Slashdot Mirror


Yep, People Are Still Using '123456' and 'Password' As Passwords In 2014

Nerval's Lobster writes "Earlier this week, SplashData released its annual list of the 25 most common passwords used on the Internet — and no surprise, most are so blindingly obvious it's a shock that people still rely on them to protect their data: '12345,' 'password,' 'qwerty,' '11111,' and worse. There were some interesting quirks in the dataset, however. Following a massive security breach in late 2013, a large amount of Adobe users' passwords leaked onto the broader Web; many of those users based their password on either 'Adobe' or 'Photoshop,' which are terms (along with the ever-popular 'password') easily discoverable using today's hacker tools. 'Seeing passwords like "adobe123" and "photoshop" on this list offers a good reminder not to base your password on the name of the website or application you are accessing,' Morgan Slain, CEO of SplashData, wrote in a statement. Slashdotters have known for years that while it's always tempting to create a password that's easy to remember — especially if you maintain profiles on multiple online services — the consequences of an attacker breaking into your accounts are potentially devastating."

276 comments

  1. On the contrary: by iroll · · Score: 4, Insightful

    If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.

    --
    Repetition does not transform a lie into the truth. - FDR
    1. Re:On the contrary: by Anonymous Coward · · Score: 4, Insightful

      Except now they know your email address and the fact you use the name of the company in your password...

    2. Re:On the contrary: by Anonymous Coward · · Score: 5, Funny

      Unless I, as the criminal mastermind that I am, decide to try 'Facebook123', 'Chase123', etc, etc.

    3. Re:On the contrary: by Anonymous Coward · · Score: 1

      Isn't Adobe123 a little better than simply 123? How about using Adobe with 20 extra characters (difficult) password on the end?

    4. Re:On the contrary: by Desler · · Score: 5, Insightful

      And strong passwords are meaningless if the company is storing them in a really stupid way such that they can be recovered in plain text by an attacker. At that point, adobe123 is no less secure than a 64-character randomly-generated password.

    5. Re:On the contrary: by The+Grim+Reefer · · Score: 1

      Unless I, as the criminal mastermind that I am, decide to try 'Facebook123', 'Chase123', etc, etc.

      You must have a fluffy white cat too.

    6. Re:On the contrary: by ackthpt · · Score: 3, Insightful

      If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.

      Even if the user is stupid, it's not like the site author couldn't dedicate a few minutes to code evaluation of the password and tell the user 'Not good enough, not even secure in the least, do you want to see a picture of people who think that password is secure?' and display some of those Faces of Meth people.

      even this lolcat is smarter than you

      --

      A feeling of having made the same mistake before: Deja Foobar
    7. Re:On the contrary: by Desler · · Score: 3, Informative

      And yet when an attacker can recover their plaintext password it doesn't really matter how "secure" the password was. I could have the strongest, most random password possible but if an attacker can steal it from you in plaintext, so what?

    8. Re:On the contrary: by Anonymous Coward · · Score: 5, Insightful

      Won't work. People would use a blank password if the websites which require registration to download something free or access a support forum allowed it. So what do you start with? Name of the company. Nope, has to have letters AND numbers. So adobe123. That's a password which says "I don't give a fuck. I'm not even going to use this account again. Just let me download this file." It does not mean that people use the same scheme for passwords to sites where a hacked account could actually do them some harm. Anyway, remember how we know what passwords people use: The companies which demand ever more complex passwords don't properly secure them and lose them, in cleartext form! How can you expect users to care when not even the companies whose business depends on customers' trust care?

    9. Re:On the contrary: by Algae_94 · · Score: 1

      They actually only know your email and that your Adobe password was 'Adobe123'. That might indicate that you reuse that password pattern, but you might not.

    10. Re:On the contrary: by ackthpt · · Score: 1

      And yet when an attacker can recover their plaintext password it doesn't really matter how "secure" the password was. I could have the strongest, most random password possible but if an attacker can steal it from you in plaintext, so what?

      Indeed. I keep waiting for retina scan or DNA analysis, but it hasn't happened, yet.

      and when it does the NSA will store all of that, too

      --

      A feeling of having made the same mistake before: Deja Foobar
    11. Re:On the contrary: by brunes69 · · Score: 5, Insightful

      You are missing the point. Adobe.com should not be telling me my password is insecure. Adobe.com should not be asking me for passwords in the first place, because the idea that I should need a separate password for Adobe.com is stupid. Implement OpenID properly and allow people to log in with an already existing identity. The biggest problem with passwords on the internet is every single mom and pop website thinks they need to have their own login and authentication mechanism when in reality all they need is a way to confirm an identity. My nirvana is every single website in existence allows me to log in with my OpenID account, which is nice and secure and has two factor authentication. Then I only have ONE password to remember.

      There is absolutely no reason the internet could not work this way if site admins would get their heads out of their asses and stop rolling their own authentication schemes, because between Google, Yahoo, Twitter, Facebook, and other 3rd parties, every web user already HAS an OpenID capable login.

    12. Re:On the contrary: by Anonymous Coward · · Score: 1

      Why anyone would trust Adobe with security is amazing. Only the Java web plugin and IE6 can hold a candle to the security fails of Flash and Acrobat Reader.

    13. Re:On the contrary: by Anonymous Coward · · Score: 0

      I'd argue against that from a perspective of assigning blame. If the site gets hacked and Louis User loses a billion dollars through having his password compromised, the site would probably be considered more liable for his loss if he could testify "I tried my first five favorite passwords and the site said they were weak. But when I tried password123456, the site didn't say it wasn't weak!"

    14. Re:On the contrary: by brainboyz · · Score: 3, Insightful

      And forcing everyone to use one is just as bad. I don't want any of those sites authenticating me everywhere I go. One more way to tie your life together online.

    15. Re:On the contrary: by Anonymous Coward · · Score: 0

      When I sign up to post comments on Gawker or another site that has been owned in the past, why would I care about having a secure (beyond the minimum of security) password? If anything, I would just want to use a throw-away that protects the accounts that I actually want to secure.

      On top of that, any site author that requires actual security (like my bank) should spend those few minutes to put together two-factor access, which is infinitely more secure than PaSS$$Werd12 anyways.

    16. Re:On the contrary: by brunes69 · · Score: 3, Insightful

      Then use OpenID.org. Or run your own. That is why it is called an Open Standard.

    17. Re:On the contrary: by ewibble · · Score: 3, Informative

      Indeed. I keep waiting for retina scan or DNA analysis, but it hasn't happened, yet.

      and when a hacker get hold of those good, luck changing them.

    18. Re:On the contrary: by mrmeval · · Score: 1

      If you do that with every website then gmail123, amazon123 etc is your password.

      This

      dd if=/dev/random bs=10 count=1 | hexdump

      and a good encrypted wallet are your bestest friends.

      My bank sucks since it will not allow all of that output, just 8 characters.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    19. Re:On the contrary: by psithurism · · Score: 1

      Oh no, they'll go read all the junk emails I'm probably getting at Junk123@google.com! And then they'll know every free software website that has username:Junk123 password:Websight123 Then they'll be able to download all the free trial software they want without having to make a new account! The horror!

    20. Re:On the contrary: by Bill,+Shooter+of+Bul · · Score: 3, Insightful

      If they had hashed them without a salt, then you'd be better off with a random password.
      If they had hashed them with the same salt, then you'd be better off with a random password
      If they had them plain text, and you reused the same weak password on multiple sites, then you'd be better off with a random password.

      In general there are so many benefits to using a strong random password on each site, that it's really stupid not to.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
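
The three cases in the post above, worked through as an added example that is not from the post or from any real password store: a constructed user table (two users sharing a weak password, one with a 20-character random one) and a constructed attacker wordlist, with SHA-256 standing in for the site's hash. The user names, passwords and wordlist are all made up; a real store would use a slow, per-user-salted KDF such as bcrypt, scrypt or Argon2 rather than bare SHA-256.

```python
import hashlib
import os
import secrets
import string

# Constructed sample users: two picked the same weak password, one used a
# 20-character random one. Not real data from any breach.
USERS = {
    "alice": "adobe123",
    "bob": "adobe123",
    "carol": "".join(secrets.choice(string.ascii_letters + string.digits)
                     for _ in range(20)),
}

# Constructed attacker wordlist of the kind the thread describes.
WORDLIST = ["123456", "password", "qwerty", "adobe123", "photoshop", "111111"]


def unsalted(pw):
    """Plain SHA-256 (illustration only; real stores use bcrypt/scrypt/Argon2)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw, salt):
    """SHA-256 over salt || password."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def store_unsalted(users):
    """Hash without salt: equal passwords give equal hashes, visible in the dump."""
    return {u: unsalted(pw) for u, pw in users.items()}


def store_salted(users, shared_salt=None):
    """Per-user random salt, or one shared salt for everyone if shared_salt is given."""
    db = {}
    for u, pw in users.items():
        salt = shared_salt if shared_salt is not None else os.urandom(16)
        db[u] = (salt, salted(pw, salt))
    return db


def crack_unsalted(db, wordlist):
    """One precomputed table cracks every user at once: len(wordlist) hashes total."""
    table = {unsalted(w): w for w in wordlist}
    return {u: table[h] for u, h in db.items() if h in table}


def crack_salted(db, wordlist):
    """Guess each word against each stored hash; return (cracked, hashes computed).

    A shared salt still lets the attacker reuse work across users; a per-user
    salt forces the whole wordlist to be rehashed for every account. The
    random password is never cracked either way because it is not in the list.
    """
    cache = {}
    cracked = {}
    for u, (salt, h) in db.items():
        for w in wordlist:
            key = (salt, w)
            if key not in cache:
                cache[key] = salted(w, salt)
            if cache[key] == h:
                cracked[u] = w
                break
    return cracked, len(cache)


if __name__ == "__main__":
    print("unsalted:     ", crack_unsalted(store_unsalted(USERS), WORDLIST))
    print("shared salt:  ", crack_salted(store_salted(USERS, b"\x00" * 16), WORDLIST))
    print("per-user salt:", crack_salted(store_salted(USERS), WORDLIST))
```

Running it shows alice and bob cracked in every case (their password is in the list) and carol cracked in none; the only thing the salt changes is how much hashing the attacker has to do, which is exactly why a strong random password helps regardless of how the site stored it.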
    21. Re:On the contrary: by Em+Adespoton · · Score: 1

      Oh no, they'll go read all the junk emails I'm probably getting at Junk123@google.com! And then they'll know every free software website that has username:Junk123 password:Websight123 Then they'll be able to download all the free trial software they want without having to make a new account! The horror!

      Actually, you might be surprised in the PII that can be gathered through junk email boxes. Plus, they'd probably coopt it to use as a spam source, which makes one more kitten die.

    22. Re:On the contrary: by Em+Adespoton · · Score: 1

      If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.

      Even if the user is stupid, it's not like the site author couldn't dedicate a few minutes to to code evaluation of the password and tell the user 'Not good enough, not even secure in the least, do you want to see a picture of people who think that password is secure?' and display some of those Faces of Meth people.

      even this lolcat is smarter than you

      If a website knows enough about my password to know it's not secure, it knows too much about my password. All it should ever get is my password hash. Of course, they could build some logic into the endpoint code that checks for the obvious, but that should be as far as they're able to go.

    23. Re:On the contrary: by Anonymous Coward · · Score: 0

      If you think for one moment that having a 27-character camelcase password of obscure Unicode characters is any protection at all when your password is leaked in plain text (a la Adobe123), you're not the smartest lolcat in the cheezburger business yourself, friend.

    24. Re:On the contrary: by Anonymous Coward · · Score: 2

      If there were not a time/effort in remembering said password this would be correct, however for sites like adobe that you don't care about, it is a perfectly rational decision to risk a stranger getting access to an account you don't care about in exchange for no effort to remember your password.

    25. Re:On the contrary: by stoborrobots · · Score: 1

      All it should ever get is my password hash.

      You're just hiding the weakness: in this scenario, your "password hash" becomes your real password. Anyone who steals the hash can now impersonate you, which means that your real password is also being saved in cleartext on the server.

    26. Re:On the contrary: by WuphonsReach · · Score: 1

      Better is:

      tr -dc '[:alnum:]' < /dev/urandom | head -c 8
      Which has the advantage of 62 possibles per digit instead of only 16 possibles per password digit. For an 8-character password, using 62 possibles per digit instead of only 16 is about 50,000x more secure.

      --
      Wolde you bothe eate your cake, and have your cake?
    27. Re:On the contrary: by rastos1 · · Score: 2

      My nirvana is that every single website does not require me to log in at all. Ok perhaps 1% of them really need to - such as ... internet banking and utility providers. Everybody else just uses it to track me (no, thanks), or customize the page for me (no, I want to give a link to a friend and have him see the same page I see), or create sites that are not needed in first place (such as web mail, facebook, ...).

    28. Re:On the contrary: by Anonymous Coward · · Score: 1

      And yet you log into Slashdot...

    29. Re:On the contrary: by xenobyte · · Score: 3, Insightful

      Actually I treat 'forced' accounts on places like Adobe very differently than other places where I use passwords - basically I don't trust a company like that to be secure so I use a different password system there than elsewhere. My password were in the Adobe list, as were my business email, but I don't work for that company anymore so the email is obsolete, and the password... Well it won't be used elsewhere.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    30. Re:On the contrary: by AlterEager · · Score: 1

      All it should ever get is my password hash.

      You're just hiding the weakness: in this scenario, your "password hash" becomes your real password. Anyone who steals the hash can now impersonate you, which means that your real password is also being saved in cleartext on the server.

      Salt.

    31. Re:On the contrary: by Big+Hairy+Ian · · Score: 1

      Yep the moral of the story is a strong password will just keep script kiddies at bay if you use it with fucktards like Adobe, Facebook etc

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    32. Re:On the contrary: by rastos1 · · Score: 1

      And you are the proof that I don't really have to.

    33. Re:On the contrary: by Anonymous Coward · · Score: 0

      I hate it when a company tells me "This password isn't secure enough."
      Secure enough for what? I'm trying to order a pizza, not take out a loan. The *only* purpose of the login (from my perspective) is to automatically select the nearest store. (or, in Adobe's case, "to download the software").

      There is no situation in which a password is the best option. Poor passwords are a symptom of people disagreeing that their password should be required.

    34. Re:On the contrary: by Anonymous Coward · · Score: 0

      I love the errors "your 40-character randomly-generated hexadecimal string is not secure. Please use between 8 and 16 characters, and use a punctuation character to make it more secure".

      All my passwords are randomly generated and one-time-use. I only ever log in via "forgot your password?" links

    35. Re:On the contrary: by Anonymous Coward · · Score: 0

      that's copyright infringement. *SWAT team and FBI agents appear*

    36. Re:On the contrary: by AmiMoJo · · Score: 1

      If it's Adobe you should be using a disposable email address anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    37. Re:On the contrary: by Threni · · Score: 1

      What's wrong with, say, a Slashdot approach; log in once, store the details in a cookie and have Chrome store your passwords, synced across machines. It's pretty low cost in terms of config. Does it need a better solution?

    38. Re:On the contrary: by ILongForDarkness · · Score: 1

      That is exactly it. Some things require a password that you simply don't care that much about. My password to post comments on /. or CNN? I don't care if I lose it. Oh no some person I don't know might think I wrote a message that was actually written by someone else I don't know.

      Facebook and other social media: I care a bit more just because of the tendency of people to use it for screening job candidates or even screening potential personal relationships.

      Banking, taxes and other "important stuff" are at another level. Generally I try to use hard random passwords (though nothing is really hard with modern hardware) for the important stuff, the not important at all stuff can all use a common dummy password, the middle stuff I might use a different password for each site or not but will at least use a complex password. (Generally speaking if you own my FB or LinkedIn you might as well own the other because my contacts and the personal implications of your spamming in my name etc are the same).

    39. Re:On the contrary: by danbert8 · · Score: 1

      Except I hate that because every freaking website has different rules. Then I have to remember what stupid arbitrary rule I had to follow to make the password so I can remember what password I made up. Instead of being able to remember it, I email myself the password rules for the stupid website and a hint so I can remind myself what the password is.

      --
      Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
    40. Re:On the contrary: by gnasher719 · · Score: 1

      If a website knows enough about my password to know it's not secure, it knows too much about my password. All it should ever get is my password hash. Of course, they could build some logic into the endpoint code that checks for the obvious, but that should be as far as they're able to go.

      On the other hand, password strength could be checked on your computer with some JavaScript. Which might not be safe enough, so it could be a function of the browser itself.

    41. Re:On the contrary: by Anonymous Coward · · Score: 0

      If they had them plain text, and you reused the same weak password on multiple sites, then you'd be better off with a random password.

      How do you figure?

    42. Re:On the contrary: by Anonymous Coward · · Score: 0

      Run your own? What a Libertarian bullshit answer. How the fuck are you going to make Web sites across the Internet accept your home-rolled authentication server? Good luck with that.

    43. Re:On the contrary: by Bill,+Shooter+of+Bul · · Score: 1

      Really?

      Say you registered at adobe with jimiscool78@gmail.com with the password "passwordissecret". Hackers compromise adobe, read your plain text password, see it's non-random and try to access your gmail account with the same password. If you used the same weak password, they now have your email account too.

      Say you registered at adobe with jimiscool78@gmail.com with the password "&%awj&JS82j(1[sok", which you only used to register with adobe. Even if they try accessing your gmail account with the password, it won't work. Because its a different password.

      Note the gmail access is just an example, they could also try that username and password at other sites like twitter, facebook, your bank, healthcare.org, amazon.com, etc. When you reuse passwords and one website where you used that password is compromised, they all are.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    44. Re:On the contrary: by Em+Adespoton · · Score: 1

      Sorry; I was assuming salt -- but one should never assume when it comes to communicating password security.

      Also, the GP was assuming that my hash was being saved in cleartext on his server. This is also a bad idea -- the only thing I should *present* to the server is the salted hash; the server should then offload verification to a verification server and not store anything but the fact that my current session is authenticated (and this should be done with a keypair token). We've got lib_pam for free; we should always be using it.

    45. Re:On the contrary: by RespekMyAthorati · · Score: 1

      If there were not a time/effort in remembering said password

      Then let lastpass, keepass, etc. remember it for you.

    46. Re:On the contrary: by david_thornley · · Score: 1

      On the assumption that I've got easy access to my passwords wherever I want to log in. I'm not so sure of that.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    47. Re:On the contrary: by Anonymous Coward · · Score: 0

      Memory. You have to remember or store this crap. One requires allocating brainpower, the other requires a tool that you must carry.

    48. Re:On the contrary: by lsatenstein · · Score: 1

      My favourite passwords are with words I made up. Gronk, eilsel and rabuf (or is that fubar), Then I add a character or two of punctuation, from the dollar sign, to the octothorpe (# ) to the pound £ and even the character which is not part of the USA keyboard () or Euro Symbol.
      If the word is too short, I append a 001 to extend it.

      --
      Leslie Satenstein Montreal Quebec Canada
    49. Re:On the contrary: by stoborrobots · · Score: 1

      I assume by "salt" you guys are referring to a different salt per session (a.k.a. a nonce).

      If you really mean just an ordinary salted hash, then you still haven't changed anything - the salted hash is the "real" password, and any intermediary or eavesdropper can see it.

      If you're talking about a nonce, then yes, now you're protected from eavesdropping - but the machine doing the verification needs to have your secret available in cleartext. This requires that you have a locked-down verification server probably separate from your application server.

      Contrast this situation with a cryptographic system: The server stores your public key. When you attempt to connect, the server provides you with a nonce. You encrypt with your private key. The server can verify your connection, and your secret is never stored or seen by anyone except yourself. Nothing that the server has visibility of, nor anything overheard in transit can be used to impersonate you in the future.
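
The three designs in the post above, as an added example that is not from the post: a client that presents a salted hash (which any eavesdropper can replay), a nonce challenge answered with an HMAC (replay fails, but the verifier has to hold the secret in the clear), and a Schnorr identification protocol where the server stores only a public key and a captured transcript is useless afterwards. The salt, secret and the tiny group parameters (p = 23, g = 4 of order q = 11) are constructed for readability; a real deployment would use a 256-bit curve or a 2048-bit or larger MODP group, and the protocol steps are the same.

```python
import hashlib
import hmac
import secrets

# ---- Design 1: the client presents H(salt || password). Whatever travels on
# the wire is the credential; an eavesdropper simply replays it.
SALT = b"constructed-per-user-salt"   # constructed


def client_hash(password):
    return hashlib.sha256(SALT + password.encode()).digest()


class HashAsPasswordServer:
    def __init__(self, stored_hash):
        self.stored = stored_hash      # equivalent to storing the password itself

    def login(self, presented):
        return hmac.compare_digest(self.stored, presented)


# ---- Design 2: nonce challenge answered with HMAC. Replay fails because each
# nonce is accepted once, but the verifier must keep the shared secret in the clear.
class HmacChallengeServer:
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.outstanding:
            return False               # unknown or already-used nonce
        self.outstanding.remove(nonce)
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def hmac_respond(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).digest()


# ---- Design 3: Schnorr identification. The server stores only y = g^x; the
# prover shows knowledge of x without ever sending it.
# Toy group (constructed): p = 23, and g = 4 has prime order q = 11.
P, Q, G = 23, 11, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1   # private key in [1, q-1]
    return x, pow(G, x, P)             # (x, y = g^x)


def prover_commit():
    r = secrets.randbelow(Q - 1) + 1   # fresh per run; never reuse r
    return r, pow(G, r, P)             # (r, t = g^r)


def prover_respond(x, r, c):
    return (r + c * x) % Q             # s = r + c*x mod q


class PubkeyServer:
    def __init__(self, pubkey):
        self.y = pubkey
        self.pending = {}

    def challenge(self, commitment):
        c = secrets.randbelow(Q)
        self.pending[commitment] = c
        return c

    def verify(self, commitment, s):
        c = self.pending.pop(commitment, None)
        if c is None:
            return False               # no live challenge for this commitment
        # g^s == t * y^c  <=>  g^(r + c*x) == g^r * g^(x*c)
        return pow(G, s, P) == (commitment * pow(self.y, c, P)) % P
```

In design 3 the server's database holds y, and the transcript (t, c, s) reveals nothing that lets anyone answer a fresh challenge, which is the property the post is describing; in designs 1 and 2 a database compromise hands the attacker the credential outright.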

    50. Re:On the contrary: by Em+Adespoton · · Score: 1

      Exactly this. Thanks for spelling it out.

  2. Maybe people don't care by timeOday · · Score: 4, Interesting

    Many of the accounts you are forced to create nowadays are for the benefit of whoever wants to track you, not for your own benefit. When I was forced to sign up for an Apple Developer or iTunes Store account to get software updates for my MacBook I hoped there would be a pool of shared profiles people had set up for anybody to re-use, but not finding them I assume Apple detects and de-activates them.

    1. Re:Maybe people don't care by khasim · · Score: 5, Insightful

      My simple process for this is that if the site does not have my credit card info or even my name then I don't care what the password is.

      And I don't care if your site is cracked and my 12345 password is revealed. All they're going to get is the cat's name and a birthdate of 1900-01-01.

    2. Re:Maybe people don't care by dejanc · · Score: 1

      Ditto.

      So many sites nowadays require you to register so I use throwaway emails in combination with throwaway passwords. E.g. if I want to try out Trove (that was mentioned in a previous article), I really don't want to put in more than a few seconds thought into it, so my email will be trove@domain-which-i-use-to-collect-spam.com and password probably something along the lines of asdf1234. If I find the service useful, Firefox will remember my email and password for login and/or I'll be able to recover the password using their system. If, more likely, I forget about them, I don't care if my credentials get compromised.

    3. Re:Maybe people don't care by Anonymous Coward · · Score: 1

      I think you must be the oldest person on Slashdot!

      What's your secret?

    4. Re:Maybe people don't care by maxwell+demon · · Score: 1

      Ah, so that's what I have to enter at the password reset question "what is your cat's name?" ;-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    5. Re:Maybe people don't care by zlives · · Score: 1

      hey!! we share a birthdate

    6. Re:Maybe people don't care by slapout · · Score: 2

      Dear Mr. Tinkles,
      We at the AARP would like to congratulate you on your recent birthday. We notice that you're not yet a member and would like to tell you about the benefits...

      --
      Coder's Stone: The programming language quick ref for iPad
    7. Re:Maybe people don't care by Anonymous Coward · · Score: 0

      My simple process for this is that if the site does not have my credit card info or even my name then I don't care what the password is.

      And I don't care if your site is cracked and my 12345 password is revealed. All they're going to get is the cat's name and a birthdate of 1900-01-01.

      Let me FTFY 01-01-1900

    8. Re:Maybe people don't care by WuphonsReach · · Score: 2

      If I find the service useful, Firefox will remember my email and password for login and/or I'll be able to recover the password using their system.

      If you are going to let Firefox remember the password for it anyway -- then why not come up with some random gibberish for your password in the first place?

      For example: Extended Password Generator. Or putting the following shell script in your ~/.bashrc file:

      passgen ()
      {
          # quote the class so the shell cannot glob-expand [:alnum:] against files in the cwd
          tr -dc '[:alnum:]' < /dev/urandom | head -c "${1:-20}"
          echo
      }

      --
      Wolde you bothe eate your cake, and have your cake?
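
The same idea as the shell function above, and the hex-versus-alphanumeric comparison from the earlier reply, as an added example that is not from either post: a generator drawing from the OS CSPRNG, the entropy each alphabet gives per character, the search-space ratio behind the "about 50,000x" figure, and what is left after a site like the bank mentioned above truncates the result to 8 characters. The alphabet names and the policy helper are this example's own.

```python
import math
import secrets
import string

# Output alphabets of the generators discussed in the thread.
ALPHABETS = {
    "hex": "0123456789abcdef",                       # hexdump of /dev/random
    "alnum": string.ascii_letters + string.digits,   # tr -dc '[:alnum:]'
    "printable": string.ascii_letters + string.digits + string.punctuation,
}


def passgen(length=20, alphabet="alnum"):
    """Random password from the named alphabet; secrets uses the OS CSPRNG."""
    chars = ALPHABETS[alphabet]
    return "".join(secrets.choice(chars) for _ in range(length))


def entropy_bits(length, alphabet):
    """Bits of entropy for a uniformly random string of this length."""
    return length * math.log2(len(ALPHABETS[alphabet]))


def search_space_ratio(length, bigger, smaller):
    """How many times larger the keyspace of `bigger` is than `smaller` at equal length."""
    return (len(ALPHABETS[bigger]) / len(ALPHABETS[smaller])) ** length


def fit_to_policy(pw, max_len, allowed):
    """Keep only characters the site accepts, then cut to its maximum length.

    Filtering uniform characters down to a subset leaves them uniform over
    that subset, so the result is still random, just shorter.
    """
    kept = "".join(ch for ch in pw if ch in ALPHABETS[allowed])
    return kept[:max_len]


if __name__ == "__main__":
    for name in ALPHABETS:
        print(f"{name:9s} {passgen(20, name)}  ({entropy_bits(20, name):.1f} bits)")
    print("8 chars, alnum vs hex: x%.0f" % search_space_ratio(8, "alnum", "hex"))
    print("8-char bank limit, alnum:", entropy_bits(8, "alnum"), "bits")
```

An 8-character hex string carries 32 bits; the same length over 62 symbols carries about 47.6 bits, and (62/16)^8 is roughly 50,800, which is the ratio the reply quotes. Twenty alphanumeric characters is about 119 bits, which is why the bank's 8-character cap, not the generator, is the weak point in that post.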
    9. Re:Maybe people don't care by Anonymous Coward · · Score: 0

      Well dude, all I can say is that we're both glad your /. password is not actually 12345. [I checked.]

    10. Re:Maybe people don't care by QuesarVII · · Score: 4, Insightful

      He used iso date format - arguably the best and most universal way to represent a date. Get over yourself.

    11. Re:Maybe people don't care by Anonymous Coward · · Score: 1

      Bah... here is yet another article where someone thinks they are a good guy and have recently discovered a unique way to figure out what passwords are being used by people.
      Here's another approach: try asking the bad guys.
      Here's a quick how-to:
      Install Windows 95.
      Connect to the Internet without a firewall.
      Wait 49.7 days for your system to reboot. Note that this has nothing to do with being connected to the Internet, or the rest of this comment.
      Now that the computer is infected, go look at the files that are left there by the malware.
      I've worked professionally for an IT support company that let a client's server be infected. The server was monitored. I responded to a report of high CPU usage, and figured out it was infected, and located the malware. The particular malware ended up containing multiple files. One of those files was a text file containing passwords that are clearly used commonly, like 12345 and P@ssw0rd! and so on. This was obviously the dictionary that was being used for the attack.
      Now if these attackers are doing this for profit, you'd think that they would keep track of what passwords work most often, and use those most often (in order to have more successful attacks, more quickly). So that malware may be more accurate than the latest report that SplashData has publicly released for us.
      Of course, I've also seen lots of malware that shows a lack of intelligence on the part of the malware author, so that aspect does kind of hurt my argument.

    12. Re:Maybe people don't care by AlterEager · · Score: 1

      My simple process for this is that if the site does not have my credit card info or even my name then I don't care what the password is.

      And I don't care if your site is cracked any my 12345 password is revealed. All they're going to get is the cat's name and a birthdate of 1900-01-01.

      Let me FTFY 01-01-1900

      But is that the 1st of January, or January 1st?

    13. Re:Maybe people don't care by N!k0N · · Score: 1

      what, not 1970-01-01?

    14. Re:Maybe people don't care by Anonymous Coward · · Score: 0

      Once upon a time the global user was "cypherpunk". Most forms are set to reject identical credentials now, though (try cypherpunk1 in passwords). While this highly sensible idea has fallen out of use, I've been pleasantly surprised on a site or two for drivers or manuals when cypherpunk/cypherpunk worked right away.

    15. Re:Maybe people don't care by Anonymous Coward · · Score: 0

      you all suck:
      01JAN2001 is THE only unambiguous abbreviated dating method on the face of the earth...
      (all others you have to presume what the order is)

  3. qwerty? by slapout · · Score: 4, Funny

    I knew it was a good idea to change my password to 'dvorak'.

    --
    Coder's Stone: The programming language quick ref for iPad
    1. Re:qwerty? by Tablizer · · Score: 1

      Gesundheit

  4. "it's a shock" by neminem · · Score: 5, Insightful

    Quoth, "It's a shock that people still rely on them to protect their data".

    Important fact that many of these studies miss: not everybody cares about their data, and not all data is the same. Anyone using a password like this to protect their bank account, or their email address (that they use to send forgotten password requests from their bank account) deserves to have their money stolen.

    On the other hand, anyone who uses a password like this to protect the fact that they once logged into some random crappy site that they joined to post one comment, and which they have subsequently never used again and have forgotten about, deserves... absolutely nothing bad to happen to them as a result. Who cares if someone gets their password to some random crappy site? I certainly don't. It would be a much worse idea to use a more secure password to those throwaway sites, because then you'd be tempted to use the same password you used on more secure sites you actually cared about.

    There are probably a lot of passwords to throwaway sites like that in any database of stolen passwords, specifically because people are more likely to use better passwords on the sorts of sites that are also (I certainly hope!) less likely to get all their passwords leaked.

    1. Re:"it's a shock" by lgw · · Score: 4, Insightful

      Anyone using a password like this to protect their bank account, or their email address (that they use to send forgotten password requests from their bank account) deserves to have their money stolen.

      No one deserves to have their money stolen. The concept you're looking for is "responsibility". Anyone using an easy password for a bank account is irresponsible, but if they get their money stolen what they deserve is our compassion.

      Currently banks seem to be proud of the level of fraud protection they offer customers, perhaps even competing on that basis. That's a good thing. Not everyone is capable of remembering a complex password, after all.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:"it's a shock" by grnbrg · · Score: 1

      This.

      I've probably contributed a "Mr. Test Testuser, 123 Main St, Somewhere, CA, 90210" password 1234 once or twice a year for the last decade....

    3. Re:"it's a shock" by neminem · · Score: 1

      Heh. I tend to use my real name everywhere that asks for my name, regardless of temporary-ness, because who cares if they have my name, and it's jarring seeing someone else's name (plus, maybe you do want to be able to prove that you're yourself for something later. It's difficult to prove you're yourself if you claim to be Mr ASDF ASDF in account creation.)

      I do enjoy giving fake addresses, though. I generally claim to live on 666 Hell St. (Every once in a blue moon a site will inform me that there isn't actually a 666 Hell St, Texas, or at the very least that the area code isn't a Texas zip code (I'm way too lazy to look up actual Texas zip codes), but that's pretty rare.)

    4. Re:"it's a shock" by Anonymous Coward · · Score: 1

      I do enjoy giving fake addresses, though. I generally claim to live on 666 Hell St. (Every once in a blue moon a site will inform me that there isn't actually a 666 Hell St, Texas, or at the very least that the area code isn't a Texas zip code (I'm way too lazy to look up actual Texas zip codes), but that's pretty rare.)

      That's why I know 10101 is a zip code in New York. It's the first made up zip code I found that worked. Then some site told me my state was wrong, so I looked it up. So far no one has ever given me problems with a fake street name.

    5. Re:"it's a shock" by Anonymous Coward · · Score: 0

      Anyone using a password like this to protect their bank account, or their email address (that they use to send forgotten password requests from their bank account) deserves to have their money stolen.

      No one deserves to have their money stolen. The concept you're looking for is "responsibility". Anyone using an easy password for a bank account is irresponsible, but if they get their money stolen what they deserve is our compassion.

      I like to use this analogy about people "deserving" things: Bishop Desmond Tutu does not deserve to get hit by lightning, but if he's playing golf during a thunderstorm he's certainly asking for it.

      I don't really wish ill on anyone, but some people are just rolling the dice too many times (and as a cyclist I see this all the time with yahoos running reds and such).

    6. Re:"it's a shock" by femtobyte · · Score: 1

      plus, maybe you do want to be able to prove that you're yourself for something later. It's difficult to prove you're yourself if you claim to be Mr ASDF ASDF in account creation.

      For that, use an MD5 hash of <your full name + silly salt> (or the first several characters therefrom); that makes it easy to later prove it's you, if you want.
      --fe0f91b18675bf2c7e813852aebf5072

    7. Re:"it's a shock" by Anonymous Coward · · Score: 0

      Oops, lost angle-bracket-enclosed text in formatting --- above should read "use an MD5 hash of <your full name + silly salt>."
      Not a post I'm likely to worry about claiming authorship for.

    8. Re:"it's a shock" by Anonymous Coward · · Score: 0

      I use 10001, also a NY zip code.

    9. Re:"it's a shock" by Anonymous Coward · · Score: 1

      Schenectady, NY 12345 is another good one... Just so long as you don't mind spelling Schenectady.

    10. Re:"it's a shock" by neminem · · Score: 1

      That would work for supergeeks. By "prove", I don't mean to a mad genius - I mean to a first-level phone tech grunt when you decided you wanted to buy something, and they won't let you because your name doesn't match the name on your card or something. (A friend had a hell of a time getting a problem sorted with Blizzard a couple years for that exact reason.)

    11. Re:"it's a shock" by fast+turtle · · Score: 1

      or you use a god damn secure wallet that generates passwords for you, as I've been doing for the last decade. Works quite well and I only have to remember one password, and unlike anyone using Firefox, for those sites where it's critical that I have a secure PW, I don't ever allow FF/IE/Opera/whatever to save the damn thing. This provides another level of protection in case the site has been pawned. For those where I allow the browser to retain the PW, I don't give a rat's ass as they're damn near throwaway identities anyhow.

      --
      Mod me up/Mod me down: I won't frown as I've no crown
    12. Re:"it's a shock" by Osgeld · · Score: 1

      I can't even recall how many times I have been forced to sign up for a shitty little forum to grab some 12k utility script that I just wanted to look at to see how they did part of one function of it.... password = password, and I have a yahoo account that that crap goes to.

  5. Password Evolution by thevirtualcat · · Score: 5, Funny

    Create a password: password

    Everyone is using "password." We need to stop that.

    Create a password containing both letters and numbers: password1

    Everyone is using "password1." We need to stop that.

    Create a password containing numbers and both capital and lowercase letters: Password1

    Everyone is using "Password1." We need to stop that.

    Create a password containing numbers, both capital and lowercase letters and a special symbol: Password1!

    And so it goes.

    1. Re:Password Evolution by Mashiki · · Score: 1

      It would probably be easier if we let people use nonsensical pass-phrases instead of continuing to make it more difficult. I could walk around any government office, or business, and probably find 90% of the passwords in no time. With that they'd be some form of incomprehensible gibberish that no one could remember unless they were using it for everything.

      --
      Om, nomnomnom...
    2. Re:Password Evolution by Anonymous Coward · · Score: 1

      I've even seen p@ssw0rd used on production systems... there aren't enough hours in the day to clean up all of the security nightmares before they compound further.

    3. Re:Password Evolution by Anonymous Coward · · Score: 3, Insightful

      I don't understand what it being 2014 has to do with anything. Do we expect humanity to get smarter about passwords every year?

    4. Re:Password Evolution by Anonymous Coward · · Score: 0

      Here's what you do then. Get an extra box, and every now and then feed it a copy of your triple-salted SHA-65536-encrypted passwords. Have the box continuously try to brute-force passwords, and every time it gets one, make that user reset their password.

    5. Re:Password Evolution by Anonymous Coward · · Score: 1

      The thing is, we don't actually know the extent of the problem, at least not based on TFA. They don't attach "percent of all passwords" to each rank. So let's imagine a scenario:

      In 2010, the most common password is "password." Let's say it accounts for 20% of all passwords. Security experts start making headlines saying "this is terrible!" and people actually start to listen.

      In 2014, let's say 0.1% of all passwords are "password", and 0.9% are split up between other obvious passwords, but then 99% of the rest are unique, high-entropy passwords. Sure, maybe we'll find overlap, birthday paradox and all that. The bottom line is, the situation is way better.

      Now, is that actually the case? I have no idea. I'm not seeing real percentages attached. But the very nature of "good" and "bad" passwords is such that the most common passwords are always going to be the worst passwords.

    6. Re:Password Evolution by ackthpt · · Score: 4, Informative

      Create a password: password

      Everyone is using "password." We need to stop that.

      Create a password containing both letters and numbers: password1

      Everyone is using "password1." We need to stop that.

      Create a password containing numbers and both capital and lowercase letters: Password1

      Everyone is using "Password1." We need to stop that.

      Create a password containing numbers, both capital and lowercase letters and a special symbol: Password1!

      And so it goes.

      I was on an information system a few years back; if it didn't like your password, you couldn't use it and had to choose something more arcane. The downside of that is really nasty passwords, with changes of case, numbers and symbols, end up written on Post-it notes and stuck on the fronts of computers.

      --
      A feeling of having made the same mistake before: Deja Foobar
    7. Re:Password Evolution by TheloniousToady · · Score: 4, Funny

      I don't understand what it being 2014 has to do with anything. Do we expect humanity to get smarter about passwords every year?

      No, we expect people to be using "2014" in passwords.

    8. Re:Password Evolution by mark-t · · Score: 1

      How about "Create a mixed-case password at least 8 characters long, having at least one upper case letter that is not in the initial position, at least one lower case letter, and at least one digit and one special symbol that are not in either of the final two positions, and which contains no English word that is more than 4 characters"?

    9. Re:Password Evolution by Anonymous Coward · · Score: 0

      Avoid the stupid numbering of "password" altogether and use my favorite password "assword."

    10. Re:Password Evolution by Anonymous Coward · · Score: 0

      So: we have either a pwd that is easy to remember and guess, or a password that is difficult to crack and to remember, and consequently is written somewhere on a yellow sticker. I use a special application for that, but it is not really better, as I keep a backup of the db and the password written in a special secret place (on a yellow sticker), of course. There is no really good way to get over this - you have to rely on physical objects not accessible from the tubes, but then they can get stolen physically. A HW token that reads your iris, for instance?

    11. Re:Password Evolution by CrimsonAvenger · · Score: 2

      Well, the constraints you put on the upper case letters, numbers, and special symbols should make it somewhat easier to brute force that password.

      --
      "I do not agree with what you say, but I will defend to the death your right to say it"
    12. Re:Password Evolution by Anonymous Coward · · Score: 0

      If nothing else, it would be a cost-ineffective way to warm up my home office...

    13. Re:Password Evolution by hermitdev · · Score: 1

      How does it go again... the most frequently used passwords are (or some variant of) "password", "god", "sex", "secret"... and I forget the 5th... of course if you know the person you're attacking, you can usually toss in birthdates, family names (first names, surnames, maiden names), streets they've lived on, etc.

    14. Re:Password Evolution by petermgreen · · Score: 1

      If users are selecting randomly from the set of possible passwords of a given length then adding more rules would reduce the average crack time.

      However, by and large users don't do that. The trouble with having password rules like "at least one capital letter" is it has a habit of translating into "exactly one capital letter in the first position" in the eyes of the users. Similar things apply to numbers and symbols; people are far more likely to put them at the end than in the middle. By ruling out the obvious places to put capitals/numbers/symbols you may improve the quality of the worst passwords in your system.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
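As an added worked example (not from the thread), the following counts how many 8-character printable-ASCII passwords each policy leaves available, and how large the "capital first, digit and symbol at the end" pattern the post describes is. It models mark-t's rule from earlier in the thread without its "no English word" clause; the class sizes (26/26/10/33) are an assumption.

```python
"""Worked count of how composition rules shrink an n-character keyspace.

Constructed example (not from the thread): the alphabet is printable ASCII
split into upper (26), lower (26), digit (10) and special (33) symbols. The
'positional' policy is the one proposed in the thread: an upper-case letter
not in the first position, a lower-case letter, and a digit and a special
symbol that are not in the final two positions. The 'no English word longer
than four letters' clause is not modelled.
"""

CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALL_BITS = 0b1111  # one bit per requirement: upper, lower, digit, special


def unconstrained(cls, pos, n):
    """No rules: every character satisfies everything."""
    return ALL_BITS


def classic(cls, pos, n):
    """Common policy: at least one of each class, anywhere in the string."""
    return {"upper": 1, "lower": 2, "digit": 4, "special": 8}[cls]


def positional(cls, pos, n):
    """Thread's proposal: upper not first; digit and special not in last two."""
    if cls == "upper":
        return 1 if pos > 0 else 0
    if cls == "lower":
        return 2
    if cls == "digit":
        return 4 if pos < n - 2 else 0
    return 8 if pos < n - 2 else 0


def count_passwords(n, satisfies, classes=CLASSES):
    """Count length-n strings that meet every requirement of `satisfies`.

    `satisfies(cls, pos, n)` returns the bitmask of requirements that a
    character of class `cls` at index `pos` fulfils. Dynamic programme over
    positions; the state is the set of requirements met so far.
    """
    dp = {0: 1}  # mask of requirements met -> number of prefixes
    for pos in range(n):
        nxt = {}
        for mask, ways in dp.items():
            for cls, size in classes.items():
                new_mask = mask | satisfies(cls, pos, n)
                nxt[new_mask] = nxt.get(new_mask, 0) + ways * size
        dp = nxt
    return dp.get(ALL_BITS, 0)


def habitual_subspace(n, classes=CLASSES):
    """Size of the pattern users gravitate to under the classic policy:
    capital first, lower-case body, then a digit and a symbol at the very
    end (constructed pattern). Every such string has its only capital in
    position 0, so the positional policy rejects all of them."""
    return (classes["upper"] * classes["lower"] ** (n - 3)
            * classes["digit"] * classes["special"])


def compare(n=8):
    """Return the unconstrained keyspace and, per policy, (size, fraction)."""
    total = count_passwords(n, unconstrained)
    rows = {}
    for name, policy in (("classic", classic), ("positional", positional)):
        size = count_passwords(n, policy)
        rows[name] = (size, size / total)
    habit = habitual_subspace(n)
    rows["habitual"] = (habit, habit / total)
    return total, rows


if __name__ == "__main__":
    total, rows = compare(8)
    print(f"unconstrained 8-char keyspace: {total:,}")
    for name, (size, frac) in rows.items():
        print(f"{name:>11}: {size:,} ({frac:.4%} of keyspace)")
```

The output shows the positional rule costs only a modest slice of the already-reduced "classic" keyspace while ruling out the whole habitual pattern, which is the trade the post argues for.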
    15. Re:Password Evolution by Moof123 · · Score: 2

      This.

      A point of frustration is that every gosh darn system has gotten idiosyncrasies about these extra characters, and the end result is bad practices.

      Somehow authentication needs to go away from the password, as it has been empirically proven many times over that people will screw it up. With dozens of accounts out there, all with slightly different rules for both username and password, I end up trying my top few burner combos and then go into the annoying reset pit of despair.

      Most horrifying to me is Fidelity. They REQUIRE you to use a number-only password, which is about as weak as you can get for surviving a brute force attack.

    16. Re:Password Evolution by mark-t · · Score: 1

      Note that no constraints were made about the upper length of the password... only on its contents... and the restriction that I described on contents does not, in general, considerably simplify a brute-force checker (in fact, it would probably tend to complicate it). An 8 character password might be crackable in only a few seconds with today's fastest multicore GPUs, assuming that you knew in advance that it was not more than 8 characters... but without knowing the upper bounds of the domain to search, the problem gets massively more complex.

    17. Re:Password Evolution by Chemisor · · Score: 1

      How about "I don't care enough about your stupid website to create yet another password just to download some mod file, so maybe I'll go to BugMeNot and see if somebody already created a damn account."

    18. Re:Password Evolution by Anonymous Coward · · Score: 0

      That's been happening to me a lot recently. Systems both at work and in personal web use are having changes of passwords every 3-6 months with rules that are making it hard to ever have anything you'd remember...
      8-12 characters with at least 2 being special characters, one upper case, and no spaces. After 1 or 2 times, it has to be written down, since there's a different one for each site, since you don't want to use the same one everywhere...

    19. Re:Password Evolution by mark-t · · Score: 1

      Who said I was talking about password requirements for a website?

    20. Re:Password Evolution by Anonymous Coward · · Score: 0

      fidelity.com allows upper/lowercase letters (not sure on specialty characters) - is this for phone access?

    21. Re:Password Evolution by Anonymous Coward · · Score: 0

      Eh? I use Fidelity for brokerage accounts and my password is definitely not just numbers.

    22. Re:Password Evolution by roc97007 · · Score: 1

      > The downside of that is really nasty passwords, with changes of case, numbers and symbols end up written on Post-it notes and stuck on the fronts of computers.

      Or under keyboards. And that's the natural outcome of unreasonable password expiration schedules.

      One place I worked, all passwords were kept on the mainframe (RACF, I think) and had to be combinations of cap and lower case letters, numbers and at least one special character, rotated on the first of every month, could never be reused, and could not be written down on pain of termination.

      Someone discovered empirically that "Pas(2 digit month)/(2 digit year)" met all the criteria, so thereafter we all used Pas11/98, Pas12/98, Pas01/99 and so forth. Very easy to remember, met all the criteria, and wouldn't repeat for a long time. To my knowledge, they're still doing it.

      As someone once said, life finds a way.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    23. Re:Password Evolution by roc97007 · · Score: 1

      Pas_wd01, Pas_wd02, Pas_wd03...

      When you get to 99, you've probably exceeded the system's old password memory and can start over with 01. Or put the number in front of the string. And then in the middle.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    24. Re:Password Evolution by WuphonsReach · · Score: 2

      The downside of that is really nasty passwords, with changes of case, numbers and symbols end up written on Post-it notes and stuck on the fronts of computers.

      That's a social problem - one best solved via social means. Like disciplinary action via management.

      On the training side, we tell our users that it's fine to write passwords down in case they forget, but they need to be kept secure. Which means keeping them in your wallet next to your money, or in a safe-deposit box, or a lockbox.

      The important flip-side of the issue is that we don't force users to change passwords every 30 days. Which means that once they learn it (takes 1-2 weeks on average if they use it daily), they don't have to worry that it will change 30 days later. So they get validation for memorizing it, their life gets easier and is not made arbitrarily more difficult every 30 days.

      --
      Wolde you bothe eate your cake, and have your cake?
    25. Re:Password Evolution by RuffMasterD · · Score: 1

      Had that at a university CS department once, except the passwords had to be so insanely long you couldn't write it on a post-it. I ended up forgetting my password EVERY SINGLE TIME, even after writing it on printer paper, and going to the admin to ask for a password reset. He would give me a nice short password and write it on a post-it for me, and I would have to change it to something unreasonable as soon as I logged in again. Rinse and repeat... At what point do we ditch passwords and use something that can't be forgotten, or written down?

      --
      Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
    26. Re:Password Evolution by mjwx · · Score: 1

      That's a social problem - one best solved via social means. Like disciplinary action via management.

      Or education; it is possible to produce passwords that are both secure, user friendly and somewhat unique.

      For most organisations I think phishing is the biggest problem, even if they haven't got it stuck on a sticky note on their monitor (I've been telling people to put it on the inside of the back cover of a book instead) a lot of people are still dumb enough to give it to Fred from Microsoft (who happens to have a thick accent) who calls them out of the blue.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    27. Re:Password Evolution by Anonymous Coward · · Score: 0

      Create a password that contains letters, numbers, at least one capital letter, and a special character: F@#$you1

    28. Re:Password Evolution by sFurbo · · Score: 1

      Great, so now, instead of choosing 5 random words from the dictionary for a password, which I would be able to remember after a week of use, I now have to keep my password written down within reach of my computer for months, after which I will probably have to change the password, and go through the process again. So instead of having a somewhat safe system, I now have a completely unsafe system. Oh, and my password space has gotten much smaller, because your system is already far too big a burden without me having a password longer than absolutely necessary.

    29. Re:Password Evolution by cyclomedia · · Score: 1

      "Insanity is doing the same thing over and over again and expecting different results"

      Developers should stop creating password based systems and think of something else.

      --
      If you don't risk failure you don't risk success.
    30. Re:Password Evolution by gnasher719 · · Score: 1

      How about "Create a mixed-case password at least 8 characters long, having at least one upper case letter that is not in the initial position, at least one lower case letter, and at least one digit and one special symbol that are not in either of the final two positions, and which contains no english word that is more than 4 characters"?

      Note that for mobile users (iPad, iPhone, etc. ) it is much more convenient and just as secure to have a _long_ password just with lowercase letters than a shorter password with all this rubbish.

      Now for something like an iPhone where the keyboard is bloody small compared to my fingers, it would be great if the OS knew my passwords and secretly corrected it. Let's say if my correct password contains an L and my finger lands between K and L, but slightly closer to the K (no visible indication so an attacker cannot use it). We can discuss security.

    31. Re:Password Evolution by Anonymous Coward · · Score: 0

      Create a password: password

      Everyone is using "password." We need to stop that.

      Create a password containing both letters and numbers: password1

      Everyone is using "password1." We need to stop that.

      Create a password containing numbers and both capital and lowercase letters: Password1

      Everyone is using "Password1." We need to stop that.

      Create a password containing numbers, both capital and lowercase letters and a special symbol: Password1!

      And so it goes.

      I was on an information system a few years back, if it didn't like your password, you couldn't use it and had to choose something more arcane. The downside of that is really nasty passwords, with changes of case, numbers and symbols end up written on Post-it notes and stuck on the fronts of computers.

      Nothing wrong with that, so long as the computers with the passwords stuck on them are stored in locked offices.

      An account with the password 7rfJn3f8eHft6 written on a Post-it in a locked office inside a locked building somewhere in Milwaukee is far more secure than an account with the password abc123 that's not written down anywhere.

    32. Re:Password Evolution by mark-t · · Score: 1

      I think you'd be surprised, actually.... there are an almost unlimited number of mnemonics that a person can use to customize a password within the constraints I mentioned, and make it almost as easy to remember as reciting the alphabet.

    33. Re:Password Evolution by david_thornley · · Score: 1

      Lots of sites won't make it easy to use passwords that are secure, user friendly, and somewhat unique. I have a financial services account that I can't change that allows 6-8 alphanumeric characters beginning with a letter, no spaces or other special characters. Education has to go both ways.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    34. Re:Password Evolution by david_thornley · · Score: 1

      Oddly enough, that works pretty well for my work password generation system, except for the "no English word" part which would rule out some of them. That effectively means I have fewer possible passwords in the system, and will typically use less secure passwords. (A password is only made stronger by appending a more or less random English word.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    35. Re:Password Evolution by mjwx · · Score: 1

      Lots of sites won't make it easy to use passwords that are secure, user friendly, and somewhat unique. I have a financial services account that I can't change that allows 6-8 alphanumeric characters beginning with a letter, no spaces or other special characters. Education has to go both ways.

      I agree,

      The problem isn't with the sites for the most part, rather it's with the software (i.e. Microsoft's idea of what makes a strong password is firmly locked in the '90s) as most sites and organisations are limited by the settings their software has by default. However, what I meant is it's entirely possible to make a complex, somewhat unique and hard to crack password that fits in with the description you describe, and all you have to remember is Bob4. You simply repeat Bob4 three times to produce Bob4Bob4Bob4, meeting your site's requirements and being simple to remember. Obviously you can pick your own 3 or 4 letter word and number.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  6. Why? by Anonymous Coward · · Score: 0

    Because you can't fix stupid and you can't fight indifference. Neither one dares and battling that is like pushing string.

  7. 12345? by Anonymous Coward · · Score: 0

    That's the same combination that luggage jokes use.

    1. Re:12345? by hermitdev · · Score: 1

      Prefer to travel as Mr. Ben Dover as Clarence Johnson of Lockheed's Skunkworks did. He also tended to use passwords along the lines of "123" according to the book, anyways.

  8. No surprise by Dan+East · · Score: 4, Insightful

    Considering the internet is still used by the same set of people from 2013, and 2012, and 2011, etc, it shouldn't be surprising they're using the same kinds of crappy passwords.

    --
    Better known as 318230.
    1. Re:No surprise by maxwell+demon · · Score: 1

      Considering the internet is still used by the same set of people from 2013, and 2012, and 2011, etc

      I strongly doubt that. I'm pretty sure that some people started using the internet in 2014, and some stopped using it in 2013.
      The sets certainly will have a very large overlap, but it's definitely not the same set.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:No surprise by dotgain · · Score: 1

      You must be fun at parties!

    3. Re:No surprise by Anonymous Coward · · Score: 0

      Yeah, like it's 1999

  9. I would have thought.... by mark-t · · Score: 1

    ...that the decision to use such a password (or perhaps more correctly, the lack of a decision to utilize a good password) would usually just be a response to either a necessity or else a merely common convention of having one in a given context, and not out of any expectation that it actually offer any real protection for anything.

  10. Oblig XKCD by Anonymous Coward · · Score: 0

    http://xkcd.com/936/

    Obligatory: I can memorize two dozen different randomly generated 20 char passwords and you can too

    Obligatory: XKCD's solution is so insecure, anybody can crack his code using brute force

    1. Re:Oblig XKCD by sunderland56 · · Score: 2

      *Anyone* can crack *any* password using brute force: https://xkcd.com/538/

    2. Re:Oblig XKCD by Obfuscant · · Score: 1

      *Anyone* can crack *any* password using brute force

      Only if they're using the correct character space. I use lots of upside down and flipped left-right characters in mine, outside the range of even UTF8. And no, I don't have an APL keyboard.

    3. Re:Oblig XKCD by hermitdev · · Score: 1

      And that's wonderful until a site restricts you to the "standard" US keyboard of a-z, A-Z, 0-9 and "!@#$%^&*()" and the likes. So many sites are unaware of unicode, and frankly don't care, that your scheme won't work in a large number of sites. (even those that are unicode aware may artificially restrict, as well). What also irks me is requiring at least one of a class of characters. Supporting, fine, but requiring a minimum of 1 from each of n classes artificially restricts the number of possible passwords given that you support using all n classes.

    4. Re:Oblig XKCD by Chris+Mattern · · Score: 1

      You didn't read the cited XKCD, did you? Not that kind of brute force, the *other* kind. The kind where they beat it out of you with a lead-lined hose.

  11. completely agree by Anonymous Coward · · Score: 1

    A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

    Now Slashdot, my password for that is important, it's *************8**

    1. Re:completely agree by Anonymous Coward · · Score: 0

      A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

      Now Slashdot, my password for that is important, it's *************8**

      Way tougher than my slashdot password.

    2. Re:completely agree by The+Grim+Reefer · · Score: 5, Funny

      A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

      Now Slashdot, my password for that is important, it's *************8**

      Is that 12 or 13 stars before the 8? I keep trying to log in as Anonymous Coward with the password you provided and it's not working. Or does the 8 need to be capitalized?

    3. Re:completely agree by Anonymous Coward · · Score: 0

      A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

      Now Slashdot, my password for that is important, it's *************8**

      Is that 12 or 13 stars before the 8? I keep trying to log in as Anonymous Coward with the password you provided and it's not working. Or does the 8 need to be capitalized?

      Yes, the 8 must be capitalized. Some of the stars need to be capitalized as well, but I won't tell you which ones.

    4. Re:completely agree by maxwell+demon · · Score: 1

      I'd guess it's the female stars.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    5. Re:completely agree by OneAhead · · Score: 4, Funny

      Pfff, is that it? My password for everything is "correct horse battery stable". Apparently, some smart guy has proven it's veeery secure!

    6. Re:completely agree by achbed · · Score: 1

      A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

      Now Slashdot, my password for that is important, it's *************8**

      Is that 12 or 13 stars before the 8? I keep trying to log in as Anonymous Coward with the password you provided and it's not working. Or does the 8 need to be capitalized?

      Maybe we should use the old Trek phrase KAAAAAAAAHN and vary the number and capitalization of the A's. That should work.

    7. Re:completely agree by steelfood · · Score: 2

      You might be seeing stars, but I see hunter2.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    8. Re:completely agree by AlterEager · · Score: 3, Funny

      Pfff, is that it? My password for everything is "correct horse battery stable". Apparently, some smart guy has proven it's veeery secure!

      You've made a typo, that makes the password vastly less secure.

    9. Re:completely agree by Anonymous Coward · · Score: 0

      Pfff, is that it? My password for everything is "correct horse battery stable". Apparently, some smart guy has proven it's veeery secure!

      You may have a security problem. The secure one is "correct horse battery staple". By having a horse and a stable, which are closely related words, you have reduced the password entropy by a quarter!

    10. Re:completely agree by Anonymous Coward · · Score: 0

      That actually makes it more secure, because what are the chances that a hacker will make the same typo?
      Or if there's a spelling mistake, what are the chances that a hacker will make the same spelling mistake?

  12. slashdot123 by Anonymous Coward · · Score: 0

    time to change your password!

  13. BS article written for morons. by wcrowe · · Score: 2

    Let's call it what it is. It is not a list of the most common passwords used on the internet. It is a list of the most common passwords used at Adobe... maybe. They don't know what the Adobe passwords are right now. They cannot know all the passwords used on the internet, so they cannot know the most common ones used on the internet. It's a bullshit article written for morons.

    --
    Proverbs 21:19
  14. our fault by Tom · · Score: 5, Insightful

    Of course they do. Anyone surprised?

    One of the reasons (one, it's a complex topic) is that we, the security professionals, are too dense to properly explain things in a language the user understands correctly.

    For example, we tell them their password should be difficult to guess. But "guess" is the entirely wrong word to use, because it implies something that's not happening in the real world. When you say "guess" to a normal person, his mental image is that of some attacker thinking there, trying a few different things. What we experts mean is that some script will do 10,000 login attempts with a dictionary attack, or some hacker will check your pilfered password hash against a rainbow table.

    Quite a few regular users are seriously convinced that "123456" is a "hard to guess" password, because it wouldn't be their first or second guess for someone else's password.

    Here's what you need to do, IMNSHO:

    We've had several of these breaches with leaked passwords over the years. Collect them, take the top 10,000 or so passwords and put them into a list. Add that list to John with a simple (because you want to be fast) ruleset for permutations. When the user picks a password, run that in the background. And instead of telling him to use a "difficult to guess" password, tell him that you run the same program that some evil people use, and if it can crack his password, he needs to use a different one.

    Tell him that John needed 0.0253 (or whatever) seconds to crack his password, and show him the rule so he understands (e.g. "passw0rd" is a permutation of "password", the #2 most often used password).

    It'll take 20 minutes for him to find a password that works, and he'll have to write it down to remember it. Problem solv... oh, wait...

    Maybe, you know, the problem is in the method. Passwords suck.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:our fault by Obfuscant · · Score: 1

      It'll take 20 minutes for him to find a password that works, and he'll have to write it down to remember it. Problem solv... oh, wait...

      Yeah, this.

      I hate sites that force password changes after a given amount of time. I comply, and then I change my password right back.

      One site I need to have access to goes one step further. They require regular changes and remember the last four passwords you've used. I have to write that one down. They're also the organization that sends regular emails to employees FROM AN OUTSIDE VENDOR reminding people that they need to log in with their company credentials to submit their mandatory timesheet. And they've created a Cyber Security department in IT to help train people to be secure and avoid phishing emails. Job security.

    2. Re:our fault by Ken+D · · Score: 1

      Yes they do. Especially when you require people to jump through hoops they do not want to jump through, like register to comment.

      At my office there is some complicated password policy, and they expire every 90 days. No one at my location has been able to compose an acceptable password from scratch. The only thing that works is to subtly modify your existing password.

      We suspect that the unique password rule actually compares your new password against all passwords ever used by anyone else in the company. Which is about as unfriendly as sites that give you no help in choosing a unique username ("Sorry 'xX_Bob246783_Xx' is not available, try again")

    3. Re:our fault by tlhIngan · · Score: 1

      One of the reasons (one, it's a complex topic) is that we, the security professionals, are too dense to properly explain things in a language the user understands correctly.

      or the problem is the websites in question are so damn full of themselves that they believe they have the keys to Fort Knox.

      I mean, a lot of my website passwords are ... "password" or "123456". I mean, who cares that some obscure blog or forum somewhere is using that password? They get compromised? So what? Oh yay, they can impersonate someone with a post count that can be counted on one hand.

      You can bet my banking password is NOT on the list, nor my eBay, Paypal or other important password.

      Hell, I bet /. has a lot of users with similarly simple passwords. Because the sites don't matter to the user. They had to register for some reason, so they did. But they did it with the probable intention of never coming back.

      And that's the big problem - these password lists can be useless because they don't tell us anything - if the site was useless to begin with, does it really matter? Or if the site forced you to create an account to read some stupid blog post or get a document?

    4. Re:our fault by Tom · · Score: 1

      No, stupidity.

      Many IT people actually try, but they have no understanding for what this looks like from a regular user's perspective. I've given talks on and consulted on the subject - I think I get through to the techies, but it does take some explaining to do, and it probably only works because I am one myself.

      I've worked in a large corporation with a 400 page security policy. The security and compliance departments were very proud of it. Some individuals within IT liked it a lot. Nobody else in the company that I met even knew it existed.

      --
      Assorted stuff I do sometimes: Lemuria.org
    5. Re:our fault by brunes69 · · Score: 4, Insightful

      A much bigger reason is that no one gives a crap if someone knows their password to Adobe.com

      I am a security professional myself. You know what my password is for 1/2 the sites I have accounts on? 1234. Why? Because I don't care.

      The solution is identity federation. The whole concept that Adobe.com or Mom & Pop Blog have passwords at all is ridiculous. If they allowed OpenID logins and stuck nice Google / Facebook / Twitter / Yahoo / OpenID buttons on there then no one would need all these crappy passwords, they would just use their already created and secure federated ID.

    6. Re:our fault by Anonymous Coward · · Score: 0

      One site I need to have access to goes one step further. They require regular changes and remember the last four passwords you've used. I have to write that one down.

      You can always do what I do when my company password expires and needs to be changed (it also remembers the last 3 passwords). Change the password four times resulting in the 4th and final password change being the original password.

    7. Re:our fault by PRMan · · Score: 1

      Which is a goldmine for attackers, since they can verify that SOMEBODY at the organization is certainly using that password.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    8. Re:our fault by maxwell+demon · · Score: 1

      One site I need to have access to goes one step further. They require regular changes and remember the last four passwords you've used. I have to write that one down.

      That reminds me of the script that was installed at one place where I worked. On login it automatically detected a request to change the password, and then just as automatically set it to as many different passwords as the system stored, to reset it to the old password afterwards, which by then had fallen off the system's list. I'm pretty sure that's not what the sysadmin intended. ;-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    9. Re:our fault by Anonymous Coward · · Score: 1

      My company requires a password change every 30 days and you can't use any of your last 24. So what do I do? I keep the same first part, and have the last bit be YMM, so right now it ends with 401 and not too long from now it will be 402. Worse, they restrict to an 8 character max (old, stupid mainframes). I'd have a much more secure password if they didn't make me change it all the time.

    10. Re:our fault by petermgreen · · Score: 1

      It'll take 20 minutes for him to find a password that works, and he'll have to write it down to remember it. Problem solv... oh, wait...

      And even then he might come up with a way of permuting the word that your checking tool doesn't know about but the real crackers do.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    11. Re:our fault by dbIII · · Score: 1

      For example, we tell them their password should be difficult to guess. But "guess" is the entirely wrong word to use,

      Example - a tea drinker used "coffee" for their password. Combine that with the guy the system had been handed off to giving all new email users a shell account, making things "easier" by making the entire system read/write/execute for any user, opening up ssh for all users from anywhere, and you have the story behind an owned box scanning the net for other vulnerable systems.
      Last week a consultant "IT professional" (says so on his card), gave me a two letter login with the password identical to the login with full access to an accounts system that I should not be allowed to touch on more than a superficial level - let alone potentially write my own paycheck. I changed the password (he was of course nowhere near professional enough to suggest this as he should have) but the initial choice was beyond stupid. The rot has spread far. There's too much blinkered thinking of single user non-networked devices when the reality is a malware swamp.

    12. Re:our fault by ewibble · · Score: 1

      You are right, passwords suck, people don't care, you can't make them care, people are bad at choosing them.

      Instead of constantly trying to force people to choose good passwords, we need a way to make it simple for people to get good access keys. I like challenge response where the actual site doesn't even know your password, that way even if they do get hacked they still can't log in as you. They should 1-way hash your password anyway but you have no guarantee they do.

      No more picking/remembering passwords a computer does it for us. Isolated hardware, that requires physical button press, to do a challenge response would be best to avoid viruses, key loggers wouldn't help either.

      OpenID is ok but I personally don't want every site knowing my id, you need a way of having separate passwords for different sites. Password management systems that generate passwords are ok too, but are still vulnerable to viruses on the user's computer.

      Ok the hardware could be stolen, but that could be secured by a password if you wished, they would still need to know your login id.

    13. Re:our fault by master_kaos · · Score: 1



      They're also the organization that sends regular emails to employees FROM AN OUTSIDE VENDOR.</p></quote>

      I hate this SO much. Sometimes I can't even tell if it is a phishing email or not because they use some vendor I've never even heard of. What's even worse is if they don't even use your name / some other personal information so you can figure out if it might actually be legit or not. These aren't small companies either. I have received actual legit emails from EA, Dell, and some other huge companies that for some reason think they need to use an outside vendor.

    14. Re:our fault by TheloniousToady · · Score: 2

      Here's what you need to do, IMNSHO:

      "IMNSHO" isn't a bad password if that's what you need to do, but how about at least mixing the case up a little?

    15. Re:our fault by Anonymous Coward · · Score: 0

      Many people around here just add a one or a two to their password, depending on which six month period it is.

    16. Re:our fault by mjwx · · Score: 1

      One of the reasons (one, it's a complex topic) is that we, the security professionals, are too dense to properly explain things in a language the user understands correctly.

      You've got this so backwards it's not funny.

      It's that the average user is so dense that they can't understand the security professional and they're also so lazy that they won't learn or even take basic self-preservation measures unless they're forced to. The average end user would still be accepting candy from strangers well into their golden years if it wasn't drilled into them from the age of 2.

      If you hadn't been so obnoxious I could have given you credit about understanding that few security professionals understand how to talk to users, but you have gotten it so horribly backwards I can't even credit you with this.

      Security professionals do need to learn how to communicate with the average user, but this means they need to dumb down, not dumb up.

      Maybe, you know, the problem is in the method. Passwords suck.

      Maybe you'd like to suggest a better form of authentication that isn't easily forged (fingerprints), easily stolen (swipe cards), horribly insecure (personal details), horribly intrusive (sub dermal implants) or stupidly time consuming/expensive (DNA tests).

      Again, you're dead wrong. Passwords are fine for their intended purpose, people are not. Passwords, even simple passwords like 123456 are most vulnerable to social attacks. Your biggest problem are people and the fact they don't take security seriously.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    17. Re:our fault by Tom · · Score: 1

      I am a security professional myself. You know what my password is for 1/2 the sites I have accounts on? 1234. Why? Because I don't care.

      You know what my passwords are for 80% of the sites I have accounts on? Something from a selection of fairly good passwords - because my browser remembers them for me. So yeah, that leaves one master password to crack, but we all have that anyways without realizing - it's the password to the email account that all those password reminders would be sent to. ;-)

      The solution is identity federation.

      Or something else that doesn't require people to remember passwords, yes.

      --
      Assorted stuff I do sometimes: Lemuria.org
    18. Re:our fault by Tom · · Score: 3, Insightful

      It's that the average user is so dense that they can't understand the security professional and they're also so lazy that they won't learn or even take basic self-preservation measures unless they're forced to.

      I think I want your boss's phone number, because I'd just love to get a consulting gig where I set you guys straight.

      Lack of understanding for the actual user is the #1 security risk of our time.

      I understand your sentiment. I've been there. 8 years ago I was on the expert panel of a security conference and one of the questions asked was which security risks we estimate will still be there 10 years down the road. We five experts quickly agreed and I was the one to tell it to the audience that "dumb users" was the primary answer. 3 years ago I went back to that conference as the keynote speaker and began my talk with "I was wrong".

      Users aren't lazy, or stupid, or anything like that. Going into the discussion with that assumption is a basic logic flaw. As we all know from logic 101, if your assumption is wrong, your conclusion is worse than wrong, it's meaningless.

      Your biggest problem are people and the fact they don't take security seriously.

      Assumptions like this are what cause security to be so fucked up. It's a typical shifting-the-blame response.

      I am advocating that every security problem is the result of some security professional fucking up. Every single one, including people choosing "123456" as their password. It might not be a technical fuck-up, but one of communication or design (that one is the elephant in the room most people overlook) or empathy.

      Once you stop making other people responsible and check back to see if you could change anything to make this problem go away, you almost always find out that heck yes, you can.

      --
      Assorted stuff I do sometimes: Lemuria.org
    19. Re:our fault by Tom · · Score: 1

      +1 funny, but I'll give a serious answer anyways:

      mixed-case is a strawman. As a matter of fact, on any new applications I write, I always lowercase passwords in the backend, so if the user has caps-lock on, his password still works.

      mixing cases does almost nothing to increase the security of the password of the average user, because any case changes will be in very easily predicted places (beginning, CamelCase, etc.) I've done the math on that once, with real-world assumptions and it's basically one order of magnitude that you gain. That's not worth the trouble of people not being able to log in because they have caps-lock on or forgot if it was "password" or "Password", etc.

      --
      Assorted stuff I do sometimes: Lemuria.org
    20. Re:our fault by Tom · · Score: 1

      Mod parent up, he's spot on.

      I've given a keynote on this subject, and one of the points was that most password policies can be proven to result in less secure passwords. This is one of the reasons why.

      --
      Assorted stuff I do sometimes: Lemuria.org
    21. Re:our fault by TheloniousToady · · Score: 1

      Good point, Tom. I've thought about that also. I haven't analyzed it carefully, but it seems like requiring punctuation also increases security only minimally because that just increases the size of the symbol set by a small percentage and probably also has predictable placement. I guess it would be more effective to increase the minimum password length than to do either of those.

    22. Re:our fault by Tom · · Score: 1

      The problem with password-strength assessments is that the math most people apply is basically x^y where x is the number of possible characters and y the length.

      But that's not how real people work. If your password policy requires at least one number, then you have not actually increased x by +10 for 95% of your users. Most of them will simply add a number to the end, or to the beginning. Basically, instead of turning x^y into (x+10)^y, you've turned it into a little over 10*(x^y). That's a massive difference between the amount of additional strength you thought you'd get and what you actually get.

      --
      Assorted stuff I do sometimes: Lemuria.org
    23. Re:our fault by david_thornley · · Score: 1

      May I humbly (OK, I lied on that one) suggest that a computer system that is unsuited for use by people is not really all that valuable? Unless, of course, you have access to another intelligent race that innately understands computer security, and can hire from that planet.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  15. Obligatory by multimediavt · · Score: 1

    [face palm]

  16. Sometimes the password protects ... nothing by Anonymous Coward · · Score: 1

    While it's true that a complex and perhaps unique password is an important element of security, it is *not* true that there is always something worth protecting. I don't mind using trivial passwords on services if I will only use the service once, and there are no consequences to the account being compromised.

    We should take these statistics with a similar note of caution. Just because someone chooses a weak password for something, does not imply that that user is making a mistake - indeed, the user could know something that we don't, like that the account in question is throw-away.

    When this happens, it is the service provider, whose services may be abused, rather than the user, who may be at risk.

  17. Someone didn't bother reading... by MugenEJ8 · · Score: 1

    ...my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and god.

  18. Fools! by the_skywise · · Score: 3, Funny

    My password was Edoba123 !

    Ha! Capitalization, numbers, and a non dictionary word! STRONG PASSWORD!

    I am so smrt!

    1. Re:Fools! by Nemyst · · Score: 4, Funny

      My password was hunter2, which means all the hackers ever see is *******. It's the ultimate safe password.

    2. Re:Fools! by Anonymous Coward · · Score: 0

      I'd call that a pretty strong password, because it has a space in it. The number of sites where you're not even allowed to include a space in your password is just shocking.

    3. Re:Fools! by Anonymous Coward · · Score: 0

      Whatever, my SSN is ***-**-****.

      WTF? Does Slashdot automatically recognize and block SSN's? Weird.

    4. Re:Fools! by Anonymous Coward · · Score: 0

      For those who don't get the joke, see: http://bash.org/?244321
      Parent should be modded Funny, not Insightful.

    5. Re:Fools! by rmdingler · · Score: 1

      C'mon Pedro, you don't really have a social security number, do you?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  19. Throwaway accounts by Jumunquo · · Score: 1

    People make lots of throwaway accounts because every company wants to force people to register, so it's not surprising you keep seeing generic passwords used. Adobe has downloads that you have to register to get, so it's not surprising seeing lots of generic, insecure passwords. I imagine for a lot of these accounts, all you will get is a fake name, throwaway email address, and what was downloaded.

  20. Hmm by Anonymous Coward · · Score: 0

    My password today for mundane sites is: all those asshats that think they are so smart 123!"#
    (numbers and special characters added for sites that requires them)

  21. No surprise! by Emmi59 · · Score: 1

    What do you expect to be the *most common* passwords used? Something like "nx4897)(/)hahaha98@79"? Would be more interesting to know *how often* simple passwords are used. If the highest percentage of a single weak password in use was about 0.0001%, everything should be fine. But if >=10% of all passwords used were weak, that would be bad...

  22. Add some non-ASCII characters by Gabest · · Score: 1

    You may be able to brute force 256*8 numbers, but never the whole unicode range. (pässwörd)

    1. Re:Add some non-ASCII characters by maxwell+demon · · Score: 1

      Yeah, and you may not be able to log in again if the password request input encoding changes for whatever reason ...

      --
      The Tao of math: The numbers you can count are not the real numbers.
  23. XKCD nailed this ages ago by Ralph+Spoilsport · · Score: 1, Informative

    You don't need a "complex" password to have a strong password. You need a long password. Uppercase / lowercase / weird chars don't matter as much as sheer length in brute force attacks.

    https://xkcd.com/936/

    --
    Shoes for Industry. Shoes for the Dead.
    1. Re:XKCD nailed this ages ago by Anonymous Coward · · Score: 0

      Look at what this cretin says about password length:

      http://security.stackexchange.com/questions/33196/is-there-a-length-beyond-which-increasing-password-length-provides-no-additional

      "So the strength of a password does not come from what it is, and in particular does not come from its length. The password length has no direct relation to password security. What makes a password strong is its randomness;"

      Unbelievable.

    2. Re:XKCD nailed this ages ago by Anonymous Coward · · Score: 0

      And he is absolutely correct. His answer is to the point and explains in detail what is required for a good password. You just did not get it that both, XKCD and the guy on stackexchange are correct. So read both again, think and then come back here...

    3. Re:XKCD nailed this ages ago by SleazyRidr · · Score: 2

      If the hackers decide to use a dictionary attack, then an xkcd-style password is about as good as one 4 characters long. It needs to create randomness in the domain where the hackers might be looking for it. Of course, the old method of switching out letters for numbers or whathaveyou doesn't really fare well either.

    4. Re:XKCD nailed this ages ago by Carnildo · · Score: 1

      If the hackers decide to use a dictionary attack, then an xkcd-style password is about as good as one 4 characters long.

      Four characters, yes, but four from a bloody huge alphabet (2048 characters). An XKCD-style password is almost as strong as four random Chinese characters.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    5. Re:XKCD nailed this ages ago by JDG1980 · · Score: 1

      If the hackers decide to use a dictionary attack, then an xkcd-style password is about as good as one 4 characters long. It needs to create randomness in the domain where the hackers might be looking for it. Of course, the old method of switching out letters for numbers or whathaveyou doesn't really fare well either.

      That kind of attack only works if the hacker knows everyone is using those type of passwords, and if the passwords contain only common words. You could foil it by making sure at least one word in the sentence is relatively unusual – or someone's name, which probably won't be in the dictionary. The hackers aren't going to be able to run an attack like this using the full unabridged dictionary – they'd have to use a list of only the most common few thousand words.

    6. Re:XKCD nailed this ages ago by DMUTPeregrine · · Score: 1

      That's why I recommend Diceware. Strong entropy, big alphabet, easy to remember. Much better than trying to pick randomly, but with all the same benefits otherwise.

      --
      Not a sentence!
    7. Re:XKCD nailed this ages ago by Chris+Mattern · · Score: 1

      If the hackers decide to use a dictionary attack, then an xkcd-style password is about as good as one 4 characters long.

      Wrong! At best, one character has only a couple of hundred possibilities--more likely, less than a hundred. There are a lot more words, even if you limit yourself to common words.

    8. Re:XKCD nailed this ages ago by roc97007 · · Score: 1

      > "So the strength of a password does not come from what it is, and in particular does not come from its length. The password length has no direct relation to password security. What makes a password strong is its randomness;"

      This string would make a good password.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    9. Re:XKCD nailed this ages ago by dido · · Score: 2

      Wrong. Four words, out of 20,000 or so words that a typical literate person would know, gives 20,000^4 combinations, or a total of 1.6e17 possible combinations. That's about 57 bits of randomness right there, harder to crack than a DES key, and that's only if you *know* for certain that they're using an XKCD 936-style password. Yeah, I know that's in range of a massive distributed cluster: a DES cracker can be built for US$10,000, that can recover a key in six days, but it's still a fair sight better than the rubbish we have today. If you really care, use more words. Nine words is all you need to get to 128 bits of entropy.

      --
      Give me six lines written by the hand of the most honest man, and I will find in them something with which to have him hanged.
    10. Re:XKCD nailed this ages ago by AlterEager · · Score: 1

      If the hackers decide to use a dictionary attack, then an xkcd-style password is about as good as one 4 characters long.

      Four characters, yes, but four from a bloody huge alphabet (2048 characters). An XKCD-style password is almost as strong as four random Chinese characters.

      2048 characters! You have a very small vocabulary.

      $ wc -l /usr/share/dict/words
      390945 /usr/share/dict/words

    11. Re:XKCD nailed this ages ago by gnasher719 · · Score: 1

      Wrong. Four words, out of 20,000 or so words that a typical literate person would know, gives 20,000^4 combinations, or a total of 1.6e17 possible combinations. That's about 57 bits of randomness right there, harder to crack than a DES key, and that's only if you *know* for certain that they're using an XKCD 936-style password. Yeah, I know that's in range of a massive distributed cluster: a DES cracker can be built for US$10,000, that can recover a key in six days, but it's still a fair sight better than the rubbish we have today. If you really care, use more words. Nine words is all you need to get to 128 bits of entropy.

      You can also use hashing algorithms that take longer. Apply the hashing algorithm a few million times, for example. For example, the iOS passcode hashing algorithm is calibrated to take about 1/10th of a second (and uses a 256 bit key burnt into the CPU and not extractable, so you can't run it on an array of GPU's, only on the original iPhone).

  24. Luckily, by tpstigers · · Score: 4, Funny

    my cat's name is &%GRang876$%#lkkjhaeyluihjsdkaClghiu.

    1. Re:Luckily, by sconeu · · Score: 1

      Based on her response to the can opener, my cat's name is apparently "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr"

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Luckily, by Anonymous Coward · · Score: 0

      So, how do you evade summoning Cthulhu every time you call your cat?

    3. Re:Luckily, by steelfood · · Score: 1

      Your name must be Robert'); DROP TABLE students;--

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    4. Re:Luckily, by Anonymous Coward · · Score: 0

      That reminds me: I was asked in person to *say* my password. I answered that they probably did not want to hear it, but they insisted. So I spelled out 0QE4m0x1B2TGZ - and the response was "wow, that's a secure password". Like nobody else ever came along with a decent password.

  25. Where are they getting their study data? by Anonymous Coward · · Score: 0

    What sort of site is storing their passwords in plaintext to allow this study to be done? Probably the crappy sites that people use throwaway passwords on. Value of study? zero.

    1. Re:Where are they getting their study data? by JDG1980 · · Score: 4, Informative

      What sort of site is storing their passwords in plaintext to allow this study to be done? Probably the crappy sites that people use throwaway passwords on. Value of study? zero.

      If they use a non-salted hash, they could do a database query to get the top 25 hashes by count, and then run rainbow tables on those hashes. That might not work if any of the top 25 were strong passwords, but they're all simple alphanumerics, which a rainbow table should be able to chew through in short order.

  26. dumb pic from link by pouar · · Score: 1

    I'm guessing the guys who picked those passwords are about as competent as that guy in that jpeg on the second link. He's trying to use a key to unlock a laptop and wears a mask so the monitor can't tell who he is.

    --
    while :;do if windows sucks;then mv windows /dev/null;pacman -Sy linux;fi;done
    1. Re:dumb pic from link by achbed · · Score: 1

      Given how many laptops have webcams now, it's not a bad idea. Especially when the NSA is activating them on a regular basis.

  27. What do you expect by Anonymous Coward · · Score: 0

    Let's be honest, we would still be mocking them if they used passwords shorter than 18 characters and/or any dictionary words.

    Unless they use a unique 18 character high entropy password for each of their sensitive accounts then obviously they are stupid and/or lazy.

  28. The impossibility of passwords by Anonymous Coward · · Score: 0

    For every site you are requested to come up with a random string that is hard to remember, and then remember it.

    1. Re:The impossibility of passwords by maxwell+demon · · Score: 1

      For every site you are requested to come up with a random string that is hard to remember, and then remember it.

      No. You are requested to come up with a string that is hard to guess. There's absolutely no requirement that it is hard to remember.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  29. Scunthorpe by I'm+not+god+any+more · · Score: 1

    Don't append 123 to the website name to create a password. Instead append Scunthorpe, this will cause the Great Firewall of the UK to protect your data.

  30. That's nothing! by Anonymous Coward · · Score: 0

    One of my passwords is 63 characters long.

    Though it is a combination of seven other different passwords.

    1. Re:That's nothing! by Anonymous Coward · · Score: 0

      Yeah well mine is 64!
      passwordpasswordpasswordpasswordpasswordpasswordpasswordpassword

      Pretty good right?!?

  31. And apparently by puppetman · · Score: 1

    Websites, corporate domains, and so on, still allow "password" and "123456".

    You can't use these silly passwords if there is a password-strength check that was set up with a bit of common sense.

    1. Re:And apparently by geekoid · · Score: 1

      How do you check it, and yet have it so no one can crack it?

      If they can check your password, someone is plain-texting it.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:And apparently by JDG1980 · · Score: 1

      How do you check it, and yet have it so no one can crack it?

      At the time the user specifies or resets their password, the system handling it has access to that password in plain text. Of course it should be salted and hashed before it gets stored in a database, but that happens afterward. All they have to do is check it against an array of the 25-100 most commonly used passwords, and if it matches, tell the user it's being rejected and why.
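
The two defensive pieces raised in this thread, as an added example rather than code from Slashdot, Adobe or SplashData: the registration-time check against a common-password list described above, and per-user salting before storage, which is what defeats the "top 25 hashes by count" analysis of an unsalted table mentioned earlier. The password list, the sample users, the site name "adobe" and the username "alice" are constructed for illustration; a deployment would load a much larger list.

```python
"""Added example (not the page's or any vendor's code): screen a new password
while the plaintext is still in hand, then salt and stretch it for storage.
The blocklist below is a constructed subset; load a real list in production.
"""
import hashlib
import os
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample of commonly chosen passwords, lower-cased for comparison.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}

# Symbol/digit substitutions people use to dodge an exact-match check
# ("p@ssw0rd"); folding them lets the list catch the obvious variants.
_LEET = str.maketrans("@$013|!", "asoleli")


def normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits ("password2014"), fold leet."""
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789") or lowered
    return stripped.translate(_LEET)


def check_password(password: str, site_name: str, username: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    # The summary's point: "adobe123" and "photoshop" were popular on Adobe.
    for term in (site_name, username):
        if term and term.lower() in password.lower():
            reasons.append(f"contains {term!r}")
    return reasons


def hash_for_storage(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt and stretch an accepted password; only (salt, digest) is stored.
    A fresh random 16-byte salt per user is the default."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)
    return salt, digest


def largest_digest_cluster(passwords: List[str], salted: bool) -> int:
    """Size of the largest group of users whose stored digests are identical.
    With one shared (or no) salt every '123456' user shares a digest, so the
    most common passwords stand out by count alone; per-user salts make every
    cluster size 1. Useful as a self-audit of an existing credential table."""
    shared_salt = b"\x00" * 16          # "unsalted" == the same salt for everyone
    digests = [hash_for_storage(pw, None if salted else shared_salt)[1]
               for pw in passwords]
    return max(Counter(digests).values())


# Constructed sample: three users chose '123456', two chose 'password'.
SAMPLE_USERS = ["123456"] * 3 + ["password"] * 2 + ["correct horse battery"]

if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd2014", "Adobe1234", "correct horse battery"):
        print(f"{pw!r}: {check_password(pw, 'adobe', 'alice') or 'accepted'}")
    print("largest cluster, shared salt:", largest_digest_cluster(SAMPLE_USERS, False))
    print("largest cluster, per-user salt:", largest_digest_cluster(SAMPLE_USERS, True))
```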

  32. If only they had a simple offline password keeper. by Anonymous Coward · · Score: 0

    Like the open source one currently being developed by the Hackaday readers.... http://hackaday.com/tag/developed-on-hackaday/

  33. Re:If only they had a simple offline password keep by mathieu.stephan · · Score: 1

    Every suggestion is, by the way, very welcome...

  34. Good news! by hamster_nz · · Score: 3, Funny

    I'm going to use '123456' from now on. If somebody is knocking on doors with that password, odds are they will access someone else's account before mine.

    1. Re:Good news! by Chris+Mattern · · Score: 1

      *And* you'll be able to use it to get into the president's luggage!

    2. Re:Good news! by sootman · · Score: 1

      Good idea, but it won't work for me, because my last name starts with A, so they'd get me early on.

      123465 FTW!

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    3. Re:Good news! by hamster_nz · · Score: 1, Interesting

      Ha! If 00000000 is good enough for Minuteman missiles then it is good enough for me!

    4. Re:Good news! by roc97007 · · Score: 1

      That's brilliant. By the time they would have gotten to "ham[...]" they will have broken into enough accounts to retire, and won't bother with yours.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    5. Re:Good news! by purpledinoz · · Score: 1

      I'm going to go even a step further, I'm going to use 1234567.

    6. Re:Good news! by AlterEager · · Score: 1

      Modded you down for linking the Daily Fail.

  35. rubber-necker woot-woot by epine · · Score: 2

    They actually only know your email and that your Adobe password was 'Adobe123'. That might indicate that you reuse that password pattern, but you might not.

    Trust me, the NSA uses statistics and not fuzzy logic. Trust me, in the general case, it's an entropy leak. As someone with apg-generated unique passwords for every place I visit (as short as 10 characters if I really don't give a shit) I might have one such password in my portfolio, but it would be a joke, a highly self-conscious joke. It's still an entropy leak. I'm sure the NSA has a special folder for people with my sense of humour.

    Now to trash on the story summary.

    and worse

    And worse than "password"? Oh, please. In the most contrived example, you might find a way. But generally, "password" has a death grip on most worstest. Just couldn't resist tacking on the rubber-necker woot-woot, could you?

    1. Re:rubber-necker woot-woot by geekoid · · Score: 4, Informative

      Never trust someone who says 'trust me', especially if they say it twice.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:rubber-necker woot-woot by Em+Adespoton · · Score: 1

      and worse

      And worse than "password"? Oh, please. In the most contrived example, you might find a way. But generally, "password" has a death grip on most worstest. Just couldn't resist tacking on the rubber-necker woot-woot, could you?

      While you're probably right, so are they... even if it's by accident. I've actually seen people using their social security number as their password and the last 4 digits of their telephone number as their user ID. In fact, I've seen situations where this is generated by the site in question with no visible means for the account holder to change them.

      Of course, that was way back in 2013.

    3. Re:rubber-necker woot-woot by Delarth799 · · Score: 2

      And if they tell you you're going to be safe, more than once, you're going to die.

    4. Re:rubber-necker woot-woot by skegg · · Score: 1

      And never get into a car with them.

    5. Re:rubber-necker woot-woot by Stolpskott · · Score: 1

      And if they tell you you're going to be safe, more than once, you're going to die.

      Even worse, never, ever, agree to wear a red shirt and beam down to a planet with them. You probably have a better chance of survival by playing Russian Roulette with an automatic pistol...

    6. Re:rubber-necker woot-woot by ILongForDarkness · · Score: 1

      If they tell you you're going to be safe, it will be them that robs/rapes/kills you :)

    7. Re:rubber-necker woot-woot by antdude · · Score: 1

      Yeah, don't trust Sledge Hammer who always said "Trust me, I know what I am doing". ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  36. Passwordmaker by Hobadee · · Score: 1

    This is why I use PasswordMaker. I get a separate, secure password for every site, only have to remember a single password, (and a simple configuration) and don't have a list of passwords stored anywhere.

    I'm constantly advocating for it yet nobody ever listens to me...

    --
    ...Had this been an actual emergency, we would have fled in terror, and you would not have been informed.
    1. Re:Passwordmaker by Anonymous Coward · · Score: 0

      A similar but slightly more laborious method (but no installation necessary) is to use echo "salt+sitename" | sha512sum (or other hash of your choice) and copy-paste the result as your password. And looking up pwm it seems like that's exactly what they are doing, so I approve.

  37. End Users by Anonymous Coward · · Score: 0

    In general you're never going to stop this. People (most) when it comes to selecting multiple usernames and passwords are sick of it. They become tired of the tedious requirements of managing over 100 sites of passwords and the others are just too lazy to care.

  38. sigh by geekoid · · Score: 1

    " Slashdotters have known for years that while it's always tempting to create a password that's easy to remember "

    Yes it's tempting, and you should do it. Just because it's easy to remember doesn't mean it's easy to crack. Example:
    Street I lived on when I was a kid:
    Parakeet

    Name of my first pet:
    Toby

    This is easy information for me to remember, but not information that random people would know; in fact, other than my immediate family, no one would know.

    So:
    P4r4k33t_T0by_A

    Rotate the A

    I would never forget that. NO, it's NOT what I used, but I do use a similar technique.

    Want a harder one? Fine.
    yb0T_t33k4r4P_a

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  39. They all vary by speedlaw · · Score: 4, Insightful

    The reason passwords suck is: This one wants eight characters, with a symbol and a letter. This one wants eight characters, with NO symbols, and a letter. This one wants upper and lower case letters. This one wants upper and lower case with a symbol and number. This one wants upper and lower with no symbols. The formats change all the time, so it is no wonder that most people end up with a post-it note stuck to the computer, or if stealthy, inside the drawer.

    1. Re:They all vary by Anonymous Coward · · Score: 1

      Don't forget the ones that have maximum character limits.

      All of my passwords are eight characters minimum and most approach fourteen and fifteen. Nothing is more frustrating to me than websites (especially ones where security is actually a concern) that have maximum character limits!

    2. Re:They all vary by Anonymous Coward · · Score: 0

      Especially since they should be hashing or some other fancy modern technique that does not depend on password length.

    3. Re:They all vary by Anonymous Coward · · Score: 0

      You should not be using the same password for things anyhow. However you are correct that it is impossible to remember passwords for all your stuff. What I do is pick a good password for my email, and reset the password every time on things I do not use often.

  40. Damn! by PPH · · Score: 4, Funny

    They cracked my password. Now I'll have to change my dog's name again.

    --
    Have gnu, will travel.
  41. The bigger tragedy? by achbed · · Score: 1

    What's the bigger problem here - that people choose insecure passwords, or that the systems involved ALLOW them to choose known insecure passwords? Any password system these days should be able to disallow these common passwords out of the gate. If they can't be bothered to make sure their customer's password is difficult to crack, how can we believe that any other aspect of their security is up to par? I would note that most of the password leaks have come from folks that use insecure methods to hash or simply obscure their password storage, against all recommendations by the security industry.

    1. Re: The bigger tragedy? by Anonymous Coward · · Score: 0

      Wouldn't that save a little time for an attacker? I mean, now they've got a huge list of what to skip.

    2. Re:The bigger tragedy? by gnasher719 · · Score: 1

      What's the bigger problem here - that people choose insecure passwords, or that the systems involved ALLOW them to choose known insecure passwords?

      You didn't read anything here, did you? Using a totally insecure password to download some rubbish stuff from the Adobe password _is not a problem_. What's the worst thing that can happen _to you_ if someone guesses your password on that site?

      Now take passwords on Slashdot. That's just _slightly_ more serious. Someone could post rubbish under my username, which would be annoying but no big deal really. I bet the number of 123456 passwords on Slashdot is a lot lower. Now take passwords on Paypal. If you get my Paypal username and password, that could be mighty inconvenient and possibly costly. I bet that Paypal passwords are a lot more secure. And I would really, really hope that Paypal keeps my password a lot more secure than Adobe does.

  42. Yep, People Are Still Using Passwords in 2014 by Anonymous Coward · · Score: 0

    Fixed that title for you.

    Passwords are fucking bullshit and need to die.

    Passphrases would be far, far better.

    A key-based system (ala SSH) would be best.

  43. Annoyingly by PsyMan · · Score: 1

    I have started using LastPass's automagic password creation doodah to randomly generate my passwords. I am of course (foolishly) trusting them to stay in business for the rest of my life and paying the measly $10 / sorry, now $12pa to keep them "safe". Is that safer than using the same memorable passwords (tiered for banking/work stuff/forum spamming/unimportant stuff), variations on the same theme, just to memorise them? I don't know, SSO in a way, but there comes a point in life where it all becomes too many to remember. What to do? For example, World of Tanks did not allow me to use non-alphabetic characters FFS; unbelievable how many times I use their "reset my password" facility as I can't remember it. Might just get a big bunch of post-it notes and put them around the monitor like my bosses do.

    1. Re:Annoyingly by heypete · · Score: 1

      Hasn't LastPass always been $12/year? I've been a subscriber for years and I don't remember it ever being $10.

      Anyway, there's no need to rely on LastPass existing for the rest of your life: they give you the option of exporting your data to a CSV file which can be read by just about everything. Other password manager utilities can import CSVs, making any transition pretty simple. Hopefully that won't come to pass, but if it does it's not a big deal.

  44. ',.pyf by Anonymous Coward · · Score: 0

    My password is ',.pyf you insensitive clod!

  45. Another recent study shows 2% are "password" by Anonymous Coward · · Score: 0

    ...analyze about 5,000 production passwords set by end users over the course of a year. All of these passwords could have passed cursory PCI-DSS muster since they were more than seven characters long and contained both numeric and alphanumeric characters. ...some users (2%) actually used the word “password” or “pass” in their password

    http://resources.infosecinstitute.com/beyond-password-length-complexity/

  46. Too many sites want a password by mtthwbrnd · · Score: 4, Insightful

    Even to read some news site requires that you go through the stupid account creation process. I doubt that most are using these simple passwords for anything important, just for the stupid sites who are so full of their own self-importance that the creators believe that at some stage in the future a huge corporation is going to offer them $100M for their database of users.

    Look, I bought a box to hook up to my TV to watch YouTube on my TV. It requires me to enter a Google email address. Well, I did not want to use my usual email address. What if I give the box to somebody? Do I have to spend an hour trying to delete my account details from the stupid thing? So I did what everybody else does. I spent half an hour creating YET ANOTHER F*CKING GOOGLE ACCOUNT with a fake name and simple password (123456 or something like that) just so that I could use the thing.

    If you try to watch "Tayo The Little Bus" it asks you to sign in because apparently some idiot user has marked it as not "Age Appropriate" or some other nanny state BS like that.

    That is why there are so many "easy" passwords. Because the idiots in charge have created a situation where we have to have so many passwords.

    1. Re:Too many sites want a password by ObsessiveMathsFreak · · Score: 1

      Amen.

      I am literally drowning in passwords. Over the last week, I've had to create at least a half dozen new user/password combinations. I doubt I'll ever use most of them again, but I don't want to use the same password or variations thereof on multiple sites.

      At this point, the "Register" prompt is enough to send me screaming in horror away from sites. Maybe this is for the best.

      --
      May the Maths Be with you!
  47. Fuck those fuckers by Anonymous Coward · · Score: 0

    You can't protect people from their own stupidity

  48. federation = tracking by Anonymous Coward · · Score: 0

    The problem is that then Google, Facebook, Twitter, Yahoo or OpenID would know every site you are authenticating yourself to. To use those services you have no choice but to trust them with that information. Which they will use for their own nefarious purposes (read: collect into giant database and sell to dozens of other companies and gov't organizations).

    1. Re: federation = tracking by brunes69 · · Score: 1

      It's an open standard. If you are paranoid about Google knowing you visit Slashdot, then run your own service or use another provider.

  49. The worst by dreamchaser · · Score: 1

    The worst I've seen in terms of potential risk was the admin password on a customer's primary firewall cluster. It was the same one I had used in class for the labs when I taught it, even though I'd admonished the students not to ever use such a weak password. It was qaz123.

    I had another client using a different firewall vendor who used q1w2e3r4t5. On their production Internet gateway.

  50. Throw-away accounts by sir-gold · · Score: 1

    There have been a few websites that I have used in the past which required you to register with them in order to access some part of the site or to access the download area. For sites like this I could see people using weak passwords, because the account has no particular value to them and they don't care if the account gets hacked.

    Adobe is a good example of this. Most of those accounts were probably created for a one-time access to free downloads from adobe, and then promptly forgotten about.

  51. "Emergency" passwords can be the worst by msobkow · · Score: 1

    The built-in automatic password for a certain banking transaction history system used for the equivalent of "root" access is "MMDD". Four easily predicted digits.

    And this software is used by some of the biggest banks in North America -- several of them. It's used to maintain complete seven year transaction histories in compliance with the law and banking regulations.

    Worse, there is no audit trail of the account used to access the emergency maintenance account. And you cannot disable the account!

    --
    I do not fail; I succeed at finding out what does not work.
  52. Re: On the contrary: stop publishing my password by Anonymous Coward · · Score: 0

    you slashdot are a security risk

  53. people still rely on them to protect their data by Anonymous Coward · · Score: 0

    No, people still rely on them to get past password prompts protecting data they don't care about.

  54. No! by Anonymous Coward · · Score: 0

    no?

    Really?

  55. what pisses me off, the restrictions on passwords by Osgeld · · Score: 1

    Why the fuck does my email have the ability and the use of a stronger password system than my bank? Not talking about making 255-character high-ASCII stuff here, just minimum length, with the ability to toss a ? or a { in the mix...

  56. Re:If only they had a simple offline password keep by Anonymous Coward · · Score: 0

    Bruce Schneier has Password Safe. There's KeePassX and many others. I personally use that because programs for reading them are available for all the platforms I care about: Linux, Windows, and Android.

  57. 2tasks is secure by Anonymous Coward · · Score: 0

    Guys just sharing, I've found this interesting! Check it out! Http://www.2tasks.com

  58. Re:what pisses me off, the restrictions on passwor by mjwx · · Score: 1

    Why the fuck does my email have the ability and the use of a stronger password system than my bank? Not talking about making 255-character high-ASCII stuff here, just minimum length, with the ability to toss a ? or a { in the mix...

    I'd be asking why your bank isn't using 2 factor authentication.

    If anyone gets my banking username and password all they can do is look at my modest bank account. If they try to do anything then the bank sends a one-time code to my phone via SMS and they can't do anything without that code. They can't even read my transaction history without a one-time code.

    I'm sure there are some pedantic /.ers rubbing their hands with glee telling me how this system is flawed; yep, I'm sure it's got flaws, but it's a hell of a lot more secure than just a username and password. A thief now has to get my username and password _AND_ steal my phone or know me well enough to fraudulently transfer my phone number into their name (which is getting harder and harder for letterbox thieves as I have few paper bills nowadays).

    This is also why I don't use banking apps. They store details and many banks emphatically trust them. So all a thief has to do is swipe my phone and they get full access... if I used them, that is. Web sites work just as well (often have more functionality too) and Mr Phone Thief only gets my aging handset and what little credit is left on there.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  59. The number of Websites... by Anonymous Coward · · Score: 0

    ... requiring you to choose a password is too damn high. At least not on Slashdot, unless you want your comments to be read ;-)

  60. Really? by Anonymous Coward · · Score: 0

    If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.

    And this is insightful? That applies if your passwords for those accounts aren't 123456 or password, even using your address, date of birth, the brand of your vehicle, maiden name/s, etc.

    All are just as easy to obtain nowadays.... Follow what security experts say when changing from caps to small caps, using numbers or using symbols in combination. All mine are different and they're written down in a small analog [aka paper] notebook, nowhere near any of my computers. After a while you begin to remember them.


  61. Password solution by VlartBlart · · Score: 1

    I was fed up with password hell so came up with this solution - it's not perfect but it does work...

    1. Think of a song lyric such as "Welcome to the house of fun" (Madness)
    2. Think of this as "wtthof" (the initial letters)
    3. Extrapolate a letter for a number. In this case "to = 2". So we now have "w2thof".
    4. Some sites require 8 letters so (at this stage) we need at least 7 letters (we only have 6 right now). The word "Welcome" could be "wc" instead of just "w". So we now have "wc2thof".
    5. Finally, take the first letter of the website you want to log in to, "F" for Facebook, "E" for eBay etc., and add a capital of that letter to the front of the password.
    So, the Facebook password would be "Fwc2thof"
    The eBay password would be "Ewc2thof"

    This gives up to 26 different passwords that cover all the rules and is easy to remember (WelCome 2 The House Of Fun)

    If the website name starts with a number (such as 123-reg.com), keep the original rule (the first letter) but make the last letter a capital. This would make "1wc2thoF"

  62. GPG by Anonymous Coward · · Score: 0

    I'd still like a simple GPG key I can use with websites for authentication. Server sends me a challenge, I use my secret key to decrypt, logged in!

    Other than that, I think, the whole password issue, aside from being a PITA, is one big smokescreen given recent revelations. The fact is, while some people will be affected, in reality most people will not be, even if they have pretty 'weak' passwords!

  63. My method... by Buchenskjoll · · Score: 1

    I skip all the vowels, then assign an integer to each consonant, p is 1, s is 2, w is 4, r is 5 and d is 6. If a letter is repeated I add 1 to the original integer. So now password is 123456, and I fooled all the bad guys.

    --
    -- Make America hate again!
  64. Where does Splashdata get the passwords from? by TigerPlish · · Score: 1

    I certainly hope Splashdata isn't reading passwords from SplashID users who store their SplashID data in Splash's servers. For your convenience in backing up and restoring, etc, of course.

    --
    The "Civilized World" jumped the shark ca. 1973.
  65. Forum Bots by Martin+S. · · Score: 1

    I wonder how many of these accounts are those created by forum posting bots. It would be interesting to see the relative statistics.

  66. You don't by Anonymous Coward · · Score: 0

    When I was forced to sign up for an Apple Developer or iTunes Store account to get software updates for my MacBook...

    You do not have to sign up for any kind of online account to get software updates for a Mac.

  67. Just use passwordsafe... by toonces33 · · Score: 1

    I have a different random password for every website on which I have an account. Relatively hard to crack with brute force. The problem is that as a user, I have no idea what the website is doing under the hood - they could be storing it in cleartext for all I know. But with a different password for every website I visit, even this possibility isn't something I lose much sleep over.

  68. If you guys are all so smart... by rcharbon · · Score: 1

    ...let's all post our passwords here and see who has the best one. Go!

  69. slashdot123 by Anonymous Coward · · Score: 0

    is the password I would use if Slashdot forced me to create an account for commenting, and I would post it to bugmenot so other people can be AC too. People will always use weak passwords for throwaway accounts. There's nothing wrong with that.

  70. problems by gzuckier · · Score: 1

    That's my password. ********. The problem is i can't get it not to display.

    --
    Star Trek transporters are just 3d printers.
  71. Dammit by Anonymous Coward · · Score: 0

    My Slashdot password of slashdot123 is on that list.