The Most Popular Passwords Are Still "123456" and "password"

BarbaraHudson writes: The Independent lists the most popular passwords for 2014, and once again, "123456" tops the list, followed by "password" and "12345" at #3 (lots of Spaceballs fans out there?) . "qwerty" still makes the list, but there are some new entries in the top 25, including "superman", "batman", and "696969". The passwords used were mostly from North American and Western European leaks.

qwerty?

[by+(1706743)]

My password is ',.pyf, you insensitive clod!

Re:qwerty?

[kurkosdr]

My password is 'incorrect". So if I ever forget it, the computer will helpfully remind me that "password is incorrect"

Re:qwerty?

[unixisc]

Just hope that the system doesn't insist on you having a combination of letters, numbers, lowercase, uppercase and special characters

Re:qwerty?

[rasmusbr]

Just hope that the system doesn't insist on you having a combination of letters, numbers, lowercase, uppercase and special characters

Incorrect1!

Re:qwerty?

[gatkinso]

I used qwerty on /. for about 9 years before I finally changed it. Funny thing - it was also my hotmail password for even longer.

Re:qwerty?

[sysrammer]

Good one. Or should I say Gud1?

I had a consultant that would frequently forget his password. I finally set it to "I forgot" and gave it to him. Three weeks later, sure enough, he drops by because he can't get in. I ask him "What's your password?" and he says "I forgot". So I just looked at him. Finally he got it. No issues since then.

Re:qwerty?

[Neil+Boekend]

I always rather like "Secret" and "Above your paygrade" as multiple user passwords but "I forgot" would be a cool one too.
Now I just have to go back to a place where multiple user passwords are a thing again.

I thought

[rossdee]

I thought the most popular password was just {enter}

Re:I thought

[ganjadude]

after reading the article, im still confused as there isnt enough info to really make anything of this

The data is compiled from leaked passwords in 2014, by password company SplashData.

ok, so it was leaked passwords....but from where? for what reasons? on what devices? I would wager alot of "stock" devices will have simple PWs. and to most people, if it works, it doesnt need to be addressed. Also if PWs are from web pages? what are the pages? because if they are not secure pages (work, banks, personal info) most people simply dont care. I mean to leave comments on damn near any page, you need to register. I know on some pages ive created accts to leave a post and never plan on going back, im sure ive used some weak passwords for those sites.

in the end, without a breakdown of types of accounts / passwords, its a little hard to claim anything based on this data that is worth anything.

Re:I thought

[JackieBrown]

I bought a Netgear AC1450-100NAR Dual Band Slim Gigabit Smart WiFi Router.

The instructions specifically state that it would be a bad idea to change the SSID and password. I did anyways, of course, but was surprised to read this advice.
http://ww.amazon.com/gp/produc...

Re:I thought

[ganjadude]

the fact that "admin" is on there as a PW, I would wager a lot of people dont change their router PW let alone SSID and SSID PW

Re:I thought

[crunchygranola]

after reading the article, im still confused as there isnt enough info to really make anything of this

Yep. There is much less to this than meets the eye.

In addition, a list of most common passwords will always have defaults and obvious simple strings as the top candidates, this will never change. What would be more useful to know is whether the relative proportion of passwords fitting this description is declining (I doubt it, but we need to see the data).

Re:I thought

[JackieBrown]

You are correct that this is the password to access the setting for the router through their webgui. The password to connect to the wifi, though, was similar to badorange456. (To be honest, it was actually harder than anything I ever manually set since I get frustrated typing long passwords into consoles using a gamepad.)

Re:I thought

[BarbaraHudson]

I don't think too many devices have "696969" as a default password (customers would complain); the same applies to "superman" and "batman" except this time it would be the trademark holders who would be doing the complaining.

And if they had revealed what web sites or devices used these passwords the most, everyone would be complaining about how they're making the net "less secure", same as when someone reveals a zero-day defect, instead of maybe just changing their password because "well, I use 'password' as my password, but I'm not on that site / own that device, so I'm pretty safe.

Re:I thought

[ganjadude]

yes, but im sure that someone out there has made, or is working on a way to crack those defaults too. Of the dozen or so routers ive set up in the past 3 years, almost all of them still follow a formula such as "color+number" or "fruit+number" . We are not getting passwords like 1nV@l!Dp2s$w04d by default yet

Re:I thought

[ganjadude]

I see no reason for anyone to complain about those as defaults. a string of numbers (696969) is not bad in anyway unless you really want to stretch the whole 69 thing. Batman and superman as a password I cant see how trademark owners could argue that a password is infringing on the trademark. As for the rest of your arguments I agree we shouldnt say "these are the most used passwords from slashdot" but I would like to know that they were talking about user submitted passwords over default PWs

Re:I thought

[The-Ixian]

Who would complain about a *default* password they didn't like? They already bought the widget and have the ability to change the password... Who bases their buying decision on the default password of the device?

Re:I thought

[Archangel+Michael]

Let me know when Gaming Consoles can do WPS and I'll be happy to put a huge long ugly password in. I would love to be able to use the button on my router.

Re:I thought

I thought the most popular password was just {enter}

That technically would not be a password.

That would be called a fuck-up, done by the dumbshit in charge of configuring said authentication system that accepts nothing as valid input.

Then again, we're talking about the general population who thinks "password" is the best choice for authenticating, so is it really a fuck-up when it's dumped into the middle of fuck-up island? I think not.

Re:I thought

[um...+Lucas]

Maybe more websites need to enforce strong password rules on their users. I know that plenty of sites either read the password entered or check the hash and reject it if it doesn't meet certain criteria. Ideally, end users would come up with secure passwords on their own, but since they can't, administrators need to do some prodding.

Re:I thought

[retroworks]

NO! NO NO! My biggest risk is websites which I don't care about trying to force me to use a very secure password. I use a word like "password" for example to access the Boston Globe online because a) I don't have anything to secure there, b) I don't care if someone learns my password and reads the Boston Globe, and most important c) I don't want an employee in Boston to have access to one of my more secure passwords. Unfortunately, sites like this force me to use "strong password rules" and then when I go back to it, when I have to guess my password, I may enter in an actual secure password which I actually use on an important secure site.

Re:I thought

[bmo]

ok, so it was leaked passwords....but from where?

From everywhere. From pron.com, for example. Plaintext usernames, emails, and passwords. With .mil addresses and admin addresses to boot. They are there if you bother to look.

From a csv file I have of the pronz.com list:

Hi! We like porn (sometimes) so these are email/password
combinations from pron.com which we plundered for the lulz

Check out these government and military email
addresses that signed up to the porn site...

They are too busy fapping to defend their country:

for what reasons?

For money and for the lulz, as above.

on what devices?

Everything.

Also if PWs are from web pages? what are the pages?

Pron, government, banking, shopping, etc...

because if they are not secure pages (work, banks, personal info) most people simply dont care.

This is the problem, in a nutshell. People just don't care about even their banking passwords.

I mean to leave comments on damn near any page, you need to register. I know on some pages ive created accts to leave a post and never plan on going back, im sure ive used some weak passwords for those sites.

The thing is that people use the same "throw away passwords" everywhere. The same ones, across multiple sites including banking. Many of the above uname/password pairs worked in gmail and facebook.

"But it's too much trouble to have different passwords everywhere"

No it isn't. It's actually easier. Use a password manager. It's like a keyring, but not only do the keys fit only individual locks, the "keyring" (password manager) does the typing for you for password generation and logins. For example, through some of my own dumbassery (which I realized within 10 minutes of the dumbassery), I had to reset all my passwords one day. It took me only an hour with Lastpass including generating secure passwords. It would have taken me the better part of half-a workday to reset them manually.

Yahoo lost control of my login credentials twice. Apparently I have been to Sweden and Bulgaria. After that, I got a password manager and never looked back.

You will have to take my password manager from my cold dead hands.

"But what if the password manager goes tits-up?"

You export your credentials to a .csv file and print it out and save in a safe place offsite.

All my passwords look like this: GvY0H025195BfN2MleZWx5Sra

Try finding that in a rainbow table.

its a little hard to claim anything based on this data that is worth anything.

Only because you lack imagination.

--
BMO

Re:I thought

[bloodhawk]

you would be amazed at what people will make formal complaints about. I shit you not we had people submit formal complaints to our organisation over some error messages where we used a few names from greek mythology as they considered it blasphemous that we were using religious icons that did not represent their beliefs. We also received complaints about error number 666 and various other items. Their are so many retards in this world just looking for a reason to feel victimised or insulted, I am surprised some of them have time for anything else in their lives.

Re:I thought

[ganjadude]

So pretty much rule 34 of the internet, but for complaints. If it exists,someone will complain about it or be offeneded by it

Re:I thought

[Darinbob]

For many sites, 123456 is a perfectly fine password, but possibly too long. Too many sites require registering to do the most basic of mundane things, and the visitors don't care if anyone steals their throwaway account.

A better set of data would be to know what was the most common password on a banking site which should be considered high security by most users, versus twitter which should be medium security (possibility of causing embarrassment), versus a forum for some game you just want help on which is low priority unless you were stupid enough to use your real name, versus the site requiring a registration in order to get a free coupon.

Re:I thought

[Darinbob]

This is the problem, in a nutshell. People just don't care about even their banking passwords.

But what are the stats there? The article didn't claim what "123456" was the most popular banking password, only that it was the most popular password. I don't see stupid passwords as a problem if they're used in situations where it doesn't matter.

Of course I can't be bothered to spend a couple days mining all that data from questionable web sites just to get some actual useful information out of it, but the original article could have done so instead of just having yet another funny article that doesn't really mean much as it's presented with no context.

Re:I thought

[bmo]

I don't see stupid passwords as a problem if they're used in situations where it doesn't matter.

That's because the people who pick 123456 as passwords never consider if it matters or not. Most people consider their mail account something that matters, yet trying out various uname/pw combinations with gmail that come from a porn site invariably works.

I don't know what to tell you, man, people are stupid with passwords and it's a documented problem.

>complain about article summarizing the problem in general
>demanding hand-holding.
>your computer is connected to the largest information retrieval system ever invented.
>can't be bothered to do your own research or bother to even google

PEBKAC. Yours.

--
BMO

Re:I thought

[RespekMyAthorati]

You need LastPass or KeepPass. Completely eliminates that problem.

Re:I thought

[Neil+Boekend]

The past 3 routers I used had a random number sequence 20 or so number long on a sticker on the back. That sequence was the initial key and after a physical reset that will be the key again.

Very nice indeed

People like this are rightfully called incompetent. Hopefully they're not multi-billion dollar companies.

Re:Very nice indeed

[pushing-robot]

In fairness, it depends on what the passwords were *for*. If it's a bank site... that's bad. If it's some random site that hides content behind a pointless registration wall, '12345' is perfectly fine.
It comes down to 'if this were a door, would I lock it?'

Re:Very nice indeed

[ShanghaiBill]

If it's a bank site... that's bad.

I don't know of any bank that would allow any of the passwords listed. Most (perhaps all) financial institutions will reject any password containing all digits, all letters, or any standard dictionary word (even if written in "L337 Speak").

These passwords are most likely for throwaway accounts for untrustworthy services. Since they were leaked, it is clear that the people running the services deserved the lack of trust.

Re:Very nice indeed

[BarbaraHudson]

I don't know of any bank that would allow any of the passwords listed. Most (perhaps all) financial institutions will reject any password containing all digits, all letters, or any standard dictionary word (even if written in "L337 Speak").

Then I guess you don't know enough banks. Some definitely do, as well as passwords less than 8 characters.

Re:Very nice indeed

These passwords are leaked passwords, i.e. the passwords are from sites that didn't properly protect the information of their users. Why waste a good password on a shitty site?

Re:Very nice indeed

[Cro+Magnon]

One of my banks didn't allow special characters. They changed and now do allow them, but that was pretty recent.

Re:Very nice indeed

[Cro+Magnon]

My "main" password isn't on their list, but it is a dictionary word, it's short, and it doesn't have numbers or specials. It's also only used on unimportant websites.

Re:Very nice indeed

[cusco]

Panasonic, Sony, and a bunch of other very large manufacturers send out their **security** cameras with trivial username/password like admin/12345 (Panasonic) or admin/admin (Sony) and do not require the installer to change them. This is why we prefer cameras from Pelco and Axis, which at least require the installers to change the password from the factory default on first use (although they do allow idiots to change it back to the factory default if they're so inclined). A couple of the large manufacturers of very high-quality cameras (crappy software, but nice hardware) have only one user (root) and do not allow the password to be changed. It's a bit sad when a customer's security system becomes a security hole.

Re:Very nice indeed

[Harlequin80]

My bank is even worse. They REQUIRE a 6 character password, and the input method is clicking on the virtual keyboard on the screen. So no special characters no capitalisation.

Then they force that password into the mobile app where you type it on a normal keyboard. I hate it. The only good security aspect they have is you can request (note not standard) an RSA token that you have to enter the code for whenever you want to make a transfer.

Re:Very nice indeed

[ShanghaiBill]

My bank is even worse. They REQUIRE a 6 character password

Which bank is that?

Re:Very nice indeed

[sublayer]

I don't know if it is Harlequin80's bank, but Westpac (https://online.westpac.com.au/esis/Login/SrvPage) requires exactly 6 characters, with no lowercase.

Re:Very nice indeed

[Harlequin80]

Sublayer is right - Westpac....

Re:Very nice indeed

[Harlequin80]

Yeah westpac.

Re:Very nice indeed

[Darinbob]

What I hate is when those stupid sites require a complicated password, claiming that "password" is not secure enough, and "pa$23sw0rd97" isn't good enough because it doesn't have any capital letters, etc.

Then there are the places which I *want* to be secure that refuse to let me have a better password because the rules are too stupid. Such as no upper case letters allowed, no special characters except dash, or password is too long. I haven't seen this at a bank, but I have seen it in modern MMOs for example who should know better than to let a database designer too lazy to scrub the input be in charge of security rules.

Re:Very nice indeed

Congratulations. Your "free registration" identity is now being used by ISIS to pass messages back and forth through its chat utility.

Enjoy the no-fly list.

Re:Very nice indeed

[nmr_andrew]

My bank still doesn't allow special characters, and IIRC the whole password has to be 6-10 characters long. At least I can combine upper and lower case *eyeroll*

if only they used...

mooltipass!

Re:if only they used...

[camperdave]

The problem with that is that there are few machines that come with a multi-pass reader slot built in, and I don't know of anyone who sells them as an add-on peripheral.

Re:if only they used...

[tbuddy]

Could put a link in since the time it takes to google is above the average attention span.

Re:if only they used...

[Darinbob]

Yes, she knows it's a multipass, anyway we're in love.

Re:if only they used...

[Darinbob]

In the future, meme's will be the way to tell someone's age if you've only met them online.

Joke's on you

Thing is, 'password' is so common, no one will guess that I'm using it. I'm outfoxing the foxes!

Re:Joke's on you

[fyngyrz]

Is that a fox I see hanging off your left ass cheek by his teeth?

Length does matter.

[auric_dude]

As illustrated by Stanfordâ(TM)s password policy shuns one-size-fits-all security http://arstechnica.com/securit... via https://itservices.stanford.ed...

If your us, what number are we thinking of?

69 Dude!

Mine is

hunter2. But I guess that all should appear as '*******' to you as it is encrypted.

Re:Mine is

[sumdumass]

Oh it does appear as *******. Its just that you can see it so you know you put it in correctly. Type another and it will do it again. You see, you could put your bank password in and it will only show the real password on your computer. Its microsoft's way of protecting you. Try it, you will see.

12345?

[BarneyGuarder]

That's the same combination I have on my luggage!

At least 123456 has one more digit.

Re:12345?

[Bob+the+Super+Hamste]

Well that makes it 10x as secure or possibly ~70x as secure depending on allowable values

Re:12345?

[halivar]

Well, *I* for one thought it was rather unsporting of the submitter to cut us off from potential (+5, Funny) Spaceballs references.

Re:12345?

[The+Grim+Reefer]

12345 is perfectly fine as long as you capitalize some of the characters. ;-)

Re:12345?

[Bob+the+Super+Hamste]

What did you say about my mother?!

Re:12345?

[Incadenza]

I always use 666 as the lock on my luggage, just to be sure I won't get anything stolen by a christian fundamentalist.

Re:12345?

[BarbaraHudson]

"darkHelmet": password hint "Vader"
"usetheschwartz", hint:"Use The Force"
"gone_plaid": hint: "Past Ludicrous Speed"
"Perri-Aire", : hint "More refreshing than Perrier"
"ImSurroundedByAsshoes" : hint: "management"
"goodisdumb" hint "goodisdumb" (think for a second :-),

See - plenty of password fun left for spaceballs fans.

Re:12345?

[marcello_dl]

I'll flip it and open it with "999".
Your move, atheists.

Re:12345?

[gatkinso]

12345....7

Re:12345?

[Darinbob]

There was a safe in the Thief reboot game, and nearby was a note that read "I've tried every number combination from 0-0-0 all the way up to 6-7-2. I give up."

Re:12345?

[Kittenman]

I'll flip it and open it with "999". Your move, atheists.

80085 ?

Re:12345?

[marcello_dl]

Don't forget traditions.
http://en.wikipedia.org/wiki/L...

Superman? Batman?

[R3d+M3rcury]

But no Marvel characters?

And?

[NitsujTPU]

1) Clearly bad passwords will be the most popular. Some people will blow off security and will pick a bad password.
2) There are no data in the article regarding how frequently these passwords are used.
3) There is no representation of what these passwords are protecting. Maybe these are passwords to something harmless like accounts in some children's game. In which case, who cares?

Re:And?

[gurps_npc]

I bet you my slashdot password vs your slashdot password that the passwords are protecting crap.

Re:And?

[schlachter]

1) Clearly bad passwords will be the most popular. Some people will blow off security and will pick a bad password.

Inversely, the most popular passwords will always be bad.

Re:And?

[Mr+D+from+63]

The most popular passwords are by nature the worst. Be it "123456" or "yy447dkwumm", if it is popular, it is not a good PW.

What would interest me in addition to what are they protecting would be what percentage of accounts using those PWs is ever hacked vs. more secure PWs.

Re:And?

[Drethon]

Yeah, my passwords to sites I'm not overly concerned about are a common single word or if I want to feel mildly more secure I toss a number in the middle of it. Just a throw away really.

Re:And?

[NitsujTPU]

Exactly!

Re:And?

[NitsujTPU]

I see what you did there!

Re:And?

[Deadstick]

More precisely, it's a list of the most common bad passwords. If nobody cracks your password, it doesn't get on the list.

Re:Hashed passwords?

I'm more worried about bad password storage practices than I am people using bad passwords. Individually, poor passwords are bad because it leaves people vulnerable, but if a company isn't properly hashing their passwords and that list is stolen? It doesn't matter how strong my 12 character long alphanumeric password is, because it's right there for the hackers.

Re:In other news

[fyngyrz]

Computer security is not a naturally intuitive domain for most human beings, absent some properly directed training and experience.

It doesn't make them idiots. But it does make them vulnerable.

I use password

[Drethon]

On my own computers behind a firewall. I consider use of the password password about the same as having none.

Why would they change their ways

[Ravaldy]

Because the media lost much of it's credibility a long time ago and because they keep fear mongering, people pay less attention to the news. What ends up happening is people don't react until they become a victim or someone close becomes a victim. Everybody thinks it happens to other people.

Re:Why would they change their ways

[Bob+the+Super+Hamste]

Well most of the people who's passwords are guessed and accounts cracked are dumb. About a month ago I went to try and log into my bank account to pay some bills and found the account had been locked. The password is 24 random characters as are the answers to the 5 security questions so it is highly unlikely that it would be broken. When I called to get the account unlocked they also asked one of the security questions. So long as the bank can manage to not leak the info I should be good. Granted that is a big if but it is a credit union so their customers are their shareholders so it is at least receptive to concerns mentioned by customers.

Re:Why would they change their ways

[Ravaldy]

I understand what you are saying. Even if the information was leaked it's encrypted so it would not be available to the hacker.

The point I was trying to make is that it's not a problem until it's a problem. I know so many people who give me their password at work and I tell them I do not want to know it. They don't understand that they can't trust anybody with their password. Its partially a generation issue but even the new generation is ignoring the consequences.

Re:Why would they change their ways

[Bob+the+Super+Hamste]

I understood your point and yes most people aren't proactive about their security as evidenced by their willingness to hand out their poorly chosen passwords like candy. Then they wonder why someone hacked their accounts, the whole photo hacking of apple's cloud storage thing should have taught people to choose better passwords. Companies do also share some of the blame for things poor security if they are getting hacked and having passwords and other account information stolen but it does seem to rarely wake people up.

Re:Superman? Batman?

[the_skywise]

Marvel readers are obviously more intelligent. ;p
(or the built-in punctuation of the names just lends itself to passwords... spider-man, ant-man, S.H.I.E.L.D
Actually that last one isn't a bad idea... :) )

trustno1

[__aaltlg1547]

I got a kick out of this one.

(changing password now)

Re:trustno1

[camperdave]

Was that "Trust no one" or "Trust number one"?

Low Value SItes Compromised?

[Luthair]

The article mentions this is based on sites compromised, I wonder if this list isn't to some extent self-selecting towards bad passwords. Lower value sites are more likely to be compromised than high value sites like Amazon or Google, and on low value sites people are much more likely to use garbage. Personally I use a pw database but still use junk passwords on sites when its irrelevant if the account were to be compromised.

Re:Low Value SItes Compromised?

[BarbaraHudson]

The article mentions this is based on sites compromised, I wonder if this list isn't to some extent self-selecting towards bad passwords. Lower value sites are more likely to be compromised than high value sites like Amazon or Google, and on low value sites people are much more likely to use garbage. Personally I use a pw database but still use junk passwords on sites when its irrelevant if the account were to be compromised.

Do you really want to be low-hanging fruit anywhere on the net for an account whose creation can be traced back to you? Seems to me that having the DHS or FBI seizing your computers because some jerk used your account to post death threats in the name of Islamic Jihad for the lulz is not worth the ease of using a simple, throw-away password,

I actually use 12345

[Opportunist]

Really. Yes, really.

There are certain accounts that just don't matter. Until the "5-minutes-valid" mail provider existed, I did the same with gmx mail addresses. Create, use, never bother to use it again. Since with more and more services there is no sensible way to "disable" or "close" accounts, well, one more corpse floating in their sea of dead accounts.

For example, I sometimes want to read something on Facebook and they insist that it's only visible to people who hand them their information. And, well, creating a throwaway account for Ivana Beritsh is faster than finding one that already has 12345 as its password...

Re:I actually use 12345

[Poeli]

Try http://bugmenot.com/

It really helps a lot on those annoying sites.

Re:I actually use 12345

[Opportunist]

Allow me to delete my account and you won't have that problem. I only use such accounts when I know I will not have use for them for longer than a brief period, usually hours, at the most. After that, I'd gladly clean up after myself. Sadly, few sites allow it.

Allow me to actively delete my account and you won't have that problem.

Life is Like a Box of Chocolates

What is Forrest Gump's password?

1forrest1

Bull Shit!

[Anon-Admin]

P@ssw0rd! did not make the list and half the places I have worked have used that as the password because it meets the windows complexity rules.

Biased to cracked sites

[RevWaldo]

Since a site with proper hashing, where in theory the actual passwords are unknowable, wouldn't be on the list. And presumably sites with proper security on the back end would have stronger password complexity requirements in the first place, and vice versa. The blame falls more on the bar than the drunkards it serves.

.

Re:Biased to cracked sites

[rgmoore]

Since a site with proper hashing, where in theory the actual passwords are unknowable, wouldn't be on the list.

This is simply not true. It may be impossible to reverse the hash and recover the password directly, but it is both possible and practical to carry out a dictionary attack on a file of hashed passwords. That's exactly why you're supposed to avoid easily guessed passwords and why those crappy passwords are crappy: they're susceptible to dictionary attacks.

Re:Biased to cracked sites

[complete+loony]

I'd say it's the other way around. If these sites were hashing and salting passwords, these simple passwords were low hanging fruit that were easy to crack.

I love these threads

I love the threads where we all jerk each other off about how smart we are. Next time we should skip the thread, meet up somewhere and jerk each other off for real!

Re:I love these threads

[sumdumass]

Well, my favorite BS password is "6uldvnc!"

Had that at work once for a few excel files when they imposed some stupid rules that eventually got ignored. But someone who had to access the file sounded it out and HR made me change it.

Shadow?

[Millennium]

18 shadow (Unchanged)

Please, please don't tell me that this word's popularity is an ill-conceived response to /etc/shadow. I may have to weep for humanity.

Re:Shadow?

[sound+vision]

People using "shadow" for a password have never heard of /etc/shadow.

Re:Shadow?

[Millennium]

Maybe not with that exact filename, but I can't help but wonder if some people hear that "shadow passwords are more secure" and think this means that changing your password to "shadow" helps.

I mean, why that particular word? Is there another explanation for how it could be that popular? Other than hedgehogs with guns, I mean?

12345?

[SeaFox]

Why isn't everything requiring at least 8 characters now?
(Also at least 1 letter as well).

LOL ...

[gstoddart]

Geez, Babs, look at you all submitting and stuff.

That's several stories in the last few days.

Just don't go all Bassett Houndleton on us and start posting long, tedious opinion pieces.

Re:LOL ...

[BarbaraHudson]

Geez, Babs, look at you all submitting and stuff.

That's several stories in the last few days.

Just don't go all Bassett Houndleton on us and start posting long, tedious opinion pieces.

The latest weather
report from hell
forecasts "it be hot"
the next millennium as well
If stupid stories
you wish to peruse
there's my journal
for all to abuse.

Burma Shave

Short enough? :-)

It doesn't matter how secure the password is..

[Dynamoo]

It doesn't matter how secure the password is, if a site or service gets compromised then it is highly likely that the password will get revealed. What makes a difference in those cases is how well encrytped or hidden the password is, and how determined the attacker is. Attackers can use precomputed tables made up of all sorts of phrases, letters, numbers etc which will get a handle on even very secure passwords.

It's far more important to have a different password on each site.. or at least a different password on each site you care about. For some sites is really doesn't matter if it gets hacked or not. The Gawker breach a few years back for example.. who would really give a stuff about having their Gawker password compromised.

So, it doesn't really matter on a lot of these sites if your password is 123456 because everything of value is protected by something better. Isn't it?

Re:It doesn't matter how secure the password is..

[jmkaza]

Great point. I always laugh when this list comes out each year, 'cause the guy who used jelHk7$%jh78df+EK9 was just as compromised as the guy who used abc123.

Oldy-But-Goody

[Tablizer]

Evolution of Passwords:

1978:

  password

1983: Rule: Don't use 'password', too common.

  passgas

1990: Rule: Must contain at least one digit

  passgas7

1995: Rule: Must contain mixed case

  Passgas7

1999: Rule: Must contain at least one punctuation character

  Passgas7&

2004: Rule: Must change every 2 months

  Passgas7& ... Passgas8* ... Passgas9( ... Passgas1! ...

2009: Rule: Don't use same punctuation as digit key

  Passgas7$ ... Passgas8$ ... Passgas9$ ...

2012: Rule: Don't use incremental digit patterns

  Passgas71$ ... Passgas17$ ... Passgas$71 ... Passgas$17 ...

2015: Rule: Must be at least 20 characters long

  Passgas711111111111$ ... Passgas177777777777$ ...

2017: Rule: Can't use any patterns guessable by AI

  Oh f$ck it, just hack me already, dammit @666

Most probably forums password

[aepervius]

Most important password institution including banks , have strong password policy which would reject "123456", and "password" (heck bank even have a second factor where you use the bank card decoder device but I have no idea on how secure it is). Those password are most probably email or forums password. And as secure as i want to be, I do the same. Email not linked to a bank account and used for spam registration or whatnot => weak password like "jodie123" like my slashdot password. Bank account and email linked to it get something more like "bY7&!-;+#ASumn)(". Yeah sure you might find my jodie123 password leaked. So what ?

I am calling shenanigans

[bloodhawk]

This sounds bogus to me, everything from windows to most forums, ISP's and Telco's that I am aware of won't let you use such simple passwords. The only place I know that I could use 123456 or password for me is on one of my work smart cards (I have 3 but only one is so weak on security).

I'm safe.

[msauve]

IT make us change them, so mine is now 123457, which isn't on the list!

Re:Superman? Batman?

[the_skywise]

Feh - I use brucewayne... So nobody will think to know it's batman!

In my 500,000 corpus ...

[raymorris]

> 2) There are no data in the article regarding how frequently these passwords are used.

There are 448,232 passwords in my corpus right now. The top ones today are:

password frequency
| bobb17 | 5 |
| iceman69 | 5 |
| demon133 | 5 |
| robert8 | 5 |
| saintt9 | 5 |
| alpha123 | 5 |
| jordan | 3 |
| pass | 3 |
| 1234 | 3 |

Here's what I do

[future+assassin]

When I sign up for a website I have a pattern where I take certain letters from the web sites name and add certain amount of numbers to that. Its easy to remember for me and slim chance of someone finding my combo and its a different password for every site I sing up for.

696969

[OldSport]

Clearly a lot of teenage boys' passwords were leaked as well.

Different for secure sites, yes. Also LONG. Passph

[raymorris]

> or at least a different password on each site you care about. For some sites is really doesn't matter if it gets hacked or not. The Gawker breach a few years back for example.. who would really give a stuff about having their Gawker password compromised.

Yeah, it's a very good idea to have your bank password be different from your reddit password. Also, most places let you reset your password by using your email address, so the email password is something of a "master key", it should be good.

A good password isn't a pass word, it's a pass phrase. Length matters above all else.

> Attackers can use precomputed tables made up of all sorts of phrases, letters, numbers etc
> which will get a handle on even very secure passwords.

An eight-character password will be found using a rainbow table, if the service didn't salt their passwords. A twelve-character password won't be cracked. (Assuming the site didn't use DES, thereby truncating it to eight characters).

A rainbow table for 8-character passwords is about a terabyte.
9 character, about 64 TB.
10 character, about 4096 TB.
11 character about 262,144 TB
12 character, about 16,777,216 TB

So for the 12-character table, the bad guy will need MILLIONS of hard drives to store the rainbow table.

Obligatory XKCD

[CronoCloud]

I see "correcthorsebatterystaple" isn't in there, I'm surprised.

http://xkcd.com/936/

Re:Hashed passwords?

[BarbaraHudson]

I can think of a few ways that people leak their own passwords. Emails to a co-worker when you're sick or away, chat or IM logs, picking an easy password so that if they forget it they can just try a few easy ones at random, being in a rush to change it because "here is your temporary password. You may only use it to change your password, after which you can use your new account" (a security practice that in practice causes the human elephant to fail).

While storing passwords as a hash offers some defense, even that doesn't work for common passwords where the hash value is known - just look at the stored hash and use the corresponding password. And then their's rainbow tables ... get access to the server involved and you can quickly match a password for every account.

And none of this includes the "password on a post-it under the keyboard." Go through any office and you'll find at least one (if the post-it isn't just stuck to the corner of the screen).

I'm sure in 5 minutes you can think of more ways to leak passwords :-)

You'll never guess mine

[WillAffleckUW]

654321

Now that's secure!

Re:Superman? Batman?

[BarbaraHudson]

But no Marvel characters?

I've looked everywhere on my keyboard and I can't find anything about using any Marvel character set. Is this some sort of unicode thingee?

Selection Bias?

[RockyMountain]

The article is a little light and fluffy. Doesn't say how these passwords were leaked.

Seems likely, though, that the very fact that they were leaked at all might be a form of selection bias. For example if the leakage vector involved some sort of cracking, it is hardly surprising at all that simple passwords dominate the list.

When simple/no passwords are appropriate

[unixisc]

On my home laptop, which has no users other than myself, I have a few login accounts for different purposes. One of them is for things like my banking, paying bills, purchases, et al, and that account has a proper password. For all the others, I either have the password as {ENTER}, or I just use the login name as password (if it's an administrator's account that requires a password). Nobody but me will ever get into this computer, so why make it needlessly complicated?

That's Stallman's Sysadmin Password

[billstewart]

Ok, not any more, but for many years the root/admin/whatever password on Stallman's MIT machines was just carriage return. The point was extreme openness, so that anybody could log on, see anything, fix anything, copy any code.

Re:That's Stallman's Sysadmin Password

[Darinbob]

Why complicate it?

MAC Address as default device password

[billstewart]

I've had a number of devices over the years where the default password was the MAC address of the admin port or first wired Ethernet port or equivalent, and was also printed on a label on the device. It's not perfect, but it's at least unique, and is strong enough that in most cases, people won't try to crack it, or anybody who might try cracking it has physical access to the box (in which case you're toast anyway.)

Android-keypad-friendly passwords, sigh

[billstewart]

My medium-security passwords were usually L33tSp34k versions of one or two dictionary words, plus whatever capitalization and punctuation were required. But now that I'm occasionally accessing the web through tablets and accessing work systems over cellphone, I've had to switch to Android-friendly passwords, so the letters get grouped together, followed by the numbers, and usually any punctuation is the limited set that appear on the same keypads as the letters or the numbers. So it's Abc,1234 instead of Passw0rd! for trivial passwords now...

Re:Android-keypad-friendly passwords, sigh

[TWX]

I wonder how secure l33t sp34k is now; if it's automatically being tried simply because it's so ubiquitous.

Re:Android-keypad-friendly passwords, sigh

[dbIII]

I've seen it being used in dictionary password attacks on an ssh honeypot so not at all.

Re:Android-keypad-friendly passwords, sigh

[some+old+guy]

7|-|@ d3P3|\|D$ 0|\| 7|-|3 d14L3(7 4|\|D 7|-|3 UB3r|\|3$$ 0Ph 7|-|3 $P34|30rz.

Re:What happened to "sex", "money" and "god"?

[Svartalf]

Headupassians don't typically care about those things...

Ah, you're not being creative enough...

[Svartalf]

"...and change the combination on my luggage!!"

Strange angle

[Luckyo]

Why is anyone expecting this to change? It's fairly obvious that overwhelming majority of people with these passwords have little to no contact with people who can tell them why it's wrong. It's also fairly obvious that they're not very interested in the issue either.

So why expect change?

Re:Passwords for Unimportant Sites

[kian]

IMHO, unimportant Sites should not ask visitors to create a password at all !

Why don't they just ask an OpenId or a {facebook|google|msn|yahoo|whatever} account and use its authentication protocol ?

Why do I have to create a password to post a comment on /. ?

I wonder did/does anyone use Pi as thier password.

[TimSSG]

I wonder if anyone uses Pi or Pi/2 as there password. Too bad it would take so long to enter it into the password field. Tim S.

Re:God wouldn't be up this late

[agm]

Often the word "to" is too short.

Re:Why don't movie and TV people try these?

[PPH]

I did like the episode of Dexter where he had to guess his foul-mouthed sister's password. "password". Nope. "fuckingpassword". I'm in.

Password policy...

[rizole]

We have to change our passwords every month and this always causes me to pause a beat to recall the current password. I asssume because one month isn't long enough to forget the last and become habituated to the new. Anyway, I've started using swearwords and, interestinglym find I can recall them significantly faster with less interference from previous passwords.

0118 999 881 99 9119 7253

[Gunstick]

Now that's easy to remember!
Spaceballs is old, now it's IT crowd, and it makes for way better passwords.

Re:Password policy... Swearwords

[Cro+Magnon]

One of my systems at work kept rejecting my attempts to change my password. The one it finally accepted had the added bonus that I wasn't likely to give it out in mixed company.