How secure is using car number plates as a password?

All we need is an easy explanation of the problem, so here it is.

My car license plates tend to have 3 or 4 digits and 3 or 4 characters.

If I were to combine two (or more?) of them, throw in a plus sign or similar and uppercase one or two characters, how secure would that be?

Let’s not worry about someone looking over my shoulder and recognizing me typing a few characters of my current license plate (I will use 20-year-old plates, which no one but me would know).

This would be easy for me to remember, but there should be no dictionary match.

Wow! For some reason, there are several random license plate generators out there! There is also an option of 4D reg plates.

From this one, I took the first 3, which were

NUB 8256
EDD 8015
EVO 5499

If I take only two of them, and throw in a plus sign, I get


which looks reasonably secure to me and says that it would take 16 billion years to crack.

Obviously, I can’t be sure about the accuracy of that site, or future advancement in computing, but how secure is this method?

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

It is sufficiently secure, provided you use randomly generated license plates, not license plates that have significance to you, but creates extra work for you that is completely unnecessary. The weakness is passwords are re-use and storage, not generation.

Best Practices:

  1. Assume your adversary knows how you generated your password.
  2. Use a password manager to avoid reusing passwords.
  3. Pick a password that has a brute force time greater than twice its reset period.

So lets look at these in order –

  1. You’ll be up against adversaries trying to brute force 1000 * 10000 * 1000 * 10000 combinations. That’s 100 trillion combinations. A moderate GPU with Hashcat can pass billions of hashes per second, for faster hash algorithms. If an adversary knows your algorithm, it will be cracked in a fraction of a second. I can discuss why you should assume that an attacker knows your algorithm, but it boils down to “You don’t know that they DON’T know your algorithm”. Please be aware that there’s a big difference between “a randomly generated password that looks like a license plate number” and “a password generated from a random collection of your previously owned license plates”
  2. If you ever reuse a password, you are trusting each vendor to not capture your password in plain text and use it to compromise your other accounts. You are also trusting that they’ll never get breached. You’re trusting that if they are breached, they’ll notice. You’re trusting that if they notice, they’ll tell you. You’re trusting that you’ll remember all the places you reused that password, and change all of them. That’s a lot of trusts – perhaps you don’t care for some websites (I personally reuse a weak but memorable password for accounts that truly don’t matter to me – Subaru forums, nexus mods, etc.) but for banks, email, and other services, you surely don’t want anything to be compromised due to malice or negligence. So, you will use different passwords per service.
  3. Now, you’ll need to check that your password is strong enough to last twice as long as your password reset period – If you’ll never reset a password, assume you’ll live to be 100 and go for 2+ centuries. Your password scheme passes this provided that your “license plates” you choose are randomly generated. If they’re not… they won’t last long if someone wants in to your account.

So, now we have long, secure passwords that aren’t shared between sites. If you’re like me, you have at least 10 different important online accounts that could cause you deep financial pain, or at least a large time investment, if compromised. I know I can’t keep 10 passwords straight in my head – I’ll end up just remembering my email password, and then resetting my password every time I go to log in to other services. Not very convenient, eh?

So, like all security minded people, we’ll use a password manager. I’m partial to KeePass. So, I put all my cleverly generated passwords in KeePass, right? And when I make a new account, I generate a new password using your online license plate generator, or I put in even more effort digging into my list of previously owned license plates and making a password by hand. Now I’m all set. BUT WAIT, WHAT’S THIS? KeePass has a password generator! I can just click this little button and get a password that I know to be sure automagically! Why don’t I just do that!?

**So – While your password is secure on its own, you need to use a password manager to avoid re-using passwords. Because you’re using a password manager, just use the password generator that’s built in. It’s easier.

Now, for the password to secure your KeePass database, use your password generation scheme if you want.**

Method 2

Tools like you mentioned above will only check for few cases like dictionary words, inclusion of upper case, lower case characters, non-alphanumeric symbols and so on. But they probably fail at finding out the pattern.

In your case, you have a pattern, which, if gets out in public(which has, by the way), can be used to crack the password. The fact that the plus symbol always comes in between and the left and right parts are made up of licence plates makes it much easier to crack.

how secure is this method?

It’s not. You should probably switch to a password manager, which would ideally generate a password which is practically really hard to crack, if not impossible.

You seem to be ignoring what is known as shoulder surfing, where as it shouldn’t be. Experienced “shoulder surfers” would definitely crack the pattern of your password.

Method 3

Here’s how I look at it. I’d make these very pessimistic assumptions:

  1. You’re dealing not with an opportunistic attacker that’s trying to crack anybody‘s password, but a targeted attacker that’s trying to crack yours specifically.
  2. The attacker has read your question here and figured out that you, their target, are the one who asked it.
  3. The attacker is very resourceful and can get access to DMV records that show all the cars you, your family and associates.
  4. The number of cars you have registered is very small—like, in the dozens. Let’s use a round number and say 64 cars (6 bits).

So the attacker only needs to consider 2^12 distinct combinations. Trivial.

This scenario is all but certainly overblown, but here’s the point: a proper password generation strategy would do much, much better under these circumstances. As other answers have said, use a password manager and let it pick random passwords for you.

Method 4

You have a password XYZ, and you think about replacing it with XYZ. The license plate might have personal significance to you, like your first car, the car that almost killed you in an accident.

It makes your password safer. If there is a generic attacker, and the attacker doesn’t try license plates, then adding seven characters makes it an awful lot harder to crack. If someone includes a dictionary attack trying say all possible UK license plates, that’s still adding maybe 27 bits to yor security. Only if there is a targeted attack against you, this will add significant effort for the attacker to figure out which license plates you might have used, while adding not too many bits of entropy (but still some).

As long as you add the license plate to your password, the password will get stronger.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply