Enhance your password security.

Get Started
CTA icon
computer login screen

The Truth About Terrible Passwords

December 11, 20204 min read

Password Management

“Password” is indeed a bad password to use. You are right to roll your eyes if you hear somebody has used it. But there’s a good chance your password sucks as well.

Several times a year, mainstream and tech media will report on the latest list of the “worst” passwords. Several different organizations make an annual list but they almost always use the same (lack of) criteria. It’s simply based on how often the password appeared in leaked and stolen databases of account passwords.

It's not the fact a password was in such a list that makes it “worst” in this scenario: the database being exposed in plain text form is the fault of the hacked website, not the users. Instead the logic is that a password being used most often makes it “obvious” and thus a terrible choice.

Virtually every time this top ten comprises terms like “password”, “123456”, “letmein” and the occasional cultural reference: chances are “COVID” will be all over the lists for 2020. The usual media response is that such obvious terms appearing in the list prove the computer-using public are a bunch of idiots and society is doomed.

The problem is that these terms appearing in the lists don’t tell us much useful about users as a whole because these terms will always be in the list. It’s completely circular logic because inherently the most commonly used passwords will always be obvious and predictable choices.

What would actually be useful would be to know what percentage of all passwords fall into the “obvious category” or even what proportion are rarely used or even unique. That would tell us much more about trends in behavior.

Let’s look instead at some of the factors that really determines how secure a password is.

Dictionary Words

A password that’s simply a word is about as bad as it gets, and that’s the case whether you use “password” or “rhubarb”. The former is certainly worse in the scenario of somebody literally typing in a guessed password to try to access an account. That’s a very small part of overall cybercrime, however, particularly given most sites will lock after a set number of failed login attempts.

Instead, most attempts to crack a password involve thousands or millions of attempts, whether that involves bypassing the attempt limit or trying to decrypt a stolen database of encrypted passwords. The first run will often involve trying a list of words, which could be a list of known common passwords (including allegedly clever workarounds like “pa55w0rd”), the most common words in a language, or even a literal dictionary.

This won’t usually be the only tactic an attacker uses, but a “real” word as your password puts you at much greater risk.


The next step after a dictionary attack is a brute force attack. This involves literally trying every possible combination of letters and in this scenario, longer passwords are exponentially more secure. Think of it this way: you can guarantee to guess a single letter within 26 attempts. For two letters, you’d need 26 x 26 attempts, totaling 676. Follow this logic and simply using eight characters gets you to five trillion possibilities. Even with incredibly fast computers, it only takes a few extra characters to increase the average time to crack a password from a few hours to thousands of years.

Special Characters

Using just letters makes for a bad password for the same reason that length matters. For a single character, using numbers takes the number of possibilities from 26 to 36. Use symbols on the average keyboard and you can easily add another 26. Use capital letters rather than just lower case and that’s another 26. Even with a (very much not recommended) four-character password, you’re talking about the difference between 11 million possibilities and nearly 6 billion.

The Most Terrible Password

The truth is that while length and characters matter, the worst password is the one you use on more than one site. Whenever an unencrypted database of usernames and passwords gets exposed (either because hackers decrypted it or they found it stored in plain text), the first thing they’ll do is try the details on other websites and services, particularly ones that will grant access to sensitive personal data. When you reuse passwords on multiple accounts, you’re effectively putting all those accounts at the same level of risk as the least-well secured.

The Truly Good Password

The most secure password is one that’s unique to an account, is a good length (12 characters is often recommended as a minimum) and uses a combination of upper and lower case letters, numbers and symbols. If that sounds like it would be impossible to remember, don’t worry: it’s not smart to let your memory be a limit on your security. Instead the most practical way to generate and use unique reliably secure passwords for every account is a password manager. 

facebook social icon
twitter social icon
linkedin social icon
Enhance your password security

The best software to generate and have your passwords managed correctly.

TeamPassword Screenshot
Recommended Articles
KeePass logo with arrow pointing to 10 alternatives

Password Management

May 15, 202410 min read

Top 10 KeePass Alternatives for 2024

KeePass is a solid software for certain use cases, but there are a few reasons you might look ...

Silver keys on a dark background.

Password Management

May 6, 20249 min read

Password Protection Best Practices for Digital Agencies

Password protection for digital agencies is more important than ever as hackers continue to target businesses working with ...

How to safely share passwords with coworkers

Password Management

May 3, 202410 min read

How to Securely Share Passwords With Your Team

Sharing passwords with coworkers requires a higher level of security. Learn how TeamPassword can help you with keeping ...

The Password Manager for Teams

TeamPassword is the fastest, easiest and most secure way to store and share team logins and passwords.