Weak passwords and how to choose a strong complex memorable password

What makes a password weak?

A weak password is one that can be easily guessed or broken.

This might be because it’s made up of public information associated with you. For example:

  • Your or your family’s dates of birth
  • Names of your family members
  • Your pets’ names
  • Your nickname
  • Your car
  • Your favourite football team, etc.

Your password might be a known default password.

Many items of computer hardware which connect to the Internet have factory default usernames and passwords. These are often variations of the words admin and password.

Recently installed, but unconfigured software or content management systems will often use a default password which is publicly known and published in online manuals.

So far these are examples of public information being used as passwords.

Even when a password is not public information, it can still be guessed by brute force: trying candidate passwords one after another, starting with the ones people most commonly pick, until one works.

Common passwords

You might think your password is so easy to remember and type but so obscure, that no-one else would have ever thought of it, but you’re probably wrong.

Here are the top 100 most popular passwords that crop up on the leaked lists (read down each column, most popular first):

123456       hello       12341234   chelsea    admin123
password     freedom     ferrari    summer     pussy
12345678     whatever    cheese     1990       pass
qwerty       qazwsx      computer   1991       asdf
12345        trustno1    corvette   phoenix    william
123456789    654321      blahblah   amanda     soccer
letmein      jordan23    george     cookie     london
1234567      password1   mercedes   ashley     1q2w3e
football     1234        121212     bandit     1992
iloveyou     robert      maverick   killer     biteme
admin        matthew     fuckyou    meandyou   maggie
welcome      jordan      nicole     pepper     querty
monkey       asshole     hunter     jessica    rangers
login        daniel      sunshine   zaq1zaq1   charlie
abc123       andrew      tigger     jennifer   martin
starwars     lakers      1989       test       ginger
123123       andrea      merlin     hockey     yankees
dragon       buster      ranger     dallas     thunder
passw0rd     joshwa      solo       password   Michelle
master       1qaz2wsx    banana     fuckyou    asshole    aaaaaa

In 2017, it was estimated that almost 10% of people used at least one of the 100 most popular passwords and almost 3% of people have used 123456 as their password.

These lists are fed straight into password-cracking and credential-stuffing tools, and are usually the very first candidates tried, so anything on this list should be avoided.

You can check whether your password is on one of the leaked lists using this website: https://haveibeenpwned.com/Passwords
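The Pwned Passwords service does not receive your password. The client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint (https://api.pwnedpasswords.com/range/PREFIX), gets back every hash suffix in the corpus that shares that prefix together with a breach count, and finishes the comparison locally. The following is an added example of that client-side step, not code from this page or from Have I Been Pwned; the response body is constructed for the example (the suffix for "password" is its real SHA-1, the counts and the other two suffixes are made up) and no network call is made.

```python
import hashlib

# Constructed stand-in for the body that the range endpoint would return for
# prefix 5BAA6: one "SUFFIX:COUNT" line per hash sharing the 5-char prefix.
# Only the second suffix is real (SHA-1 of "password"); counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E1C8E7C2B8E0FD3A9F5E0F0C9C2D0B1A2B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0D3A7E9B2C4D6F8A0B1C2D3E4F5A6B7C8:12
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 (as Pwned Passwords does) and split the
    uppercase hex digest into the 5-char prefix that is sent to the service
    and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the breach corpus, given the
    range response for its prefix. 0 means 'not found', which is not the same
    as 'strong'."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print(prefix, suffix)
    print("seen", breach_count("password", SAMPLE_RANGE_5BAA6), "times")
```

In real use you would fetch `https://api.pwnedpasswords.com/range/` followed by `prefix` and pass the response text to `breach_count`; the service only ever learns the five-character prefix, which is shared by hundreds of unrelated passwords.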

Password complexity

The more complex a password is, the more difficult it will be for brute-force methods to succeed.

Password complexity can be improved by doing one or more (or all) of the following:

  • Avoid using a single word from a dictionary as your password. It will be found straight away when a list of dictionary words is tried one after another.
  • Increase the number of characters in the password. A four character password is much weaker than an eight character password for example.
  • Include upper and lower case characters in the password. Don’t just use a single uppercase letter followed by all lowercase letters.
  • Include numbers and symbols in the password.

It used to be popular to replace letters with numbers that look like their alphabetic counterparts. For example, replace O (oh) with 0 (zero), L with 1 (one), A with 4, S with 5 etc. to create words like:

Baseball = b455b411
password = pa55w0rd
secret = s3cr3t

However, password-cracking tools have long been wise to this. Tools such as hashcat and John the Ripper apply these substitutions, along with capitalisation changes and appended digits or symbols, as standard "mangling rules" to every word in their dictionary, so this sort of character replacement is one of the first things they try.
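To show why the substitutions above buy almost nothing, here is an added example (not code from this page, and not how any particular cracking tool is implemented) of a miniature rule-based dictionary attack. It takes a tiny constructed wordlist, derives candidates by trying every combination of the letter-to-digit substitutions, three capitalisation patterns and a few common suffixes, and recovers the three leet-speak passwords from the text. The SHA-256 targets are constructed for the example; a real attack would run the same candidate generation against whatever hash the leaked database used.

```python
import hashlib
import itertools

# The substitutions described in the text, plus e->3 and i->1, which rule
# sets also apply. Keys are lowercase so capitals are left untouched.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "l": "1"}

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["baseball", "password", "secret", "dragon", "monkey"]

# Common appended tokens; real rule sets try far more.
SUFFIXES = ["", "1", "123", "!", "2017"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed "leaked" hashes of the text's leet-speak passwords
# (Baseball with every substitution plus '!', password with only s and o, secret).
LEAKED_HASHES = {sha256_hex(p) for p in ("B453b411!", "pa55w0rd", "s3cr3t")}


def leet_variants(word: str):
    """Yield the word with every subset of the LEET substitutions applied
    (2**k variants for k substitutable letters), so partial substitutions such
    as pa55w0rd are covered as well as full ones like p455w0rd."""
    letters = sorted({c for c in word.lower() if c in LEET})
    for r in range(len(letters) + 1):
        for subset in itertools.combinations(letters, r):
            table = str.maketrans({c: LEET[c] for c in subset})
            yield word.translate(table)


def mangle(word: str):
    """Yield every candidate a simple rule set derives from one word."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def crack(target_hashes: set[str], wordlist=WORDLIST) -> tuple[dict[str, str], int]:
    """Return ({hash: plaintext} for every target recovered, candidates tried).
    Stops early once every target has been found."""
    found: dict[str, str] = {}
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            digest = sha256_hex(candidate)
            if digest in target_hashes and digest not in found:
                found[digest] = candidate
                if len(found) == len(target_hashes):
                    return found, tried
    return found, tried


if __name__ == "__main__":
    recovered, attempts = crack(LEAKED_HASHES)
    print(f"recovered {sorted(recovered.values())} in {attempts} guesses")
```

Five dictionary words expand to only a few hundred candidates, and all three "disguised" passwords fall out of that set; against a fast unsalted hash this takes microseconds, which is why substitution adds essentially no strength over the underlying word.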

The most secure passwords

The most secure form of password is a long string of uppercase and lowercase letters, numbers and symbols chosen genuinely at random, since its strength comes from length and randomness rather than from any pattern a person would pick, for example:

zKa4zD#5    (8 chars)
$f4qX6rxBU&B    (12 chars)
1!^B5qUA$t0iU7l%    (16 chars)
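The strength of passwords like these can be stated precisely: a password of n characters drawn uniformly at random from an alphabet of k symbols has n × log2(k) bits of entropy, and an attacker who can make g guesses per second needs on average 2^bits / 2 / g seconds to find it. The following is an added example, not code from this page, that generates such passwords with the operating system's cryptographic random source and works out the figures for the three lengths shown; the 10 billion guesses per second used in the printout is an assumed rate for a fast unsalted hash on GPU hardware, and the real rate depends entirely on how the target system stores passwords.

```python
import math
import secrets
import string

# The 94 printable ASCII characters excluding space: 26 + 26 + 10 + 32.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size`
    symbols, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for exhaustive search: half the keyspace over the guess
    rate. The rate is an assumption supplied by the caller."""
    return (2 ** bits) / 2 / guesses_per_second


def has_all_classes(password: str) -> bool:
    """True if the password contains a lowercase, an uppercase, a digit and a symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def random_password(length: int = 16) -> str:
    """Generate with the OS CSPRNG via `secrets`, never the `random` module.
    Rejection sampling keeps the result uniform over the passwords that satisfy
    the four-character-class policy most sites impose."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    assumed_rate = 1e10  # assumed guesses per second, see lead-in
    for n in (8, 12, 16):
        bits = entropy_bits(n, len(ALPHABET))
        years = expected_seconds(bits, assumed_rate) / (365 * 86400)
        print(f"{random_password(n):<18} {n:>2} chars  {bits:5.1f} bits  {years:.2e} years")
```

Run it and the 8-character password comes out at about 52 bits, the 16-character one at about 105 bits: every extra character multiplies the attacker's work by 94, which is why length matters far more than which symbols you sprinkle in.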

The disadvantage of these un-guessable, context-free, complex passwords is that they’re almost impossible to remember, so they end up written down, which largely defeats their purpose.

Passwords are often found written on Post-it notes and stuck under keyboards, in front or back covers of notebooks or on computer monitors.

Hawaii Emergency Broadcast System now broadcasting their passwords

Using a Password Manager

I would always recommend the use of long strong complex passwords in conjunction with a Password Manager. A password manager will generate, remember and enter long strong complex passwords for you, so you don’t need to remember them or write them down.

Read my guide about setting up and using a password manager.

Of course, you’ll still need at least one strong complex memorable password to protect your password manager, so read-on.

Choosing a strong complex memorable password

  1. Think of 3 or 4 random words. Look around you and get some inspiration. Don’t choose words that can be guessed by someone else or could be associated with you.
  2. Imagine a silly or weird situation in your mind that can be described using those words. This image is the key to memorising your password.

If you’re forced to use special characters by someone’s password policy:

  1. Choose where to put your capital letters. Don’t use a capital letter as the first character. Maybe the start of the 2nd and/or 3rd words?
  2. Can one of your words be a number? Change it to its numeric version.
  3. Pick one or more symbol characters and put them somewhere in the middle of the password. Don’t use them as the 1st or last characters.
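The procedure above can be mechanised. The following is an added example, not code from this page: instead of looking around the room it picks the words with the operating system's random source from a wordlist (the wordlist here is a small constructed one; in practice use a large published list such as the EFF long wordlist, whose 7776 entries give about 12.9 bits per word), then applies the three policy rules exactly as the text states them: capitalise the start of the second word rather than the first character, write a number word as digits, and place one symbol in the middle rather than at either end. The symbol and the number-word table are assumptions of the example.

```python
import math
import secrets

# Constructed stand-in for a real wordlist.
WORDS = ["orange", "kettle", "seven", "moon", "river", "pencil",
         "cactus", "ladder", "three", "velvet", "anchor", "tundra"]

# Number words the policy step 2 turns into digits (assumed table).
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10"}


def random_words(n: int, wordlist=WORDS) -> list[str]:
    """Pick n words with the OS CSPRNG (secrets.choice, never random.choice)."""
    return [secrets.choice(wordlist) for _ in range(n)]


def passphrase_bits(n: int, wordlist_size: int) -> float:
    """Entropy of n words chosen uniformly, with replacement, from the list.
    Only holds when the words really are random; words you 'think of' carry
    far less than this."""
    return n * math.log2(wordlist_size)


def apply_policy(words: list[str], symbol: str = "#") -> str:
    """Turn a list of words into a passphrase satisfying the text's rules:
    no capital in position 0 (the 2nd word is capitalised), any number word
    written as digits, one symbol between the 2nd and 3rd words."""
    if len(words) < 3:
        raise ValueError("use at least 3 words")
    parts = [NUMBER_WORDS.get(w.lower(), w.lower()) for w in words]
    parts[1] = parts[1].capitalize()          # no-op if that word became digits
    return "".join(parts[:2]) + symbol + "".join(parts[2:])


def meets_policy(passphrase: str, symbol: str = "#") -> bool:
    """Check the rules the text gives for forced special characters."""
    return (not passphrase[0].isupper()
            and any(c.isupper() for c in passphrase)
            and any(c.isdigit() for c in passphrase)
            and symbol in passphrase[1:-1]
            and passphrase[0] != symbol and passphrase[-1] != symbol)


if __name__ == "__main__":
    chosen = random_words(4)
    print(chosen, "->", apply_policy(chosen))
    print(f"{passphrase_bits(4, 7776):.1f} bits from 4 words of a 7776-word list")
```

Four words from a 7776-word list give about 51.7 bits before any of the policy decoration is added; the capitals, digits and symbol are there to satisfy the site's rules, not to add strength, which comes from the number and randomness of the words.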

Here’s a fun cartoon from xkcd.com

xkcd Password Strength

This is a really popular cartoon, so please don’t use correcthorsebatterystaple as your password as I’m certain it’s now in every password cracking dictionary 🙂
