In an interview with IMI TechTalk, Michelle Mazurek, assistant professor of computer science with joint appointments in the Maryland Cybersecurity Center and the Human-Computer Interaction Lab, said falling victim to a phishing attack or re-using passwords puts people in danger of password theft. She says it is possible to make stronger passwords, thereby making them more difficult for attackers to crack.
Phishing, she says, is when people are fooled into typing their passwords into fake websites. In this case, the strength of one's password is irrelevant because it is simply being handed over to an attacker. It does, however, show the importance of using different passwords for different accounts. Attackers take password data that has leaked, run cracking tools and algorithms over the pile of passwords to recover as many as possible, and then try the recovered passwords on those users' other accounts.
Password guessability is a way of measuring the strength of a password by considering how many attempts it takes a smart attacker to guess it. According to Mazurek, attackers start by guessing the most common password, the one people are most likely to have used, and continue guessing in order of frequency. Princess, for example, comes up a lot because many people have pets named Princess.
When studying the guessability of 25,000 users' passwords at Carnegie Mellon University, she found that the location of digits, special characters and capital letters is very important. People tend to put digits and special characters at the end and capital letters at the beginning. Attackers know this, so such passwords are much easier to guess.
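To make the two ideas above concrete (guessing in frequency order, and the predictable placement of capitals, digits and symbols), here is a small guessability estimator. It is an added example written for this page, not code from the interview or from Mazurek's research group, and its base-word list, digit and symbol orderings and mangling rules are all constructed for illustration; real cracking tools work from leaked corpora of millions of entries and far richer rule sets, so the guess numbers only mean something relative to each other.

```python
"""Toy password-guessability estimator.

Added example, not code from the interview or from Mazurek's research group.
It models the attacker described in the text: candidates are tried in order
of how likely people are to have used them, starting with the most common
base words and then the most common ways of "mangling" them (a capital
letter at the start, digits and symbols at the end). A password's guess
number is the position at which that attacker reaches it; a password the
rule set never produces is, to this attacker, unguessable.

The base list, the digit/symbol orderings and the rule order are constructed
for illustration only.
"""

from typing import Dict, Iterator, List, Optional

# Constructed frequency-ordered base list (most common first), standing in
# for a real leaked-password corpus sorted by frequency.
BASE_WORDS = ["password", "princess", "qwerty", "iloveyou", "dragon", "monkey"]

# Constructed orderings of what people append; '1' and '!' come first because
# they are the usual choices when a policy demands a digit or a symbol.
DIGITS = "1234567890"
SYMBOLS = "!@#$"


def capitalized(word: str) -> str:
    """Capital letter at the start, which is where people usually put it."""
    return word[0].upper() + word[1:]


# Mangling rules in the order the attacker applies them; each takes a base
# word and returns the candidates it generates, most likely first.
RULES = [
    ("bare word", lambda w: [w]),
    ("capital first", lambda w: [capitalized(w)]),
    ("digit last", lambda w: [w + d for d in DIGITS]),
    ("capital first + digit last", lambda w: [capitalized(w) + d for d in DIGITS]),
    ("symbol last", lambda w: [w + s for s in SYMBOLS]),
    ("capital first + digit + symbol last",
     lambda w: [capitalized(w) + d + s for d in DIGITS for s in SYMBOLS]),
]


def candidates() -> Iterator[str]:
    """Yield guesses in attack order: rule by rule, and within each rule in
    base-word frequency order, so 'Password1' is tried before 'Monkey1'."""
    seen = set()  # a rule may regenerate an earlier guess; count it once
    for _name, rule in RULES:
        for word in BASE_WORDS:
            for guess in rule(word):
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def guess_number(password: str, limit: int = 1_000_000) -> Optional[int]:
    """1-based number of guesses the modelled attacker needs, or None if the
    password is not produced within `limit` guesses."""
    for n, guess in enumerate(candidates(), start=1):
        if n > limit:
            return None
        if guess == password:
            return n
    return None


def compare(passwords: List[str]) -> Dict[str, Optional[int]]:
    """Guess numbers for several passwords, to compare structures built
    from the same characters."""
    return {p: guess_number(p) for p in passwords}


if __name__ == "__main__":
    # Same characters, different positions: the conventional layout is found
    # in under 200 guesses, while moving the digit or symbol off the end
    # escapes every rule this particular attacker has.
    samples = ["princess", "Princess1", "Princess1!", "Pr1ncess!", "1!Princess"]
    for pw, n in compare(samples).items():
        print(f"{pw:12s} -> {n}")
```

The point of the comparison at the bottom is the one the interview makes: "Princess1!" and "Pr1ncess!" contain the same kinds of characters, but only the first follows the capital-first, digit-and-symbol-last pattern that the rule set encodes, so it falls within a few hundred guesses while the others are never generated. Against a real attacker the gap is smaller, since production rule sets do include substitutions and prefixes, but the ordering effect is the same.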