Yep, People Are Still Using '123456' and 'Password' As Passwords In 2014

Nerval's Lobster writes "Earlier this week, SplashData released its annual list of the 25 most common passwords used on the Internet — and no surprise, most are so blindingly obvious it's a shock that people still rely on them to protect their data: '12345,' 'password,' 'qwerty' '11111,' and worse. There were some interesting quirks in the dataset, however. Following a massive security breach in late 2013, a large amount of Adobe users' passwords leaked onto the broader Web; many of those users based their password on either 'Adobe' or 'Photoshop,' which are terms (along with the ever-popular 'password') easily discoverable using today's hacker tools. 'Seeing passwords like "adobe123" and "photoshop" on this list offers a good reminder not to base your password on the name of the website or application you are accessing,' Morgan Slain, CEO of SplashData, wrote in a statement. Slashdotters have known for years that while it's always tempting to create a password that's easy to remember — especially if you maintain profiles on multiple online services — the consequences of an attacker breaking into your accounts are potentially devastating."

On the contrary:

[iroll]

If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.

Re:On the contrary:

Except now they know your email address and the fact you use the name of the company in your password...

Re:On the contrary:

[Desler]

And strong passwords are meaningless if the company is storing them in a really stupid way such that they can be recovered in plain text by an attacker. At that point, adobe123 is no less secure than a 64-character randomly-generated password.

Re:On the contrary:

[ackthpt]

If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.

Even if the user is stupid, it's not like the site author couldn't dedicate a few minutes to to code evaluation of the password and tell the user 'Not good enough, not even secure in the least, do you want to see a picture of people who think that password is secure?' and display some of those Faces of Meth people.

even this lolcat is smarter than you

Re:On the contrary:

Won't work. People would use a blank password if the websites which require registration to download something free or access a support forum allowed it. So what do you start with? Name of the company. Nope, has to have letters AND numbers. So adobe123. That's a password which says "I don't give a fuck. I'm not even going to use this account again. Just let me download this file." It does not mean that people use the same scheme for passwords to sites where a hacked account could actually do them some harm. Anyway, remember how we know what passwords people use: The companies which demand ever more complex passwords don't properly secure them and lose them, in cleartext form! How can you expect users to care when not even the companies whose business depends on customers' trust care?

Re:On the contrary:

[brunes69]

You are missing the point. Adobe.com should not be telling me my password is insecure. Adobe.com should not be asking me for passwords in the first place, because the idea that I should need a seperate password for Adobe.com is stupid. Implement OpenID properly and allow people to log in with an already existing identity. The biggest problem with passwords on the internet is every single mom and pop website thinks they need to have their own login and authentication mechanism when in reality all they need is a way to confirm an identity. My nirvana is every single website in existance allows me to log in with my OpenID account, which is nice and secure and has two factor authentication. Then I only have ONE password to remember.

There is absolutely no reason the internet could not work this way if site admins would get their heads out of their asses and stop rolling their own authentication schemes, because between Google, Yahoo, Twitter, Facebook, and other 3rd parties, every web user already HAS an OpenID capable login..

Re:On the contrary:

[brainboyz]

And forcing everyone to use one is just as bad. I don't want any of those sites authenticating me everywhere I go. One more way to tie your life together online.

Re:On the contrary:

[brunes69]

Then use OpenID.org. Or run your own. That is why it is called an Open Standard.

Re:On the contrary:

[Bill,+Shooter+of+Bul]

If they had hashed them without a salt, then you'd be better off with a random password.
If they had hashed them with the same salt, then you'd be better off with a random password
If they had them plain text, and you reused the same weak password on multiple sites, then you'd be better off with a random password.

In general there are so many benifits to using a strong random password on each site, that its really stupid not to.

Re:On the contrary:

[xenobyte]

Actually I treat 'forced' accounts on places like Adobe very differently than other places where I use passwords - basically I don't trust a company like that to be secure so I use a different password system there than elsewhere. My password were in the Adobe list, as were my business email, but I don't work for that company anymore so the email is obsolete, and the password... Well it won't be used elsewhere.

"it's a shock"

[neminem]

Quoth, "It's a shock that people still rely on them to protect their data".

Important fact that many of these studies miss: not everybody cares about their data, and not all data is the same. Anyone using a password like this to protect their bank account, or their email address (that they use to send forgotten password requests from their bank account) deserves to have their money stolen.

On the other hand, anyone who uses a password like this to protect the fact that they once logged into some random crappy site that they joined to post one comment, and which they have subsequently never used again and have forgotten about, deserves... absolutely nothing bad to happen to them as a result. Who cares if someone gets their password to some random crappy site? I certainly don't. It would be a much worse idea to use a more secure password to those throwaway sites, because then you'd be tempted to use the same password you used on more secure sites you actually cared about.

There are probably a lot of passwords to throwaway sites like that in any database of stolen passwords, specifically because people are more likely to use better passwords on the sorts of sites that are also (I certainly hope!) less likely to get all their passwords leaked.

Re:"it's a shock"

[lgw]

Anyone using a password like this to protect their bank account, or their email address (that they use to send forgotten password requests from their bank account) deserves to have their money stolen.

No one deserves to have their money stolen. The concept you're looking for is "responsibility". Anyone using an easy password for a bank account is irresponsible, but if they get their money stolen what they deserve is our compassion.

Currently banks seem to be proud of the level of fraud protection they offer customers, perhaps even competing on that basis. That's a good thing. Not everyone is capable of remembering a complex password, after all.

No surprise

[Dan+East]

Considering the internet is still used by the same set of people from 2013, and 2012, and 2011, etc, it shouldn't be surprising they're using the same kinds of crappy passwords.

Re:Maybe people don't care

[khasim]

My simple process for this is that if the site does not have my credit card info or even my name then I don't care what the password is.

And I don't care if your site is cracked any my 12345 password is revealed. All they're going to get is the cat's name and a birthdate of 1900-01-01.

our fault

[Tom]

Of course they do. Anyone surprised?

One of the reasons (one, it's a complex topic) is that we, the security professionals, are too dense to properly explain things in a language the user understands correctly.

For example, we tell them their password should be difficult to guess. But "guess" is the entirely wrong word to use, because it implies something that's not happening in the real world. When you say "guess" to a normal person, his mental image is that of some attacker thinking there, trying a few different things. What we experts mean is that some script will do 10,000 login attempts with a dictionary attack, or some hacker will check your pilfered password hash against a rainbow table.

Quite a few regular users are seriously convinced that "123456" is a "hard to guess" password, because it wouldn't be their first or second guess for someone elses password.

Here's what you need to do, IMNSHO:

We've had several of these breaches with leaked passwords over the years. Collect them, take the top 10,000 or so passwords and put them into a list. Add that list to John with a simple (because you want to be fast) ruleset for permutations. When the user picks a password, run that in the background. And instead of telling him to use a "difficult to guess" password, tell him that you run the same program that some evil people use, and if it can crack his password, he needs to use a different one.

Tell him that John needed 0.0253 (or whatever) seconds to crack his password, and show him the rule so he understands (e.g. "passw0rd" is a permutation of "password", the #2 most often used password).

It'll take 20 minutes for him to find a password that works, and he'll have to write it down to remember it. Problem solv... oh, wait...

Maybe, you know, the problem is in the method. Passwords suck.

Re:our fault

[brunes69]

A much bigger reason is that no one gives a crap if someone knows their password to Adobe.com

I am a security professional myself. You know what my password is for 1/2 the sites I have accounts on? 1234. Why? Because I don't care.

The solution is identity federation. The whole concept that Adobe.com or Mom & Pop Blog have passwords at all is ridiculous. If they allowed OpenID logins and stuck nice Google / Facebook / Twitter / Yahoo / OpenID buttons on there then no one would need all these crappy passwords, they would just use their already created and secure federated ID.

Re:our fault

[Tom]

It's that the average user is so dense that they cant understand the security professional and they're also so lazy that they wont learn or even take basic self preservation measures unless their forced to.

I think I want your bosses phone number, because I'd just love to get a consulting gig where I set you guys straight.

Lack of understanding for the actual user is the #1 security risk of our time.

I understand your sentiment. I've been there. 8 years ago I was on the expert panel of a security conference and one of the questions asked was which security risks we estimate will still be there 10 years down the road. We five experts quickly agreed and I was the one to tell it to the audience that "dumb users" was the primary answer. 3 years ago I went back to that conference as the keynote speaker and began my talk with "I was wrong".

Users aren't lazy, or stupid, or anything like that. Going into the discussion with that assumption is a basic logic flaw. As we all know from logic 101, if your assumption is wrong, your conclusion is worse then wrong, it's meaningless.

Your biggest problem are people and the fact they don't take security seriously.

Assumptions like this is what causes security to be so fucked up. It's a typical shifting-the-blame response.

I am advocating that every security problem is the result of some security professional fucking up. Every single one, including people choosing "123456" as their password. It might not be a technical fuck-up, but one of communication or design (that one is the elephant in the room most people overlook) or empathy.

Once you stop making other people responsible and check back to see if you could change anything to make this problem go away, you almost always find out that heck yes, you can.

Re:Password Evolution

I don't understand what it being 2014 has to do with anything. Do we expect humanity to get smarter about passwords every year?

They all vary

[speedlaw]

The reason passwords suck is: This one wants eight characters, with a symbol and letter This one wants eight characters, with NO symbols, and a letter This one wants upper and lower case letters This one wants upper and lower case with a symbol and number This one want upper and lower with no symbols. The formats change all the time, so it is no wonder that most people end up with a post it note stuck to the computer, or if stealthy, inside the draw.

Too many sites want a password

[mtthwbrnd]

Even to read some news site requires that you go through the stupid account creation process. I doubt that most are using these simple passwords for anything important, just for the stupid sites who are so full of their own self importance that the creators believe that at some stage in the future a huge corporation i going to offer them $100M for their database of users.

Look, I bought a box to hook up to my tv to watch youtube on my tv. It requires me to enter a google email address. Well, I did not want to use my usual email address. What if I give the box to somebody Do I have to spend an hour trying to delete my account details from the stupid thing? So I did what everybody else does. I spent half an hour creating YET ANOTHER F*CKING GOOGLE ACCOUNT with a fake name and simple password (123456 or something like that so just so that I could use the thing.

If you try to watch "Tayo The Little Bus" it asks you to sign in because apparently some idiot user has marked it as not "Age Appropriate" or some other nanny state BS like that.

That is why there are so many "easy" passwords. Because the idiots in charge have created a situation where we have to have so many passwords.

Re:Maybe people don't care

[QuesarVII]

He used iso date format - arguably the best and most universal way to represent a date. Get over yourself.