15 min read

1. About Passwords

Let's start with an explanation about the importance of passwords. Due to a trivial understanding about passwords themselves, users might ignore the importance of having a guarded and strong password. A strong password is one that is fairly difficult for a cyber-criminal to decode and guess. Thus, to recover a forgotten password, people might hire a hacker or scammer to decode and change back their password. A strong password is one that can withstand various attacks from hackers and the account will remain safe. This way, people can minimize the opportunity to get scammed when they need to recover their password. A strong password also protects user data, privacy, and confidentiality because there's no reason for a hacker to want to hack an account with a generic password and a few dollars in it. After all, the password is the first line of defense for personal data, and users should put a high interest in ensuring a secure password for their account.The basic point of the whole text lies in the realization about the importance of passwords and how people can employ them to ensure safety and privacy in life. This stage is considered as the highlighted topic where people can't avoid implementing it to have a proven guarded life against the increasing terrible cyber-crime and threats over the internet. By understanding the motives and reasons behind cyber-criminals, password generation could contemplate one suggested action to protect themselves, which is to come up with a guarded password to protect their own data.

1.1 Importance of Strong Passwords

A significant amount of network security breaches today are the result of password attacks, often facilitated by weak or guessable passwords. The best way to minimize the likelihood of a security breach via a password attack is to ensure that users are assigning strong passwords to their accounts. Password security is the first line of defense against unauthorized access to a system, yet password policies are often among the weakest and least enforced security measures. Strong password policies are even more critical in an era of heightened concern over security. Measures taken to increase password strength, if properly implemented and enforced, can have immediate and lasting security benefits.In the early days of computing, most users had only one password: their login password. Since most computers were not networked, this level of security was sufficient. Today, however, things are drastically different. It is no longer a question of whether a network has been broken into, but simply when it will happen and how extensive the damage will be. Any Internet-connected computer is a potential target. The need for strong passwords has never been greater.

1.2 Risks of Weak Passwords

Research has shown that weak passwords are the root cause of many computer compromises. Weak passwords are easy to guess based on a limited number of possibilities. With the speed and processing power of today's computers, it is easier than ever before for someone to guess a password in a short amount of time. When we use words that are easily guessed or related to us (such as names of family members and pets), we are making it even easier for someone to gain unauthorized access to our accounts. Weak passwords constructed of a combination of dictionary words, names, and dates are security risks, as they have higher possibilities of being broken. It is simple to write a program that tries all the words in a dictionary and some from a list of proper names or number permutations. Online password guessing tools use the dictionary and permutation tactics to crack your password. This is known as a dictionary attack and a brute force attack. These attacks are very effective methods for gaining unauthorized access to personal information and data. Weak passwords are also vulnerable to "shoulder surfing" in public places where someone can easily see and memorize your password, or simple eavesdropping on your internet communication. In general, if you can remember your password, there is a good chance it is weak. Step one towards prevention of password compromise is the understanding of what makes a bad password and awareness of the tactics used to compromise or steal passwords.A 2003 study showed that 75% of Ohio State University undergraduates used the same, simple password for most of their online accounts. Things are even getting more risky over time. We love to use technology because it makes our lives easier, such as online banking, checking account balances, making bill payments, and transferring funds. We are always engaged with online financial transactions for goods or services. In addition, many of us keep personal information on our computers. Most people want to keep their personal information secure, but usually do not take the necessary steps to ensure that it is. Using strong, unique passwords is essential in order to protect your identity and your personal information. A strong password helps to: a) Keep your information secure; b) Protect your privacy; c) Prevent identity theft.

2. Creating Strong Passwords

2.2 Avoiding Personal Information It's important to never create a password that contains personal information such as your name, birthday, and address. This information is often readily available for people to find, and using it in a password would make it much easier for someone to gain unauthorized access to your account. Also try to avoid using the same password for different accounts, as if someone were to figure it out, they would have access to more than just one account.2.1 Length and Complexity It's a good idea to create your passwords with a length of at least 8 characters, as a longer password provides better protection. The strength of a password also increases with different characters, so including numbers and punctuation will generally make it stronger. Try using a phrase that only you would know, and abbreviate it into a password. For example, "My grandmother's birthday is July 4th, 1923" turns into "Mgbij4th,1923".Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it involves a concept common to many password-management systems requiring a user to create a password so that it registers as acceptable within a particular password policy. Creating a strong password is important not only with Joomla! but with any server side login (and even some client side logins). User accounts are a prime target for hackers and malicious users to gain unauthorized access and do things like tamper with user data, change settings and content or deface your site. If a malicious user gains access to an administrator account, the devastation it can create is compounded.

2.1 Length and Complexity

Consider using an on-screen keyboard when entering passwords to avoid keyloggers.A user's password phrase should focus on having words that are easy to remember and don't include words that can be found in a dictionary. Using numbers and special characters to replace letters that make sense is by no means secure. For example, using '[email protected]' is NOT strong, given it is a simple character substitution of the word 'password'. However, mixing in numbers and special characters will dramatically increase the strength of the password. The best way is to include them within the phrase, such as turning "Too long and Complex=2L&C". The more difficult the special characters and capitalization are used, the better. This method makes passwords both easy to remember and type, while also increasing its complexity.Length is the primary factor that determines the strength of a password. It is important to have a minimum password length of at least 8 characters, but it has been found that 14 is ideal. The reason is that each character adds an additional bit to the entropy of the password, making it more secure and harder to guess. Most importantly, having a longer password usually means that you will use a phrase that is easy to remember, which is very beneficial.

2.2 Avoiding Personal Information

It's also important to bear in mind cultural differences. Words from your native language can still be considered personal information even if you use an English keyboard to type them. This is particularly relevant to people who have a password for an account on a server in another country. A good example of this is the Acute Aphex, where a user tried to speak to us in English using complex English phrases but all the while we had a laugh at his expense because his name was "Újjas Eszter". In accordance with this, avoid contact information. This applies both to you and to people you know and can still be an easy source of information. This means avoiding email addresses, messenger names, phone numbers, etc. with the added bonus that if you ever lose the information, you won't have to change your password!One way to obtain your password is by using personal information. Many people use aspects of their own lives as passwords and therefore put themselves at risk. Anyone who might know you can guess this type of password quite easily. For example, if you like cars and motorbikes and your name is Bob, chances are your password might be something like "boblovescars". To avoid this type of situation, don't use personal information such as your name, birthday, spouse's name, child's name, pet's name, or your favorite team. This information is easy to obtain through public records or social media. By avoiding using this kind of information, you can increase the security of your password. This does mean you might have a memorable password, but by using the techniques in this guide, you can create a memorable password that is still difficult for others to guess.

2.3 Using a Combination of Characters

To increase password strength, one must mix letters and non-letters as well as long strings of characters to produce better protection. Any character on the keyboard may be used in a password, and passwords are case-sensitive. When creating a password, it is best to use a combination of letters and non-letters. Using numbers and symbols in place of letters (for example, "p4ssw0rd" instead of "password") is a way to make a memorable password less memorable. Substituting characters not only makes the password less predictable, it also increases the number of possible combinations, and thus the strength. A common and insecure way to accomplish password substitution is to simply change case (for example, "Password" instead of "password"). To do this securely, choose a different letter to replace with its upper or lower case pair. This should be avoided, however, as case substitution is so common that it is now included in the calculations for password strength. There are generally regarded as 4 types of characters: lower case letters, upper case letters, numbers, and symbols. Using the symbol characters greatly increases a password strength, in part because it often requires use of the shift key which increases the chance of case errors (while also increasing the strength of case substitution). Overall, to increase password strength its best to use a diverse mixture of both letters and non-letters with an emphasis on non-letters and an avoidance of common dictionary word and letter patterns. This can be very difficult and annoying to do with memorable passwords, which is one of the reasons it's often best to use a password manager and a very strong but not memorable master password.

2.4 Regularly Updating Passwords

If a password is compromised, the attacker will exploit it immediately, and frequent password changes just result in users alternating between a list of passwords, many of which will be similar to the password that's just been compromised. In a paper examining the password habits of hospital employees, it was found that passwords were often changed in response to a suspected security threat, but little attention was actually paid to generating a stronger password. Passwords stayed the same or only varied slightly, and even when staff were aware of an incident involving patient information being compromised, there was often no change to the related passwords. In the study, an overwhelming 75% of employees stated that they felt that changing passwords was an effective way to prevent unauthorized access, yet the research demonstrated that this was not the case. Given the disruptions it causes, the strong focus on changing passwords may, in fact, be an obstacle to establishing a better password management policy and educating users to choose and memorize more secure passwords.Regularly updating passwords is an effective step in minimizing password-related risks. Current security guidelines, such as the NIST password recommendations and Microsoft's baseline security settings, recommend 90-day password expirations. The idea of changing passwords frequently isn't a new one, but due to the requirements of various corporations and the auditors who ensure they're meeting these requirements, users are forced to choose new passwords quite regularly, and this can affect the way they manage their passwords. In choosing something that changes often, it's all too tempting to select a password that follows a pattern. DevOps team to the rescue to make the process easy for you! Using the high flexibility of the passphrases as a base and tweaking it to suit various password rules, they have developed an algorithm that can generate a password that's both highly random and yet still very memorable to the user, according to a given policy. Users need to be educated on the fact that they shouldn't be relying on password changes as a means to secure their account.

3. Managing Passwords

Two-Factor Authentication. Two-factor authentication systems can be easily understood using a bank ATM as an analogy. With an ATM, you must have the physical card and know the PIN associated with the card in order to access the accounts associated with it. The card is the first factor and the PIN is the second factor. Similarly, two-factor authentication requires you to have two out of three types of credentials, which are often something you know (like a password), something you have (like a mobile device), or something you are (like a fingerprint). Typically, the most secure type of two-factor authentication sends a time-sensitive code to your mobile device when a login attempt is made on a new or unrecognized device. This PIN must be entered in addition to the password, so even if someone else has your password they will be unable to log in without the PIN. This system can be a bit less convenient, but greatly increases the security of an account. Two-factor authentication is available on many services like Gmail, Facebook, and various banking websites. Often these systems are not enabled by default and you must enable them in your account settings. Two-factor authentication is not a replacement for using a strong password and should be used in conjunction with it. Once you have enabled two-factor authentication, it's a good idea to store backup codes in case the mobile device used for authentication is lost or broken.Password Managers. Password management services, such as KeePass, LastPass, or 1Password, help you keep track of your various passwords across different sites. These services usually require you to remember one strong master password and can help you generate more secure passwords. Additionally, password management services can pre-fill your login information on websites and some even have the ability to log in automatically. Many of these services can sync your password data with a smartphone or tablet. This can be a very convenient way to keep track of passwords, but you must consider the security of accessing your passwords on a mobile device. Using a password manager can be a good way to maintain unique and strong passwords for each site, particularly if the alternative is using the same password on many sites because it's easier to remember.

3.1 Password Managers

The general concept behind a password manager is that it provides a convenient method for a user to maintain and input multiple strong unique passwords for accounts, without having to remember those various new passwords. With the use of a password manager, a user may only have to remember a single strong password for the manager to then gain access to the stored password data.A password manager is a software application that is used to store and manage users' passwords and the associated account login information. The method in which the password data is stored can vary per application - from a locally stored file on the user's computer, an encrypted file that can be backed up, or a database that is stored and maintained on a central server. The security of such methods can vary depending on the trust of the application itself and the use of a strong security key or master password for encryption/decryption of the stored passwords.Password management can come in various forms, such as using the same base password with slight variations for different accounts, writing down passwords for reference later, or using a more secure method such as password managers. For the case of the last method, considering the previous principles on password creation, it is the most efficient and secure method for maintaining multiple strong unique passwords for accounts.Many people use the same password for multiple accounts, which is a major risk to the security of those accounts in case the password is discovered by someone else. One of the major challenges in trying to generate long, secure passwords is remembering exactly what that password is. This is where password management comes into play - a method of simplifying the use of various strong and unique passwords for multiple accounts.

3.2 Two-Factor Authentication

The strength of two-factor authentication lies in this separation of the two factors. Consider the example of a bank card and pin number. These two items are both forms of authentication, but are useless on their own. You can give your bank card to someone for them to make a payment with, and then take it back, leaving the person who took it with no option to retrieve money from your account. Similarly, if someone manages to find out your pin number, they can't use it without the card. This effectively provides two-factor authentication for your bank card, and is why cards require the pin number to make a payment, rather than just signing for it.Two-factor authentication is an excellent method of preventing access to your account, as even a keylogger or other form of malware which has stolen your password will be rendered useless. It is particularly useful for accounts which you may need to access from a public computer, such as email or cloud storage, as you can leave the second factor of authentication at home, safe from potential attackers.Two-factor authentication, in order to the standard login system of providing a username and password, adds a further step to verify the user. This can take the form of a numerical code which is sent to your phone that you must enter in addition to your password, a temporary key file which you plug into your computer, or even a biometric device such as a fingerprint scanner. By using a second piece of information, even if your password is compromised, the attacker will still require the second factor of authentication, something they are unlikely to have.

3.3 Avoiding Password Reuse

A better solution is to create different passwords with no correlation, and store them in a password manager for easy access. This may be difficult initially, as remembering several unrelated passwords can be challenging, but over time it will become second nature.If a password is strong in relation to the root, it is likely that the derived passwords are equally strong. Depending on the type of hash used for storage, it is feasible that an attacker could obtain a few hashed passwords and determine the root password via a password cracking algorithm, then apply the same method to derive different passwords for different accounts.A common technique used in password reuse is to derive a root password and then append or prepend different characters to reflect the account in question. For example, if your root password was 'password1', your Facebook password might be 'facebookpassword1'. While this is certainly an easy method to remember passwords, it is also easy for an attacker to crack.Now, the idea of remembering several complex passwords can be very daunting. Again, this is where a password manager is an extremely useful tool. If the password is sufficiently complex and difficult to remember, writing it down can also be a viable option, but be sure to store it in a safe location.Using the same password concurrently on separate accounts is a very dangerous practice. If a single password is exposed or cracked, all your accounts and data can be easily compromised. To prevent this catastrophe, ensure that you use a unique password for the critical and important accounts such as email and banking. This will isolate the impact of a potential breach.

4. Best Practices for Password Security

Use a strong mix of characters. Be sure to use numbers, upper and lower case letters, and symbols in your password. Using something like p@sswOrd123 as an example would be a very strong password and can be simple for you to remember. There are also sites that can create strong passwords for you. Using strong passwords decreases the chances of being hacked and having your information stolen. On the other hand, avoid easy to guess passwords such as your name, birthday, login or email, names or birthdates of your children or spouse, etc. If it is easy for you to remember, it is probably just as easy for someone else to guess. Always use a different password for every website. If you cannot remember all of your passwords, write them down on paper and keep it in a safe place, just remember where you put it! Another method would be to store your passwords in a text document and zipping it with a program like WinZip, and then encrypting the zip file with a unique complex password. This method has the potential to be very secure, but is not practical if you frequently need to access your passwords on different computers. Instead of doing this, it may be more practical to use an online password storage tool, but this poses the risk of losing everything if the website is hacked. When in doubt, changing your password is never a bad thing.

4.1 Changing Default Passwords

Another bad practice in creating a password is making just a single password for every account you have. This can also be very dangerous since when one of your accounts is hacked, then all of your accounts will be vulnerable. You should create a different password for each account. If you have a problem remembering all those passwords, just write them on paper and keep it in a safe place.In creating a password, it is better to use a combination of random letters and numbers. Although it can be hard to remember, this kind of password is very hard to be guessed. There is one trick to create this kind of password and still easy to remember. You can create a password based on a known sentence and take the first letter of each word. For example, if you have the sentence "I'm the best gamer", then your password will be "itbg".Many people create passwords by using simple words. Some of them use their name, simple words from the dictionary, or number/letter sequences. This is a very bad practice since a simple password can easily be hacked using password cracker software. Your name, dictionary words, or number/letter sequences are very predictable and can be guessed easily by people who attempt to hack your account.When it comes to an online account where many people enter, there is no better way to keep it secure than using a password. Some people can use your account to perform prohibited actions, and it can be very bothersome. There are several things you can consider in creating a password to secure your account. This article will give you several best practices for password security.

4.2 Being Wary of Phishing Attempts

The phisher's goal is to steal your personal information, such as user names and passwords, credit card numbers, etc. Often the first indication of an attack is a large amount of account hijacking taking place. The attacker is using automated methods to verify the stolen information by attempting to login to various accounts. If you use separate account information at different sites but the same information at a multitude of gaming sites, for example, and you suddenly find one or more of those accounts hijacked, this might be an indication that a phisher has stolen your information from just one of those gaming sites. Phishing attacks are a constant threat to online account security, and require diligence and awareness to defend against.Phishing is a type of attack where an attacker attempts to trick you into providing your personal information, usually by posing as a legitimate site and then e-mailing you to "verify" your information at that site. The trick is pulled off by including a link in the e-mail that takes you to the bogus site. If you do not look carefully at the URL in your web browser, you may not realize you are at a phony site. Sometimes the phisher will use other methods, such as IM (instant messaging) or IP telephony.

4.3 Regularly Monitoring Account Activity

When it is known that even the best password can be cracked, and that the fallout from a stolen password can already be underway the moment you enter your login details, how can you protect yourself from future problems? As much as we hope our passwords will keep our accounts locked, ensuring that we know when something goes wrong can be just as important. Regular login to accounts will start to give you a feel for normal activity. For example, a sudden influx of emails from people claiming to have received spam from your account can often be a cunningly-spammed address harvester at work; or sending out mail from your account. With services such as Gmail, you can see if and where your account has last been accessed from (an IP address), and many online games display a full log of login times and IP addresses. Take five minutes to know how much access monitoring you have. It is a fairly common occurrence for large websites to be hacked, and their entire user databases leaked onto a hacker forum. If you're a regular user of a website that has had said problems, keeping an eye on your account and/or email for the next few months could save you a lot of potential hassle!