Most systems use a username/password combination to authenticate users. The username is typically not a secret; it’s often just the user’s email address. The password provides the security.
There are many ways for an attacker to learn a user’s password:
- Guessing
  - This should be extremely rare, but it’s always a possibility, especially if the attacker knows personal info about the target user.
- Dictionary attack
  - A program runs through a ‘dictionary’ or list of common words/passwords to find the target’s password.
- Brute force attack
  - A program tries every possible combination of letters, numbers, and other characters to find the password.
  - This is pretty easily detected, and in most systems will quickly trigger an account lockout.
  - Even if the system does not directly stop these attacks, very strong passwords will make them prohibitively time consuming.
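The account lockout mentioned above, as an added example that is not part of the original notes: a small failed-login counter that scans constructed sample log lines and locks an account once it sees a threshold of failures inside a sliding time window. The log format, the threshold of 5 failures and the 10-minute window are assumptions chosen for illustration.

```python
"""
Added example (not from the original notes): a minimal failed-login
counter implementing the account-lockout behaviour described above.
The log format, threshold and window below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                    # assumed lockout threshold
WINDOW = timedelta(minutes=10)      # assumed sliding window

# Constructed sample log lines: "<ISO timestamp> <result> <username>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL alice@example.com
2024-01-01T10:00:02 FAIL alice@example.com
2024-01-01T10:00:03 FAIL alice@example.com
2024-01-01T10:00:05 FAIL alice@example.com
2024-01-01T10:00:06 FAIL alice@example.com
2024-01-01T10:00:08 FAIL alice@example.com
2024-01-01T10:01:00 OK   bob@example.com
2024-01-01T10:30:00 FAIL bob@example.com
2024-01-01T10:45:00 FAIL bob@example.com
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user)."""
    ts, result, user = line.split()
    return datetime.fromisoformat(ts), result, user


def find_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: timestamp_of_lockout} for every user whose failed
    attempts inside any `window` reach `max_failures`.
    A successful login resets that user's failure count."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user = parse_line(line)
        if user in lockouts:
            continue  # already locked; later attempts are simply rejected
        if result == "OK":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        # Drop failures that have aged out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            lockouts[user] = ts
    return lockouts


if __name__ == "__main__":
    for user, when in find_lockouts(SAMPLE_LOG).items():
        print(f"{user} locked out at {when.isoformat()}")
```

In the sample data alice reaches five failures within seconds and is locked at the fifth one, while bob's two failures are 15 minutes apart and never accumulate, which is the behaviour that lets legitimate typos through but stops rapid guessing.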
Password Guidelines
- A password should be AT LEAST 8 characters, preferably many more than that.
- A strong password will have a mixture of upper case and lower case letters, as well as numbers and special characters.
  - The larger the set of characters that a password can use, the longer it will take to guess one.
- Passwords should also be changed regularly.
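The guidelines above, as an added example that is not part of the original notes: a policy check for the minimum length and character classes, plus a keyspace estimate that shows why a larger character set and a longer password raise the cost of a brute-force search. The class sizes (26/26/10/32), the assumed guess rate of 10^10 guesses per second and the worst-case "try every candidate" model are illustrative assumptions, not figures from the notes.

```python
"""
Added example (not from the original notes): a password-guideline check
and a keyspace estimate. Character-class sizes and the guess rate used
in years_to_exhaust() are assumptions for illustration.
"""
import math
import string

# Character classes and their sizes (assumed: ASCII letters, digits,
# and the 32 ASCII punctuation characters)
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),
}
MIN_LENGTH = 8  # the notes' minimum


def classes_used(password):
    """Names of the character classes that actually appear in `password`."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def check_policy(password):
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CLASSES) - classes_used(password)
    for name in sorted(missing):
        problems.append(f"no {name} characters")
    return problems


def keyspace_bits(password):
    """Bits of keyspace a brute-force search must cover, assuming the
    attacker already knows the length and which classes are in use
    (a conservative, defender-side estimate)."""
    size = sum(CLASSES[name][1] for name in classes_used(password))
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    for pw in ["password", "Short1!", "Tr0ub4dor&3", "passwordpassword"]:
        bits = keyspace_bits(pw)
        print(f"{pw:18} violations={check_policy(pw) or 'none'} "
              f"bits={bits:.1f} years={years_to_exhaust(bits):.3g}")
```

Comparing "password" (one class, 8 characters) with "Tr0ub4dor&3" (four classes, 11 characters) makes the note's point concrete: the keyspace grows from roughly 2^38 to roughly 2^72, and the longer single-class "passwordpassword" scores higher still, which is why length matters at least as much as mixing classes.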
A strong password is good, but it’s even better if users also have Multi-Factor Authentication.