Password Patterns That Do Not Work: 123, 2026, and Birth Years
Most people know that a plain word like "Bella" is a weak password. So they add something to it. A few numbers. A year. Their birthday.
The intention is right, but the execution fails because attackers have been watching people do this for decades. They know exactly which numbers people add and in what order. Their tools test those combinations automatically, usually within the first few seconds of an attack.
This page covers the three most common number patterns people add to passwords, why each one fails for a specific reason, and what to do instead.
Adding 123: The Most Predictable Suffix in Existence
The sequence "123" is the single most commonly appended number to passwords worldwide. It appears in virtually every breach dataset ever published. When attack tools run through their rule sets, "word + 123" is not just included. It is one of the first rules applied.
Why do people use it? Because websites say "your password must include a number," and 123 is the fastest way to satisfy that requirement. It is three characters, easy to type, and easy to remember. But that same convenience is exactly why it provides almost no additional security.
In technical terms, adding a predictable suffix does not meaningfully increase entropy. Entropy measures how many possible combinations an attacker would need to try. If the attacker already knows you probably added 123, 1234, or 111, those are just three extra guesses on top of the base word. That is not a meaningful barrier.
Here is what attack tools typically test after finding a dictionary word:
- word + 123
- word + 1234
- word + 12345
- word + 111
- word + 000
- word + 1
- word + 01
All of these are tested in the same pass, usually within seconds. If your password is Bella123 or Rocky1234, it falls in this first wave.
Adding the Current Year: Predictable by Design
Adding "2026" to a password has a different problem than adding 123, though the result is the same. The issue is not just that it is common. The issue is that the search space is incredibly small.
Think about it from the attacker's perspective. If they assume someone added a year, how many years do they need to test? The current year, the previous two or three years, and maybe a handful of older ones. That is roughly 5 to 10 guesses. Even without automation, that is trivial.
Attack tools handle this by appending a range of recent years to every word in their dictionary:
- word + 2026
- word + 2025
- word + 2024
- word + 2023
- word + 2022
They also test the year at the beginning (2026Bella) and with separators (Bella_2026, Bella.2026). The total number of combinations is still tiny.
There is also a social engineering angle. If an attacker sees that your account was created or last updated in 2026, they will prioritize that year in their guesses. Account metadata narrows the search even further.
Adding a Birth Year: Two Pieces of Public Information Combined
Birth year passwords like Charlie2019 or Bella1997 combine two things that are often publicly available: a pet's name (shared on social media) and a year (either the owner's birth year or the pet's birth year, both frequently posted online).
This is where password attacks overlap with basic social engineering. An attacker does not need to be sophisticated. A quick look at someone's Instagram or Facebook profile often reveals their pet's name, approximate age, and sometimes the pet's exact birthday. From there, the password practically writes itself.
Even without social media research, the math is still unfavorable. Attack tools test birth year ranges systematically:
- Common owner birth years: 1970 to 2005 (about 35 guesses)
- Common pet birth years: 2015 to 2026 (about 11 guesses)
- Combined with a list of popular pet names: 20 to 50 names
That gives roughly 2,000 combinations for the pet birth year range and about 1,750 for the owner range. A modern cracking tool tests millions of combinations per second. These numbers are nothing.
The fundamental issue is that both parts of the password (name and year) come from a small, guessable pool. Combining two weak elements does not create a strong one. It creates a slightly longer weak one.
Side by Side: Why Each Pattern Fails Differently
| Pattern | Example | Why It Fails | Guesses Needed |
|---|---|---|---|
| word + 123 | Bella123 |
Most common suffix, tested first in every rule set | Under 10 (immediate) |
| word + current year | Max2026 |
Tiny search space, only 5 to 10 recent years to test | Under 10 per word |
| name + birth year | Charlie1997 |
Both parts are publicly guessable, often on social media | ~2,000 total combinations |
| word + random digits inside phrase | Bella$kettle42rain |
Not predictable, not in any rule set | Billions+ |
The last row shows what happens when you break the pattern. The password is not dramatically harder to remember, but it is orders of magnitude harder to crack.
What Actually Makes Number Additions Useful
Numbers are not the problem. Predictable numbers are the problem. There is a big difference between Bella123 and Bella$kettle42rain, even though both contain digits.
Numbers strengthen a password when they meet three conditions:
- Placement: Numbers in the middle of a phrase are far less predictable than numbers at the end. Attack rules overwhelmingly test suffixes first.
- Selection: Random or personally meaningless numbers work better than years, birthdays, or sequences. The number 73 is harder to guess than 2026 because there is no reason for an attacker to prioritize it.
- Context: Numbers surrounded by unrelated words force attackers out of their dictionary and rule-based approach and into pure brute force, which is exponentially slower.
Applying This
| Instead of This | Try This | What Changed |
|---|---|---|
Bella123 |
Bella$kettle!rain42 |
Numbers moved mid-phrase, unrelated words added, length tripled |
Max2026 |
Max.plank!52vault |
Year replaced with meaningless digits, words unrelated to name |
Luna2019 |
Luna_spoke_44_craft |
Birth year removed, passphrase structure, easy to type |
Charlie1997 |
charlie&Frost_27_lamp |
Both public data points removed, replaced with random elements |
These stronger versions are still readable and memorable. The difference is that no part of them can be guessed from public information or predicted by a standard rule set.
For a broader look at password strength principles, read our guide on what makes a password strong. To see how these patterns fit into the bigger picture of pet name passwords, visit our analysis of common pet name passwords.
Test Your Password
If your password uses any of these patterns, run it through our Pet Name Password Checker. It checks strength, pattern predictability, and whether your password has appeared in known breaches. Everything runs locally in your browser. Nothing is stored or transmitted.