Tech Tip: What Really Makes a Password Weak

Everyone knows passwords need to be strong, and most people think they know what “strong” means. They’re probably right, but there are two things people don’t typically understand about passwords:

  1. Passwords are often guessed quickly thanks to faster computers and AI. Have a capital letter? We can probably guess it’s at the beginning of your password. Have a special character? We can probably guess it’s at the end of your password, right before the number. Forced to change your password because it’s too old? We can probably guess you’ll change it by incrementing the number at the end by one. How long is your password? We might start by trying the minimum length allowed by your system’s policy. Combining techniques like these with the speed at which modern computers and cloud services can test guesses, many passwords can be cracked in seconds. To make your passwords harder to guess, don’t follow these typical patterns.
  2. No matter how complex a password is, it becomes trivially weak when you use it across multiple websites, services, and devices. It’s critical to always use unique passwords. When a password is compromised, criminals first do “credential stuffing,” where they attempt to log in with it at as many places as they can, like online banking websites, retirement funds, shopping sites, etc. This type of attack is very easy to execute, and criminals hit the jackpot whenever a reused password works.
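As an added example (not from this tip or from Pegasus Password Vault), here is a small Python audit that flags the predictable habits listed above: a capital only at the start, a lone special character at the end, a trailing number bumped from the previous password, a length stuck at the policy minimum, and the same password reused across sites. The vault entries, previous passwords and minimum length are constructed assumptions.

```python
import re

# Constructed sample data (not from the article): current password per site,
# plus the previous password where one was rotated.
SAMPLE_VAULT = {
    "bank.example": "Summer2023!",
    "shop.example": "Summer2023!",   # same password as bank.example
    "mail.example": "Winter2024",    # rotated by bumping the year
    "vpn.example": "Monday1!",       # exactly the policy minimum length
    "hr.example": "correct horse battery staple wand",
}
PREVIOUS = {"mail.example": "Winter2023"}
MIN_LENGTH = 8  # assumed policy minimum; guessing typically starts here

def is_increment_of(password, previous):
    """True when password is previous with its trailing number bumped by one."""
    old = re.fullmatch(r"(.*?)(\d+)", previous)
    new = re.fullmatch(r"(.*?)(\d+)", password)
    if not (old and new) or old.group(1) != new.group(1):
        return False
    return int(new.group(2)) == int(old.group(2)) + 1

def pattern_findings(password, previous=None, min_length=MIN_LENGTH):
    """List the predictable habits from the tip that this password exhibits."""
    findings = []
    if len(password) <= min_length:
        findings.append("no longer than the policy minimum")
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        findings.append("capital letter only at the start")
    # one special character in the tail, optionally followed by digits
    if re.fullmatch(r"[A-Za-z0-9]+[^A-Za-z0-9]\d*", password):
        findings.append("special character only at the end")
    if previous and is_increment_of(password, previous):
        findings.append("trailing number incremented from the previous password")
    return findings

def audit_vault(vault, previous=None, min_length=MIN_LENGTH):
    """Return {site: findings} for every entry that is predictable or reused."""
    sites_by_password = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)
    report = {}
    for site, pw in vault.items():
        findings = pattern_findings(pw, (previous or {}).get(site), min_length)
        if len(sites_by_password[pw]) > 1:
            findings.append("reused across " + ", ".join(sorted(sites_by_password[pw])))
        if findings:
            report[site] = findings
    return report
```

Running `audit_vault(SAMPLE_VAULT, PREVIOUS)` reports every entry except the long passphrase under hr.example.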

It’s not easy to generate, let alone remember, truly complex, unique passwords. In fact, these days, it may be impossible for any typical human. The easiest solution is to use a trusted password manager like Pegasus Password Vault. Good password managers have these features standard:

  • Securely keep all your team’s passwords
  • Cloud-based (no server or backup required)
  • Comes with a mobile app (no computer is required to get a password)
  • Enforced password strength and uniqueness
  • Audited employee password use
  • Multi-Factor Authentication (MFA)-protected
  • Active Directory integration for Single Sign On (SSO) convenience

Multi-Factor Authentication (MFA) is also a key defense, but good passwords are still required.

Have questions about a particular topic and would like to see a future Tips article or video on it? We may have already covered it in our Tips and Tricks blog. Feel welcome to request a topic of interest to you, and you may see it in one of our future newsletters.