Slashdot Mirror


The Most Popular Bad Passwords of 2015 (dice.com)

Nerval's Lobster writes: For years, security experts have told people they need better passwords protecting their online accounts: no more '123456' or 'qwerty' or 'password.' Based on SplashData's fifth annual list of the 25 most common passwords, however, it's clear that relatively few people are listening to that advice. The firm based its list on more than 2 million leaked passwords during the year. The most popular, as in 2014, was '123456,' followed by 'password' and the ingenious, uncrackable '12345678.' One new entry on this ignoble list: 'starwars' in 25th place, no doubt thanks in part to the popularity of 'The Force Awakens' and the accompanying marketing campaign. Seems like a lot of people have forgotten (or never learned) that, while it's a pain to create (much less remember) a complicated password with lots of numbers and special characters, it's nothing compared to the pain of having your online accounts compromised. Maybe, as some have proposed, we could someday kill passwords for most services.

17 of 165 comments

  1. Passwords leaked from where? by Anonymous Coward · · Score: 4, Insightful

    I can imagine people don't put the same thought into a password for a throwaway account compared to say that of a bank account password. So I'd be interested as to the source of the leaked passwords. Not that it excuses any of those passwords in the list.

    1. Re:Passwords leaked from where? by Anonymous Coward · · Score: 5, Insightful

      That isn't for your security, it's so they can obtain your phone number. It really is just a nasty and insidious way of forcing users to divulge personal information.

  2. Cool! by penguinoid · · Score: 3, Funny

    I knew it, my password is the top of the list! Only the best for me.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  3. 1qaz2wsx? by mark-t · · Score: 2

    New for this year, but 12th on the list.

    While it's certainly not a particularly strong password, I'm honestly surprised that something like that would make a list of the 25 worst.

    1. Re:1qaz2wsx? by bigfinger76 · · Score: 4, Funny

      Not sure how or why I misspelled qwerty.

  4. Top 25 from my SSH honeypot-- by sillivalley · · Score: 4, Interesting

    Here's the top 25 captured by my SSH honeypot so far this year as count [account/password]:
    2132 [root/root]
    2110 [root/admin]
    2107 [root/123456]
    2107 [root/1234]
    2104 [root/password]
    2102 [root/root123]
    2102 [root/12345]
    2101 [root/p@ssw0rd]
    2101 [root/123]
    2098 [root/1]
    2091 [root/test]
    1907 [root/wubao]
    1905 [root/!q@w]
    1905 [root/jiamima]
    1905 [root/!@]
    1900 [root/idc!@]
    1900 [root/!]
    1899 [root/!qaz@wsx]
    1899 [root/admin!@]
    203 [root/superuser]
    203 [root/public]
    203 [root/power]
    203 [root/calvin]
    203 [root/alpine]
    203 [root/admin123]

    Around 400k SSH login attempts so far in 2016, mostly from China.
    If someone could explain "wubao" and "jiamima" I would greatly appreciate it!

    1. Re:Top 25 from my SSH honeypot-- by tgv · · Score: 2

      Nice.

      For what it's worth, wubao might mean this: https://en.wiktionary.org/wiki..., the second meaning of which looks like "secret". Someone, perhaps you, might have asked this question before, https://ewedaa.wordpress.com/2...

    2. Re:Top 25 from my SSH honeypot-- by Anonymous Coward · · Score: 2, Interesting

      calvin is/was the default password for most DRACs (Dell's Remote Access Controllers).
      It's interesting to see it that high on the list.

      What is China hunting for?
      DRACs that are directly exposed to the Internet with the default password in place?
      And are the other top hits default passwords as well?
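To turn a honeypot's raw attempts into the kind of top-N list posted above, and to mark which entries match known default credentials such as root/calvin for Dell DRACs mentioned in the reply, here is an added Python example (not the poster's honeypot or its code). The log line format, the sample lines and the source IPs are constructed for the example; the default-credential table contains only the DRAC entry the thread itself mentions, plus a heuristic for empty passwords and password-equals-account guesses.

```python
import re
from collections import Counter

# Constructed honeypot log in a made-up line format (assumption: the real
# honeypot's format differs). One line per attempt: timestamp, source IP,
# result, then account/password. The last line is deliberately malformed.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 203.0.113.5 login failed root/root
2016-03-01T10:00:02Z 203.0.113.5 login failed root/admin
2016-03-01T10:00:03Z 203.0.113.5 login failed root/calvin
2016-03-01T10:00:04Z 203.0.113.5 login failed root/123456
2016-03-01T10:00:05Z 203.0.113.5 login failed root/root
2016-03-01T10:01:00Z 198.51.100.7 login failed root/calvin
2016-03-01T10:01:01Z 198.51.100.7 login failed admin/admin
2016-03-01T10:01:02Z 198.51.100.7 login failed root/root
2016-03-01T10:02:00Z 192.0.2.9 login failed root/admin
2016-03-01T10:02:01Z 192.0.2.9 login failed root/
this line is not a login record and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>\w+) (?P<user>[^/\s]+)/(?P<pw>\S*)$"
)

# Known vendor defaults to flag. Only root/calvin comes from the thread
# (Dell DRAC); extend this table with defaults for your own environment.
DEFAULT_CREDENTIALS = {
    ("root", "calvin"): "Dell DRAC default (per the thread)",
}


def parse_honeypot_log(text):
    """Return one dict per well-formed login line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def top_credentials(records, n=25):
    """Most common (account, password) pairs, in the shape of the posted list."""
    return Counter((r["user"], r["pw"]) for r in records).most_common(n)


def attempts_by_source(records):
    """Attempt counts per source IP, busiest first."""
    return Counter(r["ip"] for r in records).most_common()


def flag_default_credentials(top):
    """Mark entries that match a known vendor default, an empty password,
    or a password equal to the account name."""
    flagged = []
    for (user, pw), count in top:
        note = DEFAULT_CREDENTIALS.get((user, pw))
        if note is None and pw == "":
            note = "empty password"
        elif note is None and pw == user:
            note = "password equals account name"
        if note:
            flagged.append({"user": user, "password": pw, "count": count, "note": note})
    return flagged


if __name__ == "__main__":
    recs = parse_honeypot_log(SAMPLE_LOG)
    for (user, pw), count in top_credentials(recs):
        print(f"{count} [{user}/{pw}]")
    for f in flag_default_credentials(top_credentials(recs)):
        print(f"flag: {f['user']}/{f['password']} x{f['count']}: {f['note']}")
    for ip, count in attempts_by_source(recs):
        print(f"{count} attempts from {ip}")
```

The per-source tally is what answers "who is scanning", and the flagged entries are the ones worth checking against your own exposed management interfaces; a guess like root/admin that matches neither the table nor the heuristics is simply reported in the ranking.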

  5. do most accounts need to be secure? by sittingnut · · Score: 4, Insightful

    "while it's a pain to create (much less remember) a complicated password with lots of numbers and special characters, it's nothing compared to the pain of having your online accounts compromised."
    One must question that assertion.
    Are the accounts these passwords belong to really in need of security in the first place? Are they not, most of them, throwaway accounts with not much value in them?

    Without some measure of the value of the accounts secured by the passwords identified, lists like this don't tell us much.

    So-called "security experts" should do more worthwhile research to find out the sort of insecure passwords used by people who want to keep something valuable secure.

    1. Re:do most accounts need to be secure? by Darinbob · · Score: 2

      My Hello Kitty Online Adventures account uses "1" as the password.

    2. Re:do most accounts need to be secure? by tlhIngan · · Score: 5, Insightful

      This.

      Telling me "password" is a bad password isn't news. It's obvious. And you know what? For accounts I don't care about, it's a perfectly good password.

      You want me to create an account to leave a comment on your stupid little blog? I don't see what's wrong with password.

      Hell, a lot of forums are like that too - want to get this download? Register for an account! So yes, I'm going to use password, because chances are, I won't ever visit it again.

      Now, my Amazon, Paypal, banking and other passwords? You can bet they aren't on that list!

      And guess what? There's a ton of sites that need registration, so no wonder they stay on the top - for these worthless accounts, people will use worthless passwords. If your password database has a lot of these passwords, perhaps you might want to rethink your account strategy. Maybe your visitors don't see your accounts system as valuable as you do.

    3. Re:do most accounts need to be secure? by codeButcher · · Score: 2

      "One must question that assertion. Are the accounts these passwords belong to really in need of security in the first place? Are they not, most of them, throwaway accounts with not much value in them?

      Without some measure of the value of the accounts secured by the passwords identified, lists like this don't tell us much.

      So-called "security experts" should do more worthwhile research to find out the sort of insecure passwords used by people who want to keep something valuable secure."

      True. But the answer depends. As the longish Wired article linked to above also hints at, if you link ("daisychain") your accounts, you might consider a simple throwaway e-mail account as not important. But then you go use the e-mail address as the login for another account, and/or as a backup where password resets for the other account get sent to. It now has become the weakest link in your daisychain (to mix metaphors).

      And that's one of the password's weak spots in the modern economy: having so many services and devices that each require their username/password as if they are the most important or sole login the user will ever do in his life.

      --
      Free, as in your money being freed from the confines of your account.
    4. Re:do most accounts need to be secure? by danbert8 · · Score: 2

      Exactly, I need a ridiculously complicated password to use the Rally app that reminds me to eat my veggies and then I get points for which I can get in on a raffle. I could care less if someone breaks in and signs me up for a few chances at winning a Whole Foods gift card that I won't win. Maybe they'll eat some veggies for me too.

      Meanwhile, unnecessarily complicated password requirements for things that NEED to be secure are still a waste. Brute force isn't really a thing anymore as most secure login portals will lock you out after 5 or so attempts. What is more likely than my password being brute forced is their database gets compromised which negates any security a long or complex password provides.

      --
      Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
    5. Re:do most accounts need to be secure? by sudon't · · Score: 2

      Right! My online banking forced low complexity passwords! Letters and numerals only, relatively short max length. I wrote them about this, and they replied with some crap about their servers being secure. On top of which, they blocked autofill, so that I always had to open my password manager and look up the password. Fucking annoying. Of course, BB&T is no longer my bank.

      --
      -- sudon't

      Air-ride Equipped

  6. What I do for my passwords by m.alessandrini · · Score: 4, Interesting

    Seriously, can you give me advice if this is a safe approach? To remember the passwords for the many web accounts, and to not reuse the same password everywhere, I use a password made from a fixed difficult sequence of characters (the same for all sites), then add a couple of letters depending on the site's name. If sites, as it should be, store only the digest/checksum of the password, even in case of stolen database one should not be able to reverse it and find the original password with the "algorithm" to apply it to other sites. I'm not a crypto expert, do you think this can be reasonably safe?

    1. Re:What I do for my passwords by Anonymous Coward · · Score: 3, Insightful

      Advertising it, especially in a format associated with a probably common handle (and what appears to be a real name), certainly isn't.
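As an added illustration of the scheme asked about above (not code from the poster), the following Python shows what an attacker can do with one plaintext password learned from any site, for instance one that stores or emails passwords in the clear, once a second site's digest-only database leaks. The fixed string, the suffix rule (first two letters of the site name), the use of unsalted SHA-256 as the stored digest, and the leaked values are all assumptions constructed for the example. It also bears on the earlier comment about a compromised database: the candidate list here is a handful of guesses, so how slow the site's hash is hardly matters.

```python
import hashlib

# Assumed instance of the scheme: a fixed secret plus a site-dependent suffix.
FIXED_PART = "T7#qLm!9"   # hypothetical fixed part shared across sites
SUFFIX_LEN = 2            # hypothetical rule: first two letters of the site name


def site_password(site):
    """The scheme from the comment, with the assumed parameters above."""
    return FIXED_PART + site[:SUFFIX_LEN]


def digest(password):
    """Unsalted SHA-256, standing in for a site that stores only a plain digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def candidate_passwords(known_plain, known_site, target_site, max_suffix=4):
    """Attacker side: from one recovered plaintext and the site it came from,
    hypothesise that the trailing 1..max_suffix characters are a prefix of the
    site name, and derive the corresponding guesses for target_site."""
    candidates = []
    for k in range(1, max_suffix + 1):
        if known_plain.endswith(known_site[:k]):
            guess = known_plain[:-k] + target_site[:k]
            if guess not in candidates:
                candidates.append(guess)
    return candidates


def crack(leaked_digest, candidates):
    """Return the candidate whose digest matches the leaked value, or None."""
    for guess in candidates:
        if digest(guess) == leaked_digest:
            return guess
    return None


if __name__ == "__main__":
    # Constructed scenario: the user's blog password was exposed in the clear,
    # and a forum's database of unsalted digests leaked separately.
    known_plain = site_password("blog")       # "T7#qLm!9bl"
    leaked = digest(site_password("forum"))   # what the forum's database holds
    guesses = candidate_passwords(known_plain, "blog", "forum")
    print("candidates for forum:", guesses)
    print("forum password recovered:", crack(leaked, guesses))
    # An unrelated password is not found by this method.
    print("unrelated digest:", crack(digest("R4v!n3x.pWq7"), guesses))
```

The digest does not need to be reversed: the attacker only confirms a derived guess against it. A per-user salt and a slow KDF raise the cost per guess, but with one candidate that is still negligible; what stops the cascade is a password for each site that shares no structure with the others, which is what a password manager gives you.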

  7. Aunt Jiamima by tepples · · Score: 2

    jiamima is "encryption key" or "encrypted code", or maybe "add a new password".

    Sure it isn't "I love pancakes"?