Hackers are constantly trying to gain unauthorized access to computer systems and networks. One of the main ways they do this is through guessing weak passwords. But what kinds of passwords do hackers themselves use? Let’s take a look at some common password strategies employed by hackers.
One of the simplest password strategies used by hackers is just using dictionary words or names. Many people still use plain dictionary words like “password” or “monkey” as their passwords. These are incredibly easy for hackers to guess using password cracking tools that run through dictionaries. According to the annual list of worst passwords, some of the most commonly used passwords are simply “123456”, “password”, “qwerty”, “12345”, and “iloveyou”.
Hackers often use dictionary words in their own passwords, but they tend to make modifications to them to make them harder to crack. For example, they may capitalize some letters, replace letters with numbers that look similar (like 3 instead of E), or add special characters like @ or ! at the beginning or end of the word. So they might use a password like “Monk3y!” instead of just “monkey”.
Another common tactic is using keyboard patterns as passwords. Some examples are “asdf”, “qwerty”, “1234”, or “1q2w3e”. These kinds of passwords use adjacent keys on the keyboard, which makes them easy to remember. But keyboard patterns are also some of the first things checked by password cracking tools. More complex variants include using shifted patterns like “QWERTY” or “IamtheB3ST”.
A more secure option that some hackers use is passphrases. These are passwords made up of multiple words together like “correct horse battery staple”. The advantage of passphrases over single passwords is that they can be much longer while still being easy to remember. But hackers using this method will often include substitutions like “c0rrect h0rse batt3ry stapl3” to throw off cracking tools.
Many hackers are aware of the risks of relying solely on passwords. So when security is critical, they will use two-factor or multi-factor authentication in addition to a complex password. This adds another layer of protection such as:
- A one-time code sent via text message or authenticator app
- A physical security key that must be plugged in
- Biometric authentication like fingerprint or face scan
By requiring multiple factors to gain access, it becomes much more difficult for an unauthorized person to get in even if they determine the password.
Given how many complex and unique passwords are needed for different accounts, most hackers utilize password managers. These tools securely store long, random passwords for each account behind one master passphrase. This allows them to have high security without the effort of remembering many different complex passwords.
Some of the most popular password managers used are:
Randomly Generated Passwords
When creating passwords for new accounts, hackers will often use password generators to create truly random passwords that are difficult for either humans or computers to guess. These generators allow setting parameters like password length, use of uppercase/lowercase letters, numbers, and special characters. The result is a completely random string like “P&e4RTg+9”.
Randomly generated passwords of sufficient length (12+ characters) provide very strong protection against brute force attacks when used properly with a password manager.
Examples of Hacker Passwords
Here are a few examples of what actual passwords created by hackers might look like:
As you can see, hackers tend to use complex passwords with upper and lowercase letters, numbers, and special characters when security is important. They also frequently change passwords to stay ahead of cracking attempts. But they balance security with memorability by using hints like basing a password on a memorable phrase.
Common Password Security Mistakes
Here are some password mistakes that hackers avoid:
- Using simple dictionary words or names without any modification
- Reusing the same password across multiple accounts
- Making simple substitutions like password1, p@ssword1, etc.
- Using easy keyboard patterns like “asdf” or “1234”
- Having no system for remembering complex passwords
Hackers know that these types of passwords are easily compromised. That’s why they use password managers, two-factor authentication, and random generators when possible.
In summary, expert hackers use many of the same password best practices that are recommended for everyone:
- Randomly generated passwords of 12+ characters for high security accounts
- Passphrases for moderate security needs
- Modified dictionary words when memorability is important
- Two-factor authentication whenever available
- Password managers to organize all their credentials
Following this kind of advice is important for building strong defenses against the very password cracking tools and techniques that hackers use themselves. While no password system is completely foolproof, using proactive password management and multiple layers of security makes life much harder for hackers trying to gain access.