Why is my password considered "weak" and cannot be used?

I cannot set my desired password for my GitHub account, because it is considered “weak” and so I’m not allowed to use it.

But it’s strong enough according to the rules:

**Eight characters long, if it includes a number and a lowercase letter**, or
16 characters long with any combination of characters

My password has 9 characters, one number and several lowercase and uppercase letters.

Even if this would be considered a weak password, why does the information above states that 8 characters, one number, and one lowercase letter should be enough?

Hi there! :wave: Welcome to the Community!

Our password policy is dictated both by the composition of the password (as indicated above) but we also do check against datasets of passwords that have been published.

In short, while your password may pass basic compositional validation, we know that the password you’re trying to use is not only vulnerable to attack but has already been included in datasets used by malicious actors to gain access to others’ accounts.

I hope that explains why we’d like you to use something else!

1 Like

Thanks for the explanation. I did not know that my password was published. According to https://haveibeenpwned.com/Passwords it has been seen once.

Then I will choose another one.