Just give up: 123456 is still the world's most popular password

The security industry's ongoing efforts to educate users about strong passwords appears to be for naught, with a new study finding the most popular passwords last year were 123456 and 123456789. Keeper Security wonks perused breached data dumps for the most popular passwords when they made the despondent discovery. Some 1.7 …


  1. Barry Rueger

    Don't Just Blame Users

    One of my banks doesn't allow uppercase or special characters. The other, after a major software upgrade that took much of their systems offline for several days, only allows numbers in passwords.

    On the other hand, there are sites like infrequently visited tech forums that represent no real security risk to me. A short and weak password is fine.

    The point being, the strength of a password should reflect risk levels. Sometimes 12345 is good enough.

    1. Yet Another Anonymous coward

      Re: Don't Just Blame Users

      12345 for this forum is fine, and it means I'm not leaking any information about my secure password system

    2. a_yank_lurker

      Re: Don't Just Blame Users

      @Barry Rueger - You are correct in concept that the nature of the site should dictate the password strength required. The problem I see is accurately judging which site can have a weak one. I prefer to teach people to use strong, gibberish passwords, minimum 12 characters, for all sites with longer ones being used for any e-commerce or financial site and NEVER REPEAT them. Thus, by default they are always using a very strong password out of habit.

      On your problems with incompetent banks, my financial institutions (bank and credit cards) require a non email user id with numbers in it as well as a strong password. But I may be lucky.

      1. Phil Kingston

        Re: Don't Just Blame Users

        Should site admins be happy with users deciding whether a complex password is required or not?

        They are, after all, the ones that would have to deal with the mess of, say, a forum that got spammed to destruction if all user accounts had easily guessable passwords.

        1. Yet Another Anonymous coward

          Re: Don't Just Blame Users

          Then they could just as easily get spammed by fake accounts

        2. Kiwi

          Re: Don't Just Blame Users

          They are, after all, the ones that would have to deal with the mess of, say, a forum that got spammed to destruction if all user accounts had easily guessable passwords.

          It's called "rate limiting", not "rocket science" :) . As I posted a few minutes ago, rate limit with a lockout for failure. Using the article's list as a script, spammers shouldn't be able to get as far as "password" before an x-hour lockout or contact-admin-for-reset.

          And some moderation/oversight should be done as well. Get spam posts? Get rid of spammy posters! Simples! (and harden your account sign up process if that becomes an issue)
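One way to implement the per-account rate limit with a failure lockout described above. This is an added example written for this thread, not code from The Register or any commenter; the thresholds, the sample account and the guess order (taken from passwords named on this page) are assumptions, and the clock is injectable so the lockout expiry can be exercised without waiting an hour.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5         # assumption: wrong guesses allowed before the lock engages
LOCKOUT_SECONDS = 3600   # assumption: the comment's "x-hour" lockout, here one hour
KDF_ROUNDS = 100_000     # assumption: PBKDF2 work factor for stored password hashes


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive wrong guesses since the last success
    locked_until: float = 0.0  # clock seconds; 0 means not locked


def derive(password, salt):
    """Salted, stretched hash; only the verifier below ever sees the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


class LoginGate:
    """Per-account throttle: MAX_FAILURES misses trigger a timed lockout, during
    which further guesses are refused without even evaluating the password."""

    def __init__(self, clock):
        self.clock = clock      # callable returning seconds; injectable for tests
        self.accounts = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, derive(password, salt))

    def attempt(self, user, password):
        """Returns 'ok', 'failed' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            derive(password, b"\0" * 16)  # same cost as a real check, so timing does not reveal which usernames exist
            return "failed"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(acct.pw_hash, derive(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "failed"


class FakeClock:
    """Manual clock so the example can 'wait' an hour instantly."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def run_script(guesses, real_password="constructed-sample-passphrase-91"):
    """Feeds a scripted guess list at one constructed account and returns the
    outcome of each guess, followed by the owner's login once the lock expires."""
    clock = FakeClock()
    gate = LoginGate(clock)
    gate.register("alice", real_password)
    outcomes = [gate.attempt("alice", g) for g in guesses]
    clock.t += LOCKOUT_SECONDS                  # lock expires; the owner gets back in
    outcomes.append(gate.attempt("alice", real_password))
    return outcomes


if __name__ == "__main__":
    # The lock engages on the fifth miss, so "password" is never actually evaluated.
    script = ["123456", "123456789", "12345", "1234", "p455w0rd1", "password", "Pa$$word01"]
    for guess, result in zip(script + ["<owner>"], run_script(script)):
        print(f"{guess:12} -> {result}")
```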

          1. Vic

            Re: Don't Just Blame Users

            Get spam posts? Get rid of spammy posters! Simples! (and harden your account sign up process if that becomes an issue)

            But then you're up against Marketing, who want account sign-up to be incredibly easy - after all, that's why we're all here, right? Maximum number of users is the goal, because Internet...

            And when a CxO has to choose between the advice of a tekkie who knows what he's doing, or a marketroid who claims he does - guess what gets chosen?

            Vic.

      2. paulll

        Re: Don't Just Blame Users

        Which means that either they're ignoring you, or they're writing their passwords down on paper. Excellent.

        1. Doctor Syntax

          Re: Don't Just Blame Users

          "Which means that either they're ignoring you, or they're writing their passwords down on paper."

          Teach them to use a password safe. That will allocate high entropy passwords and store them. You need never even have to read and type the password.

          It means you always have to use your own PC? Even better.

          1. Charles 9

            Re: Don't Just Blame Users

            "Teach them to use a password safe. That will allocate high entropy passwords and store them. You need never even have to read and type the password.

            It means you always have to use your own PC? Even better."

            That's assuming they OWN a PC? What if the ONLY PCs they use are communal?

            1. Stoneshop

              Re: Don't Just Blame Users

              That's assuming they OWN a PC? What if the ONLY PCs they use are communal?

              Keep the password vault on a USB stick.

          2. Phil W

            Re: Don't Just Blame Users

            "I prefer to teach people to use strong, gibberish passwords, minimum 12 characters"

            This will almost certainly mean their passwords are getting written down. It takes a very special kind of mind to remember a completely random sequence of letters, numbers and other characters and also associate that random sequence with a particular website.

            "Teach them to use a password safe."

            All password safe type applications I've seen have the same obvious flaw, in that you use a password to access them. Sure no-one can guess or easily brute force your online account passwords if they're massively complex, but if you store them in a password safe all that's needed is to compromise the security of the password safe and ALL of your passwords have been simultaneously compromised.

            The best solution is to teach people to create passwords that are complex enough that they can't be guessed or brute forced easily, but are based on some meaningful pattern that allows the user to remember them.

            As long as you don't pick an obvious pattern, like your spouse's initials and date of birth, this can be sufficiently secure for almost any purpose. Pick two or more memorable but unrelated pieces of information, for example your work post (zip) code and a sibling's date of birth.

            You can even harness old fashioned simple cipher techniques for instance take the reg (license) plate number of a car you used to own (but not your current one just to add obscurity), then to make that even more secure alternately increment and decrement each character by one so X81 EDR becomes Y72 DEQ.

            These systems are by no means foolproof, and can still be forgotten, but at least they are meaningful enough that you stand a chance of remembering them but seemingly random enough that they can't easily be guessed or brute forced.

            1. Richard Simpson

              Re: Don't Just Blame Users

              Is it really such a big problem if people write their passwords down? Surely this at least depends on where they write them.

              It seems to me that the main attack which passwords are protecting against are those which occur over the internet from anonymous adversaries usually in foreign countries. Such people can't see the passwords I have written down in a notebook at home and the only way they could would be to find my house and break in, and the cost, time and risk of that clearly isn't worth it.

              I agree that a random burglar may find the notebook, but most burglars are surely more interested in money and TVs and if someone has actually broken in I will at least know that my passwords may have been compromised.

              Bottom line: Surely a strong password written down in a private location (e.g. your house) is much better than a weak password which is not written down at all.

          3. Anonymous Coward

            Re: Don't Just Blame Users

            "Teach them to use a password safe. That will allocate high entropy passwords and store them. You need never even have to read and type the password."

            They had password security and password managers on BBC Radio 4's "Money Box" programme the weekend before last (so bonus marks to the BBC for trying to promote it) ... quite a few UK banks seem to regard using them as recording your password, and therefore negligence rendering you liable for any fraud ...

      3. Lotaresco

        Re: Don't Just Blame Users

        "as well as a strong password"

        As long as it doesn't have a lame algorithm to work out a strong password. I've seen strength checking algorithms that force a user to create weak passwords.

    3. Franklin

      Re: Don't Just Blame Users

      One of my banks has the same idiotic policy. Passwords are required to be exactly seven--no more and no fewer--numbers.

      And it gets worse. Your username is always the last 8 digits of your debit card number. So if someone lifts your debit card, they know your username and exactly what format your password is.

      This is a large Canadian bank.

      I weep for humanity.

    4. Andrew Commons

      Re: Don't Just Blame Users

      Agreed. I have had sites reject random passwords with 'special' characters in them without any indication of the allowable character set. The error message - logs - have displayed the password string in full so just changing a bit here and there is not an option.

      Desperation may lead you to 12345 just to move forward. Finding some way to go back and rectify that accommodation may be non-trivial.

      So users should not shoulder all the blame here.

    5. Anonymous Coward

      Re: Don't Just Blame Users

      That's what you think. I'm hacking you for your El reg gold badge as we speak.

    6. GundarHarl

      Re: Don't Just Blame Users

      I don't agree. There was a time when lame passwords could be used to protect accounts for sites with mundane content.

      Social engineering starts with the content and posts on mundane forums and though you may not consider yourself an ideal target of a complex criminal enterprise, you may still pass off as a target for an angry ex, a disgruntled co-worker or a random thrill seeker. Mundane forum posts can contain enough detail to get security clearance for more complicated password resets. Did you mention your mother's maiden name on a genealogy website? Did you mention your dog's name in that pet food forum? Does your local newspaper comments page know your date of birth and address? These are common challenge questions for getting passwords reset at banks and credit bureaus, travel agencies and social media accounts.

      A perfect example is in this comments page, here are people, on a 'mundane' comments page, discussing their credential requirements and password policies of other organisations they subscribe to.

      Further, a comment below makes the most sense - make strong passwords because it's a good habit.

      1. Martin an gof

        Re: Don't Just Blame Users

        There was a time when lame passwords could be used to protect accounts for sites with mundane content.

        Social engineering starts with the content and posts on mundane forums

        But you don't need a password to slurp that information. On these very forums, so long as you can tie a user name to a real name (i.e. you are sure that the "John Smith" you are stalking is definitely "BigBiceps" online) all you have to do is click on that user name and, hey presto, a complete history of all their posts ever. No passwords involved. Easy to search.

        On El Reg, having a password gets you into the "edit my details" bit which if you don't already have the real name and real email address will give you those details, and maybe others if they have been filled in.

        I do not understand enforced weak password policies (as have been described above) but my personal beef is with enforced password change policies, at least those that mandate change too often. Regular enforced password changes drive ordinary people down the route of choosing easy to remember password sequences that just avoid tripping the system rules. I know of one system which has half sensible rules (>7 char, mixed case, special characters and digits mandated, no repetition of passwords) but then mandates changes every six weeks (could be worse, I suppose) which leads to a lot of people using passwords along the lines of "Pa$$word01" followed by "Pa$$word02".

        A "strong" password is called that because it is unlikely to be in any rainbow tables, isn't in a dictionary, is difficult to guess, and difficult to brute-force. It doesn't become any more easy to guess over time, so why enforce such a short shelf-life? By all means change it occasionally, and definitely if there is any suspicion it's been compromised, but..

        M.

        1. Charles 9

          Re: Don't Just Blame Users

          Because it limits the damage if the password is leaked but NOT KNOWN to be leaked. When the change comes, you either close the leak or you find out about it. Either outcome helps.

          1. Martin an gof

            Re: Don't Just Blame Users

            Because it limits the damage if the password is leaked but NOT KNOWN to be leaked.

            I understand that, my point was that if too-often password changes are mandated, the temptation is to use weaker passwords which are therefore more likely to be guessable. A slow password change policy, maybe even with auto-generated passwords, makes it more likely that the user will be willing to commit a strong password to memory, and make it less likely that that password is compromised between changes. I'm talking about someone trying to guess John Smith's passwords without any inside information.

            Password "leaks" are something else altogether, I'd say. The "data dumps" that were perused for these popular passwords; how did they extract plaintext passwords from properly encrypted... Oh. Right.

            M.

              1. Doctor Syntax

              Re: Don't Just Blame Users

              The "data dumps" that were perused for these popular passwords; how did they extract plaintext passwords from properly encrypted

              In a lot of cases the passwords may have been encrypted but not salted. In that case rainbow tables, lists of common passwords encrypted by popular algorithms, can break them. A strong password is one that's not going to make its way into such tables.

              Not only do sites apply odd rules without disclosing them, they also don't disclose whether they encrypt information, whether they salt it etc. The safest bet is to assume that they store it in plain text and that they're easily hacked. Use a password safe and allocate strong passwords everywhere.

              1. hmv

                Re: Don't Just Blame Users

                With or without rainbow tables (or salt), you can usually crack a whole bunch of password hashes (they're hashed not encrypted).

                The next question to ask is whether these weak passwords belong to accounts that have been disabled or whether they are dormant accounts - active but not in use. Accounts created a decade ago are highly likely to have very weak passwords.

                And yes there are those who refuse to be told.

            2. Charles 9

              Re: Don't Just Blame Users

              "I understand that, my point was that if too-often password changes are mandated, the temptation is to use weaker passwords which are therefore more likely to be guessable. A slow password change policy, maybe even with auto-generated passwords, makes it more likely that the user will be willing to commit a strong password to memory, and make it less likely that that password is compromised between changes. I'm talking about someone trying to guess John Smith's passwords without any inside information."

              But you assume people are guessing passwords instead of gleaning them. Mass guessing can usually be detected and noted as an attempt at an account (and handled accordingly), but an insider picking up on someone's password (reading the Post-It, for example) is much more insidious and the reason for change policy: because there usually won't be missed guesses in the latter, and since it's already internal, it's virtually indistinguishable from real attempts.

        2. sbivol

          Re: Don't Just Blame Users

          We had a policy of "minimum 8 characters, 1+ digits, no repeated passwords". Expiration in 4 weeks.

          After 7 years, most users were incrementing the last two digits. Admins had passwords set to never expire.

      2. Francis Boyle

        Re: Don't Just Blame Users

        If your bank is using your date of birth or address as a security question it's doing it wrong and you probably should find a new bank. My bank at least allows me to choose my own question but that's not either since it's ridiculously easy to create a question the answer to which even you can't remember.

        1. Anonymous Coward

          Re: Don't Just Blame Users

          My standard answer to all security questions, regardless of the question is always "pigshit" (just kidding but it's very similar) - a truthful answer to a security question is far weaker.

        2. Stoneshop

          Re: Don't Just Blame Users

          but that's not either since it's ridiculously easy to create a question the answer to which even you can't remember.

          "What... is the capital of Assyria? "

          "I don't know that!"

    7. Lotaresco

      Re: Don't Just Blame Users

      One of the banks I use has a "PIN" security scheme for online accounts that could be phished, rick-rolled and the PIN extracted from the user as follows:

      Please enter the following characters from your PIN: [1][3][4]

      Authentication failed, please try again.

      Please enter the following characters from your PIN: [6][2][5]

      Sorry, website closed for maintenance. Please try again later.

      Even the bank's official security notices look like phishing attacks, so users are unlikely to spot what is going on.

    8. Steve Evans

      Re: Don't Just Blame Users

      I feel your pain. I remember setting one up on a bank a few years ago... It insisted I used between 6 and 8 characters. No caps, no numbers, no symbols and objected when I had too many letters repeated.

      I kept meaning to sit down and calculate the number of passwords that would then be left as valid to their system.

      It's probably about a dozen! j/k!

      But it's good to see that p455w0rd1 isn't on the list, so I'm still safe!

      There are a couple which have me mystified though. On the face of it they don't look "too" bad, I just can't work out the pattern that has made them so popular.

      18atcskd2w

      3rjs1la7qe

      Can anyone enlighten me to the blatantly obvious pattern which has whooshed right over my head?

      1. Martin

        Re: Don't Just Blame Users

        I'd like to know what's wrong with 18atcskd2w and 3rjs1la7qe too...I can't see any reason why they should be among the top 20 passwords.

        1. William Towle

          Re: Don't Just Blame Users

          > I can't see any reason why they should be among the top 20 passwords.

          That stumped me too, so I googled each. The suggestion: https://www.tripwire.com/state-of-security/featured/so-just-why-is-18atcskd2w-such-a-popular-password/

    9. caljudge6

      Re: Don't Just Blame Users

      Shocking that some banks force you to use WEAK passwords. I would change my bank!

      But I can't say I agree that 'sometimes 12345 is good enough'. The purpose of a password is to ensure accountability. That is not maintained with 12345. If 12345 is fine in terms of risk (no sensitive data accessed), the password control probably should not exist.

      Cost of control should never outweigh its value.

      Having said that, you may think your account has no sensitive data in it, but what if someone steals your credentials and starts posting illegal content all over the web, or malware? It's in your name.

      Also I'm pretty sure you will have an email address linked to that account. Now the 'spear-phisher' has your email plus a known interest of yours and could masquerade as the site you are signed up to.

      1. Kiwi

        Re: Don't Just Blame Users

        But I can't say I agree that 'sometimes 12345 is good enough'. The purpose of a password is to ensure accountability.

        On the weekend I built a completely fresh VM to check something (actually testing something with W7 and updates) and the weekend before I did another couple to try out a couple of new Fedora flavours. All wanted passwords, all got "1234" (IIRC Fedora either wanted something stronger or wanted a couple of confirmations). If someone gets to them, then I have far more to worry about than the passwords.

        Few days ago I downloaded a package relating to some obscure software from some website I'll probably never even remember again, let alone visit. Needed an email address and a password to sign up to access the download, they got a visit to 10minutemail.com and a 12345 password (or whatever met their regs, might've been !1QqAaZz) - all done via TOR (hey, I never said I trusted said site or package - I love how I can clone a VM in seconds and if it's compromised I've lost a few seconds of my time, nothing else). Good luck tying that email address back to me!

        Yes, sometimes a stupidly weak password is more than strong enough.

  2. This post has been deleted by its author

  3. Notas Badoff

    Obvious action, non-obvious why not?

    I may have missed previous discussions, but why isn't it made a requirement that financial and government sites (at the very least) reject new passwords on the top 100 list (with appropriately illuminating error messages), and probe for these and notify existing users that they've been 'unwise'.

    I'd think any 'serious' site would get a respectful "...o..k..a..y, thanks" if they emailed users with "we don't want you to lose your hard-earned money/house/job, and we noticed an insecure password and would you please change that to a better password (and here's how)." The customer might up the company's clue rating/reputation. And any customer that would pitch a major fit, well, might they not be worth keeping as a customer?

    (Implementation Tip: mention the whole undertaking in a PR announcement - anyone afterwards complaining to friends will get a "but why do you care, this doesn't apply to you, does it?")

    1. Mark 85

      Re: Obvious action, non-obvious why not?

      I'd think any 'serious' site would get a respectful "...o..k..a..y, thanks" if they emailed users with "we don't want you to lose your hard-earned money/house/job, and we noticed an insecure password and would you please change that to a better password (and here's how)."

      Probably 50% (ok... some % above 1% and less than 99%) of the users would see the email.. assume it's malware and dump the email. Unless of course, you promised them a nudie video of some celeb.

    2. Anonymous Coward

      Re: Obvious action, non-obvious why not?

      I'd think any 'serious' site would get a respectful "...o..k..a..y, thanks" if they emailed users with "we don't want you to lose your hard-earned money/house/job, and we noticed an insecure password and would you please change that to a better password (and here's how)."

      You can only realistically signal a password weakness at the time when a new one is set (despite the fact that I dislike some of the "strength" meters out there) and even if you want to do it retrospectively you can only alert to a weakness via some sort of message when the user logs in.

      If you do anything via cleartext email you are painting a big target on the user's back for having an account that won't survive a dictionary attack. Not quite the PR coup that you'd want as a bank IMHO.

      1. Missing Semicolon

        Re: Obvious action, non-obvious why not?

        Presumably, the server can compare the hash of the supplied password with the hashes of the known bad ones?
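Taking Doctor Syntax's earlier point (unsalted hashes fall to precomputed tables of common passwords) together with the question above, an added example that is not code from The Register or any commenter, with constructed users and a five-entry bad list built from passwords named on this page: it shows why a leaked unsalted table matches every user of a common password at once, checks the bad list at set time while the plaintext is still in hand, and audits existing salted records by re-deriving each bad guess under each user's own salt. As hmv notes, these are hashes, not encryption.

```python
import hashlib
import hmac
import os

# Constructed bad-password list: the article's top entries plus ones named in the thread.
COMMON_PASSWORDS = {"123456", "123456789", "12345", "1234", "password"}
KDF_ROUNDS = 100_000     # assumption: PBKDF2 work factor


def unsalted_hash(password):
    """The weak scheme: one fixed digest per password, identical for every user
    who chose it, so a precomputed table answers for all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Per-user random salt plus stretching: the same password gives a different
    digest for every user, and each guess costs KDF_ROUNDS hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


def match_unsalted(stored):
    """What a leaked unsalted table gives away: hash the common list once and
    look every stored digest up in it.  stored maps user -> hex digest."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def set_password(db, user, password):
    """Registration / password-change path: the plaintext is available here, so
    the bad-list check is a cheap set lookup before anything is stored."""
    if password in COMMON_PASSWORDS:
        raise ValueError("password is on the known-bad list")
    salt = os.urandom(16)
    db[user] = (salt, salted_hash(password, salt))


def audit_salted(db):
    """Retrospective check on salted records, answering the 'compare the hashes'
    question: there is no shared table, so each bad password has to be re-derived
    under every user's own salt.  The site pays the cracker's cost, which is
    exactly the cost that salting was meant to impose."""
    flagged = {}
    for user, (salt, digest) in db.items():
        for guess in COMMON_PASSWORDS:
            if hmac.compare_digest(digest, salted_hash(guess, salt)):
                flagged[user] = guess
    return flagged


def demo():
    # Legacy unsalted store: two users with the same weak password share a digest.
    legacy = {"ann": unsalted_hash("123456"),
              "bob": unsalted_hash("123456"),
              "cat": unsalted_hash("constructed-strong-sample-#42")}
    recovered = match_unsalted(legacy)        # ann and bob, not cat
    # Salted store with the bad-list check applied at set time.
    db = {}
    set_password(db, "cat", "constructed-strong-sample-#42")
    try:
        set_password(db, "dan", "123456")
        rejected = False
    except ValueError:
        rejected = True
    # A record that predates the check is still caught on audit, one KDF call per guess.
    salt = os.urandom(16)
    db["eve"] = (salt, salted_hash("password", salt))
    return recovered, rejected, audit_salted(db)


if __name__ == "__main__":
    print(demo())
```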

    3. RobertD

      Re: Obvious action, non-obvious why not?

      Simple answer? Because it would cost money to maintain that list and create/update rules, whereas setting parameters once is cheap and easy. There are many, many variables to be considered when it comes to security but poor security almost always boils down to stupidity and/or cost.

    4. Doctor Syntax

      Re: Obvious action, non-obvious why not?

      if they emailed users with "we don't want you to lose your hard-earned money/house/job, and we noticed an insecure password and would you please change that to a better password (and here's how)."

      And being the bankers they are, they'd embed a "helpful" link in the email, further training their users to click on any link in any random email purporting to be from them.

      Why do banks etc persist in training their customers to be phished?

      1. Kiwi

        Re: Obvious action, non-obvious why not?

        Why do banks etc persist in training their customers to be phished?

        The Westpac bank here in NZ had a problem with that a while back (may still do, I now bank elsewhere). They apparently[1] sent out several emails to their customers, with all sorts of stuff in them which actually looked very much like many phishing emails I've seen over the years, in the style of writing and other factors. Including the helpful "call to action" link to log in to the bank. IIRC it also involved some survey or something else with either links to or (blocked by Thunderbird) content from some 3rd party ultra dodgy "survey" firm. Neither I nor any other people involved with IT/security could be certain it was or wasn't a bad email. Westpac received several nasty messages over this I understand, because if it was them (we mostly assumed it was, certainly best to bring it to their attention) then the customers who were watching for bad emails would delete this on sight, those who would send something off to scamwatch etc would do so (harming the bank's reputation), and those who weren't on the watch for bad emails would get trained to follow the links in such emails because the official bank ones look so much like the scam ones.

        [1] I say "apparently" because the samples of said email I saw were from the correct branch manager (by name), and had some personal details of the customer correct (if a phishing scam, then the scammers already knew your name, acc number, street, bank manager's name and a couple of other things). Because of this I don't mind giving them bad press at all, and if the subject ever comes up I advise steering well clear of this bank.

    5. hmv

      Re: Obvious action, non-obvious why not?

      Experience in sending out messages to those with weak passwords shows that the rate of the appropriate response (changing the password) is approximately 5% to such messages.

  4. Winkypop

    Hey! No fair!

    No wonder my passwords are so popular, when you keep publishing them!

    1. Martin

      Re: Hey! No fair!

      Anyway, 123456789 is a long password, so that's more secure, isn't it?

  5. Blofeld's Cat

    12345?

    Dark Helmet: "That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

    President Skroob:"That's amazing! I've got the same combination on my luggage."

    1. MrT

      Re: 12345?

      "Smoke 'em if you've got 'em

      ..."

      1. Aladdin Sane

        Re: 12345?

        If only they'd told Jyn Erso.

  6. JCitizen

    Just get a password manager..

    I teach my clients to use Lastpass or any other acceptable password manager, and since they are not in a business environment, I let them put the strong master password on a post-it note and let Lastpass generate all their other passwords to the highest standards. I've never run into a site, so far, that doesn't accept these passwords - If I ever do, I will weigh the risk just like other posters here on the Register have already mentioned!
