
Bad Passwords

Considering how important it is to have good passwords, you don't want to make one that's easy for bad guys to guess or easy for cracking software to recover. Here are some examples:

Easy to Guess


If your avatar, profile, and posts all point to your favorite car or sports team, maybe your password is related.

There are lists online of the most common passwords in existence and it's easy to see that people really do think alike. If you're using password, 123456, or qwerty, just stop reading and go change all your passwords now!

Ok, not really. You need to read the rest of this guide to figure out how to make a good password first.

Other obvious passwords are famous people, places, religious terms etc. How would a bad guy know what kinds of sports you like or your favorite cars? What's your screenname Mr. RedskinsLuva? Which hobbies did you list in your profile? How many pictures of your fishing boat did it take before I try some fishing terms or boat models as your password?

It's not hard to guess a password based on your hobbies and interests when you broadcast that information openly

Basic Information

Is your username iwasbornindc? Thanks! That helps.

Name, birthday, kid's names, pet's names (living or dead), birthplace, previous addresses (street name, city, or state) and, of course, all of the above with 123 or ! added to the end because gosh, no one would ever think of that!

I don't mean to mock, but please take to heart that if you make a password personal, then the only thing someone needs to know is personal information about you to guess it. And the number one way people learn your personal information is when you provide it online! (or from family, friends, or co-workers).

On a Sticky Note

Well... It doesn't get much more obvious than this!

You've probably heard the classic examples of people who put their password under the keyboard, behind the monitor or just pasted right out in the open. Though everyone laughs and thinks, "wow, how dumb!" we're still doing it! In 2005 my university had taken a promotional picture of the computer science people in front of some servers and in the background was a sticky note with the root administrator password! The photo made it to the university's computer science program brochures before anyone noticed.

Granted if no one ever comes in your house or into your office where they can see the sticky you might be safe, but the minute that changes (cleaning lady, relative, repair guy), you're at risk.

Easy to Discover

The techniques described above work for people who know you or take the time to learn a little about your obsessions, but your average hacker doesn't care. Their techniques rely on first getting a copy of a system's password file or database, which normally stores a scrambled (hashed) version of each user's password rather than the password itself.

With that copy on their own machine, hackers can guess offline: hash each guess, compare it against the file, and repeat thousands of times a second or more, with no account lockout to stop them, until one matches!

If they can manage to break into a poorly secured web server (as in the TJX example), they can locate the password file/database and download a copy to their machine.

Using password cracking software found easily online or something they built custom (less likely depending on how pro the hacker is), they'll attack the password file itself. How fast depends on how the system hashed the passwords: a fast hash like MD5 can be tested at billions of guesses per second on a modern graphics card, while a deliberately slow hash such as bcrypt holds the attacker to thousands to hundreds of thousands of tests per second.

Short Passwords

This would take about 50 minutes to crack by hand
On a computer, this takes mere seconds

So consider that some hacker has a file with your password in it and can test passwords until one hits. That's like grabbing a combination lock, pulling on it to see if it's open, then turning the dial and trying again. Repeat until they get in.

This technique is called a brute force attack which is to say they just try every combination, one after another. Using this technique it is guaranteed that they'll get in eventually. To defend against this, length is key!

The thing about passwords is that every time you add a character, you multiply the number of guesses the bad guys have to make by the number of possible characters. Assuming roughly 100 possible characters per position and rounding for simplicity:

  • 123: 1,000,000 combinations
  • 1234: 100,000,000 combinations
  • 12345: 10,000,000,000 combinations
  • 123456: 1,000,000,000,000 combinations
  • 1234567: 1.0 × 10^14 combinations
  • 12345678: 1.0 × 10^16 combinations

In theory, at a billion guesses a second, trying every possible 8 character password would take about 115 days. Increase that by one character (to a length of 9) and it will take them 31 years instead! Those figures assume every character is picked at random from the full set; an 8 character password made only of lowercase letters has a little over 200 billion possibilities and falls in minutes at that rate.


So having an 8 character password minimum is absolutely essential, but there are some problems with this. The first is that hackers aren't dumb. They know you're far more likely to have a password that is a name or a dictionary word with a number stuck on the end than a random string of letters, digits, and punctuation.

There are dictionaries in foreign languages too!

That means if they try all the more common phrases, words, and combinations first, they're likely to not have to search all those trillions of combinations at all! They do this with files called "dictionaries" (wordlists) that contain the most common passwords in order of popularity, plus rules that spin out the usual variations of each entry. Brute force covers everything up to about 5 to 7 characters and the dictionaries cover the longer passwords that people actually choose, so a long password built from a dictionary word gets none of the protection its length suggests.

And yes, they have dictionaries for every language so if you think you're being clever by saying it in French or Spanish, you're not.

So if you choose anything like this, you're at risk:

  • Any word in a real dictionary no matter how long
  • Any two-word combination from a real dictionary
  • Famous places
  • Famous people
  • Anything sports related
  • Words relating to popular TV shows or movies
  • Religious terms or short phrases
  • Pop culture anything
  • Writing in l33t. We know that an "@" is substituted for A and a "!" looks like an L

And of course any of the above with modifications that people can easily think of. Adding numbers to the end, alternating case, putting punctuation between the words, etc.

And one last one: keyboard patterns (qwerty, asdfgh, 1qaz2wsx and the like) are also something hackers have thought of before.
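To see how the pieces above fit together (the stolen password file, the dictionary-plus-rules pass, the brute-force pass, and the length arithmetic), here is a toy cracker. It is added here as an example and is not part of the original guide. Everything in it is constructed: the six "leaked" accounts, the eight-word wordlist, the rule set and the guess budget are small stand-ins for the real thing, and unsalted SHA-256 stands in for whatever hash a real system would use.

```python
"""Toy offline cracker showing the order in which a real attack goes.

Added example, not the guide's own code. The "leaked password file", the
wordlist and the mangling rules are constructed stand-ins: a real wordlist
has millions of entries and far more rules.
"""
import hashlib
import itertools
import string

# 94 printable ASCII characters; brute force walks them like an odometer.
ALPHABET = (string.ascii_lowercase + string.ascii_uppercase
            + string.digits + string.punctuation)
LEET = str.maketrans("aeio", "@3!0")          # the substitutions everyone "invents"
SUFFIXES = ["", "1", "123", "!", "2012"]       # "no one would ever think of that"
# Constructed wordlist: top common passwords plus words a profile gives away.
WORDLIST = ["password", "123456", "qwerty", "letmein",
            "fishing", "redskins", "bassboat", "jesus"]


def digest(pw: str) -> bytes:
    """Unsalted SHA-256 stands in for the system's hash. Unsalted means one
    guess is checked against every user in the file at once."""
    return hashlib.sha256(pw.encode()).digest()


def constructed_leak() -> dict:
    """digest -> username, the way a cracker loads a stolen password file."""
    accounts = [("alice", "password"),    # top of every common-password list
                ("bob", "Fishing123"),    # hobby word + digits
                ("carol", "P@ssw0rd!"),   # l33t-speak and trailing punctuation
                ("dave", "qwerty"),       # keyboard pattern
                ("erin", "ab7!"),         # short but random
                ("frank", "xT9$vQ2m")]    # 8 random characters
    return {digest(pw): user for user, pw in accounts}


def mangle(word: str):
    """Cheap variations a rule set applies to every wordlist entry."""
    for base in (word, word.capitalize(), word.upper()):
        for variant in (base, base.translate(LEET)):
            for suffix in SUFFIXES:
                yield variant + suffix


def dictionary_attack(targets: dict, wordlist=WORDLIST):
    """Returns ({username: password}, guesses) for every hit the rules produce."""
    found, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            user = targets.get(digest(candidate))
            if user:
                found[user] = candidate
    return found, guesses


def brute_force(targets: dict, max_len=4, budget=1_000_000):
    """Every ALPHABET string of length 1..max_len, shortest first, until the
    guess budget runs out (94**4 alone is 78 million, so the budget ends it)."""
    found, guesses = {}, 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            if guesses >= budget or len(found) == len(targets):
                return found, guesses
            guesses += 1
            user = targets.get(digest("".join(chars)))
            if user:
                found[user] = "".join(chars)
    return found, guesses


def run_attack(targets: dict):
    """Wordlist and rules first (cheap, catches most users), brute force the rest."""
    cracked, guesses = dictionary_attack(targets)
    remaining = {d: u for d, u in targets.items() if u not in cracked}
    more, n = brute_force(remaining)
    cracked.update(more)
    return cracked, guesses + n


def brute_force_time(charset_size: int, length: int, guesses_per_second: float,
                     units: str = "days") -> float:
    """Worst case to exhaust every password of exactly `length` characters.
    The guide's 115 days / 31 years figures are charset 100 at 1e9 guesses/s."""
    seconds = charset_size ** length / guesses_per_second
    return seconds / {"seconds": 1, "days": 86_400, "years": 365.25 * 86_400}[units]


if __name__ == "__main__":
    cracked, guesses = run_attack(constructed_leak())
    print(f"{len(cracked)} of 6 accounts cracked in {guesses:,} guesses: {cracked}")
    print(f"8 chars: {brute_force_time(100, 8, 1e9):.0f} days; "
          f"9 chars: {brute_force_time(100, 9, 1e9, 'years'):.0f} years")
```

Running it, four of the six accounts fall to the 240 dictionary-plus-rules guesses (the common password, the hobby word with 123, the l33t-speak variant and the keyboard pattern), erin's short random password falls to brute force inside the one-million-guess budget, and only frank's 8 random characters survive, which is exactly the ranking the section above describes. The hash and rate in the toy are assumptions; against a real salted, slow hash the same wordlist pass still finishes, it just takes longer per guess.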

Wrap Up

I know it seems like making a password that most other people wouldn't use is hard, but it really isn't once you learn some simple tricks.


2 Comments to “Bad Passwords”


I’m not sure I follow “123: 1,000,000 combinations”

First, if you are only using the characters 1, 2, and 3 then there are only 27 combinations. If you are using all numbers (0-9), then there are only 1,000 combinations. If you are using all alpha-numeric and special characters, you are still only at around 100,000 combinations (depending on what special characters you allow).

The only way to get 1,000,000 combinations from three characters is if you are using a 100 character set. I doubt a 100 character set exists (unless you start counting Chinese characters).

    Fair enough. These calculations were based on 127 or 256 characters (I don’t remember which), but that’s probably not realistic since most people will only use alpha-num and special characters.
