Selecting a secure, unique password is not science, but it can be a frustrating experience for Internet users especially if they don't use a password manager program to assist them in the task.
To make matters worse, there is no clear definition of when a password is considered safe (from brute force or guessing attempts) which means it is up to you to select a minimum character length and character set for your passwords.
Weak passwords are included in every password dictionary list, and good brute force applications take variations into account as well.
The list of "worst passwords of 2015" and "worst passwords of 2014" did not change all that much, and weak passwords like 123456 or password are still found at the top of the list after years of tech sites hammering it into people's brains that these passwords are bad.
There is no excuse for making these password mistakes. All modern browsers support the saving of passwords so that you don't need to remember them, and passwords manager are available in abundance for all devices you can possibly run.
Short and common-word passwords are easy to remember, and that is likely the main reason why they are used by many Internet users.
Even if your password is not on the list of bad passwords of 2015 or previous years, you are not necessarily safe as brute force dictionaries include lists of thousands of passwords that are commonly used.
Any password that is a sequence on the keyboard
Passwords that are sequences on the computer keyboard are used often as you only have to look at the keyboard to remember them.
You can be certain that all obvious sequences, as well as repeat sequences, are used by crackers and hackers in brute force attacks.
Not only are the majority found high on "weak passwords" lists, anyone with a keyboard can spot these sequences easily as well.
This includes pattern passwords on mobile devices as well as they follow the same rules.
Examples are 123456, qwerty, 1234567890 or asdfasdf.
Any password that is found in a dictionary
Any word that is found in a dictionary is a bad choice for a password, even the ones that are not used a lot in modern days.
The reason is simple: It is easy enough to use a dictionary, say English words, in a brute force attack. Simply run through all words of the dictionary, or the most x-common ones. It takes no time and effort to create these attack list.
Examples are password, private, football, or princess.
Any password that substitutes letters with characters
Some users like to substitute letters with characters to improve password security which is another password mistake. They replace I with 1, O with 0, or e with 3 in hope that it improves the strength of the password.
Since these substitutes are known, or easily identified, it is not improving the strength of the password by much.
Many brute force programs ship with options to use password variations, e.g. substitutions or adding characters like 1 or ! to the end of the password to test these variations as well.
Examples are f[email protected], pr1ncess or pa$$word.
This one is obvious. Short passwords are easier to crack as computers have become powerful enough to run attacks quickly on passwords below a certain length. There are simply not enough variations available to make short passwords secure even if special characters are used.
Examples are short, ice or pass.
Pop culture passwords are popular which is why they are included when it comes to password mistakes. They may include a favorite sports team, your favorite singer or band, or a popular movie character among other things.
It is no coincidence that Solo and Star Wars made the Top 25 worst passwords of 2015 list.
Examples are Broncos, Eminem or DanielCraig.
Keeping default passwords
Hardware and software may ship with default passwords. The router or modem is a prime example, and you often see admin/admin, root/blank or admin/password as the default usernames and passwords for access.
Not changing these immediately can have severe consequences as default passwords are public knowledge as well.
Instead of having to brute force the device or account, an attacker could try default passwords first to see if they have not been changed by the user or admin.
Not using numbers or special characters
Passwords that exceed a certain length are secure which means that a password like GNLxypVVoCZDfAvSpiZZuluFySJUCuXe is generally considered secure.
You can increase the complexity of a password by adding numbers, e.g. GVdEwjaTc5N9c1z7khbpSl097xMMcwo3 and/or special characters to it like ZoXhEi"C6G"Op6s_oMxHhrf`t/+6-3UU.
Doing so forces the attacker to include all characters in the attack and not only letters (52 if you consider upper and lower case). And if they don't, they will never crack the password using brute force attacks even if they have access to the most powerful machine in the world.
You may not want to choose passwords that can be linked to you. This includes your license plate or social security number, name of your boyfriend, your favorite football team or the name of your dog or cat.
Social engineering may come into play to get these passwords. It may be as easy as looking at photos that you have published on Facebook (showing your brand new car and its license plate).
Now You: Got anything to add or correct?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.