This content is taken from the Raspberry Pi Foundation & National Centre for Computing Education's online course, Introduction to Cybersecurity for Teachers. Join the course to learn more.

Passwords

What do we protect with our passwords?

Most of our online accounts are protected by a username and password combination. These passwords protect the data that we store in our accounts, whether that is our bank details, our purchase history, or our home address.

Exercise

How many accounts do you have that are password-protected? How many different passwords do you have?

Read the rest of this step, and comment on how secure you think your passwords are.

Passwords do not form a perfect defence. There are many ways in which attackers can find out your passwords and then use them to enter your accounts.

How are passwords hacked?

You will learn about three different types of password attack: brute force attacks, theft of individual passwords, and theft of batches of passwords.

Brute force attacks

In a brute force attack, an attacker guesses passwords until they find the correct one. This might involve guessing a combination of characters, or creating a list of passwords beginning with the most common, as in the more specialised dictionary attack. The dictionary that attackers use contains passwords centred around real words and combinations of real words.

[Image: a word cloud of common passwords]

Theft of individual passwords

An attacker could steal a victim’s password, for example, by using the social engineering techniques discussed previously, or by infecting the victim’s device with a form of malware that records their activity, including the letters that they type. You will learn more about malware next week.

Some websites take more precautions to protect your accounts than others. You might have multiple strong passwords for an online banking account, but you might not take the same precautions when setting up a social media account. Attackers know this, and will target weaker accounts to help them to guess the passwords for more secure accounts.

Theft of batches of passwords

An attacker could hack a website and steal batches of passwords. This can give them access to lots of accounts at the same time. To learn more about how websites store passwords securely, refer to the attached PDF.

How do you make a strong password?

Passwords should be memorable for the individual, but difficult for an attacker to guess. As you have seen, password attacks often rely on victims using common combinations of characters and similar passwords across multiple accounts. Therefore, all of your passwords need to be different and unpredictable.

Avoid using personal details and dictionary words

You should avoid using any personal details, like your pet’s name or your favourite sports team, as a basis for your password. To protect yourself from a brute force attack, you should avoid dictionary words altogether, even if you’re substituting some letters for numbers or symbols — if “password” is in the attacker’s dictionary, so is “p@ssw0rd”.
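The check below shows, from the defender's side, why swapping letters for look-alike symbols does not help. It is an added example, not part of the original course material; the word list, the substitution table and the function names are constructed for illustration.

```python
import string
from itertools import islice, product

# Constructed sample list; a real check would load a large list of common passwords.
DICTIONARY = {"password", "letmein", "football", "sunshine", "liverpool"}

# Common look-alike substitutions. Some symbols can stand for more than one letter.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s",
    "1": "il", "!": "il", "7": "t",
}

# Digits and symbols that people often bolt onto the start or end of a word.
EDGE_CHARS = string.digits + string.punctuation


def plain_readings(text, limit=4096):
    """Yield the letter-only readings of text, undoing look-alike substitutions.

    The limit caps the work when many characters have more than one reading.
    """
    options = [SUBSTITUTIONS.get(ch, ch) for ch in text.lower()]
    for combo in islice(product(*options), limit):
        yield "".join(combo)


def matching_dictionary_word(password):
    """Return the dictionary word a password is built on, or None."""
    # Try the password as typed, then with leading/trailing digits and symbols removed.
    for candidate in (password, password.strip(EDGE_CHARS)):
        for reading in plain_readings(candidate):
            if reading in DICTIONARY:
                return reading
    return None


if __name__ == "__main__":
    for pw in ("p@ssw0rd", "Password123!", "L1verp00l", "FLitn1e-lp"):
        word = matching_dictionary_word(pw)
        print(f"{pw!r}: {'based on ' + word if word else 'no dictionary word found'}")
```

A sign-up form can run a check like this and ask the user to choose again whenever a word is returned.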

Increase the length and complexity of your password

You should also increase the length of your password and add in more types of character. The more types of character you include and the longer your password is, the more guesses the attacker has to make.

Use a strong password generator

Rather than finding a strong password, it is better to design a strong password generator that you can use to easily create lots of memorable passwords that appear random. Here are three methods of generating passwords:

  • Create a phrase from random words — you can still defend against a dictionary attack if you combine words in an unpredictable way. Choosing words at random is the easiest way to do this. For example, this website helps you to choose words at random with dice. Once you have chosen the words, you should add numbers and symbols into the password.
  • Use a memorable phrase as the basis of your password, instead of using words. For example, you could turn the phrase ‘FutureLearn is the number one online learning platform’ into the password ‘FLitn1e-lp’. You can tailor this phrase to the purpose of your account to make it more memorable. For example, you could use a phrase about shopping to make a password for an eBay account.
  • If you have a visual memory, create a grid of characters (arranged randomly) and choose your password by drawing a pattern. Then, you would just need to learn the pattern, not the actual password.
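The dice method from the first bullet, together with the guess counts behind the earlier advice on length and character types, written as an added example that is not part of the original course material. The 36-word list, the symbol set and the function names are constructed for illustration.

```python
import secrets
import string

# Constructed list of 36 words so that two dice rolls pick one word (6 x 6 = 36).
# A list indexed by five dice has 6**5 = 7776 words.
WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "forest",
    "garden", "hammer", "island", "jacket", "kettle", "ladder",
    "magnet", "napkin", "orange", "pencil", "quartz", "rocket",
    "saddle", "ticket", "umpire", "velvet", "walnut", "yellow",
    "zipper", "badger", "copper", "dinner", "falcon", "guitar",
    "helmet", "insect", "jungle", "kitten", "lemon", "marble",
]
SYMBOLS = "!?#%&*-+"


def roll_die():
    """One fair die roll (1-6) from the operating system's secure random source."""
    return secrets.randbelow(6) + 1


def word_for_rolls(first, second):
    """Map two dice rolls (1-6 each) to one word in the list."""
    return WORDS[(first - 1) * 6 + (second - 1)]


def generate_passphrase(n_words=4):
    """Random words joined with '-', followed by one random digit and one symbol."""
    words = [word_for_rolls(roll_die(), roll_die()) for _ in range(n_words)]
    return "-".join(words) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)


def character_guesses(length, pool_size):
    """Passwords an attacker must try for random characters drawn from a pool."""
    return pool_size ** length


def passphrase_guesses(n_words, list_size=len(WORDS)):
    """Passphrases an attacker must try, even if they know the list and the layout."""
    return list_size ** n_words * len(string.digits) * len(SYMBOLS)


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    print("8 lower-case letters:", character_guesses(8, 26))
    print("12 letters and digits:", character_guesses(12, 26 + 26 + 10))
    print("4 words, 7776-word list:", passphrase_guesses(4, 7776))
```

The counts assume every choice is made at random; a word or pattern picked by a person is much easier to guess than the numbers suggest.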

Next step

In the next step, you will learn how to keep your phone secure.

Questions

  • What kind of information might an attacker use to guess your password?
  • Why is a longer password more secure?
  • How might you avoid an attacker stealing your password through a phishing attack?

Share your answers in the comments.
