Most systems will use a username/password combination to authenticate users. The username is typically not secret; it's often just the user's email address. The password provides the security.

There are many ways for an attacker to learn a user’s password:

  • Guessing
    • This should be extremely rare, but it’s always a possibility, especially if the attacker knows personal info about the target user.
  • Dictionary attack
    • A program runs through a ‘dictionary’ or list of common words/passwords to find the target’s password.
  • Brute force attack
    • A program tries every possible combination of letters, numbers, and other characters to find the password.
    • This is pretty easily detected, and in most systems will quickly trigger an account lockout.
    • Even if the system does not directly stop these attacks, very strong passwords will make it prohibitively time consuming.

Password Guidelines

  • A password should be AT LEAST 8 characters, preferably many more than that.
  • A strong password will have a mixture of upper case & lower case, as well as numbers and special characters.
  • The larger the set of characters that a password can use, the longer it will take to guess one.
  • Passwords should also be changed regularly.
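An added example (not part of the original notes) that puts the guidelines above into numbers: it works out which of the four character classes a password draws from, the size of the resulting brute-force search space, and the worst-case time to exhaust it at an assumed guess rate supplied by the caller. The 8-character minimum and the four classes come from the guidelines; the guess rate and the sample passwords are assumptions.

```python
import string
from typing import List

# Character classes from the guidelines: lower, upper, digits, special.
# A password's worst-case search space is (size of the classes it uses) ** length.
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "special": set(string.punctuation),      # 32
}


def charset_size(password: str) -> int:
    """Size of the smallest alphabet built from CLASSES that covers the password.
    Characters outside the four classes (spaces, non-ASCII) are not counted."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates a brute-force search must try in the worst case."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the search space at the given guess rate.
    The rate is an assumption chosen by the caller, not a measured figure."""
    return search_space(password) / guesses_per_second


def check_guidelines(password: str) -> List[str]:
    """Return the guideline violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords and an assumed rate of 1e9 guesses/second.
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple!1A"]:
        print(f"{pw!r}: charset={charset_size(pw)}, space={search_space(pw):.3e}, "
              f"worst-case={brute_force_seconds(pw, 1e9):.3e} s, "
              f"problems={check_guidelines(pw) or 'none'}")
```

Comparing the first two sample passwords shows the point of the third guideline: adding three more character classes multiplies the per-character alphabet from 26 to 94, and every extra character multiplies the whole space again.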

A strong password is good, but it's even better if users have Multi-Factor Authentication.