Yep, People Are Still Using '123456' and 'Password' As Passwords In 2014
Nerval's Lobster writes "Earlier this week, SplashData released its annual list of the 25 most common passwords used on the Internet — and no surprise, most are so blindingly obvious it's a shock that people still rely on them to protect their data: '12345,' 'password,' 'qwerty,' '11111,' and worse. There were some interesting quirks in the dataset, however. Following a massive security breach in late 2013, a large amount of Adobe users' passwords leaked onto the broader Web; many of those users based their password on either 'Adobe' or 'Photoshop,' which are terms (along with the ever-popular 'password') easily discoverable using today's hacker tools. 'Seeing passwords like "adobe123" and "photoshop" on this list offers a good reminder not to base your password on the name of the website or application you are accessing,' Morgan Slain, CEO of SplashData, wrote in a statement. Slashdotters have known for years that while it's always tempting to create a password that's easy to remember — especially if you maintain profiles on multiple online services — the consequences of an attacker breaking into your accounts are potentially devastating."
If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.
Repetition does not transform a lie into the truth. - FDR
Many of the accounts you are forced to create nowadays are for the benefit of whoever wants to track you, not for your own benefit. When I was forced to sign up for an Apple Developer or iTunes Store account to get software updates for my MacBook I hoped there would be a pool of shared profiles people had set up for anybody to re-use, but not finding them I assume Apple detects and de-activates them.
I knew it was a good idea to change my password to 'dvorak'.
Coder's Stone: The programming language quick ref for iPad
Quoth, "It's a shock that people still rely on them to protect their data".
Important fact that many of these studies miss: not everybody cares about their data, and not all data is the same. Anyone using a password like this to protect their bank account, or their email address (that they use to send forgotten password requests from their bank account) deserves to have their money stolen.
On the other hand, anyone who uses a password like this to protect the fact that they once logged into some random crappy site that they joined to post one comment, and which they have subsequently never used again and have forgotten about, deserves... absolutely nothing bad to happen to them as a result. Who cares if someone gets their password to some random crappy site? I certainly don't. It would be a much worse idea to use a more secure password to those throwaway sites, because then you'd be tempted to use the same password you used on more secure sites you actually cared about.
There are probably a lot of passwords to throwaway sites like that in any database of stolen passwords, specifically because people are more likely to use better passwords on the sorts of sites that are also (I certainly hope!) less likely to get all their passwords leaked.
Create a password: password
Everyone is using "password." We need to stop that.
Create a password containing both letters and numbers: password1
Everyone is using "password1." We need to stop that.
Create a password containing numbers and both capital and lowercase letters: Password1
Everyone is using "Password1." We need to stop that.
Create a password containing numbers, both capital and lowercase letters and a special symbol: Password1!
And so it goes.
Considering the internet is still used by the same set of people from 2013, and 2012, and 2011, etc, it shouldn't be surprising they're using the same kinds of crappy passwords.
Better known as 318230.
Let's call it what it is. It is not a list of the most common passwords used on the internet. It is a list of the most common passwords used at Adobe... maybe. They don't know what the Adobe passwords are right now. They cannot know all the passwords used on the internet, so they cannot know the most common ones used on the internet. It's a bullshit article written for morons.
Proverbs 21:19
Of course they do. Anyone surprised?
One of the reasons (one, it's a complex topic) is that we, the security professionals, are too dense to properly explain things in a language the user understands correctly.
For example, we tell them their password should be difficult to guess. But "guess" is the entirely wrong word to use, because it implies something that's not happening in the real world. When you say "guess" to a normal person, his mental image is that of some attacker thinking there, trying a few different things. What we experts mean is that some script will do 10,000 login attempts with a dictionary attack, or some hacker will check your pilfered password hash against a rainbow table.
Quite a few regular users are seriously convinced that "123456" is a "hard to guess" password, because it wouldn't be their first or second guess for someone else's password.
Here's what you need to do, IMNSHO:
We've had several of these breaches with leaked passwords over the years. Collect them, take the top 10,000 or so passwords and put them into a list. Add that list to John with a simple (because you want to be fast) ruleset for permutations. When the user picks a password, run that in the background. And instead of telling him to use a "difficult to guess" password, tell him that you run the same program that some evil people use, and if it can crack his password, he needs to use a different one.
Tell him that John needed 0.0253 (or whatever) seconds to crack his password, and show him the rule so he understands (e.g. "passw0rd" is a permutation of "password", the #2 most often used password).
It'll take 20 minutes for him to find a password that works, and he'll have to write it down to remember it. Problem solv... oh, wait...
Maybe, you know, the problem is in the method. Passwords suck.
Assorted stuff I do sometimes: Lemuria.org
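The signup-time check the comment above describes, as an added example that is not part of the original post and does not use John the Ripper itself: a frequency-ordered list of leaked passwords is walked in rank order, a cheap John-style ruleset (case changes, leet substitutions, reversal, appended digits and symbols) is applied to each entry, and the first rule that reproduces the user's choice is reported together with the base word's rank and the time taken. The password list and the rule names are constructed for the example; a real deployment would load the top ~10,000 entries aggregated from breach dumps.

```python
import time
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample of a frequency-ordered leaked-password list (rank 1 first).
# Stand-in for the top ~10,000 entries you would aggregate from real breach dumps.
TOP_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1", "000000",
]

# Character substitutions attackers try first ("passw0rd", "p4ssword", ...).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

# Things people bolt on to satisfy "must contain a digit / symbol" rules.
SUFFIXES: List[Tuple[str, str]] = [("", "")]
SUFFIXES += [(f"append '{d}'", str(d)) for d in range(100)]
SUFFIXES += [(f"append '{s}'", s) for s in ("!", "1!", "123", "!!", "2014")]


def base_transforms(word: str) -> Iterator[Tuple[str, str]]:
    """Yield (rule name, transformed word) for the cheap case/leet/reverse rules."""
    yield "as-is", word
    yield "capitalize", word.capitalize()
    yield "uppercase", word.upper()
    yield "reverse", word[::-1]
    for ch, sub in LEET.items():
        if ch in word:
            yield f"leet:{ch}->{sub}", word.replace(ch, sub)
    full = word
    for ch, sub in LEET.items():
        full = full.replace(ch, sub)
    if full != word:
        yield "leet:all", full


def candidates(word: str) -> Iterator[Tuple[str, str]]:
    """Every (rule, guess) the ruleset derives from one base word."""
    for tname, stem in base_transforms(word):
        for sname, suffix in SUFFIXES:
            rule = tname if not sname else f"{tname} + {sname}"
            yield rule, stem + suffix


@dataclass
class Crack:
    rank: int       # position of the base word in TOP_PASSWORDS (1 = most common)
    base: str       # the leaked password the guess was derived from
    rule: str       # which permutation produced the match
    seconds: float  # wall-clock time the search took


def crack(password: str) -> Optional[Crack]:
    """Walk the list in rank order; stop at the first rule that reproduces `password`."""
    start = time.perf_counter()
    for rank, word in enumerate(TOP_PASSWORDS, start=1):
        for rule, guess in candidates(word):
            if guess == password:
                return Crack(rank, word, rule, time.perf_counter() - start)
    return None


def explain(password: str) -> str:
    """The message to show at signup instead of 'pick something hard to guess'."""
    hit = crack(password)
    if hit is None:
        return f"Not cracked by the top-{len(TOP_PASSWORDS)} list with permutation rules."
    return (f"Cracked in {hit.seconds:.4f}s: '{password}' is rule [{hit.rule}] applied to "
            f"'{hit.base}', the #{hit.rank} most common leaked password.")


if __name__ == "__main__":
    for pw in ("123456", "passw0rd", "Password1!", "dvorak"):
        print(explain(pw))
```

Because the list is walked in rank order and the search stops at the first hit, the report always names the most common base word that explains the password ("passw0rd" is attributed to "password" at rank 2, not to "password1" further down). The ruleset is deliberately small so the check stays fast enough to run on every signup; a real attacker's ruleset is larger, so a password that survives this check is not thereby strong, only not trivially weak.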
*Anyone* can crack *any* password using brute force: https://xkcd.com/538/
A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.
Now Slashdot, my password for that is important, it's *************8**
Is that 12 or 13 stars before the 8? I keep trying to log in as Anonymous Coward with the password you provided and it's not working. Or does the 8 need to be capitalized?
My password was Edoba123 !
Ha! Capitalization, numbers, and a non dictionary word! STRONG PASSWORD!
I am so smrt!
my cat's name is &%GRang876$%#lkkjhaeyluihjsdkaClghiu.
If the hackers decide to use a dictionary attack, then an xkcd-style password is about as good as one 4 characters long. It needs to create randomness in the domain where the hackers might be looking for it. Of course, the old method of switching out letters for numbers or what have you doesn't really fare well either.
Is 1563649 a prime number?
I'm going to use '123456' from now on. If somebody is knocking on doors with that password, odds are they will access someone else's account before mine.
Trust me, the NSA uses statistics and not fuzzy logic. Trust me, in the general case, it's an entropy leak. As someone with apg-generated unique passwords for every place I visit (as short as 10 characters if I really don't give a shit) I might have one such password in my portfolio, but it would be a joke, a highly self-conscious joke. It's still an entropy leak. I'm sure the NSA has a special folder for people with my sense of humour.
Now to trash on the story summary.
And worse than "password"? Oh, please. In the most contrived example, you might find a way. But generally, "password" has a death grip on most worstest. Just couldn't resist tacking on the rubber-necker woot-woot, could you?
The reason passwords suck is:
This one wants eight characters, with a symbol and letter
This one wants eight characters, with NO symbols, and a letter
This one wants upper and lower case letters
This one wants upper and lower case with a symbol and number
This one wants upper and lower with no symbols.
The formats change all the time, so it is no wonder that most people end up with a post-it note stuck to the computer, or if stealthy, inside the drawer.
Pfff, is that it? My password for everything is "correct horse battery stable". Apparently, some smart guy has proven it's veeery secure!
What sort of site is storing their passwords in plaintext to allow this study to be done? Probably the crappy sites that people use throwaway passwords on. Value of study? zero.
If they use a non-salted hash, they could do a database query to get the top 25 hashes by count, and then run rainbow tables on those hashes. That might not work if any of the top 25 were strong passwords, but they're all simple alphanumerics, which a rainbow table should be able to chew through in short order.
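The group-by-count-then-crack approach described in the reply above, as an added example that is not part of the original comment. The leaked credential table is constructed, the hash-to-plaintext dictionary stands in for a rainbow table (full precomputation, no chain compression), and the salted variant at the end shows why the trick depends on the hashes being unsalted: with a per-user salt every stored value is distinct, so the frequency query reveals nothing and the wordlist has to be re-hashed once per user.

```python
import hashlib
import os
from collections import Counter
from typing import List, Optional, Tuple


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed "leaked" credential table. Most users chose the same few
# passwords, which is exactly what an unsalted hash column exposes.
CLEARTEXT = ["123456"] * 5 + ["password"] * 3 + ["qwerty"] * 2 + ["Tr0ub4dor&3", "hunter2"]
LEAKED_UNSALTED: List[Tuple[str, str]] = [
    (f"user{i}", md5_hex(pw)) for i, pw in enumerate(CLEARTEXT)
]

# Small constructed wordlist; the dict built from it below is the degenerate
# form of a rainbow table (every hash precomputed, nothing chained).
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2"]


def top_hashes(rows: List[Tuple[str, str]], n: int) -> List[Tuple[str, int]]:
    """Equivalent of: SELECT hash, COUNT(*) FROM users GROUP BY hash ORDER BY 2 DESC LIMIT n."""
    return Counter(stored for _, stored in rows).most_common(n)


def build_lookup(wordlist: List[str]) -> dict:
    """Hash the wordlist once; one hash per candidate regardless of how many users."""
    return {md5_hex(w): w for w in wordlist}


def crack_top(rows: List[Tuple[str, str]], n: int,
              wordlist: List[str]) -> List[Tuple[Optional[str], int, str]]:
    """(plaintext or None, number of users, hash) for the n most common unsalted hashes."""
    table = build_lookup(wordlist)
    return [(table.get(h), count, h) for h, count in top_hashes(rows, n)]


def max_group_size(rows: List[Tuple[str, str]]) -> int:
    """How many users share the single most common stored value."""
    return top_hashes(rows, 1)[0][1]


# Same cleartexts stored with a random per-user salt: "salt$sha256(salt || pw)".
def salted_hash(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


LEAKED_SALTED: List[Tuple[str, str]] = []
for i, pw in enumerate(CLEARTEXT):
    salt = os.urandom(16)
    LEAKED_SALTED.append((f"user{i}", salt.hex() + "$" + salted_hash(pw, salt)))


def crack_salted(rows: List[Tuple[str, str]], wordlist: List[str]) -> Tuple[int, int]:
    """With salts the wordlist must be hashed per user; returns (accounts cracked, hashes computed)."""
    cracked = hashes = 0
    for _, stored in rows:
        salt_hex, digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            hashes += 1
            if salted_hash(w, salt) == digest:
                cracked += 1
                break
    return cracked, hashes


if __name__ == "__main__":
    for plain, count, h in crack_top(LEAKED_UNSALTED, 3, WORDLIST):
        print(f"{count:3d} users  {h}  -> {plain}")
    print("largest salted group:", max_group_size(LEAKED_SALTED))
    print("salted: (cracked, hashes computed) =", crack_salted(LEAKED_SALTED, WORDLIST))
```

Against the unsalted table the attacker spends five hash computations (one per wordlist entry) and learns the passwords of ten of the twelve accounts in the top three groups. Against the salted table the group sizes collapse to one, the precomputed dictionary is useless, and the same wordlist costs a hash per user per candidate, which is the whole point of salting even before a slow hash is chosen.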
They cracked my password. Now I'll have to change my dog's name again.
Have gnu, will travel.
Even to read some news site requires that you go through the stupid account creation process. I doubt that most are using these simple passwords for anything important, just for the stupid sites who are so full of their own self-importance that the creators believe that at some stage in the future a huge corporation is going to offer them $100M for their database of users.
Look, I bought a box to hook up to my TV to watch YouTube on my TV. It requires me to enter a Google email address. Well, I did not want to use my usual email address. What if I give the box to somebody? Do I have to spend an hour trying to delete my account details from the stupid thing? So I did what everybody else does. I spent half an hour creating YET ANOTHER F*CKING GOOGLE ACCOUNT with a fake name and simple password (123456 or something like that) just so that I could use the thing.
If you try to watch "Tayo The Little Bus" it asks you to sign in because apparently some idiot user has marked it as not "Age Appropriate" or some other nanny state BS like that.
That is why there are so many "easy" passwords. Because the idiots in charge have created a situation where we have to have so many passwords.
Wrong. Four words, out of 20,000 or so words that a typical literate person would know, gives 20,000^4 combinations, or a total of 1.6e17 possible combinations. That's about 57 bits of randomness right there, harder to crack than a DES key, and that's only if you *know* for certain that they're using an XKCD 936-style password. Yeah, I know that's in range of a massive distributed cluster: a DES cracker can be built for US$10,000, that can recover a key in six days, but it's still a fair sight better than the rubbish we have today. If you really care, use more words. Nine words is all you need to get to 128 bits of entropy.
Give me six lines written by the hand of the most honest man, and I will find something in them to hang him.
You might be seeing stars, but I see hunter2.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Pfff, is that it? My password for everything is "correct horse battery stable". Apparently, some smart guy has proven it's veeery secure!
You've made a typo, that makes the password vastly less secure.