Passwords That Look Strong But Aren’t

Almost all online services now require users to create complex passwords by adding upper-case letters, numbers and special characters. Fortifying a password to satisfy Gmail or Facebook requirements gives users a renewed sense of security. But this sense is often false. Creating a password that meets minimum complexity requirements is not the same as creating a genuinely strong and secure password.

The problem is that most users follow the same pattern when they beef up their passwords to meet an online service’s requirements. Hackers know these patterns very well and use the knowledge to crack passwords. So, a lot of passwords that look strong are actually not very difficult to crack.

Below is a list of the most common mistakes users make when trying to strengthen their passwords. Do not make these mistakes.

  • Adding a number at the end
    Many users mistakenly believe that they make their passwords strong by adding a number at the end. Most often it is a single-digit number, commonly 1. Hackers know this, and when they try to crack a password, they assume that it follows this common pattern.

    To create a genuinely strong password, add several random numbers in a random order.

  • Capitalizing the first letter
    Users also tend to create passwords with a single upper-case letter, typically by capitalizing the first letter in a password. Again, this is something hackers know and use to crack passwords.

    To create a strong password, use random combinations of upper-case and lower-case letters.

  • Adding a special character at the end
    Another common mistake users make is adding a single special character at the end of a password. Most often the character they go for is !. Adding a special character in this way does not really make a password much more difficult to crack.

    To create a genuinely strong password, add several randomly selected special characters in a random order.

  • Using common words or character sequences
    You would be surprised to know how many users have the same common words (e.g. password, welcome, football, superman) or computer keyboard sequences (e.g. qwerty, asdfgh, qazwsx) in their passwords. Hackers use all these words to crack passwords through brute force attacks. These attacks involve the use of software that tries different combinations of common words and characters until it finds the one that works. Other common words used in millions of passwords include first names and the names of cities, countries, and sports teams.

    To create a password that is really difficult to crack, use random combinations of upper-case and lower-case letters, numbers, and special characters, rather than common words or computer keyboard and smartphone patterns.
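
The gap between "meets minimum complexity" and "strong" can be checked at signup time. The sketch below is an added example, not part of the original article: it tests a candidate password against a typical composition rule and then against the four patterns listed above. The function names are hypothetical, and the word list is constructed from the article's own examples; a real service would load a much larger list.

```python
import re

# Constructed sample list: only the words and keyboard runs named in the article.
COMMON = ("password", "welcome", "football", "superman",
          "qwerty", "asdfgh", "qazwsx")

def meets_minimum_complexity(password):
    """Typical composition rule: upper, lower, digit and special all present."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return all(re.search(c, password) for c in classes)

def weak_patterns(password):
    """Return the article's predictable patterns that this password follows."""
    found = []
    core = password
    # Special characters that appear only as a suffix, e.g. "...!"
    m = re.search(r"[^A-Za-z0-9]+$", core)
    if m and not re.search(r"[^A-Za-z0-9]", core[:m.start()]):
        found.append("special character only at the end")
        core = core[:m.start()]
    # Digits that appear only as a suffix (after stripping the suffix above)
    m = re.search(r"\d+$", core)
    if m and not re.search(r"\d", core[:m.start()]):
        found.append("number only at the end")
        core = core[:m.start()]
    # Exactly one upper-case letter, and it is the first character
    if core[:1].isupper() and not any(ch.isupper() for ch in core[1:]):
        found.append("only the first letter capitalized")
    # Common word or keyboard run anywhere in the password
    lowered = password.lower()
    if any(word in lowered for word in COMMON):
        found.append("common word or keyboard sequence")
    return found

if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ("Password1!", "Summer2024", "k7#Qz!2mXp$9"):
        print(candidate, meets_minimum_complexity(candidate),
              weak_patterns(candidate))
```

A password such as `Password1!` passes the composition rule yet matches every pattern, which is the reason to reject on patterns rather than on character classes alone.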