Password security: top tips

This blog post provides tips and tricks for choosing more secure passwords to keep your online data safe. In a previous blog post, we tackled the topic of password cracking speed. In the coming weeks, we will go more in-depth on the associated risks and provide you with solutions.

Gaining access to a website or online data always occurs in three steps:

  1. Identification: you state who you are (typically a username or e-mail address). Who are you?
  2. Authentication: can you prove you are who you claim to be? This is typically where passwords come into play.
  3. Authorization: you have proven that you are who you claim to be, but are you actually allowed to access the website or data you are asking for?

Passwords are to your accounts what keys are to your house. You don’t just leave your home open for everyone, do you? This is precisely why passwords are critical: they shield information and computer systems from unauthorized actors.

It is essential to keep your password strictly personal: never pass it on to colleagues, friends or family, and never write it down somewhere others can find it.


When to change your password

As a general rule, treat every website as an insecure one. Believe us, even big, ‘reliable’ companies have suffered breaches in the past, so take nothing for granted. Your username and password may be stored insecurely (in plaintext, or with a fast, unsalted hash) and thus easily obtained by cybercriminals. Even if your password is stored securely, an easy combination may eventually be cracked by these attackers.
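To make the difference between “stored insecurely” and “stored securely” concrete, here is an added example (not code from the original post) of how a website should store and verify passwords: a fresh random salt per user, a deliberately slow key derivation function (scrypt from Python’s standard library) and a constant-time comparison, next to the fast unsalted hash the post warns about. The cost parameters and the record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: illustrative values for this example, not a recommendation
# from the original post. scrypt needs 128 * N * r bytes of memory per hash (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def insecure_store(password: str) -> str:
    """What the post warns about: a fast, unsalted hash. Two users with the same
    password get the same digest, and a GPU tests billions of MD5 guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$key_hex' (the format is
    an assumption of this example) so the cost can be raised later without a reset."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # a random salt per user defeats precomputed tables
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the parameters stored in the record and compare in
    constant time, so response timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
        expected = bytes.fromhex(key_hex)
        if algo != "scrypt" or not expected:
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False  # malformed record: a failed login, never a crash
    return hmac.compare_digest(candidate, expected)


def duplicate_passwords_visible(records: list) -> bool:
    """True when two stored records are identical, i.e. the storage scheme reveals
    that two users share a password (always the case for an unsalted hash)."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # Constructed sample credentials for this example.
    users = {"alice": "Summer2024!", "bob": "Summer2024!",
             "carol": "I use 1 sentence instead of 1 password!"}
    bad = [insecure_store(pw) for pw in users.values()]
    good = [hash_password(pw) for pw in users.values()]
    print("unsalted MD5 reveals shared passwords:", duplicate_passwords_visible(bad))    # True
    print("salted scrypt reveals shared passwords:", duplicate_passwords_visible(good))  # False
    print("verify correct:", verify_password("Summer2024!", good[0]))                    # True
    print("verify wrong:  ", verify_password("summer2024!", good[0]))                    # False
```

Hashing alone does not protect a weak password: scrypt only makes each guess expensive, so an attacker who obtains the records still gets through a short or common password quickly. That is why the uniqueness and strength advice below still applies even to well-run sites.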

So, assume one of your passwords has leaked. If you reuse that password for multiple applications, an attacker immediately gets more opportunities to abuse your identity by trying the leaked combination everywhere (so-called credential stuffing). Therefore, use a different password for every application.

If your password has leaked, you suspect abuse, or you think someone has seen your password, change it as soon as possible. Even if you are unaware of a leak, our advice is to change it at least once a year as a precautionary measure, under the motto “Better safe than sorry”! Note that current guidance such as NIST SP 800-63B no longer asks for rotation purely on a schedule: a unique, strong password that is changed immediately on any sign of compromise matters more than a calendar-driven change.

Password complexity

A complex password is essential because it makes it harder for someone with bad intentions to guess the password, or to crack it after obtaining a (hashed) copy from an attack or breach list. A breach list is a list of usernames and passwords leaked from several websites and offered, generally free of charge, on the internet (more on this topic in an upcoming blog post).

A strong password reduces the risk that someone else can log in with your username and password. An easy-to-guess password leaves the door open for abuse: when others can guess your password, fraudulent activities can be performed in your name. To prevent this, an unguessable password is the minimum.

A password must be long and unique to ward off automated attacks by criminals. In general, the rule is “the more characters, the more secure”: each extra character multiplies the number of guesses an attacker must try, which adds more than mixing in one extra character class does. It is wise to maintain a minimum length of at least eight to ten characters, drawn from at least three of the following categories:

  • lowercase (a-z)
  • uppercase (A-Z)
  • numbers (0-9)
  • special characters (!@#$%^&*(),/?.>`~ etc)

Password phrases

Passwords quickly become challenging to remember in this way. Therefore, we recommend using a password manager (more on this topic in a future blog post). Alternatively, you can use passphrases instead of passwords. As stated above, minimum length is important, and a passphrase meets that requirement with ease. Finally, phrases are also relatively easy to remember.

To obtain a strong passphrase, you also need to observe some minimum requirements. Your passphrase should be at least four words long, should not be a well-known quote, lyric or saying (attackers feed those into their word lists), and should not contain personal information (such as name, date of birth, address, …).

An example of such a passphrase is: “I use 1 sentence instead of 1 password!” This passphrase is 39 characters long, made up of lowercase letters, an uppercase letter, special characters (spaces and an exclamation mark) and numbers. We have thus generated a cyber-secure yet easy-to-remember password. Assuming the attacker brute-forces the full character set on an ordinary computer, it is estimated to take about one vigintillion years to crack this password. Bear in mind that such estimates describe pure brute force; an attacker who guesses combinations of dictionary words searches a much smaller space, which is why the passphrase should be your own sentence rather than a common expression.
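The following added example (not code from the original post) puts numbers on the rules above. It estimates the guess space of a password from its length and character classes, as the “three of four categories” rule assumes, and separately estimates a passphrase the way an attacker who combines words from a list would, which is a far smaller space than full brute force. It also rejects anything found on a (constructed, five-entry) breach list, because a leaked password is weak no matter how complex it looks. The guess rate, the word-list size and the breach list are assumptions of this example.

```python
import hashlib
import math
import string

# Assumptions for this example: one cracking rig testing 1e10 guesses/s against a
# fast hash, and an attacker's word list the size of a Diceware list (7776 words).
GUESSES_PER_SECOND = 1e10
ATTACKER_WORDLIST_SIZE = 7776
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed mini breach list: SHA-1 digests of a few leaked passwords. Real lists
# hold billions of entries and are usually circulated as hashes rather than plaintext.
BREACH_LIST = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("123456", "password", "qwerty", "Welcome1!", "letmein")
}

# The four character classes from the post; a space counts as a special character.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation) | {" "},
}


def classes_used(password: str) -> set:
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str, min_len: int = 10, min_classes: int = 3) -> bool:
    """The post's rule: at least 8-10 characters from at least three classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def brute_force_bits(password: str) -> float:
    """Guess space when the attacker tries every string over the classes used.
    This is an upper bound: it assumes the password has no structure at all."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def wordlist_bits(passphrase: str, wordlist_size: int = ATTACKER_WORDLIST_SIZE) -> float:
    """Guess space when the attacker models the passphrase as a sequence of tokens
    drawn from a word list instead of raw characters (a combinator attack)."""
    return len(passphrase.split()) * math.log2(wordlist_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return (2.0 ** bits / 2) / rate / SECONDS_PER_YEAR


def in_breach_list(password: str) -> bool:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in BREACH_LIST


def assess(password: str) -> str:
    """Verdict combining the checks: a breached password is rejected regardless of
    apparent complexity; for a phrase, the weaker of the two estimates is what counts."""
    if in_breach_list(password):
        return "reject: found in breach list"
    if not meets_policy(password):
        return "reject: shorter than 10 characters or fewer than 3 character classes"
    bits = brute_force_bits(password)
    if len(password.split()) > 1:  # looks like a phrase: assume a word-level attack
        bits = min(bits, wordlist_bits(password))
    return f"accept: ~{bits:.0f} bits, ~{years_to_crack(bits):.3g} years at {GUESSES_PER_SECOND:.0e} guesses/s"


if __name__ == "__main__":
    for pw in ("Welcome1!", "abcdefgh", "Tr0ub4dor&3",
               "I use 1 sentence instead of 1 password!"):
        print(f"{pw!r}: {assess(pw)}")
```

Under these assumptions the post’s passphrase still comes out at roughly 100 bits even when the attacker guesses whole words, which is far beyond reach, while “Welcome1!” satisfies the three-of-four rule and is rejected anyway because it is on the breach list. The numbers move with the assumed guess rate, so treat them as a comparison between candidates rather than a promise.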

Two-Factor authentication

Authentication, i.e. proving who you claim to be, can come in various forms. There are three main types of factor:

  1. Something you know: a password or PIN
  2. Something you have: a phone that receives SMS codes or runs an authenticator app, a hardware token (dongle), etc.
  3. Something you are: biometrics (e.g., a fingerprint)

Passwords are the most common and essential factor. However, no matter how strong your password is, it can still fall into the wrong hands through a data breach, a hack or a phishing page. Therefore, it is generally recommended to enable two-factor authentication (also called 2FA) wherever it is offered. 2FA comes in several forms: a dedicated authenticator app, e-mail, SMS, a hardware authentication dongle, and many other ways! Not all are equal: SMS and e-mail codes can be intercepted or phished along with the password, so prefer an authenticator app or a hardware key where available.

On to a more secure password-protected world!

Next in our password series

In our upcoming posts, we will come back to password security and talk about password managers, breach lists, and much more.

This post was provided by one of our pentesters: Hendrik Noben