MyWiki

Weak Password Policy

3 min read

A Weak Password Policy happens when a program lets people make passwords that are easy to guess, short, or not complicated enough. This makes it easier for bad guys to break into accounts. Weak passwords like “123456” or “password” can be cracked very quickly.

A weak password policy also means letting people use the same password again, not making them change it regularly, and not using extra security like multi-factor authentication (MFA). If a bad guy gets one password, they can get into many accounts.

If a program doesn’t make you use strong passwords, you might be able to use weak ones like:

  • password
  • 12345678
  • qwerty123
  • admin

Bad guys can easily guess or crack these passwords using special tools.

If a program only uses passwords for security and doesn’t ask for something extra (like a code sent to your phone), a bad guy who steals or cracks your password can take over your account.

If a system doesn’t limit how many times you can try to log in, bad guys can keep trying until they guess the right password. For example:

POST /login
 
username=admin&password=admin123

If there’s no limit, a bad guy can try thousands of passwords every second until they find the right one.

If you can use old passwords again, bad guys can use passwords that were stolen before to try to get into your account. If you never have to change your password, a bad guy has more time to try to break in.

  1. Make Strong Passwords a Must
  • Passwords should be at least 10-16 letters and numbers long.
  • You have to use big letters, small letters, numbers, and special symbols.
  • Don’t let people use common passwords by checking them against lists of stolen passwords.
  1. Use Multi-Factor Authentication (MFA)
  • Use MFA for important accounts and when doing important things.
  • Use codes that change regularly, fingerprint scans, or special security keys.
  1. Limit Login Attempts and Lock Accounts
  • If someone tries to log in wrong 5-10 times, lock the account for a while.
  • Make people wait longer each time they try to log in wrong.
  • Use puzzles on login pages to stop computers from guessing passwords.
  1. Make Passwords Expire and Change Regularly
  • Make people change their passwords every few months for important accounts.
  • Don’t let people use the same passwords they used before.
  1. Use Good Password Hashing Methods
  • Store passwords safely using strong methods like bcrypt, Argon2, or PBKDF2 with special salts.
  • Don’t use old or unsafe methods like MD5 or SHA-1.

Graph View

Recent Notes