Slashdot Mirror


The Most Popular Passwords Are Still "123456" and "password"

BarbaraHudson writes: The Independent lists the most popular passwords for 2014, and once again, "123456" tops the list, followed by "password" and "12345" at #3 (lots of Spaceballs fans out there?). "qwerty" still makes the list, but there are some new entries in the top 25, including "superman", "batman", and "696969". The passwords used were mostly from North American and Western European leaks.

31 of 197 comments

  1. qwerty? by by (1706743) · · Score: 4, Funny

    My password is ',.pyf, you insensitive clod!

    1. Re:qwerty? by kurkosdr · · Score: 5, Funny

      My password is "incorrect". So if I ever forget it, the computer will helpfully remind me that "password is incorrect".

    2. Re:qwerty? by rasmusbr · · Score: 3, Informative

      Just hope that the system doesn't insist on you having a combination of letters, numbers, lowercase, uppercase and special characters

      Incorrect1!

    3. Re:qwerty? by sysrammer · · Score: 2

      Good one. Or should I say Gud1?

      I had a consultant that would frequently forget his password. I finally set it to "I forgot" and gave it to him. Three weeks later, sure enough, he drops by because he can't get in. I ask him "What's your password?" and he says "I forgot". So I just looked at him. Finally he got it. No issues since then.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  2. Mine is by Anonymous Coward · · Score: 2, Funny

    hunter2. But I guess that all should appear as '*******' to you as it is encrypted.

  3. 12345? by BarneyGuarder · · Score: 2

    That's the same combination I have on my luggage!

    At least 123456 has one more digit.

  4. Superman? Batman? by R3d M3rcury · · Score: 3, Funny

    But no Marvel characters?

  5. And? by NitsujTPU · · Score: 4, Interesting

    1) Clearly bad passwords will be the most popular. Some people will blow off security and will pick a bad password.
    2) There are no data in the article regarding how frequently these passwords are used.
    3) There is no representation of what these passwords are protecting. Maybe these are passwords to something harmless like accounts in some children's game. In which case, who cares?

  6. Re:I thought by ganjadude · · Score: 4, Interesting

    After reading the article, I'm still confused, as there isn't enough info to really make anything of this.

    The data is compiled from leaked passwords in 2014, by password company SplashData.

    OK, so it was leaked passwords... but from where? For what reasons? On what devices? I would wager a lot of "stock" devices will have simple PWs, and to most people, if it works, it doesn't need to be addressed. Also if PWs are from web pages? What are the pages? Because if they are not secure pages (work, banks, personal info) most people simply don't care. I mean, to leave comments on damn near any page, you need to register. I know on some pages I've created accts to leave a post and never plan on going back; I'm sure I've used some weak passwords for those sites.

    In the end, without a breakdown of types of accounts / passwords, it's a little hard to claim anything based on this data that is worth anything.

    --
    have you seen my sig? there are many others like it but none that are the same
  7. Re:Joke's on you by fyngyrz · · Score: 2

    Is that a fox I see hanging off your left ass cheek by his teeth?

    --
    I've fallen off your lawn, and I can't get up.
  8. Why would they change their ways by Ravaldy · · Score: 2

    Because the media lost much of its credibility a long time ago and because they keep fear mongering, people pay less attention to the news. What ends up happening is people don't react until they become a victim or someone close becomes a victim. Everybody thinks it happens to other people.

  9. Re:Very nice indeed by pushing-robot · · Score: 4, Insightful

    In fairness, it depends on what the passwords were *for*. If it's a bank site... that's bad. If it's some random site that hides content behind a pointless registration wall, '12345' is perfectly fine.
    It comes down to 'if this were a door, would I lock it?'

    --
    How can I believe you when you tell me what I don't want to hear?
  10. Re:Superman? Batman? by the_skywise · · Score: 3, Insightful

    Marvel readers are obviously more intelligent. ;p
    (or the built-in punctuation of the names just lends itself to passwords... spider-man, ant-man, S.H.I.E.L.D
    Actually that last one isn't a bad idea... :) )

  11. Re:I thought by JackieBrown · · Score: 4, Interesting

    I bought a Netgear AC1450-100NAR Dual Band Slim Gigabit Smart WiFi Router.

    The instructions specifically state that it would be a bad idea to change the SSID and password. I did anyways, of course, but was surprised to read this advice.
    http://ww.amazon.com/gp/produc...

  12. Low Value Sites Compromised? by Luthair · · Score: 2

    The article mentions this is based on sites compromised; I wonder if this list isn't to some extent self-selecting towards bad passwords. Lower value sites are more likely to be compromised than high value sites like Amazon or Google, and on low value sites people are much more likely to use garbage. Personally I use a pw database but still use junk passwords on sites when it's irrelevant if the account were to be compromised.

  13. I actually use 12345 by Opportunist · · Score: 4, Interesting

    Really. Yes, really.

    There are certain accounts that just don't matter. Until the "5-minutes-valid" mail provider existed, I did the same with gmx mail addresses. Create, use, never bother to use it again. Since with more and more services there is no sensible way to "disable" or "close" accounts, well, one more corpse floating in their sea of dead accounts.

    For example, I sometimes want to read something on Facebook and they insist that it's only visible to people who hand them their information. And, well, creating a throwaway account for Ivana Beritsh is faster than finding one that already has 12345 as its password...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:I actually use 12345 by Opportunist · · Score: 2

      Allow me to delete my account and you won't have that problem. I only use such accounts when I know I will not have use for them for longer than a brief period, usually hours, at the most. After that, I'd gladly clean up after myself. Sadly, few sites allow it.

      Allow me to actively delete my account and you won't have that problem.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Bull Shit! by Anon-Admin · · Score: 2

    P@ssw0rd! did not make the list and half the places I have worked have used that as the password because it meets the Windows complexity rules.
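
The gap this comment points at, as an added example that is not part of the original thread: a character-class rule accepts `P@ssw0rd!`, while a lookup against a common-password list, after undoing simple substitutions and trailing digits, rejects it. The 3-of-4 class rule, the 8-character minimum, the substitution table and the function names are assumptions for illustration; the blocklist holds only the seven passwords named in the summary.

```python
import string

# Constructed blocklist: only the passwords the summary above names.
COMMON = {"123456", "password", "12345", "qwerty", "superman", "batman", "696969"}

# Assumed substitution table, undone before the blocklist lookup.
DELEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                        "3": "e", "$": "s", "5": "s", "7": "t"})
TRAILING = string.digits + string.punctuation


def meets_complexity(pw, min_len=8):
    """Assumed composition rule: minimum length plus 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def blocklist_hit(pw):
    """Return the blocklist entry the password reduces to, or None."""
    lowered = pw.lower()
    # Check the raw form first so all-digit entries such as "123456" still match.
    variants = [lowered, lowered.rstrip(TRAILING)]
    variants += [v.translate(DELEET) for v in list(variants)]
    for v in variants:
        if v in COMMON:
            return v
    return None


def audit(passwords):
    """Passwords that satisfy the composition rule yet reduce to a common one."""
    return [(pw, hit) for pw in passwords
            if meets_complexity(pw) and (hit := blocklist_hit(pw))]


if __name__ == "__main__":
    # Constructed samples; the first three strings are quoted in this thread.
    samples = ["P@ssw0rd!", "Incorrect1!", "Passgas7&", "Batman2014", "123456"]
    for pw, hit in audit(samples):
        print(f"{pw!r} passes the complexity rule but reduces to {hit!r}")
```
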

  15. Biased to cracked sites by RevWaldo · · Score: 3, Insightful

    Since a site with proper hashing, where in theory the actual passwords are unknowable, wouldn't be on the list. And presumably sites with proper security on the back end would have stronger password complexity requirements in the first place, and vice versa. The blame falls more on the bar than the drunkards it serves.

    .

  16. Oldy-But-Goody by Tablizer · · Score: 3, Insightful

    Evolution of Passwords:

    1978:

      password

    1983: Rule: Don't use 'password', too common.

      passgas

    1990: Rule: Must contain at least one digit

      passgas7

    1995: Rule: Must contain mixed case

      Passgas7

    1999: Rule: Must contain at least one punctuation character

      Passgas7&

    2004: Rule: Must change every 2 months

      Passgas7& ... Passgas8* ... Passgas9( ... Passgas1! ...

    2009: Rule: Don't use same punctuation as digit key

      Passgas7$ ... Passgas8$ ... Passgas9$ ...

    2012: Rule: Don't use incremental digit patterns

      Passgas71$ ... Passgas17$ ... Passgas$71 ... Passgas$17 ...

    2015: Rule: Must be at least 20 characters long

      Passgas711111111111$ ... Passgas177777777777$ ...

    2017: Rule: Can't use any patterns guessable by AI

      Oh f$ck it, just hack me already, dammit @666

  17. Re:I thought by crunchygranola · · Score: 5, Insightful

    After reading the article, I'm still confused, as there isn't enough info to really make anything of this.

    Yep. There is much less to this than meets the eye.

    In addition, a list of most common passwords will always have defaults and obvious simple strings as the top candidates, this will never change. What would be more useful to know is whether the relative proportion of passwords fitting this description is declining (I doubt it, but we need to see the data).

    --
    Second class citizen of the New Gilded Age
  18. Re:trustno1 by camperdave · · Score: 3, Funny

    Was that "Trust no one" or "Trust number one"?

    --
    When our name is on the back of your car, we're behind you all the way!
  19. Re:Superman? Batman? by the_skywise · · Score: 2

    Feh - I use brucewayne... So nobody will think to know it's batman!

  20. Here's what I do by future assassin · · Score: 2

    When I sign up for a website I have a pattern where I take certain letters from the website's name and add a certain amount of numbers to that. It's easy to remember for me and slim chance of someone finding my combo, and it's a different password for every site I sign up for.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  21. Re:I thought by BarbaraHudson · · Score: 2

    I don't think too many devices have "696969" as a default password (customers would complain); the same applies to "superman" and "batman" except this time it would be the trademark holders who would be doing the complaining.

    And if they had revealed what web sites or devices used these passwords the most, everyone would be complaining about how they're making the net "less secure", same as when someone reveals a zero-day defect, instead of maybe just changing their password because "well, I use 'password' as my password, but I'm not on that site / own that device, so I'm pretty safe."

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  22. Obligatory XKCD by CronoCloud · · Score: 2

    I see "correcthorsebatterystaple" isn't in there, I'm surprised.

    http://xkcd.com/936/

  23. Re:I thought by bmo · · Score: 2

    OK, so it was leaked passwords... but from where?

    From everywhere. From pron.com, for example. Plaintext usernames, emails, and passwords. With .mil addresses and admin addresses to boot. They are there if you bother to look.

    From a csv file I have of the pronz.com list:

    Hi! We like porn (sometimes) so these are email/password
    combinations from pron.com which we plundered for the lulz

    Check out these government and military email
    addresses that signed up to the porn site...

    They are too busy fapping to defend their country:

    for what reasons?

    For money and for the lulz, as above.

    on what devices?

    Everything.

    Also if PWs are from web pages? What are the pages?

    Pron, government, banking, shopping, etc...

    Because if they are not secure pages (work, banks, personal info) most people simply don't care.

    This is the problem, in a nutshell. People just don't care about even their banking passwords.

    I mean, to leave comments on damn near any page, you need to register. I know on some pages I've created accts to leave a post and never plan on going back; I'm sure I've used some weak passwords for those sites.

    The thing is that people use the same "throw away passwords" everywhere. The same ones, across multiple sites including banking. Many of the above uname/password pairs worked in gmail and facebook.

    "But it's too much trouble to have different passwords everywhere"

    No it isn't. It's actually easier. Use a password manager. It's like a keyring, but not only do the keys fit only individual locks, the "keyring" (password manager) does the typing for you for password generation and logins. For example, through some of my own dumbassery (which I realized within 10 minutes of the dumbassery), I had to reset all my passwords one day. It took me only an hour with Lastpass including generating secure passwords. It would have taken me the better part of half-a workday to reset them manually.

    Yahoo lost control of my login credentials twice. Apparently I have been to Sweden and Bulgaria. After that, I got a password manager and never looked back.

    You will have to take my password manager from my cold dead hands.

    "But what if the password manager goes tits-up?"

    You export your credentials to a .csv file and print it out and save in a safe place offsite.

    All my passwords look like this: GvY0H025195BfN2MleZWx5Sra

    Try finding that in a rainbow table.

    It's a little hard to claim anything based on this data that is worth anything.

    Only because you lack imagination.

    --
    BMO

  24. That's Stallman's Sysadmin Password by billstewart · · Score: 2

    Ok, not any more, but for many years the root/admin/whatever password on Stallman's MIT machines was just carriage return. The point was extreme openness, so that anybody could log on, see anything, fix anything, copy any code.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  25. Re:Very nice indeed by cusco · · Score: 2

    Panasonic, Sony, and a bunch of other very large manufacturers send out their **security** cameras with trivial username/password like admin/12345 (Panasonic) or admin/admin (Sony) and do not require the installer to change them. This is why we prefer cameras from Pelco and Axis, which at least require the installers to change the password from the factory default on first use (although they do allow idiots to change it back to the factory default if they're so inclined). A couple of the large manufacturers of very high-quality cameras (crappy software, but nice hardware) have only one user (root) and do not allow the password to be changed. It's a bit sad when a customer's security system becomes a security hole.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  26. Re:Very nice indeed by Darinbob · · Score: 2

    What I hate is when those stupid sites require a complicated password, claiming that "password" is not secure enough, and "pa$23sw0rd97" isn't good enough because it doesn't have any capital letters, etc.

    Then there are the places which I *want* to be secure that refuse to let me have a better password because the rules are too stupid. Such as no upper case letters allowed, no special characters except dash, or password is too long. I haven't seen this at a bank, but I have seen it in modern MMOs for example who should know better than to let a database designer too lazy to scrub the input be in charge of security rules.

  27. Re:I thought by bmo · · Score: 2

    I don't see stupid passwords as a problem if they're used in situations where it doesn't matter.

    That's because the people who pick 123456 as passwords never consider if it matters or not. Most people consider their mail account something that matters, yet trying out various uname/pw combinations with gmail that come from a porn site invariably works.

    I don't know what to tell you, man, people are stupid with passwords and it's a documented problem.

    >complain about article summarizing the problem in general
    >demanding hand-holding.
    >your computer is connected to the largest information retrieval system ever invented.
    >can't be bothered to do your own research or bother to even google

    PEBKAC. Yours.

    --
    BMO