The Truth About Terrible Passwords

“Password” is indeed a bad password to use. You are right to roll your eyes if you hear somebody has used it. But there’s a good chance your password sucks as well.

Several times a year, mainstream and tech media will report on the latest list of the “worst” passwords. Several different organizations make an annual list but they almost always use the same (lack of) criteria. It’s simply based on how often the password appeared in leaked and stolen databases of account passwords.

It's not the fact a password was in such a list that makes it “worst” in this scenario: the database being exposed in plain text form is the fault of the hacked website, not the users. Instead the logic is that a password being used most often makes it “obvious” and thus a terrible choice.

Virtually every time this top ten comprises terms like “password”, “123456”, “letmein” and the occasional cultural reference: chances are “COVID” will be all over the lists for 2020. The usual media response is that such obvious terms appearing in the list prove the computer-using public are a bunch of idiots and society is doomed.

The problem is that these terms appearing in the lists don’t tell us much useful about users as a whole because these terms will always be in the list. It’s completely circular logic because inherently the most commonly used passwords will always be obvious and predictable choices.

What would actually be useful would be to know what percentage of all passwords fall into the “obvious category” or even what proportion are rarely used or even unique. That would tell us much more about trends in behavior.

Let’s look instead at some of the factors that really determines how secure a password is.

Dictionary Words

A password that’s simply a word is about as bad as it gets, and that’s the case whether you use “password” or “rhubarb”. The former is certainly worse in the scenario of somebody literally typing in a guessed password to try to access an account. That’s a very small part of overall cybercrime, however, particularly given most sites will lock after a set number of failed login attempts.

Instead, most attempts to crack a password involve thousands or millions of attempts, whether that involves bypassing the attempt limit or trying to decrypt a stolen database of encrypted passwords. The first run will often involve trying a list of words, which could be a list of known common passwords (including allegedly clever workarounds like “pa55w0rd”), the most common words in a language, or even a literal dictionary.

This won’t usually be the only tactic an attacker uses, but a “real” word as your password puts you at much greater risk.

Length

The next step after a dictionary attack is a brute force attack. This involves literally trying every possible combination of letters and in this scenario, longer passwords are exponentially more secure. Think of it this way: you can guarantee to guess a single letter within 26 attempts. For two letters, you’d need 26 x 26 attempts, totaling 676. Follow this logic and simply using eight characters gets you to five trillion possibilities. Even with incredibly fast computers, it only takes a few extra characters to increase the average time to crack a password from a few hours to thousands of years.

Special Characters

Using just letters makes for a bad password for the same reason that length matters. For a single character, using numbers takes the number of possibilities from 26 to 36. Use symbols on the average keyboard and you can easily add another 26. Use capital letters rather than just lower case and that’s another 26. Even with a (very much not recommended) four-character password, you’re talking about the difference between 11 million possibilities and nearly 6 billion.

The Most Terrible Password

The truth is that while length and characters matter, the worst password is the one you use on more than one site. Whenever an unencrypted database of usernames and passwords gets exposed (either because hackers decrypted it or they found it stored in plain text), the first thing they’ll do is try the details on other websites and services, particularly ones that will grant access to sensitive personal data. When you reuse passwords on multiple accounts, you’re effectively putting all those accounts at the same level of risk as the least-well secured.

The Truly Good Password

The most secure password is one that’s unique to an account, is a good length (12 characters is often recommended as a minimum) and uses a combination of upper and lower case letters, numbers and symbols. If that sounds like it would be impossible to remember, don’t worry: it’s not smart to let your memory be a limit on your security. Instead the most practical way to generate and use unique reliably secure passwords for every account is a password manager.