Russ Harvey Consulting - Computer and Internet Services

Passwords: Your Electronic Signature

The login screen requesting username and password.

Some of the material on this page has been moved to separate pages for multifactor authentication (MFA/2FA), password managers and LastPass (includes my reassessment after the breach).

Passwords Secure Your Online Accounts

Increasingly, our lives are lived online: banking, shopping, donating, e-filing taxes, corresponding, posting on Facebook, etc.

According to Mozilla, the average person has 130 online accounts.

That's a lot of unique accounts — each requiring a unique password that is strong enough to resist hacking.

Passwords Protect Authority

Think of passwords as an electronic “Power of Attorney.”

Anyone in possession of your passwords can make purchases, access your bank accounts, access or delete files backed up or stored online, change settings, even post libelous comments about others on your social media accounts.

Your passwords need to be protected diligently.

Unfortunately, consumers seem to ignore such advice:

[A]bout half of consumers (45%) only change passwords for providers when prompted by the platform, when hacked, or not at all, with a similar percentage (44%) often reusing the same password on most of their accounts, leaving account information unprotected.

Creating Effective Passwords

Several factors are involved in securing our online accounts with effective passwords: length, randomness, a different password for every site, and promptly changing any password that has been exposed.

Use a password manager in combination with multifactor authentication (MFA/2FA) to improve security.

Together these make it easier to keep your online accounts safe and to respond quickly if a data breach reveals your account details.

Poor Password Choices Common

Unfortunately, most people view passwords as something imposed upon them rather than something that improves their security.

  • 44% of respondents use the same or similar passwords despite knowing this could increase their personal security risks.
  • 53% of respondents haven't changed their password in the last 12 months even after hearing about a breach in the news.
  • 41% of respondents think their accounts aren't valuable enough to be worth a hacker's time.
— LastPass

The fact that social media and advertisers expend so much effort to track your browsing history should tell you that information is extremely valuable to them.

NordPass and partners found that the most common passwords are incredibly easy to guess — and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered “unique.” — ZDNet

Poor security hygiene is a strong contributor to why so many people continue to have their accounts hacked or suffer from ransomware and other malware infections.

To protect ourselves from cybercriminals, it is essential to use a combination of characters when creating a password, use different ones for each account, use a long password, change it regularly and use two-factor authentication.

Make Passwords Long and Strong

Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases.
— Ipswitch

Generate passwords that are both long and strong to make them more difficult to guess and not easily discoverable.

Technology has made 8-character passwords insecure, even complex ones that mix letters, numbers and symbols, and attackers' password-cracking capacity improves each year.

These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.
Jeff Atwood (2017)

Bruce Schneier's Choosing secure passwords (2014) will give you a good idea of how passwords get hacked and reveals a great deal about hacker dictionaries (they contain lists of passwords that you'd think were great).

Longer Passwords More Secure

Passwords should be at least 12–15 characters long (I'd recommend longer where the site will allow it).

Given the considerable number of leaked passwords now available on the dark web, anything less than a generated 11 character password is asking for trouble.


Of course, most of us don't know whether or not our data is on the dark web. The odds are that at least some of your passwords (and usernames and email addresses) are in a database of hacked accounts.


That's why reusing passwords is so risky; hackers can easily use the same login combination on other websites.
LastPass blog

Strong Passwords Harder to Hack

Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies.

Prefer randomly generated characters where the site supports them: a random mix of letters and numbers interspersed with other characters.

  • Using mixed upper and lower case gives you effectively 52 letters to work from instead of 26.
  • Including several numbers and other permitted characters (such as the pound sign, hyphen and underscore) significantly increases the number of combinations an attacker must try.
  • Avoid starting with a capital and placing the numbers and symbols at the end; cracking tools try those patterns first.

Newer, more powerful computers are being developed all the time, and this raises the bar for what counts as a secure password. State-financed “bad actors” have the resources to obtain and use such equipment regardless of expense.

Password Strength Meters

Many sites will indicate an approximation of the strength of your password.

Don't use third-party sites to check the strength of your password. Even if these sites aren't attempting to hack your accounts, the mere fact that you've revealed a password to any site other than the one you use it to sign in to potentially makes it vulnerable.

Wikipedia's password strength entry includes examples of weak passwords such as the default passwords supplied by vendors (e.g., “admin”) and passwords that are more vulnerable to a “dictionary” attack.

Password Restrictions

Many sites restrict both the length of allowed passwords and their complexity (some disallow anything but letters and numbers).

The allowed legal characters can vary by site. Most will allow all letters and numbers, but some symbols (like /, \, < or >) may not be allowed.

  • Compensating with extra length for any disallowed symbols still yields a strong password.
  • Some sites will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.

I find it annoying that many of these sites only tell you their restrictions AFTER you've attempted to enter a new password, particularly the special characters that are not allowed.

Server Choices Affect Security

Even if you're using a decent password, the way a site stores passwords and how it transmits them can make you vulnerable.

  • A short maximum length (say, eight alphanumeric characters) is a warning sign. A properly hashed password takes the same amount of storage no matter how long it is, so a tight cap suggests the site is keeping passwords in a fixed-width field, possibly as plain text, or using a legacy scheme that only looks at the first eight characters.
  • If your password is stored in plain text then anyone with access to the database, employee or hacker, can read your password and everything else the site holds about you.

Many data breaches trace back to an employee: either a weak or reused password that gave attackers a way into the system, or an insider acting deliberately.

Brute Force Attacks

Brute force attacks refer to the process of testing one potential password after another until the password is discovered.

When a hacker breaks into a company, they usually look for and download the entire password database.


In short, not all encryption algorithms are built equally, and even worse, many companies don't protect their passwords correctly.


Some hashing methods are old and weak, and as a result can be broken by hackers. More commonly though, hackers take the stolen hashes, and begin to extract the passwords with a few methods.
Hive Systems

How Hackers Steal and Use Your Passwords discusses how hackers extract passwords from stolen password hashes.

This chart is a visualization of password vulnerability to brute force attacks in 2023:

Time it takes a hacker to brute force your password.
Credit: Hive Systems

Using numbers, upper/lower letters and symbols in a password makes it harder to hack than a less complex password of the same length.

Notice how much longer the estimated time for cracking a password was in 2020:

Time it takes a hacker to brute force your password.
Credit: Hive Systems

Longer passwords are less vulnerable to brute force attacks.

Those estimates assume truly random characters; several other factors can shorten the indicated timelines considerably:

  • Hacker “dictionaries” are faster than brute force attacks.
  • If your password has been hacked elsewhere (even if yours wasn't the account hacked) it will be more vulnerable.
  • Restrictions on passwords to only letters and numbers or to 8 characters can considerably weaken them.
  • Patterns like starting with a capital letter and ending with numbers or symbols increase predictability.
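
To make the arithmetic behind those charts concrete, here is a small estimator. It is an added example, not code from this page or from Hive Systems. It uses the standard pool sizes of 26, 26, 10 and 32 characters, an assumed rate of 10 billion guesses per second, and a short constructed stand-in for a hacker dictionary; all three are assumptions for illustration, and a real attacker's rate and wordlist will differ.

```python
import math

# Standard character pools. Sizes match the "52 letters instead of 26" arithmetic above.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"  # the 32 printable ASCII symbols

# Constructed stand-in for a hacker dictionary of leaked/common passwords (hypothetical list;
# real ones hold billions of entries). Stored lower-case; candidates are lower-cased to match.
LEAKED = {"123456", "password", "12345678", "qwerty", "p@ssw0rd", "n3wp@ssw0rd1922!"}


def charset_size(password):
    """Size of the pool a brute-forcer must cover: the sum of every class the password uses."""
    return sum(len(pool) for pool in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(ch in pool for ch in password))


def keyspace(password):
    """Number of candidates in an exhaustive search over that pool at this length."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Same quantity expressed in bits; each extra bit doubles the work."""
    return math.log2(keyspace(password))


def crack_time_seconds(password, guesses_per_second=1e10):
    """Worst-case exhaustive-search time at the assumed rate, or 0 when the password
    is in the dictionary (a dictionary pass runs before any brute force)."""
    if password.lower() in LEAKED:
        return 0.0
    return keyspace(password) / guesses_per_second


def describe(seconds):
    """Human-readable duration, the way the Hive Systems chart labels its cells."""
    if seconds == 0:
        return "instantly (dictionary hit)"
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("abcdefgh", "Tr0ub4dor&3", "N3wP@ssw0rd1922!", "JptGPot2&4FiD"):
        print(f"{pw!r:20} charset={charset_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"brute force at 1e10/s: {describe(crack_time_seconds(pw))}")
```

The dictionary check comes first because, as the list above says, a password that appears in a leaked list is found on the first pass no matter how long or complex it looks; the time estimate is only meaningful for genuinely random passwords.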

“Dictionary” Attacks

Since some combinations are more likely, the hacker will build a “dictionary” of potential passwords. This dictionary contains foreign words, places and patterns of characters that form commonly-used world-wide passwords.

Data breaches have revealed personal information but also common passwords which are added to hacker dictionaries.
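
The following example shows why a site's storage choices matter to the user. It is added here and is not part of the original page or of the Hive Systems article it cites. It builds a tiny constructed user database two ways, as unsalted SHA-256 hashes and as salted PBKDF2 strings, then runs the same constructed wordlist against both. The user names, passwords, wordlist and the reduced iteration count are all made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample database: three users, two of whom chose the same weak password.
USERS = {"alice": "Summer2023!", "bob": "password", "carol": "password"}
# Constructed stand-in for a hacker dictionary (a real one has billions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2023!"]

# Deliberately low so the demo runs quickly; OWASP currently recommends 600,000
# iterations for PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000


def store_unsalted_sha256(password):
    """Weak: a fast hash with no salt. Equal passwords give equal hashes, and one
    precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_pbkdf2(password, salt=None, iterations=ITERATIONS):
    """Better: a random per-user salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored, password):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_db(store):
    return {user: store(pw) for user, pw in USERS.items()}


def crack_unsalted(db, wordlist):
    """Attacker hashes each word once, then looks every stolen hash up in the table."""
    table = {store_unsalted_sha256(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)  # hash operations performed


def crack_pbkdf2(db, wordlist):
    """The salt defeats the shared table: every (user, word) pair costs a full slow hash."""
    cracked, ops = {}, 0
    for user, stored in db.items():
        for word in wordlist:
            ops += 1
            if verify_pbkdf2(stored, word):
                cracked[user] = word
                break
    return cracked, ops


def demo():
    weak_db = build_db(store_unsalted_sha256)
    strong_db = build_db(store_salted_pbkdf2)
    return {
        "same_hash_for_same_password": weak_db["bob"] == weak_db["carol"],
        "same_pbkdf2_for_same_password": strong_db["bob"] == strong_db["carol"],
        "unsalted": crack_unsalted(weak_db, WORDLIST),
        "pbkdf2": crack_pbkdf2(strong_db, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the unsalted store, the attacker hashes each dictionary word once and cracks all three users with five hash operations; the two identical passwords even show up as identical hashes. With a per-user salt, the same attack costs a fresh slow hash for every user and word (nine here), and nothing can be precomputed before the breach. That is the difference between a site that “doesn't protect their passwords correctly” and one that does. Neither protects a user whose password is in the dictionary, which is the point of the rest of this page.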

Don't Reuse Passwords

Would you feel safe if every apartment in your building used the same key?

Reusing passwords or repeating phrases within your passwords is just as risky.

Users tend to use a single password at many different web sites.


By now there are several reported cases where attackers break into a low security site to retrieve thousands of user name/password pairs and directly try them one by one at a high security e-commerce site such as eBay.


As expected, this attack is remarkably effective.
Stanford Security Lab

The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password.


Does this sound like something you do? If so, cut that bad habit now!
LastPass blog

Once hackers catch on, all your accounts are vulnerable.

Generate Unique Passwords for Every Site

A unique password for every site limits the fallout if one account is hacked.

With a unique password for every site, a breach at one site exposes only what you gave that site (your name, email and whatever else you provided there), not the credentials to your other accounts.

Without the aid of password management software, people tend to reuse passwords or generate similar passwords with an extra number or other modifier. This is not security-smart.

Hundreds of online accounts can be compromised in a data breach on any given day. Reusing passwords could put your more sensitive accounts at risk.

Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren't after your Spotify passwords because they want to see who your favorite artists are.


They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network.
Check Point blog

Compromised accounts are vulnerable from anywhere in the world.

Make Them Random

Unfortunately, people are creatures of habit and tend to follow the same sort of process in creating passwords such as familiar names (girlfriends, sports teams, etc.) and predictable patterns.

Respondents also retain a fondness for “keepsake passwords” including personally significant details as a family or pet name, a birthday or other important date, or a current or previous address, with 48% reporting that practice the last time they created or updated a password.

Patterns Make Passwords More Vulnerable

Passwords with simple phrases or common combinations are easily guessed.

If you can say your password (even with variations like “password with a zero”) it can be compromised in as little as one second using a dictionary attack.

We tend to start with a capital and leave the numbers and special characters at the end. This makes their discovery easier.

Avoid simple substitutions like @ for a, 3 for e and 0 (zero) for o (e.g., N3wP@ssw0rd1922!); cracking tools apply these “mangling rules” automatically.

In one 2010 case study, the top three compromised passwords were 123456, password and 12345678.
— Duo Security

Keyboard Sequences NOT Secure

Keyboard sequences like qwerty or zxcvbnm, or patterns such as a “Z” traced on the number pad, look complex but are among the first things cracking tools try. 123456 is used by 17% of users.

This practice is known to hackers, yet is still common according to the information culled from recent exploits.

Single Sign-on Flawed

Single sign-on (SSO) uses your Google, Facebook or Apple ID to log into third-party sites.

SSO may be convenient, but creates a single point of failure.

But for all its convenience, consumer SSO has some real drawbacks, too.


It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed.


And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.

While sites using SSO may not be provided with your Facebook or Google password, they can access information that allows them to improve their profile of you.

Logging in to a website using a service such as Facebook or Google allows the website to make a request for data about you.


Linking two or more sites allows companies to collect more data, building an increasingly rounded profile about you.


Allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.
Natasha Stokes

Facebook and Google both collect vast amounts of data on users and profit from it, threatening your privacy; together they control a large share of Internet advertising revenue.

Allows for BITB Attacks

A phishing technique called “browser in the browser” (BITB) exploits the pop-up login window that SSO relies on. The phishing page draws, with HTML, CSS and JavaScript, a fake pop-up that mimics the provider's sign-in window, complete with a counterfeit address bar showing the legitimate URL, so the usual “check the address bar” advice fails. The fake can fool all but the most astute observer.

One practical check: a real login pop-up is a separate window and can be dragged outside the edge of the main browser window; a BITB fake is part of the page and cannot leave it. A password manager also helps, because it fills credentials based on the page's real address, so it will not offer your Google or Facebook login on the phishing site's page.

Change Compromised Passwords

It is a good idea to change your passwords regularly but is critical after you become aware that one has been compromised in a security breach.

Frequent password change policies sound good, but they only work if you employ a password manager. Otherwise people tend to use weak passwords because they are easy to remember.

Sharing Passwords Risky

A surprising number of people share passwords without changing them afterwards.

The results of the LastPass Sharing Survey (infographic).
Credit: LastPass.

When you share a password, especially if it is done insecurely, you create a vulnerability that could cost you your privacy or empty your bank account.

Sharing Streaming Passwords

Many people share their streaming passwords with friends, family and others.

You may justify this with cost savings, but sharing your streaming passwords is putting your privacy and personal data at risk.

Sharing Passwords Between Work and Home

What about using the same passwords at home and at work?

This reduces the protection of both your personal and your business accounts.

What's frightening is that 47% of survey respondents admit there is no difference in passwords created for work and personal accounts.


Which means that one re-used password has the power to compromise an entire organization's network. A company's network security is only as strong as their weakest link — the employees.


Poor security habits can leave that door wide open for hackers.
LastPass blog


Remembering Passwords

Remembering complex passwords can be extremely difficult.

Even a password manager requires you to memorize your master password to protect your vault.

Memory Helpers

Remembering passwords can be made easier by using “memory helpers.”

Having a sentence that makes sense to you, but is not easily discovered could be one solution.

  • You can use the first letter in each word of a phrase that makes sense to you.
  • For better security, you want something that combines upper & lower case letters, numbers and, where possible, symbols.

"Jason plays the Grand Piano on the 2nd & 4th Fridays in December" can help you remember JptGPot2&4FiD.

Longer passwords are now necessary; the example above yields only 13 characters, so choose a longer phrase or combine two.

Avoid Common Quotes or Slogans

Avoid phrases that are easily guessed, like frequently-quoted Bible verses or company slogans.

There is a limit to how many of these clever phrases you can create and remember.

I recommend a password manager to generate a long and strong password to protect your online accounts.

A password manager's master password must be even stronger because it protects all your other accounts.

Be Careful With Lists

Be conscious of how you keep records of your passwords and don't use vulnerable locations which can easily be compromised.

  • Don't keep passwords on Post-it notes stuck onto your monitor where visitors and other employees can see them.
  • If you must keep a list of passwords in a file on your computer, it should be encrypted (a password manager's vault does exactly this); disguising the file name is not protection, since malware that harvests documents does not care what a file is called.

Generating Passwords

Most humans tend to use recognizable patterns when creating passwords.

You want to create passwords that are long and strong that are unique for every site or application.

I recommend using a password manager to generate your passwords since they are then stored in a secure manner and usually available for use on multiple computers and devices (depending upon the one you choose).

Password Generators

Password generators produce random strings that no human would choose, drawing on a cryptographic random-number source rather than memory or habit.

Randomly generated passwords provide better security because the user never gets the chance to pick something guessable or to reuse a favourite.

Be sure of the integrity of the site or app before depending upon the passwords it generates. Prefer the generator built into your password manager, which runs locally; a web page that generates passwords for you has, in principle, seen every one of them.
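
Here is what a trustworthy generator does, as an added example written in Python (not this site's code or any particular password manager's). It draws from the operating system's cryptographic random source via the secrets module, removes whatever symbols a site disallows (the / \ < > example from the Password Restrictions section above), and guarantees at least one character from each remaining class without making capitals come first or digits last. The lengths and disallowed sets used below are assumptions chosen for the demonstration.

```python
import secrets
import string

# Character classes a site may require. A site's "disallowed" list is removed from each.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def allowed_classes(disallowed=""):
    """Each class with the site's disallowed characters removed; a class the site
    forbids entirely (e.g. no symbols at all) simply drops out."""
    classes = ["".join(ch for ch in cls if ch not in disallowed) for cls in CLASSES]
    return [cls for cls in classes if cls]


def generate_password(length=20, disallowed=""):
    """Uniformly random password over the allowed alphabet, using the OS CSPRNG
    (secrets), never the predictable `random` module. Rejection sampling enforces
    'at least one of each class' without biasing where capitals, digits or symbols land."""
    classes = allowed_classes(disallowed)
    alphabet = "".join(classes)
    if length < len(classes):
        raise ValueError(f"length {length} cannot contain all {len(classes)} required classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def meets_policy(password, length, disallowed=""):
    """Check a password against the same site rules; use it to verify any generator's output."""
    classes = allowed_classes(disallowed)
    return (len(password) == length
            and not any(ch in disallowed for ch in password)
            and all(any(ch in cls for ch in password) for cls in classes))


if __name__ == "__main__":
    # Hypothetical site that forbids / \ < > and allows 16 characters.
    print(generate_password(16, disallowed="/\\<>"))
    # Hypothetical site that allows letters and digits only.
    print(generate_password(12, disallowed=string.punctuation))
```

Rejection sampling (generate, then discard candidates missing a class) is used deliberately: the common shortcut of picking one character per class and shuffling skews the distribution. The meets_policy check lets you confirm a generator's output against the same rules before you trust it.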

Updated: August 23, 2023