When you choose a password, you are also choosing whether it is easy or hard for a malicious attacker to gain access to your account. A password is bad when it is:
- Easy for humans or computers to guess
- Hard for you to remember
Easy for humans or computers to guess
Here are some examples of passwords that are relatively easy for humans or computers to guess:
- your own birthday: april10, aprilten, 1124, 11-24, 112480, 11-24-80, 11241980
- the name of someone you know: David, Maria, Johnny, david, maria, johnny
- any personal information such as your license plate number, your social security number, your phone number: 2N3BB5Z, 555-55-5555, 111223333, 415-555-5555, 4153334444
- dictionary words (words in any language that can be found in a dictionary or on the Internet): Constantinople, secret, password, adios, bonjour, willkommen
- words or phrases from books, films, poems, songs (song lyrics), famous speeches, etc.: Ihaveadream; Game over, man!; When you're a Jet, you're a Jet all the way!
- dictionary words with simple algorithms applied, such as spelling a word backwards, concatenating two words, or concatenating two words with a punctuation character in between: Elponitnatsnoc, yenoh, eipragus, yellowtiger, regitwolley, cat?dog, star!search
These are bad passwords because:
- Malicious attackers can guess that your password is your birthday or the name of someone you know or some other piece of information related to you.
- Malicious attackers can program computers to repeatedly guess that your password is made up of one or more words in a wordlist or default password list. This is called a dictionary attack.
- Malicious attackers can take wordlists and apply commonly recommended algorithms: spelling words backwards, using h4x0r language, interleaving words, etc. Since malicious people can easily find recommended algorithms for how to choose a good password, they can modify their password cracking software accordingly. If you like using an algorithm for passwords, use a complex one, not a simple one.
Security Warning: If you use a password algorithm, don't use one which can be easily deduced if one of your passwords is compromised. For example, if your password for Yahoo! is ybaihnogoo ("yahoo" interleaved with "bingo"), anyone who steals the password list at Yahoo! might be able to guess that your PayPal password is pbaiynpgao or pbaiynpgaol.
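As an added illustration (not part of the original page), the following Python checker applies the simple transformations described above (reversal, concatenation, punctuation joins, and interleaving) to a small constructed wordlist and personal-information list, and reports why a candidate password would be rejected by a policy that tests for them. The wordlist, the personal data and the punctuation set are assumptions made for this example.

```python
"""Reject passwords that a simple mangling rule derives from known words."""
import itertools

# Constructed sample data for the example; a real checker would load a
# large wordlist and the account holder's own details.
WORDLIST = ["secret", "password", "honey", "yellow", "tiger", "cat", "dog",
            "yahoo", "bingo", "paypal", "sugar", "pie"]
PERSONAL = ["1124", "112480", "11-24-80", "11241980", "2N3BB5Z", "david"]
PUNCTUATION = "!?.-_"


def interleave(a: str, b: str) -> str:
    """Alternate the characters of a and b ("yahoo"+"bingo" -> "ybaihnogoo");
    when the words differ in length the tail of the longer one is appended."""
    pairs = itertools.zip_longest(a, b, fillvalue="")
    return "".join(x + y for x, y in pairs)


def derived_forms(words):
    """Yield every candidate the page's simple rules produce from the words:
    the word itself, reversed, two words joined, that join reversed,
    two words joined by a punctuation character, and two words interleaved."""
    for w in words:
        yield w
        yield w[::-1]
    for a, b in itertools.permutations(words, 2):
        joined = a + b
        yield joined
        yield joined[::-1]
        yield interleave(a, b)
        for p in PUNCTUATION:
            yield a + p + b


def weakness_reason(password, wordlist=WORDLIST, personal=PERSONAL):
    """Return a short reason the password is weak, or None if no rule matched.
    Comparison is case-insensitive because guessing tools try both cases."""
    lowered = password.lower()
    if lowered in {p.lower() for p in personal}:
        return "personal information"
    if lowered in {w.lower() for w in wordlist}:
        return "dictionary word"
    for candidate in derived_forms([w.lower() for w in wordlist]):
        if candidate == lowered:
            return "dictionary words with a simple transformation"
    return None
```

The random-looking strings in the next section return None from this checker, which is exactly why they are strong as long as you do not have to remember them.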
Hard for you to remember
Now consider these passwords, which are hard to remember:
ia5pl/yCzxFh9ozB/iw0, x0PKPXVup96+M3hX/557, 5pBGtHfu43TXljrx3LhR, g1sJOj1Oo3bp3cyvLr63.
Don't use these passwords since they are published on a public web page.
If your password is so hard to remember that you need to write it down on a sticky note and put it on your monitor or bulletin board, it's worthless. Passwords like these can be good passwords if you don't have to remember them. For example, you can store passwords like these in a password manager and use a master password to retrieve them when needed.
How good passwords turn bad
Even good passwords can become bad passwords if they aren't handled correctly.
- Never share your password.
- Never let others watch while you type your password.
- Log out properly.
- Change your password regularly and never reuse it.
- Store your password securely.
For details, see How to Keep Your Accounts Secure.