Bad passwords

Policy Type: Best Practice

When you choose a password, you are also choosing how easy or hard it is for an attacker to gain access to your account. A password is bad when it is:

  • Easy for humans or computers to guess
  • Hard for you to remember

Easy for humans or computers to guess

Here are some examples of passwords that are relatively easy for humans or computers to guess, grouped by category:

  • your own birthday, in any format: april10, aprilten, 0410, 04-10, 041080, 04-10-80, 04101980
  • people's names: David, Maria, Johnny, david, maria, johnny
  • any personal information, such as your license plate number, your social security number or your phone number: 2N3BB5Z, 555-55-5555, 111223333, 415-555-5555, 4153334444
  • dictionary words, in any language, that can be found in a dictionary or on the Internet: Constantinople, secret, password, adios, bonjour, willkommen
  • words or phrases from books, films, poems, songs (song lyrics), famous speeches, etc.: Ihaveadream; Game over, man!; When you're a Jet, you're a Jet all the way!
  • dictionary words with simple algorithms applied, such as spelling a word backwards, concatenating two words, or concatenating two words with a punctuation character in between: Elponitnatsnoc, yenoh, eipragus, yellowtiger, regitwolley, cat?dog, star!search

These are bad passwords because:

  • Attackers can guess that your password is your birthday, the name of someone you know, or some other piece of information related to you. Much of this information is public or easy to find.
  • Attackers can program computers to repeatedly guess that your password is made up of one or more words from a wordlist, a default-password list, or a list of passwords recovered from earlier breaches. This is called a dictionary attack.
  • Attackers can take wordlists and apply the same transformations that password advice commonly recommends: spelling words backwards, leetspeak substitutions (h4x0r), interleaving or concatenating words, appending a digit or punctuation mark, etc. Since attackers can read the same advice you do, they add each recommended trick to their cracking software as a rule, and a rule costs them almost nothing to try. If you like using an algorithm for passwords, use a complex one rather than a simple one, or better, let a password manager generate random passwords for you.

Security Warning: If you use a password algorithm, don't use one that can be deduced from a single compromised password. For example, if your password for Yahoo! is ybaihnogoo ("yahoo" interleaved with "bingo"), anyone who obtains the password database from Yahoo! and recovers your password can guess that your PayPal password is pbaiynpgao or pbaiynpgaol. One breach then unlocks every account that uses the same scheme.
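The following is an added example, not code from the original page: a toy dictionary attack that applies the mangling rules described above (reversal, leetspeak, suffixes, concatenation with punctuation, and the "yahoo"/"bingo" interleaving scheme from the warning) to a small wordlist and runs the guesses against a constructed set of leaked hashes. The wordlist, the leaked hashes and the rule set are all made up here; real crackers such as hashcat and John the Ripper work the same way, with wordlists of millions of entries and rule files with thousands of rules.

```python
"""Toy dictionary attack with mangling rules (added example, constructed data)."""
import hashlib
import itertools

# Constructed wordlist. A real attack uses millions of words plus every
# password recovered from earlier breaches.
WORDLIST = ["password", "secret", "honey", "sugarpie", "yellow", "tiger",
            "constantinople", "yahoo", "bingo", "paypal", "star", "search",
            "cat", "dog"]

# Leetspeak substitutions, one of the "recommended" tricks attackers also know.
LEET = str.maketrans("aeiost", "431057")


def interleave(a, b):
    """Alternate characters of a and b; the tail of the longer word is appended.
    interleave("yahoo", "bingo") -> "ybaihnogoo", the scheme from the warning."""
    return "".join(x + y for x, y in itertools.zip_longest(a, b, fillvalue=""))


def candidates(wordlist):
    """Yield guesses roughly in order of cost: bare words, then single-word
    rules, then two-word combinations. Each rule is one line; that is how cheap
    it is for an attacker to add a 'recommended algorithm' to the attack."""
    for w in wordlist:
        yield w
        yield w.capitalize()
        yield w.upper()
        yield w[::-1]                   # backwards: yenoh, eipragus
        yield w[::-1].capitalize()      # Elponitnatsnoc
        yield w.translate(LEET)         # p455w0rd
        for suffix in ("1", "123", "!", "?"):
            yield w + suffix
    for a, b in itertools.permutations(wordlist, 2):
        for sep in ("", "?", "!", "-"):
            yield a + sep + b           # yellowtiger, cat?dog, star!search
        yield (a + b)[::-1]             # regitwolley
        yield interleave(a, b)          # ybaihnogoo


def sha256_hex(s):
    # Unsalted SHA-256 keeps the demo short. A per-user salt only forces the
    # attacker to run the loop once per user, and a slow hash (bcrypt, scrypt,
    # Argon2) multiplies the cost per guess; neither changes which passwords fall.
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hashes, wordlist, max_guesses=1_000_000):
    """Return {hash: (password, guess_number)} for every hash recovered."""
    pending = set(target_hashes)
    found = {}
    for n, guess in enumerate(candidates(wordlist), start=1):
        if n > max_guesses or not pending:
            break
        h = sha256_hex(guess)
        if h in pending:
            found[h] = (guess, n)
            pending.remove(h)
    return found


# Constructed "leaked" database: four of the page's bad passwords and one
# random one, stored as hashes the way a breached site might.
LEAKED = {sha256_hex(p): p for p in [
    "Elponitnatsnoc", "regitwolley", "cat?dog", "ybaihnogoo",
    "ia5pl/yCzxFh9ozB/iw0",
]}


def demo():
    """Run the attack against the constructed leak; return the recovered plaintexts."""
    found = crack(LEAKED, WORDLIST)
    return {pw for pw, _ in found.values()}


if __name__ == "__main__":
    for h, (pw, n) in crack(LEAKED, WORDLIST).items():
        print(f"{pw!r} recovered on guess {n}")
    print("not recovered:", set(LEAKED.values()) - demo())
```

With this tiny wordlist the four mangled passwords fall within a few hundred guesses, while the random one survives the whole candidate space; scaling the wordlist and rule set up is exactly what a real attacker does. The `interleave` helper also shows why the warning matters: once "ybaihnogoo" is recovered and recognised as yahoo/bingo, `interleave("paypal", "bingo")` is a single guess.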

Hard for you to remember

Now consider these passwords:

  • hard to remember: ia5pl/yCzxFh9ozB/iw0, x0PKPXVup96+M3hX/557, 5pBGtHfu43TXljrx3LhR, g1sJOj1Oo3bp3cyvLr63

Don't use these passwords since they are published on a public web page.

If your password is so hard to remember that you need to write it on a sticky note and put it on your monitor or bulletin board, it protects you only against attackers who never enter the room. Passwords like these are good passwords if you don't have to remember them: they are random, so none of the guessing strategies above apply. Store them in a password manager and use a single strong master password to retrieve them when needed.
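As an added example (not code from the original page, and not any particular password manager's implementation), the following shows the two things a password manager does so that you never have to remember passwords like the ones above: it generates them from a cryptographic random source, and it gates access to them behind one master password that is stretched with a slow key-derivation function. The alphabet, KDF parameters and function names are this example's own choices; a real manager additionally uses the derived key to encrypt the stored passwords, which is omitted here.

```python
"""Random password generation and master-password verification (added example)."""
import hashlib
import hmac
import math
import secrets
import string

# 64-symbol alphabet, like the page's examples. Every symbol is equally likely,
# so nothing in the wordlist-plus-rules approach helps an attacker.
ALPHABET = string.ascii_letters + string.digits + "/+"


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=20, alphabet_size=len(ALPHABET)):
    """log2 of the keyspace: 20 symbols from 64 gives 120 bits, i.e. 2**120
    equally likely passwords. A 100,000-word list with 1,000 rules is only
    about 2**27 guesses, which is why dictionary attacks succeed."""
    return length * math.log2(alphabet_size)


# Master password handling: store a salt and a stretched hash, never the
# password itself. scrypt parameters here are illustrative (n=2**14, r=8, p=1).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def make_verifier(master_password):
    """Return (salt, stretched_key) to store for later master-password checks."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(master_password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, key


def check_master(master_password, salt, expected_key):
    """Recompute the stretched key and compare in constant time."""
    key = hashlib.scrypt(master_password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    print("generated:", generate_password(), f"({entropy_bits():.0f} bits)")
    salt, key = make_verifier("correct horse battery staple")
    print("right master password:", check_master("correct horse battery staple", salt, key))
    print("wrong master password:", check_master("password", salt, key))
```

The master password is the one password you still have to remember, so everything in the first half of this page applies to it with full force: it must not be a dictionary word, a name, or a simple transformation of one.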

How good passwords turn bad

Even good passwords can become bad passwords if they aren't handled correctly.

  • Never share your password, even with someone who claims to be from IT or support.
  • Never let others watch while you type your password.
  • Log out properly, especially on shared computers.
  • Change your password regularly, change it immediately if you suspect it has been exposed, and never reuse one across accounts.
  • Store your password securely, for example in a password manager.

For details, see How to Keep Your Accounts Secure.

How to choose a good password

See How to Choose a Password.