Let's talk about weak passwords.
Obvious weaknesses
The following passwords must be avoided:
- taylor21
- qwerty
- abcdefgh
- iloveyou7
- 123456
- 123456789
- buddy123
Many similar passwords appear in public brute-force wordlists such as rockyou.txt.
E = log2(Rᴸ), where E is the entropy in bits, R is the number of possible characters and L is the length of the password.
The exact formula does not really matter. Focus on the length and the randomness.
Of course, it's best if you can mix uppercase and lowercase letters with special chars and numbers, but the longer, the better. This is precisely what the formula highlights: the length L is the exponent.
An 8-char password, even with a complex combination, can still be discovered much faster than a long series of 22 lowercase letters.
The time needed to guess a password by brute force grows exponentially with its length, like minutes vs. years.
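To make the "8 complex chars vs. 22 lowercase letters" comparison concrete, here is an added Python example (not part of the original post) that evaluates E = L * log2(R) for both shapes and converts the size of the search space into a worst-case exhaustive-search time. The guessing rate of 10^10 guesses per second is an assumption chosen only to make the two figures comparable; real rates depend entirely on the hash algorithm and the attacker's hardware.

```python
import math

# Character-set sizes (R) for common password shapes.
CHARSET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 95,  # all printable ASCII
}

# Assumed attacker speed, 10 billion guesses per second (illustrative only).
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def entropy_bits(length: int, charset_size: int) -> float:
    """E = log2(R^L) = L * log2(R): entropy in bits of a random password."""
    return length * math.log2(charset_size)


def search_space(length: int, charset_size: int) -> int:
    """Number of candidates an exhaustive search must cover: R^L (exact integer)."""
    return charset_size ** length


def worst_case_seconds(length: int, charset_size: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole space at the given rate (expected time is half of this)."""
    return search_space(length, charset_size) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Rough, human-readable rendering of a duration in seconds."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(length_a: int, set_a: str, length_b: int, set_b: str) -> dict:
    """Return entropy and worst-case crack time for two password shapes."""
    out = {}
    for label, length, set_name in (("a", length_a, set_a), ("b", length_b, set_b)):
        r = CHARSET_SIZES[set_name]
        out[label] = {
            "shape": f"{length} chars from {set_name} (R={r})",
            "entropy_bits": entropy_bits(length, r),
            "worst_case_seconds": worst_case_seconds(length, r),
        }
    return out


if __name__ == "__main__":
    # The post's example: 8 complex characters versus 22 lowercase letters.
    result = compare(8, "lower+upper+digits+symbols", 22, "lowercase")
    for side in ("a", "b"):
        r = result[side]
        print(f"{r['shape']}: {r['entropy_bits']:.1f} bits, "
              f"worst case {human_duration(r['worst_case_seconds'])}")
```

Run as a script it prints both shapes side by side: the 8-character "complex" password lands at roughly 52.6 bits and a worst case measured in days at the assumed rate, while 22 lowercase letters land at roughly 103 bits and a worst case of trillions of years, which is the "minutes vs. years" gap the post describes. Length, as the exponent, dominates the alphabet size.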
Some counterintuitive examples
You can find the following passwords in the rockyou.txt list:
- !@#$%^
- P@ssw0rd
Substitutions such as @ for a and 0 for o are often used in the hope of obfuscating characters, but brute-force software includes them.
Nice try!
People who are not cybersecurity-aware yet may have interesting but unsafe approaches. For example, they might use a weak password deliberately and think hackers won't try such trivial combinations.
It does not work like that. Hackers use dictionaries and wordlists that include the most basic passwords.
Even good security policies can be misleading
Many websites and apps have broken password policies. Some of them push their users toward very predictable strategies, for example, by forbidding special chars or limiting the total length to 8.
However, even seemingly strong policies can lead to unexpected outcomes:
- At least 1 lowercase
- At least 1 uppercase
- At least 1 number
- At least 1 special char
- At least 8 chars
While the above rules look legitimate, users can still set passwords that are easy to guess.
For example, my name is Julien. I can enter Julien$7, which complies with the policy but is terrible in terms of security.
The hacker only needs a short list that includes my first name, and free tools such as John the Ripper will do the rest.
7 solutions that work
- set long passwords (more than 16* chars if possible)
- don't reuse passwords (1 login, 1 password)
- don't save passwords in the browser or ensure it's encrypted with something like a master password
- change passwords regularly
- use passwords managers
- use haveibeenpwned to determine whether your password has been leaked or not
- enable 2FA/MFA whenever you can
* 16 because most security policies set the minimum length to 8 chars. I'm not saying it's the magic number for bulletproof passwords. If you can set longer passwords like 22, 23, 24 chars, it's great.
The extremely rare cases where a weak password can be good
Source: Memcenter
Some organizations use weak passwords and vulnerable applications to track and hunt cybercriminals.
This approach is called a honeypot. The idea is to lure hackers into thinking they're infiltrating a system when in reality they're being trapped by the cybersecurity team.