The PracticalCyberSecGuide

Passwords: Creation, Management and Storage

A practical method for creating, storing and changing passwords without relying on memory tricks, reuse or fragile habits.

Operational brief

Objectives and practical frame

At the end of this module, you will be able to:

  1. 01

    create strong passwords

  2. 02

    avoid reuse

  3. 03

    understand when to use a password manager

  4. 04

    know what to do if a password is compromised

4.1 Why passwords are so important

This section focuses on why passwords are so important as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

Note

A weak, reused or personal-life-based password can put many services at risk at once. This module explains how to reason about length, uniqueness, passphrases, password managers and secure storage, avoiding useless rules and habits that are easy to guess.

4.1.1 The password as an access key

This detail focuses on the password as an access key as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

Example

A good password strategy is based on long unique secrets, safe storage and quick replacement when exposure is suspected

A good password strategy is based on long unique secrets, safe storage and quick replacement when exposure is suspected.

4.1.2 Why passwords are often weak

This detail focuses on why passwords are often weak as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.1.3 Characteristics of a weak password

This detail focuses on characteristics of a weak password as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.1.4 Characteristics of a good password

This detail focuses on characteristics of a good password as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.1.5 The problem of password reuse

This detail focuses on the problem of password reuse as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.1.6 Passphrases

This detail focuses on passphrases as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.1.7 Examples of weak passwords

This detail focuses on examples of weak passwords as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.1.8 Examples of stronger password criteria

This detail focuses on examples of stronger password criteria as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.2 Where not to store passwords

This section focuses on where not to store passwords as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.3 What password managers are

This section focuses on what password managers are as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.3.1 Benefits of password managers

This detail focuses on benefits of password managers as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.3.2 Risks when a password manager is used badly

This detail focuses on risks when a password manager is used badly as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.3.3 Browser or dedicated password manager?

This detail focuses on browser or dedicated password manager? as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.3.4 The master password

This detail focuses on the master password as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.3.5 Storing passwords on paper: when it may make sense

This detail focuses on storing passwords on paper: when it may make sense as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.4 Personal and business passwords

This section focuses on personal and business passwords as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.4.1 Periodic password changes: when they are really needed

This detail focuses on periodic password changes: when they are really needed as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

4.5 What to do if a password has been compromised

This section focuses on what to do if a password has been compromised as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.

Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.

Attention

If you reuse the same password, one breach can compromise multiple accounts.

Mistake

Only changing the final number in a password.

Good practice

Use long passphrases and a reliable password manager.

Exercise

Weak password review

Take three weak password examples and rewrite only the criteria, not real passwords: what would make each one longer, unique and less guessable?

In summary

A good password strategy is based on long unique secrets, safe storage and quick replacement when exposure is suspected.