Bad Passwords
When you choose a password, you are also choosing whether it is easy or hard for malicious people to gain access to your account. We say that a password is bad when it is:
- Easy for humans or computers to guess, or
- Hard for you to remember.
Easy for humans or computers to guess
Here are some examples of passwords that are relatively easy for humans or computers to guess:
| Category | Examples |
|---|---|
| your own birthday (or any date which might have significance for you) | april10, aprilten, 1124, 11-24, 112480, 11-24-80, 11241980 |
| people's names (or any name that might have significance for you) | David, Maria, Johnny, david, maria, johnny |
| any personal information such as your license plate number, your social security number, your phone number | 2N3BB5Z, 555-55-5555, 111223333, 415-555-5555, 4153334444 |
| dictionary words -- words in any language that can be found in a dictionary or on the Internet | Constantinople, secret, password, adios, bonjour, willkommen |
| words or phrases from books, films, poems, songs (song lyrics), famous speeches, etc. | Ihaveadream; Game over, man!; When you're a Jet, you're a Jet all the way! |
| dictionary words with simple algorithms applied, such as using the same word backwards or concatenating two words or concatenating two words with a punctuation character in between | Elponitnatsnoc, yenoh, eipragus, yellowtiger, regitwolley, cat?dog, star!search |
| commonly used passwords or passwords used in fiction | Can any of the passwords you use be found in these lists? |
These are bad passwords because:
- Malicious people can guess that your password is your birthday or the name of someone you know or some other piece of information related to you.
- Malicious people can program computers to repeatedly guess that your password is made up of one or more words in a wordlist. This method is called a dictionary attack.
- Malicious people can take wordlists and apply commonly recommended algorithms: spelling words backwards, using h4x0r language, interleaving words, and so on. Since malicious people can easily find recommended algorithms for how to choose a good password, they can modify their password cracking software accordingly. If you like using an algorithm for passwords, use a complex one instead of a simple one.
Security warning: If you use a password algorithm, don't use one which can be easily deduced if one of your passwords is compromised. For example, if your password for Yahoo! is ybaihnogoo ("yahoo" interleaved with "bingo"), anyone who steals the password list at Yahoo! might be able to guess that your PayPal password is pbaiynpgao or pbaiynpgaol.
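A site or password manager can screen for these patterns before a password is accepted. The Python check below is an added example, not part of the original page; the small wordlist, the substitution table and the function names are assumptions made for illustration, and the sample passwords come from the table and warning above (plus the constructed "p4ssw0rd").

```python
import re

# Constructed sample wordlist (assumption); a real check would load a large
# dictionary plus names, dates and other data tied to the account owner.
WORDS = {"constantinople", "honey", "sugarpie", "yellow", "tiger", "cat",
         "dog", "star", "search", "secret", "password"}

# Undo common "h4x0r" substitutions before the dictionary lookup.
LEET = str.maketrans("43015$@7", "aeolssat")


def is_word(s):
    """True if s, read forwards or backwards, is in the wordlist."""
    return s in WORDS or s[::-1] in WORDS


def dictionary_rule(s):
    """Name the simple wordlist transform that produces s, or return None."""
    if s in WORDS:
        return "dictionary word"
    if s[::-1] in WORDS:
        return "dictionary word spelled backwards"
    if any(is_word(s[:i]) and is_word(s[i:]) for i in range(1, len(s))):
        return "two dictionary words concatenated"
    parts = re.split(r"[^a-z0-9]", s)
    if len(parts) == 2 and all(is_word(x) for x in parts):
        return "two dictionary words joined by punctuation"
    return None


def weakness(password, site=None):
    """Return why a password is guessable, or None if no rule here matches."""
    p = password.lower()
    if re.fullmatch(r"[\d\-/. ]{4,12}", p):
        return "digits only (date, phone or ID number)"
    if site:
        site = site.lower()
        # Per-site algorithm: the site name sits on every other character.
        for half in (p[0::2], p[1::2]):
            if len(half) >= 3 and (site.startswith(half) or half.startswith(site)):
                return "site name interleaved with a fixed string"
    return dictionary_rule(p) or dictionary_rule(p.translate(LEET))


if __name__ == "__main__":
    for pw, site in [("regitwolley", None), ("star!search", None),
                     ("p4ssw0rd", None), ("pbaiynpgaol", "paypal")]:
        print(pw, "->", weakness(pw, site))
```

A result of None only means none of these few rules matched; it does not make the password good.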
Hard for you to remember
Now consider these passwords...
| Category | Examples |
|---|---|
| hard to remember | ia5pl/yCzxFh9ozB/iw0, x0PKPXVup96+M3hX/557, 5pBGtHfu43TXljrx3LhR, g1sJOj1Oo3bp3cyvLr63. Don't use these passwords since they are published on a public web page. |
If your password is so hard to remember that you need to write it down on a sticky note and put it on your monitor or bulletin board, it's almost worthless. Passwords like these can be good passwords if you don't have to remember them. For example, you can store passwords like these in a password manager and use a master password to retrieve them when needed.
How good passwords turn bad
Even good passwords can become bad passwords if they aren't handled correctly.
- Never share your password.
- Never let others watch while you type your password.
- Log out properly.
- Change your password regularly and never reuse it.
- Store your password securely.
For details, see How to Keep Your Accounts Secure.
How to choose a good password
More information
- Most Common iPhone Passcodes
- Study: Hacking Passwords Easy As 123456
- Password Production
- Password Cracking
- Passwords

