Slashdot Mirror


The Most Popular Bad Passwords of 2015 (dice.com)

Nerval's Lobster writes: For years, security experts have told people they need better passwords protecting their online accounts: no more '123456' or 'qwerty' or 'password.' Based on SplashData's fifth annual list of the 25 most common passwords, however, it's clear that relatively few people are listening to that advice. The firm based its list on more than 2 million leaked passwords during the year. The most popular, as in 2014, was '123456,' followed by 'password' and the ingenious, uncrackable '12345678.' One new entry on this ignoble list: 'starwars' in 25th place, no doubt thanks in part to the popularity of 'The Force Awakens' and the accompanying marketing campaign. Seems like a lot of people have forgotten (or never learned) that, while it's a pain to create (much less remember) a complicated password with lots of numbers and special characters, it's nothing compared to the pain of having your online accounts compromised. Maybe, as some have proposed, we could someday kill passwords for most services.

165 comments

  1. Passwords leaked from where? by Anonymous Coward · · Score: 4, Insightful

    I can imagine people don't put the same thought into a password for a throwaway account compared to say that of a bank account password. So I'd be interested as to the source of the leaked passwords. Not that it excuses any of those passwords in the list.

    1. Re:Passwords leaked from where? by davester666 · · Score: 1, Offtopic

      Google has decided that, regardless of the fact that I know the username and the long, complicated password for a Gmail account, because I haven't logged into it for some time, I can't log into it without associating it with a physical phone number, even though it has never been linked to a physical phone number before.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Passwords leaked from where? by Anonymous Coward · · Score: 0

      Isn't there a "skip" link, somewhere down there?

    3. Re:Passwords leaked from where? by Anonymous Coward · · Score: 5, Insightful

      That isn't for your security, it's so they can obtain your phone number. It really is just a nasty and insidious way of forcing users to divulge personal information.

    4. Re:Passwords leaked from where? by davester666 · · Score: 0

      No. I'm used to the usual "this will help us connect your online accounts and your physical world accounts/er prevent hackers" bullshit, they won't let me through without it.

      --
      Sleep your way to a whiter smile...date a dentist!
    5. Re:Passwords leaked from where? by Anonymous Coward · · Score: 0

      This guy gets it.

    6. Re:Passwords leaked from where? by Anonymous Coward · · Score: 0

      Weren't Google the ones who claimed that privacy doesn't exist online? I wonder why they are so stuck-up about passwords and shit then. If there were no privacy online, then either nobody should have passwords or they should be public information.

      I guess Google are hypocrites.

    7. Re: Passwords leaked from where? by Anonymous Coward · · Score: 1

      That's not true! My phone number, address, age, number of family members, favorite hobbies, medical history, job history, annual salary, social security number, copy of my signature, fingerprints, DNA sample, semen sample and political/religious affiliations ALL help them to keep my account safe, which is why I handed it over with a smile via an UNHACKABLE connection for them to store in complete security on an UNHACKABLE database server. And, I did it with a smile, because corporations are working for my best interests. They love me. THEY DO! THEEEEEEY DOOOOOO!

    8. Re:Passwords leaked from where? by JackieBrown · · Score: 1

      One of the problems I have is with my work passwords. I used to put some thought and creativity into my passwords. But the policy of having to change my password every 3 months (and 1 month for some apps) has made it difficult to keep up with security / ability to remember my "clever" password.

      Now it's a simple password with a * in it and a number in it. Then I add 1 to that number which covers me for 9 months.

    9. Re: Passwords leaked from where? by Lije+Baley · · Score: 1

      After a while, they'll add something to detect that number, so you then just move it to the middle of the word. And if they get wise to that, then just repeat it - still easy to remember, something like "Passw00rd!", "Passw11rd!", etc. And of course you'll need one alternate base word to swap in when they limit you to "no repeats" within 13 changes.
      Another tip is to just write down your password, but write it in a "masked" fashion - like Pxxxxx, giving you a letter or two as hints without giving away the password in total.

      --
      Strange things are afoot at the Circle-K.
    10. Re:Passwords leaked from where? by ComputerGeek01 · · Score: 1

      You should set up a Google Voice number for this just so that it messes with them.

    11. Re: Passwords leaked from where? by Dragonslicer · · Score: 1

      After a while, they'll add something to detect that number

      How would they do that? Unless they're storing passwords in plain text. In that case, though, there's basically no point in requiring strong passwords.
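
The question above has a defender-side answer that is worth showing: a system that stores only salted hashes of previous passwords can still catch "same word, counter bumped" at change time, because it holds the new plaintext at that moment and can hash transformations of it against the stored history. The block below is an added example, not code from the thread or from any vendor; it goes beyond trailing counters to digit runs anywhere in the password (so "Passw11rd!" is checked against "Passw00rd!") and uses PBKDF2 with a low iteration count purely so it runs with the standard library.

```python
import hashlib
import hmac
import os
import re

# Constructed example, not code from the page. A directory that keeps only salted
# hashes of previous passwords can still reject "old password plus one" by hashing
# transformations of the NEW plaintext (available at change time) and comparing.
# PBKDF2 with a low iteration count is used so the block runs with the standard
# library only; a real deployment would use its existing slow KDF (bcrypt, Argon2).
ITERATIONS = 10_000
MAX_DELTA = 15  # how far back a counter is decremented; bounds the KDF cost


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_history(old_passwords):
    """Build a constructed password history: a list of (salt, hash) pairs."""
    history = []
    for pw in old_passwords:
        salt = os.urandom(16)
        history.append((salt, hash_password(pw, salt)))
    return history


def candidate_variants(new_password: str):
    """Yield plaintexts the user may have used before, derived from the new one:
    the new password itself, each digit run removed, and each digit run decremented
    by 1..MAX_DELTA, zero-padded to its original width (so "11" also yields "00")."""
    seen = {new_password}
    yield new_password
    for m in re.finditer(r"\d+", new_password):
        start, end = m.span()
        width = end - start
        n = int(m.group())
        variants = [new_password[:start] + new_password[end:]]
        for delta in range(1, MAX_DELTA + 1):
            if n - delta < 0:
                break
            variants.append(new_password[:start] + str(n - delta).zfill(width) + new_password[end:])
        for v in variants:
            if v not in seen:
                seen.add(v)
                yield v


def reuses_old_password(new_password: str, history) -> bool:
    """True if the new password, or one of its counter variants, matches a stored hash.
    Each variant costs one KDF evaluation per history entry, which is why the
    variant set is kept small and bounded."""
    variants = list(candidate_variants(new_password))
    for salt, digest in history:
        for v in variants:
            if hmac.compare_digest(hash_password(v, salt), digest):
                return True
    return False


if __name__ == "__main__":
    hist = make_history(["Passw00rd!", "Summer2015"])
    print(reuses_old_password("Passw11rd!", hist))                   # True
    print(reuses_old_password("Summer2016", hist))                   # True
    print(reuses_old_password("correct horse battery staple", hist))  # False
```

The old plaintexts are never recovered from the hashes; the check only ever hashes guesses derived from the password the user just typed, which is why it works against a hashed history but also why it is limited to the transformations the operator thinks to enumerate.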

    12. Re:Passwords leaked from where? by Anonymous Coward · · Score: 0

      I have an Android phone. They already know it.

    13. Re:Passwords leaked from where? by Creepy · · Score: 1

      3 months would be a joy. Try 35 days. I guess that was an improvement over our old policy of 30 days, but we also need a chipped ID badge and a machine generated PIN now. Apparently the 35 days was chosen because that is about the average time it takes to hack wifi with a brute force attack or something like that. Personally I think it was just made up numbers pushed to management based on a perceived threat.

    14. Re:Passwords leaked from where? by Anonymous Coward · · Score: 0

      Agreed.

      While not quite as egregious as the examples given, my passwords for /. or the local sports team forums are significantly less complex than my banking or amazon passwords.

      captcha : wiretap

    15. Re:Passwords leaked from where? by sudon't · · Score: 1

      I think they found it to be a side benefit. The truth is, they began this two-step authentication crap because all the idiots using bad passwords would end up with their accounts "hacked", and then cause the web site administrators endless trouble trying to sort it out.
      The problem here is that few people use password managers, and this is because Microsoft did not see fit to include one with their operating system. Mac OS has come with a well integrated password manager since at least 2002, but the user had to, you know, use it. As I tell all my friends, particularly after receiving a spam email from their account, I've used that password manager since 2002, and have never had an account compromised. Nevertheless, I have to put up with constant bullshit - two-step authentication/information harvesting schemes, having to wait for an email before I can finish logging in, or regularly being asked to change my password "for security reasons" - all because of these dolts who won't use a password manager.

      --
      -- sudon't

      Air-ride Equipped

    16. Re:Passwords leaked from where? by arglebargle_xiv · · Score: 1

      Isn't there a "skip" link, somewhere down there?

      No, as of recent months they've made it impossible to skip. You can Google for advice on getting around it, but it's all based on outdated information that doesn't work any more.

    17. Re:Passwords leaked from where? by lsatenstein · · Score: 1

      My wife likes a password that is easy to enter. It's #Aaaaaaaa001. Essentially meets most password vetting software.
      Sometimes she changes it to #January001, #February001, #March0001
      At least she does not use swear words for passwords.

      --
      Leslie Satenstein Montreal Quebec Canada
    18. Re:Passwords leaked from where? by mcswell · · Score: 1

      Can someone explain the reasoning behind changing passwords periodically? If someone cracks my password, they're likely to have done plenty of damage before I change my password again. Why not allow (and require) us to create more complex passwords that we don't have to change? (They can be much more complex if I don't have to periodically create and memorize a new one.) And each time I log in, they can tell me when the last time I logged in was; if someone has guessed my password, it's likely that they don't log in at the same time I do. Or if they do hide their tracks that way, there will be two logins from me at the same time, which ought to raise an alarm.

  2. The Password is..... by Joviex · · Score: 1

    Thanks for the helpful list of first attack passwords for a brute force.

    Always mind boggling what someone will use as a PW.

    1. Re:The Password is..... by phishybongwaters · · Score: 1

      Well if you were actually going to try to brute force something, you'd already have 99% of these in your dictionary. Seriously. In fact, I'd go ahead (if I had the power) and force all of my domain's users to see a brute force crack in action and how ridiculously simple it is. 1 download, 2 clicks or 1 line of commands. I'd force each user to run that tool against a test password request with THEIR weak password. Just so they can see with their own eyes how trivial it is to crack these "passwords". If the word is a word in a dictionary in any language, it's already in MY cracking dictionary. IF it's a curse word? Ditto. If it's "1337" speak? Already in there. Honestly the string of numbers, if they were out of sequence, would probably take 3 or 4 more minutes than "password", so there is that I guess.

    2. Re: The Password is..... by Anonymous Coward · · Score: 0

      Any tips on where to find good password testing dictionaries for various common (natural) languages?

    3. Re:The Password is..... by Creepy · · Score: 1

      There was a time when nearly every router could be hacked with admin/admin. Often username is ignored on the router, too, so all you needed to know is the default password is admin. This still is often the default password on many routers, but they often block access to wireless and non-LAN machines by default now, so it is definitely more difficult to hack than it was in the 1980s and 1990s. I remember hacking my university router this way in the 1990s, and one of my fellow labbies put a packet sniffer on it. After stealing a bunch of passwords and looking at people's emails I think he felt guilty and alerted the administration of the security flaw. That was hardly the only security flaw we found and exploited. Quota was another fun one we found a bug with and removed the 10MB restriction we had so we could store more stuff.

      Anyhow, just saying 'password' and 'admin' were first try brute force hacks dating back to the 1980s and modems and admin stuck with routers to this day.

    4. Re:The Password is..... by arglebargle_xiv · · Score: 1

      There was a time when nearly every router could be hacked with admin/admin.

      Why the use of past tense, has anything changed? In any case it's quite useful, when I'm at a motel somewhere and need to fix their wireless, it saves me having to guess whether they've used "password" or "password1" to keep me out.

  3. Cool! by penguinoid · · Score: 3, Funny

    I knew it, my password is the top of the list! Only the best for me.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Cool! by cold+fjord · · Score: 1

      Lucky you! Mine didn't make the list AT ALL! Not even close.

      I'm going to have to rethink my strategy if I want my password to become popular. :(

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    2. Re: Cool! by Anonymous Coward · · Score: 0

      that's like that episode in The Shield when the newspaper prints a list of the top 10 most dangerous street gangs, and this leads to increased violence as gangs want to move up the list.

    3. Re:Cool! by Anonymous Coward · · Score: 0

      I was curious about your link (http://www.paulbogdanor.com/chomsky/cataclysm.html) - so I followed it.

      The first sentence contains loaded language, links to the author's other work ('Top 200 Chomsky Lies') but little substance.

      I'm not familiar enough with Chomsky to determine, off hand, whether the author has a valid point beneath the rhetoric, but clicking through some of the links, and then trying to find further commentary on them hasn't impressed me. The 'Top 200 Chomsky Lies' only receives praise from fairly partisan sources, and seems to be fairly comprehensively critiqued here (http://bigwhiteogre.blogspot.com/2011/06/response-to-paul-bogdanors-top-200.html)

      So, as someone who is curious, skeptical and always keen to see an authority's credentials subject to rigorous scrutiny - I am underwhelmed. I presume you are including this link in your sig to raise some kind of awareness, but the only people I can see overlooking the bias and obvious agenda of Bogdanov are going to be people looking for confirmation of a position they already hold. As a work of scholarly criticism, it's unconvincing.

    4. Re:Cool! by ChrisMaple · · Score: 1

      The only people I can see overlooking the bias and obvious agenda of Chomsky are going to be people looking for confirmation of a position they already hold.
      FTFY

      --
      Contribute to civilization: ari.aynrand.org/donate
    5. Re: Cool! by Anonymous Coward · · Score: 0

      Like that Caribbean island (I won't name it..) that got 2nd on some list of countries with the most alcohol consumption-per-head.... They were pissed too.

    6. Re:Cool! by unixisc · · Score: 1

      I knew it, my password is the top of the list! Only the best for me.

      I saw passw0rd in the list. In my guest SSID, I've created an SSID that I'd make available, and given it a password of P@55w0rd. It combines uppercase (P), lowercase (w, r, d), numbers (0) and special characters (@) as demanded by some password systems. I usually take a common word, replace 'i's, 'o's, 's's, 'z's and so on so as to make them less likely to guess, and also, satisfy the demands of complicated password systems that insist that one combine various case types into the password.

    7. Re: Cool! by unixisc · · Score: 1

      So they were pissed drunk, AND pissed too??? Did #1 rest on their laurels?

    8. Re:Cool! by Anonymous Coward · · Score: 0

      Perhaps, but I'm not linking to Chomsky in my sig.

      If Chomsky's bias were as self evident as you suggest, why does Bogdanov have such a poor standard of criticism?

    9. Re: Cool! by arglebargle_xiv · · Score: 1

      Like that Caribbean island (I won't name it..) that got 2nd on some list of countries with the most alcohol consumption-per-head.... They were pissed too.

      Obviously not pissed enough to reach the number 1 spot.

    10. Re:Cool! by tehcyder · · Score: 1

      The only people I can see overlooking the bias and obvious agenda of Chomsky are going to be people looking for confirmation of a position they already hold. FTFY

      And of course everybody else in the world has no bias and no agenda at all.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  4. Yubikey by darkain · · Score: 1

    Last year I switched over to using a Yubikey for U2F and SSH authentication. It has been a dream having this little thing everywhere I go. No more passwords at all. Either tap the button to log in, or NFC to my phone, or use a simple PIN number for SSH access.

    1. Re:Yubikey by phishybongwaters · · Score: 1

      My last job required using a "soft token" in conjunction with a "hard token". The soft token is software either installed on your machine or your smartphone that requires a PIN; from there, once you enter the PIN, it generates a challenge and response, and that response is good for 30 seconds. You did need to enter that response in like a password, but it was unique and only good for 30 seconds. That gets you into their systems. To connect to customer systems (VOIP mostly) that's when the hard token comes into play..... a USB key. The whole thing was kind of a pain in the ass due to the way it was implemented, but you only needed your PIN, never a bunch of passwords that get changed every 3 months.

  5. 1qaz2wsx? by mark-t · · Score: 2

    New for this year, but 12th on the list.

    While it's certainly not a particularly strong password, I'm honestly surprised that something like that would make a list of the 25 worst.

    1. Re:1qaz2wsx? by bigfinger76 · · Score: 1

      It's just a variation of 'querty'.

    2. Re:1qaz2wsx? by ET3D · · Score: 1

      Agreed, it's rather strange. My guess is that most values on that list have few occurrences: where the top ones from 2 million might have tens of thousands or thousands of occurrences, the ones at the bottom of the list, or even its middle, might have dozens. That would make these values highly affected by what subset of all passwords this 2M sample represents. For example, if the list of hacked passwords contained passwords culled from a company where the standard password is 1qaz2wsx, then that would make it a very common password, but wouldn't mean a thing about the use of that password in general.

    3. Re:1qaz2wsx? by bigfinger76 · · Score: 4, Funny

      Not sure how or why I misspelled qwerty.

    4. Re:1qaz2wsx? by Anonymous Coward · · Score: 0

      Having an azerty (French keyboard) I had a hard time finding where it came from.

    5. Re:1qaz2wsx? by Anonymous Coward · · Score: 0

      You must have really big fingers.

    6. Re:1qaz2wsx? by Anonymous Coward · · Score: 0

      You also have to keep in mind the rejection of the bad passwords. Try to make a password for a site and it might complain that "password" or "12345678" is too weak and not let them do it. As this becomes more widespread, I expect to see the bad ones take a little of a hit and more pattern-based or single-noun passwords increase.

    7. Re:1qaz2wsx? by Anonymous Coward · · Score: 0

      "1qaz" and "2wsx" are two columns of keys on the qwerty keyboard.
      So instead of making horizontal passwords "123456" or "qwerty", the new trend is vertical.

  6. Top 25 from my SSH honeypot-- by sillivalley · · Score: 4, Interesting

    Here's the top 25 captured by my SSH honeypot so far this year as count [account/password]:
    2132 [root/root]
    2110 [root/admin]
    2107 [root/123456]
    2107 [root/1234]
    2104 [root/password]
    2102 [root/root123]
    2102 [root/12345]
    2101 [root/p@ssw0rd]
    2101 [root/123]
    2098 [root/1]
    2091 [root/test]
    1907 [root/wubao]
    1905 [root/!q@w]
    1905 [root/jiamima]
    1905 [root/!@]
    1900 [root/idc!@]
    1900 [root/!]
    1899 [root/!qaz@wsx]
    1899 [root/admin!@]
    203 [root/superuser]
    203 [root/public]
    203 [root/power]
    203 [root/calvin]
    203 [root/alpine]
    203 [root/admin123]

    Around 400k ssh login attempts so far in 2016, mostly from China.
    If someone could explain "wubao" and "jiamima" I would greatly appreciate it!

    1. Re:Top 25 from my SSH honeypot-- by DNS-and-BIND · · Score: 1

      jiamima is encryption key or encrypted code, or maybe add a new password. wubao maybe 'without protection' or the equivalent of no password.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Top 25 from my SSH honeypot-- by tgv · · Score: 2

      Nice.

      For what it's worth, wubao might mean this: https://en.wiktionary.org/wiki..., the second meaning of which looks like "secret". Someone, perhaps you, might have asked this question before, https://ewedaa.wordpress.com/2...

    3. Re:Top 25 from my SSH honeypot-- by hankwang · · Score: 1

      Do you do anything else besides logging?

      I once set up an ssh honeypot in a chroot jail (with noexec and hardly anything in /bin; this was in 2005, before VMs were easy to run) to see what would happen; login guest/guest. Surely someone logged in, but they didn't attempt anything once inside. Maybe they were going to come back, but I didn't wait for it.

    4. Re:Top 25 from my SSH honeypot-- by Bert64 · · Score: 1

      Those are just from the dictionary fed to the ssh brute forcing tool, it doesn't mean any of them ever actually got a hit on a live system...
      I have exactly the same, continuous SSH brute force attempts, often the same ip will come back later and try the exact same passwords for no apparent reason.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Top 25 from my SSH honeypot-- by Bert64 · · Score: 1

      I've done a few, usually on an exotic architecture with a patched shell and kernel to log commands to syslog on another host...

      What you saw was probably just the scanner, it will log in and just take note of your ip and password for later use. Sometime later you'll usually get someone log in and take a look around... I found that while the scans often come from asia, the actual logins usually come from european countries like romania or italy.

      They will usually try uname to see what os is running, and often if it's not linux they will give up right away and not come back. If it is linux, they will usually try to download some tools using wget - copies of their ssh scanner, local root exploits, irc bots etc... Most of them tried to download precompiled x86 binaries, even when the system in question was something else, and they usually gave up when the binaries failed to run.

      It's not uncommon to see embedded devices with poor passwords that have been logged into thousands of times, but because of how restricted or nonstandard the environment is nothing was ever done with them.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:Top 25 from my SSH honeypot-- by Anonymous Coward · · Score: 2, Interesting

      calvin is/was the default password for most DRACs (Dell Remote Access Controllers).
      It's interesting to see it that high on the list.

      What is China hunting for?
      DRACs that are directly exposed to the Internet with the default password in place?
      And are the other top hits default passwords as well?

    7. Re:Top 25 from my SSH honeypot-- by Anonymous Coward · · Score: 0

      Careful there! Nothing in /bin doesn't matter. They can create their own binary from scratch using only the "echo" command. Not as tedious as it sounds if the attacker scripts it - then they can look for local vulnerabilities to give them root. Or merely use your guest account for attacking other systems.

    8. Re:Top 25 from my SSH honeypot-- by chispito · · Score: 1

      I used to run Kippo too until the SD crapped out on my raspberry pi. I speculated some of the more popular passwords were ones the malware had successfully used in the past, or possibly passwords the malware or competing malware set to make access easy when calling back. Do you allow interactive login?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    9. Re:Top 25 from my SSH honeypot-- by chispito · · Score: 1

      He's probably using Kippo, which has an emulated shell sandbox. It will give fake output for common commands, and even allow file download (so you can collect samples). When they try to execute anything they'll eventually realize they can't really do anything and give up. You can even replay the entire shell session to watch what was attempted.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    10. Re:Top 25 from my SSH honeypot-- by ACE209 · · Score: 1

      ..., mostly from China.

      or maybe from Verizon

      http://tech.slashdot.org/story...

      The relevant snippet from the summary:

      Spamhaus detected over 4 million IP addresses, mainly stolen from China and Korea, and routed on Verizon's servers with forged paperwork.

      --
      "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
    11. Re:Top 25 from my SSH honeypot-- by Anonymous Coward · · Score: 0

      Is there a way to fake uname output? Would be funny to see someone try to run Linux x86 binaries off the web on a computer that identifies itself as NetBSD running on a MIPS processor.

    12. Re:Top 25 from my SSH honeypot-- by hankwang · · Score: 1

      You missed 'noexec': the user home directory was mounted as a noexec filesystem. And probably I left 'chmod' out of /bin just to be sure.

    13. Re:Top 25 from my SSH honeypot-- by erapert · · Score: 1

      Just get the source code for uname, modify it, recompile it, then replace the system uname with your custom version.

    14. Re:Top 25 from my SSH honeypot-- by bloodninja · · Score: 1

      If someone could explain "wubao" and "jiamima" I would greatly appreciate it!

      wubao: No Password

      jiamima: Password

      --
      Lock the wife and the dog in the boot of the car.
      Return one hour later.
      Who's happy to see you?
  7. Passphrase! by Anonymous Coward · · Score: 0

    Yes, I have used this before:
    MyBestFriendsDogDied@TheAgeOf16WhenItWasRunOverByA1969F@RDDriven>TheSpeedLimit&BAC>.21%

    1. Re:Passphrase! by cold+fjord · · Score: 1

      Now if only the system didn't truncate it to 8 characters.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    2. Re:Passphrase! by 91degrees · · Score: 1

      I think "mbfdd@tao16wiwroba1969f" would be enough for a password secure enough for most purposes.

  8. Perfect system by Anonymous Coward · · Score: 0

    January2016, February2016, etc.

    Complies with my employer's policy of min 6 characters, lower case + upper case + numbers, and the all-important changing every month.

    1. Re:Perfect system by Chatterton · · Score: 1

      Similarly, for my windows account, I have a strong base password (upper, lower, numbers and special characters) and I add a counter after. I just write the current counter under my keyboard. For other company software or machine requiring another credential, I use the name of the system then the same base password and another counter (the counter is also written under my keyboard)...

      eg: base password: My5trongB4seP@ssw0rd

      windows: My5trongB4seP@ssw0rd017
      SoftNumber4: SoftNumber5My5trongB4seP@ssw0rd005
      Computer3: Computer3My5trongB4seP@ssw0rd010

      Under my keyboard, I have:
      windows: 17
      SoftNumber4: 5
      Computer3: 10

      Yes, if they crack one of my passwords and devise the methodology they can enter all my systems at work. But I have run my base password against 3TB of rainbow tables (MD5, LM, SHA1, NTLM) and the 2014 password list I could put my hands on (25M pwd) with success to have some confidence that it will not be cracked so easily.

    2. Re:Perfect system by hankwang · · Score: 1

      "SoftNumber5My5trongB4seP@ssw0rd005"

      And how many times do you typically have to enter such a 35-character password on a day?

    3. Re:Perfect system by tehcyder · · Score: 1

      base password: My5trongB4seP@ssw0rd

      I'm almost sure you're not supposed to publish your password on the interwebs.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  9. do most accounts need to be secure? by sittingnut · · Score: 4, Insightful

    "while it's a pain to create (much less remember) a complicated password with lots of numbers and special characters, it's nothing compared to the pain of having your online accounts compromised."
    one must question that assertion.
    are the accounts these passwords belong to really in need of security in the 1st place? are they not, most of them, throwaway accounts with not much value in them?

    without some measure of value of accounts secured by the passwords identified, lists like this don't tell us much.

    so called "security experts" should do more worthwhile research to find out the sort of insecure passwords used by people who want to keep something valuable secure.

    1. Re:do most accounts need to be secure? by Darinbob · · Score: 2

      My Hello Kitty Online Adventures account uses "1" as the password.

    2. Re:do most accounts need to be secure? by tlhIngan · · Score: 5, Insightful

      This.

      Telling me "password" is a bad password isn't news. It's obvious. And you know what? For accounts I don't care about, it's a perfectly good password.

      You want me to create an account to leave a comment on your stupid little blog? I don't see what's wrong with password.

      Hell, a lot of forums are like that too - want to get this download? Register for an account! So yes, I'm going to use password, because chances are, I won't ever visit it again.

      Now, my Amazon, Paypal, banking and other passwords? You can bet they aren't on that list!

      And guess what? There's a ton of sites that need registration, so no wonder they stay on the top - for these worthless accounts, people will use worthless passwords. If your password database has a lot of these passwords, perhaps you might want to rethink your account strategy. Maybe your visitors don't see your accounts system as valuable as you do.

    3. Re:do most accounts need to be secure? by MouseTheLuckyDog · · Score: 1, Funny

      Can people downvote this guy for Hello Kitty?

    4. Re:do most accounts need to be secure? by codeButcher · · Score: 2

      one must question that assertion. are the accounts these passwords belong to really in need of security in the 1st place? are they not, most of them, throwaway accounts with not much value in them?

      without some measure of value of accounts secured by the passwords identified, lists like this don't tell us much.

      so called "security experts" should do more worthwhile research to find out the sort of insecure passwords used by people who want to keep something valuable secure.

      True. But the answer depends. As the longish Wired article linked to above also hints at, if you link ("daisychain") your accounts, you might consider a simple throwaway e-mail account as not important. But then you go use the e-mail address as the login for another account, and/or as a backup where password resets for the other account get sent to. It now has become the weakest link in your daisychain (to mix metaphors).

      And that's one of the password's weak spots in the modern economy: having so many services and devices that each require their username/password as if they are the most important or sole login the user will ever do in his life.

      --
      Free, as in your money being freed from the confines of your account.
    5. Re:do most accounts need to be secure? by quintessencesluglord · · Score: 1

      Adding-

      Admins do themselves no favors by making ludicrous demands of lusers like "the password must contain a special character, but may not begin or end with a special character, have two numbers, and can only be 8 characters long... you got that?".

      Or requiring password changes every 60 days, especially for accounts I use maybe bi-yearly. Or refusing recycled passwords. And the list goes on.

      Anymore it is easier just to bang my head against the keyboard as my password and have them email me a new one.

      Two step authentication, and One Password to Rule Them All.

    6. Re:do most accounts need to be secure? by cold+fjord · · Score: 1

      You gotta be careful about that. Sometimes "Hello Kitty" has claws or "more forceful" means of dealing with the unwelcome.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    7. Re:do most accounts need to be secure? by cold+fjord · · Score: 1
      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    8. Re: do most accounts need to be secure? by Anonymous Coward · · Score: 0

      No dumbfuck, because this isn't reddit, and there's no downvotes. Someone with mod points might waste them shitting on a guy who mentions Hello Kitty, but the odds are they'll save them to make real contributions to this thread or another, instead of spewing them all over the place to make users feel important.

    9. Re:do most accounts need to be secure? by Anonymous Coward · · Score: 0

      and thus the market demanded and created bugmenot http://bugmenot.com

      Big sites regularly get the accounts being used on bugmenot (and related services) removed but often new ones get added while the "stupid little blogs" accounts stick around for years.

    10. Re:do most accounts need to be secure? by reboot246 · · Score: 1

      The ones that irritate me the most are the sites that say, "login with your Facebook account or your gmail account blah blah blah".

      I don't have a stupid Facebook account and you're not getting my gmail account. Sometimes I just use an email address like "guest@whateversiteiamat.com" or "password" as the password.

      News sites are notorious for this if you want to leave a comment.

    11. Re:do most accounts need to be secure? by Anonymous Coward · · Score: 0

      This.

      Telling me "password" is a bad password isn't news. It's obvious. And you know what? For accounts I don't care about, it's a perfectly good password.

      "password" is a bad password.
      The 123.. and qwerty style passwords can be written with your left hand in the same place, perfect for your porn account.
      Interestingly enough, starwars fits into this category.

    12. Re:do most accounts need to be secure? by digitig · · Score: 1

      Yes, it's especially annoying having to reduce the security of the strong passwords I generate using a password manager because a major organisation has employed a coder who thinks that "between 6 and 8 characters, including a digit and a special character" is a stronger password than "MXxFrmyx6pUCbyBvNx3zerBb06DABs" ("Must contain a special character").

      And I know I'm not the only one frustrated by this.

      --
      Quidnam Latine loqui modo coepi?
    13. Re:do most accounts need to be secure? by danbert8 · · Score: 2

      Exactly, I need a ridiculously complicated password to use the Rally app that reminds me to eat my veggies and then I get points for which I can get in on a raffle. I could care less if someone breaks in and signs me up for a few chances at winning a Whole Foods gift card that I won't win. Maybe they'll eat some veggies for me too.

      Meanwhile, unnecessarily complicated password requirements for things that NEED to be secure are still a waste. Brute force isn't really a thing anymore as most secure login portals will lock you out after 5 or so attempts. What is more likely than my password being brute forced is their database gets compromised which negates any security a long or complex password provides.

      --
      Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
    14. Re:do most accounts need to be secure? by danbert8 · · Score: 1

      I just sent United Healthcare some "feedback" on that one. They have stupid rules that include requiring one of only 6 symbols. Like I can remember which stupid symbol they allowed that I stuck in my password... Instead I end up resetting my password every time I log in. I tried explaining to them their ridiculous rules do nothing to secure my account if it locks me out and forces me to reset my password after 3 incorrect attempts. And that it's far more likely that their login database gets hacked than my password getting guessed or brute forced.

      --
      Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
    15. Re:do most accounts need to be secure? by danbert8 · · Score: 1

      They irritate me too and I do have a Facebook account. I would prefer to log in that way, but then it takes you to the permissions page and it's "gives access to all your friends, photos, contact information, etc. and permission to post as you on your wall, on other's walls, and in private messages."

      I'm like how about no... I'm not giving away permission for someone to assume my entire identity to not have to create a login to post a stupid comment on your stupid site.

      --
      Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
    16. Re:do most accounts need to be secure? by supremebob · · Score: 1

      Yeah... for sites that require a login for no good reason (like it's a free site or game that wants your user info so they can try to sell you premium features later), I'll just use something like password as the password. If someone wants to use that account because they are too lazy to create their own, more power to them.

    17. Re:do most accounts need to be secure? by chihowa · · Score: 1

      Until I just recently changed it, "password" has been my password for this account on Slashdot for over fifteen years. Not only is it a fine password for accounts of little consequence, but it actually works well for accounts where nobody ever even bothers to try to break in.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    18. Re:do most accounts need to be secure? by Bob+the+Super+Hamste · · Score: 1

      No. One day I wondered if someone had ever created a cross between Hello Kitty and the Punisher. The internet provides. I now want this.

      --
      Time to offend someone
    19. Re:do most accounts need to be secure? by Bob+the+Super+Hamste · · Score: 1

      eatshit@and.die is one I like to use when places ask for an e-mail address that only want it so they can bombard me with crap.

      --
      Time to offend someone
    20. Re:do most accounts need to be secure? by Bob+the+Super+Hamste · · Score: 1

      What is more likely than my password being brute forced is their database gets compromised which negates any security a long or complex password provides.

      Depends. If they were smart and salted the passwords and just stored the salted hashes as a SHA256 or SHA512 sum then having strong passwords still protects; if instead they just stored the password in plaintext in the DB, well, you're fucked anyway. If all they have is a listing of usernames and hashes they still would have to brute force, or rainbow table them, but they do that offline.

      --
      Time to offend someone
    21. Re:do most accounts need to be secure? by Anonymous Coward · · Score: 0

      password requirements == What you can take out of your bruteforce dictionary. Thanks sysadmin, I'll know not to waste my time with plain english words and go right to the l33tsp43k dictionaries!

    22. Re:do most accounts need to be secure? by Quirkz · · Score: 1

      I'm going to argue there's never a time that "password" is ever really perfectly good. It's just too common, and the first thing to be checked. Even on throwaway accounts, unless you're literally trying to give away your email address and what other data points the site collects, you might as well make it not one of the first things anyone with any curiosity at all might try. Now your dog's name or your kid's name or your street, or anything else still weak and relatively obvious to anyone who knows you is something I'd call perfectly fine to use. "Password" is the worst idea, under any circumstances.

    23. Re:do most accounts need to be secure? by myowntrueself · · Score: 1

      Yes, it's especially annoying having to reduce the security of the strong passwords I generate using a password manager because a major organisation has employed a coder who thinks that "between 6 and 8 characters, including a digit and a special character" is a stronger password than "MXxFrmyx6pUCbyBvNx3zerBb06DABs" ("Must contain a special character").

      And I know I'm not the only one frustrated by this.

      I love the ones that say things like "Must contain ONE number, ONE upper case character and ONE special character. And must be 8 characters exactly." Boy that simplifies things a lot. I had a fucking BANK that demanded this kind of 'secure' password...

      --
      In the free world the media isn't government run; the government is media run.
    24. Re:do most accounts need to be secure? by myowntrueself · · Score: 1

      Until I just recently changed it, "password" has been my password for this account on Slashdot for over fifteen years. Not only is it a fine password for accounts of little consequence, but it actually works well for accounts where nobody ever even bothers to try to break in.

      You might not care about your slashdot account but someone who wants to 'hack' into your slashdot account so they can swear allegiance to ISIS and threaten the life of the President of the United States of 'Murica might care. Of course they'd be behind 7 proxies, but you weren't behind 7 proxies last time you logged into it. Sucker!

      --
      In the free world the media isn't government run; the government is media run.
    25. Re: do most accounts need to be secure? by Anonymous Coward · · Score: 0

      I have a simple one that passes all common checks. Great for accounts that I could bear losing.

      Ybother?1

      Not that exactly, but you get the idea.

    26. Re:do most accounts need to be secure? by mattventura · · Score: 1

      The worst is the ones that have some sort of restriction on what characters you *can't* use in the password, because it means whoever programmed it had no clue what they were doing.

    27. Re:do most accounts need to be secure? by chihowa · · Score: 1

      I can't say I'd care too much about that, but my point was more that there's not even much interest in attempting to compromise most internet accounts. In over 15 years, no person or bot attempted to log into this account with the most common password on the internet. Expecting users to come up with and remember strong passwords for inconsequential sites is a waste of everybody's time.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    28. Re:do most accounts need to be secure? by tepples · · Score: 1

      You want me to create an account to leave a comment on your stupid little blog? I don't see what's wrong with password.

      What happens when someone guesses your password to a comment section or forum and uses your account to post libel, copyright infringement, child sexual abuse photos, or other contraband information?

    29. Re:do most accounts need to be secure? by sudon't · · Score: 2

      Right! My online banking forced low complexity passwords! Letters and numerals only, relatively short max length. I wrote them about this, and they replied with some crap about their servers being secure. On top of which, they blocked autofill, so that I always had to open my password manager and look up the password. Fucking annoying. Of course, BB&T is no longer my bank.

      --
      -- sudon't

      Air-ride Equipped

    30. Re:do most accounts need to be secure? by arglebargle_xiv · · Score: 1

      The worst is the ones that have some sort of restriction on what characters you *can't* use in the password, because it means whoever programmed it had no clue what they were doing.

      Like that news site, what's it called, Slashdot? Not in the passwords, on the site itself.

    31. Re:do most accounts need to be secure? by tehcyder · · Score: 1
      The point is that, once you do have a facebook account, you're not really increasing the likelihood of anything bad happening by re-using it as a generic login.

      Whatever SmallNewssite.com does with your facebook information is trivial compared to what facebook itself does. Same with gmail, whatever the few remaining google fanboys here might think.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    32. Re: do most accounts need to be secure? by Anonymous Coward · · Score: 0

      I don't use "password" anywhere. For throwaway accounts on fora etc. I use pwgen for the username, password and email address. It's the browser's job to remember them.

  10. I'm stunned! by dohzer · · Score: 1

    Finally... a "Most Popular *THING* of *YEAR*" list where they actually waited for the year to finish before releasing it. I'm impressed.

  11. Mobile devices by Anonymous Coward · · Score: 0

    For mobile users it is hell to use strong passwords. It takes ages to enter, is mistake prone and when you make a mistake, you can start all over.

    I have reverted to using all lowercase passwords again, on sites that require me to login with a password. Over 50% of web users are on mobile nowadays. Get with the times and use oauth2 services (google/facebook/twitter/whatever).

  12. Whew! by Anonymous Coward · · Score: 0

    I just checked the list! I'm safe for now, but it's only a matter of time before my server, desktop, router, phone, thermostat, and fridge get pwned by the latest Linux vulnerability.....

    At least my Surface 4 and iPad are safe so I can order some replacements for that crap!

    1. Re:Whew! by myowntrueself · · Score: 1

      I just checked the list! I'm safe for now, but it's only a matter of time before my server, desktop, router, phone, thermostat, and fridge get pwned by the latest Linux vulnerability.....

      At least my Surface 4 and iPad are safe so I can order some replacements for that crap!

      Yeah, it's not like OSX and iOS had more vulnerabilities last year than Flash!

      --
      In the free world the media isn't government run; the government is media run.
  13. Obligatory XKCD by schizz69 · · Score: 1

    I thought correcthorsebatterystaple would have made the list.

  14. Lucky my password by Anonymous Coward · · Score: 0

    "jjt4sawknsux" is not on the list.

  15. Where is SplashID getting this from? by TigerPlish · · Score: 1

    Splash ID sells password vaults that can sync to cloud.

    Supposedly this is all encrypted.

    So.. where is Splash getting this info from?

    --
    The "Civilized World" jumped the shark ca. 1973.
    1. Re:Where is SplashID getting this from? by TigerPlish · · Score: 1

      Oh, forgot -- cloud sync was added 2009, if I remember right. Which is six or seven years ago, depending on where in 2009 it was actually introduced. And this is their fifth list of bad passwords?

      Questions abound.

      --
      The "Civilized World" jumped the shark ca. 1973.
    2. Re:Where is SplashID getting this from? by LordWabbit2 · · Score: 1
      It's in the fucking summary.

      The firm based its list on more than 2 million leaked passwords during the year.

      But hey, let's rather jump to conclusions, since this is slashdot and everything.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  16. Means nothing by Anonymous Coward · · Score: 0

    There is no such thing as the most popular good password.

  17. ./ is not being helpful here... by kig8472 · · Score: 0

    ...I'd rather need a list of the most popular GOOD passwords!

  18. What I do for my passwords by m.alessandrini · · Score: 4, Interesting

    Seriously, can you give me advice if this is a safe approach? To remember the passwords for the many web accounts, and to not reuse the same password everywhere, I use a password made from a fixed difficult sequence of characters (the same for all sites), then add a couple of letters depending on the site's name. If sites, as it should be, store only the digest/checksum of the password, even in case of stolen database one should not be able to reverse it and find the original password with the "algorithm" to apply it to other sites. I'm not a crypto expert, do you think this can be reasonably safe?

    1. Re:What I do for my passwords by Anonymous Coward · · Score: 0

      Such a simple manual hash algorithm for passwords is better than nothing. Disadvantages are:
      1. Different sites have different stupid arbitrary restrictions, so you're forced to a "lowest common denominator" (e.g. probably you don't use any punctuation symbols in your manually generated passwords, and they aren't very long)
      2. If a site requires you to reset/change your password for some reason, then you are stuck; you have to remember that site's password as an exception to your system.
      3. If someone happened to discover 2 of your passwords to different sites, then your scheme would be easily busted.

    2. Re:What I do for my passwords by m.alessandrini · · Score: 1

      I'm not sure I understand item 3, is it enough to defeat the one-way nature of a checksum?

    3. Re:What I do for my passwords by Anonymous Coward · · Score: 3, Insightful

      Advertising it, especially in a format associated with a probably common handle (and what appears to be a real name,) certainly isn't.

    4. Re:What I do for my passwords by Anonymous Coward · · Score: 0

      If even two sites store those passwords in plain text or using some weak scheme, your passwords are compromised.

      How about doing exactly the same thing, and then running it manually through e.g. md5sum or some other hashing algorithm? Then use the hash as your password. A bit more work to log in, but not too much.

    5. Re:What I do for my passwords by rcase5 · · Score: 1

      I have been doing something similar for the last 15 years or so, and it works well for me. To my knowledge, none of my accounts have been hacked in that time. The other key, however, is to use LONG passwords. If the entropy in your password is sufficient, you shouldn't have any trouble. The key with dealing with long passwords? Muscle memory!

    6. Re:What I do for my passwords by rcase5 · · Score: 1

      1. Different sites have different stupid arbitrary restrictions, so you're forced to a "lowest common denominator" (e.g. probably you don't use any punctuation symbols in your manually generated passwords, and they aren't very long)

      Excuse my French, but this shit drives me crazy! Having said that, any scheme you choose to use should be adaptable. For example, for sites that have a size limit on passwords, I use a smaller portion of the fixed part of the password, accompanied by the variable part. If they don't allow symbols, I just drop the symbols from the fixed part. Then again, if a site has these types of arbitrary restrictions, I generally only use them if they aren't terribly important. In other words, if someone were to hack my account on said web site, if it wouldn't cause me serious problems in that event, I usually go ahead anyway. Web sites for mobile phones are notorious for imposing these types of restrictions. Since I don't want someone hacking my mobile phone service, I generally don't use them; I just use their phone tree or call customer service. (It's amazing what phone companies don't know about building secure web sites).

      Also, I have a theory that web sites that have these types of restrictions on their passwords are storing passwords in clear text. I'm guessing the symbols might interfere with their username/password storage scheme, and allowing them could cause their user database to become corrupted. I have no evidence to back this up, but it's the only thing I can think of that would explain why anybody would have restrictions on what characters you can use. If they were hashing passwords, it shouldn't make a difference. Same goes for those with size limits on their passwords. You should be able to copy and paste "War And Peace" as your password and it shouldn't matter; sites that use hashes should be able to handle that (system memory and bandwidth restrictions notwithstanding).

      2. If a site requires you to reset/change your password for some reason, then you are stuck; you have to remember that site's password as an exception to your system.

      Not unless your password scheme is adaptable. If you have a fixed portion and a variable portion of your standard password, all you do is change the variable portion. I've run into this myself, and it still works.

      3. If someone happened to discover 2 of your passwords to different sites, then your scheme would be easily busted.

      That's where length combined with entropy comes in. Longer passwords are harder to guess. Yes, they can be a pain in the ass, and I can't tell you how many times I have to retype my passwords. But that's a small price to pay for ensuring your online presences are secure. Also, avoid using sites that require shorter passwords and/or have restrictions on the characters you can use. But, you do have a point.

    7. Re:What I do for my passwords by EdwardFurlong · · Score: 1

      I don't know how secure this is, but I have six common passwords, each 8 characters long, these ones I know by heart because I have been using them for 10+ years. When I need to make a stronger password I start combining them. So banking I would just remember GEK, and the password would be geyu3y6deb4n7etskwoiuu6a, and my slashdot login might just be kwoiuu6a.

    8. Re:What I do for my passwords by mattventura · · Score: 1

      #3 is unrealistic. It would require someone to specifically be targeting me. When a password list gets leaked, they'll try the username/email+password at other sites. If it doesn't work, they forget about it and move on to the next. It's enough security to not be the low-hanging fruit.

    9. Re:What I do for my passwords by Tony+Isaac · · Score: 1

      What are the chances they are all using hashes? Just about nil.

      Still, I use a similar system. I use the same base password with minor variations, and email myself a password hint so I can look it up later.

    10. Re:What I do for my passwords by sudon't · · Score: 1

      "...do you think this can be reasonably safe?"

      If someone knows basically how you do it, they could probably figure it out. Remember, a lot of "hacked" accounts are compromised by people known to the victim, or by people who can have a look at your personal information, (like your Facebook account - how locked down is that?). Otherwise, I suppose any single password will look random.
      You ever considered looking into a good password manager? You only have to remember one good password, and the password manager can create strong unique, (yet, memorable, if so desired), passwords for each account. I'm always amazed at the contortions people put themselves through when the solution is so simple. After all, you're on a computer already, so why not use some software?

      --
      -- sudon't

      Air-ride Equipped

    11. Re:What I do for my passwords by tepples · · Score: 1

      That'd fail because md5sum does not produce mixed-case or punctuation, which some sites require. Another site requires passwords to be no longer than 12 (!) characters.

    12. Re:What I do for my passwords by tepples · · Score: 1

      Probably because synchronizing the password manager across all devices that one uses is an extra-cost feature.
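As an added example (not code from any of the commenters), here is the base-plus-site-name idea from comment 18 with the hashing step proposed in reply 4 made explicit: PBKDF2-HMAC-SHA256 stands in for md5sum, a counter covers the forced-reset case from reply 6, and the output is encoded so it has the mixed case, digit and symbol that reply 11 notes md5sum output lacks, with a length cap for sites that impose one. The master secret, site names and symbol set are constructed placeholders.

```python
import hashlib
import string

# Character classes used to satisfy the usual "at least one of each" rules.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!@#$%^&*-_"           # small symbol set that most sites accept (assumption)
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS


def derive_site_password(master, site, counter=1, length=16, rounds=100_000):
    """Derive a per-site password from one master secret, deterministically.

    PBKDF2-HMAC-SHA256 replaces the md5sum step proposed in the thread: it is
    slow by design, and the site name plus a counter serve as the salt, so
    bumping the counter gives a fresh password when a site forces a reset.
    The master secret must itself be long and random: a site that stores
    passwords in the clear leaks one derived value, and a weak master could
    then be guessed offline from it (the objection raised in reply 4).
    """
    if length < 4:
        raise ValueError("need at least 4 characters to fit one of each class")
    salt = f"{site.lower()}:{counter}".encode()
    # Enough bytes for every position plus the shuffle indices below.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds, dklen=2 * length)
    # One character from each class first, the rest from the whole alphabet
    # (byte % size has a slight bias; acceptable here, not for a real generator).
    chars = [
        UPPER[raw[0] % len(UPPER)],
        LOWER[raw[1] % len(LOWER)],
        DIGITS[raw[2] % len(DIGITS)],
        SYMBOLS[raw[3] % len(SYMBOLS)],
    ]
    chars += [ALPHABET[b % len(ALPHABET)] for b in raw[4:length]]
    # Deterministic Fisher-Yates shuffle so the class-forced characters do not
    # always sit at the front.
    for i in range(length - 1, 0, -1):
        j = raw[length + i] % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_rules(password, max_length=None):
    """True if the password has one of each class and fits an optional length cap."""
    classes = (UPPER, LOWER, DIGITS, SYMBOLS)
    has_all = all(any(c in cls for c in password) for cls in classes)
    return has_all and (max_length is None or len(password) <= max_length)


if __name__ == "__main__":
    master = "correct-horse-battery-staple-EXAMPLE-ONLY"   # placeholder, not a real secret
    for site in ("slashdot.org", "example-bank.test"):
        pw = derive_site_password(master, site)
        print(site, pw, satisfies_rules(pw))
    # A site with a 12-character cap, and the same site after a forced reset.
    print(derive_site_password(master, "example-bank.test", length=12))
    print(derive_site_password(master, "example-bank.test", counter=2))
```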

  19. People are not "relatively" listening by Anonymous Coward · · Score: 0

    Stupid websites are stupidly forcing new users to not use 12345 anymore, by not allowing you to choose how much you really need your password to be secure.

  20. Because Mel Brooks has the answer to everything. by meglon · · Score: 1
    --
    Fascism: An authoritarian and nationalistic right-wing system of government and social organization. See also: NAZI's
  21. Boy am I glad that TwinkleToes is not on the list! by dsmatthews9379 · · Score: 1

    Oooops!

  22. Who does NOT use qwerty123456 From time to time? by Anonymous Coward · · Score: 0

    When I'm forced to enter a password to some shit site that is what I use. I could not care less about their security.

  23. An interesting addition by mechtech256 · · Score: 1

    This new entry stood out to me: 1qaz2wsx (New)

    Look at the position on the keyboard. People are treating the keyboard like an android/iphone lock screen, at least that's my guess. Very cool to see behavior change as our devices do.

    1. Re:An interesting addition by Anonymous Coward · · Score: 1

      I used to do this as far back as in the 90's. Patterns like zse4rfv vgy7ujm, zse45thnmko0 etc, because the company I worked at required frequent password change and I was lazy.

    2. Re:An interesting addition by Anonymous Coward · · Score: 1

      Using patterns on the keyboard can be a good way of inventing easy to remember & use, but difficult to guess passwords. This technique is especially useful if you have a non-qwerty keyboard. However, it makes it a PITA if all you remember is the pattern, and not the actual keystrokes, if you have to use a different keyboard (for whatever reason). So, one day, I'm logging into my Gmail from a Danish PC/keyboard... it took me about 10 minutes to figure out where all my symbols are! Oh.. and where the hell is ~ on a Swiss German keyboard?!

    3. Re:An interesting addition by Quirkz · · Score: 1

      I used to have 5tgb6yhn as a password. I didn't even have to type it, I could just swipe my finger across the keyboard twice, down the two rows, and hit it pretty reliably. It seemed convenient, but only when nobody was looking, because anyone with any sense who saw me log in that way would be able to guess it almost immediately.

    4. Re:An interesting addition by Anonymous Coward · · Score: 0

      It's been a known thing for quite a long time - way before Android.

      It's common enough that there are brute force generators that try them - and decent password enforcement rulesets to forbid them on password resets/changes.

      The company that I work for specifically filters out this kind of thing based on some of the more frequent patterns on multiple keyboard layouts.
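The filtering described in the reply above, as an added example (not the commenter's employer's code): a checker that scores a candidate password by how many consecutive keystrokes are physically adjacent on a US QWERTY layout, which catches the column walks from the thread (1qaz2wsx, zse4rfv, vgy7ujm, 5tgb6yhn). The layout rows, the flat column model (real keyboards stagger the rows) and the 0.75 threshold are assumptions; other layouts need their own row strings.

```python
# US QWERTY, one string per physical row; the index in the row is the key's column.
QWERTY_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
# Shifted top-row symbols map back to the same physical key.
SHIFTED = dict(zip("!@#$%^&*()_+", "1234567890-="))
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def key_position(ch):
    """(row, column) of the physical key for a character, or None if not on the layout."""
    return KEY_POS.get(SHIFTED.get(ch, ch.lower()))


def adjacent(a, b):
    """True if the two characters sit on different, touching keys (including diagonals)."""
    pa, pb = key_position(a), key_position(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def walk_fraction(password):
    """Share of consecutive character pairs that are adjacent keys (0.0 to 1.0)."""
    if len(password) < 2:
        return 0.0
    hops = sum(adjacent(x, y) for x, y in zip(password, password[1:]))
    return hops / (len(password) - 1)


def looks_like_keyboard_walk(password, threshold=0.75, min_length=6):
    """Policy check: reject passwords that are mostly a walk across the keyboard.
    Short strings are left to the length rule; the threshold tolerates the one
    jump in patterns such as 1qaz2wsx (z to 2) and 5tgb6yhn (b to 6)."""
    return len(password) >= min_length and walk_fraction(password) >= threshold


if __name__ == "__main__":
    # Constructed samples: the patterns quoted in the thread plus two non-walks.
    for pw in ("1qaz2wsx", "zse4rfv", "vgy7ujm", "5tgb6yhn", "zse45thnmko0",
               "starwars", "correcthorsebatterystaple"):
        print(f"{pw:26} walk={walk_fraction(pw):.2f} reject={looks_like_keyboard_walk(pw)}")
```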

    5. Re:An interesting addition by tepples · · Score: 1

      Treat others' PCs as if they're keylogged.

  24. use passphrases by Anonymous Coward · · Score: 1

    Here is a good one if the spam filters here on slasblot allow me to sing it to you on my keyboard. The trick is to learn to type by omitting the spaces. Here goes: What_becomesofthebrokenheartedwhohavelovethatsnow_Departed

    easy to remember and easy to type if you are not using a finger painting device like a cell phone or peanut 'puter iPad or Android tablet. For good measure, if the web interface accepts underscores, throw in a few between the words and a few caps; if there are the words two, ate, to, too, use substitution of numbers. One of my favs is over 30 characters in length and I can type it in seconds. So it seems to me that the concept of only using random mixes of letters, numbers and characters is causing the problems with passwords. Perhaps this is the best solution inmy_notsohumble_opinionIMNSHOLOL

  25. I Use 123456 for Throwaway Accounts by tomxor · · Score: 1

    I wonder how many of these leaked passwords are from disposable accounts. I use weak passwords like this when sites force you to create a useless account to perform a one-time action... the account contains no valuable information (you can sign up with bogus email, name etc) but they force you to have one anyway.

    I feel like these kind of shitty sites that force you to sign up for a pointless account are also likely to have shitty security and have their account info leaked.

  26. List of the Most Popular Good Passwords of 2015? by Anonymous Coward · · Score: 0

    Where's the list of The Most Popular Good Passwords of 2015?

  27. NSA thanks you for being stupid by Anonymous Coward · · Score: 0

    Complicated rules mandating one of each of the following: upper case letter, lowercase letter, number, special character, actually make passwords easier to brute force by a significant margin. Adding limits on repeated use of a character can make it even easier.
    The last time I did the math, based on an 8 character password, the possible combinations from the full US ASCII character set for all positions were in the trillions, while with the complex password rules there were only billions of possibilities.

  28. Auto correct? by DrYak · · Score: 1

    It's just a variation of 'querty'.

    Not sure how or why I misspelled qwerty.

    Maybe because in actual languages the "que" sequence (<- see what I did here ?) is more frequent than "qwe" ?
    So either your text input system (Autocorrect? Spellchecker?) or your brain motor skill automatically corrected it.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  29. And password strength rules don't help. by Anonymous Coward · · Score: 0

    We work in an environment where there are 'strong' length and character restrictions on passwords. On almost every system I see, the passwords end up being simple keyboard column or row-based sequences. The rules have made things worse.

  30. My Slashdot password: ********* by Anonymous Coward · · Score: 0

    You can't see my password, right?

  31. Dexter's Lab by Anonymous Coward · · Score: 0

    Password: Omelette du fromage

  32. Leaked from where by Anonymous Coward · · Score: 0

    Many of my passwords for the thousands of Web sites that require needless registration are of the 123456 variety because there's virtually no consequence if it's cracked. The passwords to my online banking and credit cards are more something along the lines of:

    128-bit
    tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c22

    256-bit
    tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c43
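As an added example (not from either commenter), the arithmetic behind the two urandom lines above (the tr set keeps 64 symbols, so 22 and 43 characters give 128 and 256 bits) together with the "one of each class" calculation that comment 27 describes, assuming the 94 printable non-space ASCII characters split into 26 upper, 26 lower, 10 digits and 32 symbols. The generator uses Python's secrets module, which reads the OS CSPRNG like /dev/urandom does.

```python
import math
import secrets
import string

# The 64 symbols kept by `tr -dc _A-Z-a-z-0-9` in the post above: "_", A-Z, "-", a-z, 0-9.
URANDOM_ALPHABET = "_" + string.ascii_uppercase + "-" + string.ascii_lowercase + string.digits


def chars_needed(bits, alphabet_size):
    """Shortest length at which uniformly chosen strings carry at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def random_password(bits, alphabet=URANDOM_ALPHABET):
    """Password with at least `bits` of entropy, each character drawn uniformly
    from the OS CSPRNG (no modulo bias: secrets.choice rejects out-of-range draws)."""
    return "".join(secrets.choice(alphabet) for _ in range(chars_needed(bits, len(alphabet))))


# Character classes behind the "one of each" rule in comment 27 (assumed split of the
# 94 printable non-space ASCII characters; string.punctuation has 32 symbols).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(string.punctuation)}


def count_all_classes(length, classes=CLASSES):
    """Number of length-n strings over the full alphabet that contain at least one
    character from every class, by inclusion-exclusion over the classes left out."""
    names = list(classes)
    total = sum(classes.values())
    count = 0
    for mask in range(1 << len(names)):
        left_out = [names[i] for i in range(len(names)) if mask >> i & 1]
        remaining = total - sum(classes[n] for n in left_out)
        count += (-1) ** len(left_out) * remaining ** length
    return count


def rule_bits_lost(length, classes=CLASSES):
    """How many bits of search space the composition rule removes at this length
    (infinite when no string of that length can satisfy the rule)."""
    allowed = count_all_classes(length, classes)
    if allowed == 0:
        return math.inf
    return math.log2(sum(classes.values()) ** length / allowed)


if __name__ == "__main__":
    for bits in (128, 256):
        print(bits, chars_needed(bits, len(URANDOM_ALPHABET)), random_password(bits))
    for n in (8, 12):
        print(f"length {n}: rule removes {rule_bits_lost(n):.2f} of {n * math.log2(94):.1f} bits")
```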

    1. Re:Leaked from where by plopez · · Score: 0

      Of course that is only as random as the "random" number generator. And since it is "random" people are more inclined to write it down somewhere, e.g. a sticky note on the monitor or in a "secure" spreadsheet in the cloud.

      You should really pick up a book on security.

      --
      putting the 'B' in LGBTQ+
    2. Re:Leaked from where by Anonymous Coward · · Score: 0

      You should really pick up a book on security.

      If you think random passwords are not secure, it is you who is confused about security. What idiot who knows they need x-bits of entropy, and goes to the trouble to generate that entropy, nullifies that security by writing it down on a fucking Post-It or spreadsheet? You should look into storing your passwords in encrypted containers or password managers.

    3. Re:Leaked from where by shaitand · · Score: 1

      If he did, it would recommend just what he is suggesting: individual and randomized passwords generated using multiple character sets and that are very long.

      In place of a sticky note, use an encrypted personal password system like keepass and secure it with one very strong and secure passphrase that is memorable. The passphrase can be quite long so you can use something you have memorized. Don't use songs everyone knows or popular phrases from sci-fi shows though. Ideally, pick something annoying, inappropriate for your age group/profession that you dislike but couldn't forget if you wanted to. Something from a topic you are not likely to ever be posting on Facebook. Don't go using something about a floral bonnet when you are a Firefly fan.

  33. I guess I'm still well protected by Anonymous Coward · · Score: 0

    using 87654321

  34. Notepadcrypt FTW by Anonymous Coward · · Score: 0

    I use randomly generated passwords which I store in a Notepadcrypt file. That way I can have complex passwords for everything but I only ever have to remember the one password for Notepadcrypt.

    Given that I have to use about 500 passwords it's also the only sane way to keep track of anything !

    Works great for me :)

    1. Re:Notepadcrypt FTW by shaitand · · Score: 1

      You could always just use keepass

  35. I'm safe by plopez · · Score: 1

    "Shadowfax" didn't even make the list.

    --
    putting the 'B' in LGBTQ+
  36. Link to a link to a link to nothing by EdwardFurlong · · Score: 1
  37. Need current password to change it by tepples · · Score: 1

    You usually have to put in your current password to change it, except for self-service password resets. Otherwise, they'd find the last digit in the password and try all ten possibilities and try it against your saved previous password hashes.

  38. I said it last year by holophrastic · · Score: 1

    ...so I'll say it again. Your front door is protected by a 5-digit key, and it's next to a few dozen glass windows.

    Maybe two of my passwords actually protect something more valuable than my house when I'm not in my house. None of them protect anything more valuable than my house when I am in my house.

    Oh, I also said that what separates my 140kph car from an oncoming 140kph car is a 3-inch wide strip of yellow paint. Sometimes two of them.

  39. starwars by Anonymous Coward · · Score: 0

    I've used starwars as a non-critical password on and off for the last 20 years.

    It was my first email password and is my current logon password.

    type "starwars" and you'll see why I prefer it.

  40. Aunt Jiamima by tepples · · Score: 2

    jiamima is encryption key or encrypted code, or maybe add a new password.

    Sure it isn't I love pancakes?

  41. Step 2 of 2: Check your e-mail! by tepples · · Score: 1

    Sometimes I just use an email address like "guest@whateversiteiamat.com"

    Step 2 of 2: Check your e-mail!

    Your comment is almost posted. A confirmation request has been sent to the e-mail account guest@whateversiteiamat.com. This e-mail contains a link to confirm that guest@whateversiteiamat.com is yours. Follow this link, and your comment will be posted immediately.

  42. Having to sign up with each "whatever" IDP by tepples · · Score: 1

    Get with the times and use oauth2 services (google/facebook/twitter/whatever).

    This leads to one of three problems.

    Relying party (RP, meaning site operator) allows Facebook and no other identity provider (IDP)
    I don't have a Facebook account. I graduated and lost my .edu e-mail before Facebook even existed. (Or insert some other reason not to be F'd.) I guess if you want to be joined at the hip to Facebook, I'll have to patronize your competitor.

    RP allows the top three U.S. social IDPs
    Google is blocked where I live. Facebook is blocked where I live. Twitter is blocked where I live. Now how should I or any other expat living in China log in?

    RP allows use of any IDP supporting OpenID Connect, an application of OAuth 2 for authentication
    I haven't seen a single major OpenID Connect IDP that supports Dynamic Client Registration. This means each RP will have to sign a contract with each IDP, which scales at O(n^2), as I've mentioned before.

  43. Microsoft Research Into Passwords by HannethCom · · Score: 1

    Microsoft Research department spent a lot of time looking into password security.

    They found that for tech people the absolute minimum time between password changes, while still having good passwords was 183 days. A more realistic minimum safe time to use is 365 days.

    For non-tech people they found that the absolute minimum was 365 days. A more realistic minimum was 548 days.

    When going under these numbers people would have to sticky note their password to their monitor, write them down somewhere else usually stored in their desk, start storing them in password files, just increment a number on their password, or use really easy to guess passwords. These methods of password remembrance being only slightly higher than having no password at all.

    Obviously there is a discrepancy between their R&D and implementation departments, as in a Windows domain the default time to change password is 42 days. And they recommend:
    "Set Maximum password age to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources."

    I also found it funny that in studying for Microsoft's security test, about 10 years ago, I was finding that what was in the required main study book was the exact opposite of good security practices. I didn't pass the test because I got 1 question wrong and at that time you had to get 100% on the test. The funny thing was that the suggested reading for the test was "Writing Secure Code (Developer Best Practices)", which was written by Microsoft's then lead security expert. The book basically said that the Microsoft security test was all wrong. That being said, "Writing Secure Code (Second Edition) (Developer Best Practices)" is a really good book to read for understanding good security.

    --
    Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
  44. ASCII-only password field by tepples · · Score: 1

    The worst is the ones that have some sort of restriction on what characters you *can't* use in the password

    Does this include inability to use Chinese characters because the password field is printable ASCII (U+0020 through U+007E)?

  45. Noexec login scripts by tepples · · Score: 1

    How can login scripts run if /home is noexec?

    1. Re:Noexec login scripts by hankwang · · Score: 1

      I'm not sure what you're referring to, but .bashrc and .profile are sourced, not executed. I tested it again just to be sure:

      # mount|grep homedata
      /tmp/looptest/homedata on /tmp/looptest/mnt type ext4 (rw,noexec)
      # su - sb-user
      $ ls -la
      -rw-r--r-- 1 sb-user sb-user 675 Jan 24 11:40 .profile
      -rwxr-xr-x 1 sb-user sb-user 26 Jan 24 11:46 testscript
      $ . .profile
      $ ./testscript
      -su: ./testscript: Permission denied
      $ sh testscript
      It runs!
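The distinction hankwang's session shows, reproduced as an added example (not code from the thread) that needs no root and no loop mount: a file with no execute bit stands in for the noexec mount, since in both cases the kernel refuses execve() on the file while a shell that merely reads it as data is unaffected. Assumes POSIX sh and mktemp. The check function reports which of the three paths succeeds, which is the question a hardening review of a noexec /home actually needs answered: the mount option blocks the direct path only.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh and mktemp.
# A non-executable file plays the role of the noexec mount: execve() fails
# for both, and neither affects a shell that reads the file as data.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SCRIPT="$WORK/testscript"
printf '%s\n' 'echo "It runs!"' >"$SCRIPT"
chmod 644 "$SCRIPT"   # no execute bit, like the ./testscript case on noexec

# Three ways to get the file's commands to run.
run_direct() { "$SCRIPT" 2>/dev/null; }        # execve() on the file: refused
run_sourced() { . "$SCRIPT"; }                  # current shell reads it: no execve()
run_via_interpreter() { sh "$SCRIPT"; }         # sh reads it as data: no execve()

# Summarise which paths work; this is what a noexec review should record.
check_paths() {
  d=fail; s=fail; i=fail
  run_direct >/dev/null && d=ok
  [ "$(run_sourced)" = "It runs!" ] && s=ok
  [ "$(run_via_interpreter)" = "It runs!" ] && i=ok
  echo "direct=$d sourced=$s interpreter=$i"
}

# Stand-alone run.
check_paths
```

Because .profile and .bashrc are read by the login shell via the sourced path, a noexec /home neither breaks login scripts nor prevents anything they contain from running; if the goal is to keep user-supplied code from executing, the control has to cover the interpreters too, not just the mount.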

  46. Typing on a mobile device by tepples · · Score: 1

    The key with dealing with long passwords? Muscle memory!

    Good luck getting muscle memory to work on a flat sheet of glass. It's the same reason that a lot of video game genres are less viable on iPhone and Android than they would be on PlayStation Vita or Nintendo 3DS: you can't feel where the buttons are.

  47. Bad passwords by Residentcur · · Score: 1

    I wonder how many of the bad passwords are on accounts that demand passwords for their purposes, not for the user's? I take much less care when choosing a password for an online publication that won't provide its content without a login. I won't purposefully give my credentials to someone else, but don't much care if they are compromised. I never use these simple strings on other, more important accounts, though.

  48. Non-tech people just need a little help... by Anonymous Coward · · Score: 0

    Even non-technical people can at least make their passwords somewhat better. For my non-techie friends, I recommend one of these.

    offline wearable password generator/recall devices

    It's better than what most people come up with in their heads, even if they think they're being 'clever'... I've given up convincing people to use LastPass or other online wallets; most people think it's just too complicated.