Lesson 7: Going deeper with device security
Strong passwords
A password is a form of authentication: a way of proving that yes, this is the user who owns this account.
Passwords protect access to just about every piece of digital information about us: bank accounts, private email, social networks, chat conversations, and much, much more.
Password attacks
Since so many user accounts are authenticated with a password, attackers are always looking for ways to uncover a user's password.
These are the most common ways:
- Guessing
- Brute-forcing, which is basically computer-assisted guessing at a much larger scale
- Stuffing, where attackers find the credentials for one service and try them on another service
- Malware, especially keyloggers
- Phishing scams
Users can defend against malware and phishing scams by being careful about what they download and what emails they believe.
To defend against the attacks of guessing, brute-forcing, and stuffing, users need a strong password that can’t be easily obtained by someone with ill intent.
Picking a strong password
A strong password is:
- Irregular, to avoid simple guessing. Have you ever “changed” a password by putting a "1" or a "!" at the end of it? An attacker will change it the same way!
- Complex, to avoid brute-forcing. A strong password is long and includes more variety than just the letters of the alphabet, like numbers and symbols. There are possible passwords that are characters long and just made of lowercase letters, while there are possible passwords that are characters long and made up of both uppercase and lowercase letters. That's versus a whopping possibilities. A little bit of complexity goes a long way.
- Single-use, to avoid stuffing attacks. If an attacker manages to discover a user's password for one service, they shouldn't be able to use that same password to get into all their other services.
At the same time, passwords need to be memorable. If a user forgets their password constantly, then it's not a very good password.
Here are ways that users can make passwords that are both memorable and strong:
- Create an initialism. Simple words and common phrases are easier to guess. An initialism is made up of all the initials of a phrase. For example, you could take the phrase “I want to create a strong password” and turn that into a complex password like "Iw2CR8a!!!pw". You could also make initialisms based on favorite song lyrics, and then you'll be singing your way through login screens. 🎶
- Combine unrelated words together. Imagine you have a real paper dictionary (and maybe you do!). You randomly turn to a page, randomly point, and choose the word under your finger. Do that four times, combine the words with symbols, and you'll have a strong password like "vivid-wrung-octopus-misapply".
- Use a password manager. Perhaps you now have a few strong, memorable passwords in your head—but can you actually remember 40 of those? Password managers to the rescue! A password manager application can auto-generate strong passwords, keep track of all your passwords, and let you unlock access to your passwords with one very strong and memorable password.
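As an added example (not part of the original lesson), the Python below works the keyspace comparison from the "Complex" bullet for any alphabet size and length, builds a random multi-word passphrase from a constructed word list using the `secrets` module, forms an initialism from a phrase, and estimates how long exhausting a keyspace would take at an assumed guess rate. The word list and the guess rates are constructed for illustration.

```python
import math
import secrets

# Constructed stand-in for the article's "paper dictionary"; a real list such as
# the EFF word list has thousands of entries, and each word adds log2(list size) bits.
WORDLIST = [
    "vivid", "wrung", "octopus", "misapply", "lantern", "granite", "quiver",
    "saddle", "meadow", "tumble", "cobalt", "whistle", "ember", "ferry",
    "glacier", "harbor",
]

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of
    `alphabet_size` symbols (26 for a-z, 52 for a-z plus A-Z, 95 for printable ASCII)."""
    return alphabet_size ** length

def entropy_bits(possibilities: int) -> float:
    """Bits of entropy for a secret chosen uniformly from `possibilities` options."""
    return math.log2(possibilities)

def seconds_to_exhaust(possibilities: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every possibility at the given rate."""
    return possibilities / guesses_per_second

def random_passphrase(words: list, count: int, sep: str = "-") -> str:
    """Join `count` words picked uniformly at random (with replacement, like
    opening a dictionary to a random page each time) using the CSPRNG in `secrets`."""
    return sep.join(secrets.choice(words) for _ in range(count))

def initialism(phrase: str) -> str:
    """First letter of each word, keeping the user's capitalisation:
    'I want to create a strong password' -> 'Iwtcasp'. The article then swaps in
    digits and symbols by hand to reach something like 'Iw2CR8a!!!pw'."""
    return "".join(word[0] for word in phrase.split())

if __name__ == "__main__":
    for size, label in ((26, "lowercase"), (52, "mixed case"), (95, "printable ASCII")):
        space = keyspace(size, 8)
        print(f"{label:16} 8 chars: {space:.3e} ({entropy_bits(space):.1f} bits)")
    words = keyspace(len(WORDLIST), 4)
    print(f"4 words from {len(WORDLIST)}: {random_passphrase(WORDLIST, 4)} "
          f"({entropy_bits(words):.1f} bits)")
    # 10 guesses/s models a rate-limited login form; 1e10/s an offline attack on a fast hash.
    for rate in (10, 1e10):
        years = seconds_to_exhaust(keyspace(52, 8), rate) / 31_557_600
        print(f"52^8 at {rate:g} guesses/s: {years:.3g} years")
```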
🔍 You can search online for "password meter" and find webpages that will calculate the strength of passwords for you. For security reasons, you should not put one of your actual passwords in those meters, but you can try out other password ideas and see how strong they are.
Entering a password
Even if you've come up with a super strong password, you still need to be careful when you're actually typing the password:
Only fill in passwords over a secured connection. It's easy for malicious onlookers to see passwords sent over a non-secured Internet connection (and non-secured is the default!).
When you're entering a password in the browser, look for the lock icon that indicates an HTTPS connection.
Watch out for shoulder surfers. If anyone is near you while you're typing your password, they might be trying to memorize what you're typing.
- so if there is no https:// it isn't safe?(27 votes)
- Well, if the webpage is served using HTTP then the browser will send an HTTP request to fetch the webpage.
If the webpage is served over HTTPS then the browser uses both HTTP and TLS - that is, it uses the Transport Layer Security protocol that makes communication secure.
Additionally, a website could be completely harmless if it is served over HTTP (not HTTPS) but it just isn't secure.
Also note that the browser will show the lock icon if it is safe (HTTPS).
The general rule of thumb is that if the webpage isn't secure, then it might not be safe, and thus you shouldn't enter any personal information (so you might not want to make an account unless you know more information about the website).
Hope this helps!(34 votes)
- How do password managers keep all your passwords safe? Couldn't the password manager get hacked and steal all the passwords?(17 votes)
- A password manager encrypts the stored passwords to keep them from being read. The password manager could be hacked which is why it is important to research the password manager and see how well its security has held up before using it.(21 votes)
- What if you forget the main, superstrong password for a password manager? Is there a way to retrieve the main, superstrong password?(13 votes)
- Many websites lock you out after a few unsuccessful login trials. Is this not a good way to avoid hackers entering by any trial-and-error attempts? If so, why is this not a general policy of websites?(7 votes)
- Yes, this is one method used to prevent hackers from trying to brute-force a password. Most "bigger" websites/companies have this protection in place.
Building a feature like this does take some time and development resources, which may be why some sites do not have this. Some sites may also opt for a similar protection mechanism such as an API rate-limit, which would restrict hackers to only make a limited number of guesses in a certain time period. As long as your password is complex enough, the rate limit and computational limits of computers would effectively make your password impossible to guess because it would take too long to do so.(12 votes)
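An added example (not from the lesson or from any real site) of the lockout and rate-limit idea in the answer above: a per-account failure counter over a sliding window that locks the account for a while once too many failures pile up, replayed over constructed login log lines. The thresholds and the log are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (not from any real system): timestamp, account,
# outcome. Six failures in a few seconds is what a guessing attempt looks like.
SAMPLE_LOG = """\
2024-05-01T10:00:00 alice FAIL
2024-05-01T10:00:02 alice FAIL
2024-05-01T10:00:03 alice FAIL
2024-05-01T10:00:05 alice FAIL
2024-05-01T10:00:06 alice FAIL
2024-05-01T10:00:07 alice FAIL
2024-05-01T10:00:09 bob OK
2024-05-01T10:30:00 alice OK
"""
MAX_FAILURES = 5                # lock the account after this many failures ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window
LOCKOUT = timedelta(minutes=15) # ... and refuse all attempts for this long

class LoginGuard:
    """Per-account sliding-window failure counter with a temporary lockout."""
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> when the lockout expires
    def record(self, account: str, ok: bool, now: datetime) -> str:
        """Feed one login event; return 'allowed', 'now-locked' or 'locked'."""
        if now < self.locked_until.get(account, now):
            return "locked"       # rejected before the password is even checked
        q = self.failures[account]
        while q and now - q[0] > WINDOW:
            q.popleft()           # forget failures older than the window
        if ok:
            q.clear()             # a real login resets the counter
            return "allowed"
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            q.clear()
            return "now-locked"
        return "allowed"

def replay(log: str) -> list:
    """Run the guard over log lines; returns one (account, decision) pair per line."""
    guard, decisions = LoginGuard(), []
    for line in log.splitlines():
        ts, account, outcome = line.split()
        decisions.append((account, guard.record(account, outcome == "OK",
                                                datetime.fromisoformat(ts))))
    return decisions
```

Calling `replay(SAMPLE_LOG)` shows alice's fifth failure triggering the lockout, her sixth attempt being refused outright, and her later successful login going through once the lockout has expired.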
- What if an app wants a password with only numbers? What do you do? Wouldn't that be too easy to guess?(6 votes)
- Would a strong password be necessary for every website?(3 votes)
- It's recommended to use a strong password for all of your websites, especially those that may contain valuable personal, medical, and financial information.(4 votes)
- Can we build our own protection without them knowing any of our data or knowing our info? So that we don't have to pay for protection at our own costs?(2 votes)
- In theory, you could build your own protection software. However, writing your own cybersecurity software is not a good idea unless you have training and experience in the field. It is easy to accidentally leave your software vulnerable to exploitation, so it is generally better to stick with software that has been professionally tested.(5 votes)
- If the lock on the browser is there, does that mean that there is an HTTPS connection? Or do you have to click it to find out?(2 votes)
- Yes, the lock symbol on the browser signifies that there is indeed an HTTPS connection established. However, clicking on the lock symbol provides additional details about the website's security certificate and allows you to view extra information about the connection (some browsers do not have a "lock" icon, so if that is the case then you have to click on whatever icon is next to your search bar to find out).(3 votes)
- how to make a strong password(2 votes)
- 12 characters, unusual symbols like ~, and random capitalization.(1 vote)
- but what if someone finds out the password to your password manager?(2 votes)
- Then they have access to ALL of your passwords. That is one of the disadvantages of password managers, and that is also why the password to your password manager should follow all of the steps mentioned in the article for the most secure password to the highest(1 vote)