Instead of using a single password, we use a combination of three keys.
We use two keys for the encryption instead of one to keep them separated at all times from each other, so they can not be stolen from one message on the network.
And the third key encrypts the data between the browser and the server to block browser attacks.
And that's why we are 3rdKey.
For each of your first two keys, use two to four seemingly random words that no-one would associate with you no matter how well they know you.
For your third key, use a single word that's five to ten characters long, that's not associated with you, but is easy to remember.
But why use random words?
For years we've been told to use random characters for a password, including special characters, numbers and upper and lowercase letters. And while it's true that this will require a brute-force attack, the length of these passwords is significantly longer than the average person is able to memorise.
Using a few words, however, is easier to rememeber, and can also require a brute-force attack. So it's easier and safer to use a few random words than to use a very long random password.
Using random passwords of sufficient length will require an attacker to use a brute-force approach to determine the password (there are circumstances where this is not true, TBD).
The question is, how long will it take to "break" passwords of different lengths?
The English language has 26 alphabetical characters (the numbers change for other languages, but the concept is the same). If we include upper and lower case, we have 52 possible letters. There are 10 numbers, that takes us up to 62 possible characters. And if we include a few special characters, like plus (+), minus (-), underscore (_), exclamation point (!), star (*), caret (^), bar (|) and tile (~), we end up with 70 characters. (some special characters are not allowed on some sites, but the real reason I've listed these is that it's a round number, 70)
If the password is one character long, then there are 70 possible passwords. If the password is 2 characters long, then there are 70 possible characters in position 1 and 70 in position 2. That means there are 70 * 70 possible passwords of length 2. Similarly, there are 70 * 70 * 70 possible passwords of length 3.
For a password of length 8, there are 70^8 possible passwords (70 times itself 8 times). Which is 576,480,100,000,000 possible passwords. Computers today can process things very fast, up to 1x10^12 times per second. That means that it would take about 576.5 seconds to test all of the possible combinations of an 8-character password, less than 10 minutes.
By making the password longer, we increase the time required to break it. A 10 character password for example, takes 33 days, and 12 characters require 438 years, and 14 characters requires 2 million years.
Unfortunately, computers are getting faster every day, the fastest know today can do 93 petaflops (93 with 15 zeroes after it). And hackers often network computers together when making a concerted attack. If a hacker had 10 computers doing 93 petaflops, that would be 10 * 93 * 10^15, or 93x10^16. Let's round that up to 100x10^16 which is 10^18.
Now, instead of a 14 character password requiring 2 million years, the computers only need 2 years, a million times faster. A 10 character password would take only 2.8 seconds to crack.
The logic here is the same as with random passwords, except that we use words instead of characters.
There are 171,476 words in current use in the English Language dictionary, so a hacker would have to try all of those words in order to crack a password made up of just one random word from the dictionary.
Using just four words would take 14 minutes to crack with 10 computers doing 93 petaflops. And six words would take 792,811 years. Eight words would require 23x10^15 years.
Of course, we don't all know 171,476 words, apparently with about 3000 words you can understand 90% of conversations. Six words out of these 3000 would take just 12 minutes, so we don't recommend using just common words, you need to use a random word generator that is taking from the full 171 thousand words.
But we can take it one step further, in addition to using random words, you can use words, phrases, numbers, dates and other things that have some association for you (to make them easy to remember) but are unlikely to be connected with you by anyone who knows you or searches for information about you online.
For example, the name of your first crush, the date of your first kiss, the car plate number of your grand-dad's car when you were young, or maybe a place you used to visit with your nan. These are normally not found in the dictionary, and they're not usually the kinds of things you discuss with people, so they increase the complexity of any password cracking algorithm yet again.
The purpose of this is to force the attacker into using a brute-force attack. And now we're back to the number of characters in the password. And since you've used a few random words the length of the password is unknown to the hacker, so they have to try 1 character, 2, 3, 4, etc. all the way up the length of your password.
Having selected two to four words (dates, numbers, places, people, or random words), for each of your keys, they will range in length from 10 to 20 characters, each.
And knowing one key won't help in anyway, they must know both, then we're talking 20 to 40 characters (or more) that have to be brute-forced. And since you might have included dates or numbers and names, you might have upper and lower case and special characters, so they end up going back to 70 possible characters per position.
A password of 20 characters would take 2.5x10^11 years, and 40 characters would take 2x10^48 years.
So you can see that remembering four to eight "seemingly" random words is a far easier way making it almost impossible for a hacker to break your password.
Ideally five or six words that aren't associated with you Ideally you want five or six (5 or 6) words that are not connected with you, and that are not found in a regular list, like a dictionary or list of names. And if you mix in some n
We could say "as long as you can make them". But that doesn't help.
There are two types of "passwords" that are difficult to hack.
What kinds of words are easy to remember but impossible to guess?
The reason they need to be random, and varied, is that hackers use databases to attack passwords now, a database of names, a database of places, etc. But if you have mixed up the words so that they are random, databases will not work because they need to know all the words in the list, and if some of the words are numbers (like dates or a phone number or a license plate), the database method falls short.
Let's assume you have selected a list that is something like "Marilyn Roscamond, QS07 WDE, 2136764532, Maggie Mae Marvin, 12/12/1978". Now just split them into two parts, so that part one becomes "Marilyn Roscamond, QS07 WDE" and part two becomes "2136764532, Maggie Mae Marvin, 12/12/1978". And you have your two encryption keys. You do not need to use spaces or commas or slashes if you do not want to, and you can insert other special characters if you wish, maybe after the 1st character of each word. that is up to you. The point is that if you have selected some seemingly random words or phrases, its near impossible for a hacker to guess the words, so they are forced to use a brute-force attack.
Instead of using a set number of characters, think in terms of words. Ideally you want to have two or three unrelated words for each key.
Stay away from words like "the" or "and" but instead use real words that have no real meaning to you like "elephant" or "hoover" or "porcupine", five to ten letter words that you will easily remember, but that aren't associated with you.
Another idea is to use something that is very memorable to you, but that no-one else would know. Like the name of your first crush.
But the point is to have at least two words for each key, three is better, four might be overkill.
Two keys made up of two or three words will be sufficient to prevent even the most ardent attacks.