Which of the following passwords would be hardest for an automated cracking tool to guess?
AP@ssw0rd123!
Bcorrect-horse-battery-staple
CTr0ub4dor&3
DMyD0gNameIsR3x!
Length dominates over complexity. 'correct-horse-battery-staple' is 28 characters of four random common words — an attacker guessing random words faces an enormous search space. The other options use predictable substitution patterns (@ for a, 0 for o, 3 for e) that cracking tools explicitly test. A long passphrase of random words is both more secure and easier to remember.
Question 2 True / False
Replacing letters with symbols — such as 'p@ssw0rd' instead of 'password' — significantly increases a password's security against automated attacks.
TTrue
FFalse
Answer: False
Automated cracking tools (like Hashcat) include substitution rules as a standard step — they try p@ssw0rd, p4ssword, passw0rd, and thousands of similar variations automatically. These patterns are well-known and do not meaningfully increase the search space. Length and randomness are far more effective than substitution tricks.
Question 3 Short Answer
Why is using the same password on multiple sites riskier than using a unique password for each?
Think about your answer, then reveal below.
Model answer: If one site is breached and your password is exposed, attackers immediately try that same password on other popular sites (credential stuffing). A single reused password can compromise every account that shares it.
Credential stuffing attacks are automated and widespread — attackers take leaked password lists and test them across banks, email providers, and social networks within minutes of a breach. Unique passwords contain the damage to the one compromised site.