Contents
You have almost certainly scrolled past one of those colourful charts on LinkedIn, the ones that promise to tell you exactly how long your password would survive an attacker. They look convincing, but they are also only telling you a fraction of the story.
That gap matters because the missing part is where most real accounts actually get broken into. This post walks through how password cracking works in practice, why a “complex” password can still be a weak one, and what genuinely keeps your accounts safe.
The chart you have seen a hundred times
Charts like the one above get shared constantly, and the maths behind them is not wrong. Read one and you might conclude that a nine character password mixing upper case, lower case and numbers would hold out for months.
The trouble is that the chart assumes one very specific kind of attack, and it is rarely the one that gets used. Take “Password1”. It ticks every complexity box, with upper case, lower case and a number, yet nobody would call it safe. The chart cannot see that, because it only measures a single method.
Brute force, and why the chart stops there
The charts describe a brute force attack. This is the version most people picture when they imagine password cracking: a computer working through every possible combination in turn until it lands on yours.
A, B, C and on to Z, then AA, AB, AC, then AAA, AAB, and upward from there. Add more character types and the pool grows fast. Bring upper case, numbers and symbols into play and there are far more combinations to churn through, which is exactly why length and a mix of character sets slow a brute force attempt down.
If that were the only method available, the charts would be sensible advice. It is not.
Why complex passwords still fail
Passwords are an awkward compromise. To be useful they have to be memorable, but memorable tends to mean guessable, and guessable rarely satisfies the complexity rules that most organisations enforce. So people take a predictable route to keep both sides happy.
It usually starts with something easy to recall, such as a pet, a football team or a favourite film. Say you land on “wookiee”, the tall hairy characters from Star Wars. To meet the rules you then mangle it into shape, adding a capital, a number and a symbol:
- Wookiee1!
- Wookiee123!!!
- Wookiee0?
Or you swap letters for lookalike numbers and symbols, so “wookiee” turns into “W00k!3e”. Millions of passwords are built this exact way. If that feels a little too familiar, you are in very large company.
Now look at “Wookiee1!” through the chart’s eyes: four character sets, eight characters, apparently solid. An attacker does not see it that way at all.
Wordlists, RockYou and rules
Rather than grinding through every combination, attackers usually start with a wordlist, a ready made list of passwords that people genuinely use.
The most famous is rockyou.txt. It takes its name from RockYou, a company that built widgets for social platforms like MySpace and Facebook. In 2009, its entire user database was stolen, and to make matters worse the passwords were stored as plain text, so every single one was readable.
The list holds roughly 14 million unique passwords drawn from around 32 million accounts. Sit with that ratio for a moment. On average each password was shared by more than two people, which tells you a small pool of obvious choices was reused endlessly, with only a handful of genuinely unique ones mixed in. Wikipedia even publishes the 10,000 most common passwords, and they make for uncomfortable reading.
Wordlists are only the starting point, though. Attackers layer “rules” on top that automatically mangle each entry the same way people do: capitalise the first letter, tack a “1!” on the end, swap an “o” for a “0”. So “Wookiee1!” is not hiding at the far end of some brute force search. It is a common word with the most predictable tweaks applied, and a rules based attack reaches it in no time.
This is also why the NCSC is blunt about character swaps like turning “o” into a zero. Attackers know every one of those tricks, so the swap buys you almost nothing.
Related Reading: How to Share Passwords Securely at Work
What actually keeps accounts safe
Good news first. You do not have to memorise long random strings to stay safe. A few habits do most of the heavy lifting.
Use a password manager
Password managers exist precisely for this problem. They generate long random passwords, store them, and fill them in for you, so every account can have something unique that no wordlist will ever contain.
There is one honest caveat. A password manager concentrates your risk, so if the master password is weak or gets compromised, that becomes a single point of failure. Even accounting for that, the trade is worth making for most people, and it remains one of the most effective steps you can take.
Turn on multi-factor authentication
Multi-factor authentication (MFA) works on the principle of something you know and something you have. The thing you know is your password. The thing you have is usually your phone, which receives a prompt or a one time code. Even if an attacker cracks your password, they still cannot get in without that second factor. Switch it on wherever it is offered, and prioritise your email, since that is the account capable of resetting all the others.
When you have to remember it yourself
Sometimes neither a manager nor MFA is available and you need a password you can actually recall. The UK’s National Cyber Security Centre recommends stringing together three random words, which gives you length without an unmemorable soup of symbols. A few principles help here:
- A space usually counts as a symbol, so a short phrase beats a single word, and the extra length makes cracking far harder.
- Steer clear of dictionary words and proper nouns such as names, brands and teams where you can.
- Break real words up in a way that means something to you.
As a rough illustration, “Wookookies ARE h41ry!?” is far stronger than anything earlier in this post and no harder to remember. “Wookookies” is not a real word, so no wordlist contains it, yet it sticks in the mind because it sounds daft. It runs long, mixes cases and numbers, and scatters spaces and punctuation throughout.
Please do not actually use that one. Any password printed in a public blog post has stopped being a secret, which means it has stopped being secure.
The short version
- Turn on MFA wherever you can, starting with email.
- Use a password manager to generate and store unique passwords, and check whether your accounts have already been exposed at Have I Been Pwned.
- Favour non-dictionary “words” and length over fiddly character swaps.
- Remember that a password is only secure while it stays secret. Once it leaks, retire it, however fond of it you are.
Weak and reused passwords remain one of the easiest ways into an organisation, and they are exactly the kind of gap a penetration test is built to find before an attacker does.
