Why “Password123” Is Not a Good Password
Many people use simple passwords because they are easy to remember. That is understandable - but unfortunately it is a serious risk. In this article you will learn what happens behind the scenes, how to choose a strong password, and a method that makes strong passwords actually memorable.
How Are Passwords Cracked?
Attackers do not need to guess your password. Instead, they use programs that automatically try millions of combinations per second. This method is called a brute force attack.
A 6-character, lowercase-only password can be cracked by a modern computer in seconds.
Another common method is the dictionary attack: the program runs through the most common words, names, dates, and known passwords. “Password123” is almost certainly on those lists.
What Makes “Password123” Weak?
- It is short
- It contains a word found in dictionaries
- It follows a predictable pattern (capital letter at the front, number at the back)
What Makes a Password Strong?
| Property | Weak | Strong |
|---|---|---|
| Length | 6-8 characters | 16+ characters |
| Characters | lowercase only | upper and lowercase, numbers, symbols |
| Pattern | word + number | random |
| Uniqueness | same everywhere | unique per account |
Length is the most important factor. The longer a password, the more combinations an attacker must try - this increases cracking time exponentially.
The Passphrase - Strong and Memorable
You do not need to think in terms of random character chaos. There is a smarter approach: the passphrase.
This is simply a few randomly chosen, unrelated words joined together:
Perennial4-Garland-Outright-Unleaded
This password is 38 characters long. Four random words from a roughly 7,000-word dictionary - that alone gives 2.4 trillion possible combinations. The numbers and hyphens between them increase this even further.
Comparison
| Password | Length | Approximate cracking time |
|---|---|---|
| Password123 | 9 characters | seconds |
| t$Kv9!mQzL2#pXwR | 16 characters | millions of years |
| Perennial4-Garland-Outright-Unleaded | 38 characters | astronomical |
A random character password and a passphrase are equally strong - but the passphrase has the major advantage of being something a human can actually remember.
Important: Randomness Matters
The words must be truly random. If you choose words connected to your life - for example London-John-1987-Football - the password becomes weaker, because a targeted attacker can start from personal information.
For genuine randomness, you can use the Diceware method: you roll dice to select words from a specially designed list. This ensures you are not unconsciously choosing the words yourself.
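The Diceware selection described above, as an added example that is not part of the original article: each word is picked by reading dice rolls as a base-6 index into the word list. The 36-word list is constructed for the demo (two rolls per word), a real Diceware list has 7,776 words and needs five rolls per word, and all function names are this example's own.

```python
import math
import secrets

# Constructed 36-word demo list: 6**2 entries, so two dice rolls pick one word.
# A real Diceware list has 6**5 = 7776 entries and uses five rolls per word.
DEMO_WORDS = (
    "anchor basket candle dagger ember falcon garden hammer island jacket "
    "kettle ladder magnet napkin orchid pencil quartz ribbon saddle tunnel "
    "umpire velvet walnut yonder zipper acorn bison cedar delta eagle fjord "
    "grape heron ivory jolly koala"
).split()

def roll_die():
    """One fair roll (1-6) from the OS CSPRNG; the `random` module is not suitable."""
    return secrets.randbelow(6) + 1

def rolls_needed(wordlist):
    """Rolls per word. The list must hold exactly 6**k unique words."""
    k, size = 0, 1
    while size < len(wordlist):
        k, size = k + 1, size * 6
    if k == 0 or size != len(wordlist) or len(set(wordlist)) != len(wordlist):
        raise ValueError("word list must contain exactly 6**k unique words")
    return k

def rolls_to_index(rolls):
    """Read the rolls as base-6 digits: [1, 1] -> 0, [6, 6] -> 35."""
    index = 0
    for r in rolls:
        if r not in range(1, 7):
            raise ValueError("each roll must be between 1 and 6")
        index = index * 6 + (r - 1)
    return index

def passphrase(wordlist, n_words=4, sep="-"):
    """Pick n_words independently, so repeats are possible, as with real dice."""
    k = rolls_needed(wordlist)
    picks = [rolls_to_index([roll_die() for _ in range(k)]) for _ in range(n_words)]
    return sep.join(wordlist[i] for i in picks)

def entropy_bits(list_size, n_words):
    """Guessing cost in bits when every word is chosen uniformly at random."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    print(passphrase(DEMO_WORDS))                   # demo list only: far too small for real use
    print(round(entropy_bits(7776, 4), 1), "bits")  # four words from a full-size list
```

If you roll physical dice, pass your own rolls to `rolls_to_index` instead of calling `roll_die`.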
A Simple Rule of Thumb
If your password:
- is shorter than 12 characters,
- contains a name, date, or word connected to you,
- or is reused across multiple accounts,
…it is worth changing.
Summary
A strong password is long, random, and unique to every account. This does not mean you need to think in unreadable character chaos - a few random words joined together can be equally strong and much easier to remember. If you manage many accounts, the next article explains why using a password manager is worth considering.
This article is part of a series aimed at explaining the basics of online security in plain language.