Yep, People Are Still Using '123456' and 'Password' As Passwords In 2014
Nerval's Lobster writes "Earlier this week, SplashData released its annual list of the 25 most common passwords used on the Internet — and no surprise, most are so blindingly obvious it's a shock that people still rely on them to protect their data: '12345,' 'password,' 'qwerty,' '11111,' and worse. There were some interesting quirks in the dataset, however. Following a massive security breach in late 2013, a large amount of Adobe users' passwords leaked onto the broader Web; many of those users based their password on either 'Adobe' or 'Photoshop,' which are terms (along with the ever-popular 'password') easily discoverable using today's hacker tools. 'Seeing passwords like "adobe123" and "photoshop" on this list offers a good reminder not to base your password on the name of the website or application you are accessing,' Morgan Slain, CEO of SplashData, wrote in a statement. Slashdotters have known for years that while it's always tempting to create a password that's easy to remember — especially if you maintain profiles on multiple online services — the consequences of an attacker breaking into your accounts are potentially devastating."
https://xkcd.com/936/
Shoes for Industry. Shoes for the Dead.
And yet when an attacker can recover their plaintext password it doesn't really matter how "secure" the password was. I could have the strongest, most random password possible, but if an attacker can steal it from you in plaintext, so what?
Create a password: password
Everyone is using "password." We need to stop that.
Create a password containing both letters and numbers: password1
Everyone is using "password1." We need to stop that.
Create a password containing numbers and both capital and lowercase letters: Password1
Everyone is using "Password1." We need to stop that.
Create a password containing numbers, both capital and lowercase letters and a special symbol: Password1!
And so it goes.
I was on an information system a few years back; if it didn't like your password, you couldn't use it and had to choose something more arcane. The downside of that is that really nasty passwords, with changes of case, numbers and symbols, end up written on Post-it notes and stuck on the fronts of computers.
A feeling of having made the same mistake before: Deja Foobar
Never trust someone who says 'trust me', especially if they say it twice.
The Kruger Dunning explains most post on
Indeed. I keep waiting for retina scan or DNA analysis, but it hasn't happened, yet.
And when a hacker gets hold of those, good luck changing them.
What sort of site is storing their passwords in plaintext to allow this study to be done? Probably the crappy sites that people use throwaway passwords on. Value of study? zero.
If they use a non-salted hash, they could do a database query to get the top 25 hashes by count, and then run rainbow tables on those hashes. That might not work if any of the top 25 were strong passwords, but they're all simple alphanumerics, which a rainbow table should be able to chew through in short order.