The Authentication Reference

Your go-to place for authentication information

Successful Authentication with Incognia

The Authentication Reference

What makes a password weak?

What makes a weak password and how to check for vulnerabilities

The number sequence “123456” has occupied the top of the list of most common passwords in recent years. However, what makes a password weak is not just the fact that it is some obvious sequence, but a combination of factors that involve the number and variety of characters, as well as the type of information associated with the secret word.

To understand what a weak password is, it is necessary to understand the main methods used by hackers to steal credentials. Phishing attacks, for example, use social engineering to manipulate a victim into providing their personal information, including passwords. In this case, it doesn't matter if the password is weak or strong, as the attacker doesn't need to try to decipher it. That is the problem with any type of identity verification based on static credentials.

The same applies to data leak incidents. The difference is that, even if the hacker cannot obtain the victim's password, they may have access to other sensitive data, such as birth dates, social security numbers and addresses, which can make the job easier of deciphering a password. 

Finally, a common technique is called the “brute force attack”, in which the attacker tries a series of character and number combinations in the hope of discovering the password. For this, software capable of performing billions of attempts per second is used. Thus, passwords that contain a smaller number of characters are the most vulnerable in this type of attack. 

The first step in securing information in a digital environment is knowing how to check whether a password is weak. 

How to check for a weak password

Password combinations are often easy to memorize and are used repeatedly over many services since users usually prefer to reduce the effort on their memories, and that is the reason passwords usually are low in complexity. But what exactly is a weak password? To verify the strength of a password, it is necessary to analyze the following factors:

[banner_1]

Password is shorter than eight characters

During the process of creating a password, many websites require a minimum number of characters. This condition is a way to make the work of attackers more difficult, considering that a six-digit password can be cracked in just 16 seconds. Increasing to nine digits, the time changes to 18.48 hours. In the case of combinations with 12 digits, the period it would take for the password to be deciphered would be 854.45 years. 

Password uses repeated or sequential characters

Selecting a large number of characters, however, is not enough. The string “123456789”, for example, is the second most popular password and, despite containing nine digits, it would be cracked in a few seconds. The same applies to combinations like “AAAAAA” or “abcdefgh”, as well as obvious words like “password” or “password123”.

Password uses Keyboard patterns

An alternative technique that is commonly used when creating passwords is to simply choose a string that matches a keyboard pattern, such as “qwerty” or “1qaz2wsx”. While not as obvious as “123456”, this type of combination would also be deciphered with extreme ease.

Password uses Personal Information

Another factor that determines when the password is too weak is the use of personal information. Names of family members or pets, birthdays, addresses and identification numbers are data that can be easily found if they are publicly available or even after data leak incidents. 

Even if a person is aware of what a weak password is and takes all the necessary precautions to create a strong match, it is still important to ensure that this information is stored correctly. Since complex sequences can be difficult to memorize, it is common to write them down on paper or on a notepad. The problem with this approach is that, although the password may not be easily deciphered, it can be easily found.

Strengthening Password Security

Based on the factors listed above that describe what makes a password weak, here are some tips on how to strengthen credential security:

  • Use a long-phrase or word and replace some letters with special characters
  • Don't reuse passwords
  • Don’t share passwords with anybody
  • Change passwords regularly
  • Use password managers


Although passwords are still used as the main access key in today’s digital world, they are gradually being replaced by other forms of authentication, such as behavior biometrics, facial recognition and location behavior. Given the growing security risks associated with passwords, companies are looking to protect users with the help of more advanced technologies that do not rely on human creativity and memory.