General security

Steps to Stronger Passwords

Hashim Shaikh
May 3, 2017 by
Hashim Shaikh

A journey of password

The utilization of passwords is known to be old. Sentries would challenge those wishing to enter a territory or moving toward it to supply a secret word, and would just enable a man or gathering to pass if they knew the secret key. In present day times, username and passwords are normally used by individuals for a sign-in process that controls access to secure PC working frameworks, cell phones, digital TV decoders, computerized teller machines (ATMs), and so on, bank account, social media, etc. In today's world, an individual may have passwords for some reasons like signing into records, recovering email, getting to applications, perform a transaction of money, modify databases, access systems, sites, perusing the morning daily paper on the web.

Some information about the first use of password:

The principal PC secret word or the password was produced in 1961 at the Massachusetts Institute of Technology, for use with the Compatible Time-Sharing System (CTSS), which offered authorization access to a large portion of the essential processing capacities we utilize today. CTSS was intended to oblige different clients without a moment's delay, with a similar center processor controlling separate consoles. In that capacity, every specialist required an individual purpose of passage into the framework.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

"The key problem was that we were setting up multiple terminals, which were to be used by multiple persons but with each person having his private set of files," Fernando Corbató, head of CTSS program, told Wired. "Putting a password on for each user as a lock seemed like a very straightforward solution."

A password is a word or series of characters utilized for client confirmation to demonstrate personality or get to endorsement to access an asset, which is to be kept secret from those not permitted to get it.

Need of strong passwords:

In the year 2016, Mark Zuckerberg Twitter and Pinterest accounts were compromised. No wonder. Mark's password for those accounts was"dadada." Depending on the theory of human behavior that humans may use the same password for signing into a different website, hackers tried his password on Pinterest and other sites. They were successful on Pinterest. The group of hackers responsible for this was known by the name "OurMine." Let us explore the list of people whose passwords were hacked by OurMine:

  1. The Twitter records of Wikipedia fellow benefactor Jimmy Wales
  2. Pokémon Go maker John Hanke
  3. Twitter prime supporter Jack Dorsey
  4. Google CEO Sundar Pichai

Many other social and group accounts. The list does not end here; there were many big personalities and celebrities whose accounts were compromised because of using a password. Just have a look at the names of few:

  1. Drake
  2. Katy Perry
  3. National Football League (NFL)
  4. John Podesta Chairman of Hillary's Clinton so on and so on

These names are taken from the list of "P@ssholes of the Year 2016"

This hack took place just because they used weak passwords for their accounts. There is a need of stronger password for the users, and we will let you know how not to be on the above list and avoid being P@ssholes

Steps to stronger password:

  1. The length of the password

If a user keeps the password as "welcome" this is definitely a weak password, and it is present on the top 25 worst password list.

Make sure the length of your password is more than 12 characters.

How about a user keeping a password "123456789012" is it safe? Absolutely not, as it is not alphanumeric. According to the site, it would take 25 seconds to crack such password.

Do not use personal information or generic words in passwords.

  1. Alphanumeric password:

The password in this category comprises of the following "abc-xyz" + "ABC-XYZ"+"123-789"

So the sample password would be something like "welcome1234". According to the site it would take one day to crack such password.

Don't use personal information or generic words in a password.

Let's make our password a bit more complex.

  1. Special characters:

Along with the above mentioned "abc-xyz" + "ABC-XYZ"+"123-789" we would require introduction of special character such as "!@#$%^&*(){}[];':",<>/?=+"

Now our sample password would look something like "welcome@123". According to the site, it would take five days to crack such password. However, by using the dictionary present it can be cracked before time.

Don't use personal information or generic words in a password.

  1. Bruce Schneier's Method:

Bruce back in 2008 introduced a password creation mechanism. It was on the line of keeping a sentence and using it for the password.

Sentence: What a beautiful day it is! Will you give me the duck back?

Password: Wabdii!Wygmtdb

According to the site, it would take 29 Million years to break the password.

Don't use personal information or generic words in a password.

  1. Different passwords for different sites:

A British security specialist has drilled down the information made open by Anonymous group hacks against Gawker and and found that numerous clients with records at both sides utilized a similar password for their login qualifications.

Indeed, contrasted with past research on the issue, the information shows an ever increasing number of online users that are reusing passwords.

Password reuse over various Websites speaks to a hazard since all that the cracker needs to do is break one password and use it over different websites for the same user.

Don't use personal information or generic words in a password.

  1. Using passphrases:

A passphrase is a grouping of words or other content used to control access to a PC framework, program or information. A passphrase is like a password in utilization, yet a lot longer for included security. Passphrases are regularly used to control both access to, and operation of, cryptographic projects and frameworks, particularly those that get an encryption key from a passphrase. The inception of the term is by similarity with a password. The present day idea of passphrases is accepted to have been designed by Sigmund N. Doorman.

Passwords look like: welcome@123

Passphrase looks like: This is my hat, where should I keep it? à Thisismyhat,whereshouldIkeepit?

According to the site, it would take two duodecillion years to crack the password. Now, this sounds pretty strong.

Don't use common passphrase such as "Iameating" or "Iamsinging."

Don't use personal information or generic words in a password.

  1. Two-factor authentication:

Two Factor Authentication (2FA), is an additional layer of security that is known as "multi-level validation." It requires a password and username as well as something that is unique to the user that they do not have memorized, for example, a physical token or mobile device that can receive messages or personal email account, etc.

Utilizing a username and password together with a snippet of data that lone the user knows makes it harder for a potential cracker to get entrance and take that individual's information.

Truly, two-factor validation is not another idea but rather its utilization has turned out to be much more pervasive with the advanced age we now live in. As of late as February 2011 Google reported two element confirmations, online for their clients, trailed by MSN and Yahoo.

The following URLs guide you to enable 2FA:




You can search 2FA for different site by using the URL:


What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Hashim Shaikh
Hashim Shaikh

Hashim Shaikh currently works with Aujas Networks. Possessing a both OSCP and CEH, he likes exploring Kali Linux. Interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: and his LinkedIn Profile here: