Question 1 Multiple Choice
A user creates the password 'P@ssw0rd!' — 9 characters with uppercase, lowercase, a number, and a special character. A security expert still calls it weak. What is the most likely reason?
A. It uses a special character (@), which some websites reject and attackers therefore never try
B. It is based on a common word with letter-substitution patterns that cracking software specifically targets
C. Nine characters is technically below the minimum threshold for any real security
D. Numbers should appear at the start of a password, not embedded in the middle
Answer: B
Patterns like replacing 'a' with '@' or 'o' with '0' are so well-known that cracking tools include them in their rule sets — they are tested before purely random strings. A password built on a common dictionary word with predictable substitutions falls far faster than a truly random 9-character string. Genuine strength comes from randomness, not just from using special characters.
Question 2 Multiple Choice
A user has a strong 20-character password that they use on both their email account and a small news forum. The forum is breached and its password database is stolen. What is the most direct risk to the email account?
A. No risk — the password is 20 characters and cannot be cracked even from the stolen database
B. Attackers can use credential stuffing: test the stolen username and password directly against the email service
C. Risk only arises if the email provider was also breached in the same attack
D. Minimal risk because major email providers automatically detect and block reused passwords
Answer: B
Credential stuffing doesn't require cracking anything. Attackers take the plaintext (or cracked) username/password pairs from the breached forum and automatically test them against hundreds of other services. If you reused the password, login succeeds instantly — no guessing needed. Password strength is irrelevant here; uniqueness is the only defense. This is why a strong reused password offers almost no protection against a breach at any one of the sites that shares it.
Question 3 True / False
Replacing letters with similar-looking symbols — such as 'a' with '@' or 's' with '$' — is an effective way to significantly strengthen a password.
True
False
Answer: False
These substitutions are so widely used and well-documented that password cracking tools include them as default rules. 'P@ssword' is tested almost as quickly as 'Password'. Real strength comes from length and true randomness, not from predictable symbol substitutions. A long random passphrase like 'correct horse battery staple' is far stronger than a short word with symbols, because its length exponentially expands the search space.
Question 4 True / False
A random four-word passphrase such as 'lamp blanket orbit fence' can be a strong password even though each individual word is common.
True
False
Answer: True
Strength is about the total search space, not the complexity of individual components. If you pick four words randomly from a 2,000-word list, there are 2,000⁴ = 16 trillion possible combinations — far more than many shorter passwords with symbols. Length is the dominant factor in resisting brute-force attacks, and a long passphrase is also memorable. The words must be chosen randomly; a phrase that has personal meaning is much more guessable.
Question 5 Short Answer
Why does uniqueness matter just as much as strength when creating passwords, and what specific attack does uniqueness defend against?
Model answer: Uniqueness defends against credential stuffing: when a site is breached and passwords are stolen, attackers automatically test those username/password pairs on other services. A strong but reused password protects nothing if it appears in a stolen database — the attacker logs in directly without needing to crack anything. Uniqueness ensures that a breach at one site cannot unlock any other account.
Strength and uniqueness defend against completely different threats. Strength defeats brute-force and guessing attacks (where the attacker doesn't know the password). Uniqueness defeats credential stuffing and breaches (where the attacker does know the password, obtained from a different site). A user who has both — strong AND unique passwords on every account — is protected against both attack classes. A password manager is the practical tool that makes this achievable.