Love, Secret, Sex and God, wasn't it?

http://xkcd.com/936/

So the ultimate password is obviously :

welcomeletmeinkeepoutjesusninjatrustno1password1qwerty123456mustang

Ashley & Michael

presumably these are names of people's kids or SO's?

surprising that so many people have a kid or other half names Ashley that the name outranks Jesus

Okay, I'll cop to it.

Yeah I've used at least one of those passwords on a throwaway site where I don't actually care all that much about whether or not someone hacks it.

Sites that I care about get different levels of attention depending on the level of caring.

Sites I sorta care about but need easily remembered passwords get passwords with root pieces and salt.

Sites that I really care about because they have financials get randomly generated passcodes. What really sucks is that sometimes when I use randomly generated passwords with full complexity, they still don't meet site rules for password generation. Which means the sites are actually less secure than the password I generated for it.

This is victim blaming!

Instead of telling people to not using dumb passwords, like "password". You should tell crackers not to crack.

1....2....3....4....5

That's the kind of thing an idiot would have on his luggage!

http://www.youtube.com/watch?v=_JNGI1dI-e8

Monkey?

Why on earth is monkey so popular? Are they reshowing the old TV series or something?

Doubting the accuracy of this list

I have three reasons for doubting the accuracy of this list:

1. I don't believe "shadow" is really a popular password. I rather suspect this is a dummy value meaning that the password is not, in fact, stored.

2. There are too few obscenities in the list. I don't think I'm alone in using obvious sexual obscenities when I am forced to create an account and have no interest in its security.

3. There are too few changes in the list. They claim that the top six are unchanged (as a set) since last year. If the new list were really derived from new data I'd expect to see a lot more random variation even if the underlying popularity of the passwords were unchanged.

Is it Verified by Visa?

That has a very specific 8-12 characters for the password.

Every single time I am forced to re-generate a password because I can't remember the last one and therefore have to enter all my identifying information in all over again. I'm assuming other people write them down and keep them with the credit card.

Way to increase security.

Maybe we should use passwords that sound like mildly embarrassing admissions. If my password was "Iamsobloodylonely" (for example) I would hesitate before writing it down or reusing it on multiple logins.

Where's the 'Lightbulb' icon?

On some of the old terminals...

can't recall exactly which now, I think they were SunSPARCs or SGIs... our sysadmin insisted that people use, in their passwords, one of the additional function keys which were ranged down the left of the keyboard. It made it impossible to log in casually from anywhere other than in the computer room which housed the workstations themselves!

The difference is what was secured by these passwords.

A personal email account you get receipts etc. emailed to? Yes, that's an error to choose a weak password.

A throwaway Yahoo account because you were forced to sign up to it by product X? Who cares?

An eHarmony account that you really don't care about people hacking and only set up for a laugh? Again, who cares?

Anyone with a brain has a set of different passwords for various things. My father's Windows Login password (which, incidentally, is totally unnecessary as it does nothing and the admin account is open if you know the double-Ctrl-Alt-Delete trick or use Safe Mode or whatever) is such a password. But his banking one is secure. His password to the account on the website he signed up to one to buy a bit from his car (but stores no credit card details)? That's different again and though not "secure" is probably not guessable even if you know him. His password for the christmas giftlist document that I share with him? Incredibly insecure but stops him clicking on it and accidentally showing mum what he got for Christmas. This is a man that has trouble turning a computer on and takes an hour to install a simple program because he reads every line of text on the screen (not the license agreements, all the surrounding "Click next to proceed with installation" etc. gumpfh) and can't see what he's supposed to press next.

The security of passwords is general is (like all statistics) meaningless without context. I have and use a number of insecure passwords for things I don't care about and don't WANT to use my secure passwords on (because if they are compromised, then they might be able to do some damage elsewhere). And my secure passwords (of which I have many levels but sometimes re-use things for passwords of the same "level"), are all unguessable. I have a very good memory for passwords, but I'm not going to make unique ones for everything I do because I will spend my LIFE logging on, and will end up having to put them all in one place which is inherently less secure than re-using passwords for similar levels of access (i.e. if you compromise, say, my forum account, yes you could probably use it on some other forums I frequent, but none of them will give you more access to information than the account password originally compromised, or any other forum account I use).

As an extreme example, the password for my banking is some incredibly secure thing and used only for banking purposes in combination with a OTK device. I have a password that I only use for Government Gateway services even though I haven't really used those in years now. I have a password for anything that involves financial matters no related to my bank (e.g. pre-paid credit cards, etc.). The password for any site that stores my credit card information is different but on the same level of security and sometimes shared between partner sites. Additionally, I have a one-off sign-up password for sites I've never used before but which want my credit card information stored. I can cancel a rogue card transaction from them and know who it was, but I can't suffer a password leak that might affect other sites I visit if they are clever and try to reuse / guess my details elsewhere to gain more access.

I have a password for accounts of value even if they have no credit card information associated (e.g. Steam). I have a password for anything that stores personal information on me but which doesn't store payment information or isn't payment related. I have a password for sites that I need to log into but which I wouldn't care about someone accessing as me (e.g. forums, etc.), and I have a password that I use to get past anything that demands one for no real reason.

Each password (and sometimes there are three-four passwords for each level depending on the security of the level) is different and all but the very lowest levels are secure passwords. I can also tell, by the very service that the website is trying to offer me, what the password for a site I hardly visit but have an account for is likely to be (and unlikely to take more than a couple of guesses and thus unlikely to be "locked out"), and even a compromise of one site's password that's advertised with full details all over the world will ever let you into an account with more "power" or containing more information than the compromised site. And I have to remember only 10 passwords, which is way within the realm of sanity, and because they can be remembered, I never have to write them down.

And my Yahoo password for an old Geocities account I had years ago which was forcibly upgraded to Yahoo? That's probably not that important to me because all it lets you do is log into Yahoo Search as me (and I haven't used Yahoo search since the Geocities days!). Dating sites? They would end up in the last category (i.e. I have to have a password, but don't particularly care about what it is). LinkedIn? I signed up to it once to talk to an old friend, didn't even put my name on the account. A quick login suggests that's also in the last category. Last.fm? If I had an account for it, it would also be the last one.

So it's really bad to try to take away anything new from this article. People choose rubbish passwords when they are asked for a password to protect rubbish. This is like having 1234 on the combination to keep your wheelie bin shut so it doesn't bang in the wind, who cares? But your bike probably has a half-decent combination on it and a better lock.

Now do a survey of the passwords people use on Amazon or Steam or their bank and see how different the results are.