
UCSF School of Pharmacy

Bad Passwords

When you choose a password, you are also choosing whether it is easy or hard for malicious people to gain access to your account. We say that a password is bad when it is:

  • Easy for humans or computers to guess, or
  • Hard for you to remember.

Easy for humans or computers to guess

Here are some examples of passwords that are relatively easy for humans or computers to guess:

| Category | Examples |
|---|---|
| your own birthday (or any date which might have significance for you) | april10, aprilten, 1124, 11-24, 112480, 11-24-80, 11241980 |
| people's names (or any name that might have significance for you) | David, Maria, Johnny, david, maria, johnny |
| any personal information such as your license plate number, your social security number, your phone number | 2N3BB5Z, 555-55-5555, 111223333, 415-555-5555, 4153334444 |
| dictionary words -- words in any language that can be found in a dictionary or on the Internet | Constantinople, secret, password, adios, bonjour, willkommen |
| words or phrases from books, films, poems, songs (song lyrics), famous speeches, etc. | Ihaveadream; Game over, man!; When you're a Jet, you're a Jet all the way! |
| dictionary words with simple algorithms applied, such as using the same word backwards or concatenating two words or concatenating two words with a punctuation character in between | Elponitnatsnoc, yenoh, eipragus, yellowtiger, regitwolley, cat?dog, star!search |
| commonly used passwords or passwords used in fiction | Can any of the passwords you use be found in these lists? |

  1. Revealed: The most commonly used passwords in hacked accounts... and 'password' is one of them
  2. 25 most-used passwords revealed: Is yours one of them?
  3. High Probability Password List
  4. Passwords used by the Conficker worm

These are bad passwords because:

  • Malicious people can guess that your password is your birthday or the name of someone you know or some other piece of information related to you.
  • Malicious people can program computers to repeatedly guess that your password is made up of one or more words in a wordlist. This method is called a dictionary attack.
  • Malicious people can take wordlists and apply commonly recommended algorithms: spelling words backwards, using h4x0r language, interleaving words, and so on. Since malicious people can easily find recommended algorithms for how to choose a good password, they can modify their password cracking software accordingly. If you like using an algorithm for passwords, use a complex one instead of a simple one.

Security warning: If you use a password algorithm, don't use one which can be easily deduced if one of your passwords is compromised. For example, if your password for Yahoo! is ybaihnogoo ("yahoo" interleaved with "bingo"), anyone who steals the password list at Yahoo! might be able to guess that your PayPal password is pbaiynpgao or pbaiynpgaol.
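The simple algorithms listed above are easy to test for mechanically, which is why they add so little protection. The following is an added example, not part of the original page: a small check that names the rule behind a candidate password, run on examples from the table above. The wordlist and substitution table are small constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample wordlist (assumption); a real check would load a large
# dictionary plus lists of names and commonly used passwords.
WORDLIST = {"constantinople", "honey", "sugarpie", "yellow", "tiger",
            "cat", "dog", "star", "search", "secret", "password"}

# A few common character substitutions, mapped back to letters.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def _is_word(s):
    """True if s is a wordlist entry spelled forwards or backwards."""
    return s in WORDLIST or s[::-1] in WORDLIST


def _word_rule(s):
    """Name the simple word-based algorithm that produces s, if any."""
    if s in WORDLIST:
        return "dictionary word"
    if s[::-1] in WORDLIST:
        return "dictionary word spelled backwards"
    if any(_is_word(s[:i]) and _is_word(s[i:]) for i in range(1, len(s))):
        return "two words concatenated"
    m = re.fullmatch(r"([a-z]+)[^a-z0-9]([a-z]+)", s)
    if m and _is_word(m.group(1)) and _is_word(m.group(2)):
        return "two words joined by a punctuation character"
    return None


def weakness(password):
    """Return why a candidate is easy to guess, or None if no rule matched.

    None only means these few rules did not fire, not that the password is good.
    """
    p = password.lower()
    if re.sub(r"[-/. ]", "", p).isdigit():
        return "digits only (date, phone or ID number)"
    rule = _word_rule(p)
    if rule:
        return rule
    rule = _word_rule(p.translate(LEET))
    return rule + ", with character substitutions" if rule else None


if __name__ == "__main__":
    for pw in ["Elponitnatsnoc", "regitwolley", "cat?dog", "11-24-80", "p4ssw0rd"]:
        print(f"{pw!r}: {weakness(pw)}")
```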

Hard for you to remember

Now consider these passwords...

| Category | Examples |
|---|---|
| hard to remember | ia5pl/yCzxFh9ozB/iw0, x0PKPXVup96+M3hX/557, 5pBGtHfu43TXljrx3LhR, g1sJOj1Oo3bp3cyvLr63. |

Don't use these passwords since they are published on a public web page.

If your password is so hard to remember that you need to write it down on a sticky note and put it on your monitor or bulletin board, it's almost worthless. Passwords like these can be good passwords if you don't have to remember them. For example, you can store passwords like these in a password manager and use a master password to retrieve them when needed.

How good passwords turn bad

Even good passwords can become bad passwords if they aren't handled correctly.

  • Never share your password.
  • Never let others watch while you type your password.
  • Log out properly.
  • Change your password regularly and never reuse it.
  • Store your password securely.

For details, see How to Keep Your Accounts Secure.

How to choose a good password

See How to Choose a Password.

More information

Go To: Good Passwords
