How easily hackers crack your passwords - and how to better protect yourself

In today's digital world, password management is a crucial issue for anyone active online. In other words, for all of us. Strong passwords are the first line of defense against cybercriminals who want to gain access to your personal and business information.

In this blog post, we explain why strong passwords are important, how to make them as secure as possible, and discuss the role of password managers, Multi-Factor Authentication (MFA) and passwordless authentication in protecting your online accounts.

Length and complexity of the password

Password cracking can range from very simple to extremely difficult, depending on the strength of the password and the techniques used by the attacker.

  • Short passwords are easier to crack because there are fewer combinations. For example, a 4-digit password has only 10,000 possible combinations.
  • Long, complex passwords that contain a mix of uppercase, lowercase, numbers and special characters are significantly more difficult to crack because of the exponentially increasing number of possible combinations.

How quickly a password is cracked

Cracking a password can be quick or take a very long time, depending on how the password is constructed and what techniques are used by hackers. Here are two scenarios:

  • Simple passwords: For example, "abcdefghij" (10 lowercase letters) has about 141 trillion possible combinations. With modern computers, a hacker can crack this password in about 4 hours.
  • Complex passwords: For example, "A1b!2C@d#3jfus@SSjf12##" (drawn from a set of 95 characters: uppercase, lowercase, digits and special characters) has about 60 trillion trillion combinations and would take an average of 361 years to crack.

How to crack a password - common techniques

Hackers use a variety of techniques to crack passwords. Some examples:

  • Brute Force Attacks: In these, a hacker tries all possible combinations of characters until the correct password is found. Modern brute force attacks can be very fast. Long and complex passwords can slow down this type of attack.
  • Dictionary Attacks: Here the hacker uses a list of common passwords. This type of attack is effective against weak passwords with common components, such as words found in the dictionary, names, dates of birth, etc. Therefore, use unique, non-obvious passwords with a mix of characters.
  • Phishing and Social Engineering: Hackers steal login credentials through forged emails or websites. The hacker sends forged emails or messages to victims with links to fake login pages. When the victim enters their information on this fake page, the login information is sent directly to the attacker. Therefore, always check URLs and use MFA.
  • Rainbow Table Attacks: Rainbow Table attacks use special lists, called rainbow tables, to quickly crack passwords by matching pre-computed hashes of common passwords with stolen hash values. This makes it easy for hackers to figure out passwords without calculating every possible combination themselves.
  • Credential Stuffing: In credential stuffing, the hacker uses stolen credentials (for example, from a data breach) to log into other accounts of the same victim. Never use the same password for multiple accounts.
  • Password Spraying: The attacker chooses a small number of common passwords (e.g., "password," "123456," "welcome," etc.) or passwords that are common in the organization (e.g., "Spring2023!" if the organization's password policy often uses seasons and years). Instead of targeting one specific account, the attacker attempts to apply these selected passwords to a large number of user accounts. Use complex and unique passwords.
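The rainbow table attack above works because a stolen hash of an unsalted common password can be recovered by a single lookup in a precomputed table. The following added example (not from the original post) shows that lookup against a small constructed word list, and the defence on the storage side: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256), so that the same password produces a different digest for every user and no single precomputed table applies. The word list and iteration counts are assumptions for the demonstration; 600,000 iterations follows current OWASP guidance for PBKDF2-SHA256.

```python
import hashlib
import hmac
import os

# Constructed list of weak passwords that an attacker would precompute (not from the page).
COMMON_PASSWORDS = ["password", "123456", "welcome", "Spring2023!", "qwerty"]


def unsalted_table(passwords):
    """Precompute unsalted SHA-256 digests, the way a lookup/rainbow table is built."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in passwords}


def lookup_unsalted(stolen_hash, table):
    """A stolen unsalted hash of a common password is recovered by one dictionary lookup."""
    return table.get(stolen_hash)


def hash_password(password, salt=None, iterations=600_000):
    """Salted, slow hash. Each user gets a fresh random 16-byte salt, so a table
    precomputed for one salt is useless against every other stored hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, stored_digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def demo(iterations=10_000):
    """Contrast the two storage schemes; a lower iteration count keeps the demo fast."""
    table = unsalted_table(COMMON_PASSWORDS)
    # Unsalted: the "stolen" hash is matched immediately against the precomputed table.
    stolen = hashlib.sha256(b"Spring2023!").hexdigest()
    recovered = lookup_unsalted(stolen, table)
    # Salted: the same password stored for two users yields two unrelated digests,
    # yet each still verifies against its own salt.
    salt_a, digest_a = hash_password("Spring2023!", iterations=iterations)
    salt_b, digest_b = hash_password("Spring2023!", iterations=iterations)
    return recovered, digest_a != digest_b, verify_password("Spring2023!", salt_a, digest_a, iterations)


if __name__ == "__main__":
    print(demo())  # ('Spring2023!', True, True)
```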

How do you best protect your passwords?

Follow this advice to keep your passwords safe:

  • Make your password long enough: At least 12 characters.
  • Use a mix of characters: uppercase, lowercase, numbers and special characters.
  • Avoid personal information: Do not use names, dates of birth or addresses.
  • Use password phrases: for example, "MyCatLikes3Mice!".
  • Use a password manager: For easy generation and secure storage of strong passwords.
  • Change passwords regularly: Especially for important accounts and apps. These include mail, work accounts, financial apps such as online banking, cloud storage and DigiD.
  • Enable Multi-Factor Authentication (MFA): Whenever possible, enable MFA for an extra layer of security. This means that even if someone manages to get your password, they still need a second factor of authentication to actually access your account.
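The advice above can be turned into an automated check. This added example (not from the original post) applies the rules as stated, at least 12 characters, all four character classes, no personal information, not built on a common dictionary word, and estimates the brute-force keyspace in bits from the character classes actually present, which is the same arithmetic behind the combination counts quoted earlier. The deny-list is a constructed stand-in for a real dictionary-attack word list, and the 33 special characters are the printable ASCII punctuation plus space, giving the 95-character set mentioned above.

```python
import math
import re

# Constructed deny-list standing in for a dictionary-attack word list (not from the page).
COMMON_PASSWORDS = {"password", "123456", "welcome", "qwerty", "letmein"}

# Character classes the advice recommends mixing, with the size each adds to the keyspace.
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),  # printable ASCII punctuation + space
}


def entropy_bits(password):
    """Brute-force estimate: log2(charset_size ** length), where the charset is the union
    of the classes present. An upper bound; predictable patterns reduce real strength."""
    charset = sum(size for rx, size in CLASSES.values() if rx.search(password))
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password, personal_info=()):
    """Apply the rules; return the list of failed rules (an empty list means it passes)."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    present = {name for name, (rx, _) in CLASSES.items() if rx.search(password)}
    if len(present) < 4:
        failures.append("missing classes: " + ", ".join(sorted(set(CLASSES) - present)))
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            failures.append(f"contains personal information: {item}")
    if any(word in lowered for word in COMMON_PASSWORDS):
        failures.append("contains a common dictionary password")
    return failures


if __name__ == "__main__":
    for pw in ["abcdefghij", "Spring2023!", "MyCatLikes3Mice!"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, failures={check_password(pw)}")
```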

Example of a strong password - use a password manager!

So what does an example of a strong password look like? "T3i*Jm#4B7!k8z^" is a good example of a strong password (14 characters, uppercase, lowercase, numbers and special characters).

Of course, this sounds nice in theory. But how will you ever remember this in practice? That's why a password manager is an ideal and actually essential tool. A password manager can generate and store unique and complex passwords for all your accounts. That way, you only have to remember one main password (make it complex, though). Some popular password managers are LastPass, 1Password, and Bitwarden.

Passwordless authentication

Passwordless authentication is a method that does not require users to enter a password to access their accounts or systems. Instead, alternative, often more secure methods are used to verify a user's identity.

Some common methods include biometrics, such as fingerprints or facial recognition, physical hardware tokens and one-time passwords (OTP). An OTP is a temporary login code sent to the user that can be used only once.

The major advantage of passwordless authentication is that it is user-friendly and fast. Users do not have to remember and manage complex passwords, and password recovery is needed much less frequently. Therefore, consider deploying passwordless authentication whenever possible. Think of your online banking app, where you log in with facial recognition.

Security awareness within companies

It is essential that employees within a company are aware of security risks and know how best to deal with them. Cyber attacks often target the weakest link, and this is often the human factor. There are unfortunately very many examples of this. Read more about security awareness here.

Conclusion - strong, complex passwords are essential

Strong passwords are a crucial first step in protecting your online accounts. By using long, complex, and unique passwords and changing them regularly, you can significantly reduce your chances of becoming a victim of a cybercrime or data breach. Use a password manager and MFA for the best account security. Consider using passwordless authentication whenever possible. Follow this advice to keep yourself and your data safe in the digital world.

This article was written by Ferry Braeken, Solutions Architect Security at Valid.
