How and why to choose a strong password?

Choosing a strong and secure password is very important to protect your personal information online, especially when it comes to bank accounts and the like.

Below are some tips for choosing an effective password:

  1. use a different password for each website: if it is difficult for you to remember many passwords, there are various password-manager programmes for storing them;
  2. avoid using your personal details (first name, surname, date of birth) or user name; also avoid using pet names or similar names that can be easily traced back to you, through social media for example;
  3. use a password that is long (at least 16 characters) and contains at least one lowercase letter, at least one uppercase letter, at least one special character and at least one number;
  4. avoid using the same character more than twice in a row.

Furthermore, choosing a strong password is not enough to protect yourself: it is very important to stay alert to phishing attempts, change passwords regularly (especially if they have been exposed in a hacker attack) and activate two-factor authentication (when available).

If you are still not convinced of how important it is to choose a strong password, here are some example passwords and the time it takes to crack each of them in the event of a hacker attack:

Password                 Time to crack
qwertyaz                 Instantly
abcpqrzyxkwl             2 seconds
Pass734                  7 seconds
Pass734ab                7 hours
R23ts!p@6Yj              34 years
R23ts!p@6Yj&             3,000 years
R23ts!p@6Yj&AFj4#9       438,000 billion years


What controls can I make in a typical Bug Hunting Campaign?

Each product has its own characteristics and each Campaign has specific objectives and/or Out of Scope items, so remember to read the manual carefully before putting the following advice into practice:

  1. check that the website and the application require strong passwords (see the relevant section above), that appropriate checks are made on compliance with the password requirements, and that a clear and complete error appears in the event of an invalid password. For example, check that the password requirements are clear from the start and do not only appear once a password has been rejected as too weak;
  2. check that the same password checks are also applied in the password-change section of the profile;
  3. check that the password recovery links are received and cannot be used more than once;
  4. check that a ‘confirm password’ field is present;
  5. check that if the password does not match its confirmation, it is not possible to register and that a clear and precise error is displayed;
  6. check that the password is case sensitive.

What are the most used passwords in the past year (2022)?

Below you will find a table with the most used passwords globally, in Italy, the UK and Spain:


Remember also that TRYBER and Unguess Srl are in no way responsible for illegal actions performed by you, even if done in good faith. Therefore, avoid brute force attacks or similar and limit yourself only to the normal checks that are required on a Bug Hunting Campaign. If you are a computer security expert, you can register to run Ethical Hacking Campaigns.