Passwords are the keys to our digital identities. A strong password is the first line of defense against cybercriminals. Yet surveys show that around two-thirds of Americans reuse the same password across multiple accounts, and 13% use a single password for everything.

What are the requirements for password security?

Many people still rely on weak or easily guessable passwords. A high level of password security depends on several factors; choosing a secure password and using a password manager are the fundamental ones.

What makes passwords secure?

Secure passwords alone cannot guarantee protection against attacks by cybercriminals, but choosing one is still crucial for safeguarding your accounts. Check a candidate password against the following criteria:

  • Length: Length matters most. Each additional character multiplies the number of combinations a brute-force attack has to try, so longer passwords are exponentially harder to crack than shorter ones. A strong password should be at least 12 to 16 characters long.
  • Complexity: A secure password should mix uppercase and lowercase letters, numbers, and special characters such as @, # or $. Each additional character class enlarges the pool an attacker has to search, which makes the password harder to guess for both humans and automated tools.
  • Unpredictability: Avoid simple patterns (keyboard walks, dates, repeated characters) and recognizable words. Cybercriminals run dictionary attacks that try common and previously leaked passwords and their variations before resorting to brute force, so a long password built from a dictionary word is still weak.
  • Uniqueness: Do not reuse passwords across services and platforms. A leak at one site is otherwise replayed against every other account you hold (credential stuffing). Use a unique password for each web service.
  • Regular updates: Especially for critical services, changing a password after a breach or whenever you suspect it is known to someone else limits the damage from previously leaked credentials. Note that current guidance (NIST SP 800-63B) no longer recommends forced rotation on a fixed schedule, since that tends to produce predictable variations of the old password; change on evidence of compromise instead.

Choosing the right password manager

Password managers generate and securely store long, random passwords, which removes the temptation to reuse them. When choosing one, make sure the vault is encrypted on your device with a key derived from your master password so that the provider itself cannot read it (end-to-end or zero-knowledge encryption), and look for features such as breach alerts and security audits of the stored passwords. Regular software updates and published independent security audits are further signs of a trustworthy product. Since the manager holds everything, protect it with a strong master password and two-factor authentication.
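As an added illustration (not code from the original article or from any particular password manager), the following Python snippet shows the core of what a password manager's generator does: it draws characters from the operating system's cryptographic random source via the `secrets` module, guarantees that every character class is present, and shuffles so the guaranteed characters do not cluster at the front. The symbol set and the 16-character default are assumptions.

```python
import secrets
import string

# Character classes the "complexity" criterion asks for. The symbol set is
# an assumption: a conservative selection most sites accept.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 16) -> str:
    """Return a random password of `length` characters that contains at
    least one character from every class.

    `secrets` reads from the OS CSPRNG. The `random` module must not be
    used here: its Mersenne Twister state can be recovered from a few
    hundred outputs, after which every "random" password is predictable.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    # One character per class is guaranteed; the remainder is drawn
    # uniformly from the whole alphabet. secrets.choice uses rejection
    # sampling, so there is no modulo bias towards early characters.
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # Shuffle with a CSPRNG-backed Random so the guaranteed characters
    # do not always occupy the first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character of each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "all classes present:", has_all_classes(pw))
```

The guarantee-then-shuffle step slightly reduces the keyspace compared to a purely uniform draw, but it is what most managers do to satisfy sites that reject passwords missing a class; at 16 characters the loss is negligible.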

Major password leaks in recent years

Every day we entrust vast amounts of sensitive data to companies and technology, with passwords often being the sole protection, and one that, it seems, is not taken seriously enough. The numerous data breaches of recent years show this. Cybercriminals have repeatedly obtained login credentials through malware, phishing emails or brute-force attacks and stolen confidential user data. Below is an overview of some of the most significant incidents:

  • LinkedIn (2012, 2016): LinkedIn was breached in 2012, and 6.5 million unsalted SHA-1 password hashes were posted online. In 2016 it emerged that the same breach had affected far more users: around 117 million email and password combinations from it surfaced for sale on the dark web.
  • Yahoo (2013, 2014): One of the largest breaches ever. An intrusion in 2013, disclosed only in 2016 and later found to have affected all three billion Yahoo accounts, exposed names, email addresses, hashed passwords and security questions and answers; a separate 2014 breach affected about 500 million accounts.
  • Adobe (2013): Records for more than 150 million Adobe user accounts were stolen. The passwords were not hashed but encrypted with a single key using 3DES in ECB mode, and password hints were stored in plaintext, so identical passwords produced identical ciphertext and many could be recovered from the hints.
  • Facebook (2019): Facebook disclosed that hundreds of millions of user passwords had been stored in plaintext on internal servers, readable by employees. Although the data did not leak externally, the incident showed that secure handling of passwords is required inside companies too.
  • Collection #1 to #5 (2019): In January 2019, over two billion email address and password pairs from known and previously unknown leaks were published as one mega-leak; Collection #1 alone contained 773 million unique email addresses.
  • Twitter/X (2022): A bug in Twitter's API allowed anyone to look up the account linked to a phone number or email address. Personal data from over 5.4 million accounts, including phone numbers and email addresses, was collected this way and later offered for sale.
  • RockYou2024 (2024): A compilation of over 9.9 billion plaintext passwords gathered from earlier leaks, considered one of the largest ever published. Lists like this feed directly into dictionary and credential-stuffing attacks.

These events underscore the critical importance of cybersecurity. Despite this, statistics reveal concerning behaviors regarding password security in the U.S. Only about one in five Americans (20%) changes their password after learning about a security breach, while 34% report regularly updating their passwords. Around two-thirds of Americans reuse passwords across multiple accounts, significantly increasing their risk in case of data breaches. Additionally, 64% of users rely on passwords that are only 8 to 11 characters long, shorter than the 12 to 16 characters recommended above.

Note

For their attacks, cybercriminals often do not use their own computers but instead exploit the devices of unsuspecting users. These devices are infected with malware that lets attackers control them remotely. Such compromised systems, often referred to as bots or zombies, are organized into large networks (botnets), which let an attacker spread brute-force or credential-stuffing login attempts across thousands of IP addresses so that no single source stands out.

How to check password security

Checking the security of your passwords is a crucial step in protecting your digital accounts from unauthorized access, and especially after data leaks. Various methods and tools are available to check whether your passwords have been compromised, meet current security standards, or are too weak.

Online services for data leak checks

  • Have I Been Pwned (HIBP): One of the best-known and most trusted platforms. By entering your email address you receive the list of known breaches in which it appeared, and thus the services where your data may have been stolen. The site also checks individual passwords (Pwned Passwords) without ever receiving the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every breached hash suffix with that prefix, and does the comparison locally (k-anonymity). Many password managers use the same range API for their breach checks.
  • Google Password Checkup: Chrome and Google Password Manager warn you if any of your saved passwords has appeared in a known data breach. The Security Checkup in your Google account additionally flags weak and reused passwords.
  • Security features of password managers: Many modern password managers can audit your stored passwords. They scan for weak passwords, duplicate use, and known security incidents, giving you a clear overview of which passwords need updating.
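The k-anonymity protocol behind HIBP's password check, written out as an added Python example (not HIBP's own code): only the first five hex characters of the SHA-1 hash leave the machine, and the comparison happens locally against the returned list of suffixes. `fetch_range_online` calls the real range endpoint; `SAMPLE_RANGE_5BAA6` and `offline_fetch` are constructed stand-ins so the example runs without network access. The middle line of the sample is the real suffix of SHA-1("password"), but the breach counts and the other two suffixes are made up.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (prefix, suffix): the first 5 and the remaining 35 hex digits of
    the upper-case SHA-1 of the password. Only the prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_online(prefix: str) -> str:
    """Fetch the HIBP range for a 5-character prefix (needs network access).
    The response is one 'SUFFIX:COUNT' pair per line for every breached hash
    sharing the prefix, so the server cannot tell which one we care about."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, range_text: str) -> int:
    """Parse a range response and return how often the suffix was seen in
    breaches, or 0 if it is absent. This is the local comparison step."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """Full check: hash, send the prefix, compare locally."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed stand-in for a range response (counts and the first and third
# suffixes are invented; the second suffix is the real one for "password").
SAMPLE_RANGE_5BAA6 = (
    "1D2E98C9F1E0C2A6A5E6D9A8D2A36F0B2F1:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F9C3A2B8C7D6E5F4A3B2C1D0E9F8A7B6C5:17\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Fake fetcher for offline use: only knows the constructed '5BAA6' range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("'password' seen in breaches:", pwned_count("password", fetch_range=offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range_online` to query the live service; because only a five-character prefix is sent, the request reveals nothing usable about the password even to someone observing the traffic.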

Testing password strength

Besides checking for data leaks, evaluate the strength of your passwords. Tools for this assess length, character variety and entropy (the number of bits an attacker must effectively guess) and estimate how long a brute-force attack would take at a given guessing rate. For example, the password 123456 falls in under a second, whereas X$4g8JwQ!a_%j (13 characters drawn from all four character classes, roughly 85 bits) would take millions of years at ten billion guesses per second. Such estimates assume brute force; a password that appears in a leaked wordlist falls immediately regardless of its length.
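An added Python example (not from the original article) that applies the criteria from the list above (length, complexity, unpredictability) together with the entropy and crack-time estimate described here. The guessing rate of 10^10 per second, the 60-bit threshold for "strong", and the tiny `COMMON_PASSWORDS` set standing in for a real wordlist are assumptions.

```python
import math
import string

# Character classes and the pool size each adds to a brute-force search.
# string.punctuation is the 32 printable ASCII symbols.
POOLS = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), 32),
)

# Constructed stand-in for a real wordlist such as rockyou.txt (assumption).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "admin"}

GUESSES_PER_SECOND = 1e10  # assumed offline rate of a GPU rig against a fast hash
MIN_LENGTH = 12            # lower end of the 12-16 characters recommended above
MIN_BITS = 60              # assumed entropy threshold for "strong"


def classes_used(password: str) -> set:
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars, _ in POOLS if any(c in chars for c in password)}


def entropy_bits(password: str) -> float:
    """Brute-force entropy: length * log2(pool), the pool being the union of
    the character classes used. Characters outside all four classes (e.g.
    non-ASCII) add one to the pool rather than inflating the estimate."""
    used = classes_used(password)
    pool = sum(size for name, _, size in POOLS if name in used)
    if any(all(c not in chars for _, chars, _ in POOLS) for c in password):
        pool += 1
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def crack_time_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the keyspace."""
    return (2.0 ** bits) / 2.0 / rate


def assess(password: str) -> dict:
    """Apply the length, complexity and unpredictability criteria and report
    the entropy estimate and expected crack time."""
    problems = []
    used = classes_used(password)
    bits = entropy_bits(password)
    if password.lower() in COMMON_PASSWORDS:
        # A dictionary hit means the attacker's search space is the wordlist,
        # not the character pool, whatever the length of the password.
        bits = math.log2(len(COMMON_PASSWORDS))
        problems.append("appears in a common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(used) < len(POOLS):
        missing = sorted({name for name, _, _ in POOLS} - used)
        problems.append("missing character classes: " + ", ".join(missing))
    if bits < MIN_BITS:
        problems.append(f"only {bits:.1f} bits of brute-force entropy")
    seconds = crack_time_seconds(bits)
    return {
        "length": len(password),
        "classes": sorted(used),
        "entropy_bits": round(bits, 1),
        "crack_time_years": seconds / (365.25 * 24 * 3600),
        "verdict": "strong" if not problems else "weak",
        "problems": problems,
    }


if __name__ == "__main__":
    for pw in ("123456", "Password1!", "X$4g8JwQ!a_%j"):
        print(pw, assess(pw))
```

The entropy figure is an upper bound: it assumes the attacker must search the whole pool uniformly, which is why the dictionary check overrides it. Real crackers also try rule-based mutations of wordlist entries (capitalising the first letter, appending "1!"), so a password like Password1! is far weaker than its 65 bits suggest.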

Manual review and mon­i­tor­ing

If you learn that a platform has suffered a data breach, check whether you have an account there and change that password immediately, along with any other account where you reused it. It also helps to follow cybersecurity news or communities such as the subreddit r/netsec to stay informed about new breaches; they are often reported there before official channels announce them, which gives you time to act. Additionally, HIBP offers email notifications that alert you when your email address appears in a new leak.
