We talk a lot about safe passwords here. But something we’ve never covered is why a safe password is safe. We’ll talk about the most common techniques used by password hackers and why using long, strong, and frequently changed passphrases prevents your accounts from being hacked.

Password cracking is simply a modern form of cryptography — the art of writing codes or, in this case, solving them.

For password hackers, this process is automated by computer. Two of the most common approaches are brute-force attacks and dictionary attacks.

A brute-force attack tries every possible combination of letters, numbers, and symbols to crack a password. It’s the least complicated way to crack a password, but also the least efficient, since it wastes a lot of time on unlikely guesses.

Longer passwords can also defeat this approach simply by virtue of time: every additional character multiplies the number of combinations that have to be tried. For example, a brute-force attack might take 5 minutes to crack a 9-character password, but 9 hours for a 10-character password, 14 days for 11 characters, and 3.9 years for 12 characters.

A dictionary attack enters every word in a dictionary as a password. This removes some of the randomness of a brute-force attack, reducing the amount of time needed to find the password—provided that the password is in the dictionary, of course.

Note that “dictionary” doesn’t literally refer to a simple English dictionary; the entries in a cracking dictionary may include common substitutions (for instance, “4pple” for “apple”) and numeric entries.

Using a passphrase versus a password is one way to foil a dictionary attack. For example, Sh3rl0ck is not a terrible base password, but Sh3rl0ck@221BBakerSt is much stronger against brute force and dictionary-based attacks.
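To make the two ideas above concrete, here is a small password-strength checker, added as an example and not part of the original post: it estimates how the brute-force search space grows with length and character variety, and it undoes common substitutions so that a “4pple”-style password is still caught as a dictionary word. The guess rate, the substitution map, and the mini wordlist are all assumptions constructed for the example; real cracking wordlists and rates are far larger.

```python
import string

# Character classes a brute-force attacker must cover once a password uses them.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed example of the substitutions a cracking dictionary applies
# (the post's "4pple" for "apple"); real substitution lists are much longer.
LEET = {"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"}

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"apple", "sherlock", "password", "letmein", "baker"}


def alphabet_size(pw: str) -> int:
    """Size of the smallest character set that contains every character in pw."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to enumerate every string up to len(pw) over pw's alphabet.
    The guess rate is an assumed figure; real rates depend on the hash and hardware."""
    n = alphabet_size(pw)
    keyspace = sum(n ** k for k in range(1, len(pw) + 1))
    return keyspace / guesses_per_second


def normalize_leet(pw: str) -> str:
    """Undo common substitutions so that '4pple' compares equal to 'apple'."""
    return "".join(LEET.get(c, c) for c in pw).lower()


def in_dictionary(pw: str) -> bool:
    """True if the password, after undoing substitutions, is a plain wordlist entry."""
    return normalize_leet(pw) in WORDLIST


def assess(pw: str) -> dict:
    """Combine both checks: a dictionary hit is weak no matter how long the keyspace."""
    return {
        "dictionary_hit": in_dictionary(pw),
        "brute_force_years": brute_force_seconds(pw) / (365 * 24 * 3600),
    }
```

Running `assess` on the post's two examples shows Sh3rl0ck flagged as a dictionary word despite its substitutions, while Sh3rl0ck@221BBakerSt is neither a wordlist entry nor reachable by brute force in any realistic time.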
