At the end of this lesson, you will be able to:

  • Describe dictionary attacks and brute force attacks
  • Identify secure and insecure passwords
  • Create a secure password
  • Describe safe password policies across multiple websites


Avoid words that are in the dictionary.

Dictionary attacks are when hackers try every single word in the dictionary. The hacker doesn’t need to type in each word; instead, he writes a program to go through each word in the dictionary automatically.

Do not use any of your personal information as your password (your name, phone number, birthday, etc.)

These are very common passwords. If a hacker has access to any of this information, your password could be cracked.

Use a combination of letters and numbers.

Passwords with random numbers are harder to guess than those with just letters, because there are more possible combinations.

Your password should be at least eight characters long.

Even if your password is made up of completely random letters and numbers, it’s still possible to do a brute force attack. A brute force attack is when a hacker writes a program to try every possible combination of letters and numbers. The shorter the password is, the easier it is to do a brute force attack.

Write your password down and keep it in a safe place.

Keep your password in a place that only you have physical access to. Do not leave your passwords in your desk or by your computer, because someone could easily find them. Some security experts advise that you should never write your password down, because it could be stolen. However, when people don’t write passwords down, they usually choose simpler, less secure passwords.

Use a different password for each account that you have.

If you only have one password for all of your accounts and someone figures it out, that person has access to everything. For example, if your email password is the same as the password to your bank, then someone who discovers your email password could steal money from you.

Your email password is your ultimate password.

Many web services have a feature to email your password to you if you forget what it is. Anyone could log in to your bank account with your name, for example, and then ask the bank to email the password. Your bank then emails your password to your email account. If another person knows your email password, that person can get your bank password too.


Dictionary Attacks 101

Rainbow Hash Cracking

Brute Force Key Attacks Are For Dummies

Hardware Assisted Brute Force Attacks: Still For Dummies

Passwords vs. Pass Phrases

GRC Perfect Password Generator


Secure Passwords

For full projects and source code, download the updated version of our Introduction to Web Design Curriculum.