← Back to Blog

Why Attackers Love Human-Created Passwords

2025-12-23

This article draws on publicly available cybersecurity research, industry reports, and widely accepted security practices. Where personal experience is mentioned, it is stated explicitly.

A Breach Most People Forgot — But Shouldn’t

Back in 2012, LinkedIn was hit by what was, at the time, one of the largest data breaches in history. Later analyses showed that roughly 167 million account records were exposed, and around 117 million of them included email addresses and password hashes.

When security teams examined the cracked passwords, the results were painfully familiar. password1, linkedin123, and similar low-effort choices showed up by the millions. More interestingly—and more worryingly—even passwords that looked clever, such as L!nk3d1n2020, fell quickly. Why? Because they followed patterns humans almost always use.

I’ve spent over fifteen years working in cybersecurity penetration testing. My job is to break into systems—legally—using the same methods real attackers rely on. Passwords aren’t a theoretical topic for me; they’re something I see fail in practice every single day.

How Passwords Are Actually Attacked

To understand why some passwords survive and others don’t, you need to look at the attacker’s side. Attackers don’t sit there guessing passwords one by one. They automate everything.

  1. Dictionary Attacks: These rely on massive collections of real passwords, words, phrases, and variations gathered from years of data breaches. These dictionaries contain billions of entries and keep growing.
  2. Rule-Based Attacks: These are devastatingly effective against human creativity. Tools automatically apply common habits: swapping "o" for "0", adding "123" or "!" at the end, capitalizing the first letter, inserting a year, and so on. Most "clever" passwords fall right here.
  3. Brute Force: Trying every possible combination. This sounds scary, but against long, truly random passwords stored with modern hashing algorithms, brute force quickly becomes impractical simply because it takes too long.

The Problem with Self-Created Passwords

We like passwords we invent ourselves because they feel personal and memorable. Unfortunately, research—and experience—shows that they’re also highly predictable.

  • Patterns Repeat: Large-scale studies, including work from Carnegie Mellon University, consistently show the same structures: a word or name, a capital letter at the start, and numbers or symbols at the end. The content changes, but the shape stays the same. Once attackers model that structure, cracking becomes dramatically faster.
  • Length Hits a Ceiling: Most user-created passwords sit between 8 and 10 characters. Not because people don’t know longer is safer, but because memory pushes us toward shorter strings.
  • Personal Information Leaks In: Birthdays, pet names, anniversaries—people use them constantly. And in the age of social media, attackers often don’t even need to guess.

Why Random Passwords Play a Different Game

A password created by a secure random password generator—something like r8$NpL#2qW9—isn’t just "more complex". It’s fundamentally different.

Each character is chosen independently. There are no words, no substitutions, no human logic. That single fact removes the attacker’s most powerful tools: dictionaries and rules.

From a numbers perspective:

  • An 8-character password using only lowercase letters has about 26⁸ possibilities (~209 billion).
  • Add uppercase, numbers, and symbols, and you’re suddenly around 95⁸ (~6 quadrillion).
  • Push that to 12 characters and the space becomes astronomically large.

But the real advantage isn’t just size—it’s that random passwords force attackers into brute force, which is slow, expensive, and often not worth the effort.

What Breaking These Passwords Looks Like in Practice

From a penetration tester’s point of view, the difference is stark:

| Password Type | Example | Attacker Method | Time to Crack | | :--- | :--- | :--- | :--- | | Self-Created | Tiger2021! | Dictionary & Rule-based | Minutes to Hours | | Randomly Generated | r8$NpL#2qW9 | Pure Brute Force | Years / Centuries |

If the password is properly hashed with something like bcrypt or Argon2, brute force against the random string implies a timeframe that makes the attack unfeasible. In most real-world cases, the attacker simply moves on.

The Real Trade-Off: Humans vs. Randomness

The biggest weakness of random passwords isn’t security—it’s usability. Humans are terrible at remembering meaningless strings. That’s the core tension in password security:

  • Passwords humans remember well tend to be weak.
  • Passwords that are strong tend to be unmemorable.

Modern security practices exist to bridge that gap.

What Actually Works Today

Based on industry consensus and real-world experience:

  1. Use a Password Manager: Tools like Bitwarden or 1Password let you rely on one strong master password while everything else is long, random, and unique. This is widely considered the best option for most people.
  2. If You Must Memorize, Use Length: A string of unrelated words (e.g., coffee-zebra-battery-stapler) is often more resistant to attack—and easier to remember—than a short, symbol-heavy password.
  3. Never Reuse Passwords: Once one site is breached, reuse turns it into a domino effect.
  4. Enable MFA: Email, banking, cloud accounts—always use multi-factor authentication.
  5. Check Breach Exposure: Services like Have I Been Pwned allow you to see whether your email appears in known breach datasets.

Final Thoughts

This isn’t a philosophical debate about whether humans or machines make "better" passwords. It’s about risk management.

Computers are good at generating randomness. Humans are good at protecting a single secret and responding to prompts like MFA. The safest approach is letting each do what it does best.

Ready to upgrade your security? Generate a strong, offline password now to protect your accounts immediately.