Slashdot Mirror


The Most Popular Passwords Are Still "123456" and "password"

BarbaraHudson writes: The Independent lists the most popular passwords for 2014, and once again, "123456" tops the list, followed by "password" and "12345" at #3 (lots of Spaceballs fans out there?). "qwerty" still makes the list, but there are some new entries in the top 25, including "superman", "batman", and "696969". The passwords used were mostly from North American and Western European leaks.

197 comments

  1. qwerty? by by (1706743) · · Score: 4, Funny

    My password is ',.pyf, you insensitive clod!

    1. Re:qwerty? by kurkosdr · · Score: 5, Funny

      My password is "incorrect". So if I ever forget it, the computer will helpfully remind me that "password is incorrect"

    2. Re:qwerty? by unixisc · · Score: 1

      Just hope that the system doesn't insist on you having a combination of letters, numbers, lowercase, uppercase and special characters

    3. Re:qwerty? by rasmusbr · · Score: 3, Informative

      Just hope that the system doesn't insist on you having a combination of letters, numbers, lowercase, uppercase and special characters

      Incorrect1!

    4. Re: qwerty? by Anonymous Coward · · Score: 0

      My password to my Capital One account is "Capital1". And my username is "Use Her Name". Clever, huh?

    5. Re:qwerty? by gatkinso · · Score: 1

      I used qwerty on /. for about 9 years before I finally changed it. Funny thing - it was also my hotmail password for even longer.

      --
      I am very small, utmostly microscopic.
    6. Re:qwerty? by sysrammer · · Score: 2

      Good one. Or should I say Gud1?

      I had a consultant that would frequently forget his password. I finally set it to "I forgot" and gave it to him. Three weeks later, sure enough, he drops by because he can't get in. I ask him "What's your password?" and he says "I forgot". So I just looked at him. Finally he got it. No issues since then.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    7. Re:qwerty? by Anonymous Coward · · Score: 0

      I had a user that came to get his password reset every week. On the 3rd time, I explained how to keep a note in his wallet. He never asked again.

    8. Re:qwerty? by Anonymous Coward · · Score: 0

      No issues since then.

      -Simon Travaglia

    9. Re:qwerty? by Neil Boekend · · Score: 1

      I always rather like "Secret" and "Above your paygrade" as multiple user passwords but "I forgot" would be a cool one too.
      Now I just have to go back to a place where multiple user passwords are a thing again.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  2. I thought by rossdee · · Score: 1

    I thought the most popular password was just {enter}

    1. Re:I thought by ganjadude · · Score: 4, Interesting

      after reading the article, I'm still confused as there isn't enough info to really make anything of this

      The data is compiled from leaked passwords in 2014, by password company SplashData.

      ok, so it was leaked passwords....but from where? for what reasons? on what devices? I would wager a lot of "stock" devices will have simple PWs. and to most people, if it works, it doesn't need to be addressed. Also if PWs are from web pages? what are the pages? because if they are not secure pages (work, banks, personal info) most people simply don't care. I mean to leave comments on damn near any page, you need to register. I know on some pages I've created accts to leave a post and never plan on going back, I'm sure I've used some weak passwords for those sites.

      in the end, without a breakdown of types of accounts / passwords, it's a little hard to claim anything based on this data that is worth anything.

      --
      have you seen my sig? there are many others like it but none that are the same
    2. Re:I thought by JackieBrown · · Score: 4, Interesting

      I bought a Netgear AC1450-100NAR Dual Band Slim Gigabit Smart WiFi Router.

      The instructions specifically state that it would be a bad idea to change the SSID and password. I did anyways, of course, but was surprised to read this advice.
      http://ww.amazon.com/gp/produc...

    3. Re:I thought by ganjadude · · Score: 1

      the fact that "admin" is on there as a PW, I would wager a lot of people don't change their router PW let alone SSID and SSID PW

      --
      have you seen my sig? there are many others like it but none that are the same
    4. Re:I thought by crunchygranola · · Score: 5, Insightful

      after reading the article, I'm still confused as there isn't enough info to really make anything of this

      Yep. There is much less to this than meets the eye.

      In addition, a list of most common passwords will always have defaults and obvious simple strings as the top candidates, this will never change. What would be more useful to know is whether the relative proportion of passwords fitting this description is declining (I doubt it, but we need to see the data).

      --
      Second class citizen of the New Gilded Age
    5. Re:I thought by JackieBrown · · Score: 1

      You are correct that this is the password to access the setting for the router through their webgui. The password to connect to the wifi, though, was similar to badorange456. (To be honest, it was actually harder than anything I ever manually set since I get frustrated typing long passwords into consoles using a gamepad.)

    6. Re:I thought by BarbaraHudson · · Score: 2

      I don't think too many devices have "696969" as a default password (customers would complain); the same applies to "superman" and "batman" except this time it would be the trademark holders who would be doing the complaining.

      And if they had revealed what web sites or devices used these passwords the most, everyone would be complaining about how they're making the net "less secure", same as when someone reveals a zero-day defect, instead of maybe just changing their password because "well, I use 'password' as my password, but I'm not on that site / own that device, so I'm pretty safe."

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    7. Re:I thought by ganjadude · · Score: 1

      yes, but I'm sure that someone out there has made, or is working on a way to crack those defaults too. Of the dozen or so routers I've set up in the past 3 years, almost all of them still follow a formula such as "color+number" or "fruit+number". We are not getting passwords like 1nV@l!Dp2s$w04d by default yet

      --
      have you seen my sig? there are many others like it but none that are the same
    8. Re:I thought by ganjadude · · Score: 1

      I see no reason for anyone to complain about those as defaults. a string of numbers (696969) is not bad in any way unless you really want to stretch the whole 69 thing. Batman and superman as a password I can't see how trademark owners could argue that a password is infringing on the trademark. As for the rest of your arguments I agree we shouldn't say "these are the most used passwords from slashdot" but I would like to know that they were talking about user submitted passwords over default PWs

      --
      have you seen my sig? there are many others like it but none that are the same
    9. Re:I thought by The-Ixian · · Score: 1

      Who would complain about a *default* password they didn't like? They already bought the widget and have the ability to change the password... Who bases their buying decision on the default password of the device?

      --
      My eyes reflect the stars and a smile lights up my face.
    10. Re:I thought by Archangel Michael · · Score: 1

      Let me know when Gaming Consoles can do WPS and I'll be happy to put a huge long ugly password in. I would love to be able to use the button on my router.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    11. Re:I thought by Anonymous Coward · · Score: 1

      I thought the most popular password was just {enter}

      That technically would not be a password.

      That would be called a fuck-up, done by the dumbshit in charge of configuring said authentication system that accepts nothing as valid input.

      Then again, we're talking about the general population who thinks "password" is the best choice for authenticating, so is it really a fuck-up when it's dumped into the middle of fuck-up island? I think not.

    12. Re:I thought by Anonymous Coward · · Score: 0

      after reading the article, I'm still confused as there isn't enough info to really make anything of this

      The data is compiled from leaked passwords in 2014, by password company SplashData.

      ok, so it was leaked passwords....but from where? for what reasons? on what devices? I would wager a lot of "stock" devices will have simple PWs. and to most people, if it works, it doesn't need to be addressed.

      Uh, I hate to point out the obvious here, but if ANY system is pre-configured with a weak password and the user is never prompted to change it, THAT IS A FUCKING PROBLEM THAT NEEDS TO BE ADDRESSED.

      And it's a problem for the vendors to address, for they are doing nothing but exacerbating this overall security problem.

    13. Re:I thought by um... Lucas · · Score: 1

      Maybe more websites need to enforce strong password rules on their users. I know that plenty of sites either read the password entered or check the hash and reject it if it doesn't meet certain criteria. Ideally, end users would come up with secure passwords on their own, but since they can't, administrators need to do some prodding.

    14. Re:I thought by Anonymous Coward · · Score: 0

      It's mine when using ssh-agent.

    15. Re:I thought by retroworks · · Score: 1

      NO! NO NO! My biggest risk is websites which I don't care about trying to force me to use a very secure password. I use a word like "password" for example to access the Boston Globe online because a) I don't have anything to secure there, b) I don't care if someone learns my password and reads the Boston Globe, and most important c) I don't want an employee in Boston to have access to one of my more secure passwords. Unfortunately, sites like this force me to use "strong password rules" and then when I go back to it, when I have to guess my password, I may enter in an actual secure password which I actually use on an important secure site.

      --
      Gently reply
    16. Re:I thought by bmo · · Score: 2

      ok, so it was leaked passwords....but from where?

      From everywhere. From pron.com, for example. Plaintext usernames, emails, and passwords. With .mil addresses and admin addresses to boot. They are there if you bother to look.

      From a csv file I have of the pronz.com list:

      Hi! We like porn (sometimes) so these are email/password
      combinations from pron.com which we plundered for the lulz

      Check out these government and military email
      addresses that signed up to the porn site...

      They are too busy fapping to defend their country:

      for what reasons?

      For money and for the lulz, as above.

      on what devices?

      Everything.

      Also if PWs are from web pages? what are the pages?

      Pron, government, banking, shopping, etc...

      because if they are not secure pages (work, banks, personal info) most people simply don't care.

      This is the problem, in a nutshell. People just don't care about even their banking passwords.

      I mean to leave comments on damn near any page, you need to register. I know on some pages I've created accts to leave a post and never plan on going back, I'm sure I've used some weak passwords for those sites.

      The thing is that people use the same "throw away passwords" everywhere. The same ones, across multiple sites including banking. Many of the above uname/password pairs worked in gmail and facebook.

      "But it's too much trouble to have different passwords everywhere"

      No it isn't. It's actually easier. Use a password manager. It's like a keyring, but not only do the keys fit only individual locks, the "keyring" (password manager) does the typing for you for password generation and logins. For example, through some of my own dumbassery (which I realized within 10 minutes of the dumbassery), I had to reset all my passwords one day. It took me only an hour with Lastpass including generating secure passwords. It would have taken me the better part of half a workday to reset them manually.

      Yahoo lost control of my login credentials twice. Apparently I have been to Sweden and Bulgaria. After that, I got a password manager and never looked back.

      You will have to take my password manager from my cold dead hands.

      "But what if the password manager goes tits-up?"

      You export your credentials to a .csv file and print it out and save in a safe place offsite.

      All my passwords look like this: GvY0H025195BfN2MleZWx5Sra

      Try finding that in a rainbow table.

      it's a little hard to claim anything based on this data that is worth anything.

      Only because you lack imagination.

      --
      BMO

    17. Re:I thought by bloodhawk · · Score: 1

      you would be amazed at what people will make formal complaints about. I shit you not we had people submit formal complaints to our organisation over some error messages where we used a few names from greek mythology as they considered it blasphemous that we were using religious icons that did not represent their beliefs. We also received complaints about error number 666 and various other items. There are so many retards in this world just looking for a reason to feel victimised or insulted, I am surprised some of them have time for anything else in their lives.

    18. Re:I thought by ganjadude · · Score: 1

      So pretty much rule 34 of the internet, but for complaints. If it exists, someone will complain about it or be offended by it

      --
      have you seen my sig? there are many others like it but none that are the same
    19. Re:I thought by Darinbob · · Score: 1

      For many sites, 123456 is a perfectly fine password, but possibly too long. Too many sites require registering to do the most basic of mundane things, and the visitors don't care if anyone steals their throwaway account.

      A better set of data would be to know what was the most common password on a banking site which should be considered high security by most users, versus twitter which should be medium security (possibility of causing embarrassment), versus a forum for some game you just want help on which is low priority unless you were stupid enough to use your real name, versus the site requiring a registration in order to get a free coupon.

    20. Re:I thought by Darinbob · · Score: 1

      This is the problem, in a nutshell. People just don't care about even their banking passwords.

      But what are the stats there? The article didn't claim that "123456" was the most popular banking password, only that it was the most popular password. I don't see stupid passwords as a problem if they're used in situations where it doesn't matter.

      Of course I can't be bothered to spend a couple days mining all that data from questionable web sites just to get some actual useful information out of it, but the original article could have done so instead of just having yet another funny article that doesn't really mean much as it's presented with no context.

    21. Re:I thought by bmo · · Score: 2

      I don't see stupid passwords as a problem if they're used in situations where it doesn't matter.

      That's because the people who pick 123456 as passwords never consider if it matters or not. Most people consider their mail account something that matters, yet trying out various uname/pw combinations with gmail that come from a porn site invariably works.

      I don't know what to tell you, man, people are stupid with passwords and it's a documented problem.

      >complain about article summarizing the problem in general
      >demanding hand-holding.
      >your computer is connected to the largest information retrieval system ever invented.
      >can't be bothered to do your own research or bother to even google

      PEBKAC. Yours.

      --
      BMO

    22. Re:I thought by Anonymous Coward · · Score: 0

      For 'insecure' passwords, I often use a password pattern. For example: my initials, a number, and the site name. So, yours for the Boston Globe might be RW55bldc: (RW= RetroWorks, 55 is a number of significance to you, but not too obvious, and bgdc would be Boston Globe Dot Com.) It meets most requirements (upper/lower case, numbers), and is easy to remember, but not too obvious unless you know the pattern (for instance, you could mix it up by putting the numbers at the end instead, etc)

    23. Re:I thought by RespekMyAthorati · · Score: 1

      You need LastPass or KeePass. Completely eliminates that problem.

    24. Re:I thought by Neil Boekend · · Score: 1

      The past 3 routers I used had a random number sequence 20 or so numbers long on a sticker on the back. That sequence was the initial key and after a physical reset that will be the key again.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  3. Very nice indeed by Anonymous Coward · · Score: 1

    People like this are rightfully called incompetent. Hopefully they're not multi-billion dollar companies.

    1. Re:Very nice indeed by pushing-robot · · Score: 4, Insightful

      In fairness, it depends on what the passwords were *for*. If it's a bank site... that's bad. If it's some random site that hides content behind a pointless registration wall, '12345' is perfectly fine.
      It comes down to 'if this were a door, would I lock it?'

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Very nice indeed by Anonymous Coward · · Score: 0

      In fairness, it depends on what the passwords were *for*. If it's a bank site... that's bad. If it's some random site that hides content behind a pointless registration wall, '12345' is perfectly fine.
      It comes down to 'if this were a door, would I lock it?'

      I do the same, I have a fairly simplistic password (although not *that* simplistic as "password" :-P) for stupid sites that don't have any payment information and I've only signed up for to get past a paywall or to be able to post a rare comment. If someone hacked me I wouldn't really care, worst they could do is leave some nasty comments or something.

      Anything I depend on, or that has any financial/personal information whatsoever, gets far tougher passwords that change way more frequently.

    3. Re:Very nice indeed by ShanghaiBill · · Score: 1

      If it's a bank site... that's bad.

      I don't know of any bank that would allow any of the passwords listed. Most (perhaps all) financial institutions will reject any password containing all digits, all letters, or any standard dictionary word (even if written in "L337 Speak").

      These passwords are most likely for throwaway accounts for untrustworthy services. Since they were leaked, it is clear that the people running the services deserved the lack of trust.

    4. Re:Very nice indeed by Anonymous Coward · · Score: 0

      Not necessarily. Do they know if these passwords were being used for real accounts or just throwaway ones? Whenever I create a throwaway account, I'll use something like 12345 because I'm only ever going to use it once.

    5. Re:Very nice indeed by BarbaraHudson · · Score: 1

      I don't know of any bank that would allow any of the passwords listed. Most (perhaps all) financial institutions will reject any password containing all digits, all letters, or any standard dictionary word (even if written in "L337 Speak").

      Then I guess you don't know enough banks. Some definitely do, as well as passwords less than 8 characters.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    6. Re:Very nice indeed by Anonymous Coward · · Score: 1

      These passwords are leaked passwords, i.e. the passwords are from sites that didn't properly protect the information of their users. Why waste a good password on a shitty site?

    7. Re:Very nice indeed by Cro Magnon · · Score: 1

      One of my banks didn't allow special characters. They changed and now do allow them, but that was pretty recent.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    8. Re:Very nice indeed by Cro Magnon · · Score: 1

      My "main" password isn't on their list, but it is a dictionary word, it's short, and it doesn't have numbers or specials. It's also only used on unimportant websites.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    9. Re:Very nice indeed by cusco · · Score: 2

      Panasonic, Sony, and a bunch of other very large manufacturers send out their **security** cameras with trivial username/password like admin/12345 (Panasonic) or admin/admin (Sony) and do not require the installer to change them. This is why we prefer cameras from Pelco and Axis, which at least require the installers to change the password from the factory default on first use (although they do allow idiots to change it back to the factory default if they're so inclined). A couple of the large manufacturers of very high-quality cameras (crappy software, but nice hardware) have only one user (root) and do not allow the password to be changed. It's a bit sad when a customer's security system becomes a security hole.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    10. Re:Very nice indeed by Harlequin80 · · Score: 1

      My bank is even worse. They REQUIRE a 6 character password, and the input method is clicking on the virtual keyboard on the screen. So no special characters no capitalisation.

      Then they force that password into the mobile app where you type it on a normal keyboard. I hate it. The only good security aspect they have is you can request (note not standard) an RSA token that you have to enter the code for whenever you want to make a transfer.

    11. Re:Very nice indeed by ShanghaiBill · · Score: 1

      My bank is even worse. They REQUIRE a 6 character password

      Which bank is that?

    12. Re:Very nice indeed by sublayer · · Score: 1

      I don't know if it is Harlequin80's bank, but Westpac (https://online.westpac.com.au/esis/Login/SrvPage) requires exactly 6 characters, with no lowercase.

    13. Re:Very nice indeed by Harlequin80 · · Score: 1

      Sublayer is right - Westpac....

    14. Re:Very nice indeed by Harlequin80 · · Score: 1

      Yeah westpac.

    15. Re:Very nice indeed by Darinbob · · Score: 2

      What I hate is when those stupid sites require a complicated password, claiming that "password" is not secure enough, and "pa$23sw0rd97" isn't good enough because it doesn't have any capital letters, etc.

      Then there are the places which I *want* to be secure that refuse to let me have a better password because the rules are too stupid. Such as no upper case letters allowed, no special characters except dash, or password is too long. I haven't seen this at a bank, but I have seen it in modern MMOs for example who should know better than to let a database designer too lazy to scrub the input be in charge of security rules.

    16. Re:Very nice indeed by Anonymous Coward · · Score: 1

      Congratulations. Your "free registration" identity is now being used by ISIS to pass messages back and forth through its chat utility.

      Enjoy the no-fly list.

    17. Re: Very nice indeed by Anonymous Coward · · Score: 0

      I suppose the question is this - why do you keep your money there, when their security team is obviously incompetent? Are you really that stupid?

    18. Re:Very nice indeed by nmr_andrew · · Score: 1

      My bank still doesn't allow special characters, and IIRC the whole password has to be 6-10 characters long. At least I can combine upper and lower case *eyeroll*

  4. if only they used... by Anonymous Coward · · Score: 1

    mooltipass!

    1. Re:if only they used... by Anonymous Coward · · Score: 0

      Yes, I know it's a multi-pass!!

    2. Re:if only they used... by camperdave · · Score: 1

      The problem with that is that there are few machines that come with a multi-pass reader slot built in, and I don't know of anyone who sells them as an add-on peripheral.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:if only they used... by tbuddy · · Score: 1

      Could put a link in since the time it takes to google is above the average attention span.

    4. Re:if only they used... by Anonymous Coward · · Score: 0

      That's the trouble with memes!

    5. Re:if only they used... by Darinbob · · Score: 1

      Yes, she knows it's a multipass, anyway we're in love.

    6. Re:if only they used... by Darinbob · · Score: 1

      In the future, memes will be the way to tell someone's age if you've only met them online.

  5. In other news by Anonymous Coward · · Score: 0

    People are still on the majority idiots.

    1. Re:In other news by fyngyrz · · Score: 1

      Computer security is not a naturally intuitive domain for most human beings, absent some properly directed training and experience.

      It doesn't make them idiots. But it does make them vulnerable.

      --
      I've fallen off your lawn, and I can't get up.
    2. Re:In other news by Anonymous Coward · · Score: 0

      People are still on the majority idiots.

      Why wouldn't they? Have you ever tried the minority idiots? They're much less convenient than the majority idiots. If you have to be on someone, why not go with what's convenient?

      </snark>

      Seriously, though, in a post calling out people as idiots, try to not use such horrible grammar.

      CYA: Let's just say any grammar/spelling mistakes in this post were done on purpose. That's the ticket.

  6. Joke's on you by Anonymous Coward · · Score: 1

    Thing is, 'password' is so common, no one will guess that I'm using it. I'm outfoxing the foxes!

    1. Re:Joke's on you by fyngyrz · · Score: 2

      Is that a fox I see hanging off your left ass cheek by his teeth?

      --
      I've fallen off your lawn, and I can't get up.
  7. Length does matter. by auric_dude · · Score: 1

    As illustrated by Stanford's password policy shuns one-size-fits-all security http://arstechnica.com/securit... via https://itservices.stanford.ed...

  8. If you're us, what number are we thinking of? by Anonymous Coward · · Score: 1

    69 Dude!

  9. Hashed passwords? by Anonymous Coward · · Score: 0

    The real question is why there were plaintext passwords to be leaked in the first place.

    1. Re:Hashed passwords? by Anonymous Coward · · Score: 1

      I'm more worried about bad password storage practices than I am people using bad passwords. Individually, poor passwords are bad because it leaves people vulnerable, but if a company isn't properly hashing their passwords and that list is stolen? It doesn't matter how strong my 12 character long alphanumeric password is, because it's right there for the hackers.

    2. Re:Hashed passwords? by BarbaraHudson · · Score: 1

      I can think of a few ways that people leak their own passwords. Emails to a co-worker when you're sick or away, chat or IM logs, picking an easy password so that if they forget it they can just try a few easy ones at random, being in a rush to change it because "here is your temporary password. You may only use it to change your password, after which you can use your new account" (a security practice that in practice causes the human elephant to fail).

      While storing passwords as a hash offers some defense, even that doesn't work for common passwords where the hash value is known - just look at the stored hash and use the corresponding password. And then there's rainbow tables ... get access to the server involved and you can quickly match a password for every account.

      And none of this includes the "password on a post-it under the keyboard." Go through any office and you'll find at least one (if the post-it isn't just stuck to the corner of the screen).

      I'm sure in 5 minutes you can think of more ways to leak passwords :-)

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
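
The point made in the comment above about known hash values for common passwords, as an added example that is not part of the original thread: it stores the same accounts once as bare SHA-256 digests and once with a per-user random salt and PBKDF2, then audits both stores. The account names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor, chosen for this example only

# Constructed sample accounts; three of them use passwords from the article's top list.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "password",
    "carol": "123456",
    "dave": "correct-horse-7Qx",
}

# Passwords the article names as the most popular.
COMMON_PASSWORDS = ("123456", "password", "12345", "qwerty")


def unsalted_hash(password: str) -> str:
    """Bare SHA-256: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, hex digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest.hex()


def verify(password: str, salt: bytes, expected_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, expected_hex)


def accounts_sharing_a_digest(stored: Dict[str, str]) -> int:
    """Number of accounts whose stored digest is identical to another account's."""
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)


def exposed_by_lookup(stored: Dict[str, str]) -> List[str]:
    """Accounts whose stored digest appears in a table precomputed without
    any knowledge of the database (what an unsalted scheme allows)."""
    table = {unsalted_hash(p) for p in COMMON_PASSWORDS}
    return sorted(user for user, digest in stored.items() if digest in table)


def audit() -> Dict[str, object]:
    """Store the sample accounts both ways and compare what each store reveals."""
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted_records = {u: salted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: digest for u, (_, digest) in salted_records.items()}
    alice_salt, alice_digest = salted_records["alice"]
    return {
        "unsalted_shared": accounts_sharing_a_digest(unsalted),
        "salted_shared": accounts_sharing_a_digest(salted),
        "unsalted_exposed": exposed_by_lookup(unsalted),
        "salted_exposed": exposed_by_lookup(salted),
        "login_ok": verify("123456", alice_salt, alice_digest),
        "login_bad": verify("1234567", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

A salt only removes the precomputed-table shortcut and the visible reuse between accounts; a password like "123456" still falls to direct guessing, which is why the slow key-derivation function is paired with rejecting known-common passwords at registration.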
  10. 'admin' by Anonymous Coward · · Score: 0

    Who doesn't love that one?

  11. Mine is by Anonymous Coward · · Score: 2, Funny

    hunter2. But I guess that all should appear as '*******' to you as it is encrypted.

    1. Re:Mine is by sumdumass · · Score: 1

      Oh it does appear as *******. It's just that you can see it so you know you put it in correctly. Type another and it will do it again. You see, you could put your bank password in and it will only show the real password on your computer. It's Microsoft's way of protecting you. Try it, you will see.

  12. 12345? by BarneyGuarder · · Score: 2

    That's the same combination I have on my luggage!

    At least 123456 has one more digit.

    1. Re:12345? by Bob the Super Hamste · · Score: 1

      Well that makes it 10x as secure or possibly ~70x as secure depending on allowable values

      --
      Time to offend someone
    2. Re:12345? by halivar · · Score: 1

      Well, *I* for one thought it was rather unsporting of the submitter to cut us off from potential (+5, Funny) Spaceballs references.

    3. Re:12345? by The Grim Reefer · · Score: 1

      12345 is perfectly fine as long as you capitalize some of the characters. ;-)

    4. Re:12345? by Anonymous Coward · · Score: 0

      12345 is perfectly fine as long as you capitalize some of the characters. ;-)

      !@#$%

    5. Re:12345? by Bob the Super Hamste · · Score: 1

      What did you say about my mother?!

      --
      Time to offend someone
    6. Re:12345? by Incadenza · · Score: 1

      I always use 666 as the lock on my luggage, just to be sure I won't get anything stolen by a christian fundamentalist.

    7. Re:12345? by BarbaraHudson · · Score: 1

      "darkHelmet": password hint "Vader"
      "usetheschwartz", hint:"Use The Force"
      "gone_plaid": hint: "Past Ludicrous Speed"
      "Perri-Aire", : hint "More refreshing than Perrier"
      "ImSurroundedByAsshoes" : hint: "management"
      "goodisdumb" hint "goodisdumb" (think for a second :-),

      See - plenty of password fun left for spaceballs fans.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    8. Re:12345? by marcello_dl · · Score: 1

      I'll flip it and open it with "999".
      Your move, atheists.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    9. Re:12345? by gatkinso · · Score: 1

      12345....7

      --
      I am very small, utmostly microscopic.
    10. Re:12345? by Darinbob · · Score: 1

      There was a safe in the Thief reboot game, and nearby was a note that read "I've tried every number combination from 0-0-0 all the way up to 6-7-2. I give up."

    11. Re:12345? by Kittenman · · Score: 1

      I'll flip it and open it with "999". Your move, atheists.

      80085 ?

      --
      "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
    12. Re:12345? by marcello_dl · · Score: 1

      Don't forget traditions.
      http://en.wikipedia.org/wiki/L...

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  13. Superman? Batman? by R3d+M3rcury · · Score: 3, Funny

    But no Marvel characters?

  14. And? by NitsujTPU · · Score: 4, Interesting

    1) Clearly bad passwords will be the most popular. Some people will blow off security and will pick a bad password.
    2) There are no data in the article regarding how frequently these passwords are used.
    3) There is no representation of what these passwords are protecting. Maybe these are passwords to something harmless like accounts in some children's game. In which case, who cares?

    1. Re:And? by gurps_npc · · Score: 1

      I bet you my slashdot password vs your slashdot password that the passwords are protecting crap.

      --
      excitingthingstodo.blogspot.com
    2. Re:And? by schlachter · · Score: 1

      1) Clearly bad passwords will be the most popular. Some people will blow off security and will pick a bad password.

      Inversely, the most popular passwords will always be bad.

      --
      My God can beat up your God. Just kidding...don't take offense. I know there's no God.
    3. Re:And? by Mr+D+from+63 · · Score: 1

      The most popular passwords are by nature the worst. Be it "123456" or "yy447dkwumm", if it is popular, it is not a good PW.

      What would interest me in addition to what are they protecting would be what percentage of accounts using those PWs is ever hacked vs. more secure PWs.

    4. Re:And? by Drethon · · Score: 1

      Yeah, my passwords to sites I'm not overly concerned about are a common single word or if I want to feel mildly more secure I toss a number in the middle of it. Just a throw away really.

    5. Re:And? by NitsujTPU · · Score: 1

      Exactly!

    6. Re:And? by Anonymous Coward · · Score: 0

      because passwords to children's game are very popular among the leaks community. Lemme get in on that shit bro!

    7. Re:And? by NitsujTPU · · Score: 1

      I see what you did there!

    8. Re:And? by Deadstick · · Score: 1

      More precisely, it's a list of the most common bad passwords. If nobody cracks your password, it doesn't get on the list.

  15. New and improved.... by colordotmatrix · · Score: 0

    hackme didn't make the list?

  16. God wouldn't be up this late by Anonymous Coward · · Score: 0

    "Love", "secret", "sex", but not in that order, necessarily, right? Yeah, but don't forget "god".

    1. Re:God wouldn't be up this late by Anonymous Coward · · Score: 0

      god and sex are to short now days.

    2. Re:God wouldn't be up this late by agm · · Score: 1

      Often the word "to" is too short.

  17. Most popular hostname with those passwords by Anonymous Coward · · Score: 0

    gbclrabu.

    If only that were true. Sigh.

  18. Pfft by Anonymous Coward · · Score: 0

    Ha!.. no one will ever guess that I use password123456

  19. I use password by Drethon · · Score: 1

    On my own computers behind a firewall. I consider use of the password password about the same as having none.

  20. Why would they change their ways by Ravaldy · · Score: 2

    Because the media lost much of its credibility a long time ago and because they keep fear mongering, people pay less attention to the news. What ends up happening is people don't react until they become a victim or someone close becomes a victim. Everybody thinks it happens to other people.

    1. Re:Why would they change their ways by Bob+the+Super+Hamste · · Score: 1

      Well most of the people whose passwords are guessed and accounts cracked are dumb. About a month ago I went to try and log into my bank account to pay some bills and found the account had been locked. The password is 24 random characters as are the answers to the 5 security questions so it is highly unlikely that it would be broken. When I called to get the account unlocked they also asked one of the security questions. So long as the bank can manage to not leak the info I should be good. Granted that is a big if but it is a credit union so their customers are their shareholders so it is at least receptive to concerns mentioned by customers.

      --
      Time to offend someone
    2. Re:Why would they change their ways by Ravaldy · · Score: 1

      I understand what you are saying. Even if the information was leaked it's encrypted so it would not be available to the hacker.

      The point I was trying to make is that it's not a problem until it's a problem. I know so many people who give me their password at work and I tell them I do not want to know it. They don't understand that they can't trust anybody with their password. It's partially a generation issue but even the new generation is ignoring the consequences.

    3. Re:Why would they change their ways by Bob+the+Super+Hamste · · Score: 1

      I understood your point and yes most people aren't proactive about their security as evidenced by their willingness to hand out their poorly chosen passwords like candy. Then they wonder why someone hacked their accounts, the whole photo hacking of apple's cloud storage thing should have taught people to choose better passwords. Companies do also share some of the blame for things poor security if they are getting hacked and having passwords and other account information stolen but it does seem to rarely wake people up.

      --
      Time to offend someone
  21. What happened to "sex", "money" and "god"? by Anonymous Coward · · Score: 0

    Anyone who works in retail can tell you, people be DUMB. The internet doesn't make people dumber, it just makes it easy for them to demonstrate it. The old way of demonstrating it, posting ignorant rants on Youtube or Usenet, was inefficient.

    Hackers are simply streamlining the process to the point you don't have to do anything actively: If someone can log into your account with a 4KB file named 500_most_common_passwords.txt, you were officially suffering an outbreak of stupid when you set the password and everyone will shortly know it.

    1. Re:What happened to "sex", "money" and "god"? by Anonymous Coward · · Score: 0

      log into your account with a 4KB file named 500_most_common_passwords.txt

      I tried that once, but the file was password protected.

    2. Re:What happened to "sex", "money" and "god"? by Anonymous Coward · · Score: 0

      500_most_common_passwords.txt

      Technically, it's called rockyou.txt and it's a little over 130MB unzipped.
      Just avoiding the top 500 isn't going to cut it.

    3. Re:What happened to "sex", "money" and "god"? by Svartalf · · Score: 1

      Headupassians don't typically care about those things...

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  22. Re:Superman? Batman? by the_skywise · · Score: 3, Insightful

    Marvel readers are obviously more intelligent. ;p
    (or the built-in punctuation of the names just lends itself to passwords... spider-man, ant-man, S.H.I.E.L.D
    Actually that last one isn't a bad idea... :) )

  23. trustno1 by __aaltlg1547 · · Score: 1

    I got a kick out of this one.

    (changing password now)

    1. Re:trustno1 by camperdave · · Score: 3, Funny

      Was that "Trust no one" or "Trust number one"?

      --
      When our name is on the back of your car, we're behind you all the way!
  24. Low Value Sites Compromised? by Luthair · · Score: 2

    The article mentions this is based on sites compromised, I wonder if this list isn't to some extent self-selecting towards bad passwords. Lower value sites are more likely to be compromised than high value sites like Amazon or Google, and on low value sites people are much more likely to use garbage. Personally I use a pw database but still use junk passwords on sites when it's irrelevant if the account were to be compromised.

    1. Re:Low Value Sites Compromised? by BarbaraHudson · · Score: 1

      The article mentions this is based on sites compromised, I wonder if this list isn't to some extent self-selecting towards bad passwords. Lower value sites are more likely to be compromised than high value sites like Amazon or Google, and on low value sites people are much more likely to use garbage. Personally I use a pw database but still use junk passwords on sites when it's irrelevant if the account were to be compromised.

      Do you really want to be low-hanging fruit anywhere on the net for an account whose creation can be traced back to you? Seems to me that having the DHS or FBI seizing your computers because some jerk used your account to post death threats in the name of Islamic Jihad for the lulz is not worth the ease of using a simple, throw-away password,

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  25. I actually use 12345 by Opportunist · · Score: 4, Interesting

    Really. Yes, really.

    There are certain accounts that just don't matter. Until the "5-minutes-valid" mail provider existed, I did the same with gmx mail addresses. Create, use, never bother to use it again. Since with more and more services there is no sensible way to "disable" or "close" accounts, well, one more corpse floating in their sea of dead accounts.

    For example, I sometimes want to read something on Facebook and they insist that it's only visible to people who hand them their information. And, well, creating a throwaway account for Ivana Beritsh is faster than finding one that already has 12345 as its password...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:I actually use 12345 by Poeli · · Score: 1

      Try http://bugmenot.com/

      It really helps a lot on those annoying sites.

    2. Re:I actually use 12345 by Anonymous Coward · · Score: 0

      No it doesn't. They have banned anything worthwhile. Years ago it was good, now it's practically useless.

    3. Re:I actually use 12345 by Anonymous Coward · · Score: 0

      Are you sure those accounts don't matter?

      Maybe they don't matter *to you*, but they might matter to a malicious agent. For example, are any of these throwaway accounts associated with a publicly-viewable forum? Is there a non-zero chance that the site associated with that account will add a forum someday? If your account is compromised, then a malicious agent could post garbage to a forum to assist in a phishing campaign, or a campaign designed to falsely inflate SEO for a malicious business. This isn't just a fanciful theoretical scenario -- this kind of stuff actually happens, and weakly-protected accounts are a contributing factor to this problem.

      That's just one example of a malicious use of a throwaway account. Sure, it may not impact YOUR financial data or YOUR integrity, but the existence of an easily-crackable account on some system could have a negative impact on an innocent third-party.

      And, yes, website operators have a responsibility in making sure that maliciously used compromised accounts don't do damage. But, the fact is that this kind of thing still happens, and YOU, as a consumer of these accounts, can do a small part in helping reduce the problem. Is it really that hard to have a harder-to-guess, but still "garbage" password for your low-value accounts?

      tl;dr: Don't litter. Put your low-value account in its place.

    4. Re:I actually use 12345 by Anonymous Coward · · Score: 0

      Bugmenot went to shit awhile ago when they decided to create a blocklist and added Farcebook to it. what we really need is a fork of said site but this time no retarded blacklists.

    5. Re:I actually use 12345 by Opportunist · · Score: 2

      Allow me to delete my account and you won't have that problem. I only use such accounts when I know I will not have use for them for longer than a brief period, usually hours, at the most. After that, I'd gladly clean up after myself. Sadly, few sites allow it.

      Allow me to actively delete my account and you won't have that problem.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:I actually use 12345 by Anonymous Coward · · Score: 0

      Too bad Slashdot has been barred from that site...

  26. Life is Like a Box of Chocolates by Anonymous Coward · · Score: 1

    What is Forrest Gump's password?

    1forrest1

  27. Bull Shit! by Anon-Admin · · Score: 2

    P@ssw0rd! did not make the list and half the places I have worked have used that as the password because it meets the Windows complexity rules.

  28. Biased to cracked sites by RevWaldo · · Score: 3, Insightful

    Since a site with proper hashing, where in theory the actual passwords are unknowable, wouldn't be on the list. And presumably sites with proper security on the back end would have stronger password complexity requirements in the first place, and vice versa. The blame falls more on the bar than the drunkards it serves.

    .

    1. Re:Biased to cracked sites by rgmoore · · Score: 1

      Since a site with proper hashing, where in theory the actual passwords are unknowable, wouldn't be on the list.

      This is simply not true. It may be impossible to reverse the hash and recover the password directly, but it is both possible and practical to carry out a dictionary attack on a file of hashed passwords. That's exactly why you're supposed to avoid easily guessed passwords and why those crappy passwords are crappy: they're susceptible to dictionary attacks.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    2. Re:Biased to cracked sites by Anonymous Coward · · Score: 0

      Fuck password complexity requirement. If I don't care too much about your site, I really don't care if my password is my username or something easier to remember. Only things I really want safe like for example my mail should actually have a strong password, and even then it should be up to me to decide what a strong enough password is. Password requirements will more often than not lead me to picking a worse password because now I can't use my good long password because it doesn't have a capital letter in it and fuck you.

      But of course way worse than all that is sites forbidding certain characters. Why would you forbid an @ or a # or a / in the password. These characters shouldn't be a problem.

    3. Re:Biased to cracked sites by Anonymous Coward · · Score: 0

      You could get some of the passwords that way, but not all of them. Then how could you say which were the most common?

    4. Re:Biased to cracked sites by Anonymous Coward · · Score: 0

      Because unless there's per-user salting, if two passwords are the same, their hashes are the same. Therefore, you can find the most common hashes.
      You'll often find that the most common hashes are already in the dictionaries, so that gives you the most common passwords. And for the remaining 40% that weren't in the dictionary, well, those aren't the most common anyways.

    5. Re:Biased to cracked sites by complete+loony · · Score: 1

      I'd say it's the other way around. If these sites were hashing and salting passwords, these simple passwords were low hanging fruit that were easy to crack.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
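
The point made in the replies above about per-user salting, as an added example that is not part of the original thread: a defender-side audit that counts repeated values in a stored credential table. The user list is constructed sample data, and the function names and the choice of SHA-256 and PBKDF2 are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from any real leak): several users share a password.
SAMPLE_USERS = [
    ("alice", "123456"), ("bob", "password"), ("carol", "123456"),
    ("dave", "Tr0ub4dor&3"), ("erin", "123456"), ("frank", "password"),
    ("grace", "correct horse battery staple"),
]

PBKDF2_ITERATIONS = 100_000  # assumption for the example; tune for your hardware


def unsalted_hash(password):
    """Fast unsalted hash: the storage scheme the replies warn about."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, derived


def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, derived = salted_hash(password, salt)
    return hmac.compare_digest(derived, expected)


def duplicate_groups(stored_values):
    """Sizes of groups of identical stored values, largest first.

    Anything listed here is visible to whoever holds the table,
    without a single password having been guessed.
    """
    counts = Counter(stored_values)
    return sorted((n for n in counts.values() if n > 1), reverse=True)


def audit(users):
    """Store the same accounts both ways and report repeated values."""
    unsalted = [unsalted_hash(pw) for _, pw in users]
    salted = [salted_hash(pw)[1] for _, pw in users]
    return {
        "unsalted_duplicate_groups": duplicate_groups(unsalted),
        "salted_duplicate_groups": duplicate_groups(salted),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_USERS)
    # Unsalted: one group of 3 and one of 2 identical hashes stand out.
    print("unsalted:", report["unsalted_duplicate_groups"])
    # Salted: every stored value is distinct even for identical passwords.
    print("salted:  ", report["salted_duplicate_groups"])
```

Salting removes the visible duplicates and the usefulness of one shared precomputed table; as the replies above note, a weak password can still be guessed one account at a time.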
  29. From "The Website is Down" by Anonymous Coward · · Score: 0

    Admin - What is your password?
    Chip - Er, is the letter a
    Admin - just the letter a?
    Chip - like Apple
    https://www.youtube.com/watch?...

  30. Not all passwords are created equal by Anonymous Coward · · Score: 0

    Like most people in this forum, I have dozens of different passwords to access dozens of different sites. Some of those passwords I choose and protect carefully - those would be the ones that grant me access to my bank account, credit card accounts, etc. Most of the others, I couldn't care less about - I have a Facebook account exclusively so that I can easily post comments on many forums. The account itself, which I created with bogus data, can be hacked to death, for all I care.

  31. I love these threads by Anonymous Coward · · Score: 1

    I love the threads where we all jerk each other off about how smart we are. Next time we should skip the thread, meet up somewhere and jerk each other off for real!

    1. Re:I love these threads by sumdumass · · Score: 1

      Well, my favorite BS password is "6uldvnc!"

      Had that at work once for a few excel files when they imposed some stupid rules that eventually got ignored. But someone who had to access the file sounded it out and HR made me change it.

  32. Shadow? by Millennium · · Score: 1

    18 shadow (Unchanged)

    Please, please don't tell me that this word's popularity is an ill-conceived response to /etc/shadow. I may have to weep for humanity.

    1. Re:Shadow? by sound+vision · · Score: 1

      People using "shadow" for a password have never heard of /etc/shadow.

    2. Re:Shadow? by Millennium · · Score: 1

      Maybe not with that exact filename, but I can't help but wonder if some people hear that "shadow passwords are more secure" and think this means that changing your password to "shadow" helps.

      I mean, why that particular word? Is there another explanation for how it could be that popular? Other than hedgehogs with guns, I mean?

  33. Thanks by Anonymous Coward · · Score: 0

    Thanks for sharing my password with the world. As if I needed that.

  34. 12345? by SeaFox · · Score: 1

    Why isn't everything requiring at least 8 characters now?
    (Also at least 1 letter as well).

  35. LOL ... by gstoddart · · Score: 1

    Geez, Babs, look at you all submitting and stuff.

    That's several stories in the last few days.

    Just don't go all Bassett Houndleton on us and start posting long, tedious opinion pieces.

    --
    Lost at C:>. Found at C.
    1. Re:LOL ... by BarbaraHudson · · Score: 1

      Geez, Babs, look at you all submitting and stuff.

      That's several stories in the last few days.

      Just don't go all Bassett Houndleton on us and start posting long, tedious opinion pieces.

      The latest weather
      report from hell
      forecasts "it be hot"
      the next millennium as well
      If stupid stories
      you wish to peruse
      there's my journal
      for all to abuse.

      Burma Shave

      Short enough? :-)

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  36. Why don't movie and TV people try these? by Anonymous Coward · · Score: 0

    I still find it hilarious that people in movies and TV still guess peoples' passwords based on things they know about the person. You'd think they'd start with 123456 and password.

    1. Re:Why don't movie and TV people try these? by PPH · · Score: 1

      I did like the episode of Dexter where he had to guess his foul-mouthed sister's password. "password". Nope. "fuckingpassword". I'm in.

      --
      Have gnu, will travel.
  37. It doesn't matter how secure the password is.. by Dynamoo · · Score: 1

    It doesn't matter how secure the password is, if a site or service gets compromised then it is highly likely that the password will get revealed. What makes a difference in those cases is how well encrypted or hidden the password is, and how determined the attacker is. Attackers can use precomputed tables made up of all sorts of phrases, letters, numbers etc which will get a handle on even very secure passwords.

    It's far more important to have a different password on each site.. or at least a different password on each site you care about. For some sites it really doesn't matter if it gets hacked or not. The Gawker breach a few years back for example.. who would really give a stuff about having their Gawker password compromised.

    So, it doesn't really matter on a lot of these sites if your password is 123456 because everything of value is protected by something better. Isn't it?

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:It doesn't matter how secure the password is.. by jmkaza · · Score: 1

      Great point. I always laugh when this list comes out each year, 'cause the guy who used jelHk7$%jh78df+EK9 was just as compromised as the guy who used abc123.

  38. Oldy-But-Goody by Tablizer · · Score: 3, Insightful

    Evolution of Passwords:

    1978:

      password

    1983: Rule: Don't use 'password', too common.

      passgas

    1990: Rule: Must contain at least one digit

      passgas7

    1995: Rule: Must contain mixed case

      Passgas7

    1999: Rule: Must contain at least one punctuation character

      Passgas7&

    2004: Rule: Must change every 2 months

      Passgas7& ... Passgas8* ... Passgas9( ... Passgas1! ...

    2009: Rule: Don't use same punctuation as digit key

      Passgas7$ ... Passgas8$ ... Passgas9$ ...

    2012: Rule: Don't use incremental digit patterns

      Passgas71$ ... Passgas17$ ... Passgas$71 ... Passgas$17 ...

    2015: Rule: Must be at least 20 characters long

      Passgas711111111111$ ... Passgas177777777777$ ...

    2017: Rule: Can't use any patterns guessable by AI

      Oh f$ck it, just hack me already, dammit @666

  39. Most probably forums password by aepervius · · Score: 1

    Most important password institutions, including banks, have strong password policies which would reject "123456" and "password" (heck, banks even have a second factor where you use the bank card decoder device, but I have no idea how secure it is). Those passwords are most probably email or forum passwords. And as secure as I want to be, I do the same. Email not linked to a bank account and used for spam registration or whatnot => weak password like "jodie123", like my Slashdot password. Bank account and email linked to it get something more like "bY7&!-;+#ASumn)(". Yeah, sure, you might find my jodie123 password leaked. So what?

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  40. I am calling shenanigans by bloodhawk · · Score: 1

    This sounds bogus to me, everything from Windows to most forums, ISPs and telcos that I am aware of won't let you use such simple passwords. The only place I know that I could use 123456 or password for me is on one of my work smart cards (I have 3 but only one is so weak on security).

  41. I'm safe. by msauve · · Score: 1

    IT make us change them, so mine is now 123457, which isn't on the list!

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  42. Re:Superman? Batman? by Anonymous Coward · · Score: 0

    'batman' is ideal for a stupid person's password. It has 6 letters, which is often a minimum requirement. It sounds cool. And it reeks of secretivity almost as much as 'password' does.

  43. Re:Superman? Batman? by the_skywise · · Score: 2

    Feh - I use brucewayne... So nobody will think to know it's batman!

  44. Linked Stories Comments by Anonymous Coward · · Score: 0

    I like how the linked story on password protection can't seem to secure their comment board enough to prevent bots from spamming "$100/hr from home ads" and "look at my blog" posts.

  45. In my 500,000 corpus ... by raymorris · · Score: 1

    > 2) There are no data in the article regarding how frequently these passwords are used.

    There are 448,232 passwords in my corpus right now. The top ones today are:

    | password | frequency |
    | bobb17 | 5 |
    | iceman69 | 5 |
    | demon133 | 5 |
    | robert8 | 5 |
    | saintt9 | 5 |
    | alpha123 | 5 |
    | jordan | 3 |
    | pass | 3 |
    | 1234 | 3 |

  46. Here's what I do by future+assassin · · Score: 2

    When I sign up for a website I have a pattern where I take certain letters from the web site's name and add a certain amount of numbers to that. It's easy to remember for me and slim chance of someone finding my combo and it's a different password for every site I sign up for.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:Here's what I do by Anonymous Coward · · Score: 0

      I do something similar for less important sites. The pattern would be trivially obvious for any human looking at the passwords for two sites but an automated system that grabs the password and uses it elsewhere would be harder to program.

    2. Re:Here's what I do by Anonymous Coward · · Score: 0

      Modify the site-specific letters using a simple algorithm known only to you. Shift them on the keyboard and/or in the alphabet by some amount, for example. For frequently accessed sites, it becomes second nature; for others it takes just a few seconds to do the algorithm in your head. Odds of someone caring enough to figure it out go down astronomically.

  47. 696969 by OldSport · · Score: 1

    Clearly a lot of teenage boys' passwords were leaked as well.

  48. Spaceballs by Anonymous Coward · · Score: 0

    The same combination as my luggage.

  49. Different for secure sites, yes. Also LONG. Passph by raymorris · · Score: 1

    > or at least a different password on each site you care about. For some sites it really doesn't matter if it gets hacked or not. The Gawker breach a few years back for example.. who would really give a stuff about having their Gawker password compromised.

    Yeah, it's a very good idea to have your bank password be different from your reddit password. Also, most places let you reset your password by using your email address, so the email password is something of a "master key", it should be good.

    A good password isn't a pass word, it's a pass phrase. Length matters above all else.

    > Attackers can use precomputed tables made up of all sorts of phrases, letters, numbers etc
    > which will get a handle on even very secure passwords.

    An eight-character password will be found using a rainbow table, if the service didn't salt their passwords. A twelve-character password won't be cracked. (Assuming the site didn't use DES, thereby truncating it to eight characters).

    A rainbow table for 8-character passwords is about a terabyte.
    9 character, about 64 TB.
    10 character, about 4096 TB.
    11 character about 262,144 TB
    12 character, about 16,777,216 TB

    So for the 12-character table, the bad guy will need MILLIONS of hard drives to store the rainbow table.

  50. Re:Superman? Batman? by Anonymous Coward · · Score: 0

    With all the "batman" flying around, why didn't anyone check for the obvious???

    Bat-Password

  51. Obligatory XKCD by CronoCloud · · Score: 2

    I see "correcthorsebatterystaple" isn't in there, I'm surprised.

    http://xkcd.com/936/

  52. You'll never guess mine by WillAffleckUW · · Score: 1

    654321

    Now that's secure!

    --
    -- Tigger warning: This post may contain tiggers! --
  53. Re:Superman? Batman? by BarbaraHudson · · Score: 1

    But no Marvel characters?

    I've looked everywhere on my keyboard and I can't find anything about using any Marvel character set. Is this some sort of unicode thingee?

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  54. Selection Bias? by RockyMountain · · Score: 1

    The article is a little light and fluffy. Doesn't say how these passwords were leaked.

    Seems likely, though, that the very fact that they were leaked at all might be a form of selection bias. For example if the leakage vector involved some sort of cracking, it is hardly surprising at all that simple passwords dominate the list.

  55. /. -- please stop publishing my passwords. by Anonymous Coward · · Score: 0

    Every time /. publishes some article about passwords, they seem to list mine. I wish /. would value security of their users more and stop doing this.

  56. When simple/no passwords are appropriate by unixisc · · Score: 1

    On my home laptop, which has no users other than myself, I have a few login accounts for different purposes. One of them is for things like my banking, paying bills, purchases, et al, and that account has a proper password. For all the others, I either have the password as {ENTER}, or I just use the login name as password (if it's an administrator's account that requires a password). Nobody but me will ever get into this computer, so why make it needlessly complicated?

  57. the nsfw password list by Anonymous Coward · · Score: 0

    Given cats and porn run the internet, the porn site perspective is a valid one.

    I will not repeat the list here, but needless to say, my "pass phrase" is a string of vile profanity, from the darkest subconscious of my perverse mind.

    As it happens, it would appear to be a fairly common password according to an equivalent article published by a porn industry article a couple years back.

  58. Passwords for Unimportant Sites by Anonymous Coward · · Score: 0

    Some of them are idiots, others of them don't think password security is important for all of their accounts. "password" is perfectly adequate for a typical online newspaper comments section password (because worst case is somebody starts writing crank letters to the editor from the fake name you used, with the email that points to a disposable Yahoo email address.) On the other hand, while my Slashdot account isn't particularly valuable, I do have a stronger password on that, especially useful for discussions like this.

    1. Re:Passwords for Unimportant Sites by kian · · Score: 1

      IMHO, unimportant Sites should not ask visitors to create a password at all !

      Why don't they just ask an OpenId or a {facebook|google|msn|yahoo|whatever} account and use its authentication protocol ?

      Why do I have to create a password to post a comment on /. ?

  59. That's Stallman's Sysadmin Password by billstewart · · Score: 2

    Ok, not any more, but for many years the root/admin/whatever password on Stallman's MIT machines was just carriage return. The point was extreme openness, so that anybody could log on, see anything, fix anything, copy any code.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:That's Stallman's Sysadmin Password by Anonymous Coward · · Score: 0

      What, no line feed?

    2. Re:That's Stallman's Sysadmin Password by Darinbob · · Score: 1

      Why complicate it?

    3. Re: That's Stallman's Sysadmin Password by Anonymous Coward · · Score: 0

      So it's confirmed. Stallman *is* an idiot.

  60. MAC Address as default device password by billstewart · · Score: 1

    I've had a number of devices over the years where the default password was the MAC address of the admin port or first wired Ethernet port or equivalent, and was also printed on a label on the device. It's not perfect, but it's at least unique, and is strong enough that in most cases, people won't try to crack it, or anybody who might try cracking it has physical access to the box (in which case you're toast anyway.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  61. Passw0rd! by Anonymous Coward · · Score: 0

    Even most sites like that will let you use a trivial password as long as you meet rules for length and character set. (In the rare cases that my browser doesn't remember them for me, I occasionally have to try Passw0rd! or passw0rd instead of password if the first guess doesn't work.)

  62. Android-keypad-friendly passwords, sigh by billstewart · · Score: 1

    My medium-security passwords were usually L33tSp34k versions of one or two dictionary words, plus whatever capitalization and punctuation were required. But now that I'm occasionally accessing the web through tablets and accessing work systems over cellphone, I've had to switch to Android-friendly passwords, so the letters get grouped together, followed by the numbers, and usually any punctuation is the limited set that appear on the same keypads as the letters or the numbers. So it's Abc,1234 instead of Passw0rd! for trivial passwords now...

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Android-keypad-friendly passwords, sigh by TWX · · Score: 1

      I wonder how secure l33t sp34k is now; if it's automatically being tried simply because it's so ubiquitous.

      --
      Do not look into laser with remaining eye.
    2. Re:Android-keypad-friendly passwords, sigh by Anonymous Coward · · Score: 0

      I use the old-skool CompuServe type passwords with android:
          Piece 1 is related to the site (eg ebay)
          Piece 2 is a constant bit of gibberish that usually maxes the requirements out (eg, Passw0rd!)

      Teach swype both pieces, but not together. Now it's 2 swypes, but if somebody hacks into my dictionary (or finds my phone before I wipe it), it's still secure(ish) (there's 10 different gibberishes, so I suppose you could try all 10 in an exhaustive search)....

    3. Re:Android-keypad-friendly passwords, sigh by dbIII · · Score: 1

      I've seen it being used in dictionary password attacks on an ssh honeypot so not at all.

    4. Re:Android-keypad-friendly passwords, sigh by Anonymous Coward · · Score: 0

      In case you didn't already know, you can hold the "shift" or "numbers" key and then slide your finger to the letter or number you're wanting to type and it keeps you from tapping the shift or numbers key and then the letter or number you're wanting to type.

      It's still not perfect, but better.

    5. Re:Android-keypad-friendly passwords, sigh by some+old+guy · · Score: 1

      7|-|@ d3P3|\|D$ 0|\| 7|-|3 d14L3(7 4|\|D 7|-|3 UB3r|\|3$$ 0Ph 7|-|3 $P34|30rz.

      --
      Scruting the inscrutable for over 50 years.
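
The point raised in comments 61 and 62 above (Passw0rd! satisfies length and character-set rules, and leetspeak variants turn up in dictionary attacks), as an added example that is not part of any commenter's post: a defender-side signup check that normalizes a candidate before comparing it to a blocklist. The blocklist holds only the passwords named in the story summary; the substitution map and all function names are assumptions made for this sketch.

```python
import re

# Leaked passwords named in the story summary (excerpt of the 2014 list).
COMMON = {"123456", "password", "12345", "qwerty", "superman", "batman", "696969"}

# Constructed substitution map (an assumption): leetspeak characters -> letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_composition_rules(pw, min_len=8):
    """Length plus character-class policy of the kind the comments describe."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalized_forms(pw):
    """Return the lowercase, padding-stripped and de-leeted variants of pw."""
    lowered = pw.lower()
    # Drop trailing digits/punctuation added only to satisfy the policy.
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    forms = {lowered, stripped}
    forms |= {f.translate(LEET) for f in forms}
    forms.discard("")
    return forms


def is_blocklisted(pw):
    """True if any normalized variant of pw is a known common password."""
    return not COMMON.isdisjoint(normalized_forms(pw))


def evaluate(pw):
    """Report both checks side by side for one candidate password."""
    return {"composition_ok": meets_composition_rules(pw),
            "blocklisted": is_blocklisted(pw)}


if __name__ == "__main__":
    # Constructed candidates; the first is the one quoted in comment 61.
    for candidate in ["Passw0rd!", "Sup3rm4n!!", "123456",
                      "correct horse battery staple"]:
        print(candidate, evaluate(candidate))
```

The composition rule accepts Passw0rd! and rejects the long passphrase, while the normalized blocklist check gets both right; a production blocklist would be far larger than the seven entries used here.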
  63. Ah, you're not being creative enough... by Svartalf · · Score: 1

    "...and change the combination on my luggage!!"

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  64. Strange angle by Luckyo · · Score: 1

    Why is anyone expecting this to change? It's fairly obvious that the overwhelming majority of people with these passwords have little to no contact with people who can tell them why it's wrong. It's also fairly obvious that they're not very interested in the issue either.

    So why expect change?

  65. I wonder did/does anyone use Pi as their password. by TimSSG · · Score: 1

    I wonder if anyone uses Pi or Pi/2 as their password. Too bad it would take so long to enter it into the password field. Tim S.

  66. Headline fix by Antony8GVM · · Score: 0

    I think the headline should read:

    The Most Popular *LEAKED* Passwords Are Still "123456" and "password"

    Which if you think about it...makes perfect sense why they were vulnerable in the first place.

  67. Re:One-time use and garbage accounts by reboot246 · · Score: 0

    But my fucking bank allows only letters (caps or lowercase) and numbers. No punctuation or symbols are allowed. And they limit me to 10 characters! Some security, huh?

    I ought to change my bank password to something like "yourbanksucks", but that's too many letters.

  68. Blatant Plug by Anonymous Coward · · Score: 0

    ..I got sick of my wife's and friends' email accounts getting hacked (both twice within months) due to them using simple passwords and using them on multiple sites so I made these...

    http://russtopialabs.bigcartel.com/product/ringminder-tm-mkii-password-crypto-rings

    Basically a mnemonic device to help them generate unique per-site passwords (for Luddites who don't like using pass wallet apps).

  69. Re:Superman? Batman? by Anonymous Coward · · Score: 0

    Marvel fans are not smart enough to spell the names of Marvel characters right.

  70. DMCA takedown notice by Anonymous Coward · · Score: 0

    To whom it may concern,

    By means of this communication, your website and related websites (named as, but not limited to, the names 'it.Slashdot.org', 'www.Slashdot.org', 'Slashdot.org', and various uppercase and lowercase letter combinations of these names) stands hereby notified of Digital Millennium Copyright Act violation of copyrighted text (named as, but not limited to, the terms "password", "password123", and uppercase versions of both terms), used for various important computer security and related purposes by the undersigned entity.

    Please stop using these terms.

    Signed,
    A Tourney

    On behalf of,
    A Coward

  71. Password policy... by rizole · · Score: 1

    We have to change our passwords every month and this always causes me to pause a beat to recall the current password. I assume because one month isn't long enough to forget the last and become habituated to the new. Anyway, I've started using swearwords and, interestingly, find I can recall them significantly faster with less interference from previous passwords.

  72. 0118 999 881 99 9119 7253 by Gunstick · · Score: 1

    Now that's easy to remember!
    Spaceballs is old, now it's IT crowd, and it makes for way better passwords.

    --
    Atari rules... ermm... ruled.
  73. Re:Password policy... Swearwords by Cro+Magnon · · Score: 1

    One of my systems at work kept rejecting my attempts to change my password. The one it finally accepted had the added bonus that I wasn't likely to give it out in mixed company.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  74. Re:Superman? Batman? by Anonymous Coward · · Score: 0

    It is now...