Reference Number ACG-CSB 030625383

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

The need for complex passwords has never been more critical. A strong, unique password is one of the simplest and most effective ways to protect yourself from cyber threats and keep your sensitive information safe. A weak password is like leaving your front door unlocked, inviting hackers to steal your data, access your accounts, and even commit identity theft. Despite numerous reminders, many people still use simple passwords like “123456” or “password,” making it incredibly easy for cybercriminals to break in.

Understanding why complex passwords matter is crucial in protecting personal and sensitive information from hackers. Longer passwords are harder to crack because they increase the possible combinations an attacker must try. For example, a 6-character password using only lowercase letters has over 300 million possible combinations, but a 12-character password with a mix of letters, numbers, and symbols has trillions of possible combinations, making brute-force attacks exponentially more difficult.

One of the main issues with weak passwords is their susceptibility to brute-force attacks, credential stuffing, and password spraying. Hackers use automated tools that can try millions of password combinations within seconds. Furthermore, many people reuse passwords across multiple accounts. If just one of these accounts gets compromised in a data breach, cybercriminals can access all other accounts that use the same password. For instance, imagine a user with the same password for their email, social media, and online banking accounts. If a hacker obtains this password from a leaked database, they can log in to all of the user’s accounts, steal personal data, and even conduct fraudulent transactions. A single weak password can lead to identity theft, financial loss, and significant privacy concerns.

Hackers often use dictionary attacks, which try common words and phrases, but adding symbols (!@#$%^&) and numbers disrupts these patterns, making passwords much harder to guess. A password like “Sunshine123” is easier to crack than “S#un9h!ne2@” because of the added randomness. Including numbers and special characters in passwords is essential because it greatly increases complexity and reduces predictability.

Another real-world example involves corporate environments. Employees often use predictable passwords, like “CompanyName2024” or “Welcome123!”, which are easy targets for attackers using password spraying attacks. If a hacker successfully accesses an employee’s email or internal system, they can steal confidential business information, launch phishing attacks, or install ransomware, potentially causing millions of dollars in damages.
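The following sketch is an added example, not part of the original bulletin: a check an organization could run when a password is set, combining the keyspace arithmetic described above with rejection of the predictable shapes the bulletin quotes. The deny list, the 60-bit threshold, and all function names are assumptions made for illustration.

```python
import math
import re
import string

# Constructed deny list: only the weak examples quoted in this bulletin.
DENY = {"123456", "password", "sunshine123", "welcome123!", "companyname2024"}
# Predictable shape: a word, then 1-4 digits (often a year), then optional symbols.
WORD_DIGITS = re.compile(r"^[A-Za-z]{3,}\d{1,4}[^A-Za-z0-9]{0,2}$")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(pw):
    """Alphabet size an exhaustive search must cover (26 + 26 + 10 + 32 at most)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))

def combinations(pw):
    """Number of candidates of this length over the password's alphabet."""
    return charset_size(pw) ** len(pw)

def keyspace_bits(pw):
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def assess(pw, min_bits=60, org_terms=()):
    """Return brute-force bits plus findings; min_bits=60 is an assumed threshold."""
    findings = []
    if pw.lower() in DENY:
        findings.append("on deny list")
    if WORD_DIGITS.match(pw):
        findings.append("word+digits pattern")
    if any(t.lower() in pw.lower() for t in org_terms):
        findings.append("contains organization term")
    bits = keyspace_bits(pw)
    if bits < min_bits:
        findings.append("keyspace below threshold")
    return {"bits": round(bits, 1), "findings": findings, "ok": not findings}

if __name__ == "__main__":
    for pw in ("abcdef", "123456", "Sunshine123", "Welcome123!", "S#un9h!ne2@"):
        print(f"{pw!r:16} {assess(pw)}")
```

“Sunshine123” clears the raw keyspace threshold yet is still rejected for its shape, which is why a policy check should not rely on length and character mix alone.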

To stay protected, individuals and organizations must implement strong password policies. Using Multi-Factor Authentication (MFA) adds an extra layer of security, ensuring that even if a password is compromised, unauthorized users cannot access the account without a secondary verification step. MFA requires users to provide two or more forms of verification before access to an account is granted. This can include something you know (a password), something you have (a mobile authentication app, security key, or one-time code sent to your phone), or something you are (biometric verification like a fingerprint or facial recognition). Even if a hacker obtains a password, they would still require the second authentication factor, which is typically inaccessible to them, making unauthorized access highly unlikely.

RECOMMENDATION

By following these best practices, individuals can significantly reduce the risk of password-related cyber threats:

  • Use unique passwords for each account because this prevents hackers from accessing multiple accounts if one gets breached;
  • Enable Multi-Factor Authentication because it adds an extra security layer by requiring more than just a password to log in;
  • Use a password manager because it helps store and generate strong, unique passwords so one does not forget them;
  • Change passwords regularly because updating passwords from time to time reduces the risk of unauthorized access;
  • Never share passwords because keeping login credentials private prevents unauthorized access and potential security breaches; and
  • Stay informed about data breaches because checking if your credentials have been leaked helps you update passwords if necessary.

For additional information, please refer to the following websites:

  • https://www.cm-alliance.com/cybersecurity-blog/why-strong-passwords-matter-and-how-to-create-them
  • https://www.sangfor.com/blog/cybersecurity/csam-2024-importance-of-strong-passwords
  • https://www.ehealthireland.ie/news-media/news/2024/importance-of-strong-passwords/

POINT OF CONTACT

Please contact PLTCOL JERRY V EMPIZO, Officer-In-Charge, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.
