CyberShield
Access Security

Password & MFA Best Practices

Master the art of creating and managing strong passwords, and understand how multi-factor authentication provides essential protection for your accounts against modern threats.

35 min
4 lessons

Understanding Password Security

Passwords remain the most common form of authentication, yet weak passwords are involved in over 80% of data breaches. Understanding how attackers crack passwords helps you create better ones.

How Attackers Crack Passwords:

1. Brute Force Attacks
Systematically trying every possible combination of characters.
  • Speed: Can try billions of combinations per second
  • Defense: Longer passwords exponentially increase cracking time

2. Dictionary Attacks
Using lists of common words, names, and known passwords.
  • Includes: Common passwords, dictionary words, names, dates
  • Defense: Avoid real words and predictable patterns

3. Credential Stuffing
Using passwords stolen from other breaches.
  • Why it works: Most people reuse passwords
  • Defense: Never reuse passwords across accounts

4. Social Engineering
Tricking people into revealing passwords.
  • Methods: Phishing, pretexting, shoulder surfing
  • Defense: Never share passwords; be aware of who's watching

5. Keylogging
Malware that records everything you type.
  • How it spreads: Malicious downloads, phishing links
  • Defense: Keep systems updated; avoid suspicious downloads

What Makes a Password Weak:

  • Short length (under 12 characters)
  • Common words or names
  • Personal information (birthdays, pet names)
  • Keyboard patterns (qwerty, 12345)
  • Simple substitutions (p@ssw0rd)
  • Reused across multiple accounts

The Most Common Passwords (NEVER use these):

  • 123456, password, qwerty
  • [Name][Year] (john1990)
  • [Sports team][Number] (cowboys22)
  • Password1!, Admin123

The Math of Password Length:

For a password using uppercase, lowercase, numbers, and symbols (94 characters):

  • 8 characters: 6 quadrillion combinations (~2 hours to crack)
  • 12 characters: Sextillions of combinations (~34,000 years)
  • 16 characters: Essentially uncrackable with current technology

Key Insight: Length matters more than complexity. "correct-horse-battery-staple" is stronger than "P@s5w0rd!"
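
The arithmetic behind the length figures and the key insight above, as an added example that is not part of the original module; it goes one step further by sizing a random-word passphrase against each character-based policy. Assumptions: a guess rate of 10^12 per second, a 7,776-word list for passphrases, and secrets chosen uniformly at random, so the times scale with the assumed rate and will differ on other hardware.

```python
import math

# Assumptions for this added example (not values from the module):
GUESSES_PER_SECOND = 1e12   # offline guessing rate; real rates depend on hash and hardware
WORDLIST_SIZE = 7776        # size of a Diceware-style word list (6^5 words)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(symbols: int, length: int) -> int:
    """Candidates an exhaustive search must cover: symbols ** length."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and a length of 1 or more")
    return symbols ** length

def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a secret chosen uniformly at random. Human-chosen
    passwords carry far less, so treat this as an upper bound."""
    return length * math.log2(symbols)

def worst_case_seconds(symbols: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate; the average case is half of this."""
    return keyspace(symbols, length) / rate

def words_needed(target_bits: float, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Random words required for a passphrase to reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def human(seconds: float) -> str:
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report():
    """One row per policy: (label, entropy bits, worst-case time, equivalent words)."""
    policies = [("8 chars, 94 symbols", 94, 8), ("12 chars, 94 symbols", 94, 12),
                ("16 chars, 94 symbols", 94, 16), ("16 chars, lowercase only", 26, 16)]
    rows = []
    for label, symbols, length in policies:
        bits = entropy_bits(symbols, length)
        rows.append((label, round(bits, 1), human(worst_case_seconds(symbols, length)),
                     words_needed(bits)))
    return rows

if __name__ == "__main__":
    for label, bits, time_str, words in report():
        print(f"{label:26} {bits:6.1f} bits  {time_str:>28}  ~{words} random words")
```

The last row shows the length-over-complexity point in numbers: 16 lowercase-only characters give a larger search space than 11 characters drawn from all 94 symbols.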