Why is Gbt3fC79ZmMEFUFJ a weak password?

I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)

TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ', function(data) {})

So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!

[Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]


As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).

But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.


There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 62^16, or about 95 bits of entropy. This is massive, and can't be brute forced.

So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.

The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.

If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbols^length). For an alphanumeric password with variable case, this is simply log2(62^16), or about 95.

The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.
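The following is an added example, not part of any answer on this page: it carries the entropy formula above through in code and combines it with the check the earlier answers describe, namely that a password already published somewhere belongs to attacker dictionaries no matter what the formula says. The character classes, the `assess` helper, and the `PUBLISHED_EXAMPLES` list are constructed for this example; the only real entry in that list is the password discussed on this page.

```python
import math
import string

# Standard character classes and their sizes; the answer's 62 is 26 + 26 + 10.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 symbols
    "upper": set(string.ascii_uppercase),   # 26 symbols
    "digit": set(string.digits),            # 10 symbols
    "symbol": set(string.punctuation),      # 32 symbols
}

# Constructed stand-in for an attacker's dictionary of passwords that were
# published as "examples". Only the page's own password is a real entry; the
# others are filler for this example.
PUBLISHED_EXAMPLES = {
    "Gbt3fC79ZmMEFUFJ",
    "password123",
    "letmein2024",
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2(alphabet_size ** length), computed as length * log2(alphabet_size)
    so no large integer is built. Only meaningful when every character was
    drawn independently and uniformly from the alphabet (the "rub" above)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet needs at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def alphabet_size_for(password: str) -> int:
    """Alphabet size implied by the character classes actually present.
    Any character outside the four classes adds a one-symbol class of its own."""
    size = 0
    for members in CLASSES.values():
        if any(ch in members for ch in password):
            size += len(members)
    extra = {ch for ch in password
             if not any(ch in m for m in CLASSES.values())}
    return size + len(extra)


def assess(password: str, published: set = PUBLISHED_EXAMPLES) -> dict:
    """Upper bound on strength from the formula, then the published-password
    check: a password in an attacker's dictionary has no effective entropy,
    however large the formula's number is."""
    size = alphabet_size_for(password)
    bits = round(entropy_bits(size, len(password)), 2)
    is_published = password in published
    return {
        "alphabet_size": size,
        "length": len(password),
        "entropy_bits_if_random": bits,
        "published": is_published,
        "effective_bits": 0.0 if is_published else bits,
    }


if __name__ == "__main__":
    # The page's password, a one-character variant of it, and a short one.
    for pw in ("Gbt3fC79ZmMEFUFJ", "Gbt3fC79ZmMEFUFK", "hunter2"):
        print(pw, assess(pw))
```

Running it shows the point of the thread: the published password and its one-character variant score the same 95 bits by the formula, but only the unpublished one keeps that strength, because the published one is now a dictionary entry.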

Tags:

Passwords