Everyone has terrible passwords

Earlier this year, GCHQ’s National Cyber Security Centre division issued a report that stated the most commonly used passwords include words such as ‘password’, ‘liverpool’ and ‘123456’.

This is a worrying headline, but depressingly, not a surprising one to anyone who follows web security. This article will try to explain why having ‘password1’ as your password really is a TERRIBLE idea, and how to keep your passwords safe online.

Major websites (and lots of smaller ones) are getting attacked and hacked every single day – large companies such as Equifax, Talk Talk, LinkedIn and Adobe have all had their password databases stolen in the last few years. When they are breached, the attacker will generally end up with a list of hashes. Hashes are pseudo-encrypted versions of your passwords, which are used to obscure your password. They work by taking your password as an input, and making them look random. However, they’re not random, as the same input text will always produce the same output hash.

So the password `password1` will always generate:


However, if you change the input text even slightly to `Password1` (uppercasing the first letter) then the result hash will look completely different:


It is therefore mathematically impossible given just the hash, to reverse and get back to the original password. These properties make hashes great for storing passwords.

However, not all hashing protocols are created equal, and some are considered very weak. Despite this, a number of big companies and websites still use lower quality hashing algorithms (such as MD5 and SHA1). Given this knowledge, the attacker will then (having acquired the stolen hash list) attempt to guess various passwords, at scale. With specialist software and powerful computer hardware, it’s not unrealistic to say attackers can attempt to guess password hashes at a rate of tens or hundreds of BILLIONS per second.

Which means, if your password is something basic, such as an 8 letter, all lowercase password, then this will be guessed very quickly.

Hackers use numerous techniques for guessing passwords. These range from basic to more complex, time-consuming methods. For example…

Brute Force Attacks

Brute force attacks take a certain character set and length and attempt every possible combination of those characters at this length. So, if attempting to get an 8-character all-lowercase password, the algorithm will attempt:


Then it will try:


Followed by:


This will continue until it has tried every possible combination of the lowercase letters. Then the attacker will give it different characters sets (“8 lowercase letters, 1 number”, “1 uppercase letter, 7 lowercase letters, 1 number” etc). This will successfully get a lot of poor-quality passwords, but as the character sets get longer (9/10 characters or longer) and with lots of different characters (uppercase, lowercase, numbers, symbols etc) the effectiveness of this method starts to drop off.

Dictionary Attacks

Dictionary attacks work by taking a list of possible passwords, generating hashes for everything in that list, then comparing that to the stolen list of hashed passwords.

These password lists contain hundreds of thousands, or millions of words (the entire English dictionary, brand names, city names, countries, common first names, swear words etc). This means that if your password is a whole word (such as a city name, a person’s name etc), it is likely that it is on one of these password lists, and therefore would be cracked almost instantly. This means that a password like:


Despite being 12 characters long, is still probably a weak password, as there’s a good chance this exists on password lists like these.

Dictionary Text Manipulation

Hackers can (and will!) go even further with dictionary attacks, by making alternate versions of all the passwords on the list. These are based on common behaviours that people exhibit when writing passwords, such as:

Capitalising the first letter – `johannesburg` to `Johannesburg`
Adding a number at the end – `johannesburg` to `johannesburg1`
Swapping letters for common substitutes – `johannesburg` to `johanne5burg`

This, in combination with an extensive dictionary, makes it possible to guess very varied passwords, and makes passwords that traditionally would be considered very secure, relatively easy to crack.

To see this in action, this Computerphile video goes through the process in some detail.

In my next article, we’ll talk about how to ensure you have a password that a nefarious cracker can’t guess!

Written by:

Jordan Peck Senior Data Analyst


What we think



You may also like

What we think


/  15 Sep 2020

Evolving video to deliver the knockout blow

“Everyone has a plan until they get punched in the mouth”, as Mike Tyson famously put it. At the beginning of the year no one expected to be sharing the ring with a global pandemic, so from a marketeer’s perspective, Covid dealt an unexpected b

Read more

What we think


/  28 Aug 2020

Reassessing media planning with The 4R’s

Every agency has a ‘media planning process’ of sorts. They vary in complexity and terminology, but the process tends to follow a similar path. Once the client objectives are defined, the process begins with an insight gathering phase. This inform

Read more