Many years ago, I had a friend who was not the brightest crayon in the box, figuratively speaking. Especially when it came to computer security.
One day, he came up to me and asked me, “why is your password so long?” I told him the obvious, “It’s a lot more secure.” Then, he bragged “well my password is super easy to remember. It’s 1
“.
I was in disbelief. Who in their right mind would make “1
” their password? But before I could say any more, he told me to watch carefully. Meticulously and deliberately, he entered his username, pressed the 1
key, and hit enter. The monitor then displayed none other than the blue “Logging in” screen. Inside, I was laughing uncontrollably. That was indeed one heck of an “are you serious?” moment.
Surprisingly though, “1
” is not the most common password on the Internet. It’s not even on the Top 25. However, that doesn’t make it a very secure password either. A plain brute-force dictionary attack, starting at one-character passwords, would be able to crack such a password in a split-second.
Then again, is this really how password crackers work? Or, would they start with six-to-eight-letter passwords (which seem to be the norm), work their way through the billions of permutations, and then branch out from there? If this is the case, then the password “1
” would be considered at the end of the brute-force search.
The question about the security of a one-character password could also be considered from a human standpoint. Which passwords would a human guess first? Perhaps he or she could start with the Top 25, of which “1
” is not a part. Then, he/she would move on to words or phrases that represent the account user’s interests, such as rock n’ roll, Chinese restaurants, racecars, and the like. Perhaps she would even try letter-to-number substitutions like “f3rr4r1”. At any rate, the amount of passwords to go through using that method is substantial. When would he/she think of guessing a password as simple as “1
“? That one-character password would be hiding in plain sight the whole time!
But if someone asked me if I would ever pick “1
” as a password, I would promptly say no. While humans may not think of guessing one number as a password, the possibility cannot be ruled out. Add this to the possibility of brute force dictionary attacks, and the choice is manifest. Longer, non-dictionary passwords consisting of upper- and lowercase letters, numbers, and symbols are your best bet.