on words or using repeating characters are much easier to crack. For instance "testtesttesttes" has 15 digits, but most likely could be cracked within 2 seconds. Character "sets" can further increase your password complexity to make them more difficult to crack. i.e. if your password only contains lower case letters (a-z) there are only 26 options for each position in the password, but adding upper case letters (A-Z) increases that to 52 options per position, add in numbers (0-9) and you're up to 62 options per position. Another way of putting this would be if you have a 6 character password using only numbers there are roughly 1 million possible combinations, add lower case letters and from 6 characters you get over 300 million combinations, include upper case letters and the possible combinations jumps to over 2 billion. Each additional character beyond the 6 starts to exponentially increase the number of combinations making your password harder and harder to crack. You can also add special characters in most systems which will further increase the base complexity.
Those who lack the imagination to wildly press all keys on the keyboard can use a program like this - TWPassGen or use the following method:
How to create a password
A password should have no recognizable structure, or more precisely the password should have no machine-readable structure. It doesn't matter how you choose your passwords which can give you unexpected freedom. For example when you need a new password for a shell-account or webshop just look around you. Take the first object you can create a sentence from and create the password using the first letters of every word in that sentence. You look around you and notice your phone, which inspires the sentence "I don't like to talk on the phone nor do I do it very often" it would be "idlttotpndidivo". This already looks promising. Now to add the other character sets capitalize every n-th letter, for examply every 3rd: "idLttOtpNdiDivO". Now you can add numbers and keep it memorable by replacing letters with similar looking numbers, for example an "O" (oscar) looks like a "0" (Zero), an "i" (india) looks like a "1". Substitute some letters with numbers, but be sure you don't replace them all so you're not inadvertently decreasing the complexity of your password: "idLttOtpNdiD1v0". Now you have a wonderful password which you easily can remember with this mnemonic trick.
Elapsed time to hack a password
| Minimum length | maximum(!) needed time |
|---|---|
| 3 characters | ca. 0,2 seconds |
| 5 characters | ca. 14 minutes |
| 8 characters | ca. 53252 hours |
| 10 characters | ca. 1 179 469 weeks |
| 12 characters | ca. 84 168 853 years |
| 15 characters | ca. 19 104 730 610 573 years |
Password settings
Root-Password
The root password cannot be changed in the Webinterface! You have to run the "setup" command either from the console or by using SSH-Session via Putty. Then choose the "root-Password" command and press "OK". Then you will be pompted to enter the password twice. "OK" ends this setting.
Lost root-password
If you lose the root-password, all you can do is to reinstall the system.
Admin-password
The admin-password has to be changed via a putty-session, just like the root-password.