Your company requires passwords to contain uppercase, lowercase, a number, and a symbol. An employee creates 'Welcome1!' and considers it secure. A security auditor flags it as weak. Why is the auditor correct?
AIt doesn't have enough character types for a truly complex password
BPredictable patterns and common words appear near the top of cracking dictionaries, regardless of character substitutions
CThe password is too short — it needs at least 20 characters to be secure
DSymbols are not accepted by most modern authentication systems
Password-cracking tools use dictionaries of common words and known substitution patterns. 'Welcome' is a common password word, and replacing letters with numbers or symbols (e→3, o→0, appending '1!') follows patterns attackers specifically target. The password meets the technical complexity requirement but fails the unpredictability requirement — the most important property. Length and unpredictability matter far more than meeting a character-type checklist.
Question 2 Multiple Choice
You use a different strong password for each of your 50 online accounts. One small online store gets hacked and your credentials are exposed. What is the damage?
AAttackers can now access all 50 of your accounts through credential stuffing
BOnly the hacked store account is at risk — your other accounts are safe because each has a unique password
CYour email account is automatically compromised since it is linked to all other accounts
DAll accounts sharing the same username are vulnerable regardless of password uniqueness
Credential stuffing attacks work by trying a stolen username/password pair against many other websites. When each account has a unique password, a breach at one site gives attackers nothing usable elsewhere. Only the compromised site's account is at risk. This is the core reason uniqueness matters — it contains the blast radius of any single breach to exactly one account.
Question 3 True / False
A randomly generated 16-character password is stronger than a memorable 8-character password even if the 8-character one uses all four character types (uppercase, lowercase, numbers, symbols).
TTrue
FFalse
Answer: True
Length exponentially increases the number of possible combinations. Every added character multiplies the search space by the size of the character set. A 16-character random password has vastly more possible combinations than any 8-character password regardless of character variety. Length is the single most important property of password strength, which is why passphrases (long strings of random words) can be both memorable and very strong.
Question 4 True / False
Two-factor authentication (2FA) is mainly useful if your password is weak — a strong, unique password makes 2FA unnecessary.
TTrue
FFalse
Answer: False
Passwords can be compromised through data breaches entirely outside your control, not just guessing attacks. Even a strong, unique password can be stolen when a server's database is breached. 2FA protects against this scenario: even with the correct password in hand, an attacker who lacks your phone cannot log in. 2FA and strong passwords are complementary layers, not substitutes — the explainer describes this as 'a deadbolt in addition to the door lock.'
Question 5 Short Answer
Why is using the same password on multiple sites dangerous even if the password itself is very long and random?
Think about your answer, then reveal below.
Model answer: Because data breaches expose passwords directly — attackers don't need to guess a password they already have. Once stolen from one site, that credential is used in credential stuffing attacks on other sites. No matter how strong the password, reuse turns a single breach into a master key for all accounts sharing that password.
Password strength protects against guessing and brute-force attacks, but a data breach bypasses this entirely — it hands attackers the actual value. Uniqueness is the safeguard against credential stuffing, which is among the most common account-compromise techniques in practice. This is why password managers exist: they make having dozens of unique passwords practical.