Good and Bad Passwords How-To
An Example List of Common and Bad Passwords
I have removed the long list of common passwords due to excessive traffic levels,
and may restore it sometime after they return to normal. I wish I had never
created this list, even though it has become by far the most popular page on this site.
All such lists are intellectually dishonest, regardless of how accurate they
may be, or how carefully they were prepared. Most people who do not find
their password in such a list develop a false sense of security. The simple fact
is that any competent cracker will be working from a list many times larger than
the largest common password list, and the cracker's list will include virtually
every word in any common password list. If your password can be found in any
dictionary or online "word" list, where words include such character sequences as
"qwerty", "abcd1234", or "thx1138", you have a password just as bad as those
listed in common password lists. If you have applied one or several transformations
(such as those described in Cracking Tool Feature
List), you still have a bad password.
It's not easy to make good passwords. There is common
advice on forming good passwords, but while better than nothing, it leaves much to
be desired. If you can get through this long and sometimes technical
section you will know what makes strong or weak passwords and have a pretty
good idea when a fair password is OK, and when you need a really strong password.
The one constant is that good passwords don't appear in any word list, and have
certain minimum length and character diversity requirements. The less character
diversity, the longer the password needs to be. An all lower case password may
be OK, but it needs to be about 14 characters to be strong.
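The two requirements above, sketched as an added example that is not code from the original page: a password is rejected if it, or a simple transformation of it, is in a word list, and otherwise must be long enough for its character diversity. The word list and sample passwords are constructed, the transformations shown are assumed examples, and the strength target is taken from the 14-character all-lower-case figure.

```python
import string

# Constructed sample list; a real check uses a list with millions of entries.
WORDLIST = {"qwerty", "abcd1234", "thx1138", "password", "dragon"}
# Assumed examples of simple transformations: case, trailing digits or
# punctuation, look-alike substitutions, reversal.
LEET = str.maketrans("013457@$!", "oleastasi")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
# Search space of the page's 14-character all-lower-case password.
TARGET = 26 ** 14

def candidates(pw):
    """Return pw with the assumed transformations undone."""
    base = pw.lower()
    forms = {base, base.rstrip(string.digits + string.punctuation)}
    forms |= {f.translate(LEET) for f in forms}
    forms |= {f[::-1] for f in forms}
    return forms

def in_wordlist(pw):
    return any(f in WORDLIST for f in candidates(pw))

def alphabet_size(pw):
    """Sum the sizes of the character classes that appear in pw."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))

def min_length(alphabet):
    """Shortest length whose search space reaches TARGET (exact integers)."""
    n = 1
    while alphabet ** n < TARGET:
        n += 1
    return n

def assess(pw):
    if in_wordlist(pw):
        return "wordlist"
    size = alphabet_size(pw)
    # The length test only means something for randomly chosen characters.
    if size == 0 or len(pw) < min_length(size):
        return "short"
    return "ok"

if __name__ == "__main__":
    for name, size in (("digits", 10), ("lower", 26), ("lower+upper", 52),
                       ("lower+upper+digits", 62), ("all printable", 94)):
        print(f"{name:20} needs {min_length(size)} characters")
    for pw in ("P@ssw0rd1", "8311xht", "kV9#mq2L", "mzqkhvbtrwplxd"):
        print(f"{pw:16} {assess(pw)}")
```

Run as a script, it prints the minimum length for each character set and the verdict for each sample password.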
Copyright © 2000 - 2013 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is