This post is more than three years old so may contain incorrect information, or opinions I no longer hold.

Why Your Password Is Probably Crap

04 Jan 2018 | ~3 minute read

You’re a technical person. You don’t need to use a password manager, because you have mastered the art of obfuscating your password so it can never be cracked, right? Wrong! Let’s have a chat about why your password is probably crap…

First of all, if you’re not running a password manager, why not? They will make your online accounts infinitely more secure, but that’s a discussion for another post. Let’s talk password security.

If you know anything about Cyber Security, you wouldn’t be caught dead using a password like Password123, amirite? However, obfuscating your password in such a way to make it more cryptic for a would-be threat actor is surely the way to go? So Password123 becomes P@$$w0rd123 – IMPOSSIBLE TO CRACK! Look, even How Secure Is My Password says so:

With Password123 entered:

With P@$$w0rd123 entered:

Apparently, it will take 400 years to crack P@$$w0rd123. So who cares if someone cracks it, right? As none of us will be around then anyway. Problem is…

It’s Not True

41 years to crack Password123, c’mon! If that doesn’t prove how useless password strength indicators are, I don’t know what will.

We have all been duped in to thinking that obfuscated passwords are more secure, and will make it much more difficult to crack passwords.

The problem is, online strength indicators use very basic mathematics to work out how long it would take a standard computer to brute force a password by recursive guessing. Threat actors are more technical than that (shock horror) and any password list worth its salt (haha salt…get it?) will have obfuscated versions of common passwords within it.

Getting a password list with billions of passwords in is very simple to do. They’re readily available from many places online, so don’t be thinking you need to be up against a hacking ninja to have your “awesome” obfuscated password circumvented – script kiddies can do this stuff.

So what does all this mean? Well, it means that obfuscated passwords, like P@$$w0rd123 are just as crap as their non-obfuscated counterpart, like Password123 when it comes to real-world password cracking.

Here is the same example in Twitter, when I enter Password123 it simply won’t accept it and asks me to enter a different password:

Change the password to P@$$w0rd123 and not only does Twitter accept it, but it also shows that your password is super secure, by way of a completely filled in (and green) strength indicator to the right of the field:

What’s The Answer?

Well, if you want to make your passwords more secure, stop using your crappy passwords and get in to the habit of using a passphrase instead.

For example, something random like The yellow apple is 12. is much more secure and probably won’t be in any password lists. It’s 23 characters long, has a capital letter, numbers and punctuation (full stop and spaces). Plus, it’s super easy to remember!

Do not use that passphrase ANYWHERE, as it’s now “out there” and probably added to a password list!

Just think of a random passphrase, not a password. That will make things much more secure for you. Or, better yet, get a password manager, as there is no substitute for randomly generated, long passwords.

But still use a passphrase to access your password manager!

I’ll leave you with this XKCD cartoon that makes my point succinctly. Maybe I should have saved myself the trouble and just shared this cartoon instead.

Are you using obfuscated passwords? If so, please stop. Or, feel free to justify your reason(s) in the comments below.

← The one before
Are Password Managers Really Worth It?

Up next →
Why HTTPS Is Important

Get in touch!

Receiving emails from my readers is my favourite thing, so if you have something to say, feel free to drop me an email or sign my guestbook.

Want more content?

Say no more, dear reader. Here's three random posts from this blog for you to peruse:

⚠️ Severe Snow Warning ⚠️
08 Feb 2024

A Reality Where CSS And JavaScript Doesn't Exist?
08 Nov 2021

We Need to Talk About Kevin
11 Apr 2022

Want to be informed when I post new articles? Simply enter your email address below and you will get an email whenever new posts are published.

Alternatively, you can subscribe via RSS instead.

Enjoyed this post?

I put a lot of work into maintaining this site and I really enjoy interacting with my readers.

My fuel of choice is coffee, so if you did enjoy this post, or found it in any way useful, I'd appreciate more fuel to keep me going. ❤️

Buy me a coffee