Why 'password' is Not a Secure Password

“Password” is not a secure password. That may seem like the most obvious statement in the world. Yet for some strange reason, “password” is still the 4th most popular password choice, according to an annual study from SplashData. Here are the other gems from their Top 10 most popular (and most hacked) password list.

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123

Any of these weak passwords can be hacked within seconds, yet people still use them to safeguard important online accounts. 80% of data breaches still occur because of weak, stolen, or default passwords.
If you see your password on this list, you definitely need to change it.



Some of you are probably scoffing by now. You’ve heard about using strong passwords. You don’t use any of these weak, default examples. Plus, many services now enforce more complicated passwords with more characters, upper and lowercase letters, and numerals. So you must be safe, right?
But how secure is your password, really?

Short passwords are easy victims

One of the ways hackers get passwords is a “brute-force” approach, where they simply guess every single combination of letters and characters. Because computers today are so powerful, they can make billions of guesses every second. This raw processing power makes quick work of short passwords.
Back in 2012, a password-cracking expert created a computer cluster that could crack every standard Windows password in less than 6 hours. Making more than 350 billion guesses per second, the system could brute force every 8-character combination, including upper and lowercase letters, digits, and symbols.

So even random, complex passwords are no protection if they’re too short. The number of characters you use exponentially increases the number of guesses the computer needs to make. And with technology today getting faster and faster, you want to keep your passwords long to keep them guessing.

What they call “strong” may not be strong

Many online services now include a password strength meter when you create a new password. While they can help increase the strength of your passwords, they’re not a perfect system.
Take, for example, these three passwords checked on Password Meter:

password123 – Good

1q2w3e4r5t – Strong

Robert12345 – Very Strong

By “brute force” machine logic, these may be decent passwords, because they’re reasonably long and contain a mix of letters and numbers. But to the human eye, they’re pretty obvious. Adding sequential numerals to a basic word or name does not make for a secure password. And 1q2w3e4r5t is simply a keyboard pattern – one common enough to hit #22 on the earlier hacked passwords list. 

Substituting characters isn’t enough

Another method that hackers often use is the dictionary attack, which systematically uses common words (like dictionary terms or names) to try to guess your passwords. To protect against this, many sources tell you to substitute letters with numbers. So for example, exchange a zero for an “o” and a “1” for an “i,” like this password:


The problem with these substitutions is that they’re very common, and hackers know them too. Hacking algorithms are smart enough to decode these commonly swapped numbers. The above password was just one of the 14,800 cracked in under an hour during a test in 2013. So when it comes to secure passwords, don’t rely on simple patterns.
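
The two views discussed so far, brute-force arithmetic versus guessable patterns, side by side in an added example (not code from the article or from Password Meter). The function names, the tiny word list, the swaps beyond 0/o and 1/i, and the 95-character printable-ASCII alphabet are assumptions made for illustration.

```python
import re

GUESSES_PER_SEC = 350e9  # rate of the 2012 cluster quoted in the article

# Constructed sample data: a real check would load a large breached-password list.
COMMON = {"123456", "123456789", "qwerty", "password", "1234567",
          "12345678", "12345", "iloveyou", "111111", "123123"}
WORDS = {"password", "robert", "dragon", "monkey"}  # tiny stand-in dictionary
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Straight rows plus zigzags between adjacent rows ("1q2w3e4r5t...").
WALKS = ROWS + ["".join(a + b for a, b in zip(r1, r2))
                for r1, r2 in zip(ROWS, ROWS[1:])]
# "0"->"o" and "1"->"i" are the article's swaps; the others are assumed.
LEET = str.maketrans("013457@$", "oieastas")
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
           (r"[^a-zA-Z0-9]", 33)]  # 33 = printable ASCII symbols and space


def brute_force_seconds(pw, rate=GUESSES_PER_SEC):
    """Worst-case time to try every string of pw's length and character mix."""
    alphabet = sum(size for rx, size in CLASSES if re.search(rx, pw))
    try:
        return alphabet ** len(pw) / rate
    except OverflowError:  # keyspace too large for a float
        return float("inf")


def findings(pw):
    """Return the guessable patterns found in pw (empty list if none)."""
    low = pw.lower()
    base = low.rstrip("0123456789")      # part before any trailing digits
    suffix = low[len(base):]
    plain = base.translate(LEET)         # undo character swaps
    found = []
    if low in COMMON:
        found.append("common password")
    if len(low) >= 4 and any(low in walk for walk in WALKS):
        found.append("keyboard walk")
    if plain in WORDS:
        found.append("dictionary word or name" if plain == base
                     else "leet-substituted dictionary word")
        if suffix:
            found.append("digits appended")
    return found


if __name__ == "__main__":
    for pw in ["password123", "1q2w3e4r5t", "Robert12345", "passw0rd"]:
        hours = brute_force_seconds(pw) / 3600
        print(f"{pw!r}: {hours:.3g} h exhaustive, patterns: {findings(pw)}")
```

A password that looks expensive to exhaust by length and character mix alone is still rejected when `findings` returns anything, because a guesser tries those patterns long before it tries every combination.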

Don’t use personal information

One common way people choose passwords is to use names: their own, their family, their pets, etc. Many also use places, like their current city, or a favorite vacation spot. These make weak passwords. Personal information like that is usually readily available on social media for any hacker who searches for it.
Another common choice is birthdays. Not only can they be found online, but they’re also entirely numeric, which makes them easier to crack. One source suggests that a date, even separated by punctuation, could be cracked in just 13 seconds.

Simple Suggestions for Stronger Passwords

Maybe now you’re wondering if your passwords are strong enough. But the problem with strong passwords is that they can often be complex and hard to remember. Here are some simple tips for stronger passwords:

Use multiple random words

One easy-to-remember tactic is to use 3 or 4 unrelated dictionary words, with spaces in between. Dictionary attacks are great at cracking one word, but using multiple random words makes your password nearly impossible to crack.

[Image: how to create a safe password. Source: xkcd]

Use passphrases, not passwords

One growing trend is the use of passphrases, rather than passwords. Passphrases are, like they sound, longer phrases or full sentences that are easy for you to remember. For example:

I love to walk my hairy dog, Max.

Many services will let you have really long passwords, so you can write long phrases or sentences. Since most still do require numerals and special characters, you can easily include them in your passphrase:

I love 2 walk my (hairy) dog, Max!

It’s still easy to remember, but much more secure than a typical password.

Don’t reuse the same password

Most people have too many passwords to easily remember, especially if they’re obscure and complex. That’s why 39% of adults use the same or very similar passwords across multiple services. That means that once a hacker gets access to one account, it’s much more likely they’ll break into more. This is a huge problem for businesses, especially, because employees often use the same credentials for personal and business use.
Passphrases can help here. You can create multiple passphrases and relate them to the services they belong to, so they’re easier to remember. For example, maybe you’re using the above passphrase for your email. You might change it to:

I love 2 walk my (hairy) dog, Max, 2 the mailbox!

Another good option is using a password manager like KeePass or LastPass. These services will store all of your passwords. To access everything, you only have to remember one master password (so make it a good one!).

No Password is Perfect


Ultimately, no password is a 100% guarantee of protection. Many hackers rely on phishing attacks or malware to steal your password. You can have the strongest password in the world, but if you type it into a fake login page, you’re handing it right to the criminal.
Even worse, most people don’t know if and when their passwords have been stolen. And if you’re reusing passwords, a hacker may be able to access many of your accounts before you realize there’s a problem.
That’s not to say that you should ignore good password practices. Get in the habit of using strong passwords (or passphrases). Don’t reuse the same password for multiple services, and use a password manager if you’re having trouble remembering passwords.