Most websites that we use today generally give you feedback on the passwords that you have created when setting up a new account, rating them either weak or strong. They also advise you to use a mix of upper and lower case letters, along with numbers, to ensure a secure password. However good the advice may be, it doesn’t tell you exactly which order the mix should be in.

By sheer coincidence, it appears that all of us tend to put the upper case letters at the start of the passwords with the numbers taking up the final spaces. This was discovered by a group of security experts who work for Eurecom, an investigation institute based in France.

The results of their study, presented at the last ACM Conference on Computer and Communications Security in Denver, has shown that we are confusing what constitutes a secure password, and that this is putting out privacy at risk.


The programs traditionally used by cybercriminals to guess passwords only handled certain combinations until finding the right one.

However, modern methods aren’t based on random guess work. Criminals can now train the software with large lists of passwords – such as the 130 Adobe user passwords that were leaked in 2013 – so as to find the most common combinations. This method allows them to have a greater chance of success in their attacks.

Using this premise as a base, the experts have used a program – similar to the one used by the criminals – to analyze over 10 million passwords. They’ve done this to compile a list of the easiest passwords for criminals to guess.

The result is a “predictability index” that they tested on another 32 million passwords to verify its effectiveness. According to the results, the least common passwords were the most secure. This means that it is important to have a long password that includes symbols as opposed to just upper and lower case letters.

password strength

The aim for users from now on should be to create passwords that are not at all predictable, no matter if they include numbers, upper case, or lower case letters. The group behind the study say that passwords should be longer, even adding a few extra words in necessary.

Their investigation should help people to become more aware when creating new login codes which will help to protect their accounts better. Although they can’t guarantee a bulletproof way of creating passwords, they assure us that their method is the safest yet.

On the other hand, the investigators advise that technology companies begin to place less emphasis on passwords as a means of accessing accounts, and that they look at alternative means where possible. There are always new ways of decrypting login details, which makes them ever more ineffective.