Good and Bad Passwords How-To

An Example List of Common and Bad Passwords

I have removed the long list of common passwords due to excessive traffic levels, and may restore it sometime after they return to normal. I wish I had never created this list, even though it has become by far the most popular page on this site. All such lists are intellectually dishonest, regardless of how accurate they may be, or how carefully they were prepared. Most people who do not find their password in such a list develop a false sense of security. The simple fact is that any competent cracker will be working from a list many times larger than the largest common password list, and the cracker's list will include virtually every word in any common password list. If your password can be found in any dictionary or online "word" list, where words include such character sequences as "qwerty", "abcd1234", or "thx1138", you have a password just as bad a those listed in common password lists. If you have made any or several transformations (such as described in Craking Tool Feature List) you still have a bad password.

It's not easy to make a good passwords. There is common advice on forming good passwords, but while better than nothing, leaves much to be desired. If you can get through this long and sometimes technical section you will know what makes strong or weak passwords and have a pretty good idea when a fair password is OK, and when you need a really strong password. The one constant is that good passwords don't appear in any word list, and have certain minimum length and character diversity requirements. The less character diversity, the longer the password needs to be. An all lower case password may be OK, but it needs to be about 14 characters to be strong.

Top of Page - Site Map

Copyright © 2000 - 2012 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.