Why Are Passwords Important and How to Protect Them?

March 28, 2024 - 14 min read

Passwords remain the primary method of user authentication. They are the keys to the kingdom—or at least, the keys that, together with a username, grant access to systems and sensitive information.

A Brief History

Passwords have a long history predating computers. Military sentries, for example, used passwords to allow passage only to those deemed worthy. If you knew the word, you could pass. Once enough people learned the password—or enough time had passed—it would be changed for security.

What Makes a Good Password?

A good password is something easy for you to remember but difficult for others (humans or machines) to guess. However, making passwords overly complex often leads people to forget them or write them down in insecure places. Unless you store them in a secure password manager, writing them down is risky.

To strike the right balance:

  • Avoid dictionary words—these are easy for password-cracking tools to guess.
    e.g., Password, PassWord123, or similar combinations are not secure.
  • Avoid keyboard patterns like qwerty, 12345, or abcdef.
  • Do not use names of family members, pets, celebrities, or fictional characters.
  • Never reuse passwords across multiple accounts.
    Reusing credentials increases your risk, especially in the event of a password breach.
  • You can check whether your credentials have been compromised using Have I Been Pwned.

Tip: People remember meaningful sentences better than random strings.
Instead of memorizing IwltvDLifi2020 as a random string, remember the sentence it is built from: "I would like to visit Disney Land in Florida in 2020."

How Do Hackers Get Your Password?

Even with secure passwords, hackers have ways to obtain them. Here’s how:

1. Password Guessing

Hackers guess passwords manually or use automated tools. If they know details about you—like your favorite car brand—they may try Ferrari1.
A strong lockout policy after multiple failed login attempts reduces this risk.

2. Password Leaks

Billions of passwords have been leaked online. Cybercriminals can buy these lists and try them on other sites.
Don’t reuse passwords across platforms.

3. Password Spraying

Here, attackers try one common password (e.g., Password1, Winter2020) across many accounts in the same organization.
Ensure users change default/reset passwords immediately.
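
The difference between guessing (section 1) and spraying (section 3) shows up clearly in login logs. The following is an added example, not code from the original article: it runs a per-account lockout policy and a per-source spray check over a constructed log. The thresholds, field layout, usernames and IP addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # assumed: consecutive failures that lock one account
SPRAY_ACCOUNTS = 4      # assumed: distinct accounts failed from one source
WINDOW_MINUTES = 30     # assumed: sliding window for the spray check

# Constructed sample log, sorted by time: (minute, source_ip, username, success)
EVENTS = (
    [(m, "203.0.113.7", u, False) for m, u in
     enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [(10 + i, "198.51.100.20", "grace", False) for i in range(6)]
    + [(20, "192.0.2.10", "heidi", False), (21, "192.0.2.10", "heidi", True)]
)

def locked_accounts(events):
    """Per-account lockout: catches repeated guessing against one user."""
    streak, locked = defaultdict(int), set()
    for _minute, _src, user, ok in events:
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= LOCKOUT_THRESHOLD:
            locked.add(user)
    return locked

def spray_sources(events):
    """Flag sources that fail against many distinct accounts in one window."""
    failures = defaultdict(list)
    for minute, src, user, ok in events:
        if not ok:
            failures[src].append((minute, user))
    flagged = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end, (minute, _user) in enumerate(fails):
            while minute - fails[start][0] > WINDOW_MINUTES:
                start += 1
            distinct = len({u for _, u in fails[start:end + 1]})
            if distinct >= SPRAY_ACCOUNTS:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print("locked by per-account policy:", locked_accounts(EVENTS))
    print("flagged as spraying sources:", spray_sources(EVENTS))
```

The lockout policy only locks the account that was guessed repeatedly, while the source that failed once against six different accounts never trips it and is caught only by the per-source check.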

4. Brute-Force Cracking

Hackers use powerful computers to hash candidate passwords and compare the results against stolen password hashes, testing millions of passwords rapidly.
Use long, complex passwords and systems that implement strong password-hashing algorithms (e.g., bcrypt, Argon2).

The Power of Multi-Factor Authentication (MFA)

Since passwords can be forgotten, guessed, cracked, or phished, MFA adds a second layer of protection—something you have (e.g., phone, token, biometric) in addition to something you know (your password).

Examples of MFA include:

  • USB security keys
  • SMS verification codes
  • Authenticator apps
  • Biometrics: fingerprint, retina, voice, or typing patterns
  • Location-based verification (e.g., login blocked if attempted from a new country minutes after a local login)

MFA significantly enhances account security, especially in cloud-based services where access can be attempted globally.

Important Note

There are websites that let you test how secure your password is.
Never enter your actual password into these tools. Use sample passwords instead.
