Password Security: Avoid these 5 common mistakes
Passwords are like underwear: don't let people see it, change it very often, and you shouldn't share it with strangers.
- Chris Pirillo

Cybersecurity isn't all about understanding complex frameworks or getting certifications. It's about proactivity, continuous learning, and adopting everyday habits that strengthen your digital defenses. One of the important, everyday practices is to keep your passwords secure.

We have all been told not to use the same password for many services. Passwords should also be strong, i.e. sufficiently long and varied. For most of us, these are two conflicting goals: no one can remember many long, obscure passwords, so we will inevitably end up making serious security mistakes unless we act in a planned way, using a system to manage passwords securely.

Your password can fall into the wrong hands in many different ways

Data leaks happen all the time. Nowadays you can read about new data leaks in the news almost every day. Some data leaks involve the direct leakage of password information, such as the leak of 164 million users from LinkedIn in 2016, and a 10 billion password leak posted to a hacking forum in 2024 containing plaintext passwords. In 2024 Meta was fined for storing 600 million Facebook and Instagram passwords in plaintext. In addition to passwords, data leaks usually reveal either trade secrets or personal information, allowing fraudsters to create more convincing phishing attempts.

To check whether your email address was part of a known data leak, visit https://haveibeenpwned.com/. You can also check at https://haveibeenpwned.com/Passwords if the password you are using is among those known to have been leaked.
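The password check at haveibeenpwned.com works without the site ever seeing your password: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash to the range endpoint, then looks for the remaining 35 characters in the list that comes back. The following example, added here and not taken from the article or from Have I Been Pwned's own code, implements that client-side half. The range response is a constructed sample (the count for "password" is the figure quoted later in the article; the other two lines are invented); `check_password_live` is an optional network call against the real endpoint and is not needed to run the rest.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for prefix "5BAA6": one "<35-hex-char
# suffix>:<count>" line per known hash, CRLF-separated. Only the second line is
# real (SHA-1 of "password" with the count quoted in the article).
SAMPLE_RANGE_RESPONSE = (
    "1E2A17B9D4F6C3B5A9D0F1E2C3B4A5D6E7F:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804\r\n"
    "2F5D3A8C4B1E9F7A6D2C5B8E3F1A4D7C9B0:17\r\n"
)


def split_sha1(password: str) -> tuple:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Map each suffix in a range response to its breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the given range response (0 = unseen)."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup: only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """Network version of breach_count against the real endpoint."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "8oQ%z7$hJTOL3!RV"):
        print(pw, "->", breach_count(pw, SAMPLE_RANGE_RESPONSE), "times (sample data)")
```

A non-zero count means the exact password is in a public breach corpus and should be treated as already known to attackers, whatever its length.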

In the event of a data leak, even an encrypted password may be exposed

Have you ever read a news item about a data leak that confidently stated that "the leaked passwords were encrypted after all"? Every well-run online service stores passwords not in plaintext but as salted hashes (news reports often loosely call this "encryption"), yet this alone does not prevent the passwords from being exposed.

When a fraudster gets hold of a list of hashed passwords, they set a password cracking program to work. Once the data has leaked, the cracking can be done offline, and the limits on the number of login attempts that an online login form enforces no longer apply. With modern computing power, an 8-character password protected by the most common hashing methods can be cracked in minutes.

Passwords are easier than ever to crack

We live in a digital world where we shop online, maintain social relationships - in fact, we conduct all kinds of transactions and business. We should be more concerned about this than we usually are.

A hacker may sometimes try to get a keylogger onto your device that records your keystrokes, or a program that mirrors your phone's screen, and deduce your password that way; secure device use greatly reduces these risks. When it comes to passwords leaked from online services and cracked with ordinary password cracking software, the length of the password directly determines how long cracking takes. These programs try different combinations until one matches. A 5-character password takes seconds, a 10-character password takes years.

As computing power grows and the methods hackers use to train their password crackers keep improving, these cracking times are getting shorter all the time.
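The two points above, that a leaked salted hash is cracked offline by guessing at machine speed and that the length of the password decides how long that takes, can be seen in a few lines. The example below is added here and is not code from the article: it stores a password the way a well-run service should (random per-user salt, a deliberately slow key-derivation function, here scrypt with parameters chosen for the example), verifies it in constant time, and then estimates worst-case exhaustive-search time from a measured guess rate and an assumed 95-character keyboard alphabet. The measured rate is for one CPU core on the machine running it; real cracking rigs with GPUs are orders of magnitude faster, which is why the article's "minutes for 8 characters" figure is not pessimistic.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# scrypt cost parameters (chosen for this example; tune to your hardware budget).
# Memory use is 128 * N * r bytes = 16 MiB here, under hashlib's default maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex'. A fresh random salt per user means two users with
    the same password get different records and precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    return f"{salt.hex()}${_kdf(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, digest_hex = stored.split("$", 1)
    return hmac.compare_digest(_kdf(password, bytes.fromhex(salt_hex)),
                               bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Measure how many candidates this machine can push through hash_fn per second."""
    n = 0
    end = time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_fn(b"candidate-%d" % n)
        n += 1
    return n / seconds


def seconds_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    """Worst-case time to try every password of `length` symbols drawn from an
    alphabet of `alphabet_size` at `rate` guesses per second."""
    return alphabet_size ** length / rate


def crack_time_table(rate: float, alphabet_size: int = 95,
                     lengths=(5, 8, 10, 12)) -> dict:
    """Exhaustive-search time in seconds for each length, at the given guess rate."""
    return {n: seconds_to_exhaust(n, alphabet_size, rate) for n in lengths}


if __name__ == "__main__":
    fast = guesses_per_second(lambda b: hashlib.md5(b).digest())
    slow = guesses_per_second(lambda b: _kdf(b.decode(), b"fixed-salt-16byt"))
    print(f"md5:    {fast:,.0f} guesses/s on one core")
    print(f"scrypt: {slow:,.0f} guesses/s on one core")
    for length, secs in crack_time_table(fast).items():
        print(f"{length:2d} chars, unsalted md5: {secs / 86400:,.1f} days")
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record),
          verify_password("password", record))
```

Running the main block shows two things at once: the slow KDF cuts the attacker's guess rate by several orders of magnitude compared with a fast hash like MD5, and each extra character multiplies the search space by the alphabet size, so length beats any choice of hash when the password itself is short.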

Of course, they also try to fish your password out of you directly

Phishing is one of the most common security problems. A scammer impersonates a party you trust, such as your credit card company, to get you to give up confidential information - for example, your login to the service in question. Phishing scams today are very sophisticated and it is not necessarily easy to tell whether a message is a scam or a legitimate request.

In 2024 Hive Systems tested how long it takes to brute force different kinds of passwords. (Source: euronews.com)

5 common mistakes in password security

1. Using Weak Passwords

One of the most popular passwords seems to be the eternal 'password'. It can be found on the website mentioned above, https://haveibeenpwned.com/Passwords, leaked along with millions of user credentials, and yet it still ranks in the 'top ten' of the most popular passwords in the latest surveys. Ingeniously changing o to 0 or a to @ won't save the day either. These are the results from haveibeenpwned, showing how many times each password has been seen in data leaks:

  • password - 3,645,804 times
  • p@ssw0rd - 50,431 times
  • p@ssw0rd! - 563 times

When I test the random password '8oQ%z7$hJTOL3!RV' recommended by my password management system on the site, the response is zero times. So the sensible thing to do is to find tools that allow you to use random passwords that you don't need to know yourself, let alone try to remember.

2. Using Easily Guessable Information

Aleksi86! or Tampere20#. Does that look like a familiar password style? Most passwords you make up yourself are actually very common and predictable. For example, we use a name, place or other common word as a starting word, perhaps capitalised, continue with a number, and end with the one special character the form insists on (!, @, # or whatever).

The upshot is that this is exactly the kind of pattern a password cracking program expects, so it makes many correct guesses before the actual brute-force cracking even begins. So many passwords have leaked that crackers know a great deal about common password mangling techniques - so don't use them, and stick to completely random passwords.
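A signup form or password audit can flag this formula before a cracker does. The checker below is an added example, not code from the article: it recognises the word + digits + one special pattern, undoes the common leet substitutions so that P@ssw0rd! is judged as "password", and flags years and short length. The list of common stems is a constructed stand-in for a real leaked-password wordlist; the two example passwords from the article and the random one quoted later are used as inputs.

```python
import re

# Constructed miniature denylist standing in for a real leaked-password wordlist.
COMMON_STEMS = {"password", "welcome", "summer", "qwerty", "letmein",
                "aleksi", "tampere", "admin", "monkey", "dragon"}

# Common leet substitutions, undone so that 'P@ssw0rd' is recognised as 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# The article's formula: a word, then 1-4 digits, then zero or one special character.
FORMULA = re.compile(r"^[A-Za-z]{3,}[0-9]{1,4}[!@#$%^&*?]?$")
YEAR = re.compile(r"(?:19|20)[0-9]{2}")


def stem(password: str) -> str:
    """Drop trailing digits/specials, then undo leet and lower-case what is left."""
    core = re.sub(r"[0-9!@#$%^&*?]+$", "", password)
    return core.translate(LEET).lower()


def predictable_patterns(password: str) -> list:
    """Reasons a password looks human-made and guessable; an empty list means none found."""
    findings = []
    if FORMULA.match(password):
        findings.append("word+digits+special formula")
    s = stem(password)
    if s in COMMON_STEMS:
        findings.append(f"common stem '{s}'")
    if YEAR.search(password):
        findings.append("contains a year")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for pw in ("Aleksi86!", "Tampere20#", "P@ssw0rd!", "Summer2024!", "8oQ%z7$hJTOL3!RV"):
        print(f"{pw:18} {predictable_patterns(pw) or 'no obvious pattern'}")
```

Only the random manager-generated string comes back clean; every hand-made example trips at least the formula or the stem check, which is the point of the article's advice to stop inventing passwords.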

"Let me use several words in a row..."

You may have heard that it makes more sense to use a 4-word password instead of a shorter password, for example. This may indeed be more secure, but is often completely irrelevant, as each system would require a different password anyway. If anyone can remember 100 four-word passwords, go for it. For most of us, trying to make passwords memorable is pointless - there are simply too many to remember, no matter how simple they are.

3. Reusing Passwords Across Multiple Accounts

The average person reuses each password 14 times. Reusing passwords across multiple accounts is a critical mistake. If one account is compromised, all other accounts with the same password are at risk. This practice can lead to a domino effect, where a breach in one service can expose sensitive information across multiple platforms.

So if passwords are not reusable, the idea of creating your own inventive algorithm to generate passwords may come to mind. However, password cracking scammers and the software they use are usually at least as inventive. If you use some clever method to generate passwords, usually the exposure of one password will mean that not much effort is required to deduce the method itself and other passwords.

4. Not updating passwords regularly

Now be honest: do you have an account that has kept the same password year after year? Some platforms force users to change their password regularly, and even though it can feel like a tedious task when it pops up at the worst possible moment, the benefits are worth it. Not all breaches and vulnerabilities are detected immediately. If a password is exposed in a data breach or through malware, updating it regularly minimizes the window of opportunity for an attacker to exploit it.

5. Not enabling MFA

Multi-Factor Authentication, more commonly known as MFA, adds an extra layer of security by requiring another form of verification in addition to the chosen password. This could be a text message code, an authentication app, or a biometric factor like a fingerprint or facial recognition. So, even if a password is compromised, MFA can prevent unauthorized access. Without MFA, your account relies solely on your password, which increases its vulnerability.

A password management system is the best and most sensible solution

The average user has over 90 online accounts requiring passwords. So what do you do if you want to keep your passwords safe? You should use software designed for password management.

Such software is like that little black book where you write down all your passwords, but encrypted and easier to use. Password protection is a core competency of these password management providers, and LastPass, for example, describes quite extensively the principles they have used to build a multi-layered protection for our "vaults". Their aim is to ensure that even in the event of a breach, the encrypted content of the vaults is never compromised. In addition, it is also in the interest of such a provider to check that passwords leaked from other services do not match users' master passwords. It is good to have such a partner in your daily life.

The password management system will always let you decide at the time of registration how complex the password will be this time, and remember it for you. Password management systems are also designed to work with multiple devices. Whether you sign up for a new service from your phone, laptop or tablet, your password and username are automatically placed in a vault where they can be retrieved the next time you log in, whatever device you use.

So remember the master password of the password manager + the device passcode - these are enough

There is at least one more challenge left. How do you come up with a strong enough password for the password management system itself? In this case, the passphrase mentioned earlier could work. For help and ideas on how to create a passphrase, see for example severalpassphrase.com.

The second option is to trust your memory and force yourself to use the main password often enough so that you don't forget it. This usually works well enough for passcodes on your phone or tablet, for example, which you will of course need to remember to access the password manager.
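The random password quoted earlier and the word-based master passphrase recommended here are the two things a user actually needs to generate, and both are easy to do correctly with the operating system's cryptographic random source. The example below is added here and is not code from the article or from any password manager: it draws characters and words with `secrets` (never `random`), reports the entropy of the result, and computes how many words a real 7776-word Diceware list needs to reach a target strength. The 32-word list is a constructed miniature for the demo, so its phrases carry only 5 bits per word; the `words_needed` function uses the real list size.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed miniature word list (32 words -> 5 bits per word). A real Diceware
# list has 7776 words, about 12.9 bits per word.
WORDS = (
    "apple bridge candle dragon eagle forest garden harbor island jungle "
    "kettle lantern meadow needle orbit pepper quartz river saddle timber "
    "umbrella velvet walnut yellow zephyr anchor basket copper desert ember "
    "falcon glacier"
).split()
assert len(WORDS) == 32


def random_password(length: int = 16) -> str:
    """Uniformly random characters from the OS CSPRNG, as a password manager does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(n_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Diceware-style phrase: each word chosen uniformly and independently."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


def words_needed(target_bits: float, list_size: int = 7776) -> int:
    """Fewest words from a list of `list_size` needed to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    pw = random_password(16)
    print(pw, f"({entropy_bits(len(ALPHABET), 16):.1f} bits)")
    pp = passphrase(6)
    print(pp, f"({entropy_bits(len(WORDS), 6):.1f} bits with the toy list,",
          f"{entropy_bits(7776, 6):.1f} with a real Diceware list)")
    print("Diceware words for 77 bits:", words_needed(77))
```

Six words from a real Diceware list give about 77 bits, comparable to a 12-character fully random password, and are far easier to type on a phone, which is why a passphrase is the right shape for the one secret you must keep in your head.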

In Conclusion

Many users fall into common traps such as using weak passwords, reusing the same password across different accounts, or relying on easily guessable information, significantly increasing their vulnerability. Furthermore, failure to update passwords regularly can leave accounts open to attack.

Fortunately, tools such as password management systems and multi-factor authentication can provide stronger security measures. A password manager simplifies secure password creation and storage, while multi-factor authentication adds an essential extra layer of defense, making it considerably harder for hackers to gain unauthorized access. Remembering these tips and common mistakes is not just sensible but necessary in safeguarding your digital identity.
