Strong passwords
A password is a form of authentication: a way of proving that yes, this is the user that owns this account.
Passwords protect access to just about every piece of digital information about us: bank accounts, private email, social networks, chat conversations, and much, much more.
Password attacks
Since so many user accounts are authenticated with a password, attackers are always looking for ways to uncover a user's password.
These are the most common ways:
- Guessing
- Brute-forcing, which is basically computer-assisted guessing at a much larger scale
- Stuffing, where attackers find the credentials for one service and try them on another service
- Malware, especially keyloggers
- Phishing scams
Users can defend against malware and phishing scams by being careful about what they download and what emails they believe.
To defend against the attacks of guessing, brute-forcing, and stuffing, users need a strong password that can’t be easily obtained by someone with ill intent.
Picking a strong password
A strong password is:
- Irregular, to avoid simple guessing. Have you ever “changed” a password by putting a "1" or a "!" at the end of it? An attacker will change it the same way!
- Complex, to avoid brute-forcing. A strong password is long and includes more variety than just the letters of the alphabet, like numbers and symbols. There are $26^8$ possible passwords that are 8 characters long and just made of lowercase letters, while there are $52^{12}$ possible passwords that are 12 characters long and made up of both uppercase and lowercase letters. That's 208,827,064,576 versus a whopping 390,877,006,486,250,200,000 possibilities. A little bit of complexity goes a long way.
- Single-use, to avoid stuffing attacks. If an attacker manages to discover a user's password for one service, they shouldn't be able to use that same password to get into all their other services.
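A service can enforce the "irregular" rule when a user changes their password by rejecting a new password that is only a decorated copy of the old one. The following is an added example, not part of the original article; the function names and the substitution table are assumptions made for illustration.

```python
import re

# Common character swaps undone before comparing (assumed table, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def base_form(password: str) -> str:
    """Reduce a password to the stem that a simple guess would start from."""
    stem = re.sub(r"[\d\W_]+$", "", password)  # drop trailing digits and symbols
    stem = re.sub(r"^[\d\W_]+", "", stem)      # drop leading digits and symbols
    return stem.lower().translate(LEET)        # ignore case and common swaps

def is_trivial_variant(old: str, new: str) -> bool:
    """True when the 'new' password is the old one with cosmetic changes."""
    a, b = base_form(old), base_form(new)
    if not a or not b:
        # Nothing left after stripping (for example all digits): compare as typed.
        return old.lower() == new.lower()
    return a == b

if __name__ == "__main__":
    # Constructed sample pairs: (old password, proposed new password).
    samples = [("Summer2023!", "Summer2024!!"),
               ("P@ssw0rd1", "password!"),
               ("Iw2CR8a!!!pw", "vivid-wrung-octopus-misapply")]
    for old, new in samples:
        verdict = "reject" if is_trivial_variant(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```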
At the same time, passwords need to be memorable. If a user forgets their password constantly, then it's not a very good password.
Here are ways that users can make passwords that are both memorable and strong:
- Create an initialism. Simple words and common phrases are easier to guess. An initialism is made up of all the initials of a phrase. For example, you could take the phrase “I want to create a strong password” and turn that into a complex password like Iw2CR8a!!!pw. You could also make initialisms based on favorite song lyrics, and then you'll be singing your way through login screens. 🎶
- Combine unrelated words together. Imagine you have a real paper dictionary (and maybe you do!). You randomly turn to a page, randomly point, and choose the word under your finger. Do that four times, combine the words with symbols, and you'll have a strong password like vivid-wrung-octopus-misapply.
- Use a password manager. Perhaps you now have a few strong, memorable passwords in your head—but can you actually remember 40 of those? Password managers to the rescue! A password manager application can auto-generate strong passwords, keep track of all your passwords, and let you unlock access to your passwords with one very strong and memorable password.
🔍 You can search online for "password meter" and find webpages that will calculate the strength of passwords for you. For security reasons, you should not put one of your actual passwords in those meters, but you can try out other password ideas and see how strong they are.
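The counting argument from the "complex" rule and the four-random-words method can be compared offline, without typing anything into a web page. The following is an added example, not part of the original article; the guess rate, the 7776-word list size, and the 16-word sample list are assumptions chosen for illustration.

```python
import math
import secrets

# Assumed offline guessing speed (illustrative figure, not from the article).
GUESSES_PER_SECOND = 1e10

# Constructed 16-word sample list for the demo; a real list needs thousands of words.
SAMPLE_WORDS = ["vivid", "wrung", "octopus", "misapply", "lantern", "gravel",
                "pixel", "orbit", "thimble", "canyon", "mosaic", "ferret",
                "quartz", "bonfire", "drizzle", "walnut"]

def search_space(symbols: int, length: int) -> int:
    """Candidates to cover when each position is picked independently."""
    return symbols ** length

def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits; valid only if every position was chosen uniformly at random."""
    return length * math.log2(symbols)

def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return space / rate / (365 * 24 * 3600)

def make_passphrase(wordlist, count: int = 4, sep: str = "-") -> str:
    """Join words picked with the OS CSPRNG, not with human 'random' choices."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would make the entropy estimate too high")
    return sep.join(secrets.choice(wordlist) for _ in range(count))

def compare():
    """(label, bits, years) for the article's two cases and two word-based schemes."""
    cases = [("8 lowercase letters", 26, 8),
             ("12 mixed-case letters", 52, 12),
             ("4 words, 7776-word list", 7776, 4),
             ("4 words, 16-word sample list", len(SAMPLE_WORDS), 4)]
    return [(label, entropy_bits(n, k), years_to_exhaust(search_space(n, k)))
            for label, n, k in cases]

if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:30s} {bits:5.1f} bits  {years:.3g} years to exhaust")
    print("example passphrase:", make_passphrase(SAMPLE_WORDS))
```

The last row shows why the size of the word list matters: four words from a 16-word list give only 16 bits, far less than eight random lowercase letters.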
Entering a password
Even if you've come up with a super strong password, you still need to be careful when you're actually typing the password:
- Only fill in passwords over a secured connection. It's easy for malicious onlookers to see passwords sent over a non-secured Internet connection (and non-secured is the default!). When you're entering a password in the browser, look for the lock icon that indicates an HTTPS connection.
- Watch out for shoulder surfers. If anyone is near you while you're typing your password, they might be trying to memorize what you're typing.
🙋🏽🙋🏻‍♀️🙋🏿‍♂️ Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!
Want to join the conversation?
- so if there is no https:// it isn't safe?(14 votes)
- Well, if the webpage is served using HTTP then the browser will send an HTTP request to fetch the webpage.
If the webpage is served over HTTPS then the browser uses both HTTP and TLS - that is, it uses the Transport Layer Security (protocol) that makes communication secure.
Additionally, a website could be completely harmless if it is served over HTTP (not HTTPS) but it just isn't secure.
Also note that the browser will show your lock icon if it is safe (HTTPS).
The general rule of thumb is that if the webpage isn't secure, then it might not be safe, and thus you shouldn't enter any personal information (so you might not want to make an account unless you know more information about the website).
Hope this helps!(15 votes)
- How do password managers keep all your passwords safe? Couldn't the password manager get hacked and steal all the passwords?(4 votes)
- A password manager encrypts the stored passwords to keep them from being read. The password manager could be hacked which is why it is important to research the password manager and see how well its security has held up before using it.(6 votes)
- Wow, the internet isn't so safe, like I already knew, but I did not know that there is no https:// that isn't safe...(3 votes)
- Well, that's not 100% right. The reality is that let's say, you put your password in the box, you send it. What the "s" after the http means is that no hackers will be able to reach your information during the way to the website you sent your information to.
Was that what you needed? You can ask me again if you want more information about this topic. Just write my name. Though I might not be able to answer immediately. I hope I get to talk with you again!(6 votes)
- So I did a little research on the initialism approach for passwords. Looks like those passwords do not generate enough entropy. Hackers can be effective in using dictionary attacks, especially if they know to create a dictionary composed of song lyrics and begin guessing the first letter of a word within a phrase.
I really think this article could be improved by talking about the diceware method for creating master passwords with high entropy.(5 votes)
- how many lessons are there in this?(2 votes)
- There are 7 lessons in this unit. (You could count it yourself)(2 votes)
- What if you forget the main, superstrong password for a password manager? Is there a way to retrieve the main, superstrong password?(2 votes)
- Some password managers may provide some sort of account recovery option, however, many do not. So, it would be best not to forget the password for the password manager in the first place.(1 vote)
- yes thank you!(2 votes)
- half the questions make no sense.(2 votes)
- Some people on the other hand use the space bar as their password(2 votes)
- can you stop the hackers without cyber security protection?(1 vote)
- No, sadly you cannot(2 votes)