CS Fundamentals
Learn how to create strong passwords, why password security matters, how attacks work, and best practices for managing your passwords safely.
Introduction
Your password is the key to your digital life. Behind it sits your email (which can reset every other account), your banking information, your personal photos, your academic records, your social media presence, and your professional reputation. If someone guesses or steals your password, they can impersonate you, steal from you, and cause damage that takes months or years to repair. Yet most people use weak passwords, reuse them across multiple sites, and rarely change them.
Password security is not glamorous — it is one of those topics where everyone knows what they should do but few actually do it. This chapter explains why strong passwords matter, how attackers crack weak ones, and what practical steps you should take to protect yourself without going crazy trying to remember hundreds of random character strings.
How Passwords Get Compromised
Understanding how attackers steal or crack passwords helps you understand why certain practices protect you.
Brute force attacks try every possible combination systematically. For a 4-digit PIN, an attacker tries 0000, 0001, 0002... all the way to 9999 (only 10,000 combinations — trivial for a computer). For a password with more characters and character types, the number of combinations grows exponentially, making brute force impractical if the password is long enough.
Dictionary attacks try common words and phrases — "password," "123456," "qwerty," "iloveyou," and variations. These are much faster than brute force because they only try likely candidates. This is why simple English words make terrible passwords.
Credential stuffing uses passwords stolen from one website's breach to try logging into other websites. When a site gets hacked and millions of email/password pairs are leaked, attackers automatically try those combinations on banks, email providers, and social media. If you reuse passwords, one breach compromises everything.
Phishing tricks you into entering your password on a fake website that looks identical to the real one. The attacker sends you an email that appears to come from your bank, you click the link, enter your credentials, and the attacker now has them.
Shoulder surfing means someone physically watching you type your password — in a classroom, library, or public place. Keyloggers are malware that records every keystroke you make, capturing passwords as you type them.
What Makes a Password Strong?
A strong password resists all the attack methods described above. The key factors are length (the most important factor — each additional character multiplies the possible combinations exponentially), complexity (using different character types — lowercase, uppercase, numbers, symbols), and unpredictability (avoiding dictionary words, personal information, and common patterns).
The math is compelling. A 6-character lowercase-only password has about 300 million combinations — a modern computer can crack this in minutes. An 8-character password mixing all character types has about 6.6 quadrillion combinations — much harder but still crackable with dedicated hardware. A 12-character mixed password has over 400 sextillion combinations — effectively uncrackable with current technology.
Length beats complexity. A simple passphrase like "correct horse battery staple" (four random words, 28 characters) is actually stronger than "P@$$w0rd!" because its sheer length creates more possible combinations, despite using only lowercase letters and spaces.
Best Practices for Password Management
Use a unique password for every account. This is the single most important rule. When (not if) one service gets breached, only that one account is compromised — not your entire digital life. Yes, this means managing dozens or hundreds of passwords, which leads to the next point.
Use a password manager. A password manager (Bitwarden, KeePass, 1Password, LastPass) generates strong random passwords for every site, stores them securely encrypted, and fills them automatically when you log in. You only need to remember one strong master password — the password manager handles everything else. This is not lazy — it is the most secure practical approach.
For your master password (and the few passwords you must memorize), use a passphrase — four or more random words strung together. "mango bicycle telescope thunder" is easy to remember but extremely difficult to crack. Add a number or special character somewhere if the site requires it.
Enable two-factor authentication (2FA) wherever available. Even if your password is stolen, 2FA requires a second verification (usually a code from your phone) that the attacker does not have. Use authenticator apps (Google Authenticator, Authy) rather than SMS when possible — SMS can be intercepted through SIM swapping attacks.
Never share passwords with anyone — not friends, not family, not IT support. Legitimate IT staff never need your password. If someone asks for it, it is a social engineering attack.
Check if your accounts have been in breaches at haveibeenpwned.com — this free service checks your email against known breach databases. If you are found in a breach, change that password immediately (and anywhere else you used the same password).
Common Mistakes to Avoid
Do not use personal information (birthdate, pet name, phone number, address) — attackers research targets on social media. Do not use simple keyboard patterns (qwerty, 12345, zxcvbn). Do not just add a number to the end of a weak password (password1 is not significantly stronger than password). Do not write passwords on sticky notes attached to your monitor. Do not use the same password for years without changing it.
Key Takeaways
- Passwords protect your entire digital identity — treat password security as critically important
- Attackers use brute force, dictionary attacks, credential stuffing, and phishing to compromise passwords
- Length is the most important strength factor — 12+ characters recommended minimum
- Use a unique password for every account — one breach should not compromise everything
- Password managers are the practical solution to managing many unique, strong passwords
- Enable two-factor authentication on all important accounts for an additional security layer
- Passphrases (random word combinations) are both strong and memorable
- Never share passwords, and check haveibeenpwned.com to see if your accounts have been in breaches
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Password Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Computer Fundamentals topic.
Search Terms
computer-fundamentals, computer fundamentals, computer, fundamentals, cybersecurity, basics, password, security
Related Computer Fundamentals Topics