Ask The Expert - Password Security in Simple Steps

Notice: Undefined index: image in /mnt/volume1/vhosts/ on line 12

Nine Tips to Strengthen Password Security

This simple 9 step process can seriously enhance your level of protection from the average hacker. It also means that if anything misses the net, and someone has a password still you don’t want them to have, the passwords will be changed at least within a given timeframe you set. This ensure you have a policy in place to ensures and enforces password changes, especially for admin based accounts which can cause a lot of damage

  1.  Change passwords at least every three months for non-administrative users and 45-60 days for admin accounts.
  2. Use different passwords for each login credential.
  3. Avoid generic accounts and shared passwords.
  4. Conduct audits periodically to identify weak/duplicate passwords and change as necessary.
  5. Pick challenging passwords that include a combination of letters (upper and lower case), numbers and special characters (e.g. <$>, <$>, <%> and <&>).
  6. Avoid personal information such as birth dates, pet names and sports.
  7. Use passwords or passphrases of 12+ characters.
  8. Use a Password Manager such as “Dashlane” where users need just one master password.
  9. Don’t use a browsers’ auto-fill function for passwords

An advanced and under-used password security tip to consider is two-factor authentication, which is a way for websites to double confirm an end user’s identity. After the end user successfully logs in, they receive a text message with a passcode to then input in order to authenticate their ID.

This approach makes sure that end users not only know their passwords but also have access to their own phone. Two-factor authentication works well because cybercriminals rarely steal an end user’s password and phone at the same time. Leading banks and financial institutions enable two-factor authentication by default, but if not, the service can often be turned on by asking the website to do so. More and more non-financial websites are now offering two-factor authentication as well.

 Low Security Credentials

Although it should be common sense, employees need to avoid the use of passwords that are easy for hackers to guess. Among the top ten worst passwords according to are those that use a series of numbers in numerical order, such as <123456>. The names of popular sports such as and are also on the list as are quirky passwords such as and even the word itself.

 Emphasis should also be placed on the importance of avoiding common usernames. In analysis conducted by the information security firm Rapid7, hackers most often prey upon these 10 usernames in particular:

  • Username
  • administrator
  • Administrator
  • user1
  • Admin
  • Alex
  • Pos
  • Demo
  • db2admin
  • sql

 How Attackers Exploit Weak Passwords to Obtain Access

 While most websites don’t store actual username passwords, they do store a password hash for each username. A password hash is a form of encryption, but cybercriminals can sometimes use the password hash to reverse engineer the password. When passwords are weak, it's easier to break the password hash.

Here is a list of common word mutations hackers use to identify passwords if they feel they already have a general idea of what the password might be 

  • Capitalising the first letter of a word
  • Checking all combinations of upper/lowercase for words
  • Inserting a number randomly in the word
  • Placing numbers at the beginning and the end of words
  • Putting the same pattern at both ends, such as
  • Replacing letters like and with numbers like <0> and <1>
  • Punctuating the ends of words, such as adding an exclamation mark
  • Duplicating the first letter or all the letters in a word
  • Combining two words together
  • Adding punctuation or spaces between the words
  • Inserting <@> in place of

Educating end users on these tactics underscores the importance of creating long passwords (at least 12 characters) and applying multiple deviations, rather than something simple like just capitalising the first letter

We hope you enjoyed learning some simple tricks from “Ask The Expert” on Cyber Security. If you would like Sagari to review any specific topic then please feel free to email us directly by going to the Contact Form Here and emailing us what you would like our experts to help with

If you have any Cyber Security projects you would like us to review specifically, then please also get in contact using the Contact Form Here.

Many Thanks

The Sagari Team
Ask The Experts

Talk to a member of our sales team

Call Us Email Us Chat Now