Wednesday 24 October 2012

5 Passwords you should never pick

I wanted to write a post about which passwords are best and how to find a strategy for picking a good password.
Then I realized it would be pointless: the moment you publish a strategy for forming good passwords, it becomes a manual for crackers and can be built into brute-force tools.

What I will tell you instead is the 5 passwords you should NEVER pick.

1. password, 123456, qwerty and hunter2.

The first two are among the most used passwords of all time. There have been many password leaks, and the Yahoo leak, which exposed usernames and passwords that had been stored unencrypted (foolish, I know), made some interesting statistics possible: of 450,000 leaked passwords, an astonishing 0.38% were 123456 and 0.18% were password. No wonder those are the first passwords a cracker would check.

2. Vocabulary words.

Brute-forcers already have methods to spot these words quickly. Even a random three-letter string would be safer than a vocabulary word.

3. Passwords without numbers.

Using numbers increases the possible characters from 26 to 36, which becomes hugely significant when combined with a long password.

4. Passwords without capitals.

Using capitals doubles the possible characters at each position, so from 26 possible choices we would have 56, which combined with numbers would give 66. Symbols can be used as well to give extra security for shorter passwords, but many websites do not accept symbols in passwords.

5. L33t speak.

Crackers already know leet speak (they knew it before ordinary users did), and it is already used in brute-force attacks. If you don't know what it is, it is a technique that swaps letters for digits that look like them:

O -> 0
I -> 1
Z -> 2
E -> 3
A -> 4
S -> 5
G -> 6
T -> 7
B -> 8

This method bypasses the vocabulary-word check and could make a good encryption, but it has become too popular.

This is why it is not a good idea to publish encryption methods for forming passwords: they will be built into future generations of brute-force software. It is much safer to create your own.


Still, I can tell you one good, common method that gives crackers little to work with:

use mnemonics!

Transforming a sentence known only to you into letters and numbers is as good as a totally random sequence of characters and numbers. For example:

I hate to wake up at 8 o'clock every Monday

will become:
Ihtwua8o'ceM

which gives ~79 bits of entropy, which is safe enough. It might seem hard to memorize, but it is very easy to recover if you forget it, and as safe as it gets. It would be one of 5.4036 x 10^23 possibilities and would take 1.7135 x 10^13 years to find at 1000 checks per second.

This is an excellent method (the only weakness is someone guessing your initial sentence, which completely destroys its safety, so do not pick something common such as the first lines of a popular song or poem), but there are many other ways to create passwords that are easy to remember and that apply one or more encryption steps like the one above. I will let you have fun finding your own method.
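As an added example (not part of the original post), the code below turns the five rules above into a defender-side password screen and reproduces the entropy figures for Ihtwua8o'ceM. The word lists are small constructed stand-ins for a real breached-password corpus and dictionary, and the 95-character printable-ASCII alphabet is an assumption: it is the alphabet that reproduces the post's 5.4036 x 10^23 count for a 12-character password.

```python
import math

# Constructed stand-ins for a breached-password corpus and a dictionary (assumption:
# a real check would load far larger lists; these are just enough to show the logic).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "hunter2"}
DICTIONARY = {"password", "hunter", "dragon", "monkey", "letmein", "sunshine"}

# The post's leet-speak table, inverted so the check can undo it the way crackers do.
UNLEET = {"0": "o", "1": "i", "2": "z", "3": "e", "4": "a",
          "5": "s", "6": "g", "7": "t", "8": "b"}


def unleet(pw: str) -> str:
    """Map digits back to the letters they imitate (rule 5)."""
    return "".join(UNLEET.get(c, c) for c in pw.lower())


def violations(pw: str) -> list:
    """Return the rules from the post that a candidate password breaks."""
    problems = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("1: one of the most-used passwords")
    if low in DICTIONARY:
        problems.append("2: vocabulary word")
    if not any(c.isdigit() for c in pw):
        problems.append("3: no digits")
    if not any(c.isupper() for c in pw):
        problems.append("4: no capitals")
    if low not in DICTIONARY and unleet(pw) in DICTIONARY:
        problems.append("5: leet-speak spelling of a vocabulary word")
    return problems


def entropy_bits(pw: str, alphabet: int = 95) -> float:
    """Brute-force entropy assuming 95 printable ASCII characters per position
    (assumption: the alphabet behind the post's 5.4036e23 count for 12 characters)."""
    return len(pw) * math.log2(alphabet)


def years_to_exhaust(pw: str, guesses_per_second: float = 1000.0, alphabet: int = 95) -> float:
    """Years needed to try every password of this length at the given guess rate."""
    return alphabet ** len(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ["123456", "P4ssw0rd", "Ihtwua8o'ceM"]:
        print(candidate, violations(candidate) or "ok",
              f"{entropy_bits(candidate):.1f} bits",
              f"{years_to_exhaust(candidate):.3e} years")
```

Running it shows P4ssw0rd failing only on rule 5 (the leet-speak rewrite of "password") while the mnemonic password passes every rule with about 78.8 bits.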

But why use encryption?

It is a good way to get passwords that are easy to remember but hard to guess. Of course, the encryption method must be known only to you and must be memorable enough.

Another good suggestion is not to reuse the same password across many websites. Some websites do not bother to store passwords safely (even Yahoo, as we saw above), and a leak would give away your ultra-safe encrypted password, which you also happen to use for your internet banking. Surveys say around 60% of people use the same password for every service.

There are, of course, also methods to derive a different password for each website from one memorable password, so you have a set of different passwords with only one encryption method to remember. I will leave you the fun of finding a good one.

Now, quickly go to change your password!


2 comments:

  1. These are great tips, not just for making passwords for email but also for accounts on online gaming. To win at online poker is quite a difficult task for a newbie, so much so that he needs to add a pot odds calculator. Using a password as predictable as 123456 can make a big difference when hackers get into the gaming account.

  2. I have been using this app, Google Chrome Apk, and have downloaded it and play it regularly.
