
PASSWORD! A set of characters that everybody treats as a secret and a private entity. A magical word that verifies your identity. A phrase that grants you access to otherwise denied areas. A lock combination that opens the safe holding precious gems. A security layer to protect sensitive areas, objects, information, portals, people and what not. A risk you carry on your tongue and save in your head. A word that denies the principle of “Keep It Simple, Stupid!”. The more complex a password is, the better it is, and vice versa. If leaked or communicated to the wrong person by any means, it can cause destruction, reputational damage, risk to life, theft, and whatever else you can think of. In this article, we will discuss the importance of a PASSWORD and how hackers guess the password.
What is a password
The term PASSWORD is the combination of two words, “PASS” and “WORD”. The literal meaning of PASS is to be allowed entry or to go through, and WORD means a phrase. So literally, a password means “a phrase that lets you pass”. In ancient times, this term was used by armies to tell friend from foe and to decide whether to grant or restrict access to sensitive areas. In this era, even with the advancement of technology, the term remains the same and serves the purpose of securing digital identity.
Habit (Good/Bad)
A password is like a habit that can be either good or bad. If good, it can be armor that strengthens your guard. Otherwise, it is just a weight on your body that makes you weaker. Since the password serves as a means of digital identity, it is crucial to make it complex enough that malicious users cannot guess it easily.
Why guess the password?
Guessing a password means having the ability to impersonate someone in a specific digital realm. This means having the same authority and access to resources as the actual person. Despite the technological advancements, the human mind seeks comfort, and the majority of people choose weak passwords while hoping that they are secure enough and that the world is good and ideal enough not to abuse the simplicity of those passwords.
With increasing digitalization in every field, it has become important to streamline the process of granting access to resources while ensuring the confidentiality and availability of those resources to the right person. Attackers keep finding novel techniques to find or guess the correct password for an account or digital identity. The aim behind finding a password is to gain access to someone’s account, whether social, financial, gaming, educational, corporate, or other.
How to guess a password?

People seek ease, and following that comfort, they choose a password that they can easily remember. The most common ideas behind a person's password are their
- Own name, date of birth like Bob1969
- Pet’s name, date of birth like tomMy2012
- Loved one’s name, date of birth like Alice2003
- Country name like Pakistan1947
- Company name like Microsoft123
- Sequence of words like qwerty
- Sequence of numbers like 12345678
Despite this, people tend to openly share most of the information on which they base their passwords. Multiple data breaches have disclosed users' passwords, and the most common passwords as per SecLists are
- 111111
- 1234
- 12345678
- abc123
- iloveyou
- letmein
- monkey
- password
- qwerty
- tequiero
- test
Attackers like to solve puzzles and tend to connect people to their digital and personal lives to create a list of passwords. The list contains all the permutations of the possible passwords. Suppose Bob was born in Amsterdam in 1992 and has been working at Microsoft since 2012. With this much information, an attacker can create the following list
- BobA1992
- Amsterdam
- Amsterdam92
- Microsoft123
- Microsoft2012
This technique can be used to create a list of passwords and try each one until one succeeds.
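From the defender's side, the same reasoning can run as a check at registration or password change. The following is an added example, not code from the original article: it rejects passwords that appear on the common list above or that embed the user's own profile data, including simple character substitutions. The profile field names and the substitution table are assumptions.

```python
import re

# Deny list: the common passwords quoted above (a real deployment loads a far larger list).
COMMON = {"111111", "1234", "12345678", "abc123", "iloveyou", "letmein",
          "monkey", "password", "qwerty", "tequiero", "test"}

# Undo common character substitutions so "P@ssw0rd" is treated like "password" (assumed table).
LEET = str.maketrans("@4031$5!7", "aaoeissit")

def profile_tokens(profile):
    """Words of 3+ letters and 4-digit years found in the profile values, lower-cased."""
    tokens = set()
    for value in profile.values():
        tokens.update(t.lower() for t in re.findall(r"[A-Za-z]{3,}|\d{4}", str(value)))
    return tokens

def weak_reasons(password, profile):
    """Return the reasons a password is guessable; an empty list means it passed these checks."""
    pw = password.lower()
    plain = pw.translate(LEET)
    reasons = []
    if pw in COMMON or plain in COMMON:
        reasons.append("on common-password list")
    for tok in sorted(profile_tokens(profile)):
        if tok.isdigit():
            hit = tok in pw                    # years are matched on the raw text
        else:
            hit = tok in pw or tok in plain    # words are also matched after un-substitution
        if hit:
            kind = "year" if tok.isdigit() else "word"
            reasons.append(f"contains profile {kind} '{tok}'")
    return reasons

# Constructed profile matching the Bob example in the text (field names are hypothetical).
PROFILE = {"first_name": "Bob", "birth_city": "Amsterdam", "birth_year": 1992,
           "employer": "Microsoft", "joined": 2012}

if __name__ == "__main__":
    for candidate in ["BobA1992", "Amsterdam92", "M1cr0s0ft123", "P@ssw0rd", "vUq7#rland-Kz"]:
        print(candidate, "->", weak_reasons(candidate, PROFILE) or "ok")
```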
Leaked Credentials
As the trend shifts towards the digital world and everything moves online, data breaches have kept pace. The frequency of data breaches has increased, and a large part of what they expose is leaked credentials. Leaked credentials contain the username and the password at a minimum, and some also contain the URL of the website the data was leaked from. Attackers buy the credentials either from the dark web or via the subscription of famous sites including
All of these provide a set of credentials and some even provide the breach source. Attackers use these services to get the credentials and try them out on the respective sites. Sometimes the credentials do not work, and that is where the attacker's creativity comes in. Suppose a breach contains the credentials tommy.golden:Italy2024 for the website TripAdvisor, but trying them returns an incorrect-credentials error. An attacker would then search for tommy.golden profiles across social media and other online presence sites; suppose the attacker finds a public Instagram profile. Checking the highlights, the attacker finds that the victim is a travel influencer who visited Italy at the start of 2024. On the basis of this data, it can be inferred that the user changes the password at the start of each year and builds it as Country + Year. Checking further through the profile, the attacker finds that the victim visited Turkey in January of 2025. Following the pattern, the password could be Turkey2025; on trying it, the password works and the attacker gets control of the victim’s TripAdvisor account.
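A password-change form can catch this kind of predictable rotation, because it has both the current and the new password in plaintext at that moment. The following is an added example, not code from the original article: it flags a new password that is a near-copy of the old one or that keeps the same structure with the number advanced. The 0.8 similarity threshold and the step of 1 or 2 are assumptions to tune.

```python
import re
from difflib import SequenceMatcher

def shape(pw):
    """Run-compressed character-class mask, e.g. 'Italy2024' -> 'Uld'."""
    classes = "".join(
        "U" if c.isupper() else "l" if c.islower() else "d" if c.isdigit() else "s"
        for c in pw
    )
    return re.sub(r"(.)\1+", r"\1", classes)

def rotation_findings(old, new):
    """Return reasons the new password is a predictable variant of the old one."""
    findings = []
    # 1. Mostly the same characters (e.g. only the last digit changed).
    if SequenceMatcher(None, old.lower(), new.lower()).ratio() >= 0.8:
        findings.append("near-copy of previous password")
    # 2. Same structure (word + number, ...) with the first number advanced by 1 or 2.
    old_num, new_num = re.search(r"\d+", old), re.search(r"\d+", new)
    if old_num and new_num and shape(old) == shape(new):
        step = int(new_num.group()) - int(old_num.group())
        if step in (1, 2):
            findings.append("same structure with number advanced")
    return findings

if __name__ == "__main__":
    # Constructed pairs; the first one is the pattern from the example in the text.
    for old, new in [("Italy2024", "Turkey2025"),
                     ("Italy2024", "Italy2025"),
                     ("Italy2024", "vUq7#rland-Kz")]:
        print(old, "->", new, ":", rotation_findings(old, new) or "ok")
```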
Password Reuse and Spraying
People hate remembering long, complex passwords, let alone a different one for each profile. This mindset is a goldmine for attackers: they need to find one password and BOOM!!! They get access to all accounts belonging to that victim. This is because most people use the same password everywhere without noticing that they are binding different locks to one single MASTER KEY. Upon finding or guessing a password, attackers check whether the same password has been reused for other services. They use a technique called Password Spraying, where attackers use the same password against different profiles or accounts to take over other accounts by abusing password reuse.
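Spraying leaves a recognisable trace in authentication logs: one source failing against many different accounts with only a try or two per account. The following is an added example of that detection logic, not code from the original article; the log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log; the line format is an assumption for this example.
LOG = """\
2025-01-10T09:00:01 FAIL user=alice src=203.0.113.7
2025-01-10T09:00:40 FAIL user=bob src=203.0.113.7
2025-01-10T09:01:15 FAIL user=alice src=198.51.100.23
2025-01-10T09:01:20 FAIL user=carol src=203.0.113.7
2025-01-10T09:01:30 FAIL user=alice src=198.51.100.23
2025-01-10T09:02:05 FAIL user=dave src=203.0.113.7
2025-01-10T09:02:10 FAIL user=alice src=198.51.100.23
2025-01-10T09:02:50 OK user=erin src=203.0.113.7
2025-01-10T09:03:00 FAIL user=bob src=192.0.2.10
2025-01-10T09:03:20 OK user=bob src=192.0.2.10
"""

def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.partition("=")[2], src.partition("=")[2]

def spray_sources(log, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Flag sources that fail against >= min_users accounts inside `window`
    with at most max_per_user tries per account (few guesses, many targets)."""
    fails, oks = defaultdict(list), defaultdict(set)
    for line in log.strip().splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            oks[src].add(user)
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            tries = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                tries[user] += 1
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                # Any login that succeeded from a flagged source needs review (simplified: any time).
                flagged[src] = {"targets": sorted(tries), "succeeded": sorted(oks[src])}
                break
    return flagged

if __name__ == "__main__":
    print(spray_sources(LOG))
```

The repeated failures against a single account from 198.51.100.23 are left to a separate lockout or brute-force rule; this check only looks for breadth across accounts.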
Conclusion
You are as secure as your password is. Attackers guess the password based on multiple factors. People trade their digital security for a little bit of mental comfort. Although remembering a simple password is easy, guessing it or breaking its hash is even easier. It is recommended to choose a complex password consisting of upper and lower case letters, digits and special characters. Also, never reuse a password, do not create a password based on your basic information, and do not choose a password that is too common. As the famous saying goes, “Passwords are like toothbrushes, change them often, keep them private & never share them with anyone”.

