Password Etiquette


We get it – managing passwords is no fun. In today’s age of cloud-based applications, we need to manage and remember hundreds of passwords in order to do our jobs properly. The need to continually change these passwords, or create new ones to access new tools, leads us to forget existing passwords and reset them more often than we would like to admit.

Our first thought, to make life easier, may be to reuse the same password across multiple accounts. However, if the password for any one of these accounts is compromised in a data breach, you are ultimately giving hackers access to all of your online applications, where they may reach sensitive company and personal information.

Reusing passwords across various systems and websites becomes a major risk the moment a cybercriminal identifies one of your passwords. They will try that password anywhere they think you may hold a personal or professional account. This process is often automated, and access can be gained faster than you could reset all of your passwords.

Also be aware that using your company email address as a username, or reusing passwords across multiple systems and websites, may violate your company’s policies, potentially putting your job at risk.

Create a strong password

When creating a password for a system or website, always use a unique, strong password. Here are some tips for creating a strong password:

So, how can hackers and cybercriminals steal your passwords?

Hackers typically use a method called a “brute force attack”. A brute force attack consists of an attacker submitting many passwords or passphrases in the hope of eventually guessing the right one. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Hackers often use tools that can try hundreds, if not thousands, of password combinations within seconds if the web application or system has not been built to prevent this type of attack.

A brute force attack often uses what is called a “dictionary attack”. A dictionary attack is based on trying all the words in a prearranged list. Such attacks originally used the words one would find in a dictionary (hence the phrase “dictionary attack”); however, there are now much larger lists available on the Internet that contain hundreds of millions of passwords recovered from past data breaches.

There is also software that can take such lists and produce common variations, such as substituting numbers for similar-looking letters. Dictionary attacks often succeed because many people tend to choose short passwords that are ordinary words, or common passwords modified only by appending a digit or punctuation character. Dictionary attacks are difficult to defeat, since most common password-creation techniques are covered by the available lists combined with the pattern generation built into cracking software.
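As an added illustration (not part of the original guide), the following Python check takes the defender’s view of the point above: it undoes the most common mangling before comparing a candidate against a breached-password list, so a substituted or digit-appended variant of a known word is rejected just like the word itself. The breached list, the substitution table and the minimum length of 8 are constructed assumptions for the example.

```python
import re

# Constructed sample of a breached-password list; real lists hold hundreds
# of millions of entries recovered from past data breaches.
BREACHED_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "summer", "football"}

# Common "number or symbol for a similar-looking letter" substitutions that
# cracking tools generate automatically, mapped back to the letter they replace.
# This table is an assumption for the example, not an exhaustive list.
LEET_TO_LETTER = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def base_word(candidate: str) -> str:
    """Return the underlying word a dictionary attack would recover first:
    lowercase, with trailing digits/punctuation removed and character
    substitutions undone ('P@ssw0rd1!' -> 'password')."""
    word = candidate.lower()
    # Drop a trailing run of digits or punctuation ('summer2024!' -> 'summer').
    word = re.sub(r"[\d\W_]+$", "", word)
    # Undo leet-style substitutions inside what remains.
    return word.translate(LEET_TO_LETTER)


def check_password(candidate: str, min_length: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason). A variant of a breached word is treated as
    the same guess as the word itself. min_length=8 is an assumed policy."""
    if len(candidate) < min_length:
        return False, "too short"
    if candidate.lower() in BREACHED_PASSWORDS:
        return False, "appears in breached-password list"
    word = base_word(candidate)
    if not word:
        # Nothing left after stripping: the password was only digits/symbols.
        return False, "only digits or punctuation"
    if word in BREACHED_PASSWORDS:
        return False, "simple variation of a breached password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Summer2024!", "123456789!", "correct horse battery staple"]:
        accepted, reason = check_password(pw)
        print(f"{pw!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```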

Outsmarting a hacking attempt

The good news is that brute force attacks and dictionary attacks can be outsmarted with the following methods:

We now know the importance of creating and maintaining secure passwords and passphrases. But how are we supposed to remember all of these passwords and passphrases for so many websites?

Password Management

The answer is a strong password manager. A good password manager lets you securely store your passwords in a central encrypted vault that can only be decrypted on your computer using a strong master secret. If the master secret of a vault is compromised, every password in the vault must be changed. However, many password managers today support two-factor authentication and are designed so that the cloud service hosting the vault cannot access its contents, even if that service is compromised. Password managers hold a great deal of information that is valuable to cybercriminals, making them high-value targets, so securing these vaults is essential.


Cybersecurity Guide

Chapter 1: What is Phishing?
Chapter 2: Password Etiquette
Chapter 3: Business Email Compromise Scam
Chapter 4: What is the “Dark Web”?