As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers, which is a common approach) may cost a password-cracking device a few more seconds. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns that result in extremely low entropy:
- Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc.
- Dictionary words: chameleon, redsox, sandbags, bunnyhop!, Intensecrabtree, etc.
- Words with number substitutions: password1, deer2000, john1234, etc.
- Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc.
- Doubled words: crabcrab, stopstop, treetree, etc.
- Common sequences: qwerty, 12345678, mnbvcxz, etc.
- Numeric sequences based on well-known numbers such as 911, 314159, 27182, etc.
- Identifiers: jsmith123, 1/1/1970, 555-1234, “your username”, etc.
- Anything personally related to you: license plate number, social security number, current or past telephone number, student id, address, birthday, relatives’ or pets’ names/nicknames/birthdays/initials, etc.
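The patterns in the list above can be checked mechanically when a password is being set. The following is an added example, not code from this page; the word lists are small constructed samples, and the function name `weak_patterns` and its `username` parameter are hypothetical.

```python
import re

# Constructed sample lists; a real checker would load a full dictionary and a
# list of known-breached passwords instead.
DEFAULTS = {"password", "default", "admin", "guest"}
WORDS = {"chameleon", "sandbags", "crab", "stop", "tree", "deer", "john",
         "goldfish", "password"}
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "mnbvcxz", "1234567890",
             "314159", "27182", "911"]
# Common character substitutions mapped back to the letters they stand for.
LEET = str.maketrans("@4301!5$7", "aaeoiisst")


def weak_patterns(password, username=""):
    """Return the sorted list of weak-password patterns the candidate matches."""
    p = password.lower()
    found = set()
    if p in DEFAULTS:
        found.add("default")
    if p in WORDS:
        found.add("dictionary word")
    # Word followed by digits: password1, deer2000, john1234
    m = re.fullmatch(r"([a-z]+)(\d+)", p)
    if m and m.group(1) in WORDS:
        found.add("word plus digits")
    # Undo simple obfuscation: p@ssw0rd -> password
    plain = p.translate(LEET)
    if plain != p and plain in WORDS:
        found.add("simple obfuscation")
    # Doubled string: crabcrab, stopstop
    half = len(p) // 2
    if half and len(p) % 2 == 0 and p[:half] == p[half:]:
        found.add("doubled")
    # Keyboard run or well-known numeric sequence: qwerty, 12345678, 314159
    if len(p) >= 3 and any(p in s for s in SEQUENCES):
        found.add("sequence")
    # Password built around the account identifier: jsmith123
    if username and username.lower() in p:
        found.add("contains identifier")
    return sorted(found)
```

An empty result only means none of these listed patterns matched; it does not show that the password has high entropy.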
There are many other ways a password can be weak, corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and not be readily derivable by any “clever” pattern, nor should passwords be mixed with information identifying the user. If you ever lose your password, you may click on “forgot password” in the login area or contact us, and we will be glad to assist.