How strong are your passwords?

August 2024


Passwords are one of the most common examples of secret authentication - providing assurance that a person or entity is who they claim to be. Of course, there are various types of authentication, and they may be simply classified into three groups:

  • Something you know e.g. a password or PIN (Personal Identification Number)
  • Something you have e.g. a credit card or bank card
  • Something you are - biometrics. These are unique physical or behavioural characteristics that can identify an individual e.g. fingerprint, iris pattern, voice and facial recognition.

For now, let's just consider passwords. Most software and systems require passwords as part of the login process. The process is intended to validate a user before they are given access to the assets contained within the software or system. We all seem to require a growing number of passwords, and it can be tempting for individuals to use simple and short passwords wherever they can.

Over time, requirements have grown for increasingly longer and more complex passwords. Where a requirement may once have been for a simple 6- or 8-character password, it's common now to require something longer and more complex. The requirement will often be for a combination of upper and lower case letters, numbers, and special characters.

"While the requirement for strong passwords can be inconvenient, there is a very good reason for it."

With the ever-increasing computing power available, it's becoming quicker and easier to use that power to carry out a 'brute force' attack on simple passwords. That can be demonstrated in a password strength test.

Check out the brief video linked to the image above. It provides a startling demonstration of the need for stronger - longer and more complex - passwords.

Of course, there are other things to consider apart from the brute force attack. A more random selection of numbers, letters and special characters than that used in our demonstration will be harder to guess. Organisational controls can also come into play. For example, a password provided by a vendor as a default (e.g. one supplied by a cloud service provider) should be changed following first use. People should be required to keep their passwords secret (not shared with others). These controls and more may be documented in an Access Control Policy or similar that users are required to acknowledge.
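As an added illustration (example code written for this page, not from the article or from Qudos), here is the search-space arithmetic behind the brute force point above: the number of candidates grows as alphabet size to the power of length, so each extra character class or character of length multiplies the work. The guessing rate and the sample passwords are constructed assumptions, not measurements.

```python
import math
import string

# Character classes a complexity rule typically asks for (constructed for
# this example): lower case, upper case, digits, special characters, space.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32
    "space": " ",                      # 1
}

def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must assume: the sum of the
    classes the password uses, plus one for each distinct character that
    belongs to none of them (e.g. an accented letter)."""
    if not password:
        raise ValueError("empty password")
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    extra = {c for c in password if not any(c in v for v in CLASSES.values())}
    return size + len(extra)

def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search covers in the worst case."""
    return alphabet_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """Search-space size expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))

def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace at an assumed guessing rate."""
    return keyspace(password) / guesses_per_second

if __name__ == "__main__":
    # 1e10 guesses per second is an assumed rate for illustration only.
    RATE = 1e10
    SECONDS_PER_YEAR = 365.25 * 24 * 3600
    # Constructed sample passwords, from weak to strong.
    for pw in ["123456", "password", "Passw0rd!", "Mountain Bike 2024!"]:
        years = worst_case_seconds(pw, RATE) / SECONDS_PER_YEAR
        print(f"{pw!r:24} alphabet={alphabet_size(pw):3d} "
              f"bits={entropy_bits(pw):6.1f} worst-case years={years:.3g}")
```

The model credits only length and the character classes used, so a predictable password scores the same as a random one of the same shape; that is exactly why the randomness point above still matters.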

Passwords are also frequently used in conjunction with another form of authentication (as mentioned above). This is known as 2FA (two-factor authentication) or MFA (multi-factor authentication - which may require two or more factors).

Hopefully, the above is a timely reminder of the need for strong passwords.

For those seeking to comply with the ISO 27001 information security standard, passwords used to access software and systems are covered under the requirements of Annex Control A5.17 Authentication Information.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experienced certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!

'ISO 27001 Information Security in plain English'

This website includes a series of blog articles in which we work through all the clauses and controls in ISO 27001. It is a great starting point for developing your ISMS.

It began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Find out more about Qudos management system consultancy services

There's nothing like word of mouth to share creative content. So, if you found this blog informative, please share it with a colleague or business associate.