Why is appending numbers (e.g. Hausgarten14) almost no improvement over Hausgarten?
Attackers know everyone does it, so cracking tools test these patterns first — appended digits add maybe seconds, not security.
What attackers do:
Password-cracking tools like Hashcat support rule-based attacks — they take a wordlist and apply transformations:
- Append
0-9999to every word - Capitalize the first letter
- Replace
a→@,s→$,o→0(leetspeak) - Append common years (
2023,2024,1985…)
Real-world data:
Analysis of leaked password dumps shows people increment numbers when forced to rotate:
Welcome1 → Welcome2 → Welcome3 …
Attackers know this and build it into their rules.
The lesson:
Predictable patterns add nothing. Either commit to truly random characters (via a password manager) or use truly random words (passphrase). Hybrid "dictionary word + decoration" is the worst of both worlds.
Try it: https://hashcat.net/wiki/doku.php?id=rule_based_attack — see the rules attackers actually use.
Go deeper:
Hashcat mask attack (wiki) — shows numerically how "word+digits" collapses the keyspace an attacker assumes.
Hashcat rule-based attack (wiki) — appending trailing digits is a cheap rule crackers already apply.