Home / Blog / Using patterns in passwords, or how to ruin your own security

Using patterns in passwords, or how to ruin your own security

Posted on 07/11/2016, by Miguel Herrero (INCIBE)

When choosing passwords to protect your online services, there is a mantra we must keep repeating to ourselves:

  • At least eight characters.
  • Alternate at least three of the following groups: upper case letters, lower case letters, numeric characters and special characters.
  • Do not reuse passwords for different services.

In spite of this mantra, news frequently report cases such as the hacking of 167 million LinkedIn passwords. And so we wonder what might be going on with the passwords of our online services.

In order to fulfil the mantra's requirements, many people choose a 6-letter word or more, for example "telefono", capitalise the first letter and add a number and a special character (or two numeric characters) at the end. And there you go. It's all safe, three of all four groups, ten characters. Who could guess that my password is "Telefono10"?

So you enter it into your online service and a groovy colour-coding strength meter tells you the password is secure. Of course it is, well done, now you can sit back and relax. Nobody will be able to guess your LinkedIn password. And since it's so strong, let's use it also for your Paypal account, why not? Let's ignore the third point of the mantra, it doesn’t seem that important, otherwise it wouldn't be the last one!

Password meter

Security of Telefono10 according to Password meter

One day, you find out about the LinkedIn case, but you don't worry much because your password was strong. However, when somebody purchases gift cards at some online store and pays using your Paypal password, you freak out.

However, it's not just your fault. LinkedIn stored the SHA1 hash of your password without salt, which makes them easier to crack than if they weren't bland.

What you could have done instead would be to avoid using one of the easiest patterns to create your password. In your case, it was [C]-[ccccccc]-[nn] (Upper case, Lower case... Number Number). Using a pattern reduces the spectrum of possibilities.

The math to this is simple: the Spanish alphabet has 27 letters, 10 digits and let's say 50 special characters (there are more, but we're not really counting). In total, for each character in your 10-character password, there are more than 100 possibilities (27 upper case letters, 27 lower case letters, 10 digits and 50 special characters), which results in more than 3.7 x 10^20 possible passwords.

Using the pattern above, you have narrowed the possibilities to 2.8 x 10^13, which is much easier to handle. As online credentials keep getting stolen (just take a look at ourCybersecurity Highlights to check out some news on this), more information is being collected on the patterns that people use to create passwords to access devices.

KoreLogic security, a company that performs penetration tests in companies, published in its blog the 100 most common topologies found in their tests. The 5 most common would be:

[C]-[ccccc]-[dd] (one 6-letter word with the first letter capitalised and 2 digits: Folder11)

[C]-[cccccc]-[dd] (one 7-letter word with the first letter capitalised and 2 digits: Picture11)

[C]-[ccc]-[dddd] (one 4-letter word with the first letter capitalised and 4 digits: John2014)

[C]-[cccccc]-[d] (one 7-letter word with the first letter capitalised and 1 digit: Picture1)

[C]-[ccccccc]-[dd] (one 8-letter word with the first letter capitalised and 2 digits: Telefono10)


Any password that follows these patterns (or any of the first 100) should be considered weak, even if the letters don't make up an existing word. We recommend website administrators to bear this in mind when implementing a security policy for their services, taking these topologies into account and somehow preventing them. And as a user, you should think about changing all of your passwords matching any of these topologies.

In fact, online password strength checkers are starting to take these patterns into account:


Warning at howsecureismypassword.net for password Telefono10.



Kaspersky warning for Telefono10


There are simple ways to make passwords more secure without relying on password managers, always advisable but widely underused outside the cybersecurity world. Some of the recommendations you could bear in mind could be:

  • Try not to hide known words: H4ck3r! is not a secure password.
  • Use several special characters in the same password (it's advisable to not use the exclamation point (!), since it’s the most widely used).
  • Do not place numbers after the letters (Compute1r0 is more secure than Computer10).
  • Make sure that your password does not start with a letter.


Of course, any pattern that may become popular must be immediately ruled out for these purposes. Since passwords are increasingly easy to crack, other methods are starting to be used to access our online service accounts.

Two-factor authentication (2FA) is a straightforward example. Through an external application (such as mobile SMS as in services like PayPal, or other applications such as Google Authenticator), users receive a unique and temporary verification code to access the service.

The 2FA adds an extra layer of security, but is making cybercriminals work hard on finding a way to render it useless. Attacks to 2FA through SMS pretending to be from Google are being detected, attempting at having users send their 2FA to criminals.

Other companies implement "digital padlocks", such as Latch, so when somebody tries to access your user account, the status of the padlock is checked and access is blocked. 2FA and padlocks don't protect your accounts from service password databases being stolen, which means that if you reuse your password you could have trouble with the services not implementing 2FA or padlock security.

Since these methods don't really solve the problem, companies are moving forward and aiming to add another layer of security and working on biometric recognition techniques. Recently, Amazon has patented a technology that will require users to take a selfie before making any payment. Such selfies will allow facial recognition and authorisation or rejection of the operation depending on the result. In addition, so as to avoid the use of false pictures, Amazon will require users to make specific gestures (winking, for example) for each operation.

Apple's Touch ID technology is currently integrated in last-generation mobile phones which allow the use of electronic signature in some banking apps, requiring digital fingerprints to sign. However, according to Kaspersky, entrusting your digital signature data to this technology may not be fully recommended. Still, this technology is an innovation and marks a starting point for authentication solutions to keep thriving.