Password Policies and Multi-Factor Authentication
Understand strong password requirements, MFA factors (something you know/have/are), and why layering factors dramatically reduces account compromise risk.
Passwords: The Weakest Link
Passwords remain the most common authentication mechanism despite being the most frequently compromised. Attackers steal passwords through phishing, credential stuffing (reusing breached credentials), brute-force attacks, and keyloggers. Even a 'strong' password provides limited protection if an attacker can silently capture it. Password policies set minimum requirements for complexity and rotation to reduce risk, but the most impactful security improvement is adding a second factor — because knowing the password is no longer sufficient to gain access.
Password Complexity Requirements
Effective password complexity policies define minimum standards that make passwords harder to crack. Traditional requirements include: a minimum length (12-16 characters; length matters more than complexity), required character types (uppercase, lowercase, numbers, symbols), a prohibition on common passwords (password dictionaries), and a prohibition on the username or organization name appearing within the password. The NIST SP 800-63B guidelines, updated in 2017, recommend prioritizing length over arbitrary complexity rules and checking passwords against breached-credential databases rather than requiring frequent rotation.
# Check if a password appears in known breach databases
# NIST recommends this approach instead of forced periodic rotation
# Example: using the Have I Been Pwned (HIBP) Pwned Passwords API
# Hash the password first (k-anonymity model: only the first 5 hex chars of the SHA-1 are sent)
echo -n 'mysecretpassword' | sha1sum
# Returns: e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 -
# Send only the first 5 chars to the HIBP API:
# GET https://api.pwnedpasswords.com/range/E5E9F
# The response lists the 35-char suffix and breach count of every hash that starts with that prefix
# If the remaining 35 chars of our hash appear in the response, the password is compromised: reject it
# The same check as a runnable pipeline (bash; the hash is uppercased because the API returns uppercase hex):
HASH=$(echo -n 'mysecretpassword' | sha1sum | cut -c1-40 | tr 'a-f' 'A-F')
curl -s "https://api.pwnedpasswords.com/range/${HASH:0:5}" | grep -q "^${HASH:5}:" && echo "compromised: reject"
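As an added example (not code from the original lesson), the policy checks described above and the k-anonymity breach lookup combined into one Python validator. The blocklist and the breached-password set are constructed samples, and fake_range_lookup stands in for the HIBP range endpoint so the code runs offline; a deployment would replace it with a real GET to https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib

# NIST SP 800-63B style checks: length, blocklist, context words, breach lookup.
# Mandatory character-class rules are deliberately not enforced.
# Both data sets below are constructed samples, not real breach data.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}
BREACHED_SAMPLE = {"Tr0ub4dor&3Winter2019": 1234}  # password -> times seen in breaches

def sha1_upper(password):
    # Uppercase hex SHA-1, the form the Pwned Passwords range API uses
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_lookup(prefix):
    # Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>:
    # '<35-char SHA-1 suffix>:<count>' lines for every hash starting with the prefix
    lines = []
    for pw, count in BREACHED_SAMPLE.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)

def breach_count(password, range_lookup=fake_range_lookup):
    # k-anonymity check: only the first 5 hex chars of the hash leave the client
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def check_password(password, username, org_name="examplecorp",
                   min_length=12, range_lookup=fake_range_lookup):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    for word in (username, org_name):  # no username or organization name inside
        if word and word.lower() in lowered:
            problems.append(f"contains '{word}'")
    count = breach_count(password, range_lookup)
    if count:
        problems.append(f"seen {count} times in known breaches")
    return problems
```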