Good news: 'password' is no longer the #1 sesame opener, now it's '123456'

Despite the fact that users continue to cling to predictable and insecure passwords, the worst of them all is no longer the most popular. Security firm SplashData reports that in 2013, "password" slipped from the top spot as the most popular log-in code. Taking over the dubious distinction of most popular (and perhaps least …

COMMENTS

This topic is closed for new posts.


Bronze badge

The problem is that the geeks requiring passwords often think their application needs more security than the users do. I can't imagine many people being overly bothered when their twitter password is hacked which might be pass1234 but those same people might use a really complex bank password.

The real takeaway from this is that 123456 and password are the most popular passwords on services that we know take security seriously enough to have been hacked and had their passwords published. The users probably don't give a hoot either other than having to change that same password/email combo on other services to stop "hackers" getting in.

22
1
Silver badge

When you do not want to create an account

Try emails postmaster@localhost or user@name.example.com with passwords password or wordpass.

If that does not work, create that account so the next person does not have to bother.

1
1
Silver badge

Re: When you do not want to create an account

Don't be the lowest hanging fruit. I use a moderately obscure but dictionary password for sites that made me register with no meaningful loss if I get 'hacked' (eg this one - frankly who cares as long as it's not 123456) and a stronger brute force only one when a site matters.

3
0
Silver badge

Re: When you do not want to create an account

For sites that you don't care about - having to create an account to download an update - surely it's more secure to use "password" or "1234567" than anything more secure which might also be used in a similar form on sites that matter.

9
1
Silver badge

Re: When you do not want to create an account

When they want me to create an account just to download a patch or something and have "send me crap" checked by default I'm Elvis, and my email is marketing@their-domain.com and the crappiest password that will work.

Elvis is often already taken... so I use a "funny name" like I P Standing, Mickey Mouse is almost always taken.

6
0
Silver badge

Re: When you do not want to create an account

Other than marketing@, other commonly used ones are:

sales@<theirdomain.com>

support@<theirdomain.com>

The usual <expletives>@<theirdomain.com> are often good to go as well... If you can be bothered to do the research, the name of their owners or board members is also quite adequate and you'd be surprised how many of them don't appear to have accounts on their own systems that they foist onto the public.

1
0

Quite. I don't give a shit about stupid web forum passwords; they can all be the same for all I care, and easy to type too, or at least the damn stupid computer can remember it. Other accounts might get a bit more security consciousness from me, but when they start messing about with stupid rules and make it complicated then count me out. Recently I was in the local bank setting up an online account. Having filled in the forms I was then asked to supply an 8-12 digit password. I'm never going to remember THAT without writing it down, then I thought I don't have to write it down or remember it either. Reach into wallet, pull out a membership card, use first 10 digits from that, look at bank employee and smile.

0
0
Bronze badge

I manage my passwords by not letting on what my rules are, however clever I think I am being.

1
0
Happy

Balls to that!

"1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

14
0
Bronze badge

Re: Balls to that!

No not really, I use 123 on my luggage because it only has a three digit code.

5
0
Silver badge
Coat

Re: Balls to that!

I set my password to 99999999

The trick is knowing which order to type in the nines.

33
0
Silver badge
Trollface

Re: Balls to that!

So what, I saw some guy use ****** for his password!

28
0
Bronze badge
WTF?

Re: Balls to that!

That's just showing up as hunter2 to me...

7
0
Bronze badge

Re: Balls to that!

Absolutely! I use 0-0-0-0-0-0-0-0 for all my combination locks. If it was good enough to protect the US nuclear arsenal then it's good enough for me!

http://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587

2
0
Mushroom

Re: Balls to that!

Yowser! Apart from that alarming revelation, it would be quicker to use something like 06060606 because then you could use 2 fingers.

0
1
Silver badge

Re: Balls to that!

"it would be quicker to use something like 06060606 because then you could use 2 fingers."

Didn't nuclear missile launch panels of that vintage have a row of thumbwheel switches rather than a keypad to enter the code?

1
0
Anonymous Coward

Re: Balls to that!

911 just to f*ck with tsa agents.

0
0

create and forget

"Avoiding the use of easily-guessed passwords is simple enough if users employ a bit of creativity and standard best practices, such as using hard-to-guess mnemonic device and mixing letters and numbers (non-sequential, obviously) in their passwords"

Based on an el reg comment some 12 months ago, I started using KeePass. Haven't looked back since. It creates, stores securely, and makes it easy to re-enter passwords in websites, etc.

Alternatively, if you suspect you won't be using the site very often, just create a bogus password and forget about it - when you come back in 6mo, it's much easier to have them send you a reset e-mail.

5
0
Meh

It's not just about websites though is it?

Take my work; every 28 days I'm instructed to "change my password for my security"

Before this policy, I used to use my next door neighbour's WPA alphanumeric string for their wifi (we lend each other's when the connection is poor!). Can't do that now. Now I use it with an incrementally increasing number at the end, and I'd bet most of my colleagues just use 'Password#' and add one once a month. I wonder what is more secure? I'm sure Enigma being cracked was due in some small part to an incremental increase being used which allowed the rest to be broken.

I'm not suggesting I have the answer, far from it, but multiple logins at the same place of work, all of which require constant changes, just pushes people to either write them down or make them more simplistic and then repeat its usage.

Just sayin', please don't flame me!


31
0

Re: It's not just about websites though is it?

At work I have to log into three different domains each day and (naturally) they all have different password rules. And then if I want to use my admin account on any of them the password has to be a minimum of 25 characters long FFS! While this is indeed excellent security practice, it is a giant pain in the bottom. I have a very good memory for patterns of letters and numbers, for example I can usually memorise my credit card details after using it once or twice online. However, even I regularly forget passwords, get locked out of accounts etc.

Most people can't memorise things like this very well at all so I think a lot of people just choose the easiest passwords possible almost as a form of protest or stubbornness. I'm not sure what the answer is either but there has to be a better way.

8
0
Silver badge

Re: It's not just about websites though is it?

The more onerous the rules, the more you force people to write down their passwords on post it notes, the less secure they are.

Changing every 28 days, particularly on a well enough secured corporate network, what's to gain? What theoretical risk does it mitigate to the point where post it notes are more secure? Maybe you can VPN in, but secondary/2FA takes ample care of that.

11
1
Bronze badge

Re: It's not just about websites though is it?

I agree. And add in that the non-techie office worker wants to sit down and quickly get that report printed off, check the figures for that meeting etc.

So they need a quick reliable log-in.

They can't sit there for several minutes trying to work out what password they used this month, whether it was for the computer log-in or the data account, which letter was the capital etc. then get locked out because they used the wrong one more than twice, then wait for it to let them back in, then ask to be sent a new temporary password that has to be emailed ( or texted, if they have their work mobile at the desk with them) then type in the 9 random letters and numbers they've been sent, get it wrong twice, get locked out again, try again, wait ten minutes, maybe get it right, enter a new password (twice) and try to remember what it was they changed it to.

So they type qwerty or 12345 etc. and head for that meeting, while cursing the entire IT community.

9
0

Re: It's not just about websites though is it?

Contrary to popular belief, written down passwords are not a great security risk, when looking at the root causes of intrusions. The enforced renewing of passwords is however a major damage limiter for infiltrated systems. Drives me nuts too, but the numbers say it is certainly worth the inconvenience.

5
2

Re: It's not just about websites though is it?

«Take my work; every 28 days I'm instructed to "change my password for my security"»

The default in Windows domains is 42 days. I usually push that out to 90 days or so (it's a reasonable compromise for the environments I'm normally managing).

There are a couple of valid reasons for requiring regular password changes - a) if someone leaves and IT isn't informed (no, really, it does occasionally happen!), the password expiry should limit exposure[1], and b) it discourages users from password-reuse (in the same-password-everywhere sense).

[1] assuming supporting secure policies are in place (such as preventing remote changes of expired passwords).

0
0
Silver badge

Re: It's not just about websites though is it?

Our phone system decided to make everyone change their voicemail passcode the day before Christmas break. Guess what happened when they came back? Except for the ones that put a sticky note on the bottom of their phones...

I discovered that one sneaky staff member had discovered that if they "forgot" their password and had me reset it with "must change password" set, they could put their old password back in without getting the can't reuse password error. Didn't want everyone doing it so I waited a day, then turned "must change password" on again.

But I agree with others (and have talked to the boss, but that's what the best practices doc said to do...) that forcing password changes is a waste of time as they will just add a number to the end.

Microsoft says that Pa$$w0rd is Very Strong...

2
0
Silver badge
Happy

Re: It's not just about websites though is it?

Reminds me of the BOFH episode in which he recalls setting the minimum required password length to 32 and requiring users of said VMS system to choose a new one each day (which meant they really had to use the password generator, which gave results described as "vaguely pronounceable line noise"). Now that's trying!

2
0
Bronze badge

Re: It's not just about websites though is it?

>Changing every 28 days, particularly on a well enough secured corporate network, what's to gain?

Depends upon the particular enterprise and the sector it is working in. But yes if you really are using good security, particularly for remote access (eg. two factor password generator tokens and/or PKI certificates) then I would agree. However, I suspect that many use the same password for remote access as they use for local in-building access, which presents a greater security threat, due to these credentials probably being sent across the internet in plain text.

0
0
Anonymous Coward

Re: It's not just about websites though is it?

Yes, but with the Enigma machine I'm sure I saw a documentary which said a lot of the cracking could be done because the Germans would often use a predictable keyword cipher. That is, if the first letters of the cipher were discovered to be H-I-T it didn't take a genius to realise the rest would be L-E-R. I think they also used B-E-R with L-I-N on one occasion. Which sort of goes to prove that the weakest link in the security chain will always be the carbon based life form trying to operate the infernal machine.

0
0
PJI

Re: It's not just about websites though is it?

Just to add a wrinkle: I work in a country where my keyboard in a workplace can be US, UK, German, Swiss German, French or even something else. So, using even letters of the alphabet can cause problems as these move around the keyboard (I touch type and am reasonably multi-lingual in this respect).

So, one learns, the hard way, to not use those characters that may be absent on some keyboards or move about (e.g. Z and Y). Combine this with the above mentioned idiocy of enforced, frequent password changes with differing validity periods, numbers of retries, rules (sometimes clashing, such as minimum and maximum lengths): fine way to keep more and more low level admins employed.

In the end, security is degraded severely as unhappy and alienated users find it almost impossible to remember which password for which system is current and so stay logged in for as long as possible to avoid having to reenter the string, or avoid using the system as long as possible or write down the numbers, with any luck in their mobile telephones or in a file under a login they really do use and know well.

I tend to put important ones in my mobile (according to the manufacturer, encrypted - I have the most complex password for that) and, because a mobile can get lost, forgotten or run out of battery, in a simple, text file, encrypted using gpg (using another odd password). It does not protect me against mistypes because I forgot I had changed it or which keyboard I am on or just was not fully awake. But it is the best that I could do so far.

Then, some systems seem to be so complex or perhaps the network is so bad, that the change does not actually go through or causes a lock at once. Some even warn you that the relevant server is so far away across some international firm's network that it will not be active for 24 hours (really) and the LDAP server is down and .... Or you must restart your PC to flush all caches ….

Then, the reminder email tells you that you must change the password within ten days. Oh dear, it arrived the day after you left for a fortnight's holiday, following the firm's rules that you must take at least a fortnight's holiday in one lump every year. What fun trying to log back in when you return (you know where the helpline number is or you must use email, it's listed in the internal website - oh you can not log in and you came in early and nobody else is here for two hours yet).

Moral: over-prescription and micro-control are not better than simplicity, education and adjustment to real human - computer interaction.

2
0
Bronze badge

Re: It's not just about websites though is it?

I agree. I used to work at a place that really had to take their security quite seriously, including hiring pen testers for the network. If at some point someone managed to get past the array of firewalls and the security team, my passwords being changed every 28 days is probably irrelevant.

0
0
Silver badge

I suggest Ian Watkins could give us all good advice about strong, hard to guess passwords. Such advice would no doubt include choosing passwords unrelated to any crimes one regularly commits.

http://www.theregister.co.uk/2013/11/27/gchq_role_watkins_child_abuse_case/

On a serious note, everybody should be using password lockers these days. You will only need to rote learn one strong password. I don't know how I lived before using Keepass.

0
0
Bronze badge

Re: everybody should be using password lockers these days.

"should" is the operative word.

I'm a little surprised, given what MS have previously bundled in MSDOS and Windows, that they didn't bundle one into Windows 7 or 8 and their cloud services. Because they haven't and because it is a discrete install on all your devices which may also involve some additional cost, I suspect that only those "in the know" take the trouble, hence the majority of users are left with basic tools for recording passwords - which in many cases come down to pen and paper.

What I've found interesting is that in the various enterprise desktop refreshes I've been involved in, a password locker hasn't been included - interestingly at the enterprise level it can be hard to justify (even though Lenovo Thinkpads have included an OEM proprietary password locker for some years), but at the SoHo end of the market it is practically a no brainer.

0
0
Anonymous Coward

I used to work at an IT support company

whereby the original password for domain admin, router admin, whatever was "support"

Then, password complexity was heard of, somewhere in the 1990s they decided that "support" was no good so they upgraded the complexity to "supp0rt1"

Then afterwards the company's standard password was then upgraded further to "Supp0rt1"

With the company's name as the username, and the above password, you were pretty much guaranteed to get in to any of their customers' servers with full admin.

Anonymous because their legal defense fund is higher than mine.

Stupid user passwords do not surprise me. You can bet your bottom dollar that there's a large chunk of "network admin team" passwords lumped in there, and that that password of "ch33s3" or whatever will also unlock their router.

Surprised that this survey wasn't funded or sponsored by Lastpass or anything like that. Tempted to put a referral link in my post...

0
0

Why does anyone expect people to remember?

Even a casual internet user would likely need passwords for PC logon, ISP, email, router admin, Wi-Fi, bank, building society, Amazon, eBay, gas and electricity on-line accounts, Facebook and Twitter, as well as non-internet PINs for credit and debit cards. It's just not reasonable to expect human beings to remember all these. Most people I know have their passwords written down, or have simply forgotten the less frequently used ones.

The only practical answer is to use a password utility such as provided with some AV programs, or a stand-alone utility such as Keepass. For me it's an essential piece of software.

I avoid creating passwords wherever possible but even so I have 392 passwords ... of which probably 1/4 are defunct and I will never need about 3/4 of the rest (only I'm not quite sure which 3/4.) Some of these belong to relatives in case they ask me to sort out problems with their email etc.

But they're easily managed with Keepass, and available on my desktop PC, laptop and phone, by sharing the encrypted password file on DropBox.

I only have to remember the master phrase, and I use that often enough to remember easily. Should I change it regularly though? Surely if it's secure I don't need to, and if it isn't, by the time I change it, it would probably be too late.

3
0

Re: Why does anyone expect people to remember?

> "by sharing the encrypted password file on DropBox."

So you're happy with the NSA knowing all your 392 passwords?

1
0

Re: Why does anyone expect people to remember?

That's great until you find yourself on holiday without your PC and your laptop and phone get stolen.

"That's ok, I'll go to an internet cafe!" you think. So in you go, pay for an hour and sit at a computer.

... "Shit."

0
0
Bronze badge

Seeing the password

The fact that the entered password is only seen as a string of ******* doesn't help either.

If you can't see what you type in you are much less likely to remember it.

You are much more likely to mistype it too.

So users will choose something simple that they can get right. "qwerty" and not "sDwLios34Fg45"

The need to hide the entered password is surely not as significant as making sure the users choose something safe in the first place.

6
1
Boffin

Re: Seeing the password

"The fact that the entered password is only seen as a string of ******* doesn't help either."

The theory goes that this provides protection against shoulder-surfing. I suspect that this is less of an issue than previously thought (and those keen observers can probably achieve the same result by finger-watching).

This seems to be being belatedly recognised - I've seen a number of places where the user can now opt to show passwords as they're typed (for example, when connecting to WiFi networks in recent versions of Windows).

6
1
Bronze badge

Re: Seeing the password

Even in the early days I never understood the reason for hiding the password from the user. I mean, if someone's looking over your shoulder as you type, they can read which keys you press as easily as the screen, and if you have fingers with a mind of their own, you'd like to be able to see that you've typed s0l4r4419 when you should have typed soL4r4491.

Although I always got a titter from the obscured passwords in Windows that you could read by cutting and pasting into Notepad.

0
1
Bronze badge

Re: Seeing the password

Re: Even in the early days I never understood the reason for hiding the password from the user.

This convention is probably a hangover from when many people accessed computers through teletypes and early VDUs (that effectively emulated the teletype) - where output was either printed on continuous paper or remained on screen until it was scrolled off (for younger readers the command-line shell gives a good emulation of this mode of operation). Hence a concern would have been the length of time the password was on display.

And yes we shouldn't under-estimate the power of (unwanted) screen reading apps.

0
0
Bronze badge

Re: Seeing the password

It's a lot easier to read a password from a screen, than from someone's finger presses (source: I can only do one of these things)

Showing *s for everything but the last character seems to be becoming more popular, and provides a compromise between the two

1
0
Gold badge

Re: Seeing the password

25 years ago, most systems weren't networked and shoulder-surfing was probably the main issue. Now, most systems are online and the main attacker is some foreigner with an FPGA-based password cracker. So yes, times have changed and the most secure system now would probably be to write your long password(s) on a Post-It note and stick it (them) to your monitor.

1
0

Re: Seeing the password

At which point your main security threat won't be some foreigner, it'll be someone in your office. It has to be down to the software to reject commonly used passwords.

"No. You're NOT choosing 123456 as your password.

Would you like to try again, or should I just mail your Boss now and tell him you can't even manage this simple task...?"

0
0
Bronze badge

using hard-to-guess mnemonic device

Step 1: pick a tune that you can play on a piano keyboard

Step 2a: assign one key to each piano key /or/

Step 2b: count whole notes/semitones from some starting position

Step 3: hum the tune or come up with some mnemonic to remind yourself of the association

Step 4: wait until someone makes a dictionary with common melodies

To be honest, this is probably just as bad as something like picking/encoding sections from $INSERT_ONE_AND_ONLY_HOLY_BOOK_HERE.

1
1
Silver badge

Re: using hard-to-guess mnemonic device

You forgot one.

Step 0: learn how to play the piano and the difference between notes and semitones.

Now to find a piece that is easy to play with only one thumb.

13
0
Bronze badge

a piece that is easy to play with only one thumb

Eddy, how about John Cage’s 4′33″?

2
0
zb

Re: a piece that is easy to play with only one thumb

I prefer Mike Batt's derivative work "A Minute's Silence" but it may be too short to provide a secure password.

0
0

Banned password dictionary

Even back in the early 1980's VMS had a list of banned passwords - any attempt by a normal user to create a password that matched one in the forbidden list was rejected with a request for the user to choose a different password. Why is it that modern systems running on vastly more powerful hardware do not use the same method? (From memory in one of the early VMS versions the forbidden password list was about 47000 words long.)

6
0
Silver badge

Re: Banned password dictionary

I forgot about running into that, but it all comes back to me now. It was a very sensible thing to implement even if it was frustrating at times.

However, when Microsoft got involved and attempted to shift from single-user standalone devices to make them networkable after a fashion, things went backwards. The passwords on these local systems were checked locally and 47000 words was probably too much of a dictionary for either the local storage / install media for the system to check against given Microsoft coding efficiency at the time. As a result, subsequently, if your website or service didn't allow a password that a local system that you used did, then it would appear to the end user that your website or service was defective, not the local system with poor or no security. Basically: Lowest Common Denominator wins :(

1
0
Gold badge

Re: Banned password dictionary

Windows (well, proper Windows rather than the Domesdos-based version) has always supported password complexity policies and I believe you could implement a banned list by writing a GINA DLL.

If you haven't noticed, it is because your sysadmin doesn't know how to switch it on. I suspect *that* is the main difference between Windows and VMS.

0
0
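Several posts in this thread circle the same point: a character-class complexity rule rates "Pa$$w0rd" as very strong, monthly expiry produces "Password7" followed by "Password8", and what VMS did in the 1980s (reject anything on a banned list) is what the software should be doing. The following is an added example written for this page, not code from any commenter or from Windows or VMS: a password-change check that applies an approximate three-of-four complexity rule, looks the candidate up in a banned list after undoing common keyboard substitutions, and flags a new password that differs from the old one only in its digits. The banned list, the substitution map and the complexity rule are all constructed assumptions for the demonstration; a real deployment would load a large banned-password corpus instead of the ten words below.

```python
import re

# Constructed sample of a banned-password list. A real deployment loads a large
# corpus (the thread recalls VMS shipping about 47000 words); the lookup is the same.
BANNED_WORDS = {"password", "123456", "12345", "1234567", "qwerty", "letmein",
                "support", "cheese", "welcome", "monkey"}

# Common keyboard substitutions to undo before the dictionary lookup, so that
# "Pa$$w0rd" and "ch33s3" collapse onto their banned base words (assumed map).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "$": "s", "@": "a", "!": "i"})


def candidate_forms(password):
    """Return the variants of a password that are compared against the banned list."""
    lowered = password.lower()
    # Drop a trailing counter or punctuation ("support1", "Welcome2014!") before
    # undoing substitutions, otherwise the trailing "1" would turn into an "i".
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered, stripped, stripped.translate(LEET_MAP), lowered.translate(LEET_MAP)}


def meets_complexity(password):
    """Approximate 'at least 8 characters and three of four character classes' rule.

    This is an assumption about the kind of policy under which "Pa$$w0rd" scores
    as strong; it is not a copy of any vendor's implementation."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
    present = sum(bool(re.search(pattern, password)) for pattern in classes)
    return len(password) >= 8 and present >= 3


def differs_only_in_digits(old, new):
    """Heuristic for the 'Password7' -> 'Password8' monthly rotation:
    the two passwords are identical once every digit is removed."""
    strip_digits = lambda s: re.sub(r"\d+", "", s.lower())
    return old != new and strip_digits(old) == strip_digits(new)


def check_password(new, old=None):
    """Return the list of reasons a new password should be rejected (empty = accept)."""
    reasons = []
    if not meets_complexity(new):
        reasons.append("complexity")
    if candidate_forms(new) & BANNED_WORDS:
        reasons.append("banned word")
    if old is not None:
        if new == old:
            reasons.append("same as previous")
        elif differs_only_in_digits(old, new):
            reasons.append("counter rotation of previous")
    return reasons


if __name__ == "__main__":
    # Constructed candidates taken from the kinds of passwords the thread discusses.
    for new, old in [("Pa$$w0rd", None), ("123456", None), ("Supp0rt1", None),
                     ("Password8", "Password7"), ("Tr0ub4dor&3", None)]:
        verdict = check_password(new, old) or ["accepted"]
        print(f"{new:<14} (previous: {old}) -> {', '.join(verdict)}")
```

The point the example makes is the one the thread makes: "Pa$$w0rd" and "Supp0rt1" sail through the complexity rule and are only stopped by the dictionary lookup, and "Password8" is caught as a rotation of "Password7" even though the complexity rule is happy with it.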
