What should a good password look like?
The longer the better, but it should never be shorter than 8 characters, because such a password could be cracked in a matter of minutes with a brute-force attack. In general, 10 characters can be considered secure enough, as long as they contain a mix of uppercase letters, lowercase letters, numbers, and symbols. A password also needs to be changed regularly, since we can never be sure that it has not been leaked. You can check the time estimates required for a successful attack of this nature in this table. You can also check how long it would take to break your password.
Risky practices
- Short passwords or even dictionary words.
- Passwords with personal or professional data.
- Passwords with keyboard patterns or other sequences.
- Password reuse. It increases the risk because anyone who obtains the password from one service also gets the password we use elsewhere. It also increases the impact if the password is compromised.
- You should also avoid practices that jeopardize the secrecy of passwords, such as post-it notes with passwords on your computer screen, sharing passwords, and entering passwords in plain sight, especially in public spaces.
Check the most common passwords list
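As an added example (not code from the original page), the following Python checker applies the rules above to a candidate password: the 8-character minimum, the mix of character classes, a worst-case brute-force time estimate from the character set size, and the risky practices listed (dictionary words, personal data, keyboard patterns and sequences). The common-word list, the keyboard rows and the guess rate are constructed assumptions.

```python
import re

# Constructed stand-in for a breach/dictionary word list (a real check would load a full leaked-password list).
COMMON_WORDS = {"password", "qwerty", "welcome", "letmein", "admin", "iloveyou"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate used for the time estimate
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")  # lowercase, uppercase, digits, symbols


def charset_size(pw):
    """Size of the alphabet an attacker must search, based on the classes actually used."""
    sizes = (26, 26, 10, 33)
    return sum(s for p, s in zip(CLASSES, sizes) if re.search(p, pw))


def has_sequence(pw, n=4):
    """True if pw contains n+ consecutive keys from a keyboard row, or an ASCII run
    such as 'abcd' or '4321', in either direction."""
    low = pw.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if any(chunk in row for row in rows):
            return True
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def assess(pw, personal_terms=()):
    """Return the problems found, a worst-case full-search crack time, and an overall verdict."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in COMMON_WORDS:
        problems.append("dictionary/common password")
    if any(t.lower() in pw.lower() for t in personal_terms if t):
        problems.append("contains personal data")
    if has_sequence(pw):
        problems.append("keyboard pattern or sequence")
    used = sum(bool(re.search(p, pw)) for p in CLASSES)
    if used < 4:
        problems.append("missing character classes (%d of 4)" % used)
    # Time to exhaust the whole key space at the assumed guess rate (an upper bound, not a guarantee).
    seconds = charset_size(pw) ** len(pw) / GUESSES_PER_SECOND
    return {"problems": problems, "crack_seconds": seconds,
            "acceptable": len(pw) >= 10 and not problems}
```

Passing the user's name, employer or birth year in `personal_terms` lets the checker flag the "personal or professional data" practice; the crack time is only the brute-force bound and says nothing about a password that already appears in a leak.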
How are passwords stolen?
Several attacks of very diverse nature can be used to attempt to steal your password:
- Shoulder surfing, when entering the password in a public place.
- Malware, such as a keylogger, installed on the device where the credentials are entered (either your own or someone else's device).
- Phishing or other digital fraud by email, phone call, SMS, etc.
It is common for stolen credentials to be sold on the dark web, or even posted openly on the internet. For example, RockYou2021 is a published archive that collects 8.4 billion leaked passwords.
How do I check if my password has been leaked?
There are tools to check if credentials have been leaked. Some examples are:
- The website https://cybernews.com/password-leak-check/
- The website https://haveibeenpwned.com to check if the password associated with an email address has been leaked.
However, as these services are not infallible, you need to change your passwords regularly.
What to do in case of leakage?
Passwords must be changed immediately to regain full control of your account and associated information.
Tips for staying safe
- Do not share or reveal passwords.
- Be cautious with security questions. If you use them, make sure you are the only person who knows the answer.
- If you keep a password reminder, do so securely. Ideally, use a password manager; at the very least, avoid reminders that are easily accessible to others.
- Whenever available, enable two-factor authentication.