Context & Why It’s Needed: Weak Passwords – An Open Door for Hackers
Personal data and business information are invaluable assets in the digital age. However, no matter how much security technology advances, the root of many problems often lies in what seems like the simplest thing: passwords.
During a security audit of more than 10 servers, I was surprised to find an alarming commonality: many systems had fundamental weaknesses, and weak passwords were one of the leading causes. In reality, many users still set easy-to-guess passwords such as birth dates or names, or reuse the same password across multiple services. This habit not only creates personal risk but also seriously threatens every system they work on.
Imagine a weak password as an unlocked door. An attacker with a little patience, or with a stolen copy of a site's password database, gets in by brute force (trying every combination) or by a dictionary attack (trying common passwords and their variations).
For example, a 6-character password drawn from letters and digits has only 62^6, about 5.7 x 10^10, possibilities. Against a fast, unsalted hash a single modern GPU enumerates that whole space in seconds; a deliberately slow password hash stretches it to hours or days, not years. The consequences are severe: from data loss and personal information leaks to heavy financial damage for individuals and organizations. Therefore, understanding how to create strong passwords, and how to check them, is no longer optional but a mandatory requirement for protecting data in cyberspace.
So, how do you build solid “walls” with passwords, and how do you know they are strong enough? This article will guide you step-by-step, using free and easily accessible tools.
Installation and Tool Preparation: Powerful Helpers
Creating and managing strong passwords is not easy, especially when you have to remember them all. This is when we need help from specialized tools.
Managing Passwords with a Password Manager
I often advise friends and colleagues to use a password manager. It keeps all your passwords in an encrypted vault, so you only need to remember one strong master password, and it fills in a unique, complex password for every other site. Two I trust are KeePassXC (open source, the vault stays as a local file) and Bitwarden (open source, available as a cloud service or self-hosted). Use the manager's built-in generator for real accounts: the password never leaves the vault, and the manager is the only component you have to trust.
Using Free Password Generation and Checking Tools
Besides a password manager, sometimes you want a quick way to generate a random password or to do a preliminary check on a character string. Websites like ToolCraft are handy for that. What I like about ToolCraft is that the processing happens in your browser (client-side), so the string you type is not sent to a server. Client-side still means trusting the page's JavaScript on that visit, so treat such tools as a teaching aid and a convenience; for a password you will actually use, prefer the generator inside your password manager.
This section will focus on two main tools from ToolCraft:
- Password Generator: Helps you easily create random, complex passwords.
- Hash Generator: Used to illustrate what a hash is and why websites store hashes instead of passwords. Do not hash a password you intend to use, and note that the plain SHA-256 this tool computes is not, by itself, a proper password hash; real storage adds a per-user salt and a deliberately slow function.
Detailed Configuration: Building Unbreakable Passwords
Creating a strong password is not just about randomness; it also requires following a few principles. Our goal is to make passwords as 'expensive' as possible, so that guessing them (cracking) costs an attacker more time and hardware than the account is worth.
Golden Rules for Password Creation
- Length: This is the most important factor, because every extra character multiplies the number of possibilities. A random password built from all 95 printable ASCII characters has about 6.6 bits of entropy per character: 12 characters give about 79 bits, 16 about 105, and 20 about 131. Use at least 12-16 characters, and preferably more than 20 for important accounts.
- Complexity: Combine uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and special characters (!@#$%^&*…).
- Uniqueness: Absolutely do not reuse passwords for different accounts. If one service is compromised, your other accounts will remain safe.
- Randomness: Avoid dictionary words, personal information, or easy-to-guess sequences like “123456” or “password”. Let the computer generate random passwords for you.
Practicing Strong Password Creation with ToolCraft Password Generator
Now, we will use the ToolCraft Password Generator tool to create a sample password.
- Access the page: https://toolcraft.app/en/tools/security/password-generator
- You will see options to configure the password:
- Password Length: Drag the slider to select the desired length. I usually choose between 16 and 24 characters.
- Character Types: Check the types of characters to use: Uppercase, Lowercase, Numbers, Symbols. Select all four, but remember that length does more than character classes: two extra characters from a letters-and-digits alphabet add more entropy (about 12 bits) than adding the whole symbol class to a 16-character password (about 10 bits).
- Exclude Similar Characters: This option helps eliminate easily confused characters like “l” (lowercase L), “1” (number one), “O” (uppercase O), “0” (number zero). I usually don’t check this if the password is very long, but if you need it to be a bit more readable, you can consider it.
- Exclude Ambiguous Characters: Removes characters that may be hard to type on some keyboards or that some systems mishandle (e.g., `{}[]()/'"`).
- As soon as you change the options, a new password is generated and shown with its Password Strength rating. Aim for Very Strong or Excellent. The meter estimates guessing difficulty from the length and the character classes used; it is a sanity check, not a guarantee.
For example, I will create a 20-character password, including all character types:
Password: P$oJk8L#y!QzX7vB@nG6
Strength: Excellent
This password is long, random, and complex – very difficult to guess or crack.
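The same rules, implemented locally. This is an added example written for this article, not ToolCraft's code: it uses Python's `secrets` module to generate a password that always contains all four character classes, honours the two exclusion options described above, and rates the result by its entropy (length times log2 of the alphabet size). The symbol set, the two exclusion sets, the rating thresholds and the attacker guess rate of 10^10 per second are assumptions for the example.

```python
import math
import secrets
import string

# The four character classes behind the generator's four checkboxes.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"        # assumed symbol set; tools differ
SIMILAR = set("lI1O0")                          # "Exclude Similar Characters" (assumed)
AMBIGUOUS = set("{}[]()/\\'\"`~,;:.<>")         # "Exclude Ambiguous Characters" (assumed)


def build_classes(exclude_similar=False, exclude_ambiguous=False):
    """Return the four character classes with the chosen exclusions applied."""
    drop = set()
    if exclude_similar:
        drop |= SIMILAR
    if exclude_ambiguous:
        drop |= AMBIGUOUS
    return ["".join(c for c in cls if c not in drop)
            for cls in (UPPER, LOWER, DIGITS, SYMBOLS)]


def generate_password(length=20, exclude_similar=False, exclude_ambiguous=False):
    """Generate a random password containing at least one of each class.

    Randomness comes from `secrets` (a CSPRNG), never from `random`.
    One character is taken from each class first so the complexity rule
    always holds, the rest are drawn from the full alphabet, and the list is
    shuffled with a CSPRNG-driven Fisher-Yates so class positions are not
    predictable. Forcing one of each class costs a negligible amount of
    entropy compared with a fully uniform draw.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    classes = build_classes(exclude_similar, exclude_ambiguous)
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password):
    """Check the complexity rule: at least one of each of the four classes."""
    return all(any(c in cls for c in password)
               for cls in (UPPER, LOWER, DIGITS, SYMBOLS))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def rate(bits):
    """Map entropy to a strength label. These bands are an assumption for this
    example; every generator's meter uses its own thresholds."""
    for limit, label in ((28, "Very Weak"), (36, "Weak"), (60, "Reasonable"),
                         (80, "Strong"), (100, "Very Strong")):
        if bits < limit:
            return label
    return "Excellent"


def seconds_to_crack(bits, guesses_per_second):
    """Expected exhaustive-search time: on average half the space is tried."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(20)
    alphabet_size = len("".join(build_classes()))
    bits = entropy_bits(20, alphabet_size)
    print(pw, has_all_classes(pw), f"{bits:.1f} bits", rate(bits))
    # Assumed attacker: a GPU rig trying 1e10 fast hashes per second.
    print(f"20 random chars: {seconds_to_crack(bits, 1e10) / 3.15e7:.3g} years")
    print(f"6 alphanumeric chars: {seconds_to_crack(entropy_bits(6, 62), 1e10):.1f} s")
```

Running the script shows the gap the article describes: a 20-character password from this alphabet carries about 129 bits and would take longer than the age of the universe at 10^10 guesses per second, while a 6-character alphanumeric one falls in about 3 seconds.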
Understanding Hashes and Their Role in Password Security
When you register an account on a well-built website, your password is not stored in plain text. Instead it is run through a one-way hash function, and only the output (the hash) is stored. One-way means the original password cannot be recovered from the hash, while the same input always produces the same output, so the site can verify a login by hashing what you type and comparing it with what it stored. If the database is stolen, the attacker gets hashes rather than passwords and has to guess: hash a candidate, compare, repeat. That offline guessing is exactly why weak passwords still fall even when they are hashed, and why the hashing scheme matters as much as the password.
We can illustrate this using the ToolCraft Hash Generator tool. (Emphasizing again: you should not use this tool to hash real passwords, but only to illustrate how it works.)
- Access: https://toolcraft.app/en/tools/developer/hash-generator
- Enter a text string into the Input Text field, for example: MatKhauYeu
- Select a hashing algorithm (e.g., SHA-256).
You will see the corresponding hash string: for SHA-256 it is always 64 hexadecimal characters (256 bits), whatever the length of the input.
If you change a single character of "MatKhauYeu" (e.g., MatKhauYeo), the SHA-256 output is completely different; on average about half of the 256 bits flip. This is an important property of cryptographic hash functions (the avalanche effect): a small change in the input produces a large, unpredictable change in the output.
On Linux, you can generate the same hash for a string or a file with the coreutils commands:
# Hash a string. printf '%s' avoids the trailing newline that a plain echo
# would add (echo -n works in bash but is not portable); with the newline
# included the input, and therefore the hash, would be different.
printf '%s' "MatKhauYeu" | sha256sum
# Output: the 64-hex-digit digest, two spaces, then "-" (sha256sum's name
# for standard input). It must match the value the web tool shows.
# Hash a file
sha256sum my_important_file.zip
# Changing one character gives an unrelated digest
printf '%s' "MatKhauYeo" | sha256sum
A properly designed system does not store a bare hash like this. It stores the hash together with a random, per-user salt, so that two users with the same password get different hashes and a precomputed table (a rainbow table) is useless, and it uses a deliberately slow, memory-hard password hashing function such as Argon2id, scrypt or bcrypt (or PBKDF2 with a high iteration count) rather than a fast general-purpose hash like SHA-256. A GPU computes billions of SHA-256 values per second but orders of magnitude fewer Argon2id or bcrypt values, which is what turns seconds into years for an attacker holding the database.
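To make the difference between a bare hash and a real password store concrete, here is an added Python example (not ToolCraft's code and not any particular website's). It computes the SHA-256 of the two strings above to show determinism and the avalanche effect, runs a toy offline dictionary attack against unsalted SHA-256 to show why that alone is not enough, and then stores and verifies a password with a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library. The 600,000-iteration figure is the OWASP Password Storage Cheat Sheet recommendation for that algorithm; the record layout `pbkdf2_sha256$iterations$salt$hash` and the mini wordlist are assumptions for this example.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 from the OWASP Password Storage
# Cheat Sheet. Argon2id is the preferred choice but is not in the stdlib.
PBKDF2_ITERATIONS = 600_000


def sha256_hex(text):
    """Plain SHA-256 of a UTF-8 string: what the web tool and `sha256sum` print."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_bits(hex_a, hex_b):
    """How many of the 256 output bits differ between two digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def crack_unsalted_sha256(target_hex, wordlist):
    """Offline dictionary attack on an unsalted fast hash: hash each candidate
    and compare. A leaked table of bare SHA-256 values gives up every weak
    password this way, which is why sites must not store passwords like this."""
    for word in wordlist:
        if sha256_hex(word) == target_hex:
            return word
    return None


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Build a storable record: fresh random 16-byte salt, iteration count and
    PBKDF2-HMAC-SHA256 output. Record layout (assumed for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    a, b = sha256_hex("MatKhauYeu"), sha256_hex("MatKhauYeo")
    print(a)
    print(b)
    print(f"{differing_bits(a, b)} of 256 bits differ")      # roughly half
    # Constructed mini wordlist: the known string falls at once, the random one never.
    words = ["password", "123456", "qwerty", "MatKhauYeu"]
    print(crack_unsalted_sha256(sha256_hex("MatKhauYeu"), words))
    print(crack_unsalted_sha256(sha256_hex("P$oJk8L#y!QzX7vB@nG6"), words))
    rec = hash_password("P$oJk8L#y!QzX7vB@nG6")
    print(rec)
    print(verify_password("P$oJk8L#y!QzX7vB@nG6", rec),
          verify_password("P$oJk8L#y!QzX7vB@nG7", rec))
```

Run it twice and compare the two `pbkdf2_sha256$...` records: the same password yields a different record each time because the salt is fresh, which is what defeats precomputed tables, while the 600,000 iterations make each guess cost the attacker as much as they cost the server.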
Checking & Monitoring: Ensuring Your Passwords Always Stay Secure
Creating strong passwords is just the beginning. Regularly checking and monitoring whether your passwords have been compromised is even more important.
Assessing Password Strength
The ToolCraft Password Generator not only generates passwords but also rates their strength. The rating is an estimate of how hard the string is to guess, derived mainly from its length and the character classes it uses. Always aim for "Very Strong" or "Excellent".
Sites such as howsecureismypassword.net estimate how long a password would take to crack. Never type a password you actually use into a third-party site, whatever it promises, because you cannot see where the input goes; test a password you have just generated and will not use instead. Tools that run entirely in the browser, as ToolCraft does, reduce that risk, and the estimate itself is easy to compute locally: it is the alphabet size raised to the length, divided by the attacker's guess rate.
Checking if Passwords Have Been Compromised in Data Breaches
Many breaches in recent years have exposed billions of accounts, including e-mail addresses and passwords (often hashed, and often cracked afterwards). Troy Hunt's Have I Been Pwned (HIBP) is the standard resource for checking whether your e-mail address or a password appears in a known breach.
For e-mail addresses, enter the address on the site and HIBP lists the breaches it appeared in. For passwords, the Pwned Passwords service uses k-anonymity so the password itself never leaves your browser: it is hashed with SHA-1 and only the first five hex characters of the hash are sent to the API, which returns every hash suffix in that range, and the match is made locally. If a password you use shows up, it is already in the word lists attackers feed to their cracking tools: change it immediately on every service where it was used, and never use it again.
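The k-anonymity lookup, written out as an added Python example (not HIBP's own client code). It splits the SHA-1 of a password into the 5-character prefix that is sent and the 35-character suffix that stays local, parses the `SUFFIX:COUNT` lines the range endpoint returns, and reports how often the password was seen. The endpoint URL and the `Add-Padding` header are the documented ones; the sample response, its filler suffixes and the count attached to "password" are constructed for the offline demo and are not real HIBP data.

```python
import hashlib

# Documented Pwned Passwords range endpoint.
RANGE_URL = "https://api.pwnedpasswords.com/range/{}"


def split_sha1(password):
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1.
    Only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(response_text):
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict.
    With the Add-Padding header the service also returns filler entries
    with count 0, which never count as 'seen'."""
    counts = {}
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, response_text):
    """Times the password appeared in breaches according to this range
    response (0 if absent or present only as padding)."""
    _, suffix = split_sha1(password)
    return parse_range(response_text).get(suffix, 0)


def fetch_range(prefix, user_agent="hibp-range-example"):
    """Online variant: fetch the real range for a prefix. Not used offline."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL.format(prefix),
                                 headers={"User-Agent": user_agent,
                                          "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of "password": three made-up
# filler suffixes (one of them a padding entry with count 0) plus the real
# suffix of "password" with a made-up count. Real responses hold several
# hundred lines per prefix.
_PWD_SUFFIX = split_sha1("password")[1]
SAMPLE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
    f"{_PWD_SUFFIX}:3730471",
    "0A0F0E2C8C4E9C3E4B8F2D3A1C5B6D7E8F9:0",
])


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print("prefix sent to the API:", prefix)
    print("password:", breach_count("password", SAMPLE_RESPONSE))
    # The generated password hashes to a different prefix, so in real use you
    # would fetch its own range; here it simply is not in the sample response.
    print("P$oJk8L#y!QzX7vB@nG6:", breach_count("P$oJk8L#y!QzX7vB@nG6", SAMPLE_RESPONSE))
```

To run the check for real, replace `SAMPLE_RESPONSE` with `fetch_range(prefix)`; the server still only ever learns the five-character prefix, which is shared by hundreds of unrelated passwords.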
Enabling Two-Factor Authentication (2FA/MFA)
No matter how strong your password is, there’s always a possibility it could be compromised. That’s why I always recommend using Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for all important accounts.
2FA adds a second layer: besides the password, you must present another factor, for example a one-time code from an authenticator app, a fingerprint, or a physical security key. Even if attackers obtain your password, they cannot log in without the second factor. The factors are not equal, though: one-time codes (SMS or app) can be phished by a fake site that relays them to the real one in real time, whereas FIDO2/WebAuthn security keys and passkeys are bound to the genuine site's origin and resist that. For your most important accounts prefer a security key or passkey; any second factor is still far better than password-only.
Most major services like Google, Facebook, banks, and cloud services support 2FA. Take the time to enable it!
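To show what the code in an authenticator app actually is, and why a stolen password alone does not produce it, here is an added Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) using only the standard library; it is example code written for this article, not any authenticator's source. The code depends on a shared secret enrolled once (the base32 string in the otpauth QR code) and on the current 30-second time step, and the verifier accepts one step of clock skew either side. The secret and timestamps used in the demo are the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits, algorithm)


def secret_from_base32(text):
    """Decode the base32 secret from an enrolment URI
    (otpauth://totp/...?secret=...). Spaces and missing padding are tolerated."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def verify_totp(secret, code, at=None, period=30, window=1):
    """Server side: accept the current code or one step either side to allow
    for clock skew. Comparison is constant-time."""
    at = time.time() if at is None else at
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + step * period, period), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret, as the ASCII bytes and as base32.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    assert secret == b"12345678901234567890"
    print("TOTP at t=59 (RFC 6238 vector, 8 digits):", totp(secret, at=59, digits=8))
    print("current 6-digit code:", totp(secret))
    print("verify with 1-step skew:", verify_totp(secret, totp(secret, at=time.time() - 30)))
```

The code changes every 30 seconds and is a pure function of the secret and the time, so an attacker who has only the password still lacks the input that matters. The window parameter is the usual trade-off: a larger one tolerates more clock drift but gives a phished code a slightly longer useful life.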
Changing Passwords Regularly and Monitoring Security Notifications
Finally, forced periodic rotation is no longer recommended: current guidance (NIST SP 800-63B) is to change a password when there is evidence it has been compromised, not on a calendar, because scheduled changes push people toward predictable variations of the old one. What does matter is acting immediately when a service you use announces a breach, when HIBP reports a password, or when you receive a security notification about a login you do not recognise: change the password, review the account's active sessions and recovery settings, and make sure 2FA is on.
By combining strong password creation, using a password manager, regularly checking with free tools, and enabling 2FA, you have equipped yourself with the necessary “weapons” to protect data in the digital environment. Make this knowledge a habit to keep yourself and the systems you manage safe.

