What Professional Password Guessers Look For In Your Password

As the recent LastPass security notification reminds us, it’s critical to use only strong passwords. Most people, though, use the same patterns when choosing their passwords, like having the number 1 at the end, making these easier for hackers to crack.

Photo by reidrac

Security expert Roger Grimes writes at InfoWorld how easily passwords can be guessed and says that these days passwords need to be longer than the mere six-to-eight characters typically used. The average password guesser can determine portions of a large majority of users’ passwords:

Most professional password guessers know there is a 50 percent chance that a user’s password will contain one or more vowels. If it contains a number, it will usually be a 1 or a 2, and it will be at the end. If it contains a capital letter, it will be at the beginning, followed by a vowel. The average person has a working vocabulary of 50,000 to 150,000 words, and they are likely to be used in the password. Women are famous for using personal names in their passwords, and men opt for their hobbies. “Tigergolf” is not as unique as CEOs think. Even if you use a symbol, an attacker knows which are most likely to appear: ~, !, @, #, $, %, &, and ?.

If you haven’t already done so, consider lengthening your password to more than eight characters and using a random password generator for the strongest protection. John Pozadzides’ previous feature here, How I’d Hack Your Weak Passwords, is an excellent resource and also provides further reading on the most commonly chosen passwords.
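As an added example (not code from the article, from InfoWorld or from Grimes), the predictable traits quoted above can be turned into a defensive screening check that flags user-chosen passwords before they are accepted, paired with a CSPRNG-based generator of the kind the article recommends. The pattern names, the 8-character threshold and the 12-character minimum are my own assumptions.

```python
import math
import re
import secrets
import string

# Symbols the excerpt lists as the ones an attacker expects to see.
COMMON_SYMBOLS = set("~!@#$%&?")
# Full printable alphabet used by the generator (94 characters).
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def predictable_patterns(password: str) -> list[str]:
    """Return the names of predictable traits found in a candidate password.

    Each check corresponds to one observation from the excerpt; an empty
    list means none of those shortcuts apply to this password.
    """
    findings = []
    if len(password) <= 8:                            # typical 6-8 character length
        findings.append("length_8_or_less")
    if re.search(r"[12]$", password):                 # a 1 or 2 at the very end
        findings.append("trailing_1_or_2")
    if re.match(r"[A-Z][aeiou]", password):           # capital first, vowel second
        findings.append("leading_capital_then_vowel")
    if re.fullmatch(r"\D+\d+", password):             # all digits pushed to the end
        findings.append("digits_only_at_end")
    symbols = {c for c in password if not c.isalnum()}
    if symbols and symbols <= COMMON_SYMBOLS:         # only the "expected" symbols
        findings.append("only_common_symbols")
    return findings


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Screening policy (assumed): long enough and free of every flagged trait."""
    return len(password) >= min_length and not predictable_patterns(password)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a password drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Generate a password with the OS CSPRNG, sampling each position uniformly."""
    return "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Tigergolf1", "Summer2", "Pa$$w0rd"):   # constructed samples
        print(candidate, predictable_patterns(candidate))
    print(generate_password(), round(entropy_bits(16, len(GENERATOR_ALPHABET)), 1))
```

Running it shows that a random 16-character password from a 94-symbol alphabet carries roughly 105 bits of entropy, against about 38 bits for an 8-character lowercase word even before the pattern shortcuts are applied.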

Test the strength of your password policy [InfoWorld]


  • A five-second lockout policy after a single failed password attempt is probably the single most effective way to prevent password guessing from ever being successful.

    Users won’t even notice, and even very weak passwords take ages to guess.

    Longer passwords with fewer randomness requirements, in my experience, provide more security than shorter passwords that people write on Post-its.
