Passwords are the keys to our digital identities. A strong password serves as the first line of defense against cybercriminals. However, statistics show that 36% of UK respondents reuse passwords across 5 to 10 sites and that 35% admitted to resetting their passwords every day or multiple times a week.


What are the requirements for password security?

Many people still rely on weak or easily guessable combinations for their passwords. Two things form the foundation of password security: choosing a strong, unique password for every service, and keeping those passwords in a password manager so that you do not have to remember (or reuse) them.

What makes passwords secure?

Although secure passwords alone cannot provide absolute protection against attacks by cybercriminals, creating a secure password is still crucial for safeguarding your accounts. Users can check whether their chosen password is secure by following a range of criteria:

  • Length: The length of a password plays the critical role. Each extra character multiplies the number of possible passwords by the size of the alphabet, so the effort to brute-force a password grows exponentially with its length. A strong password should be at least 12 to 16 characters long.
  • Complexity: A secure password should include uppercase and lowercase letters, numbers, and special characters such as @, # or $. Mixing classes enlarges the alphabet an attacker has to search, but it does not rescue a short password, and predictable substitutions such as "P@ssw0rd" are in every cracking dictionary. Length counts for more than class variety.
  • Unpredictability: Avoid simple patterns, keyboard walks and recognisable words, as cybercriminals run dictionary attacks that test common passwords and their variations before resorting to brute force.
  • Uniqueness: Do not reuse passwords across multiple services and platforms. A password leaked from one site is immediately tried against every other site (credential stuffing), so each web service needs its own password.
  • Prompt updates after a breach: Change a password as soon as the service concerned reports a breach or you suspect compromise, and change it everywhere else it was used. For critical services this matters far more than rotating on a fixed schedule, which mainly produces predictable variations of the old password.

Choosing the right password manager

Password managers are practical tools for generating and securely storing complex passwords. When selecting one, make sure the vault is encrypted end-to-end with a key derived from your master password, so that the vendor itself cannot read your passwords, and look for features such as breach alerts and a security audit of weak, reused or exposed passwords. Frequent updates and published independent security audits are further indicators of a trustworthy password manager.

Major password leaks in recent years

Every day, we entrust vast amounts of sensitive data to companies and technology, with passwords often being the sole protection, one that, it seems, is not taken seriously enough. This is evident from the numerous data breaches in recent web history. Cybercriminals have repeatedly accessed login credentials using methods like malware, phishing emails, or brute-force attacks, stealing confidential user data. Below is an overview of some of the most significant incidents:

  • LinkedIn (2012, 2016): LinkedIn was hacked in 2012, resulting in the theft of over 6.5 million password hashes, stored as unsalted SHA-1 and therefore quick to crack. In 2016, it emerged that the same breach had yielded around 117 million login credentials, which were offered for sale on the dark web.
  • Yahoo (2013, 2014): One of the largest security breaches ever affected Yahoo. Two separate breaches in 2013 and 2014 compromised a total of three billion accounts, including usernames, hashed passwords, and security questions and answers.
  • Adobe (2013): More than 150 million Adobe user records were stolen during a breach. The passwords had been encrypted with a reversible cipher rather than hashed, and the accompanying password hints were stored in plain text, which allowed many passwords to be recovered.
  • Facebook (2019): Facebook revealed that millions of user passwords had been stored in plain text on internal servers, readable by employees. Although the data did not leak externally, the incident highlighted the need for secure practices even at the company level.
  • Collection #1-#5 (2019): In January 2019, over two billion email addresses and passwords from various sources, including known and previously unknown leaks, were published as part of this mega-leak.
  • Twitter/X (2022): A security breach exposed personal data from over 5.4 million accounts, including phone numbers and email addresses, due to an API bug.
  • RockYou2024 (2024): RockYou2024 was a massive leak, considered one of the largest ever published, comprising over 9.9 billion plain-text passwords compiled from many earlier breaches.

These events underscore the critical importance of cybersecurity. The results of a representative survey conducted by GMX of 1,050 people are all the more astonishing: 64% of people stated that they use the same password for some, or even all, of their online accounts, while only 21% use a different password for each of them. The 2019 GMX study also revealed that 9% had never even changed their main email account password, which leaves them very vulnerable.

Image: Infographic 'The British and their passwords'.
Note

For their attacks, cybercriminals often do not use their own computers but instead exploit the devices of unsuspecting users. These devices are infected with malicious software that allows attackers to control them remotely. Such compromised systems, often referred to as bots or zombies, are organised into large networks (botnets), which give the attacker the bandwidth and the many source addresses needed for large-scale brute-force and credential-stuffing attacks.

How to check password security

Checking the security of your passwords is a crucial step in protecting your digital accounts from unauthorised access, and a necessary one after a data leak. There are various methods and tools available to check whether your passwords have been compromised, meet current security standards, or are too weak.

Online services for data leak checks

  • Have I Been Pwned (HIBP): One of the most well-known and trusted platforms is Have I Been Pwned (HIBP). Here, you can check whether your email address or a password has appeared in a known data breach. By entering your email address, you receive a list of the breaches in which it was found. The site also checks individual passwords against its Pwned Passwords corpus without ever receiving them: your browser hashes the password with SHA-1 and sends only the first five hex characters of the hash, the service returns every hash suffix in that range, and the comparison happens locally (a k-anonymity scheme). That property is what makes it acceptable to check a real password there; a checker that submits the password itself should not be trusted.
  • Google Password Checkup: Chrome checks the passwords saved in its password manager against known breach data and warns you when one has been exposed. The Security Checkup in your Google account additionally flags weak and reused passwords.
  • Security features of password managers: Many modern password managers offer a function to audit your stored passwords. These tools flag weak passwords, passwords used for more than one account, and passwords that appear in known breaches. This way, you get a clear overview of which passwords need updating.
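The k-anonymity range check described above, written out so the privacy property is visible, as an added example that is not part of the original article or of HIBP's own client code. The range endpoint URL is HIBP's real one and is only used by the optional live fetcher; the demo itself runs against a constructed in-memory service whose breach counts are made up, and records what a client would have transmitted:

```python
import hashlib
import urllib.request

# The real HIBP Pwned Passwords range endpoint; only used by fetch_range_http.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body):
    """Parse the 'HASHSUFFIX:COUNT' lines the API returns into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, range_lookup):
    """Return how often the password appears in the breach corpus.

    Only the first five hex characters of the hash are handed to range_lookup;
    the remaining 35 are compared locally, so the service never learns the
    password or even its full hash (k-anonymity)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range_http(prefix):
    """Live lookup against HIBP (network access required; not used in the demo)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class FakeRangeService:
    """Constructed in-memory stand-in for the API, built from a dict of
    password -> breach count. The counts are invented for the demo, not HIBP's."""

    def __init__(self, breached):
        self.ranges = {}
        self.requests = []            # records what a client would have sent
        for password, count in breached.items():
            digest = sha1_hex(password)
            self.ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def __call__(self, prefix):
        self.requests.append(prefix)
        # A real response lists every suffix in the range, most of them not
        # the caller's; pad with an unrelated suffix so the parser sees one.
        lines = self.ranges.get(prefix.upper(), []) + ["F" * 35 + ":0"]
        return "\r\n".join(lines)


if __name__ == "__main__":
    service = FakeRangeService({"password": 123456, "letmein": 42})
    for candidate in ("password", "letmein", "X$4g8JwQ!a_%j"):
        print(f"{candidate!r}: seen {pwned_count(candidate, service)} times")
    print("sent to service:", service.requests)   # five-character prefixes only
```

To run it against the real corpus, pass `fetch_range_http` as `range_lookup`; the transcript of `service.requests` is the thing to look at, since it shows that nothing but a five-character prefix ever leaves the machine.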

Testing password strength

Besides checking for data leaks, it is essential to evaluate the strength of your passwords. Numerous tools can assist with this by assessing the length, character variety and entropy (the number of bits of randomness, i.e. how large the search space an attacker must cover is) of a password. These services also estimate how long a brute-force attack would take to exhaust that search space at a given guessing rate. For example, the password 123456 can be cracked in less than a second, whereas a stronger password like X$4g8JwQ!a_%j would take many years. Only use checkers that run locally in your browser or come from a vendor you already trust, and never paste a password you actually use into an arbitrary website: the check itself would then be the leak.
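The criteria from the list above and the strength estimate described here, implemented together as an added example (not code from the original article or from any of the tools it names). It scores a password by search-space entropy, converts that into a worst-case cracking time at an assumed rate of 10^10 guesses per second (a GPU rig against a fast unsalted hash), checks the article's criteria, and generates a password the way a password manager does, from the operating system's CSPRNG. The small common-password list is a constructed placeholder for a real breach dictionary:

```python
import math
import re
import secrets
import string

# Character classes used both for the complexity check and for the size of
# the alphabet an attacker has to brute-force.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),   # 26
    "uppercase": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),               # 10
    "symbols": set(string.punctuation),         # 32 printable ASCII symbols
}

# Constructed stand-in for a breach dictionary; a real checker would load a
# list such as rockyou.txt.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "admin"}

# Short number runs and keyboard walks that the unpredictability check rejects.
SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789",
             "abcd", "qwer", "asdf")


def char_classes(password):
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def entropy_bits(password):
    """Search-space entropy: len * log2(alphabet size), assuming the attacker
    knows which classes are used and tries every string over them. A
    dictionary word scores far lower in reality, which is what the common-list
    check in check_password is for."""
    pool = sum(len(CLASSES[name]) for name in char_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def crack_time_seconds(password, guesses_per_second=1e10):
    """Time to exhaust the whole search space at the given (assumed) rate."""
    return 2 ** entropy_bits(password) / guesses_per_second


def years(seconds):
    return seconds / (365.25 * 24 * 3600)


def check_password(password, other_passwords=()):
    """Apply the article's criteria; return the list of failures (empty = passes).
    other_passwords holds the user's passwords for other accounts (uniqueness)."""
    problems = []
    if len(password) < 12:
        problems.append("too short (minimum 12 characters)")
    missing = set(CLASSES) - char_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("found in common-password list")
    if re.search(r"(.)\1\1", password) or any(seq in lowered for seq in SEQUENCES):
        problems.append("contains a repeated or sequential pattern")
    if password in other_passwords:
        problems.append("reused from another account")
    return problems


def generate_password(length=16):
    """Generate a password the way a password manager does: characters drawn
    from the OS CSPRNG (secrets), rejecting candidates until one passes
    every criterion in check_password."""
    alphabet = "".join(sorted(set().union(*CLASSES.values())))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("123456", "X$4g8JwQ!a_%j", generate_password()):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{years(crack_time_seconds(pw)):.3g} years to exhaust, "
              f"problems: {check_password(pw) or 'none'}")
```

The two passwords from the text come out at about 20 bits (a million guesses, a fraction of a second) and about 85 bits (over a hundred million years at the assumed rate), which is the "exponentially harder" effect of length and alphabet size in numbers. The estimate is an upper bound: a real cracker tries dictionaries, leaked passwords and mangling rules before brute force, which is why the criteria check matters as much as the entropy figure, and why tools such as zxcvbn go further with pattern matching.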

Manual review and mon­it­or­ing

If you learn that a particular platform has been affected by a data breach, check whether you have an account there. Change that password immediately, and change it on every other website where you reused it, since leaked credentials are tried against other services within hours. It is also helpful to follow cybersecurity news or communities such as Reddit (e.g. the r/netsec subreddit) to stay informed about new data breaches; incidents are often reported there earlier than through official channels, giving you time to act. Additionally, HIBP offers email notifications that alert you when your email address appears in a new leak.
