Passwords are one of the most popular authentication methods: they are widely used and everyone knows how they work. They also do not require any additional devices or credentials. Simplicity goes hand in hand with convenience: a password can be changed at any time, unlike biometric methods, since it is difficult to change your fingerprint, face shape or retina.
But passwords also have disadvantages. Security depends primarily on the length and quality of the password: the more complex, the better, but also the harder to remember. Moreover, other people may guess the password in use or try to crack it.
What passwords are weak?

Generally, the simpler the weaker. These include low-complexity passwords: those shorter than 12 characters that contain only one group of characters (for example, only numbers or only letters). Another group are passwords that can be guessed from context. This applies primarily to information that someone who knows the victim has access to (directly or via social media): using a name or surname, the name of a partner or child, a date of birth, or the name of a favorite band, actor, etc. as the password.
Passwords that use popular strings are also easy to crack: qwerty, 123123, 123456, 11111, qwe123 or the immortal "password", as well as passwords that can be found in dictionaries.
A weak password is also one that is used in the same form in different services, or when the user applies the same password structure to individual services (such as gmail123 and adobe123, or D7$4-gadobe and D7$4-gmail). In this way an attacker who learns the structure and one password can get into the victim's other accounts and services.
How are passwords exposed?
Passwords are a method based on something you know, i.e. information that is solely in the possession of the authorized entity. At least in theory. In practice there are many ways for others to learn them.

Guessing passwords
This is a surprisingly effective method when the user keeps a default login (e.g. admin, guest, test) and password (which is sometimes identical to the login), uses an easy-to-guess name (a real first name or surname), or chooses weak, simple passwords. According to research, around 10% of users set their first name as a password. Moreover, many do not change the default logins and passwords on the devices they use, e.g. routers.
Cracking passwords
Cracking is carried out by systematically testing successive character combinations and comparing them against available sources (e.g. dictionaries, lists of typical passwords, etc.), and by brute-force attack, in which all possible combinations of all characters are tried one after another. Modern computers can perform billions of such operations per second, using the processing power of both the processor and the graphics card. These types of attacks are basically 100% effective, but if the password is long enough the process can take a really long time, anywhere from an almost immediate result to centuries.
Now some math will come in handy: here is how to easily count the number of possible password variants from the password length and the number of characters used.
We have to use:
- Capital letters: A to Z (26 characters)
- Lowercase: a to z (26 characters)
- Numbers: 0 to 9 (10 characters)
- Symbols (33 characters): (space) ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
The number of possible combinations can be calculated from the equation:
Number of passwords = (number of characters)^(password length)
Suppose we have a 5-character password that uses 36 characters in its structure (e.g. a set of lowercase letters and a set of numbers).
Like this: 36^5 = 60 466 176 combinations
What it looks like with passwords of different lengths and using different character sets:
Despite the millions of possible combinations, a computer is able to crack them in less than a second, assuming it can generate 100 billion passwords per second. Therefore, the longer the password and the more diverse its character set (upper and lower case letters, numbers, and special characters), the longer it will take to crack.
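The table of lengths and character sets that the article refers to can be reproduced with the formula above. The following script is an added example (not part of the original article); it assumes the article's four character groups and its figure of 100 billion guesses per second, and, as a simplification, counts any non-ASCII character as a member of the symbols group.

```python
# Character groups as listed above (sizes from the article)
GROUPS = {"lowercase": 26, "uppercase": 26, "digits": 10, "symbols": 33}

# Attacker speed assumed by the article: 100 billion guesses per second
GUESSES_PER_SECOND = 100_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords = (number of characters) ** (password length)."""
    return charset_size ** length


def crack_time_seconds(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: time to try every password in the keyspace at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that fits (years down to seconds)."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2g} seconds"


def charset_size_of(password: str) -> int:
    """Size of the smallest combined character set that covers every character."""
    size = 0
    if any(c.isascii() and c.islower() for c in password):
        size += GROUPS["lowercase"]
    if any(c.isascii() and c.isupper() for c in password):
        size += GROUPS["uppercase"]
    if any(c.isascii() and c.isdigit() for c in password):
        size += GROUPS["digits"]
    if any(not (c.isascii() and c.isalnum()) for c in password):
        size += GROUPS["symbols"]  # simplification: non-ASCII lands here too
    return size


def crack_table(lengths=(6, 8, 10, 12, 16),
                charsets=((26, "lowercase"), (36, "lowercase+digits"),
                          (62, "letters+digits"), (95, "all printable ASCII"))):
    """Rows of (character set, length, keyspace, worst-case crack time)."""
    return [(label, n, keyspace(size, n), human_time(crack_time_seconds(size, n)))
            for size, label in charsets for n in lengths]


if __name__ == "__main__":
    for row in crack_table():
        print("{:<20} {:>3} chars  {:>28,}  {}".format(*row))
```

Note that these are worst-case exhaustive-search times; a dictionary or leaked-password attack finds weak passwords far sooner regardless of the keyspace.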

User password choices are usually predictable, so previously seen passwords are tested first, i.e. dictionary words and passwords obtained from various leaks, hacks and databases. At https://haveibeenpwned.com/Passwords you can check whether your password has ever been disclosed, which makes it less secure.
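The check behind that site can be done without sending the password itself: only the first five hex characters of its SHA-1 are sent, and the rest is matched locally against the returned list. The following is an added example, not code from the article or from the Have I Been Pwned service; the range response embedded below is constructed for the demonstration, and the `fetch_range` callback is a hypothetical hook where a real HTTP client would go.

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6. The real service
# (https://api.pwnedpasswords.com/range/<prefix>) returns one "SUFFIX:COUNT"
# line per known hash with that prefix; these suffixes and counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def sha1_hex_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper case as the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Times the password appeared in known breaches (0 = not in the list)."""
    for line in response_text.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> response text; inject a real HTTP call or the sample."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demo using the constructed response above
    print(pwned_count("password", lambda prefix: SAMPLE_RANGE_RESPONSE))
```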
Capturing passwords
Another method relies on sniffing software: an attacker intercepts network packets and searches them for usernames and passwords. The same is done with keyloggers and malware (e.g. Trojans).

Many social engineering methods can be used to obtain passwords. They are extremely effective, and victims unknowingly reveal sensitive data. Add to this phishing, based on fake e-mails that encourage you to log in, open a file or install an application (often combined with spoofing, i.e. forging the details of a trusted sender).
An attacker can also gain access by trying to reset the password, provided the user has chosen extremely weak recovery security, for example a mother's maiden name, which can be "extracted" by rummaging through the victim's social media.
What passwords are strong?
Long, non-dictionary and unique. Strong passwords are complex and difficult to guess, but are usually impossible for the user to remember.
To make the password as difficult to guess or crack as possible, use uppercase and lowercase letters as well as numbers and special characters ($ % & : ; - _ ? § ! and so on), and set the minimum length to 12 characters. In any case, many websites have specific guidelines for building a password and enforce them on users. Instead of a typical password you can also use more complex phrases (passphrases), i.e. combinations of several words.
An example of a password that is practically impossible for a machine to break (because with current technology it would take several hundred trillion years):
123@ndrO!D4568Dz1eW!Ęć

You probably know a few recommendations for creating passwords, but it is worth adding that many of them are currently being abandoned because they did not translate into increased security. One such practice, long ingrained in the industry, was periodic password expiration, i.e. forcing users to change passwords every few weeks or months.
This resulted in simple passwords and predictable patterns when changing them. Mandating a character set does not necessarily work either: when a website rejects a password because it lacks a special character, it is almost certain that the user will simply add an exclamation mark at the end.
Of course, even the strongest password will not help when servers are hacked and databases with user data are stolen. If the logins and passwords stored by individual applications or companies are not properly secured, everyone is at risk – regardless of the strength of the security settings.