Slashdot Mirror


Passwords That Should Never Be Used

The Original Yama writes "Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses. PCLinuxOnline provides an alphanumerical list of commonly used weak passwords that should never be used. If any of these passwords look hauntingly familiar and are being used, you should change the password immediately."

239 comments

  1. missed one... by Anonymous Coward · · Score: 5, Funny

    I worked ISP tech support and the one I remember showing up way too often was:

    thx1138

    1. Re:missed one... by linzeal · · Score: 3, Interesting

      One that I have seen more than often, fuckyou. Heh, when you make registration too difficult they get pissed at you.

    2. Re:missed one... by zoloto · · Score: 1

      I don't get it... help anyone?

      but back on topic. this list is interesting:


      P PAPER, pass, PASS, Pass, passwd, Passwd, PASSWORD, password, Password, pat, patrick, PBX, pc, PCUSER, PDP11, PDP8, PFCUser, PHANTOM, phoenix, piranha, pmd, PO, PO8, poll, Polrty, POST, Posterie, postmast, POSTMASTER, postmaster, POWERCARTUSER, powerdown, PRIMARY, prime, primenet, primeos, primos, primos_cs, PRINT, PRINTER, PRIV, private, prost, PSEAdmin, public, PUBSUB, pw, pwd, pwp


      nowhere in there is pussy. seriously when I was admining a smaller isp in a far away state, this and its variants would come up quite a bit.

    3. Re:missed one... by Prior+Restraint · · Score: 5, Informative

      I'm sure a thousand people will reply, but here: THX 1138.

    4. Re:missed one... by kmh071 · · Score: 1

      Back when I was working support, I had tons of people who would simply leave a text document called "important" or "passwords" on their desktop with all of their passwords, credit card info, personal phone numbers, etc. Unbelievable. Some of these weren't home computers either and any coworker could get all that info so easy.

    5. Re:missed one... by Anonymous Coward · · Score: 0

      I had a user come to me for help because she could not log on. I assumed she was new so went through the usual steps with no success. Finally I did a little digging and found out that she had had an account previously and that the system still had her password from a mass account import script. I looked up the password and then calmly went back to her and attempted to keep a straight face while I told her that her account from the previous term was still activated and asked if she remembered the password... to which she quickly said yes and logged in. Her password was Will694U and yes she was damn good looking... I think that was the last time I ever looked up someone's password...sigh.

    6. Re:missed one... by ajs318 · · Score: 1

      I call BS {though as porny fantasies go, it's not bad}. Passwords are stored internally in scrambled form, so there is no way anyone can find out someone's password. If you're root or administrator {or have a boot CD in your shirt pocket} you can change it without ever knowing the old one; but you can't find out what a password was except by guessing various words and applying the scrambling algorithm thereto.

      --
      Je fume. Tu fumes. Nous fûmes!
    7. Re:missed one... by Hognoxious · · Score: 0

      I call BS

      I double call BS on you. If they had been created from a mass imported script (as the post says), presumably the script (or the input file thereof) had them in unscrambled form.

      And how do you know they're stored in scrambled form anyway? Are you a mindreader, because the post doesn't say what type of system it was.

      but you can't find out what a password was except by guessing various words and applying the scrambling algorithm thereto.

      Crikey! Just imagine if someone were to automate that process. Better yet, they could speed it up by first trying a list of common words. Let's hope that idea never gets out, eh?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    8. Re:missed one... by ajs318 · · Score: 1

      (Assuming it's a UNIX-like system) The useradd command expects the argument to the -p switch to be a pre-scrambled password, such as you would find in /etc/shadow. Nobody except the user in question ever needs to know the unscrambled password. When the user enters it, it is scrambled and compared against the stored version. It's half-safe to print out the file of scrambled passwords, because knowing the scrambled password is no help if you can't unscramble it and you can't prevent the scrambling operation which happens before the check. And anyway, the only way you'll get to see even the scrambled passwords is if you are the one person who doesn't need to know them!

      I don't know for sure how Windows stores its passwords; but Samba stores scrambled passwords in its configuration files, so I guess it uses its own scrambling algorithms.

      Alternatively the sysadmins there could have just been clueless .....

      --
      Je fume. Tu fumes. Nous fûmes!
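
The two posts above argue about what a stored "scrambled" password is and how guessing against it works. The following is an added example (not code from the thread or from any of the posters) showing the salted-hash storage ajs318 describes and the automated word-list guess Hognoxious alludes to. The "$demo$salt$sha256" storage format is this example's own invention; real /etc/shadow entries use crypt(3) algorithms (sha512crypt, yescrypt, bcrypt) with a work factor, which is the only thing that slows the attack below down.

```python
"""Scrambled (hashed) password storage and a dictionary attack against it.

Added example, not code from the thread. The storage format is a made-up
"$demo$<salt>$<sha256>" string; real /etc/shadow entries use crypt(3)
algorithms (sha512crypt, yescrypt, bcrypt) with a work factor.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Candidate words lifted from the weak-password list quoted in the thread.
WEAK_WORDS = [
    "pass", "PASS", "Pass", "passwd", "Passwd", "PASSWORD", "password",
    "Password", "postmaster", "POSTMASTER", "public", "private", "prime",
    "primos", "phoenix", "piranha",
]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored form: scheme, hex salt and hex digest, '$'-separated."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return "$demo$" + salt.hex() + "$" + digest


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time.

    This is the check a login performs; it never needs the cleartext on disk.
    """
    _, scheme, salt_hex, _digest = stored.split("$")
    if scheme != "demo":
        raise ValueError("unknown hash scheme: " + scheme)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def dictionary_attack(shadow: Dict[str, str], words: Iterable[str]) -> Dict[str, str]:
    """Recover every account whose password appears in `words`.

    Because each entry has its own salt, every (account, word) pair costs one
    hash; a salt-less scheme would let one hash per word cover all accounts.
    """
    words = list(words)
    cracked: Dict[str, str] = {}
    for account, stored in shadow.items():
        for word in words:
            if verify_password(word, stored):
                cracked[account] = word
                break
    return cracked


def demo() -> Dict[str, str]:
    """Build a constructed shadow file and run the word list against it."""
    shadow = {
        "alice": hash_password("postmaster"),   # on the list: falls
        "bob": hash_password("Vk7#q2Lw!9zP"),   # not on the list: survives
        "carol": hash_password("Password"),     # case variant is listed too
    }
    return dictionary_attack(shadow, WEAK_WORDS)


if __name__ == "__main__":
    print(demo())  # {'alice': 'postmaster', 'carol': 'Password'}
```

Note that the attack never talks to the login prompt: it only needs a copy of the stored hashes, so per-attempt delays at login do not slow it down, and the salt only stops one guess from being reused across accounts.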
    9. Re:missed one... by Anonymous Coward · · Score: 0

      private, prost, PSEAdmin, public

      First prost?

  2. I've secured my Internet privacy by prostoalex · · Score: 4, Funny

    I've protected my privacy and use Gator for all my passwords.

    1. Re:I've secured my Internet privacy by ThumbSuck · · Score: 1, Flamebait

      I've protected my privacy and use Gator for all my passwords.

      This would be funny, but when I've seen Microsoft 'how-to-be-safe-on-net' brochure recommending use of Gator I simply cannot see anything funny here.

    2. Re:I've secured my Internet privacy by kunudo · · Score: 1

      Link please :D

  3. I keep it simple by Anonymous Coward · · Score: 5, Funny

    I use PASSWORD for everything.

    1. Re:I keep it simple by ConceptJunkie · · Score: 4, Funny

      Yeah, I could have guessed that. I think a lot of people are using your /. account to post. I see that username dozens of times in every story.

      I'm surprised that the classic "xyzzy" isn't in the list. Other words I would have expected to see "fred", "bofh", "windows", and "billgatescanbitemyshinymetalass".

      --
      You are in a maze of twisty little passages, all alike.
    2. Re:I keep it simple by Brandybuck · · Score: 2, Funny

      "billgatescanbitemyshinymetalass"

      It's eerie how close that is to my own password!

      --
      Don't blame me, I didn't vote for either of them!
    3. Re:I keep it simple by Anonymous Coward · · Score: 0

      I just leave all my servers logged in on the console and paste the password on a post-it note on the monitor in case a power outage occurs.

    4. Re:I keep it simple by oldwarez · · Score: 0

      I have that problem, too. I'm not sure why.

      --
      username:oldwarez password:oldwarez
  4. Anonymous Coward NY Times passwd by me98411 · · Score: 3, Funny

    I do not see "slashdotcoward" in the list. Looks like it is a strong passwd. Isn't that the login and passwd used by Anonymous Coward for NY times?

  5. Top 10 Passwords Not to be Used by AtariAmarok · · Score: 5, Funny

    10. iluvalqueda

    9. idareyoutoguessthis

    8. oldfattylumpkinwhosewisenoseledushere

    7. *******

    6. (my actual password)

    5. cowboyneal

    4. pencil

    3. neo

    2. secret

    1. password

    --
    Don't blame Durga. I voted for Centauri.
    1. Re:Top 10 Passwords Not to be Used by Josh+Booth · · Score: 4, Funny

      I'm surprised "gandalf" is not there. Everyone knows that it's the password of every other root account in the world.

    2. Re:Top 10 Passwords Not to be Used by zerblat · · Score: 2, Funny

      Don't you mean "friend" (or possibly "mellon")?

      --
      Please alter my pants as fashion dictates.
    3. Re:Top 10 Passwords Not to be Used by jrumney · · Score: 1

      I guess AtariAmarok will be changing "(my actual password)" now you've pointed that out.

    4. Re:Top 10 Passwords Not to be Used by Anonymous Coward · · Score: 0

      You forgot "GOD".

    5. Re:Top 10 Passwords Not to be Used by Anonymous Coward · · Score: 1, Insightful

      > I'm surprised "gandalf" is not there. Everyone knows that it's the password of every other root account in the world.

      Nah, at least make it Mithrandir or Olorin.

    6. Re:Top 10 Passwords Not to be Used by Anonymous Coward · · Score: 4, Funny

      Posting anonymously to not get myself in trouble... hi mike!

      I worked with this engineer, call him mike, who had an account on a customer's machine. He was on vacation when the customer wanted a little help with that machine. The other engineer and I call mike to get his login and password to do some remote maintenance. Mike is reluctant to tell us the password. We think he's just being secretive, until he asks to be taken off speaker phone so he can tell us. His password: bigblackdonkeydick.

      Sometimes password isn't so bad...

    7. Re:Top 10 Passwords Not to be Used by Norman+Lorrain · · Score: 1

      You forgot

    8. Re:Top 10 Passwords Not to be Used by Norman+Lorrain · · Score: 1

      You forgot (I didn't preview the last post!)

    9. Re:Top 10 Passwords Not to be Used by Carnildo · · Score: 1

      Don't you mean "friend" (or possibly "mellon")?

      No. Gandalf is the wizard.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    10. Re:Top 10 Passwords Not to be Used by Uber+Banker · · Score: 1

      The default password for many Reuters engineers is Frodo21.

  6. strong passwords = broken by design by eraserewind · · Score: 4, Insightful

    Your users shouldn't require anything more than a 4 digit pin & a magnetic card. If it's enough to protect their money, it's surely enough to protect some stupid data.

    Any lame brained security system that depends on people choosing difficult to remember passwords and changing them every 3-6 months is broken by design.

    1. Re:strong passwords = broken by design by lambent · · Score: 2, Interesting


      A mag-strip card IS a type of password. Depending on the institution that issued it, it's a ridiculously long proprietary password. It's a string of encoded bits. Nothing magical about it.

      Furthermore, most people (and by most, i mean just about everyone), NEVER change either their PIN or their card, unless it's stolen. Is that type of system any more secure?

    2. Re:strong passwords = broken by design by babbage · · Score: 4, Interesting
      A mag-strip card IS a type of password

      Kinda... not really.

      The important thing to keep in mind for any authentication system -- not just computers, but any system that requires people to identify themselves -- is that there are basically three ways to go about it:

      1. Something you know. (A password or passphrase; your mother's maiden name; your favorite song.)
      2. Something you have. (Some kind of physical token like an ATM card, the key for your car or house, the hardware decoder in a DVD player, or one of the hardware dongles that was briefly popular for enforcing software licenses a few years ago.)
      3. Something you are. (Biometrics: your thumbprint or retina scan; your photo & physical description on a license or passport [which itself is something you have -- see above]; DNA samples; voice or handwriting recognition; etc.)

      Good security systems use at least two of these authentication classes: the ATM doesn't work unless you insert your card (something you have) and enter your PIN (something you know); when travelling abroad, customs agents will examine your passport (something you have), will cross-check your appearance against the passport's photo & description (something you are), and may ask probing questions about your travel plans (something you know).

      Bad security systems rely exclusively on one of these elements. Basically all Internet security comes down to things you know, a/k/a passwords. From your point of view, an online purchase may seem to involve something you know (a password) and something you have (the numbers on your credit cards), but from the merchant's point of view they're just taking your word for it because they have no way to validate that the security token you're using is actually in your possession -- hence, credit card fraud. Likewise, I've voted in every election since I turned 18, and not once has an election worker asked for anything more than my name & address (something I claim I know) -- they never ask for an ID (something I have) or a fingerprint (something I am) etc. With this kind of scrutiny, it wouldn't be very hard for someone to spend all day voting in every precinct around. (I'm hopeful that electronic voting may actually fix this problem, but if as seems likely it introduces even more avenues for fraud then forget it.)

      So, a password is essentially something you know, while an access card is something you have. There's a subtle but essential difference. If it was a string of numbers stamped on the card in an easily human readable way, then it could be considered as a form of password, but the fact that you need a machine to read it really enforces the point that it's something different. And that's why it's a good thing! A computer security system that relied on both traditional passwords as well as this kind of physical token would stand a much better chance of being robust than any system that used only passwords or tokens.

      The problem is, almost nobody has a computer capable of reading such tokens. Aside from point of sale systems, almost no one has any use for card reading wedges, so building an authentication system around a requirement for card readers would be difficult to deploy broadly. Setting it as a general company policy might not be hard to do for most companies, if only because there you have a hope of installing the reader hardware for all users. Requiring a dual "know/have" or "know/are" system only for certain systems (access to sensitive areas, etc) would be prudent for any business to implement, but going from there to building a business of providing such systems to the general public would be much harder as long as the infrastructure doesn't exist -- that is, as long as Dell isn't shipping access card readers with every machine they sell.

      So: something you know, something you have, something you are. Keep these in mind and the analysis of secure authentication mechanisms gets much clearer.
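
As an added example of the "know + have" combination the post above recommends (not code from the thread or from babbage), here is a server-side check that requires both a password and a one-time code from a token. The code is RFC 4226 HOTP (HMAC-SHA-1 over a counter with dynamic truncation), which is what many key-fob tokens compute; the account record, the salted password hash and the look-ahead window of 3 are this example's own choices, and the RFC's published test secret is used so the codes can be checked against the standard.

```python
"""Two-factor check: a password (something you know) plus an HOTP code from a
token (something you have). Added example, not from the thread.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The thing you have: holds the shared secret and its own counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Account:
    """Server-side record: salted password hash, token secret, expected counter."""

    LOOK_AHEAD = 3  # tolerate a few token presses that never reached the server

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(8)
        self.pw_hash = self._hash(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def authenticate(self, password: str, code: str) -> bool:
        # Factor 1: something you know. A wrong password does not touch the
        # counter, so a guesser cannot burn the legitimate user's next code.
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return False
        # Factor 2: something you have. Accept the code for the expected
        # counter or a few ahead, then move past it so it cannot be replayed.
        for c in range(self.counter, self.counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 test secret
    acct, tok = Account("correct horse", secret), Token(secret)
    print(acct.authenticate("correct horse", tok.press()))  # True
```

Either factor alone fails: a stolen password is useless without the token's next code, and an observed code is useless once it has been consumed or without the password.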

    3. Re:strong passwords = broken by design by eraserewind · · Score: 1
      A mag-strip card IS a type of password. Depending on the institution that issued it, it's a rediculously long propietary password. It's a string of encoded bits. Nothing magical about it.

      Yes, of course it is. It is not however a password that a human has to remember (besides keeping it in their pocket or whatever). Any security system that relies on humans behaving in an unhumanlike way (remembering numerous frequently changing complicated passwords) is inherently broken. People just won't do it with any reliability. They will find some way around it, even if it means writing down all their passwords on a post-it stuck to their monitor.

      Furthermore, most people (and by most, i mean just about everyone), NEVER change either their PIN or their card, unless it's stolen. Is that type of system any more secure?
      Well, as you said yourself, the PIN is not the password, just one component of a much bigger password. If it's big enough, and if the physical card part of the system is well designed, then the only time they should change it is when it is stolen, right?
    4. Re:strong passwords = broken by design by hyc · · Score: 2, Interesting

      Well, that's all great, but the "something you have" is turned into "something you know" by the computer itself. And if all you're doing is logging into a local box so that you can use it to access a remote server or application, then once again you're only dealing in terms of "something you know" (or perhaps, something your computer knows and asserts on your behalf).

      It's OK when the electronic security system is just an interface to a physical lock, like an electronic gate control. You seldom/never have interactive command access to the actual computer that operates the lock, so it's relatively safe from hacking. But if you're just logging into a computer for the sake of using that computer, then you can easily extract the transform of "what you have" into "what the computer knows" and propagate it further from there.

      --
      -- *My* journal is more interesting than *yours*...
    5. Re:strong passwords = broken by design by Anonymous Coward · · Score: 0

      > The problem is, almost nobody has a computer capable of reading such tokens.

      Almost everybody has a computer with a USB port. Heck, almost everybody had a computer with a floppy drive and a cdrom.

    6. Re:strong passwords = broken by design by babbage · · Score: 1
      Almost everybody has a computer with a USB port. Heck, almost everybody had a computer with a floppy drive and a cdrom.

      That's true, and it isn't a bad idea if followed through. A floppy drive may not be such a great idea -- read/write access to tokens probably wouldn't be a good thing -- but if they could be mass-produced then I don't see any reason why you couldn't put some kind of ID tokens on a CD-ROM (maybe one of those business card ones, so you could carry it around) or have some kind of USB dongles for the same purpose.

      The point though was that, while as you say the interfaces for such access devices are currently available, there's still almost no one putting these into practice on anything like a wide scale deployment. Cards with magnetic stripes are ubiquitous, but almost no one has a reader for them at home. Access token CD-ROMs or USB dongles could work, but I've never heard of anyone doing these things. I've seen recent Sun workstations that shipped with smart card readers actually molded into the slick little case -- cool! -- but what kind of nut uses a Sun machine on his home desktop? Almost no one, that's who.

      It's a bootstrap problem. Consumers won't start demanding such access methods until merchants require them, and merchants can't make them a requirement until there's a viable population of customers that have them installed. Until both sides of that start to move, we're stuck with purely "what you know" authentication systems for all e-commerce. That's not to say that e-commerce as implemented is insecure by design -- it isn't, there's a lot of clever algorithms / processes at work in e-commerce -- but there's still room for improvement and adding a "what you have" or "what you are" component to the mix should only make things stronger.

      (This is actually the one bright side of Microsoft's "Trusted Computing" initiative. The evil DRM stuff notwithstanding, if they work some kind of viable "what you have" mechanism into future computer architectures, that could potentially be a very useful thing. But then, it could also be a tremendous violation of your privacy, depending on how it's implemented. Knowing Microsoft, they'll probably take the one grain of good idea and bury it under a mountain of bad implementation and things you didn't want to begin with...)

    7. Re:strong passwords = broken by design by Anonymous+Cow+herd · · Score: 1
      Likewise, I've voted in every election since I turned 18, and not once has an election worker asked for anything more than my name & address (something I claim I know) -- they never ask for an ID (something I have) or a fingerprint (something I am) etc. With this kind of scrutiny, it wouldn't be very hard for someone to spend all day voting in every precinct around.

      Not really. Provisional (or walk-in) votes are specially tagged in our state and election officials ensure that additional votes in other districts from the same registered voter get discarded. HTH, HAND,

      --
      Ita erat quando hic adveni.
    8. Re:strong passwords = broken by design by John+Hasler · · Score: 2, Insightful

      > Your users shouldn't require anything more than a
      > 4 digit pin & a magnetic card. If it's enough to
      > protect their money...

      But it isn't.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    9. Re:strong passwords = broken by design by babbage · · Score: 1
      Not really. Provisional (or walk-in) votes are specially tagged in our state and election officials ensure that additional votes in other districts from the same registered voter get discarded.

      I didn't mean that I would vote using my own identity. What I mean is that voting records are public information, so if you wanted to do so, you could compile a list of registered voters [optional extra: registered voters that never bother to vote], and then go around claiming to be different registered voters in each precinct.

      You'd have to be brave to try this stunt more than once in the same precinct -- the election volunteers would probably recognize you -- but pulling it off in different precincts probably wouldn't be very hard at all.

      The important thing, in this context, is the reason why this attack is possible: the election officials generally don't do any kind of cross check against who you claim you are -- they never ask for any kind of ID, a piece of mail from the same address, etc. The honor system controls things here, but we all know that a lot of people aren't honorable.

      Not that I'm advocating voter fraud of course -- the opposite in fact. I think the status quo is very trusting, and I'm nervous that that leaves it open to abuse by unscrupulous voters. And I think that at least on some level, the problem comes down to a weak implementation of a single form of voter authentication, and I think the obvious way to fix it is to either [a] choose a better technique along the same lines (I have no idea what off the top of my head), or [b] supplement the current "accept what you know" authentication with a "enforce who you are" method. A lot of budding democracies have a great solution to this too: when you show up at the polling station to cast your vote, you dip your thumb in indelible blue ink that takes a week to wash away. If you have a blue thumb, you already voted; if your thumb is clean, you may vote. Simple. Anonymous. Reliable. ...Probably untenable in these fashion conscious United States, but still a great solution to consider...

    10. Re:strong passwords = broken by design by I+confirm+I'm+not+a · · Score: 1

      The UK has just started issuing (and advertising) "chip & pin" debit and credit-cards. AFAIK, you just have to enter the PIN to validate the card at point-of-sale. If that's true, it means all a mugger needs from me is my PIN - no longer do they need to march me at knife-point to the nearest ATM. Hooray for Britain: where knee-jerk reactions govern tech adoption.

      (Incidentally, while I've had my chip & pin card for a while, no store's actually made me use the PIN. I figure they're waiting until I've forgotten it, as a sort-of uber-security mechanism).

      --
      This is where the serious fun begins.
    11. Re:strong passwords = broken by design by Quattro+Vezina · · Score: 1

      From your point of view, an online purchase may seem to involve something you know (a password) and something you have (the numbers on your credit cards), but from the merchant's point of view they're just taking your word for it because they have no way to validate that the security token you're using is actually in your possession -- hence, credit card fraud.

      Of course, just because you have something in your possession doesn't mean you own it. If one were to steal someone's wallet, go to a store, and buy something with the stolen credit card, one has just committed credit card fraud while having the credit card in one's possession.

      Unless the ``something you have'' contains a picture of the owner or the like (i.e. something you are), a system that relies on something you have + something you know is just as flawed as a system solely based on something you know. Sure, there's extra effort involved in stealing a credit card, but there's also extra effort involved in guessing a particularly strong password.

      --
      I support the Center for Consumer Freedom
    12. Re:strong passwords = broken by design by babbage · · Score: 1

      Well, exactly -- that's the trick.

      It's possible to build a strong authentication system based purely around something you know / have / are, but any system that relies on only one of these classes is prone to certain types of attacks.

      1. "Things you know" systems are vulnerable to you forgetting, or to other people finding out the secret (Frank Abagnale showed lots of variants of this form of attack in the movie "Catch Me If You Can").
      2. "Things you have" systems are vulnerable to loss or theft of the authentication token (see almost every suspense or spy movie ever made).
      3. "Things you are" systems are vulnerable to various identity theft attacks ("Catch Me If You Can" showed some of this, but "Gattaca" was written around the idea).

      The easiest way to cover up the gaps is to build systems that overlap these approaches. As you say, putting identity data on an access token (like a driver's license) makes the token stronger, as does requiring something you know (a PIN) to activate the something you have (an ATM card). Mixing in all three is even better.

      The thing is, none of this is a guarantee that the system is unbreakable; rather, adding on these authentication layers just narrows the opportunity window for attacks, but it can never close it. You just have to evaluate how much risk you're willing to accept and then come up with a system that tries to deliver no more than that level of risk.

  7. BOFH mode on by Professor+Cool+Linux · · Score: 1

    so "isadumbass" and "rectumanomalys" aren't on the list

    nor is "fuckingbeancounters" or "phbskissmyass"

  8. This one real cool password I had... by Kevin+Stevens · · Score: 2, Funny

    It used to be so great...

    There was this obscure OS that no one had ever heard of... man it was cool... it was like unix on the pc... and this guy that developed it... this guy from Scandinavia. You see it was really clever because it was a play on his actual name, and easy to remember.

    Then... 1998 came. It's been downhill from there. I wouldn't even trust it to a hotmail account now.

    1. Re:This one real cool password I had... by Teddy+Beartuzzi · · Score: 1

      For a second, I thought you were heading for this one

  9. huh? by Hythlodaeus · · Score: 4, Interesting

    Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?

    --
    For great justice.
    1. Re:huh? by Josh+Booth · · Score: 4, Interesting

      I'm assuming that most of the passwords are defaults that some guy in a computer lab decided looked strong. However, when every system you ever produced uses the same password, even if it is completely random, you'll have a security problem.

    2. Re:huh? by jfdawes · · Score: 1

      Probably the default for some piece of enterprise software that can't do its job without creating an account to use.

    3. Re:huh? by CeramicNuts · · Score: 1

      explain this one: I5rDv2b2JjA8Mm

    4. Re:huh? by Kris_J · · Score: 1
      explain this one: I5rDv2b2JjA8Mm
      OMG, That's the password I use at my local video rental store!
    5. Re:huh? by jfdawes · · Score: 4, Informative
    6. Re:huh? by m.koch · · Score: 5, Informative
      Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?

      As google told me, these are default passwords from this list which is in fact much more useful.
    7. Re:huh? by Anonymous Coward · · Score: 0

      http://www.google.com/search?q=+Q54arwms&start=0&start=0&ie=utf-8&oe=utf-8

    8. Re:huh? by stickb0y · · Score: 1

      Along the same lines:

      The site lists 7061992 and 19920706 among the common numeric passwords.

      That can't be a coincidence, can it? What happened on July 6, 1992 that was of such significance?

    9. Re:huh? by jrumney · · Score: 2, Informative

      SAP R/3 was released. They use those as default passwords for their software.

    10. Re:huh? by Ashtead · · Score: 1

      I am really wondering more why 23, 42, 69, and 8675309 were not on that list of numbers...

      --
      SIGBUS @ NO-07.308
    11. Re:huh? by Anonymous Coward · · Score: 0

      eight six seven
      five three oh niiiiiieyiiine

  10. Hmm, not really trolling... by smoondog · · Score: 4, Informative

    OK, every once in a while we get an article similar to this. The links change but the article is the same. Passwords are inherently insecure to some sort of guessing attack, is the statement.

    I'm going to suggest something here that is perhaps a little controversial. Perhaps, if password zealots spent less time complaining about passwords and spent more time protecting machines from this sort of attack (w/o making an easy path to a DOS attack) this wouldn't be an issue. Imagine this: Passwords are never transferred as plain text. Any systematic attempt at guessing a password is prevented before the attacker gains access. Users make mistakes a few times, even for the most simple passwords, one must sample tens of passwords to break in. Systematic attempts are predictable, just like trolls on slashdot are (generally) identifiable (remember those page lengthening posts?) and spam is filterable.

    In my not so humble opinion, password guessing attacks are an administrator problem, not a user problem. And the administrators seem more interested in pestering users than actually developing systems to prevent this type of attack.

    -Sean
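
As an added example of the server-side control Sean asks for (not code from the thread or from smoondog), here is a per-account throttle that stops evaluating guesses after a run of failures and escalates the lockout on each repeat, plus a simulation that counts how many guesses an attacker hammering the prompt once a second actually gets evaluated in a day. The user store (plaintext, only to keep the demo short), the threshold of 5, the 30-second base lockout and the one-hour cap are this example's own choices. Two caveats the replies raise still hold: a lockout is a denial-of-service lever against the account it protects, and it does nothing against offline cracking of a stolen password file.

```python
"""Per-account throttling of online password guessing.

Added example, not code from the thread. Consecutive failures past a
threshold lock the account for an escalating period; attempts during the
lock are not evaluated at all, so the guesser gets no oracle.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class AccountState:
    failures: int = 0         # consecutive failures since last success or lock
    escalations: int = 0      # lockouts in a row; drives the backoff
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, users: Dict[str, str], threshold: int = 5,
                 base_lockout: float = 30.0, max_lockout: float = 3600.0):
        self.users = users  # user -> password (plaintext only to keep the demo short)
        self.threshold = threshold
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'.

        `now` is passed in rather than read from the clock so the policy
        can be simulated over a day without sleeping.
        """
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"          # not evaluated: no information leaks
        if self.users.get(user) == password:
            st.failures = 0
            st.escalations = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            lock = min(self.base_lockout * 2 ** st.escalations, self.max_lockout)
            st.locked_until = now + lock
            st.escalations += 1
            st.failures = 0
        return "bad_password"


def guesses_evaluated_in(throttle: LoginThrottle, user: str,
                         seconds: float, interval: float = 1.0) -> int:
    """Simulate an attacker trying a fresh wrong password every `interval`
    seconds and count how many guesses the server actually evaluates."""
    evaluated = 0
    t = 0.0
    n = 0
    while t < seconds:
        if throttle.attempt(user, "guess%d" % n, t) == "bad_password":
            evaluated += 1
        n += 1
        t += interval
    return evaluated


if __name__ == "__main__":
    th = LoginThrottle({"alice": "s3cret-not-on-any-list"})
    print(guesses_evaluated_in(th, "alice", 86400))  # 150 guesses in a day
```

With these defaults the attacker gets five guesses, then 30 s, 60 s, 120 s ... of silence up to the one-hour cap, which works out to 150 evaluated guesses per day against one account instead of 86,400. The legitimate user pays for that: during a lockout even the right password is refused, which is the DOS path the post warns about.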

    1. Re:Hmm, not really trolling... by Anonymous Coward · · Score: 0


      Any systematic attempt at guessing a password is prevented before the attacker gains access. Users make mistakes a few times, even for the most simple passwords, one must sample tens of passwords to break in. Systematic attempts are predictable, just like trolls on slashdot are (generally) identifiable (remember those page lengthening posts?) and spam is filterable.


      Password guessing works from a passwd file -- attackers do not actually try to log in with 100s of passwords until they find the right one. You'll notice that most systems impose a delay of a few seconds whenever you enter an incorrect password.

    2. Re:Hmm, not really trolling... by Seahawk · · Score: 1

      You mean just as it is silly to demand people get a drivers license - when car builders should just make cars sure to drive for everyone? :)

      I know that dictionary attacks would be simpler to solve than my example, but why not try to remove the SOURCE of the problem - instead of trying to solve the problems people's lack of knowledge generates?

      IMO BOTH measures should be used - it is a problem of BOTH lazy(stupid) users and lazy(stupid) sysadmins.

    3. Re:Hmm, not really trolling... by thogard · · Score: 1

      At one a minute, it takes a year to guess a 1/2 million passwords.

    4. Re:Hmm, not really trolling... by trukfixer · · Score: 1

      I agree on this one.. for example, I use a unique password based on a 17-digit Vehicle Identification number for a vehicle that is no longer registered (long since processed through the scrapyard) and the ONLY place it is used is on this single system, and only via SSH2 connection... so I'm reasonably confident (not 100%) that nobody is gonna hack my root...:)

      anyone who would use an easily remembered password for root or administrator logins definitely deserves to be hacked.

    5. Re:Hmm, not really trolling... by John+Hasler · · Score: 1

      > Any systematic attempt at guessing a password is
      > prevented before the attacker gains access.
      > Users make mistakes a few times, even for the
      > most simple passwords, one must sample tens of
      > passwords to break in.

      Bill has been showing everyone in the office pictures of his new daughter Betsy. Fred, always on the alert for a way to make a quick buck, notices that Bill has just been given an account on the sensitive financial system. Since you are system administrator here, users are allowed to choose their own passwords and no password checking is done.

      How do your superior system administration skills prevent Fred from guessing that Bill's password for his new account is 'betsy'? He isn't going to make multiple sequential attempts. He's going to make one try and if it works he's in. If he fails he will chat up Sally, who has told everyone that she uses one really easy to remember password for everything, about her pets.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    6. Re:Hmm, not really trolling... by Niet3sche · · Score: 1

      Wait a minute. We have disposable passwords. Have we forgotten about S/Key and OPIE, or am I missing something here? I've not touched it in years, so I'm not quite certain if this has fallen by the wayside. I typically use a virtual 2-phase authentication process through use of an identity file and a tunnel. Not too bad, I think.

  11. You forgot... by omarius · · Score: 2, Funny

    0. idkfa -1. spispopd

  12. Universal Passwords by Schezar · · Score: 3, Insightful

    The uni I work for (RIT) is working to migrate their entire campus to a Microsoft Active Directory environment. Part of the reason for this is to give users a universal username/password for any and all university services.

    Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat (aside from the office biddies who write them on post-it notes on their CRTs), but the situation is far from secure.

    Students use their webmail (Exchange... I won't even get into that one...) and register for classes (telnet), and generally aren't careful with their passwords. I couldn't tell you how many times I've sat down at a public terminal to find someone else's account all set up for me to exploit. And since the password is universal, I can do anything I want.

    Myself, I use a different password for everything I connect to, and thus don't have to worry about being wholly compromised in an instant. Then again, I'm a geek, so I'm not exactly the norm.

    Does anyone else see this push toward universal logins/passwords as a problem?

    --
    GeekNights!
    Late Night Radio for Geeks!
    1. Re:Universal Passwords by jfdawes · · Score: 3, Insightful
      > Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat


      Er, no? Most "password etiquette" schemes are a complete crock. Generally all they do is reduce the key space and therefore make the passwords easier to brute force attack.

      You must have a password of at least 6 characters? Well, there goes everything 5 characters and less - don't have to check those.

      Hmm, and while we're at it, most people are going to have a password between 6 and 9 characters, don't bother trying anything else until the second pass.

      You have to have at least one non-alpha, well - I can reduce my attack to constrain my guesses around that requirement - just reduced the number of attempts necessary by 24%.

      Any other rules you want to add to make attacking the password easier?
    2. Re:Universal Passwords by Anonymous Coward · · Score: 0

      i know you're password

    3. Re:Universal Passwords by CanSpice · · Score: 2, Informative

      Limiting passwords to 6 characters or longer doesn't significantly reduce your keyspace. If you only allow lowercase letters, there are 12356630 possible combinations that are 5 characters and shorter, and there are 321272406 that are 6 characters and shorter. Thus if you don't allow anything shorter than 6 characters you've reduced your keyspace by roughly 3 percent.

      If you allow upper and lowercase characters, there are 387659012 combinations that are 5 characters and shorter, and 20158268676 that are 6 characters and shorter. If you limit your passwords to being exactly 6 characters long then you've reduced your keyspace by 1.9 percent.

      Those percentages only go up if you allow passwords that are longer than 6 characters, and if you allow characters other than letters in your passwords.

      Sure, you're reducing your keyspace but it's not nearly as catastrophic as you make it sound.

    4. Re:Universal Passwords by Frnknstn · · Score: 1

      Okay, let me give you some numbers. If you don't have any password scheme, all your users will have a password from one to six chars long. That is:
      321272406 possible passwords.

      If you limit them as you suggest, and they all pick between 6 and 9 chars, with one number, that makes:
      98814936052800 possible passwords

      Since 98814936052800 is clearly larger than 321272406, you are clearly an idiot.

      --
      If it's in you sig, it's in your post.
    5. Re:Universal Passwords by jfdawes · · Score: 1

      98814936052800 minus 321272406 is somewhat larger than 98814936052800?

      Sir, you are a savant.

      Thank you for enlightening me to a definition of "minus" that I was not aware of.

      If you were thinking clearly, you would start your attack with a dictionary that you could prune based on known password rules.

    6. Re:Universal Passwords by jfdawes · · Score: 3, Insightful

      Yup. The length being constrained to greater than some number (typically 6 or 8) characters is about the only password constraint that makes some kind of sense, but still - any reduction in keyspace means less work.

      Assuming we take the example of the guy who had the 5 byte password that takes 18 days to crack, 1.9% still saves you 8 hours. Not an unuseful amount of time.

      It's the daft "must include a non-alpha" and "must start with an alpha (or worse, a capital)" and other brain dead, crack smoking, glue sniffing password "rules" that are the real killers.

    7. Re:Universal Passwords by Frnknstn · · Score: 2, Funny

      Forgive me, but I have no idea what you are talking about. Nowhere do I claim any such thing. I do claim that 98814936052800 is greater than 321272406 (98814936052800 > 321272406).

      98814936052800 is the number of all passwords with lengths from six to nine with at least one number.

      321272406 is the number of all passwords with lengths from one to six, as would be picked by unregulated users.

      --
      If it's in you sig, it's in your post.
    8. Re:Universal Passwords by Prior+Restraint · · Score: 2, Interesting

      One of my credit cards (which I have since cancelled) demanded that the 4-digit PIN not start with zero or one.

    9. Re:Universal Passwords by jfdawes · · Score: 1

      The number of unconstrained passwords of 9 characters or less would then be: 98,815,257,325,206. No?

      Because you don't have to check anything with 5 or less, you reduce the key space to 98,814,936,052,800 combinations, the number you give.

      This is less work. Not much, granted, but it's still less. Anything that reduces the key space only needs to be coded into the cracking routines once to achieve that reduction in work every time.

    10. Re:Universal Passwords by Frnknstn · · Score: 1

      Furthermore, you seem to be laboring under the misconception that REDUCING the number of words in a dictionary INCREASES the chance of a successful match.

      Of the 804 words in the presented common-use list, only 140 match your suggested password scheme. Instead of having 804 chances to crack any particular password, you now only have 140.

      Certainly, you can bulk out your password list with randomly generated entries, but that is not what dictionaries of commonly used passwords are used for! Now you are again faced with the vastly increased number of possible passwords.

      --
      If it's in you sig, it's in your post.
    11. Re:Universal Passwords by jfdawes · · Score: 1

      ...

      Your initial attack is a dictionary attack. You eliminate passwords from the dictionary that do not meet the rules for the password you are trying to break. This means that IF the dictionary attack was going to succeed, you now succeed sooner.

      If the dictionary attack fails, you then do the brute force attack which simply searches the full key space, which has been reduced by the constraints on the password.

      Software enforced password constraints cause low hanging fruit to hang lower.

    12. Re:Universal Passwords by Frnknstn · · Score: 1

      You are still not understanding the basic premise of this topic. If you do not limit the number of chars in a password, almost all your passwords will be six or less chars.

      If you do limit as per your suggestion, you will increase the number of passwords by over three hundred thousand times. How does this make the passwords LESS secure?

      --
      If it's in you sig, it's in your post.
    13. Re:Universal Passwords by Frnknstn · · Score: 1

      Not at all! You have reduced the amount of time to test a dictionary by 5/6ths, but you have also decreased the chance of a match by the same amount, and increased the length of an already-long brute force attack by 3000 times.

      And this is ignoring the beneficial effect that making the end users THINK about their password has.

      --
      If it's in you sig, it's in your post.
    14. Re:Universal Passwords by aePrime · · Score: 1

      I'm going to have to back Frnknstn here.

      Here's the way I looked at it. If you allow 5 characters or less, you get n^1 + n^2 + n^3 + n^4 + n^5 possible passwords, where n = number of valid characters. This recurses out to n(1 + n(1 + n(1 + n(1 + n)))). For example, let's say we allow lower-case letters and numbers (n = 36). This means there are 62,193,780 possible passwords of 5 characters or less. Now, let's say you have a limit of 6 characters, and all of your users are lazy and use the minimum. This is 36^6 possible passwords. This means that there are 2,176,782,336 possible passwords. The passwords of 5 characters or less is a tiny fraction of the total space!

    15. Re:Universal Passwords by CuriHP · · Score: 1

      In all fairness, the Exchange e-mail system is about 8 billion times better than the old one. I used to routinely have mail that would not delete unless I telnetted into grace and removed it with pine.

      --
      If it's not on fire, it's a software problem.
    16. Re:Universal Passwords by Frnknstn · · Score: 1

      Want some more numbers? Assuming that 18 days is the time it takes to test the entire space that was limited to a 4 or 5-byte (8 bit) password, it would have taken him at most 23 seconds to find the unrestricted, 3 byte password that the unrestricted user had chosen.

      --
      If it's in you sig, it's in your post.
    17. Re:Universal Passwords by james+b · · Score: 2, Interesting

      Thinking out loud: the thing about 'must include non-alpha' is that it essentially forces the users to pick non-dictionary words. That's good all by itself. Sure, some of them will just use 'password1' or whatever, which is still dictionary-able (but not much *more* so, since they're probably going to pick the word they always choose anyway and just add a number). And with many users, you'll get stuff that's somewhat hard to do a dictionary attack on, like 'jack4betty' or 'y311ow'.
      Does this make any sense? I mean, I can see how suboptimal use provides no further protection, but is it likely to reduce the keyspace much in a real world scenario?

    18. Re:Universal Passwords by jfdawes · · Score: 1

      Er, I guess you're just a troll, but what the hell, I've got ten minutes before I have to leave.

      Let's assume you have two passwords, X and Y. X and Y both meet some arbitrary password constraints.

      You also have a dictionary, D1 of 1000 entries.

      Let's further assume that X is in the dictionary and Y isn't.

      Now, remove all entries from the dictionary that do not meet the password constraints in use giving dictionary D2.

      To search the dictionary for X will now take 83% of the time and you WILL find it. The probability of finding it is THE SAME as it was before you reduced the dictionary because the probability of X being one of the removed entries is 0.

      To search the dictionary for Y will also take 83% of the time and you WON'T find it. You have again saved time because you were going to do the dictionary attack anyway, but you now finish earlier.

      Now you get to do a brute force search for Y and AGAIN, the key space is reduced because you do NOT need to generate/check passwords that do not meet the rules. The brute force attack is shorter because you don't need to check some stuff.

      Example: rule: passwords must be at least 2 characters and must include a non alpha.
      Given: We're only using 2 character passwords.
      Using simple maths and 101 possible key strokes: 101 * (101 - 52) possible entries, is 4949.
      No constraints: 101 * 101 + 101 is 10302.

      With constraints you have to check less than half the unconstrained set.

      And the same users that pick stupid passwords with no constraints are the same users that pick stupid passwords with some alpha shoved in it because the software insists on it.

      If you really want a piece of software to eliminate bad passwords, just run some crack utility on your own password file and notify users with ones that turn up.

    19. Re:Universal Passwords by Frnknstn · · Score: 1

      I am no troll, but you sir, remain an idiot.

      Of course forcing users to have ONLY TWO chars (101*101) is going to produce less passwords than allowing users to have EITHER one or two chars (101 * 101 + 101).

      That means absolutely nothing for the issue at hand, as nobody would limit their users to a two-char password. When the number of chars scales up, the number of passwords also scales up, but geometrically, not linearly.

      Thus, even limiting the number of chars to 9 ONLY is still 25 times better than allowing the choice of any password from 1 to 8 chars.

      Your grasp of probability is very weak. If half the entries are removed from a list, the chance of ANY PARTICULAR PASSWORD, be it assigned X, Y, Z or any other variable name, is also halved. We could carry your reasoning to its illogical conclusion: Given that any password may appear on a cracker's dictionary, and given that the cracker could prune his list to contain only that password, that cracker can and will defeat any password with only one attempt.

      Then with your password Y, in a perfect world, you would save some time over an identical test with no non-alpha requirement. But as this is NOT a perfect world, the test is not identical, as people pick fewer chars. Thus, you in fact save no time, because you now have to check passwords far longer than you would have otherwise checked.

      Users that pick stupid passwords with no constraints may be the same users that pick stupid passwords with some alpha shoved in it because the software insists on it, BUT SHOVING THE EXTRA NUMBER IN MEANS THAT THE CRACKER NEEDS TO CHECK FAR MORE PASSWORDS.

      Once again, look at the example you gave at the start, and look at the numbers. Shoving the number in increased the number of passwords from:
      (26^6 + 26^7 + 26^8 + 26^9)
      = 5646671469504
      to:
      (36**6 + 36**7 + 36**8 + 36**9) - (26^6 + 26^7 + 26^8 + 26^9)
      = 98814936052800

      Once again I ask, how can that be easier to crack?

      Can you give me even one example where adding a number to a password of length greater than two decreases the number of possible passwords?

      --
      If it's in you sig, it's in your post.
    20. Re:Universal Passwords by Frnknstn · · Score: 1

      I must apologise for calling you an idiot. Statistics can often be counter-intuitive (as in the case of the Monty Hall problem.) You are wrong, but I am sorry for insulting you.

      --
      If it's in you sig, it's in your post.
    21. Re:Universal Passwords by Eivind · · Score: 4, Interesting
      You're right, in principle; practically, however, you are wrong.

      It is true, for example that excluding 5-and-under passwords reduces the keyspace. But that is still a win if that part of the keyspace was overpopulated.

      Put differently, if everyone has passwords 8 characters or less, chosen from a set of 64 characters (I realise there's more, but some are much more used than others, so the effective strength of a password chosen by a user is seldom more than 6bit/char):

      • There's 2^(5*6) = 2^30 passwords that are exactly 5 characters long.
      • There's 1.015 * 2^30 passwords that are 5 or less characters long.
      • There are about 2**(8*6) = 2**48 passwords in total.
      • So, by excluding the shorter ones, you've excluded 0.00038% of your keyspace.
      If users choose passwords randomly, then one in 262000 users would choose a password with 5 or less characters, and for an attacker, searching this keyspace would be no more fruitful than searching any other random part of the keyspace.

      Problem is, users do NOT typically choose passwords anywhere close to randomly. A more typical scenario is that 10% of all the users choose passwords 5 characters or less.

      In that case, searching the 5-or-less part of the keyspace is 26000 times more likely to net you a working password than choosing a random part of the keyspace to search.

      In practice, you can brute-force the 30-bit 5-and-under keyspace in minutes, and you'll have passwords for 10% of the user-accounts, although you only searched less than one thousandth of one percent of the keyspace.

      THAT is why requiring users to have passwords over a minimum length does not, as you claim, harm security (instead, it helps quite a bit).

    22. Re:Universal Passwords by Eivind · · Score: 2, Insightful
      But 5 byte-and-under passwords aren't 1.9% of (say) an 8-byte password keyspace. If users use a small set of characters (64) then it's 0.00038 % of the keyspace. If they use a better (i.e. larger) set of characters, then it's even less.

      I agree that rules that restrict the keyspace *more* than they force users to increase entropy are pointless or even harmful. "Must start with a capital" is obviously in this category. "Must include some sign that is not a letter" is probably not, because, again, the rule excludes maybe 0.0005% of all passwords, but forces 10-30% of users, the ones which otherwise would choose "all alphas" to select a better password.

    23. Re:Universal Passwords by Anonymous Coward · · Score: 0

      Yeah, but most users choose something they can remember. The number of memorable 6+ character combinations is much smaller than the number of memorable <6 combinations, so 6+ is easier to crack.

    24. Re:Universal Passwords by thogard · · Score: 1

      Remember the needed search keyspace is dictionary words with simple additions and l33t speak.

    25. Re:Universal Passwords by Sharkford · · Score: 1
      he "single sign-on" effort as having great risks. Where I work, the materials-management system has a poor authentication model, in which a requisition can be tracked only by the person who submitted it - not their secretary, or boss, or colleagues. A guaranteed recipe for password-sharing ("we use my secretary's account for that so we can all see it") - except your password gets you into personal stuff like the HR system, in which you can change your benefits!

      I think that conceptually different realms (like "employee personal" and "office business") should never be linked under a universal password scheme. And applications need to have workable access models, or people will need to make poor security choices to get their jobs done.

      S.

    26. Re:Universal Passwords by Anonymous Coward · · Score: 0

      It takes relatively little time for a program to try every combination of 1-5 characters. Since people are lazy, they will often pick short passwords, so permitting 5 character passwords will immediately make it possible to crack a large percentage of accounts.

      The non-alpha requirement sounds silly if you think in terms of random sequences of characters, but it helps prevent users from simply selecting a common word or name, which again is very easy to crack. Adding a number to a word does make it slightly more secure (though not nearly enough).

    27. Re:Universal Passwords by jfdawes · · Score: 1

      You think I'm wrong because you do not understand my argument. You sound like someone who has coded a password routine and are defending yourself.

      Get this straight: imposing a minimum length on passwords is not a bad password constraint and should be the only one used as it does not reduce the key space significantly. You are incorrect to argue that there is no reduction as that is simply not true.

      Imposing additional rules, such as insisting on a non-alpha, significantly reduces the key space. For a password of any given length, if you know at least one character must belong to a subset of the allowable characters, then you simply have less work to do.

      A very simple example that even you should understand:

      You have red balls and green balls. All possible sequences of balls of length two:
      GG,GR,RG,RR.
      If you insist on at least one character being a subset (must be green) you reduce your key space to:
      GG,GR,RG.
      Searching the reduced key space is less work.

    28. Re:Universal Passwords by jfdawes · · Score: 1

      It makes some sense, except the crackers had the same thoughts years ago. A good dictionary will not be simply a list of words. It will be a meta-list that the crack algorithm builds passwords from.

      It knows that "hello" can be spelled "hello", "h4110", "He1l0" and every other variation. Good ones also will do things like adding a single non-alpha to the end and try combinations of two or more words separated by a non-alpha. A half way decent cracking algorithm will get "H3l10&W0r1D". Don't be surprised if they also get "G2k`9^Q9e`S" and "J4;2-*E-t;F" - both those are also variants on "Hello World".

      Sorry, but "y311ow" is almost as weak as "yellow". "jack4betty" is better, but still not good.

    29. Re:Universal Passwords by jfdawes · · Score: 1

      It might seem like it only causes a 0.0005% reduction but it's a much much larger fraction.

      For example, assuming a 101 keystroke keyboard (being nice and letting you put F keys and other non-printing characters in your password). For a password of length 8, the number of combinations is something like:

      101 * 101 * 101 * 101 * 101 * 101 * 101 * 101 = 10,828,567,056,280,801

      If you constrain passwords to contain a single non-alpha, you get:

      101 * 101 * 101 * 101 * 101 * 101 * 101 * (101 - 52) = 5,253,463,225,324,349.

      You have reduced your keyspace by 50%.

    30. Re:Universal Passwords by Anonymous Coward · · Score: 0

      True...the old email system at RIT is shit....however, it wasn't the software that's the problem, it's the hardware. If they took half of the shiny new machines that they're running Exchange on and ran Sendmail/procmail, the new system would be 8 billion times better.

    31. Re:Universal Passwords by Frnknstn · · Score: 1

      You are once again stating the obvious. I agree with you entirely on that matter, as I have from the beginning. However, once again I submit to you that the only way to get most users to include numbers in their passwords at all is to force the inclusion of at least one number. The password that has at least one number is more secure than the password that will not have any numbers.

      --
      If it's in you sig, it's in your post.
    32. Re:Universal Passwords by jfdawes · · Score: 1

      You're being too simplistic about it. Do not get your password checking algorithm to do anything except require a certain length (and there are arguments against that), allow the users to enter whatever they like. Imposing software rules in the password generation just weakens your security.

      Instead, try this: once they enter their password, run it through a decent, up to date cracking algorithm with a good dictionary.

      If you find anything, alert the user that they have a weak password. If your users ignore your password requirements, start disabling their accounts.

    33. Re:Universal Passwords by Carnildo · · Score: 1

      "Not starting with a 0" is probably a software limitation, not a crazy rule.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    34. Re:Universal Passwords by Frnknstn · · Score: 1

      Are you saying that users do regularly select passwords with numbers and capitals in them?

      I have been ignoring your repeated suggestion about checking the passwords in the hope you would RTFA. What you suggest is standard practice for all good SysAdmins, and the whole purpose of this article was to provide additional too-common passwords for a SysAdmin.

      --
      If it's in you sig, it's in your post.
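The proactive check jfdawes and Frnknstn argue about above, as an added example that is not code from any poster: it tests a candidate password against a list of known weak passwords, including the leet-spelled and digit-suffixed variants the thread mentions ("password1", "y311ow", "He1l0"). The word list here is a constructed sample, the leet table and the 8-character minimum are assumptions.

```python
"""Proactive weak-password check: reject a new password whose raw, leet-decoded
or decoration-stripped spelling appears on a list of known weak passwords."""
import itertools
import re

MIN_LENGTH = 8   # assumed minimum; the thread debates 6 or 8

# Constructed sample: a few entries of the kind the PCLinuxOnline list carries
# plus words posters in this thread cite as weak. A real deployment would load
# the full list from a file.
WEAK_WORDS = frozenset({
    "password", "passwd", "pass", "public", "private", "phoenix",
    "patrick", "postmaster", "hello", "yellow", "betsy", "thx1138",
})

# Digit/symbol stand-ins for letters (assumed table). Some are ambiguous
# (1 can be l or i), so every combination is tried, not one substitution.
LEET = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "|": "l"}

MAX_FORMS = 256   # cap the expansion so a long run of digits can't blow it up


def undo_leet(candidate):
    """Return the set of lower-cased spellings of `candidate` obtained by
    leaving each symbol as-is or replacing it with a letter it may stand for."""
    choices = [(ch,) + tuple(LEET.get(ch, "")) for ch in candidate.lower()]
    forms = set()
    for combo in itertools.product(*choices):
        forms.add("".join(combo))
        if len(forms) >= MAX_FORMS:
            break
    return forms


def strip_decorations(word):
    """Drop the symbols users bolt onto a base word: leading punctuation and a
    trailing run of digits/punctuation ('password1', '!hello99')."""
    return re.sub(r"^[^a-z0-9]+|[^a-z]+$", "", word)


def weak_reason(candidate):
    """Return a short reason if `candidate` fails the checks, else None.
    The list check runs first so that 'y311ow' is reported as a variant of
    'yellow' rather than merely as too short."""
    for form in undo_leet(candidate):
        for spelling in (form, strip_decorations(form)):
            if spelling in WEAK_WORDS:
                return "variant of listed weak password '%s'" % spelling
    if len(candidate) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    return None


if __name__ == "__main__":
    for pw in ("password1", "y311ow", "He1l0", "Betsy", "thx1138", "iaF0cs!l"):
        print("%-10s -> %s" % (pw, weak_reason(pw) or "no listed variant found"))
```

Passing this check says only that the password is not a trivial variant of a listed word; "jack4betty" passes it and is still guessable, as jfdawes notes.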
    35. Re:Universal Passwords by 2short · · Score: 1

      Sorry, but I'm not crazy about your example, and your math is just bad.

      The keyboard may have 101 keys, but you can't use them all in passwords. Then you use 52 (# of alpha characters) instead of 26 (# of keys), which is correct, but confusing.

      My keyboard (which I believe to be standard) has 47 keys that produce unique non-whitespace characters, each of which can be shifted, so 94 password characters, 52 of them alpha. Assuming an 8 character password that's 6,095,689,385,410,816 combinations.

      OK, not much different. A little less, which actually should help your argument.

      But you really go wrong on the constraint. Your math is requiring the last character be non-alpha. To require that any character be non-alpha, we just have to compute the number of pure-alpha passwords and subtract.

      The number of pure alpha 8 character passwords is

      52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 = 53,459,728,531,456

      leaving

      6,095,689,385,410,816 - 53,459,728,531,456 = 6,042,229,656,879,360

      8 character passwords with at least one non-alpha character.

      The keyspace has been reduced by 0.877%. I'd call that trivial, especially in light of the percent of users who would use a password out of the dictionary if allowed to (I'm guessing high 90s).

      Most password attacks aren't going to try to search the whole keyspace. They're going to search some subset of it the attacker thinks is likely to contain the password (e.g. dictionary words spelled forward and backwards, all combinations of two dictionary words, etc.). Password rules make sense if they force people out of this subset.

    36. Re:Universal Passwords by Eivind · · Score: 1
      Nope. Sorry. That calculation would be correct if I had required that the *last* position MUST be a non-alpha. Then I would indeed have 101 keys to choose from in all positions, except the last, where I'd only have 49.

      To simplify your example a bit, let's say the user chooses between a total of 100 characters, half of which are non-alphas.

      *if* the user chooses only alphas for the first 7 characters, then he is indeed forced to choose between only half the characters in the last position, halving this part of the keyspace.

      However, in most cases (99.2% of the cases) there is already at least one non-alpha in the first 7, and thus there's no reduction at all.

      So, this example works out to about a 0.8% chance of halving the choice on the last position, a total reduction in keyspace of 0.4%.

      If you don't believe my maths, try it yourself with a smaller example:

      Assume that you are to choose a random 4-digit number, but that the evil admin has required that at least one of the digits be 5-9 (i.e. not all lows).

      By your logic this should also lead to a halving of keyspace, but in actual fact there is only a 6.25% keyspace-decrease. You can check this yourself with this simple script:

      seq 0 9999 | grep -E '5|6|7|8|9' | wc -l

      It'll tell you 9375. So, of the total keyspace of 10000, you've excluded 625, or 6.25%

    37. Re:Universal Passwords by jfdawes · · Score: 1

      You're right, my maths is bad - it overestimates the danger.

      However, my point doesn't I think that most password rules don't force people out of the subset. If someone is going to pick a weak password without the rules then they will still pick a weak password with the rules. Instead of "password", a user might use "password1" - which probably passes the software enforced rules but is also probably in most dictionaries.
      Yeah, it's going to take longer to search for all simple variations on a dictionary word, but it's still cheaper and faster than doing a brute force attack.

      The maths used gives the theoretical number of combinations, yet you yourself guess that 90% of the population are going to base their choice on some minuscule subset of those possible.

    38. Re:Universal Passwords by Prior+Restraint · · Score: 1

      I assume that's so, but it's an incredibly stupid mistake to make, especially considering these are the same people who insist on a sixteen digit account number.

    39. Re:Universal Passwords by Eivind · · Score: 1
      I never argued with that. Obviously any restriction whatsoever limits keyspace. For example, if everyone has 8-char passwords, then requiring at least one non-alpha reduces the keyspace (and thus the required searching) by around 0.4%.

      The thing which you don't understand, or pretend you don't understand is that absent this restriction *much* more than 0.4% of the users would choose passwords in this small subset of the keyspace.

      If 0.4% of all passwords are all-alpha, but 40% of all actually used passwords as chosen freely by users are all-alpha, then searching the all-alpha keyspace is 100 times as likely to net you a working password as searching any random part of the keyspace.
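The keyspace arithmetic argued over in this subthread, as an added example that is not code from any poster: it reproduces the figures CanSpice, Frnknstn, jfdawes, 2short and Eivind quote, shows why counting "last position is non-alpha" undercounts an "at least one non-alpha" rule, and carries Eivind's point about over-populated regions through. Alphabet sizes are the ones the posters use; the 10% share of users picking short passwords is Eivind's assumption.

```python
"""Keyspace arithmetic for password-composition rules, using the alphabets
and policies debated in the thread."""
from fractions import Fraction

LOWER = 26           # a-z
ALNUM_LOWER = 36     # a-z plus 0-9
MIXED_ALPHA = 52     # a-z plus A-Z
PRINTABLE = 94       # printable non-whitespace ASCII, as 2short counts keys


def total(alphabet, min_len, max_len):
    """Number of strings over `alphabet` symbols with min_len <= length <= max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def at_least_one_outside(alphabet, subset, min_len, max_len):
    """Strings of the given lengths containing at least one symbol NOT in
    `subset` (e.g. at least one non-alpha): all strings minus the all-subset
    strings. This is the correct count for a 'must include a non-alpha' rule."""
    return total(alphabet, min_len, max_len) - total(subset, min_len, max_len)


def last_position_outside(alphabet, subset, length):
    """The undercount from the thread: only the LAST position is forced
    outside `subset`. A much smaller set than 'at least one position'."""
    return alphabet ** (length - 1) * (alphabet - subset)


def excluded_fraction(alphabet, subset, length):
    """Exact fraction of the fixed-length keyspace an 'at least one outside
    `subset`' rule removes: (subset / alphabet) ** length."""
    return Fraction(subset ** length, alphabet ** length)


def short_password_region(alphabet, short_max, full_len):
    """Share of the keyspace taken by lengths 1..short_max, approximating the
    whole space by alphabet ** full_len as Eivind does."""
    return Fraction(total(alphabet, 1, short_max), alphabet ** full_len)


def search_lift(user_share, keyspace_share):
    """How much more productive searching a region is than a random slice of
    the same size: share of real users' passwords in it divided by its share
    of the keyspace (Eivind's argument)."""
    return Fraction(user_share) / Fraction(keyspace_share)


if __name__ == "__main__":
    print("lowercase, 1-5 chars:", total(LOWER, 1, 5))                # 12356630
    print("lowercase, 1-6 chars:", total(LOWER, 1, 6))                # 321272406
    print("6-9 chars, a-z0-9, at least one digit:",
          at_least_one_outside(ALNUM_LOWER, LOWER, 6, 9))             # 98814936052800
    print("8 chars of 94, at least one non-alpha:",
          at_least_one_outside(PRINTABLE, MIXED_ALPHA, 8, 8))         # 6042229656879360
    print("  keyspace removed: %.3f%%"
          % (100 * float(excluded_fraction(PRINTABLE, MIXED_ALPHA, 8))))   # 0.877%
    print("same rule miscounted as 'last char non-alpha', 101 keys:",
          last_position_outside(101, MIXED_ALPHA, 8))                 # 5253463225324349
    print("4 digits, at least one of 5-9:", at_least_one_outside(10, 5, 4, 4))  # 9375
    short = short_password_region(64, 5, 8)
    print("1-5 of 64 symbols vs 64^8: %.5f%%" % (100 * float(short)))  # ~0.00039%
    print("lift if 10%% of users pick them: %d" % int(search_lift("0.10", short)))
```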

  13. Guess I should change my password by lightspawn · · Score: 3, Funny

    I've been using that same old password from one of my favorite movies.

    Of course, I use the variant spelling.

    1. Re:Guess I should change my password by Anonymous Coward · · Score: 0

      The password you're referring to is actually a Welsh village with the longest name in the world.

      It actually means something, though I can't really remember what exactly (the town near the small brook, under the tree something something).

    2. Re:Guess I should change my password by Anonymous Coward · · Score: 0

      Check out www.llanfair.com

  14. Shift a key over and throw in some numbers... by pr0c · · Score: 1

    My policy for a long time has been to pick two words and shift my keys over one, sometimes alternating, and then I throw a number (or its shift key version) into it somewhere. An example of this would be SlashdotNews = A2kaagsirMred or Aka$agsirMred; it is easy to remember even for non techie people. It is secure enough for me...

    1. Re:Shift a key over and throw in some numbers... by Anonymous Coward · · Score: 0

      I'm a fan of choosing some letters of a meaningful sentence, and throwing in a punctuation mark, capital letter, and/or number.

      iaF0cs!l seems pretty random to me. It doesn't look like a dictionary word, and the number of permutations needed to brute force it is (26+26+10+14)^8 or 1.11e15.

    2. Re:Shift a key over and throw in some numbers... by kunudo · · Score: 1

      I always take some random sentence, take the first letters of each word, put in some numbers or something, shuffle, and after having used it 3 times or so, it's locked in my head (or fingers?). You can always derive the password again from the sentence.

      Like this: My Policy For A Long Time Has Been To Pick Two Words = mpfalthbtptw == pmfal4thbtp41tw

      Strong enough for my uses.

  15. Some pretty complex ones are there too... by Artega+VH · · Score: 3, Informative

    As a comment at the bottom says:
    A52896nG93096a

    but also:
    dn_04rjc
    ksdjfg934t
    sldkj754

    ----
    I was going to ask how this list was compiled, but since I got really interested I happened to google these and found the following: This seems to indicate that ksdjfg934t is a default password for a SuperMicro PC BIOS Console.

    And from the same site: Micronics has a PC-BIOS which uses dn_04rjc as the default password as does Micron for the password sldkj754.

    I want to know how often these passwords are used for services that are open to the internet, or even to the local network. I would imagine that these bios passwords are only able to be entered locally? If so why does that merit a place on this "Passwords that should NEVER be used!" list... apart from the fact that now this list will be used in lame dictionary attacks....

    --
    groklaw, wired and slashdot. The holy trinity of work based time wasting.
    1. Re:Some pretty complex ones are there too... by gl4ss · · Score: 2, Insightful

      it's just a stupid list made up to get some 'content' into a contentless article, f'kin waste of time really (the whole article). they could have just linked to some dictionary file used in these attacks and saved the hassle since they can't possibly cover the passwords one shouldn't use and since they decided to go for the default/master bios passwords and shit like that the whole point is lost.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Some pretty complex ones are there too... by Emnar · · Score: 1

      Interesting. Those passwords are mostly made up from the home row on a qwerty keyboard. Obviously somebody just banged them in (literally) instead of using any kind of random character generator.

      I wonder if anybody has written a password cracker that focuses on the "asdfghjkl;" row. That's certainly a much, much more limited set of combinations than the full keyboard, especially without capitals!

    3. Re:Some pretty complex ones are there too... by rthille · · Score: 1

      I worked on some software where I requested a password from the user and didn't want to just pick something that every customer would know was the default for every install. So I ended up using 'ps' and transforming the output quite a bit, figuring that the odds the output would be the same on two different boxes were minimal.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  16. Favorites from the Real World by angst_ridden_hipster · · Score: 2, Funny

    Of course, none of these are very good as passwords (mostly vulnerable to dictionary attacks), but amusing nonetheless:

    Mr.Root

    logout

    friend
    friend and enter

    open sesame
    open tahini

    open the door HAL

    admit1

    lemmeIN

    hey,babe
    what'syoursign?

    Since I'm a little slow, the last two had me puzzled. It was explained to me that they were "pass words," i.e., words used in making passes.

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net
  17. Weed the idiots out... by identity0 · · Score: 1

    Am I the only one here who thinks we need to have an Ask Slashdot called "What's your Slashdot Password" to weed the idiots out?

    Wow, I'm surprised how few there are on that list. I would have thought things like city/state names, zip codes, and movie/band names would be more common.

  18. John the Ripper by Dammital · · Score: 4, Informative
    Last July I installed John the Ripper on my home firewall. John is a password cracker, something like crack and l0phtcrack. I wanted to see how vulnerable my own passwords were.

    From what I can tell, John runs a dictionary-based attack against your master.passwd file, then runs the dictionary with various shifts in capitalization, then runs the dictionary again with an assortment of numeric digits inserted into its guesses.

    Finally John just runs a brute-force attack, generating passwords with successively longer and longer lengths until it lucks out.

    In my case John finally did luck out, finding one of my passwords after 18 days of crunching numbers. This particular account had a relatively weak password -- though no dictionary attack would have found it, it was still only five bytes long. That's a wakeup call for me. I've been using shorter passwords for years, thinking that by avoiding common words I was safe. But I can see that they're breakable now.

    It's one thing for someone to preach that you should really have longer passwords; it's quite another to see it for yourself. If your passwords are easy to guess, or are variants of dictionary words, or can be generated easily by brute force -- there are widely available tools that can give the keys to the city to any lowlife that wants into your machine.

    Run one of the password crackers on your own system today, and become enlightened! And don't be comforted by the 18 days it took to crack my easy five-character password on a 300MHz Celeron notebook: there's also a distributed version of John the Ripper that divides up the work of cracking your password file among many computers.

    The more I learn about security, and the tighter I make my systems, the more afraid I am. If you aren't afraid, you are either very very good at what you do -- and I humbly bow before you -- or you haven't much of a clue.
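The stages described in the post above (dictionary words, case shifts, inserted digits, then length-based brute force) turned into a defensive password check, as an added Python example that is not code from John the Ripper or from the poster; the sample wordlist, the 94-symbol alphabet and the minimum length are assumptions of the example.

```python
import string

# Constructed sample wordlist; a real check would load a full dictionary file.
SAMPLE_WORDLIST = {"password", "letmein", "dragon", "monkey", "welcome", "apple"}

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols (example assumption).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def dictionary_base(password, wordlist=SAMPLE_WORDLIST):
    """Return the dictionary word a password is derived from, or None.

    Mirrors the first three stages in the post: the plain word, the word with
    its case shifted, and the word with digits inserted or appended."""
    lowered = password.lower()                                   # undo case shifts
    if lowered in wordlist:
        return lowered
    stripped = "".join(ch for ch in lowered if not ch.isdigit())  # undo digits
    if stripped and stripped in wordlist:
        return stripped
    return None


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of candidates an exhaustive search of this length must cover."""
    return alphabet_size ** length


def audit(password, wordlist=SAMPLE_WORDLIST, min_length=8):
    """Classify a password in the order the post's attack would find it.

    Returns (verdict, reason, detail): ("weak", "dictionary", base word),
    ("weak", "length", how many times cheaper than min_length an exhaustive
    search is) or ("ok", None, None)."""
    base = dictionary_base(password, wordlist)
    if base is not None:
        return ("weak", "dictionary", base)
    if len(password) < min_length:
        ratio = keyspace(min_length) // keyspace(len(password))
        return ("weak", "length", ratio)
    return ("ok", None, None)


if __name__ == "__main__":
    for candidate in ("APPLE2", "Drag5on7", "qwert", "Xk3!vqp#z9"):
        print(candidate, audit(candidate))
```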

    1. Re:John the Ripper by Anonymous Coward · · Score: 0
      In my case John finally did luck out, finding one of my passwords after 18 days of crunching numbers.

      Is your password on a high-profile system? If not, I'm sure spending 18 days of crunching numbers isn't really worth it for stealing credit card numbers since there are plenty more easy targets.

  19. I'm safe! by babbage · · Score: 2, Funny

    Woohoo! My trusty old 1234567890 didn't make the list!

    /me wipes brow at his well-chosen password

    1. Re:I'm safe! by Josh+Booth · · Score: 1

      "So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!" Obligatory Spaceballs quote.

    2. Re:I'm safe! by Anonymous Coward · · Score: 0

      If I had mod points now, I'd give you the obligatory "redundant" mod.

    3. Re:I'm safe! by Anonymous Coward · · Score: 0

      Remind me to change the combination on my luggage.

  20. An honest look at password creation by WarPresident · · Score: 5, Funny

    (January)
    User: Tim
    Password: NEWUSER

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password

    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password01

    OK ...
    (February)
    User: Tim
    Password: password01

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password01

    THIS PASSWORD HAS BEEN USED RECENTLY
    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password02

    OK ...
    (March)
    User: Tim
    Password: password02

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password03

    OK ...

    repeat ad nauseam

    --
    Here come da fudge!
    1. Re:An honest look at password creation by BRSloth · · Score: 5, Funny

      Login: yes
      Password: i dont have one
      password is incorrect

      Login: yes
      Password: incorrect

    2. Re:An honest look at password creation by dtfinch · · Score: 1

      I've dealt with setups like that. Started with a password nobody would ever guess, and it gradually got weaker and weaker every time I was forced to change it. Now I just toggle back and forth between two weak passwords.

    3. Re:An honest look at password creation by squiggleslash · · Score: 2, Interesting
      Interestingly "NEWUSER" isn't on the list, and most organizations I've worked with use that as the initial password for new accounts...

      Ok, now the mind boggles. The other password I see all the time as a "default" is "welcome". That's not on the list either. How does 240653C9467E45 make the list, but not WELCOME or NEWUSER?

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:An honest look at password creation by WarPresident · · Score: 1

      I've dealt with setups like that. Started with a password nobody would ever guess, and it gradually got weaker and weaker every time I was forced to change it. Now I just toggle back and forth between two weak passwords.


      More than two dozen accounts here, only 7 different passwords, sad to say. Once they all had different passwords, but then I lost my slip o' paper from my wallet and had to change them all at the same time. It's easier to have a few passwords and change them regularly on a particular day. Though I did have the idea for a relatively simple hash that I could do in my head to generate a password for each system. Still had to have a slip o' paper for IDs, and had to spend time thinking up the password. Not too much of a time waster til you have to ssh 5 systems deep...

      --
      Here come da fudge!
    5. Re:An honest look at password creation by Anonymous Coward · · Score: 0

      Another very common one for new accounts is the name of the company.

    6. Re:An honest look at password creation by KnightStalker · · Score: 1

      That's the default password for a Windows user created for some sort of Compaq management utility. (No, I don't really know that. I just know... um, someone, who, um, knows everything.)

      --
      * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
  21. Disappointed ... by jc42 · · Score: 1

    ... I couldn't find any of my passwords there. Not even the ones that were machine generated.

    I was especially disappointed that the numeric section didn't include 17 or 42. Or 1742, for that matter. Where are they getting their lists?

    And "mrroot" wasn't there, either. (A shout-out to my old Project Athena cohort. ;-)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  22. Security is control! by Anonymous Coward · · Score: 0

    I use just "enter" for my password. You should too.
    - rms

  23. abc I understand by platipusrc · · Score: 1

    But why the heck is A52896nG93096a a regularly used easy to guess password? Is there some significance to the pattern that I'm missing?

    --
    And the muscular cyborg German dudes dance with sexy French Canadians
    1. Re:abc I understand by platipusrc · · Score: 1, Redundant

      Oh now I see. According to this default password list, it's the default password for a couple of IBM products.

      --
      And the muscular cyborg German dudes dance with sexy French Canadians
  24. Only an idiot by chaotica1974 · · Score: 2, Funny

    Would have the password 12345 on his luggage!

  25. That's the same combo on my luggage! by TheWanderingHermit · · Score: 0

    Kind of like setting the password for your atmospheric shield to 1-2-3-4-5, then later finding out it's the same combination President Skroob uses for his luggage.

    1. Re:That's the same combo on my luggage! by Anonymous Coward · · Score: 0

      Evil will always triumph over good because good is dumb.

    2. Re:That's the same combo on my luggage! by TheWanderingHermit · · Score: 1

      Evil will always triumph over good because good is dumb.

      Must be. On any stupidity scale, I'd rank using an obvious combo for an atmosphere shield that protects the whole planet a lot higher than using the same combo on luggage!

  26. Where on earth did they get this list? by 0x0d0a · · Score: 1

    Where did they come up with these passwords? It looks like the result of a run someone did at a tech university back in the day with crack or sniffing or something. I mean, while I agree that many of the passwords listed there were weak, I'm dubious about how common they are, unless g6PJ, 3ep5w2u, or I5rDv2b2JjA8Mm are particularly common egregious offenders.

    Honestly, this is filler as far as content quality goes.

  27. How are my passwords? by MBCook · · Score: 2, Funny
    Lets see...

    fizzlebop... OK
    coodleschmidt... OK
    sneedalbiz... OK
    testripithia... OK
    crumblehip... OK
    skazeltank... OK

    OK, all my passwords are safe. No one will ever guess 'em.

    .

    .

    Crud!

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  28. Use an algorithm to generate your password by Zugok · · Score: 2, Interesting
    Given the case a password has to be changed every month

    pick a day from every month of the year which has some significance and is easy to remember. This date remains the same year after year, which I think is sufficient variability because you are going to do more with the date.

    arrange the date and the current year in numerical format such as MMDDYYYY or YYYY-MM-DD

    use the date separators . / or - as their mathematical operators; combine different operators, be creative, e.g. YYYY.MM-DD or DD/MM-YYYY or simply YYYY-MM-DD.

    take the result and convert it into hex (because hex can also contain letters A-F)

    if the hex result does not meet password etiquette (unlikely), attach a description of the significance of the date chosen; if the date is a birthday, choose that person's name, for example. Say the hex result is 1FF0, and the name is Stacey, generate a password like Stacey1FF0 or S1tFaFcoey or Sta1FF0cey. Again, be creative.

    Dates are easy to remember, not a lot of effort is required. In this method, all that needs to be remembered is an algorithm.

    Granted, with each passing year the variation in the password is not going to change a lot from the password of that month a year ago, so it is still important to change how the mathematical operators are used and how the YYYY MM DD are arranged. To add more variability, perhaps throw the day into the mix, like 1 for Monday, 2 for Tuesday. That's rather simplistic, but there is a lot more that can be done; be creative. It's not hard.

    --
    "I just can't sit while people are saying nonsense in a meeting without saying it's nonsense" J Watson, Sci Am 288:(4)51
  29. Fundamental Numbers by Theory+of+Everything · · Score: 1

    I'm surprised that some common fundamental numbers didn't make the list:

    271 (or 271828, 2.71, etc).
    314 (or 3.14, 314159, P!=3.14, etc).
    137

    and so on.

    1. Re:Fundamental Numbers by bersl2 · · Score: 1

      The first passnumber I ever put on my voice mail was pi to 15 digits.

      Needless to say, that was going a bit overboard.

  30. Password rules at IBM Watson Research by Latent+Heat · · Score: 2, Interesting

    There is this story I heard attributed to IBM Watson that some wag has concocted a detailed list of password restrictions (no all numbers, no all characters, and so on) where the joke was that if you rigorously applied all of the rules, there was only one legal password.

    1. Re:Password rules at IBM Watson Research by SpaceLifeForm · · Score: 2, Funny

      'Sc0su><s'

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    2. Re:Password rules at IBM Watson Research by Anonymous Coward · · Score: 1, Insightful
      College I used to go to has an insane set of requirements similar to that. When trying to change a password, one can expect to spend an hour just trying to figure out a legal password. The only thing that saved me when changing passwords was the system never checked to see if you are using a different password. :)

      Yes, it's wrong, but then again, a system where it's almost impossible to create a new password is wrong too.

  31. This is perfect... by km790816 · · Score: 1

    If any of these passwords look hauntingly familiar and are being used, you should change the password immediately...because if someone hasn't tried it yet, they will now.

  32. That's nothing by dacarr · · Score: 1
    Once I was working for a pharmaceuticals distributor of an undisclosed location. I happened to watch my supervisor type her password into the mainframe.

    It was APPLE2.

    --
    This sig no verb.
  33. wtf by Anonymous Coward · · Score: 0

    What happened to, "beer?"

  34. How about? by Anonymous Coward · · Score: 0

    Well I might use fmdidgad...frankly my dear I don't give a damn or the first letters of a slogan. If I want to really be nasty I use the windows calculator "1.4121235445157648123104397328816e+497"=pi^1000! for encrypted files, I don't know how effective something like that will be though.

  35. Excellent, I'm not on the list... by hatrisc · · Score: 1

    i'd be frightened if my 33 character password was listed!

    --
    I write code.
  36. REALLY bad password by utahjazz · · Score: 4, Interesting
    Given that most web developers write code like this:
    sqlexec("SELECT * FROM users where pwd = '" + pwd + "'")
    I find a good password to be:
    '; DELETE FROM USERS; SELECT '
    1. Re:REALLY bad password by Anonymous Coward · · Score: 1, Interesting
      Or, if you just want to play around without breaking things, a common scenario is code like
      sqlexec("SELECT * FROM USERS WHERE USERNAME = '$username' AND PASSWORD = '$password'")
      ...and you can get cute results with any valid username plus a password of
      ' OR 1 = 1--
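The two query patterns quoted in the posts above, as an added Python/sqlite3 example that is not code from either poster: the concatenated query is built the way the posts show it, the parameterised version is the fix, and the in-memory users table and its credentials are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not from the thread.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """In-memory users table holding the constructed sample credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, username, password):
    """The vulnerable pattern from the thread: SQL text built by concatenation.
    Whatever the user types becomes part of the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, username, password):
    """The fix: placeholders keep user input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both login functions against the payloads quoted in the thread."""
    conn = make_db()
    tautology = "' OR 1 = 1--"                    # from the AC reply above
    stacked = "'; DELETE FROM USERS; SELECT '"    # from utahjazz's post above
    results = {
        "concat_valid": login_concatenated(conn, "alice", "correct horse"),
        "concat_wrong": login_concatenated(conn, "alice", "wrong"),
        # '--' comments out the closing quote, and OR 1 = 1 matches every row
        "concat_tautology": login_concatenated(conn, "alice", tautology),
        "param_valid": login_parameterised(conn, "alice", "correct horse"),
        # the same bytes are now just a (wrong) password value
        "param_tautology": login_parameterised(conn, "alice", tautology),
    }
    # Like the MySQL of the day (justMichael's reply below), sqlite3 refuses
    # to run more than one statement per execute(), so the stacked payload
    # errors out instead of deleting the table. That is a driver property,
    # not a defence: the parameterised query is the fix.
    try:
        login_concatenated(conn, "alice", stacked)
        results["concat_stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.Error):
        results["concat_stacked"] = "rejected by driver"
    results["rows_left"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```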
    2. Re:REALLY bad password by hyc · · Score: 1

      That seems rather odd, selecting all records that match a given password. The point of the example is fine, but the example itself is weird.

      I used to routinely embed control characters in my passwords (tab, ctrl-C, ctrl-G, ctrl-M, whatever) but then discovered that not all programs performed "raw" input the same way. There's nothing quite so annoying as having your system login program crash (and so deny you access to a system) as you're entering your password, because the program couldn't deal with embedded non-printing characters...

      --
      -- *My* journal is more interesting than *yours*...
    3. Re:REALLY bad password by justMichael · · Score: 1

      Given that a lot of web developers use MySQL, your password is going to do nothing but error out.

      MySQL doesn't support multiple queries, yet ;)

    4. Re:REALLY bad password by Anonymous Coward · · Score: 0

      lucky for me, cold fusion or mysql (don't know which to blame) doesn't support multiple queries per request.

  37. PHBs seriously love "password" by Wylfing · · Score: 2, Insightful
    I can't count how many technologically ignorant managers I've met who, giggling and leaning in close, explain that they've thought up the cleverest password ever. It's "password"! It's so obvious no one will think of it!

    --
    Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.
    1. Re:PHBs seriously love "password" by Anonymous Coward · · Score: 0

      while they're leaning in close, that's your best chance to give them a *slap*.

  38. Pencil by billh · · Score: 1

    Enough said.

  39. It's a secret! by arhar · · Score: 1

    My friend told me this story: he put a password on his computer at home and periodically changed it. He had only two passwords, really: "guessit" and "secret". His kids asked him all the time, what is his password, to which he truthfully replied, "It's secret" or "Guess it!". Needless to say, they never did.

    1. Re:It's a secret! by pyrrhonist · · Score: 1
      He had only two passwords, really: "guessit" and "secret".

      I had a conversation like this once:

      Him: "I need to do a pkgadd for the ATM cards. What's the root password?"
      Me: "thereisnone"
      Him (disbelief): There's NO root password?!?!
      Me: *snicker*
      Him (typing): What the? I hit return, but it didn't let me in. I thought you said there wasn't a pass... Wait a minute...
      Me: *cough*
      Him (typing): You greasy bastard!!!!

      --
      Show me on the doll where his noodly appendage touched you.
  40. Short passwords?? by Anonymous Coward · · Score: 2, Funny
  41. Honey Pot Passwords? by LoveMe2Times · · Score: 3, Interesting
    Does anybody out there use honeypot passwords? It seems like such an obvious idea, but it doesn't seem to be generally implemented -- at least no system that's ever given me a password has let me configure honeypot passwords. Personally, I'd really like to have a honeypot PIN for my bankcard and honeypot passwords for all of the online shopping/bills/finance stuff--ie, the stuff where it's important.

    For those unfamiliar, the idea behind a honeypot password is either

    1. to pick one or many "guessable" passwords like those in the article and use them as honeypot passwords. Allow somebody to log into the system using them but set off a silent alarm. Presumably, any would-be hacker will "crack" the honeypot password before the "real" password and will quit trying to get the real one.
    2. Have one "real looking" password (especially PIN) that you can give out if somebody demands it at gun or knife point (you get the idea). If used, it immediately notifies the authorities (silently) and shuts down the account/card in say 1/2 hour (presumably enough time for you to get away). For the would-be mugger etc there's no way to tell if they got the "real" or the honeypot password.
    1. Re:Honey Pot Passwords? by Anonymous Coward · · Score: 0

      How would one implement this on a standard GNU/Linux system using Pluggable Authentication Modules (PAM)? Suppose you wanted your normal login and password to log you in, and your normal login with a given fake password to log you in to a fake account and keep you busy while running "rm -rf /" in the background?

    2. Re:Honey Pot Passwords? by Technician · · Score: 1

      I prefer a 3 strikes and you are out system. It kills a dictionary attack almost every time. My home safe has it. My ATM uses it. Why don't user accounts? My login at work uses it. Why don't more systems use failed login lockout?

      --
      The truth shall set you free!
    3. Re:Honey Pot Passwords? by stevey · · Score: 2, Interesting

      Because it's a simple way of locking out other people of their accounts.

      I could go over to a colleague's PC and deliberately enter the wrong password five times when she's away to lunch.

      When she comes back she finds her account has been disabled, and she's locked out until the sysadmin resets it.

      At home this might not be a problem, but allowing people to lockout a remote worker from their VPN connection when they're working on something important isn't a good idea.

      I log failed passwords on our machines sure, but disabling them automatically is too much for me.

    4. Re:Honey Pot Passwords? by Anonymous Coward · · Score: 0

      It doesn't help if they have read access to the password file, because in that case they don't have to try to log in, they can just compare hashes until they find a duplicate. This is why shadow passwords are a Good Thing.

    5. Re:Honey Pot Passwords? by hyc · · Score: 1

      The draft LDAP password policy spec lets you do a lockout after a number of failed attempts, along with an expiration (so the lockout is automatically lifted after a specified idle period). I think that's a decent approach that (a) slows down attackers without (b) making life miserable for users and sysadmins.

      Things get trickier when you have a cluster of machines using a distributed authentication service. E.g., you have a bunch of machines using pam_ldap, so all of them are authenticating against a single database. Do you count 3 strikes per client machine, or 3 strikes total in the LDAP database?

      --
      -- *My* journal is more interesting than *yours*...
    6. Re:Honey Pot Passwords? by 44BSD · · Score: 1

      It isn't used because it makes for a great denial of service mechanism.

    7. Re:Honey Pot Passwords? by plover · · Score: 1
      Have one "real looking" password (especially PIN) that you can give out if somebody demands it at gun or knife point (you get the idea). If used, it immediately notifies the authorities (silently) and shuts down the account/card in say 1/2 hour (presumably enough time for you to get away). For the would-be mugger etc there's no way to tell if they got the "real" or the honeypot password.

      The common name for this is the "duress code". Most alarm systems provide for a code that triggers a silent alarm while appearing to deactivate.

      And before you run out to patent this, I learned about them in the early 1980s, so the patents have probably already expired.

      --
      John
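The lockout-with-expiry that hyc describes and the duress code that plover names, sketched together as an added Python example that is not code from any poster or from the LDAP password-policy draft: the three-strike count, the 900-second lockout, the half-hour disable delay and the ManualClock are assumptions of the example, and the per_client switch exposes both answers to hyc's cluster question.

```python
import hashlib
import hmac
import os
import time


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class ManualClock:
    """Deterministic clock so lockout expiry can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class Authenticator:
    """Password check with a failed-attempt lockout that lifts itself after an
    idle period, plus an optional duress password that authenticates, raises a
    silent alarm and disables the account after a delay."""

    def __init__(self, max_failures=3, lockout_seconds=900,
                 duress_disable_seconds=1800, per_client=False,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.duress_disable_seconds = duress_disable_seconds
        self.per_client = per_client      # count strikes per client, or in total
        self.clock = clock
        self.accounts = {}                # user -> {"salt", "hash", "duress"}
        self.failures = {}                # key -> (count, time of last failure)
        self.disable_at = {}              # user -> time the account goes dead
        self.alarms = []                  # (time, user, client) duress events

    def add_account(self, user, password, duress_password=None):
        salt = os.urandom(16)
        self.accounts[user] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "duress": (hash_password(duress_password, salt)
                       if duress_password else None),
        }

    def _strike_key(self, user, client):
        # hyc's cluster question: 3 strikes per client machine, or 3 in total?
        return (user, client) if self.per_client else (user, None)

    def _locked_out(self, key, now):
        count, last = self.failures.get(key, (0, 0.0))
        if count < self.max_failures:
            return False
        if now - last >= self.lockout_seconds:
            del self.failures[key]        # idle period elapsed: lockout lifted
            return False
        return True

    def _record_failure(self, key, now):
        count, _ = self.failures.get(key, (0, 0.0))
        self.failures[key] = (count + 1, now)

    def login(self, user, password, client="localhost"):
        """Return "ok" or "denied". A duress login also returns "ok": whoever is
        watching the screen must not be able to tell the two apart."""
        now = self.clock()
        key = self._strike_key(user, client)
        account = self.accounts.get(user)
        if account is None or self._locked_out(key, now):
            return "denied"
        if user in self.disable_at and now >= self.disable_at[user]:
            return "denied"               # duress delay has run out
        candidate = hash_password(password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            self.failures.pop(key, None)
            return "ok"
        duress = account["duress"]
        if duress is not None and hmac.compare_digest(candidate, duress):
            self.alarms.append((now, user, client))        # silent alarm
            self.disable_at.setdefault(user, now + self.duress_disable_seconds)
            self.failures.pop(key, None)
            return "ok"
        self._record_failure(key, now)
        return "denied"


if __name__ == "__main__":
    clock = ManualClock()
    auth = Authenticator(clock=clock)
    auth.add_account("alice", "correct horse", duress_password="battery staple")
    for _ in range(3):
        auth.login("alice", "wrong")
    print(auth.login("alice", "correct horse"))   # denied: locked out
    clock.now = 900.0
    print(auth.login("alice", "correct horse"))   # ok: lockout lifted
```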
  42. Whew! by multiplexo · · Score: 1
    Thank goodness that the password I use for all of my systems and accounts, "thr0bbingl0v3m3at", wasn't on the list!

    --
    cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
    1. Re:Whew! by Anonymous Coward · · Score: 0

      Hah, it doesn't work! Someone else must have taken over your account already!

  43. When I was working in IT by einTier · · Score: 3, Informative
    When I was working in IT, I often said, "give me the names of a given person's children, their pets, their significant others, the kind of car they drive, their job title, and any hobbies, and I'll guess 95% of all passwords."

    It's scary how many people think the name of their child makes a great password.

    --
    -------------------------------------------------- $665.95 -- retail price of the beast.
    1. Re:When I was working in IT by jhunsake · · Score: 1

      Professor Falken.

    2. Re:When I was working in IT by Anonymous Coward · · Score: 0
      It's scary how many people think the name of their child makes a great password.

      Or possibly, they simply don't care if other people break into their account. After all, why would anyone want to break into little old me's account.

      And as a sysadmin, the main reason you care is that a user account is the first and hardest step to root-access to the machine. But ordinary users either don't care or don't know about that.

    3. Re:When I was working in IT by Anonymous Coward · · Score: 0

      I'm upgrading an old mail server to Mac OS X (importing all existing users), when I noticed our "webmaster" uses the first half of his/her email address for his/her password... *shakes head*

    4. Re:When I was working in IT by beggarstune · · Score: 1

      Add to the list all the people one has ever had sex with, and I think you're right.

      --
      (S+C) x (B+F)/T = V
    5. Re:When I was working in IT by Anonymous Coward · · Score: 0

      well when you name your kids things like

      tXVg9GAJobypS
      MMSHDSq
      dHyQdGwhQF
      zdRi1amfct
      r5PTB9Xv
      IdTBzyJrpKvdPP

      you sorta figure it wouldn't be too bad.

      doesn't anyone else use 'makepasswd' to name their children?

    6. Re:When I was working in IT by pyrrhonist · · Score: 1
      It's scary how many people think the name of their child makes a great password.

      I use the name of my cat as a password. Her name is "qzX184v.sdR19", but I change it monthly. She's so confused.

      Well, it's time to update the authentication token again. Here kitty, kitty...

      --
      Show me on the doll where his noodly appendage touched you.
  44. YEAH BUT by GNAA+Goat-See · · Score: 0

    Don't forget "God". System administrators LOVE to use "god", the whole male ego thing.

  45. Uncanny! by crawdaddy · · Score: 2, Funny

    Numeric insecure password list: 0, 1, 1.1, 2, 5, 7, 12, 30, 110, 111, 123, 1111, 1234, 2002, 2003, 2222, 2600, 8429, 12345, 54321, 111111, 121212, 123123, 123456, 166816, 256256, 654321, 1234567, 1322222, 7061992, 11111111, 12345678, 19920706, 22222222, 88888888, 123456789, 1. 1, 1234qwer, 123abc, 123asd, 123qwe, 1RRWTTOOI, 240653C9467E45, 24Banc81, 3098z, 3ep5w2u, 4Dgifts, 4getme2, 4tas, 57gbzb

    12345?! That's incredible! That's the same combination I use on my luggage!

    1. Re:Uncanny! by sadler121 · · Score: 1

      OK, laugh all you want, but when I came into a Mission Office, while I was serving a mission (run by old guys) ~50% of the computers had the password 12345, and even after we told the old guys to change the password, they still reverted back to 12345. :-P

  46. Things To Never Use by Piquan · · Score: 2, Funny

    MEMORANDUM

    From: Information Services

    To: All personnel

    Re: Secure computing practices

    The following, found during a routine review of our authentication system, are insecure and should never be used:

    • accounting
    • admin
    • backup
    • boss
    • cisco
    • congress
    • death
    • engineer
    • ibm
    • internet
    • kiddie
    • love
    • manager
    • sex
    • snake
    • user
    • windows
    • www

    Avoid anything on this list. Any personnel using anything on this list will be required to attend a mandatory fnord security training class, and may possibly face reprimands for repeat offenses.

    1. Re:Things To Never Use by Anonymous Coward · · Score: 0

      don't forget:

      nimda

      and you think system administrators know better.

  47. Public Key Authentication by rimu+guy · · Score: 1

    Why are we still using passwords for everything? I must sign up for 2 or 3 new websites a week. I've been using the Internet for 32 years now. So that means I've signed up for just over 8388640 passwords.

    Would someone please write a browser plugin that will enable public/private key authentication using my ssh agent. Then I just need to tell them my public key.

    ADV: Get your own 'no password required' virtual private server

  48. Hey *what*? by mibus · · Score: 1

    That is the list of passwords I've been getting mine from for years. They must have it backwards, they're the passwords you're *supposed* to use. Right?

    Everybody use those passwords, they're safe. Nobody knows about them.

    Umm.. /me makes a worried face and starts running 'passwd' a lot...

  49. Remember Demolition Man by bosef1 · · Score: 1

    The "something you have/something you know/something you are" paradigm for security is a good place to start (doubtlessly there are better forms overall, but the current state of security is so bad that most anything would be an improvement). However, whenever I hear this paradigm being espoused, the thought that comes to my paranoid/gristly mind is that many of the something-you-ares that would be useful security measures are just something-you-haves that you have a lot tighter than an ID card. Of course, you are probably aware a lot sooner if someone steals your thumb than if they steal your badge or password. 'Course, if they tied you up first...

    In any event, if you are building a something-you-have detector, it would be good to have it verify that the something you have is still attached to you, probably by measuring the presence of a pulse.

    1. Re:Remember Demolition Man by Hast · · Score: 1

      I think the rule of thumb (har har) there is that you want to make sure that the "something you have/are" thing is something you can "throw to the ground and run".

      So if you are going to spend a lot of money using biometrics you need to have physical guards there as well. (Naturally they can also work to help people.) These guards would make the systems better by stopping the biggest attacks on these systems: fooling fingerprint detectors, or holding up an image in front of your face at the iris detector.

    2. Re:Remember Demolition Man by plover · · Score: 3, Insightful
      There are several important distinctions to be made between something you "have" vs something you "are".

      Here are some points to ponder regarding something you "are":

      • Your biometric data must be digitized before a computer system can make use of it.
      • Your biometric data is not secret.
      • Your biometric data is unchangeable.
      • Your biometric data cannot respond uniquely to every request made of it.
      • It may be difficult or impossible for the user to validate that they are being "read" by a legitimate scanner.

      And here are some points regarding something you can have - a smart card:

      • A smart card has an internal digital processor plus some data.
      • A smart card responds uniquely to every challenge made.
      • A smart card's contents cannot be casually read without sophisticated equipment.
      • A smart card can be deactivated or disposed of and replaced in the event of compromise.

      What do these points mean? Biometric information can be copied at many levels, and presented as "real" data at many points in the security perimeter. A fake fingerprint can be made for under $20 and almost no skill is required. Mallory can hold up a photo in front of an unattended camera to convince a system that Alice is at the reader. A "fake" retinal scanner could be placed in front of a "real" retinal scanner at the bank's Eye-ATM machine ('retinal skimming' just sounds evil.) Or, the thumbprint reader at the Bada Bing's cash register might actually be a thumbprint/DNA recorder manned by Tony Soprano. You, the biometric holder, have no way of validating every reader. And in every case, a compromised biometric is of negative value to the owner. If your thumbprint data is stolen, copies of it can be made forever and you can never get it back. Your own thumbprint is now a liability, not an asset.

      In contrast, a smart card does not divulge its secrets willingly. Smart cards do not require trust in the card reader nor in the merchant. The merchant issues a challenge to the card, collects the response, and ships both the challenge and response to the bank. The bank records the challenge, validates that the challenge was never authorized before, and then validates that the response matched the challenge according to the secret rules the bank placed inside the card at the time of issuance. If a card is lost, the bank marks it lost/stolen and never authorizes it again. If a duplicate challenge is made, the merchant presenting the duplicate can be immediately suspected of fraud.

      A smart card is good security, but poor authentication. But a biometric datum is poor security, and not necessarily good authentication.

      --
      John
    3. Re:Remember Demolition Man by sjwt · · Score: 1

      back to reality,
      Iris readers won't work when you're dead, even freshly removed eyeballs; also apparently they won't work when you're crying or very highly stressed.

      Fingerprint scanners IIRC will be fooled by a wax copy.

      --
      You have 5 Moderator Points!
      Which Helpless Linux zealot/MS basher do you want to mod down today?
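
plover's contrast between a replayable biometric and a challenge-response smart card, as an added example that is not from the thread (Python; the card is modelled as an HMAC-SHA256 responder, a simplification of a real payment card, and the merchant, bank and card names are mine). It walks the exact exchange he describes: the merchant relays challenge and response, the bank checks the challenge was never authorized before, and a revoked card is never honoured again:

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Something you have: a per-card secret the card never divulges.
    Modelled as an HMAC-SHA256 responder (an assumption; real cards use
    issuer-specific cryptograms, but the shape of the exchange is the same)."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key  # known only to the card and the issuing bank

    def respond(self, challenge: bytes) -> bytes:
        # Fresh challenge in, fresh response out; the key never leaves the card.
        return hmac.new(self._key, self.card_id.encode() + challenge, hashlib.sha256).digest()


class Bank:
    """Issuer: holds card keys, the revocation list, and every challenge it has authorized."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._revoked: set[str] = set()
        self._seen: set[tuple[str, bytes]] = set()

    def issue_card(self, card_id: str) -> SmartCard:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return SmartCard(card_id, key)

    def revoke(self, card_id: str) -> None:
        # Lost or stolen: mark it and never authorize it again.
        self._revoked.add(card_id)

    def authorize(self, card_id: str, challenge: bytes, response: bytes) -> str:
        if card_id not in self._keys:
            return "unknown card"
        if card_id in self._revoked:
            return "revoked"
        if (card_id, challenge) in self._seen:
            # Same challenge presented twice: whoever replays it is suspect.
            return "replay"
        self._seen.add((card_id, challenge))
        expected = hmac.new(self._keys[card_id], card_id.encode() + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "bad response"
        return "ok"


class Merchant:
    """Relay only: picks a challenge, collects the response, ships both to the bank.
    Nothing the merchant sees is reusable."""

    def __init__(self, bank: Bank):
        self.bank = bank

    def checkout(self, card: SmartCard):
        challenge = secrets.token_bytes(16)
        response = card.respond(challenge)
        return challenge, response, self.bank.authorize(card.card_id, challenge, response)


def replayable_biometric(template: bytes, presented: bytes) -> bool:
    """Something you are, digitized: the 'secret' is the template itself, so a copy
    captured once (a lifted print, a photo at the camera) matches forever."""
    return hmac.compare_digest(template, presented)


def run_scenario() -> list:
    """Honest purchase, then a replay, a forgery, and a revoked card."""
    bank = Bank()
    card = bank.issue_card("4111-0001")  # constructed card id
    merchant = Merchant(bank)
    results = []

    challenge, response, verdict = merchant.checkout(card)
    results.append(verdict)

    # Mallory (or a crooked merchant) replays the captured challenge/response pair.
    results.append(bank.authorize(card.card_id, challenge, response))

    # Mallory answers a fresh challenge without the key.
    results.append(bank.authorize(card.card_id, secrets.token_bytes(16), b"\x00" * 32))

    # Alice reports the card lost; the bank replaces it and refuses the old one.
    bank.revoke(card.card_id)
    results.append(merchant.checkout(card)[2])
    return results
```

The bank keys its replay check on (card, challenge), so a merchant cannot resubmit a captured pair even for a still-valid card; `hmac.compare_digest` keeps the response comparison constant-time. The biometric helper is the whole point of plover's post in three lines: there is no challenge, so the stored template and the presented copy are interchangeable.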
  50. can someone explain this one? by Anonymous Coward · · Score: 0

    it doesn't make much sense how this is common, or easily guessed, any help?
    ksdjfg934t

  51. no qwerty? by Arngautr · · Score: 2, Funny

    Yes!! qwerty wasn't one of 'em that means I'm safe, er... um, yeah....

    1. Re:no qwerty? by JoScherl · · Score: 1

      That's the one I've looked for first, too.

  52. notobvious by richie2000 · · Score: 3, Funny
    The UUCP password for all customers on a certain large American ISP was for a very long time 'notobvious'. I still get a chuckle out of imagining how it came to be:

    Technician: What should we set the password to, boss?
    Boss: I don't care, just pick one that's not obvious.
    Technician: Right, boss.

    To be fair, it was just the password to login to the modem server, every customer had an additional real password to actually access the UUCP box behind it.

    --
    Money for nothing, pix for free
  53. Single character passwords? by MacroRex · · Score: 1

    According to the list, the letters 'a', 'c' and 'q', and the numbers 0, 1, 2, 5 and 7 should never be used as passwords. This means I'm safe as all my passwords are the letter 'Z'. Capitalized no less, that'll confound them!

  54. dear pclinux by Anonymous Coward · · Score: 0

    Thanks for the beautiful list of words for my brute force script!

    C.R. Ack Er

  55. US Army does this by Amata · · Score: 2, Informative

    The US Army (and the rest of the military) is in fact going to this type of approach. Every soldier, for an ID card, is issued a card with a smart chip. This card, among other uses, is inserted into a smart card reader that is hooked up to every Army AIS (around here at least) to log on. The old user/pass method may also be used to log on, but I'm not sure how long that will last.

    Brief overview may be found here: army.carlisle.mil

  56. It's useless by toshka · · Score: 2, Insightful

    If you see some guy/gal trying to guess a password you're watching a movie. If someone has your passwd file you've already screwed up. At least that's what my experience as an ISP tech support, a network admin and a web programmer has taught me... In the real world we have security holes and yellow stickers with passwords on the monitors(no, I'm not talking about my workplace:)...

  57. Re: Numerical passwords by some+guy+I+know · · Score: 1

    I'm surprised that 3.14 isn't in there (or 3.1415926535, etc.).

    And what the heck are "240653C9467E45", "3ep5w2u", "3098z", and "57gbzb"?

    --
    Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
  58. Yeouch... [ot] by Anonymous Coward · · Score: 1, Interesting

    As a naive guy running a website before, I used to verify passwords that way. How do you avoid using an sql query that doesn't open the door for nasty hacks like this?

    1. Re:Yeouch... [ot] by JediTrainer · · Score: 3, Informative

      Well, if you're using Java, you'd use a PreparedStatement.

      But if you're smart, you'd know that storing a password in plaintext is insecure (in case your database is compromised). You should be using encryption. Something like MD5 or SHA would do the trick.

      If you take the input string, then MD5sum it and store/compare THAT in the database, you should be fine.

      Of course, you should still check all of your other input for any other queries you do, but I'll save that as an exercise for the reader.

      /me is wondering how many people read the parent and instantly went into a panic :)

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
    2. Re:Yeouch... [ot] by Uzito · · Score: 1

      1) Use a stored procedure
      2) Use Oracle SYS.DBMS_OBFUSCATION_TOOLKIT.desencrypt to encrypt passwords

    3. Re:Yeouch... [ot] by cosmo7 · · Score: 1

      As a naive guy running a website before, I used to verify passwords that way. How do you avoid using an sql query that doesn't open the door for nasty hacks like this?

      Compare the hash.

    4. Re:Yeouch... [ot] by Anonymous Coward · · Score: 0

      Simplest method - remember to escape any strings you put into an sql statement. eg in PHP

      mysql_query("select * from user where password = '".mysql_escape_string($password)."'");

      Obviously you should be comparing hashes instead of the actual plaintext password, but this advice holds for any user input you stick into queries

    5. Re:Yeouch... [ot] by utahjazz · · Score: 1

      /me is wondering how many people read the parent and instantly went into a panic :)

      That was my original thought when posting. I'm always amazed how I have to explain to developers that you don't concat strings sent from the user (tainted-land) and pass them to the database. As I explain why, you can clearly tell the moment they get it. At that moment, you see their life of web coding passing before their eyes.

      "Jesus Christ, how many times have I done that!!"

      Having done many an app assessment job in my career. I can tell you, there are many really really really important apps out there that have the SQL injection vulnerability.

      I feel like those guys that designed the air traffic control system, and can bring themselves to get on a plane.

      (P.S. Yah the password SQL was a bad example. Everyone MD5's their passwords anyway, and you would never WHERE on just the pwd, you need the username too. Meeya Gulpa)

    6. Re:Yeouch... [ot] by JediTrainer · · Score: 1

      Everyone MD5's their passwords anyway

      Don't be surprised, but I've come across cleartext passwords AND stupid concatenation right at the login with some apps I'd been hired to maintain. Let me tell you, that didn't last long after I discovered it.

      What frightens me is that the idiot that wrote that is still out there, clueless, leaving security holes everywhere. He wasn't even a developer - he was just a guy who took a couple of MS courses (had every certificate in the book) and declared himself an architect. Charged a thousand bucks a day (Canadian).

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
    7. Re:Yeouch... [ot] by Monkeyman334 · · Score: 1

      If you're using PHP and magic quotes are enabled (which they are by default), then all get and post variables automatically get quoted for the database. So his

      SELECT * FROM users WHERE user='username' and pass='';DELETE FROM users;SELECT'';
      would be turned into
      "SELECT ... pass='\'; DELETE FROM users; SELECT\'';

      Which would be the desired result. In Perl you can (and should) use the DBI's quote function.

  59. sorry, double-negative... by Anonymous Coward · · Score: 0

    How do you use an sql query that doesn't open the door for nasty hacks like this?

    1. Re:sorry, double-negative... by Anonymous Coward · · Score: 0

      You run all user input through a filter that escapes special characters.

    2. Re:sorry, double-negative... by Anonymous Coward · · Score: 0

      or you do shit on php and use perl+DBI
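
The exchange in comments 58 and 59, a parameterized query versus string concatenation, as an added example that is not from the thread (Python with sqlite3; the table layout, the sample accounts and the choice of salted PBKDF2 instead of the MD5 the thread mentions are mine). It also shows why hashing the password by itself does not close the hole: the attacker UNION-injects a salt/hash pair they computed for a password they know, so the hash check passes without ever touching a real user's hash:

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; a plain MD5 table leaks to an offline dictionary attack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "correct horse"), ("bob", "kermit")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The bug from the thread: user input concatenated into SQL.
    The password is hashed and never reaches the query; the hole is the username."""
    sql = f"SELECT salt, pw_hash FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver passes the username as data, never as SQL."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def forge_username(password: str) -> str:
    """Attacker's input: close the string, UNION in a salt/hash pair computed for a
    password the attacker knows, comment out the rest. X'..' is SQLite's blob literal."""
    salt = b"\x00" * 16
    digest = hash_password(password, salt)
    return f"' UNION SELECT X'{salt.hex()}', X'{digest.hex()}' --"


def demo() -> dict:
    """Run both login paths against honest input and the forged username."""
    conn = make_db()
    attack = forge_username("anything")
    return {
        "vuln_alice": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, attack, "anything"),
        "safe_alice": login_safe(conn, "alice", "correct horse"),
        "safe_wrong": login_safe(conn, "alice", "wrong"),
        "safe_injected": login_safe(conn, attack, "anything"),
    }
```

With the parameterized query the same forged string is simply looked up as a literal username and finds no row. The escaping approach from the thread (`mysql_escape_string`, DBI's `quote`) works when applied everywhere, but placeholders make the safe path the default rather than something to remember per query.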

  60. Spaceballs by jubitzu · · Score: 3, Funny

    Dark Helmet: 1-2-3-4-5? That's the stupidest combination I ever heard in my life. That's the kind of thing an idiot would have on his luggage. President Skroob: 1-2-3-4-5? That's amazing! I've got the same combination on my luggage.

  61. Re: Short vs. long passwords by some+guy+I+know · · Score: 1
    I'm a fan of choosing some letters of a meaningful sentence
    Why not use the entire sentence?
    It's much less susceptible to brute-force attack, especially if you deliberately misspell some of the words.
    For example, "moh,Larry,Curly.3stuges" seems like it would be harder for a password-cracking program to guess than "mLC.3s".
    (If I were to write a password cracker, I would have it test for abbreviations of words as well as words, so the abbreviation of a phrase would never be more secure than the phrase itself.)
    I also find that the phrase itself is easier to remember.

    "stff.tRtv0tse" or "spacethefinalfronteer.theseRthevoyages0fthesmartshipEnterprise"?
    "87ya,Rfbf" or "87yearsago,Rfathersbrangforth"?
    "tAbr0tr!" or "theyresAbatroom0ntherite!"?
    etc.

    Of course, if you're logging in several times a day, you probably want to use the shorter password.
    --
    Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
  62. Outdated list by MasterMnd · · Score: 2, Funny

    I'm thinking that pdp8 and pdp11 are not likely to be that common anymore. Perhaps this list was a bit more accurate 20 years ago.

    Ah, well, now I've got to change all of my root passwords from youwontguessme to p^$$w0rd. Hey, at least it's not on the list.

  63. Of course... by Tuxedo+Jack · · Score: 1

    What about 42 or "forty-two?"

    After all, they're the answer to Life, the Universe, and _Everything_. Why not some wimpy little password?

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  64. TOPS-20 passwords by Engdy · · Score: 1

    My all time favorite password was from DEC's TOPS-20 OS. You could set your password to a ctl-C if you prefixed it properly.

    --
    Siggy Wiggy Figgy Tiggy a bana bo Biggy!
  65. Finland isn't part of Scandinavia by kunudo · · Score: 1

    You may quote this, but that's just Germans and Brits getting it wrong. The Scandinavian countries are Norway, Sweden and Denmark.

  66. Phew! I'm safe! by mactari · · Score: 1

    This does give me the obvious idea of writing an app that culls hotmail addresses (heck, from the spam I get from my account for starters; they're usually nice enough to CC about 15 emails that are right close to mine) and tries each of these passwords at Amazon to see what I get. That'd be the true test of the story.

    While I'm posting, where the heck do "dhs3mt" & "dhs3pms" come from? What's so common about dhs3 that would make it hit the list? Or "uwontguessme" & "youwontguessme". Though I could see that being more popular, the fact that those are both there and other right popular ones aren't make me think n is right small in this "study".

    In any event, thank heavens. "amazoN" wasn't on the list. Guess my login at Amazon is still safe.

    [submit]

    What you submitted appears below. If there is a mistake or valid password...well, you should have used the 'Preview' button!

    (doh!)

    --

    It's all 0s and 1s. Or it's not.
  67. Whatever happened to by Marxist+Hacker+42 · · Score: 0

    God being the normal root password? It didn't even show up in this list- nor any of the 15 non-English variants on that theme that I use.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  68. What? by Iron+Monkey · · Score: 1

    No 31337?

    --
    If my enemy's enemy is my friend, what happens if my enemy is his own worst enemy?
  69. Wow... They forgot the k-rad passwords by Anonymous Coward · · Score: 0

    What about 1337, 31137, r00t, w00t, foo...

  70. recommending passwords by AndyChrist · · Score: 1

    Whenever someone would ask me what they should put as their password when I set up an account for them, I would tell them "Use the name of a dead pet." If it's not a common name, or a dictionary word, it's perfect. It's easy to remember, and hard for any but a handful of people to guess.

  71. Hah, I have a foolproof password by Cro+Magnon · · Score: 1

    Nobody will be able to spell it right. It's snikclefritz, er I mean snucklefratz, er, Oh shit!

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  72. I saw kermit so I changed mine by sparkywonderchicken · · Score: 0

    To mspiggy. I didn't see 'plaintext' or 'mother' and of course the ever popular HR.

  73. 'Leet speak and letter/number substitution by dspyder · · Score: 3, Informative
    I had always recommended and sometimes used passwords written 'leet speak style, with numbers instead of letters.

    I then found out somebody wrote a password cracker that uses those rules... out went that idea!

    I have always suggested the following:
    • non-dictionary words
    • non-related to you words (kids, pets, town, etc.)
    • Combination of numbers, in the middle of a word or 2
    I once worked with a sysadmin who used song titles... I thought he was really clever until I learnt 2atgilb4 was "To All the Girls I Loved Before"... kinda clever... a bitch to type.

    Our current sa password to most of our databases is !myday (not my day).

    --D
    1. Re:'Leet speak and letter/number substitution by hp46168 · · Score: 1

      none of my passwords made the list!

      Somebody already mentioned writing down passwords and putting them in your wallet/purse.

      I agree with the posters about how ridiculous password policies can get.

      I support the idea of a universal password on a network, but in reality, this is not a good idea: in the amount of time somebody could be gone to the bathroom, a walk-by haxor could start doing mean and nasty stuff on the network.
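
dspyder's point that crackers apply leet-speak and other mangling rules to a wordlist, as an added example that is not from the thread (Python; the rule set, the constructed wordlist and SHA-256 as the stand-in hash are mine, a real run targets whatever hash the system actually stores). Substituting digits for letters only multiplies each dictionary word by a small constant, which is why "p4ssw0rd" falls as fast as "password":

```python
import hashlib
import itertools
from typing import Iterator, Optional

# Substitutions a rule-based cracker tries; an assumed subset of what real tools ship.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SUFFIXES = [""] + [str(d) for d in range(10)] + ["123", "!", "2004"]

# Constructed wordlist in the spirit of the article's list.
WORDLIST = ["password", "kermit", "manager", "snake", "girls"]


def sha256_hex(text: str) -> str:
    """Stand-in for whatever hash the target system stores (MD5, crypt, ...)."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word: str) -> Iterator[str]:
    """Every combination of plain and leet spelling for each substitutable letter."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def mangle(word: str) -> Iterator[str]:
    """Rule stack: leet substitution, then case, then appended digits/symbols."""
    seen = set()
    for leet in leet_variants(word.lower()):
        for cased in (leet, leet.capitalize(), leet.upper()):
            for suffix in SUFFIXES:
                candidate = cased + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def crack(target_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """Return the candidate whose hash matches, or None if the rules never reach it."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


def candidate_count(word: str) -> int:
    """How many guesses one dictionary word expands to under these rules."""
    return sum(1 for _ in mangle(word))
```

A word with no substitutable letters expands to 3 case forms times 14 suffixes; "password" has four substitutable positions and expands to 16 times that. Either way it is a few hundred hashes per dictionary entry, which is nothing against an offline hash list, and real rule files are far larger than this one.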

  74. Pyee by cwis42 · · Score: 1

    I feel safe, as the article states explicitly that one should not use one of these as their password. Fortunately for me, I found one of my codes in the list, but it is the one for my wallet.

  75. My strategy by Anonymous Coward · · Score: 0

    I have about 4 passwords sorted by sensitivity:

    One that I use for web sites that insist I create an account. Hotmail, NYTimes, crap like that.

    One for higher security stuff but that I may have to share with people in my company. The root password to some of our machines, for instance.

    One that I use for anything related to personal finances like PayPal - websites that I assume are secure and that would be a problem if the password got out.

    And, one for very high security stuff where it never has a chance to be stored on someone else's site. For instance, I sometimes put copies of the source code to our whole project on CDs that I send to customers. That code is blowfish encrypted using this highest security password.

  76. Re: Short vs. long passwords by plover · · Score: 1
    "theyresAbatroom0ntherite!"

    So THAT'S what CCR's been singing all these years! Thanks, dude!

    Y'know, that implies that the most secure password of all has got to be the original lyrics to "Louie, Louie". Nobody's been able to guess them for over forty years, and it's not for lack of trying.

    --
    John
  77. Re: Short vs. long passwords by some+guy+I+know · · Score: 1

    In case you are interested, I got the lyrics from this page on this site.
    Here's some info on "Louie Louie".

    --
    Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
  78. Also don't forget by Anonymous Coward · · Score: 0

    Christians are likely to have "ichthus" as a password.
    Tree-huggers are likely to have "sequoia" as a password.

    Because nobody outside their little cliques would ever guess such a password, obviously.

  79. Another commonly used password... by Anonymous Coward · · Score: 0

    3WayOlsenTwins

    Yep, yep.

  80. Resetting passwords by Orion+Blastar · · Score: 1

    Many times the users forget their password and a temp password that is easy to remember is used, so they can log on and change it.

    We used "password" for the temp password at one employer. Many people did not change it afterwards. One woman kept forgetting her password, and then eventually complained about the temp password, she said "Could you please not use the word 'password'? It is too hard for me to remember." I think we used her first name instead.

    Many people use easy to guess passwords that are based on:

    Their name
    Their spouse's name
    Their children's names
    Their favorite sports team
    Their favorite drink or food
    Their favorite color
    etc.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  81. Re: Numerical passwords by crawdaddy · · Score: 1

    And what the heck are "240653C9467E45", "3ep5w2u", "3098z", and "57gbzb"?

    Default passwords for Compaq Insight Manager, Nortel Meridian MAX, Zenith BIOS, Joss BIOS, respectively. I googled for them in less than five minutes. Two of them came up on the first link.

  82. Good security tactic, actually. by abb3w · · Score: 1

    Obscene passwords (or phrases) reduce the chance of anyone casually mentioning what their password is.

    --
    //Information does not want to be free; it wants to breed.
  83. Parent is modded *insightful*? by abb3w · · Score: 1

    Um... most people don't have several million dollars in their bank accounts, which is what a bad password can cost a company in (a) industrial espionage, (b) lawsuits, or (c) embezzlement, depending what the password is to.

    And I've been making noises to my bank about wanting at least a 5 digit pin since I got the damn card.

    --
    //Information does not want to be free; it wants to breed.
  84. Forget passwords, dont use this username... by pinkstuff · · Score: 1

    "con" - at least not for anything MS based. I remember trying to log in as "con" on a friends computer after hearing about the bug - thinking nothing would happen, next minute the computer froze up and couldn't be rebooted. Needless to say my friend wasn't impressed! YHBW!

  85. Whose Hotmail? by Anonymous Coward · · Score: 0

    The great one in the defaultpassword.com list: as_secular@hotmail.com iloveyou