Complete Guide to Password Security: Best Practices from Creation to Management
In 2023, NordPass's annual report showed that the most common password globally is still 123456, used by over 4 million people. In the same year, the Have I Been Pwned database had collected over 12 billion leaked accounts. Password security is not an issue that "only professionals need to worry about": everyone with an online account is a potential target.
This article skips the theory and sticks to practical methods: why your passwords are insecure, and how to fix that systematically.
Common Password Attack Methods
To defend effectively, you need to understand attacks. Here are the five most common password attack methods used by hackers:
1. Brute Force
Attackers use programs to enumerate all possible character combinations until they find the correct password. Modern GPUs can try billions of combinations per second.
Protection: Use sufficiently long passwords. Each additional character multiplies the search space by the size of the character set, so cracking time grows exponentially with length.
2. Dictionary Attack
Instead of enumerating every combination, the attacker tries common words and known password lists first (rockyou.txt contains 14 million real leaked passwords).
Protection: Avoid using complete words, names, birthdays. Password@2024 may "look complex," but it is virtually useless against dictionary attacks.
3. Rainbow Table Attack
This targets database leak scenarios. If a website stores only unsalted MD5/SHA1 hashes of passwords, attackers can look up the plaintext in precomputed hash tables.
Protection: You cannot directly control this, but you can choose well-known major platforms (which use bcrypt, Argon2, and other salted, slow hashes). What you can do is: use a unique password for each website, so that even if one is leaked, other accounts are not affected.
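The following is an added example, not code from the article, showing in Python why a precomputed table reverses unsalted MD5 in one lookup and why a random per-user salt plus a slow derivation defeats it. The "precomputed table" and the password list are constructed here; the standard library's PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2 (an assumption, since those are not in the standard library), and the 600,000-iteration figure is OWASP's 2023 recommendation for that algorithm.

```python
import hashlib
import hmac
import os

# Constructed "precomputed table": an attacker who has hashed a wordlist once
# (this is exactly what a rainbow table amortises) reverses any unsalted hash
# that appears in it with a single dictionary lookup.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "Pass1234"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def reverse_unsalted_md5(stored_hash: str):
    """Return the plaintext if the unsalted MD5 is in the precomputed table."""
    return MD5_TABLE.get(stored_hash)


# Hardened storage. Major services use bcrypt or Argon2; this example assumes
# PBKDF2-HMAC-SHA256 as a stand-in because it ships with Python. The two
# properties that defeat precomputation are the same: a random per-user salt
# and a deliberately slow derivation.
ITERATIONS = 600_000  # assumption: OWASP 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> str:
    """Derive a salted, slow hash and pack algorithm, cost, salt and digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Contrast weak (unsalted MD5) and hardened (salted PBKDF2) storage."""
    # Weak storage: identical passwords give identical, reversible hashes.
    weak = hashlib.md5(b"iloveyou").hexdigest()
    # Hardened storage: the same password hashed twice yields different
    # records, so no table built in advance can match either of them.
    strong_a = hash_password("iloveyou")
    strong_b = hash_password("iloveyou")
    return {
        "reversed": reverse_unsalted_md5(weak),
        "salted_records_differ": strong_a != strong_b,
        "verify_ok": verify_password("iloveyou", strong_a),
        "verify_wrong": verify_password("iloveyou1", strong_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the salt is not secret; it is stored next to the digest. Its job is only to make every user's hash unique so a table computed in advance is worthless, while the iteration count makes each guess expensive.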
4. Phishing
Forged login pages for banks, email services, and social platforms trick users into entering their real passwords. This is currently the most efficient attack method, and no password, however strong, prevents it.
Protection: Enable two-factor authentication (2FA); use a password manager (the auto-fill feature will not work on phishing websites because the domain does not match).
5. Credential Stuffing
Attackers take credentials leaked from one site and try them in bulk against other websites. Since many users reuse the same password across multiple websites, the success rate is very high.
Protection: Use a unique password for each website; this is the most important principle.
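From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source spreads attempts across many different usernames with a low success rate, whereas a legitimate user retrying one password touches one account. The following added example (not from the article) runs that detection logic over a few constructed log lines in a made-up `ip=... user=... result=...` format; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not from any real system);
# 203.0.113.0/24 and friends are documentation address ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:01Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=dave result=SUCCESS
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=grace result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:15Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.4 user=alice result=SUCCESS
2024-05-01T10:01:00Z ip=192.0.2.9 user=heidi result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def detect_credential_stuffing(log_text: str, min_users: int = 5,
                               max_success_rate: float = 0.5) -> dict:
    """Flag source IPs that try many distinct usernames with mostly failures.

    The occasional SUCCESS inside such a burst is the signature of reused
    passwords: it is exactly why unique passwords per site are the fix.
    Returns {ip: summary} for every source that meets both thresholds.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "success": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        stats = per_ip[m["ip"]]
        stats["users"].add(m["user"])
        stats["attempts"] += 1
        if m["result"] == "SUCCESS":
            stats["success"] += 1

    hits = {}
    for ip, s in per_ip.items():
        success_rate = s["success"] / s["attempts"]
        if len(s["users"]) >= min_users and success_rate <= max_success_rate:
            hits[ip] = {"distinct_users": len(s["users"]),
                        "attempts": s["attempts"],
                        "success_rate": round(success_rate, 2)}
    return hits


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

In the sample, 203.0.113.7 hits seven accounts with one success and is flagged; 198.51.100.4 retries one account three times and is not, even though it also fails twice. A production rule would add a time window and feed the flagged source into rate limiting or a forced password reset for the account that succeeded.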
Password Strength and Cracking Time
| Password Type | Example | Theoretical Cracking Time (Modern GPU) |
|---|---|---|
| 6 characters, numbers only | 123456 | < 1 second |
| 8 characters, lowercase letters only | password | < 1 minute |
| 8 characters, mixed case + numbers | Pass1234 | About 1 hour |
| 12 characters, mixed case + numbers + symbols | X#7kP!m2qR@v | About 3000 years |
| 16 random characters | tK9@mV#2pQ!xL&nR | Hundreds of millions of years |
| 4 random words (passphrase) | correct-horse-battery-staple | Hundreds of years (and easy to remember) |
Conclusion: length beats complexity. A 16-character random string of lowercase letters alone is more secure than an 8-character string that mixes case, numbers, and symbols.
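To see why length wins, the following added example (not part of the article) computes the entropy and average-case cracking time for the password shapes in the table from two inputs, character-set size and length. The guess rate of 10^10 per second is a constructed assumption standing in for "a modern GPU against a fast hash"; against bcrypt or Argon2 the real rate is many orders of magnitude lower, which is the whole point of those algorithms.

```python
import math

# Constructed assumption: roughly 1e10 guesses per second, a GPU rig against
# a fast unsalted hash such as MD5. Slow hashes cut this by a huge factor.
GUESSES_PER_SECOND = 1e10

# Character-set sizes used in the estimates.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case_digits": 62,
    "mixed_case_digits_symbols": 94,  # printable ASCII minus space
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)


def seconds_to_crack(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to find the password: half the keyspace at `rate`."""
    keyspace = charset_size ** length
    return keyspace / 2 / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, for quick comparison."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def stronger(a: tuple, b: tuple) -> bool:
    """True if shape a = (charset_size, length) has more entropy than shape b."""
    return entropy_bits(*a) > entropy_bits(*b)


if __name__ == "__main__":
    shapes = [
        ("6 numbers only", CHARSETS["digits"], 6),
        ("8 lowercase only", CHARSETS["lowercase"], 8),
        ("8 mixed case + numbers", CHARSETS["mixed_case_digits"], 8),
        ("8 mixed + numbers + symbols", CHARSETS["mixed_case_digits_symbols"], 8),
        ("16 lowercase only", CHARSETS["lowercase"], 16),
        ("16 random printable", CHARSETS["mixed_case_digits_symbols"], 16),
    ]
    for label, size, length in shapes:
        print(f"{label:28s} {entropy_bits(size, length):6.1f} bits  "
              f"{human_duration(seconds_to_crack(size, length))}")
```

The key comparison in the output is 16 lowercase letters (about 75 bits) against 8 characters from the full printable set (about 52 bits): adding eight characters gained far more than adding 68 symbols to the alphabet did. These figures assume the password is truly random; a dictionary word with a digit appended has nothing like this entropy, whatever its length.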
Good Passwords vs. Bad Passwords
Common characteristics of bad passwords:
❌ 123456 # the most common password in the world
❌ password123 # broken instantly by a dictionary attack
❌ zhangsan1990 # name + birth year
❌ qwerty! # consecutive keyboard characters
❌ Admin@2024 # the "word + year + symbol" anti-pattern
❌ iloveyou # emotional word
Standards for good passwords:
✅ f7$Kp!mQx2@vR9n # randomly generated, 16-character mix
✅ purple-tiger-dance-7 # random-word passphrase, easy to remember and hard to crack
✅ A unique password for every website # prevents credential stuffing
✅ A pattern never used anywhere else # even if there is a pattern, only you know it
Passphrases are a good idea: composed of 4 or more random words, they are easy to remember and far more secure than typical "complex passwords." correct-horse-battery-staple is both easier to remember and more secure than Tr0ub4dor&3, as demonstrated by cryptographer Bruce Schneier.
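Generating a passphrase correctly is as important as choosing the idea: the words must come from a cryptographically secure random source, and the strength comes from the list size and word count, not from the words themselves. The following added example (not from the article) uses Python's `secrets` module for both a passphrase and a random character password; the word list here is a constructed 20-word toy list so the code runs offline, and its entropy is reported honestly from that size. A real generator would load a large list such as the EFF long word list (7,776 words, roughly 12.9 bits per word).

```python
import math
import secrets

# Constructed toy word list. Real generators use thousands of words; the
# entropy calculation below uses this list's actual size, so the numbers it
# prints for the toy list are deliberately low.
WORDS = [
    "purple", "tiger", "dance", "river", "battery", "staple", "horse",
    "correct", "orange", "keyboard", "sun", "cloud", "anchor", "velvet",
    "granite", "lantern", "meadow", "pepper", "quartz", "willow",
]

# Assumed alphabet for the character-password generator: letters, digits and
# a handful of symbols that most sites accept.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*")


def generate_passphrase(word_count: int = 4, words=WORDS, sep: str = "-") -> str:
    """Pick `word_count` words uniformly at random using the OS CSPRNG."""
    # secrets.choice, never random.choice: the random module is predictable
    # and must not be used for anything secret.
    return sep.join(secrets.choice(words) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a random passphrase: word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


def generate_random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Random character password of the given length from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a random character password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print(generate_passphrase(),
          f"({passphrase_entropy_bits(4, len(WORDS)):.1f} bits from the toy list)")
    print(f"4 words from a 7,776-word list: "
          f"{passphrase_entropy_bits(4, 7776):.1f} bits")
    print(generate_random_password(),
          f"({password_entropy_bits(16):.1f} bits)")
```

Four words from a 7,776-word list give about 51.7 bits, comparable to an 8 to 9 character random password from the full printable set, and six words pass 77 bits. Adding a digit at the end, as in purple-tiger-dance-7, helps only if the digit is also chosen at random.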
Password Managers: The Only Viable Solution
Human memory cannot handle the task of "using a unique complex password for each website." Password managers are the only realistic solution to this contradiction.
Bitwarden (Highly Recommended)
- Pricing: Personal version completely free; premium version $10/year (includes TOTP functionality)
- Open source: The code is publicly auditable, and it can be self-hosted
- Cross-platform: Browser extensions, mobile apps, and desktop clients fully covered
- Security model: Zero-knowledge encryption (the server cannot see your passwords)
- Suitable for: Most individual users and small teams
1Password
- Pricing: $3/month (personal); $5/month (family, up to 5 people)
- Closed-source commercial product with a good security record
- Features: Travel Mode (hides sensitive vaults when crossing borders), SSH key management
- Suitable for: Users willing to pay for the best user experience; developer teams
KeePass / KeePassXC
- Pricing: Completely free and open source
- Data storage: Local encrypted file (.kdbx), not connected to the internet
- Suitable for: Users who value privacy extremely and do not trust cloud services
- Disadvantage: Cross-device synchronization requires self-configuration (Dropbox, Jianguoyun, etc.)
Two-Factor Authentication (2FA)
A password is "something you know," and 2FA adds "something you have" as the second verification step. Even if the password is leaked, the attacker cannot log in without the second factor.
TOTP App (Recommended)
Time-based one-time passwords (RFC 6238): the app generates a new 6-digit code every 30 seconds.
- Google Authenticator: Simple, but no backup feature (lose your phone = game over)
- Authy: Supports cloud backup and multiple devices, recommended alternative
- Bitwarden Authenticator: Built-in for premium users, saves a separate app
Hardware Keys (Highest Security Level)
FIDO2/WebAuthn hardware keys such as the YubiKey require the physical key to be present for verification, and because the key's response is bound to the genuine site's origin they are immune to phishing. Suitable for users with extremely high security needs.
SMS Verification Code (Avoid if Possible)
SMS 2FA is exposed to SIM swapping, and its security is far below that of TOTP apps. Use an app whenever possible, not SMS.
Enterprise/Team Password Management Suggestions
- Use a team password manager: Bitwarden Teams, 1Password Teams, Dashlane Business
- Permission group management: Assign access rights by department/project, immediately revoke for departing employees
- Prohibit sharing personal accounts: Each person has an independent account, operations are traceable
- Regular audits: Check quarterly which accounts are still valid and which need rotation
- Mandate 2FA: At least require 2FA for critical systems (code repositories, cloud consoles, financial systems)
FAQ
Q: How long should a password be to be secure?
According to NIST's latest guidelines in 2024: minimum 12 characters, recommended 16 characters or more. For high-value accounts (online banking, primary email, password manager master password), use a random password or passphrase of 20 characters or more. Length is more important than character types: a 12-character random password of lowercase letters alone is more secure than 8 characters of mixed case, numbers, and symbols.
Q: What if the password manager is hacked?
Legitimate password managers use end-to-end zero-knowledge encryption: your passwords are encrypted locally before upload, and the server stores only ciphertext. Even if the database is leaked, attackers cannot decrypt it without your master password. In the 2022 LastPass breach, what was stolen was likewise encrypted ciphertext. However, that incident also exposed the risk of metadata (website domain) leakage; this is a limitation to understand when choosing a mainstream product.
The key to protecting your password manager: use a strong master password + enable 2FA, and do not store these two things in the password manager itself.
Q: What if I can't remember complex passwords?
This is precisely what password managers are for: you only need to remember one master password. If you don't have a password manager yet, start with a passphrase: choose 4 random, unrelated Chinese or English words and join them with hyphens, for example 太阳-橘子-键盘-河流 (sun-orange-keyboard-river). Such a password is easy to remember and far stronger than a traditional "complex password."
Summary
The core principles of password security come down to three, yet they resist 90% of attacks:
- Use a unique password for each account (prevents credential stuffing and leak spread)
- Passwords should be long and random enough (prevents brute force and dictionary attacks)
- Enable 2FA for important accounts (the last line of defense after password leakage)
The only sustainable way to implement all three is a password manager. Start today: register a Bitwarden account and let it handle every new account you create and every old password you change. A year from now you will be glad you made this decision.
