Passwords, or sometimes passphrases (a longer password made up of several words), are the primary authentication mechanism for almost everything and have been around for decades: Twitter, Facebook, trading platforms and email mailboxes, through to sites where security matters even more, such as online banking. Weak passwords can be cracked, in some cases in just a few minutes. Dictionary-based cracking tools use lists of millions of known passwords and can try millions of candidates in under a minute.
Most people and businesses recommend a password of over 8 characters (in reality 12 or 14+ characters is best) made up of lower-case letters, upper-case letters, numbers and special characters (e.g. £, * or $). Ideally a password would look like 'xNKc0<\e3U@WES', but this raises the question: can anyone remember that, let alone a unique one for each website? A very secure password may be chosen, but it then tends to be reused for every website login, or written down as a memory aid. Then all it takes is for one password to be stolen and someone has access to your whole life.
PINs for credit and debit cards are a good example of how a security measure can be implemented effectively, simply and cheaply. The options are the digits 0-9 and the length is four. That may seem very short compared to a password of 8+ characters made up of varied letters, but the key difference is that the card locks after three wrong attempts.
Most website login mechanisms will let you try hundreds of passwords. A well-designed one slows the attempts down: making you wait ten seconds between each incorrect entry, locking you out for five minutes, or making you call the company to verify your identity, so that hundreds of false attempts take hours or days.
By adopting such simple and cheap measures, password cracking can be drastically slowed down or stopped altogether.
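As an added example (not code from the original article), the following Python applies the two controls just described, a mandatory ten-second wait after every wrong entry and a five-minute lockout after three failures, and then measures how many guesses that policy lets through in an hour. The user name, password and clock are constructed for illustration, and PBKDF2 from hashlib stands in for whatever password hashing a real site would use.

```python
# Added example, not the article's own code; thresholds, user and clock are constructed.
import hashlib, hmac, os, time

WAIT_AFTER_FAILURE = 10     # seconds the caller must wait after a wrong password
LOCKOUT_THRESHOLD = 3       # wrong entries before the account locks (like a card PIN)
LOCKOUT_SECONDS = 5 * 60    # length of the temporary lockout

def make_record(password):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class LoginGuard:
    def __init__(self, records, clock=time.time):
        self._records = records      # user -> (salt, hash) from make_record
        self._clock = clock          # injectable so the policy can be tested offline
        self._failures = {}          # user -> consecutive wrong entries
        self._next_allowed = {}      # user -> earliest time another attempt may run

    def attempt(self, user, password):
        """Return 'ok', 'bad-password', or 'wait' (refused; nothing is checked)."""
        now = self._clock()
        if now < self._next_allowed.get(user, 0.0):
            return "wait"
        salt, stored = self._records.get(user, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if stored and hmac.compare_digest(candidate, stored):
            self._failures[user] = 0
            return "ok"
        fails = self._failures.get(user, 0) + 1
        if fails >= LOCKOUT_THRESHOLD:
            self._failures[user] = 0                  # counter restarts after a lockout
            self._next_allowed[user] = now + LOCKOUT_SECONDS
        else:
            self._failures[user] = fails
            self._next_allowed[user] = now + WAIT_AFTER_FAILURE
        return "bad-password"

def attempts_allowed_in(seconds):
    """Measure the policy: how many wrong guesses actually get checked in a window."""
    clock = [0.0]
    guard = LoginGuard({"alice": make_record("correct horse")}, clock=lambda: clock[0])
    checked = 0
    while clock[0] < seconds:
        if guard.attempt("alice", "not-it") == "wait":
            clock[0] += 1.0          # refused: a second passes and nothing is learned
        else:
            checked += 1
    return checked
```

With these constants, attempts_allowed_in(3600) returns 36: three checked guesses per lockout cycle, rather than the hundreds the text warns an unprotected login form permits.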
Users can also mitigate the risk by creating a strong password or passphrase. The ideal password is long, complex and easy to remember – but hard to break. Good passwords are often hard to remember, so you can use the method below to create either a non-dictionary password or a passphrase.
First pick a group of words | Take each first character and make a word | Add a random word at the end | Further strengthen
I have a black labrador dog called charlie | ihabldcc | ihabldccapple | ihabldcc@pple
my house is in south-east london | mhiisel | mhiiselemail | mhii$elemail
my favourite rock band is the beatles | mfrbitb | mfrbitbmicro | mfrb1tbmicro
my favourite musical instrument is the saxophone | mfmiits | mfmiitsred | mfmiits-red
I got married in paris in france | igmipif | igmipifebay | igmipif+ebay
If you would like to learn more about password security, please feel free to download the recording of our 'Cracking Passwords' webinar.
Visit cyber.qa.com for more information on how QA can help solve the cyber security skills gap.

Graeme Batsman
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security Consultant at Capgemini, covering the public and private sectors.
From the age of 17 he was running investigations into online scams and phishing. Today he teaches, and in several cases has written, courses on CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.