Slashdot Mirror


Passwords That Should Never Be Used

The Original Yama writes "Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses. PCLinuxOnline provides an alphanumerical list of commonly used weak passwords that should never be used. If any of these passwords look hauntingly familiar and are being used, you should change the password immediately."

20 of 239 comments

  1. missed one... by Anonymous Coward · · Score: 5, Funny

    I worked ISP tech support and the one I remember showing up way too often was:

    thx1138

    1. Re:missed one... by Prior+Restraint · · Score: 5, Informative

      I'm sure a thousand people will reply, but here: THX 1138.

  2. I've secured my Internet privacy by prostoalex · · Score: 4, Funny

    I've protected my privacy and use Gator for all my passwords.

  3. I keep it simple by Anonymous Coward · · Score: 5, Funny

    I use PASSWORD for everything.

    1. Re:I keep it simple by ConceptJunkie · · Score: 4, Funny

      Yeah, I could have guessed that. I think a lot of people are using your /. account to post. I see that username dozens of times in every story.

      I'm surprised that the classic "xyzzy" isn't in the list. Other words I would have expected to see: "fred", "bofh", "windows", and "billgatescanbitemyshinymetalass".

      --
      You are in a maze of twisty little passages, all alike.

  4. Top 10 Passwords Not to be Used by AtariAmarok · · Score: 5, Funny

    10. iluvalqueda

    9. idareyoutoguessthis

    8. oldfattylumpkinwhosewisenoseledushere

    7. *******

    6. (my actual password)

    5. cowboyneal

    4. pencil

    3. neo

    2. secret

    1. password

    --
    Don't blame Durga. I voted for Centauri.

    1. Re:Top 10 Passwords Not to be Used by Josh+Booth · · Score: 4, Funny

      I'm surprised "gandalf" is not there. Everyone knows that it's the password of every other root account in the world.

    2. Re:Top 10 Passwords Not to be Used by Anonymous Coward · · Score: 4, Funny

      Posting anonymously to not get myself in trouble... hi mike!

      I worked with this engineer, call him mike, who had an account on a customer's machine. He was on vacation when the customer wanted a little help with that machine. The other engineer and I call mike to get his login and password to do some remote maintenance. Mike is reluctant to tell us the password. We think he's just being secretive, until he asks to be taken off speaker phone so he can tell us. His password: bigblackdonkeydick.

      Sometimes password isn't so bad...

  5. strong passwords = broken by design by eraserewind · · Score: 4, Insightful

    Your users shouldn't require anything more than a 4 digit pin & a magnetic card. If it's enough to protect their money, it's surely enough to protect some stupid data.

    Any lame brained security system that depends on people choosing difficult to remember passwords and changing them every 3-6 months is broken by design.

    1. Re:strong passwords = broken by design by babbage · · Score: 4, Interesting

      A mag-strip card IS a type of password

      Kinda... not really.

      The important thing to keep in mind for any authentication system -- not just computers, but any system that requires people to identify themselves -- is that there are basically three ways to go about it:

      1. Something you know. (A password or passphrase; your mother's maiden name; your favorite song.)
      2. Something you have. (Some kind of physical token like an ATM card, the key for your car or house, the hardware decoder in a DVD player, or one of the hardware dongles that were briefly popular for enforcing software licenses a few years ago.)
      3. Something you are. (Biometrics: your thumbprint or retina scan; your photo & physical description on a license or passport [which itself is something you have -- see above]; DNA samples; voice or handwriting recognition; etc.)

      Good security systems use at least two of these authentication classes: the ATM doesn't work unless you insert your card (something you have) and enter your PIN (something you know); when travelling abroad, customs agents will examine your passport (something you have), will cross-check your appearance against the passport's photo & description (something you are), and may ask probing questions about your travel plans (something you know).

      Bad security systems rely exclusively on one of these elements. Basically all Internet security comes down to things you know, a/k/a passwords. From your point of view, an online purchase may seem to involve something you know (a password) and something you have (the numbers on your credit cards), but from the merchant's point of view they're just taking your word for it because they have no way to validate that the security token you're using is actually in your possession -- hence, credit card fraud. Likewise, I've voted in every election since I turned 18, and not once has an election worker asked for anything more than my name & address (something I claim I know) -- they never ask for an ID (something I have) or a fingerprint (something I am) etc. With this kind of scrutiny, it wouldn't be very hard for someone to spend all day voting in every precinct around. (I'm hopeful that electronic voting may actually fix this problem, but if as seems likely it introduces even more avenues for fraud then forget it.)

      So, a password is essentially something you know, while an access card is something you have. There's a subtle but essential difference. If it was a string of numbers stamped on the card in an easily human readable way, then it could be considered as a form of password, but the fact that you need a machine to read it really enforces the point that it's something different. And that's why it's a good thing! A computer security system that relied on both traditional passwords as well as this kind of physical token would stand a much better chance of being robust than any system that used only passwords or tokens.

      The problem is, almost nobody has a computer capable of reading such tokens. Aside from point of sale systems, almost no one has any use for card reading wedges, so building an authentication system around a requirement for card readers would be difficult to deploy broadly. Setting it as a general company policy might not be hard to do for most companies, if only because there you have a hope of installing the reader hardware for all users. Requiring a dual "know/have" or "know/are" system only for certain systems (access to sensitive areas, etc) would be prudent for any business to implement, but going from there to building a business of providing such systems to the general public would be much harder as long as the infrastructure doesn't exist -- that is, as long as Dell isn't shipping access card readers with every machine they sell.

      So: something you know, something you have, something you are. Keep these in mind and the analysis of secure authentication mechanisms gets much clearer.

  6. huh? by Hythlodaeus · · Score: 4, Interesting

    Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?

    --
    For great justice.

    1. Re:huh? by Josh+Booth · · Score: 4, Interesting

      I'm assuming that most of the passwords are defaults that some guy in a computer lab decided looked strong. However, when every system you ever produced uses the same password, even if it is completely random, you'll have a security problem.

    2. Re:huh? by jfdawes · · Score: 4, Informative
    3. Re:huh? by m.koch · · Score: 5, Informative

      Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?

      As google told me, these are default passwords from this list which is in fact much more useful.

  7. Hmm, not really trolling... by smoondog · · Score: 4, Informative

    OK, every once in a while we get an article similar to this. The links change but the article is the same. Passwords are inherently insecure to some sort of guessing attack, is the statement.

    I'm going to suggest something here that is perhaps a little controversial. Perhaps, if password zealots spent less time complaining about passwords and spent more time protecting machines from this sort of attack (w/o making an easy path to a DOS attack) this wouldn't be an issue. Imagine this: Passwords are never transferred as plain text. Any systematic attempt at guessing a password is prevented before the attacker gains access. Users make mistakes a few times; even for the most simple passwords, one must sample tens of passwords to break in. Systematic attempts are predictable, just like trolls on slashdot are (generally) identifiable (remember those page lengthening posts?) and spam is filterable.

    In my not so humble opinion, password guessing attacks are an administrator problem, not a user problem. And the administrators seem more interested in pestering users than actually developing systems to prevent this type of attack.

    -Sean
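
Added example, not from smoondog's comment or any product: one shape the "stop systematic guessing without opening a DoS path" idea can take. Failures are counted per (account, source) pair with an exponential back-off, so a guesser is slowed to a crawl while the account's owner, arriving from another address, is not locked out by the attacker's attempts. The thresholds, delays and IP addresses are assumed/constructed for the demo.

```python
"""Added example: throttling failed logins per (account, source) pair."""
import time
from collections import defaultdict

# Policy constants: assumed values for the demo, not taken from the comment.
FREE_FAILURES = 5      # consecutive failures tolerated before any delay
BASE_DELAY = 2.0       # seconds; doubles with every further failure
MAX_DELAY = 900.0      # cap, so a legitimate user is never shut out for long


def delay_for(failures: int) -> float:
    """Back-off imposed after the n-th consecutive failure: 0 below the
    threshold, then 2, 4, 8, ... seconds, capped at MAX_DELAY."""
    if failures < FREE_FAILURES:
        return 0.0
    return min(MAX_DELAY, BASE_DELAY * 2 ** (failures - FREE_FAILURES))


class GuessThrottle:
    """Tracks consecutive failures per (account, source). Keying on the pair,
    rather than on the account alone, is what keeps an attacker hammering
    'tim' from locking the real tim out (the DoS path the comment warns about)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def may_attempt(self, account: str, source: str) -> bool:
        """True if this (account, source) pair is not currently backing off."""
        until = self.blocked_until.get((account, source), 0.0)
        return self.clock() >= until

    def record(self, account: str, source: str, success: bool) -> None:
        """Reset on success; on failure, extend the back-off for this pair."""
        key = (account, source)
        if success:
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return
        self.failures[key] += 1
        delay = delay_for(self.failures[key])
        if delay:
            self.blocked_until[key] = self.clock() + delay


class FakeClock:
    """Deterministic clock so the demo runs without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> tuple:
    """Attacker guesses 8 times against 'tim'; the owner checks in from
    elsewhere; then the first back-off expires. Addresses are constructed."""
    clock = FakeClock()
    throttle = GuessThrottle(clock=clock)
    attacker = ("tim", "10.0.0.9")
    owner = ("tim", "192.168.1.2")

    attempts_run = 0
    for _ in range(8):                       # systematic guessing, all wrong
        if throttle.may_attempt(*attacker):
            attempts_run += 1
            throttle.record(*attacker, success=False)
        clock.advance(0.1)
    owner_unaffected = throttle.may_attempt(*owner)
    clock.advance(BASE_DELAY)                # first back-off (2 s) expires
    attacker_again = throttle.may_attempt(*attacker)
    return attempts_run, owner_unaffected, attacker_again


if __name__ == "__main__":
    print(demo())   # (5, True, True)
```

Only five of the eight guesses reach the password check; the owner is never blocked; and the attacker's sixth guess, once the back-off lapses, will push the delay to four seconds, then eight, and so on. The caveat a practitioner would add: keying on the pair does nothing against a guesser who spreads attempts over many source addresses or sprays one password across many accounts, so a per-source and a per-account ceiling have to be layered on top, and the throttle state must be shared across all login front-ends or the attacker simply rotates between them.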

  8. John the Ripper by Dammital · · Score: 4, Informative

    Last July I installed John the Ripper on my home firewall. John is a password cracker, something like crack and l0phtcrack. I wanted to see how vulnerable my own passwords were.

    From what I can tell, John runs a dictionary-based attack against your master.passwd file, then runs the dictionary with various shifts in capitalization, then runs the dictionary again with an assortment of numeric digits inserted into its guesses.

    Finally John just runs a brute-force attack, generating passwords with successively longer and longer lengths until it lucks out.

    In my case John finally did luck out, finding one of my passwords after 18 days of crunching numbers. This particular account had a relatively weak password -- though no dictionary attack would have found it, it was still only five bytes long. That's a wakeup call for me. I've been using shorter passwords for years, thinking that by avoiding common words I was safe. But I can see that they're breakable now.

    It's one thing for someone to preach that you should really have longer passwords; it's quite another to see it for yourself. If your passwords are easy to guess, or are variants of dictionary words, or can be generated easily by brute force -- there are widely available tools that can give the keys to the city to any lowlife that wants into your machine.

    Run one of the password crackers on your own system today, and become enlightened! And don't be comforted by the 18 days it took to crack my easy five-character password on a 300MHz Celeron notebook: there's also a distributed version of John the Ripper that divides up the work of cracking your password file among many computers.

    The more I learn about security, and the tighter I make my systems, the more afraid I am. If you aren't afraid, you are either very very good at what you do -- and I humbly bow before you -- or you haven't much of a clue.

  9. An honest look at password creation by WarPresident · · Score: 5, Funny

    (January)
    User: Tim
    Password: NEWUSER

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password

    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password01

    OK ...
    (February)
    User: Tim
    Password: password01

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password01

    THIS PASSWORD HAS BEEN USED RECENTLY
    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password02

    OK ...
    (March)
    User: Tim
    Password: password02

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password03

    OK ...

    repeat ad nauseam

    --
    Here come da fudge!
    1. Re:An honest look at password creation by BRSloth · · Score: 5, Funny

      Login: yes
      Password: i dont have one
      password is incorrect

      Login: yes
      Password: incorrect

  10. REALLY bad password by utahjazz · · Score: 4, Interesting

    Given that most web developers write code like this:

        sqlexec("SELECT * FROM users where pwd = '" + pwd + "'")

    I find a good password to be:

        '; DELETE FROM USERS; SELECT '
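
Added example, not part of utahjazz's comment or of any project: the payload above run against an in-memory SQLite database through the concatenating query, beside the parameterized query that defeats it. The schema (a `users` table with a plaintext `pwd` column, which is what the comment's query implies) and the sample rows are constructed for the demo. Python's `sqlite3.executescript()` stands in for a driver that, like the comment's `sqlexec`, runs stacked statements; that is an assumption about `sqlexec`, whose real behaviour the comment does not show.

```python
"""Added example: the stacked-statement injection from the comment, demonstrated."""
import sqlite3

# The comment's "password": closes the string literal, empties the table,
# then opens a new literal so the trailing quote of the template still parses.
PAYLOAD = "'; DELETE FROM USERS; SELECT '"


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data; plaintext pwd column as the comment's query implies."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT, pwd TEXT);
        INSERT INTO users VALUES ('alice', 'hunter2');
        INSERT INTO users VALUES ('bob', 'password01');
        INSERT INTO users VALUES ('carol', 'xyzzy');
        """
    )
    return conn


def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def login_vulnerable(conn: sqlite3.Connection, pwd: str) -> str:
    """The comment's pattern, deliberately kept vulnerable: the password is pasted
    into the SQL text. executescript() models a driver that accepts stacked
    statements (assumed for sqlexec). Returns the SQL that was actually run."""
    sql = "SELECT * FROM users WHERE pwd = '" + pwd + "'"
    conn.executescript(sql)
    return sql


def login_safe(conn: sqlite3.Connection, pwd: str) -> list:
    """The fix: a bound parameter. The payload is compared as an ordinary string,
    so it matches no row and cannot introduce a second statement."""
    return conn.execute("SELECT * FROM users WHERE pwd = ?", (pwd,)).fetchall()


def demo() -> tuple:
    """Returns (rows left after the vulnerable login, rows matched by the safe
    login, rows left after the safe login)."""
    vuln = fresh_db()
    login_vulnerable(vuln, PAYLOAD)
    remaining_after_vuln = count_users(vuln)   # 0: the DELETE ran

    safe = fresh_db()
    matched = login_safe(safe, PAYLOAD)         # []: no such password
    remaining_after_safe = count_users(safe)    # 3: table intact
    return remaining_after_vuln, len(matched), remaining_after_safe


if __name__ == "__main__":
    print(demo())   # (0, 0, 3)
```

Worth noting: `sqlite3.Connection.execute()` refuses to run more than one statement, so on that call this exact string would raise instead of deleting anything. That is an accident of the driver, not a defence; the concatenated query is still injectable with a single-statement payload, and the fix is the bound parameter shown in `login_safe`, not a driver that happens to reject semicolons.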
  11. Re:Universal Passwords by Eivind · · Score: 4, Interesting
    You're right in principle; practically, however, you are wrong.

    It is true, for example that excluding 5-and-under passwords reduces the keyspace. But that is still a win if that part of the keyspace was overpopulated.

    Put differently, if everyone has passwords 8 characters or fewer, chosen from a set of 64 characters (I realise there are more, but some are much more used than others, so the effective strength of a password chosen by a user is seldom more than 6 bits/char):

    • There are 2^(5*6) = 2^30 passwords that are exactly 5 characters long.
    • There are 1.015 * 2^30 passwords that are 5 or fewer characters long.
    • There are about 2^(8*6) = 2^48 passwords in total.
    • So, by excluding the shorter ones, you've excluded 0.00038% of your keyspace.
    If users choose passwords randomly, then one in 262000 users would choose a password with 5 or less characters, and for an attacker, searching this keyspace would be no more fruitful than searching any other random part of the keyspace.

    Problem is, users do NOT typically choose passwords anywhere close to randomly. A more typical scenario is that 10% of all the users choose passwords 5 characters or less.

    In that case, searching the 5-or-less part of the keyspace is 26000 times more likely to net you a working password than choosing a random part of the keyspace to search.

    In practice, you can brute-force the 30-bit 5-and-under keyspace in minutes, and you'll have passwords for 10% of the user-accounts, although you only searched less than one thousandth of one percent of the keyspace.

    THAT is why requiring users to have passwords over a minimum length does not, as you claim, harm security. (instead it helps quite a bit)
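
Added example, not part of Eivind's comment: the keyspace arithmetic above written out as functions, so the same reasoning can be checked for the comment's numbers (2^30, 1.015 * 2^30, 0.00038%, the 26000x factor) and then reused for other lengths and alphabets, including the five-character case in Dammital's John the Ripper comment. The 6 bits/char assumption is the comment's; the 95-symbol printable-ASCII alphabet and the one-million-guesses-per-second rate in the usage section are assumptions for illustration.

```python
"""Added example: the minimum-length keyspace arithmetic, made general."""
import math


def bits_per_char_for(alphabet_size: int) -> float:
    """Entropy per character for a uniformly used alphabet of the given size.
    The comment assumes an effective 64 symbols, i.e. 6 bits; 95 printable
    ASCII characters would give about 6.57 bits."""
    return math.log2(alphabet_size)


def keyspace_exactly(length: int, bits_per_char: float = 6.0) -> float:
    """Number of passwords of exactly `length` characters."""
    return 2.0 ** (length * bits_per_char)


def keyspace_up_to(max_len: int, bits_per_char: float = 6.0) -> float:
    """Number of passwords of 1..max_len characters (the '5 or fewer' set)."""
    return sum(keyspace_exactly(n, bits_per_char) for n in range(1, max_len + 1))


def excluded_fraction(short_max: int, full_max: int, bits_per_char: float = 6.0) -> float:
    """Share of the 1..full_max keyspace that a rule 'length > short_max' removes.
    For 5 vs 8 characters at 6 bits this is about 2^-18, the comment's 0.00038%."""
    return keyspace_up_to(short_max, bits_per_char) / keyspace_up_to(full_max, bits_per_char)


def enrichment(observed_share: float, short_max: int, full_max: int,
               bits_per_char: float = 6.0) -> float:
    """How much more productive searching the short passwords is than searching
    an equally large random slice of the keyspace, given the share of users who
    actually choose short ones. Uniformly random choice gives 1.0; the comment's
    10% gives roughly 26000."""
    return observed_share / excluded_fraction(short_max, full_max, bits_per_char)


def seconds_to_exhaust(size: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return size / guesses_per_second


if __name__ == "__main__":
    # The comment's numbers first, then the same question for printable ASCII.
    print(f"exactly 5 chars:   2^{math.log2(keyspace_exactly(5)):.0f}")
    print(f"up to 5 chars:     {keyspace_up_to(5) / 2**30:.4f} * 2^30")
    print(f"excluded fraction: {excluded_fraction(5, 8) * 100:.5f}%")
    print(f"enrichment at 10%: {enrichment(0.10, 5, 8):.0f}x")
    # Assumed rate of one million guesses per second, for illustration only.
    minutes = seconds_to_exhaust(keyspace_up_to(5), 1e6) / 60
    print(f"time to exhaust <=5 chars at 1e6/s: {minutes:.1f} min")
    b95 = bits_per_char_for(95)
    print(f"5 printable-ASCII chars: {keyspace_exactly(5, b95):.3e} candidates")
```

The `enrichment` function is the heart of the argument: it is exactly 1.0 when users pick uniformly, so a minimum-length rule would then cost a sliver of keyspace for no gain, and it climbs to about 26000 when one user in ten picks five characters or fewer, which is the case the comment says is typical. The rate assumption only affects the "minutes" claim; the enrichment ratio does not depend on it.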