Who's using 'password' as a password? TOO MANY OF YOU

A study to find the top 25 leaked passwords of 2012 has revealed too many people are still using "password", "123456" and "12345678" for their login credentials. The table was compiled from plain-text passwords and weak unsalted password hashes lifted from compromised databases and dumped online by Anonymous hacktivists and …

COMMENTS

This topic is closed for new posts.

Unhappy

I've seen a rise in people using the following as a password lately: xsw21qaz

Yes, it is that easy to spot...

3
0
TRT
Silver badge

Doesn't work...

on many foreign keyboards!

2
0
Silver badge

Re: Doesn't work...

>on many foreign keyboards!

My old webmail password was along the lines of: 'orwell 1984' > 'o1r9w8e4ll' (jumble letters and numbers) > 'O!r9W*e4LL' (alternate Shift, two on, two off)... so when on holiday and faced with a Spanish keyboard, I had to search for an image of a UK keyboard to remember which symbols to use.

I guess I'm not ready for one of these: http://www.daskeyboard.com/model-s-ultimate/

1
0
Pint

dev passwords

Those are dev passwords, i.e. Zaq12wsx or Xsw23edc.

Easy as pie if you use one starting with the website's first letter: theregister.co.uk could be Tgbnhy65.

Up or down and around; meets the usual 8-character letter/numeric restrictions.

Beer, as it's a good way to forget the passwords you've used

BTW my former IT manager locked the whole company to use Password10 with no option to change ever! WTF

0
0
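The passwords above (xsw21qaz, Zaq12wsx, Xsw23edc, Tgbnhy65) are "that easy to spot" because every character sits one key away from the previous one on a QWERTY keyboard, so a cracker's keyboard-walk rules enumerate them long before it bothers with anything random. The following is an added example of how a password checker can catch them; it is illustrative code written for this page, not from The Register or any commenter. The US QWERTY grid, the half-key offset between rows, and the minimum run length of 5 are my own assumptions.

```python
"""Flag passwords that are keyboard walks such as xsw21qaz or Zaq12wsx."""

# US QWERTY main block (assumed layout).  Each row sits half a key to the
# right of the row above it, which is what makes diagonals like q-a-z and
# 1-q-a-z single steps.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Shifted symbols live on the digit keys: '!' is on '1', '@' on '2', and so on.
_SHIFTED_DIGITS = dict(zip("!@#$%^&*()", "1234567890"))

_POS = {}
for _r, _row in enumerate(_ROWS):
    for _c, _ch in enumerate(_row):
        _POS[_ch] = (_r, _c)


def _key_pos(ch):
    """Grid position of the physical key producing ch, or None if unknown."""
    ch = _SHIFTED_DIGITS.get(ch, ch.lower())
    return _POS.get(ch)


def _adjacent(a, b):
    """True when key b is reachable from key a in one move: the same key
    (shift toggled), left/right on the same row, or one of the two keys
    directly above or below given the half-key row offset."""
    (ra, ca), (rb, cb) = a, b
    if ra == rb:
        return abs(ca - cb) <= 1
    if rb == ra + 1:            # moving down: (r+1, c-1) or (r+1, c)
        return cb in (ca - 1, ca)
    if rb == ra - 1:            # moving up: (r-1, c) or (r-1, c+1)
        return cb in (ca, ca + 1)
    return False


def longest_keyboard_walk(password):
    """Length of the longest run of consecutive characters in which each key
    is adjacent to the previous one.  A fully walked 8-char password scores 8."""
    best = run = 0
    prev = None
    for ch in password:
        pos = _key_pos(ch)
        if pos is not None and prev is not None and _adjacent(prev, pos):
            run += 1
        else:
            run = 1 if pos is not None else 0
        best = max(best, run)
        prev = pos
    return best


def is_keyboard_walk(password, min_run=5):
    """Policy hook: reject anything containing a walk of min_run keys or more.
    The threshold is an assumption; 'password' itself contains a 4-key walk
    (a-s-s-w) and is caught by a dictionary check instead, not by this one."""
    return longest_keyboard_walk(password) >= min_run


if __name__ == "__main__":
    for pw in ["xsw21qaz", "Zaq12wsx", "Xsw23edc", "Tgbnhy65", "xsw2!QAZ",
               "correcthorsebatterystaple"]:
        print("%-28s walk=%d  flagged=%s" % (pw, longest_keyboard_walk(pw),
                                              is_keyboard_walk(pw)))
```

Every sample from the thread scores a full 8, including the shifted variant xsw2!QAZ, because the checker looks at the physical key rather than the character; the passphrase scores 3 and is not flagged.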
Unhappy

I'm sorry, your post is missing required data . . .

You omitted the name of your former IT manager's current employer ]:->

0
0
Gold badge

xsw2!QAZ

If you hold down the shift key for the downward stretch (as shown) it is actually so strong that some web-sites won't let you use it.

0
0
Anonymous Coward

Cool I'm secure

Great, I'm secure then. I use mypassword for throwaway, don't-care-about sites that insist on registering my details :)

1
0
Anonymous Coward

Re: Cool I'm secure

Don't forget handy disposable e-mail addresses. 10minutemail.com is a good 'un.

5
0
Unhappy

Arse!

Seconds ago I changed my El Reg password to "mypassword"... just before posting my old password below.

Now I'm feeling all paranoid and have to change it again!

I hate you

0
0
Thumb Up

Re: Cool I'm secure

In the past I have just made up random addresses like a.b@c.com for sites that want an email address but aren't actually making you register, but that looks handy. Thanks for the tip.

0
0
Silver badge

Sir

If you want to work out passwords that are truly difficult to crack, try cracking passwords. Mind you, it's a bit of effort and that last set of dictionary files I downloaded was about 7GB.

0
0
Silver badge

Re: Sir

Is brute force really cracking?

I guess it is, in the same way you can use a sledgehammer to 'pick' a lock :-D

1
0
DN4

Re: Sir

> i guess it is, in the same way you can use a sledgehammer to 'pick' a lock

You pick the lock if you open it without damaging it (and not using the key). Doesn't matter if you use a sledgehammer, ice cone or proton collider...

0
0
Trollface

aol days

Seeing this these days reminds me of the old AOL days and this stuff, back when I did evil stuff. Only had to use a list of like 30 pw's, all dumb ones like this; well, the list might have been like 15. Hard to remember 14 years ago. So many ppl used these passwords. Ahhh, the memories.

0
0
Silver badge
FAIL

Double Fail

OK, so it's a fail on the users for picking bad passwords, but it's a double fail on the SysAdmins who let them pick bad passwords.

I can think of very few applications that don't have a password checking module available to validate the strength of a password and enforce just a little bit of care.

1
3
FAIL

Re: Double Fail

<rant> And triple fail to those systems that restrict the character set or length of the password. I'm constantly bumping into systems that won't let me use any special characters (alphanumerics only, please!) or only a subset (dashes and underscores and similar) or restrict me to 16 characters or less (I use *long* pass phrases, come on now!). I hit one that limited me to *8* characters! Seriously? What were you thinking? I'd pass on them entirely but some of them are required for my job. Idiots. Bleeding idiots. </rant>

Thank you, I feel better now.

26
0
Silver badge
Stop

Re: Double Fail

To quote the Oatmeal, " If I want to use 'Boobs' as my password that's my own shitty decision and you should just let me roll with it."

16
0
Anonymous Coward

Re: Double Fail

And quad fail for not doing a "force password reset on login" as sooo many of those seem to be default ones.

0
2
JDX
Gold badge

Re: Double Fail

Yeah - if you force me to use a long unmemorable password I'm either going to write it down or forget it.

17
0
Happy

Re: Double Fail

@JDX

So write it down, then. Just don't write it on a post-it note and stick it to your monitor.

0
2
Silver badge
Mushroom

And a <i>special</i> mention to web sites…

That send you back the password by e-mail so that you don't forget it. After insisting you should choose your password carefully.

11
0
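A site that can e-mail your password back is, by construction, storing it in a form it can read; the article's source data also mentions "weak unsalted password hashes", which are barely better. Below is an added example, written for this page and not taken from The Register or any commenter, contrasting the three storage choices: plain text, an unsalted fast hash that a precomputed table reverses instantly, and a salted slow KDF that makes both the e-mail feature and the table impossible. The wordlist is constructed, and the PBKDF2 iteration count is an assumption to be tuned to your own hardware.

```python
"""Plain text vs unsalted MD5 vs salted PBKDF2: what a leak of each yields."""
import base64
import hashlib
import hmac
import os

# Constructed stand-in for a leaked top-N list; real attackers use far larger ones.
WORDLIST = ["password", "123456", "12345678", "qwerty", "abc123", "letmein"]


# 1. Plain text: whoever reads the table (DBA, backup tape, SQL injection)
#    has every password, and the site can helpfully e-mail it to you.
def store_plaintext(password):
    return password


# 2. Unsalted fast hash: one-way in name only.  Equal passwords give equal
#    digests, and a table built once from a wordlist reverses a whole dump.
def unsalted_md5(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest, wordlist=WORDLIST):
    table = {unsalted_md5(w): w for w in wordlist}   # built once, reused forever
    return table.get(digest)


# 3. Salted, deliberately slow KDF.  The iteration count is the cost knob;
#    this figure is an assumption (tune it to your login latency budget).
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, cost, salt, derived key.
    A fresh random salt per user defeats precomputed tables and hides
    which users share a password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iterations), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("plaintext :", store_plaintext("password"))
    d = unsalted_md5("password")
    print("md5       :", d, "->", crack_unsalted(d))
    rec = hash_password("password")
    print("pbkdf2    :", rec)
    print("verify    :", verify_password("password", rec),
          verify_password("Password", rec))
```

The record format carries its own parameters so the iteration count can be raised later without a migration: on a successful login, rehash with the new cost and overwrite the row.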
FAIL

Re: Double Fail

There are more problems than that...

Most password strength enforcement systems are garbage, very few check for dictionary words for instance so Password1! is often a perfectly valid choice as it is >8 chars, contains numbers, mixed case letters and symbols - and yet is still trivially easy to crack.

And then you have the inconvenience, far too many passwords to remember because every trivial little site thinks its important enough for you to bother using a strong password.

And then the trust aspect: do you know *HOW* a particular site stores your password? Most sites never disclose to you how user passwords are stored and what precautions they take to protect them, and even if they did they could be lying. There are plenty of sites out there, including some big names, that store passwords in plain text or in a form that's easily reversible to plain text.

So I use an intentionally weak password combined with a throwaway email for most sites; if the site has a password policy I usually just append 1 or 1! to the end to get round it.

As for throwaway email, spamdecoy.net isn't the fanciest of sites but it works well and has several domains you can use (some places block the common disposable mail domains after a while).

4
0
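The post above puts its finger on why Password1! passes most checkers: a rule that only counts character classes sees mixed case, a digit and a symbol, and never asks what the base word is. The following is an added example, written for this page rather than taken from The Register or any commenter, that puts the classic three-of-four rule next to a check that strips the trailing "1!" decoration, undoes leetspeak and looks the remainder up in a known-bad list. The password list, the leetspeak table and the sample inputs are constructed for the example.

```python
"""Why 'Password1!' sails through a complexity rule, and a check that catches it."""
import re
import string

# Constructed stand-in for a leaked-password list such as the article's top 25;
# a real deployment loads a file with hundreds of thousands of entries.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "welcome", "boobs", "maggot", "mypassword", "secret",
}

# Leetspeak substitutions to undo before the dictionary lookup (assumed set).
_UNLEET = str.maketrans("@$01345!", "asoleasi")


def passes_complexity_rule(pw, min_len=8):
    """The classic rule: at least min_len characters drawn from three of the
    four classes (lower, upper, digit, punctuation).  Password1! passes; a
    four-word lower-case passphrase with spaces does not."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


def candidate_bases(pw):
    """Forms an attacker's mangling rules would reach: lower-cased, with
    leading digits and trailing digits/symbols removed ('password1!' ->
    'password'), and with leetspeak reversed ('p@ssw0rd' -> 'password')."""
    low = pw.lower()
    stripped = re.sub(r"^\d+|[^a-z]+$", "", low)
    return {low, stripped, low.translate(_UNLEET), stripped.translate(_UNLEET)}


def evaluate(pw, common=COMMON_PASSWORDS):
    """Return both verdicts side by side so the gap between them is visible."""
    hits = candidate_bases(pw) & common
    if hits:
        reason = "base word %r is a known password" % sorted(hits)[0]
    elif len(set(pw)) <= 2:
        reason = "almost no distinct characters"
    else:
        reason = ""
    return {
        "complexity_rule": passes_complexity_rule(pw),
        "weak": bool(reason),
        "reason": reason,
    }


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd1!", "mypassword1!", "Boobs",
               "correct horse battery staple"]:
        print("%-30s %s" % (pw, evaluate(pw)))
```

Note the mirror-image failure: the passphrase fails the complexity rule and passes the dictionary check, which is the complaint several posters make about length and character-set limits.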
Silver badge

Re: Double Fail

But all the lusers complain like hell if they can't 'update' password1 to password2.

(I know I do!)

0
0
Silver badge
Joke

Re: Double Fail

Whew!

Fortunately I don't have any nuke launch codes.

The only thing I need security for is to look at the state of my overdraft, and that more from embarrassment than anything else.

0
0
Silver badge

Just don't write it on a post-it note and stick it to your monitor.

But that's exactly where I need it: that's ergonomics, that is!

:-D

2
0
Childcatcher

Re: Double Fail

When at home (the place most likely used to check more sensitive accounts like banking and email (access to all the things) ), having long passwords written down isn't really an issue. As long as the place is secure, which a private residence typically is, you don't have problems.

The work environment or your laptop bag is probably the place where written-down passwords may cause problems. But even that can be foiled a bit by substitution, reminders that only you could determine, or even just keeping the reminders in your wallet.

And finally, as has been pointed out numerous times, taking a less popular song lyric (so maybe the chorus from a deep cut on an obscure band you like) and then using the first letters, mixing in capital and lower case, then tossing on something at the front that makes it unique for that specific website (and can get around stupid limitations placed on it, like no special characters, short lengths, etc.) will probably be about as secure as we can get.

I'm not sure I want to go the route of an encrypted USB stick that has a very strong password and the passwords in a text file or something, that you copy and paste, in the hope you avoid keyloggers (wouldn't it be simple enough to also log clipboard information?). But that is one of the things that the linked NY Times article proposes.

10minutemail, however, was an awesome find. I can't believe I went that long without it for all those stupid websites that want a verification email, but otherwise have no reason to contact me ever again.

0
0
Paris Hilton

Re: Double Fail

Boobs are always a password.

0
0
Silver badge

Real BOFH fans will remember the luser's password "maggot"

luser: "But I like the word maggot"

BOFH: "And I like the words 'Grievous bodily harm,' but do not use them as a password..... Yet"

1
0
Thumb Up

Re: Double Fail

Don't worry, on 2003 Windows Domains the policy for complex passwords still allows Password1.

0
0
Silver badge

I hit one that limited me to *8* characters!

8 characters was the number of significant characters used in the Unix crypt() function.

And yes, it was only when a client said that he had got into his own account with the wrong password that we realised this.

0
0
Facepalm

Re: Double Fail

/me quickly takes down post-it notes from my wall and writes the passwords in our little black book!!!!

The shame I will now suffer

0
0
Silver badge
Unhappy

Re: Double Fail

> I hit one that limited me to *8* characters! Seriously? What were you thinking?

At my place of work we have to use passwords of exactly 8 chars. No more, no less. At least it's case-sensitive, but still, given that cracking someone's account gives you access to everything work-related (including pay etc.), that's a bit weak.

1
0
Bronze badge
FAIL

Re: Double Fail

I'd like to put in a brief mention for every two-bit blog that wants you to create a separate login just to comment there. (El Reg, I'm looking at you, among others.) Fercryinoutloud, we're not handling money or secrets here! Just let us use our Google/Disqus/Wordpress logins, thank you very much.

Oh well, I guess it could be worse - they could be using Facebook.

1
0
FAIL

Re: Double Fail

Have you ever used Volusion webstores?

They allow (some) administrator(s) to view all users' passwords - yes, all the customers whose details you have ....

And they don't even think it is a security problem...

0
0
Anonymous Coward

Re: Double Fail

Oh God, we've just got a Volusion webstore. Wasn't my choice though, I'm not a web guy.

0
0
Bronze badge

Re: Double Fail

> I hit one that limited me to *8* characters! Seriously? What were you thinking?

They were thinking "the database column where we store passwords in plain text is only 8 characters long".

1
0

Re: Double Fail

It makes me chuckle how technology will always, always, always and always force us to write something down using pen and paper at some stage.

2
0
Silver badge

Re: Double Fail

Just don't write it on a post-it note and stick it to your monitor.

An attacker who can see a Post-It note stuck to my monitor is in my house, and I have worse security problems to deal with. (I don't have any such notes, but they wouldn't represent a useful branch of the attack tree if I did.)

I do keep a file of password hints meaningful to me but not to an attacker, to avoid having to remember which variants of which passwords I've assigned to which domains. A very lucky and/or clever attacker might get hold of that, but the work factor required to extract useful information from it is infeasible. Better just to beat the information out of me.

The real problem, under my threat model, is the paper list of accounts and passwords I keep in the safe for use by my family members should I perish in a noble world-saving exercise or the like. And it's a problem because it's too damned hard to keep it up to date.

Passwords are a terrible authentication mechanism - I don't know any reputable information-security expert who believes otherwise.

0
0
Silver badge
Holmes

The first person (apart from me)...

...to mention Horses, Batteries, or Staples should get a special "obvious post of the day" badge.

9
0
FAIL

Re: The first person (apart from me)...

I would actually be genuinely interested to see where 'correcthorsebatterystaple' appears on that list, but I couldn't find a download of the whole thing --- does anyone know if it's available anywhere?

6
0
Anonymous Coward

Re: The first person (apart from me)...

> ..to mention Horses, Batteries, or Staples should get a special "obvious post of the day" badge

The same goes for 'god', 'sex', 'love' and 'secret'.

0
0
Holmes

The majority of my passwords on the web are 123123e to cover password requirements, and a one-time email, because I'm only signing up to access a forum or part of a website or to save site settings.

DuckDuckGo have an anonymous cloud setting to cover this: your password generates the key, and from then on you can enter it and get your settings back.

0
1

Talk about useless security

Passwords get discredited by poor user practice and stupid design

Where I work there is an application that you can log into

1) Only if you are already logged onto the network

2) Only if you log into the application with a user name and password (annoying but there could be a valid reason)

3) The app user name and password must be your network user name and current password

Where's the boggled mind icon?

3
0
Meh

Re: Talk about useless security

Could be linking to LDAP/AD but still have its own password database.

0
0

Re: Talk about useless security

Surely having to RE-AUTHENTICATE using your network credentials....

…is better than having to remember ANOTHER password / user id combo?

0
0

Re: Talk about useless security

I work there! Company initials are Hardly Profitable?

0
0
TRT
Silver badge
WTF?

WTF?!!!

Who gave you permission to publish the secret password list for all my internet accounts?!

13
1

This post has been deleted by its author

FAIL

Re: WTF?!!!

The Reg allow this as a post but have deleted posts of mine. I mean, come on...

0
0
Anonymous Coward

Re: WTF?!!!

Cuh-lassic! Lol indeed.

0
0