Password Security and Management

A password is the most widely used form of authentication on the internet. Despite the rise of biometrics and multi-factor authentication, passwords remain the primary gate to almost every digital account. A weak or reused password is one of the most common reasons accounts get compromised. Strong password practices close this vulnerability significantly.

Why Password Security Matters

A 2023 study found that "123456" was used by millions of accounts globally and could be cracked in under one second. In every major data breach, weak and reused passwords rank as one of the top contributing factors. Protecting passwords means protecting the identities, finances, and private information tied to those accounts.

How Attackers Crack Passwords

Brute Force Attack

The attacker uses automated software to try every possible combination of characters until the correct password is found. Short passwords fall quickly. Every extra character added multiplies the cracking time dramatically.

BRUTE FORCE: IMPACT OF PASSWORD LENGTH

4-character password  (lowercase only): 26⁴ = 456,976 combinations
                                        Time to crack: < 1 second

8-character password  (lowercase only): 26⁸ = 208 billion combinations
                                        Time to crack: ~2 hours

12-character password (mixed case + numbers + symbols):
                                        ~3.2 × 10²⁰ combinations
                                        Time to crack: millions of years

LESSON: Length is the most powerful factor in password strength.

Dictionary Attack

Instead of trying random combinations, the attacker uses a pre-built list of common passwords, words, and phrases. Most people choose passwords based on words they can remember — names, places, sports teams. Dictionary attacks target this predictability.

DICTIONARY ATTACK LIST (sample):
  password, 123456, password1, qwerty, abc123,
  letmein, monkey, master, iloveyou, admin,
  welcome, login, sunshine, football, 12345678
  ...and millions more

"Football@1990" looks complex → but base word "Football" is in the list
With minor variations added → still cracked within seconds

Credential Stuffing

Attackers purchase leaked username-password combinations from previous data breaches (often sold on dark web forums) and automatically test them across many websites. If someone uses the same password on multiple sites, one breach exposes all of their accounts.

CREDENTIAL STUFFING ATTACK:

Step 1: Website X suffers a breach. 10 million username+password combos leaked.
Step 2: Attacker buys the list on the dark web.
Step 3: Automated bot tests each combo on:
         Gmail, Facebook, Amazon, Netflix, Banking sites...
Step 4: User "priya@email.com" used same password everywhere.
         Attacker logs into ALL her accounts.

PREVENTION: Use a unique password for every single account.
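Seen from the website's side, the bot in Step 3 leaves a distinctive trace: one source address trying many different accounts and mostly failing. The detection logic below is an added example, not part of the original page; the log format and the addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of a site's authentication log (not real data).
# Assumed format: "<timestamp> ip=<addr> user=<login> result=<ok|fail>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=203.0.113.7 user=priya@email.com result=fail
2024-05-01T10:00:02 ip=203.0.113.7 user=ravi@email.com result=fail
2024-05-01T10:00:02 ip=203.0.113.7 user=amit@email.com result=ok
2024-05-01T10:00:03 ip=203.0.113.7 user=neha@email.com result=fail
2024-05-01T10:00:03 ip=203.0.113.7 user=sana@email.com result=fail
2024-05-01T10:00:04 ip=203.0.113.7 user=dev@email.com result=fail
2024-05-01T10:05:00 ip=198.51.100.4 user=priya@email.com result=fail
2024-05-01T10:05:30 ip=198.51.100.4 user=priya@email.com result=ok
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

def parse_log(text):
    """Yield (ip, user, result) for each line that matches; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")

def find_stuffing_sources(text, min_accounts=5, max_success_ratio=0.5):
    """Return {ip: stats} for source IPs whose behaviour looks like stuffing.

    A person mistyping a password hits ONE account repeatedly.  A stuffing
    bot hits MANY DIFFERENT accounts and mostly fails, because only the
    users who reused a leaked password will log in.  So flag a source that
    touches >= min_accounts distinct users with a low success ratio; its
    successful logins are the reused-password accounts to force-reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ip, user, result in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "ok":
            s["ok"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "successes": s["ok"]}
    return flagged
```

On the sample, 203.0.113.7 is flagged (six accounts, one success) while 198.51.100.4, a real user who mistyped once, is not.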

Rainbow Table Attack

A rainbow table is a pre-computed database of hashes for millions of common passwords. Instead of hashing each guess during the attack, the attacker looks up the stolen hash directly in the table. If a match exists, the password is revealed instantly.

RAINBOW TABLE:
┌──────────────┬──────────────────────────────────┐
│ Password     │ MD5 Hash                         │
├──────────────┼──────────────────────────────────┤
│ password     │ 5f4dcc3b5aa765d61d8327deb882cf99 │
│ 123456       │ e10adc3949ba59abbe56e057f20f883e │
│ letmein      │ 0d107d09f5bbe40cade3de5c71e9e9b7 │
│ abc123       │ e99a18c428cb38d5f260853678922e03 │
└──────────────┴──────────────────────────────────┘

Attacker steals hash: 5f4dcc3b5aa765d61d8327deb882cf99
Looks it up in table → immediately reveals: "password"

DEFENSE: Password Salting (explained below)

Password Salting

A salt is a random string added to a password before hashing. The salt is not secret: it is stored next to the resulting hash so the server can recompute the same hash when the user logs in. Even if two users have the same password, their salted hashes will be completely different. This destroys the usefulness of rainbow tables, because an attacker would need a separate pre-computed table for every possible salt value.

HASHING WITHOUT SALT:
"password" → Hash: 5f4dcc3b5aa765d... (always the same, in rainbow tables)

HASHING WITH SALT:
"password" + Salt "xQ7!kP2" → Hash: 9a2b7f4e1c... (unique to this user)
"password" + Salt "mK9#rL5" → Hash: 3d8c1a7b2f... (different user, different hash)

Rainbow table useless → both hashes are different, neither in the table.
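The two sections above (rainbow table lookup, then salting) side by side, as an added example that is not part of the original page. The lookup table is built from the page's own four MD5 entries; the defender side uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt. The iteration count is an assumption to tune per server.

```python
import hashlib
import hmac
import secrets

# Attacker's view: the page's sample table of unsalted MD5 hashes. Because
# there is no salt, every site that stores MD5("password") stores the SAME
# value, so one precomputed table reverses it everywhere.
COMMON = ["password", "123456", "letmein", "abc123"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}

def lookup_unsalted(stolen_hash):
    """Reverse an unsalted MD5 hash by table lookup; None if not precomputed."""
    return LOOKUP_TABLE.get(stolen_hash.lower())

# Defender's view: random salt per user + deliberately slow hash.
ITERATIONS = 600_000   # assumed value (OWASP's figure for PBKDF2-HMAC-SHA256)

def hash_password(password, salt=None):
    """Return 'pbkdf2$<iterations>$<salt hex>$<hash hex>' for storage.

    The salt is generated fresh for every call, so two users with the same
    password get different records. It is stored in the clear: it only has
    to be unique, not secret.
    """
    if salt is None:
        salt = secrets.token_bytes(16)          # 128-bit random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

def salted_hashes_differ(password):
    """Same password hashed twice: different salts, different records."""
    return hash_password(password) != hash_password(password)
```

With salting, a leaked record can only be attacked by guessing against that one user's salt at PBKDF2 speed; the shared table is worthless.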

What Makes a Strong Password?

PASSWORD STRENGTH CHECKLIST:

✔ Minimum 12 characters (16+ is better)
✔ Mix of UPPERCASE and lowercase letters
✔ Include numbers (0-9)
✔ Include special characters (!@#$%^&*)
✔ Not based on personal info (name, birthday, city)
✔ Not a real word found in any dictionary
✔ Different for every account

WEAK PASSWORD EXAMPLES:
  "password"       → Dictionary word
  "John1990"       → Personal info (name + birth year)
  "Qwerty123"      → Keyboard pattern + common number string
  "Football@123"   → Dictionary word with predictable substitutions

STRONG PASSWORD EXAMPLES:
  "tK#8mP2!xR4vLq"  → Random, 15 characters, mixed types
  "Blue$Rain!42Desk" → Passphrase-based, long, complex
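A checker that applies the checklist above to the weak and strong samples, together with the keyspace arithmetic from the brute-force table, as an added example not taken from the original page. The dictionary is the page's sample list (a real checker loads a breach-derived list), and the 10^10 guesses per second rate is an assumption.

```python
import string

# Common-password sample from the dictionary-attack section above.
COMMON_WORDS = {"password", "123456", "password1", "qwerty", "abc123",
                "letmein", "monkey", "master", "iloveyou", "admin",
                "welcome", "login", "sunshine", "football", "12345678"}

def base_word(password):
    """Strip digits/symbols so 'Football@123' is judged by its core 'football'."""
    return "".join(c for c in password if c.isalpha()).lower()

def check_password(password, personal_info=()):
    """Apply the checklist; return the list of failed checks ([] == passes)."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in password):
        failures.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        failures.append("needs a special character")
    if password.lower() in COMMON_WORDS or base_word(password) in COMMON_WORDS:
        failures.append("based on a common dictionary password")
    low = password.lower()
    if any(info.lower() in low for info in personal_info if info):
        failures.append("contains personal information")
    return failures

def search_space(password):
    """Keyspace a brute-force attacker must cover: alphabet_size ** length."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(c in string.punctuation for c in password): size += len(string.punctuation)
    return size ** len(password)

def crack_time_seconds(password, guesses_per_second=1e10):
    """Worst-case seconds to enumerate the keyspace (assumed 10^10 guesses/s)."""
    return search_space(password) / guesses_per_second
```

"Football@123" passes every character-class rule and still fails, because the checker strips the decorations and finds "football" in the list, exactly the case the dictionary-attack section describes.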

Passphrases: A Practical Strong Password Strategy

A passphrase combines multiple random words into a long, memorable string. A four-word passphrase is often stronger than a short complex password and far easier to remember.

PASSPHRASE EXAMPLE:

Four random words: "Mango" + "Cloud" + "Bicycle" + "River"

Passphrase: "MangoCloudBicycleRiver"
           → 22 characters long
           → Extremely difficult to brute force (length advantage)
           → Easy to remember (visual story: mango on a cloud, bicycle by river)

Add complexity: "Mango!Cloud#Bicycle$River9"
           → Even stronger

Password Reuse: The Domino Effect

DANGER OF REUSING PASSWORDS:

User uses same password "Tiger@2022" on:
  Gmail ──────────────────────────────────► Account 1
  Amazon ─────────────────────────────────► Account 2
  Netflix ────────────────────────────────► Account 3
  Bank ───────────────────────────────────► Account 4

Small forum site suffers a breach → "Tiger@2022" leaked
Attacker tests it on Gmail → SUCCESS
Attacker tests it on Amazon → SUCCESS
Attacker tests it on Bank → SUCCESS

ALL FOUR ACCOUNTS COMPROMISED by one breach on a small, forgotten site.

Password Managers

A password manager is a software tool that generates, stores, and auto-fills strong, unique passwords for every account. The user needs to remember only one master password to unlock the manager. Everything else is handled automatically.

HOW A PASSWORD MANAGER WORKS:

User sets ONE strong master password to open the vault.
Inside the vault:
  Gmail          → "tK#8mP2!xR4vLq"  (generated by manager)
  Amazon         → "pZ!9nW3@mV7yRt"  (unique, generated)
  Netflix        → "hX$4kB2#cF8wNs"  (unique, generated)
  Bank           → "jM@7rL5!bQ2xGp"  (unique, generated)

On login page: Manager auto-fills the right password.
User never needs to type or remember individual passwords.

Popular password managers: Bitwarden (free, open-source), 1Password, Dashlane, KeePass (offline). Using any reputable password manager is dramatically safer than memorizing or reusing passwords.

Default Passwords: A Critical Risk

Many routers, smart devices, and software systems come with factory-set default passwords like "admin/admin" or "admin/password." Attackers maintain lists of these default credentials and use automated tools to try them against IP addresses on the internet. Changing default passwords immediately after setup is one of the most important basic security steps.

DEFAULT PASSWORD DANGER:

Home Router ships with:
  Username: admin
  Password: admin

User sets up router but never changes the password.
Attacker scans the internet for routers with default credentials.
Attacker logs into the router → Can redirect traffic, spy on all devices.

SOLUTION: Change ALL default passwords to strong unique ones immediately.

Password Security Best Practices Summary

┌──────────────────────────────────────┬────────────────────────────────────────────────────┐
│ Practice                             │ Why It Matters                                     │
├──────────────────────────────────────┼────────────────────────────────────────────────────┤
│ Use 12+ character passwords          │ Length exponentially increases cracking time       │
│ Use unique passwords everywhere      │ One breach does not expose all accounts            │
│ Enable MFA on every account          │ Stolen password alone cannot grant access          │
│ Use a password manager               │ Makes strong unique passwords practical            │
│ Never share passwords                │ Even trusted people can be compromised             │
│ Change default passwords immediately │ Default passwords are publicly known               │
│ Do not write passwords on paper      │ Physical theft exposes all accounts                │
│ Check if email is in known breaches  │ Identifies if current passwords are already leaked │
└──────────────────────────────────────┴────────────────────────────────────────────────────┘

Checking haveibeenpwned.com shows if an email address or password has appeared in any known data breach. This is a free and useful tool for assessing personal password exposure.

Strong passwords and MFA protect accounts at the individual level. The next important area is web application security — understanding how the websites and apps people use daily can be attacked and how those applications are built to defend themselves.
