How to improve your password security

Understanding What Makes a Strong Password

On average, each of us uses approximately 13 unique passwords across all our accounts. To some this may sound like a lot, though research shows that many of these passwords are used across different accounts.

Password reuse is frustratingly common, and it matters because once your password is compromised on one account, there is very little stopping someone from compromising the rest of your accounts.

Though you may use passwords of varying strength depending on the importance of a given account, there are a few simple steps and measures you can take to strengthen your password process and your overall information security.

Four Unrelated Words

One of the most common methods of creating a secure yet memorable password is to combine four unrelated random words, such as ‘CorrectHorseBatteryStable’ (although not that one). To make it more difficult for a hacker to guess, it is important that these words have no relation to you, such as your username or date of birth.

Whereas a two-word combination may be broken within a few hours, if you ensure that the password is at least 15 characters long, a would-be attacker will be waiting years to crack it.

Password Manager

Depending on the number of accounts you have, it is likely to be difficult to remember all of these passwords without help.

Rather than writing these passwords down on a piece of paper or keeping them in a plain text file, use one of the many good password managers available. Many are free, and they generate strong passwords simply and securely.

The best thing is that you will only need to remember one password to access the rest. Remember, though, that there is quite a lot of pressure on that one password, since without it you might be locked out of multiple accounts.

Two-Factor Authentication

‘Two-factor authentication’ is increasingly common in the digital world. Now generally standard for banks, this process prompts the user for a second form of verification during login, which helps prove the user’s legitimacy and increases account security.

The second factor could be an access code sent via text message, a phone call or a device-generated code. This means that should an attacker obtain your password, they would still not be able to get into your account or your safely secured information.

A definite improvement within anyone’s password process.

Online Audit

Though it might not sound like the most exciting way to spend an afternoon, conducting an ‘online audit’ is quickly becoming a digital necessity.

This can entail several elements. Firstly, delete accounts that are no longer active or needed.

Remember your old Myspace account? That is right: 427 million passwords were hacked. As a site loses users, it often loses the motivation to keep its accounts secure, meaning it is probably worth spending that extra bit of time exercising your GDPR right to erasure and getting rid of those teenage digital tracks.

As well as removing old accounts, it is worth checking whether your email addresses have been linked to any known breaches. Have I Been Pwned? should give you your answer. If you discover any breaches, it is probably time to change those passwords too.

Password Terminology

Want to understand the password process a little better? Here are some key terms used in password security:

When you create a password for a login, what is known as a hash is generated. This is a scrambled version of the password, stored as a record that enables your login. Should an attacker gain access to these password hashes, the passwords themselves remain unknown; the hacker’s task at this stage is to try to recover the password from the hash.

The two most common approaches hackers employ are brute force and dictionary attacks. A brute force attack tries every possible combination, generating huge numbers of hashes and comparing them to the stolen hash. If they find a match, they have discovered the password.

Alternatively, a dictionary attack generates hashes from lists of common passwords, dictionary entries and common character combinations. This method can prove very effective, especially if your password is not very complex.

Adding Salt

To counter these attacks, cryptographers use a process known as ‘adding salt’. This technique prevents attackers from comparing precomputed hashes by adding randomisation into the hashing process, meaning two users with the same password will have different hashes.
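As an added illustration (not code from the original post) of the hash and dictionary-attack passages above and of why salting defeats them, the following Python compares a plain SHA-256 password store with a salted PBKDF2 record; the wordlist, iteration count and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always gives the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: list) -> Dict[str, str]:
    """A dictionary attacker precomputes digests for common passwords once
    and then matches stolen unsalted hashes against the table."""
    return {unsalted_hash(w): w for w in wordlist}


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted record: a fresh 16-byte random salt per user, mixed into
    PBKDF2-HMAC-SHA256. Identical passwords now yield different digests,
    a precomputed table is useless, and every guess costs ITERATIONS rounds."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = make_record(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: a short wordlist and two users with the same weak password.
    common = ["password", "123456", "letmein", "qwerty"]
    table = build_lookup_table(common)
    stolen = unsalted_hash("letmein")
    print("unsalted lookup:", table.get(stolen))          # letmein
    salt_a, rec_a = make_record("letmein")
    salt_b, rec_b = make_record("letmein")
    print("salted records differ:", rec_a != rec_b)       # True
    print("login ok:", verify("letmein", salt_a, rec_a))  # True
```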

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
