What makes a password weak?
A weak password is one that can be easily guessed or broken.
This might be because it’s made up of public information associated with you. For example:
- Your or your family's dates of birth
- Names of your family members
- Your pets' names
- Your nickname
- Your car
- Your favourite football team
and so on.
Your password might be a known default password.
Many devices that connect to the Internet ship with factory default usernames and passwords, often variations on the words admin and password.
Recently installed but unconfigured software and content management systems often start with a default password that is publicly known and printed in the online manual. These defaults are collected into lists and tried automatically by scanning tools, so an unchanged default is no better than no password at all.
So far these are all examples of public information being used as a password.
When a password is not derived from public information, an attacker has to guess it: first from lists of common and leaked passwords, then from dictionary words with variations applied, and finally by brute force, trying every combination of characters in turn.
Common passwords
You might think your password is easy to remember and type yet so obscure that no one else could have thought of it, but you are probably wrong.
Here are the top 100 most popular passwords that crop up on the leaked lists:
123456 | hello | 12341234 | chelsea | admin123 |
password | freedom | ferrari | summer | pussy |
12345678 | whatever | cheese | 1990 | pass |
qwerty | qazwsx | computer | 1991 | asdf |
12345 | trustno1 | corvette | phoenix | william |
123456789 | 654321 | blahblah | amanda | soccer |
letmein | jordan23 | george | cookie | london |
1234567 | password1 | mercedes | ashley | 1q2w3e |
football | 1234 | 121212 | bandit | 1992 |
iloveyou | robert | maverick | killer | biteme |
admin | matthew | fuckyou | meandyou | maggie |
welcome | jordan | nicole | pepper | querty |
monkey | asshole | hunter | jessica | rangers |
login | daniel | sunshine | zaq1zaq1 | charlie |
abc123 | andrew | tigger | jennifer | martin |
starwars | lakers | 1989 | test | ginger |
123123 | andrea | merlin | hockey | yankees |
dragon | buster | ranger | dallas | thunder |
passw0rd | joshwa | solo | password | Michelle |
master | 1qaz2wsx | banana | fuckyouasshole | aaaaaa |
In 2017, it was estimated that almost 10% of people had used at least one of the 100 most popular passwords and almost 3% had used 123456 as their password.
Cracking tools try lists like this before anything else, so anything on it should be avoided, along with the obvious variations (capitalised, or with a digit or ! tacked on the end).
You can check whether a password appears in the leaked lists at https://haveibeenpwned.com/Passwords. The check does not send your password to the site: only the first five characters of the password's SHA-1 hash are sent, the site returns every known hash suffix with that prefix, and the comparison against your full hash happens locally (the k-anonymity model).
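The k-anonymity check described above, written out as an added example (this is not code from the page or from Have I Been Pwned). It hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, and looks for the remaining 35 characters in the response. The sample response is constructed for the example; the "password" suffix and the endpoint URL are real, the other suffixes and all counts are made up.

```python
import hashlib
import urllib.request

# Constructed sample of what the range endpoint returns for prefix "5BAA6":
# one "SUFFIX:COUNT" pair per line. The third suffix is the real SHA-1 tail
# of "password" (SHA-1 = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the
# other suffixes and every count are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4E4E0BB9C8A2B0B6E0C5F40DF0B1E4A5D:2
"""


def sha1_hex(password):
    """Uppercase hex SHA-1 digest, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (5-char prefix that leaves the machine, 35-char suffix that does not)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix, range_response):
    """Parse a range response and return the breach count for suffix, 0 if absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup of https://api.pwnedpasswords.com/range/<prefix>; needs network."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetcher=fetch_range):
    """How many times the password appears in the breach corpus (0 = not found).
    Only the hash prefix is ever handed to the fetcher."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetcher(prefix))


if __name__ == "__main__":
    # Offline demo: answer from the constructed response instead of the network.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    print("password:", pwned_count("password", offline))
    print("zKa4zD#5:", pwned_count("zKa4zD#5", offline))
```

To run it against the live service, call `pwned_count("...")` with the default fetcher; the request still carries nothing but the five-character prefix.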
Password complexity
What matters to a brute-force attack is the size of the space it has to search: the number of possible characters raised to the power of the password's length, provided the password was chosen unpredictably from that space. Each extra character multiplies the number of guesses by the size of the character set, which is why length helps more than any single extra character class.
Password complexity can be improved by doing one or more (or all) of the following:
- Avoid using a single word from a dictionary as your password. It will be found straight away when the list of dictionary words is tried one after another.
- Increase the number of characters in the password. A four-character password is much weaker than an eight-character one: with lowercase letters alone that is about 457,000 possibilities against roughly 209 billion.
- Include upper and lower case characters in the password. Don't just capitalise the first letter and leave the rest lowercase; that is the first variation a cracking tool tries.
- Include numbers and symbols in the password. A single digit or ! on the end is the next variation it tries.
It used to be popular to replace letters with digits that look like them: O (oh) with 0 (zero), L with 1 (one), A with 4, S with 5, E with 3 and so on, to create words like:
- Baseball = b453b411
- password = pa55w0rd
- secret = s3cr3t
Password-cracking tools have long been wise to this. Their rule files apply exactly these substitutions (plus capitalisation, appended digits and similar) to every word in the dictionary, so a leet-spelled word costs an attacker only a handful of extra guesses per word and is among the first things tried.
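To show how cheap these substitutions are for an attacker, here is an added example (not code from the page, and a toy version of what tools such as hashcat or John the Ripper do with their rule files). It expands each dictionary word into every combination of the substitutions listed above, adds a capitalised copy, and reports how far down the resulting candidate list a leet-spelled word sits. The five-word dictionary is constructed for the example.

```python
from itertools import product

# The substitutions the page lists (O->0, L->1, A->4, S->5) plus E->3, I->1
# and T->7, which cracking rule files also carry. Real rule sets are far larger.
LEET = {"o": "0", "l": "1", "a": "4", "s": "5", "e": "3", "i": "1", "t": "7"}


def leet_variants(word):
    """Every spelling obtained by deciding, per letter, whether to substitute
    all of its occurrences: 2**k variants for k substitutable letters. This
    mirrors a cracking tool's replace rule applied in every combination."""
    word = word.lower()
    letters = [c for c in LEET if c in word]
    variants = set()
    for choice in product((False, True), repeat=len(letters)):
        out = word
        for letter, swap in zip(letters, choice):
            if swap:
                out = out.replace(letter, LEET[letter])
        variants.add(out)
    return variants


def mangled_candidates(words):
    """Expand a wordlist with the leet variants and a capitalised copy of each,
    the way a rule-based dictionary attack does before any brute force."""
    candidates = set()
    for word in words:
        for variant in leet_variants(word):
            candidates.add(variant)
            candidates.add(variant[:1].upper() + variant[1:])
    return candidates


# Constructed five-word dictionary; a real attack uses millions of words.
WORDLIST = ["password", "baseball", "secret", "dragon", "monkey"]


def guesses_until(target, words=WORDLIST):
    """Rank of target in the sorted candidate list, or None if the rules never
    produce it. For the leet spellings above this is a number under 100; a
    genuine brute force over 8 characters from 36 symbols is up to 36**8 guesses."""
    ordered = sorted(mangled_candidates(words))
    return ordered.index(target) + 1 if target in ordered else None


if __name__ == "__main__":
    print("candidates generated:", len(mangled_candidates(WORDLIST)))
    for pw in ("pa55w0rd", "b453b411", "S3cr3t", "zKa4zD#5"):
        print(pw, "->", guesses_until(pw))
```

The random string `zKa4zD#5` is the only one the rules never reach: it is not a word with decorations applied, so the attacker is pushed back to exhaustive search.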
The most secure passwords
The most secure form of password is a long string of characters chosen at random from uppercase and lowercase letters, numbers and symbols, like these:
- zKa4zD#5 (8 characters)
- $f4qX6rxBU&B (12 characters)
- 1!^B5qUA$t0iU7l% (16 characters)
The strength comes from the randomness of the choice, not from the string looking complicated: a password a person types to look random is drawn from a far smaller space than one produced by a generator.
The disadvantage of these unguessable, context-free passwords is that they are almost impossible to remember, and as a result get written down, which swaps a remote guessing problem for a local theft problem.
Passwords are routinely found written on Post-it notes stuck under keyboards, inside the front or back covers of notebooks, or on computer monitors.
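The search-space arithmetic behind the complexity advice and the three random strings above, as an added example (not the page's own code). It estimates the bits of entropy for a password drawn uniformly from a given alphabet and length, and the average time to exhaust that space at an assumed guessing rate. The rate of 10 billion guesses per second is a constructed figure standing in for a GPU cracking rig against a fast unsalted hash; the comparison between rows is the point, not the absolute numbers.

```python
import math
import string


def charset_size(password):
    """Alphabet a brute-force attacker must cover for this password: the union
    of the standard character classes it uses (26 lower, 26 upper, 10 digits,
    32 ASCII symbols)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def entropy_bits(alphabet, length):
    """log2 of the search space for `length` symbols each drawn uniformly at
    random from `alphabet` possibilities. This measures how the password was
    generated; a human-chosen string that merely looks random scores lower."""
    return length * math.log2(alphabet)


def expected_years(bits, guesses_per_second):
    """Average time to find the password: half the search space at the given rate."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / 31_557_600  # seconds in a Julian year


RATE = 1e10  # constructed figure: guesses/s for a fast unsalted hash on a GPU rig


def compare(rate=RATE):
    """Return (label, bits, years) rows for the cases discussed on the page."""
    cases = [
        ("4 lowercase letters", 26, 4),
        ("8 lowercase letters", 26, 8),
        ("8 mixed case", 52, 8),
        ("8 mixed case + digits", 62, 8),
        ("one word from a 100,000-word dictionary", 100_000, 1),
        ("4 random words from a 7,776-word list", 7_776, 4),
    ]
    for pw in ("zKa4zD#5", "$f4qX6rxBU&B", "1!^B5qUA$t0iU7l%"):
        cases.append((f"{len(pw)} random chars ({pw})", charset_size(pw), len(pw)))
    return [
        (label, entropy_bits(a, n), expected_years(entropy_bits(a, n), rate))
        for label, a, n in cases
    ]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:<42} {bits:6.1f} bits  ~{years:.3g} years")
```

Two things stand out in the output: adding four characters to a lowercase password buys more than adding every symbol on the keyboard to a short one, and four words picked at random from a modest list land close to a 8-character fully random string while remaining memorable.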
Using a Password Manager
I would always recommend the use of long strong complex passwords in conjunction with a Password Manager. A password manager will generate, remember and enter long strong complex passwords for you, so you don’t need to remember them or write them down.
Read my guide about setting up and using a password manager.
Of course, you'll still need at least one strong, complex, memorable password to protect your password manager, so read on.
Choosing a strong complex memorable password
- Think of 3 or 4 random words. Look around you for inspiration, but don't choose words that someone else could guess or that could be associated with you.
- Imagine a silly or weird situation in your mind that can be described using those words. This image is the key to memorising your password.
If a password policy forces you to use capitals, digits or special characters:
- Choose where to put your capital letters. Don't capitalise the first character, which is what everyone does; try the start of the 2nd and/or 3rd words instead.
- Can one of your words be a number? Change it to its numeric version, so that three becomes 3.
- Pick one or more symbol characters and put them somewhere in the middle of the password, not as the first or last character.
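The procedure above carried out in code, as an added example (not from the page). One deliberate change from the text: the words are drawn with a cryptographic random source from a word list rather than picked by looking around the room, because that is the only way the strength can be counted. The 32-word list, the number-word table and the policy check are constructed for the example; a real list such as the EFF long list has 7,776 words and gives about 12.9 bits per word instead of 5.

```python
import math
import secrets
import string

# Constructed 32-word list for illustration only; use a real diceware-style
# list for actual passwords. Each pick here is worth log2(32) = 5 bits.
WORDLIST = [
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "velvet", "walnut", "yogurt",
    "zipper", "three", "seven", "purple", "tractor", "cloud", "river", "goat",
]
# Constructed table for the "can one of your words be a number?" step.
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10"}


def pick_words(n=4, words=WORDLIST):
    """Choose n words with a CSPRNG rather than by looking around the room:
    the entropy then comes from the list size, not from the chooser's habits."""
    return [secrets.choice(words) for _ in range(n)]


def apply_policy(words, symbol="&"):
    """Build the password the way the steps above describe: capitalise the 2nd
    and 3rd words (never the 1st), swap a number word for its digits, and put
    the symbol in the middle rather than at either end."""
    parts = []
    for i, word in enumerate(words):
        word = NUMBER_WORDS.get(word, word)
        if i in (1, 2):
            word = word[:1].upper() + word[1:]
        parts.append(word)
    mid = len(parts) // 2
    return "".join(parts[:mid]) + symbol + "".join(parts[mid:])


def meets_policy(password, min_len=12):
    """Hypothetical policy: at least min_len characters, at least three of the
    four character classes, and no capital or symbol as the first or last
    character (those are the positions cracking rules decorate first)."""
    classes = sum(
        any(c in cls for c in password)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    decorated = string.ascii_uppercase + string.punctuation
    ends_ok = password[0] not in decorated and password[-1] not in decorated
    return len(password) >= min_len and classes >= 3 and ends_ok


def passphrase_bits(n_words, list_size=len(WORDLIST)):
    """Entropy of n words chosen uniformly from list_size candidates. The
    capitalisation, digit and symbol steps add almost nothing to this: they
    are the same fixed transformation every time."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = pick_words()
    pw = apply_policy(words)
    print(words, "->", pw)
    print("policy ok:", meets_policy(pw),
          f"| {passphrase_bits(len(words)):.1f} bits from the word choice")
```

Note that `dragon` and `pepper` from this list are on the top-100 list above; that is irrelevant once four words are combined at random, but it is exactly why a single word, however decorated, is weak.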
Here's a fun cartoon from xkcd.com (xkcd 936, "Password Strength")
This is a really popular cartoon, so please don't use correcthorsebatterystaple as your password, as I'm certain it's now in every password cracking dictionary 🙂