6 Sure Signs Your Password is WEAK

We use passwords for everything, which makes strong and secure passwords for online security a must.

However, you're probably using weak passwords that can be easily compromised.

These are the sure signs that your password is weak. If your password uses even just one of the points highlighted here, you should get to work by changing it immediately.

1. Your password is on a list

Did you know that some cybersecurity companies generate lists of the most compromised passwords just about every year?

One of the more well-known lists is compiled by SplashData.

Here it is:

1 - 123456 (rank unchanged from 2018)
2 - 123456789 (up 1)
3 - qwerty (Up 6)
4 - password (Down 2)
5 - 1234567 (Up 2)
6 - 12345678 (Down 2)
7 - 12345 (Down 2)
8 - iloveyou (Up 2)
9 - 111111 (Down 3)
10 - 123123 (Up 7)
11 - abc123 (Up 4)
12 - qwerty123 (Up 13)
13 - 1q2w3e4r (New)
14 - admin (Down 2)
15 - qwertyuiop (New)
16 - 654321 (Up 3)
17 - 555555 (New)
18 - lovely (New)
19 - 7777777 (New)
20 - welcome (Down 7)
21 - 888888 (New)
22 - princess (Down 11)
23 - dragon (New)
24 - password1 (Unchanged)
25 - 123qwe (New)

You can also find most commonly breached password lists and trends from other sources such as the National CyberSecurity Centre or NordPass.

If your password is or is even similar to any of these lists, you'll want to change it. Cyberattackers will frequently pull from these lists and launch various password attack methods from there.

2. Your password uses personal information

When creating your passwords, you should stay away from using personal information.

This is especially true if you're using personal information that people know about you, or if that information can be easily found or guessed.

identification card icon

For example, don't use your pet's and children's names. Think about how many people know your pet's or children's names.

Plus, more than likely, that information can be easily found out by strangers by using sources such as social media.

If your passwords use your birthdate and/or any part of your social security number, you should change it immediately.

2a. Birth Date

Social media officially killed what little "security" there was in using your birthday for an online password.

Yes, once upon a time, when the internet was more decentralized and concerned with privacy/anonymity, using your birthday in (or as) a password was somewhat viable.

I say "somewhat viable" because it was always shaky to start.

Think about it, how many people know your birthday - including the year you were born?

red blue yellow balloons

Well, if you use your birthday in your passwords, now all your friends and family know your password at minimum.

When we add social media into the mix, our problem turns into a bigger one.

All those birthday posts? Yeah, we all know your birthday.

Hell, your birthday is required to even create an account for most of these sites.

The bottom line is that if any of your passwords contain all or part of your birth date, then change your password(s) ASAP. Your birthday is easy to crack, and even easier to guess.

2b. Social Security Number

You might think that using your social security number should be more secure than using your birthday.

Unfortunately, it's not.

Let's not forget about the great and infamous Equifax Data Breach, which compromised the sensitive data of approximately 147 million Americans.

However, most people will use the last four of their social versus the entire number.

Don't do that; it's easy for a computer to crack.

With all the sensitive data breaches in recent years, your social (or part of it) is getting easier for the thieves to find or buy.

Now, I will say that a valid argument is that if your entire social security number is stolen, then you might have bigger problems to sort out in the first place.

The point is... don't use your social security number for a password.

In fact, never use your social security number unless it is required for verification from an extremely trusted party.

3. Your password isn't long enough

I've talked about the importance of longer passwords in a couple of other posts.

I'll touch on it again here.

Password length beats password complexity.

Generally, that means the longer your password is, the more secure it is.

better buys password length infographic

Infographic provided by Better Buys

I understand that many web services and websites have limits on how long you can make your passwords.

Many won't let you create a password longer than 10 characters. Which kind of sucks, because passwords less than 8 characters are easy to crack.

However, remember that 10 is better than 5. 9 is better than 5. Even 8 is better than 5.

4. Your password follows a predictable formula

chalk board pythagorean theorem

Chances are you might have stumbled across a way to create "strong" passwords and remember them.

Awesome, right?

Odds are you're using a formula to generate your passwords (and you might be reusing some).

Here's an example:

Let's say you create your passwords like this ! + animal + 3 numbers

So your possible passwords could be:

!cat123
!dog123
!cat456
!bird987

Now, let's say !cat123 gets leaked in a data breach.

As a hacker, I might bet that you changed your password to something pretty similar, like !cat456. But, it could also be !dog1231 or even !bird987.

Well, then I'm going to structure my attack around this hunch - because I might have your formula figured out.

You might also choose to use easy-to-recognize and easy-to-remember character substitutions as well, which leads into the point below.

4a. Usage of common substitutions

You're not any safer if you use something like P4ssw0rd123. or even pa$$word1.

Hackers aren't dumb and their tools have grown increasingly sophisticated to include common substitutions.

This is especially true when hackers are password spraying or performing dictionary attacks.

For example, a hacker might gather lists of the most commonly exposed passwords (or purchase leaked password lists on the dark web).

Let's say on that list is the password iloveyou (which is number 8 on SplashData's most hacked list).

In addition to trying iloveyou directly, your attacker might also include tries of:

1loveyou
iluvyou
il0veyou
ilovey0u
iloveyou123
iloveyou1
ilov3you
iloveu

You should be aware that the hacker's tries of these variations are rarely manual.

They typically use bots and botnets, which can try thousands of different combinations across millions of different accounts in many different attack styles.

This is why common substitutions of common words or even common passwords are unsecure. This is also why you should avoid this practice.

5. You never changed passwords after a data breach

Did you know that researches at Carnegie Mellon University found that many people don't change their password after a known data breach?

In the study, 63 participants were affected by a data breach. Only 21 out of the 63 participants bothered to change their passwords.

That's only 33% of that sample size changing their passwords after being notified of a data breach that affects them and their data.

What does all of this mean?

monitor padlock secure shield

Well, I can reasonably assume that lots of people don't change their passwords after a data breach.

So, that might mean that you haven't changed a password or two - or several - after knowing about a data breach.

And if you happen to reuse that password elsewhere, you're leaving yourself wide open for credential stuffing attacks, which can affect you across way more than just one web service.

6. Your password uses keyboard or keypad patterns

You'll find that if you use keyboard patterns as passwords that they're super easy to remember.

For you, and everyone else.

qwerty keyboard icon

I'm talking keyboard patterns like:

  • qwerty
  • 123456
  • 1q2w3e
  • zxcdsa

and keypad (like the pin input screen for a 6-digit pin on iPhones) patterns:

  • 147258
  • 123321
  • 123456 (again)
  • 987654

If you haven't noticed, many of these keyboard patterns are also on multiple "most hacked password lists."

For that reason alone, you should avoid using them as passwords.

These are also passwords hackers attempt to guess or crack first because they know people use them because the patterns are easy to remember.

Final thoughts

The ultimate solution to weak passwords are strong, unique, and securely stored passwords.

Specifically, each password for each of your online accounts should:

  1. Be lengthy (at the very least, more than 8 characters. Ideally, more than 10 where possible.)
  2. Be complex (you should use a combination of upper and lowercase letters, numbers, and symbols.)
  3. Be unique (stop reusing your passwords, no matter how strong they are!)
  4. Be stored securely (avoid storing your passwords in unsecure places like your phone notes or a word document. I recommend storing your most important account info in your head.)

There are countless methods out there for generating and remembering passwords with just your brain power.

But with the average user having nearly 70 accounts and corresponding passwords to keep up with, I'm sure you can see where that easily turns into too much.

The best and most convenient way to avoid dealing with the large hassle that weak passwords can bring is to use a password manager .

Password managers generate strong (meaning, long and complex) passwords and store them in a highly secure vault.

In short, they take a lot of work off your hands and can be a big factor in keeping your online accounts safer from attacks and password breaches.

It's all up to you when it comes to how you handle your passwords. You should always remember that your passwords are ultimately what stand between you and the person who wants to steal your information.

So, with that, stay safe out there!

Next Post Previous Post