How to Avoid Creating Weak Passwords

You have likely heard that using strong passwords is an integral part of protecting a company’s data and weak passwords are a definite cyber security risk. But do you know what makes a password strong or weak? To find out, here is a quick quiz:

Take a look at the list of passwords below. (The quotes are not part of the passwords.) Which of the following are strong passwords?

  • “football”
  • “123456”
  • “qwertyuiop”
  • “passw0rd”
  • “1qaz2ws”

The answer is none of them. In fact, all these passwords were on  SplashData’s “Worst Passwords of 2015” list. Knowing why these passwords are weak can help you avoid making the same mistakes when you create your own passwords.

“football” (No. 7 on the Worst Passwords List)

The password “football” is weak on several fronts. First, it includes only lowercase letters instead of a mix of uppercase and lowercase letters. Further, it is a word that you can find in a dictionary. Cybercriminals often use software that systematically tries every word in a dictionary as a password. This is known as a dictionary attack.

Besides not using words in the dictionary as passwords, you should not use proper nouns or foreign words. You should also steer clear of creating passwords that incorporate business or personal information. For example, do not use a password based on when and where you started your business, or an activity you enjoy. It is easy for cybercriminals to obtain business and personal information on social networks, such as LinkedIn and Facebook.

“123456” (No. 1 on the Worst Passwords List)

What is wrong with using a password like “123456”? To begin, it is too short. The shorter the password, the easier it is to crack. More important, it incorrectly uses numbers. Passwords should contain numbers but not in obvious strings (e.g., “7777777”). Cybercriminals often try entering strings of numbers before launching the more time-consuming dictionary attacks.

“qwertyuiop” (No. 22 on the Worst Passwords List)

While the length of “qwertyuiop” is adequate (10 characters long), this password does not include any numbers or uppercase letters. What is worse is that this password is common, as it is the top row of letters on a computer keyboard. Cybercriminals know which passwords are popular, so they will try them first.

“passw0rd” (No. 24 on the Worst Passwords List)

This password contains both letters and a number, which is good. However, it does not contain any uppercase letters and it is commonly used. It is not as popular as “password”, though, which is No. 2 on the worst passwords list.

“1qaz2wsx” (No. 15 on the Worst Passwords List)

At first, “1qaz2wsx” might look like it is a strong password, but it is not. Besides containing only lowercase letters, it is a well-known password among cybercriminals. On a computer keyboard, it is the first two columns of keys containing numbers and letters.

Guidelines for Creating Strong Passwords

When creating a password, follow these guidelines:

  • Think of a long, random password that is hard to guess. At the minimum, the length should be eight characters — the longer, the better.
  • Use numbers but not in a predictable pattern.
  • Use uppercase and lowercase letters.
  • Use special characters (e.g., percent sign, exclamation point, dollar sign) when possible.

An example of a strong password is “8%&KY4&$XzwMhfrk”. On an average computer, it would take a cyber criminal more than 10,000 centuries to crack this password using a brute-force password-cracking tool, according to Kaspersky Lab. These tools try every possible character combination as a password. Even on the world’s fastest supercomputer,  Tianhe-2, it would take a cyber criminal a year to crack “8%&KY4&$XzwMhfrk”. In contrast, it would take a cyber criminal one second to crack “passw0rd”, “qwertyuiop”, “football”, and “123456” on a home computer. Cracking “1qaz2wsx” would take 33 seconds.

As part of a security assessment, your IT service provider can help you determine whether your organisation is using adequate or weak passwords. If you are having trouble creating strong passwords, ask your IT service provider to recommend a password manager that you can use. Password managers automatically create strong passwords and securely store them for you.

If you need any assistance with your cyber security strategy or you don’t know where to start please call us on  1300 478 738 or email us at

Further reading:

Why Good Cyber Security is a Positive for your Business

Contact Us

This field is for validation purposes and should be left unchanged.

Find out how we can help with your IT challenges.

About the author:

Picture of Ash Klemm

Ash Klemm

Ash has over 20 years of experience in sales and marketing. His journey from a casual salesperson at Chandlers to State Manager at a national IT distribution company, while battling health issues, including a double lung transplant in 2015, gave him the experience, know-how, tenacity, and marketing insight, to find solutions and help businesses grow. After spending several years in the ivory tower of state management, Ash missed the genuine connection of face to face meetings and helping make a difference to businesses in need. His authentic, conversational, and easy-going nature helps our customers feel at ease and shows them we are a brand to trust. Ash spends his days advocating for our customers to ensure they receive the best possible service in a timely fashion. Ash is also the in house chair builder. His curiosity and natural problem-solving ability make him the perfect first call for all our new customers to help determine what is wrong, how Surety IT can help and what the best solutions are moving forward.
Scroll to Top