So you think your password is strong

In this post, I wrote about a passwordless world and how to measure password strength. Here are practical examples of weak passwords.

Obvious weaknesses

The following passwords must be avoided:


Many similar passwords are available in public brute-force wordlists such as RockYou.

E = log2(Rᴸ)

The formula does not really matter. Focus on the length and the randomness.

Of course, it’s best if you can mix uppercase and lowercase letters with special chars and numbers, but the longer, the better. This is precisely what the formula highlights.

8 chars, even with a complex combination, can still be discovered much faster than a long series of 22 lowercase letters.

The time needed to guess a password by brute force grows exponentially with its length, like minutes vs. years.

Some counterintuitive examples

You can find the following passwords in the rockyou.txt list:


@ for a and 0 for o are often used in the hope of obfuscating chars, but brute-force software includes these substitutions.

Nice try!

People who are not cybersecurity-aware yet may have interesting but unsafe approaches. For example, they might use a weak password deliberately and think hackers won’t try such trivial combinations.

It does not work like that. Hackers use dictionaries and wordlists that include the most basic passwords.

Even good security policies can be misleading

Many websites and apps have broken password policies. Some of them push their users to very predictable strategies, for example, by forbidding special chars or limiting the total length to 8.

However, even seemingly strong policies can lead to unexpected outcomes:

- At least 1 lowercase
- At least 1 uppercase
- At least 1 number
- At least 1 special char
- At least 8 chars

While the above rules look legitimate, users can still set passwords that are easy to guess.

For example, my name is Julien. I can enter Julien$7, which complies with the policies but is terrible in terms of security.

The hacker only needs a short list that includes my first name, and free tools such as John the Ripper will do the rest.
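The gap between the formula and the policy can be checked at signup time. The following is an added example, not code from the original post: it scores a password with E = log2(Rᴸ), applies the five rules above, then rejects candidates whose core word comes from user data or a common-password list. The function names, the extra substitutions beyond @ and 0, and the tiny blocklist are assumptions made for illustration.

```python
import math
import string

# @ -> a and 0 -> o are named in the post; the other substitutions are assumed.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})
# Constructed stand-in for a real wordlist loaded from disk.
BLOCKLIST = {"password", "iloveyou"}

def entropy_bits(password):
    """E = log2(R^L) = L * log2(R). Only meaningful if the chars are random."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    r = sum(len(p) for p in pools if any(c in p for c in password))
    return len(password) * math.log2(r) if r else 0.0

def meets_composition_policy(password):
    """The five rules listed in the post."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def core_word(password):
    """Strip trailing digits/symbols, lowercase, then undo the substitutions."""
    stripped = password.rstrip(string.digits + string.punctuation)
    return stripped.lower().translate(LEET)

def review(password, user_words, blocklist=BLOCKLIST):
    """Return the reasons to reject a password; an empty list means accept."""
    reasons = []
    if not meets_composition_policy(password):
        reasons.append("fails composition policy")
    core = core_word(password)
    if core and core in {w.lower() for w in user_words}:
        reasons.append("derived from user data")
    if core in blocklist or password.lower() in blocklist:
        reasons.append("matches common-password list")
    return reasons

if __name__ == "__main__":
    for pw in ("Julien$7", "P@ssw0rd!", "qzhvtmkwpxrjdnyfbgcels"):  # constructed samples
        print(pw, round(entropy_bits(pw), 1), review(pw, ["Julien"]))
```

Note that the 22-letter lowercase sample scores about twice the bits of Julien$7 yet is the only one the composition policy rejects, while the formula alone rates Julien$7 at roughly 52 bits because it assumes random characters.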

7 pieces of advice that work

* 16 because most security policies set the minimum length to 8 chars. I’m not saying it’s the magic number for bulletproof passwords. If you can set longer passwords like 22, 23, 24 chars, it’s great.

The extremely rare cases where a weak password can be good

Source: Memcenter

Some organizations use weak passwords and vulnerable applications to track and hunt cybercriminals.

This approach is called a honeypot. The idea is to lure hackers into thinking they’re infiltrating a system when, in reality, they’re being trapped by the cybersecurity team.

Of course “don’t try this at home”.