back to article Hotmail phish exposes most common passwords

Data from the Hotmail phishing attack proves that consumer password security remains pants. The most common single password in the sample of 10,000 purloined Live ID login credentials posted as a text file to developer site PasteBin.com was "123456", something only marginally more secure than the traditional favourite " …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    It's no wonder...

    ....a high percentage of the passwords on the list were poor or weak.

    They were poor and weak.

  2. Naich

    Not representative

    These are the passwords of people who have been successfully phished, i.e. people who aren't exactly shit-hot when it comes to security matters, so it's not surprising they are piss-poor security-wise.

  3. Enrico Vanni
    FAIL

    Dumb and Dumber

    It doesn't take an idiot to work out that the sort of people most likely to fall for phishing scams are the same people who don't take password security seriously.

  4. Scary

    Skewed

    Of course the analysis results will be skewed because these are the people who fell for a phishing scam (I would suggest that such people probably tend to have weaker passwords).

  5. Anonymous Coward
    Grenade

    Security Firms

    So, are these security firms offering their services for free, seeing as though it's based on information that they themselves downloaded for free?

  6. AliBaBa
    Happy

    really?

    Neil O'Neill? I wonder what his middle name is

  7. The Original Ash
    Go

    Keepass

    One password for the program, no issue with other passwords being lost. Backup the database, and no reason for insecure / reused passwords anywhere.

    http://www.keepass.info

  8. The Mole 1
    FAIL

    Password in wallet

    If you need to write your password down because you can't remember it then how are you going to be able to change it when it has been stolen along with your money?

  9. Jimbob 3
    Alert

    Like shooting phish in a barrel

    So not only did these people have pants passwords they also entered said password into a form not linked in any way to Hotmail?

    Some kind of worldwide general public 'IT and Security' training is needed methinks. Yeah I know, that is impossible.

  10. Antony King

    Wallet

    So your password list gets nicked along with the wallet. Exactly how do you change your password then if your list of passwords has been nicked? Especially if you have to change it before the thief looks at the contents of the wallet and logs on to your bank - I can imagine your bank's response when they find out you kept your password with your bank card!

  11. Ed Blackshaw Silver badge
    Boffin

    Be careful in drawing any correlations from this data

    If, indeed, it was gained through a phishing attack, there is also a possible correlation between people who use weak passwords and those who fall for phishing attacks to be controlled for. In other words, there are probably a higher percentage of weak passwords in this list than there would be in the general population of hotmail users.

  12. Anonymous Coward
    Anonymous Coward

    So What?

    My Hotmail account password is as weak as hell and I don't give a shit.

    Do you know why? It's because it's just a fucking hotmail account. Not the keys to my front door.

  13. Dan 21

    How accurate is the list?

    Assuming that not all of the passwords were checked before being posted, what makes anyone think that they are real? I've given fake information to phishers for a lark myself.

    Hi. My name is Ima Lamer. My email is abuse@yourregistrar.com. My password is eatshitanddieyoulamer. &etc.

  14. Anonymous Coward
    Stop

    Probably one of those sites...

    ...that says, 'See if any of your friends are already on here/using XYZ by giving us your hotmail/gmail/etc login details to check.

    Seriously, who in their right mind, trusts any site with such details? If someone really wants to find this out so badly, they should type them out one by one or if skilled enough, write a program to do this for them. But anyone skilled enough to do that would probably be clever enough to realise what a waste of time and effort it would all be anyway.

    Thing is these sort of requests for login details are 2 a penny on almost every social networking or general time-consuming site that's out there and for the general population, having this sort of social site currency is so important, they must take the risk anytime they see such a form. :(

  15. Anonymous Coward
    Stop

    Coded passwords

    I've been writing down my passwords for years, but only in coded form. Just a hint to remind me which of the 5 or so passwords I use for the 20+ accounts I need to remember, never the full password. Not ideal, but the information is no use to anyone if stolen, and is a manageable number that my brain can cope with.

    Putting full passwords in your wallet isn't clever. That's traditionally something that is more likely to get stolen from you than anything else!

  16. Jas 1

    @Antony

    I thought the same thing, if you don't know your password then you can't change it.

    If you know your password, why write it down at all.

    I like the old postcode idea, might use that one. erm then again, might not ;)

  17. Anonymous Coward
    Boffin

    Passwords

    I generally use passwords on multiple sites because otherwise I'd have no way of remembering them.

    BUT

    I take precautions such that general purpose websites have one password, email has another and banking/paypal/etc have completely independent ones.

    So I only have to remember half a dozen passwords for every site I've ever signed up to; and I maintain degrees of separation from important info!

  18. rustinees
    Alert

    Go phish

    I've kept my hotmail account for many years, mostly for endeavors I think are likely to promulgate my address. But I never use the web to check it and I'm not happy to be lumped into a phishing victim category!! My login was compromised (I have seen the bogus emails sent) and they got that information some other way. Not to mention that a message from the service provider would have been a better way to find out about it than complaints and failures from my 7-year-old online contact list.

  19. Bernie 2

    if your password is "123456"

    then your account isn't worth stealing anyway.

    What are the scammers going to do with the hotmail login details for 10,000 lager louts and dole dossers?

    Yeah there's BIG MONEY to be had pillaging their overdrawn bank accounts.

    /now that's sarcasm.

  20. Anonymous Coward
    Anonymous Coward

    Employer insists on weak password

    My partner's employer insists that laptops do not belong to particular members of staff, but can be used interchangeably by anybody, and therefore the password MUST be "password".

    Seriously - hence the AC. Any advice on shifting this degree of stupidity would be appreciated.

  21. Anonymous Coward
    Anonymous Coward

    Re. So What?

    "My Hotmail account password is as weak as hell and I don't give a shit. Do you know why? It's because it's just a fucking hotmail account. Not the keys to my front door."

    Well, if you say so swearing person.

    Others may beg to differ and keep rather more info in it than spam and, in your case, e-mails probably containing naughty words. That you don't is neither here nor there. Not everyone is obviously as brilliant as you. Well done and keep it up.

  22. sandiskboy

    My password is simple

    I use the same one for everything and I have had no trouble at all. Even if someone guessed my password it would make no difference as I am not stupid enough to put any real info online.

  23. Anonymous Hero
    FAIL

    Slightly OT, but....

    ...it still amazes me the number of organisations, including banks, that won't let me use non-alphanumeric characters in my password i.e. !"£$%^&*() etc.

    Hell, even equifax, who are supposed to be guardians of all my credit data won't let me do this. That's a serious WTF.

  24. Anonymous Coward
    FAIL

    What kind of idiot system

    What kind of idiot system accepts a password like 123456 anyway?

  25. Philip Dagnan
    Coffee/keyboard

    Passed Words

    Neil O'Neill? I wonder what his middle name is

    Probably the same as his passwords

  26. Anonymous Coward
    Joke

    I'm always careful

    I exercise extreme caution when choosing and using passwords.

    Right now, my current password for some of my accounts is 123456querty

    I find this particular mixture of numbers and letters would thwart most hackers.

    You'll see I've used the most popular password, but with a bit of a cunning plan, I bolted some letters onto the end. You just have to know how to play them at their own game really, it's that simple.

    I may switch to using my current postcode - SW183QX, that's a good one, or my mobile number, 07831243321 - they'd never get that. I suppose using parts of my name, Matt Finley Dawson, could work fine too. Or maybe my bank account number? - 894341243

    It surprises me how silly people can be with this kind of sensitive data.

  27. Matt 32

    Um...

    How 'bout we recognize that passwords alone are the equivalent of just weak padlocks and it doesn't matter how fancy you make them today?

    What will be truly great is once one of these major sites has its password database stolen, and a massive rainbow table attack is run against it using distributed computing (think: zombie network).

    Most stuff online just needs a really simple, weak password to keep the honest folks out. Keep the more complex ones for where you actually need high security.

    Anything needing truly high security we need systems better than passwords. Tokens, password protected keys, or the ability to authenticate transactions by out-of-bandwidth means -- i.e. you do an online banking transaction, your cell phone gets an SMS with an authorization code you then type into the website to authenticate the transaction.

  28. Fred Flintstone Gold badge
    Coat

    @ My password is simple

    No it isn't. I even tried it in uppercase: "SIMPLE".

    I use ****** myself, at least I can still read that when I type it in..

    :-)

  29. Brian Miller 1
    Stop

    Phishing Scam?

    My wife had her hotmail account hacked NOT through a phishing scam but by someone inside a UK based E-commerce site.

    She ordered t-shirts printed for her mates' "hen do" from the cheapest online t-shirt place. A week after receiving the shirts in good order suddenly she was sending all of her contacts e-mails saying how great and cheap the t-shirt printers were. Only she hadn't sent any of them.

    It was obvious that she had her account used to push out spam for the company she ordered with. She had used the same password for the e-commerce site as for her email, which she obviously entered into the site as well.

    So, I think it is very possible that these are not specifically people falling for a dedicated phishing ring but frighteningly by apparently genuine businesses. I only hope to god that we don't get a credit card bill through for lots more t-shirts.

  30. Trevor 3
    Coat

    @Matt 89

    Is this some kind of hoax? I tried to ring you to get your pin number so I could keep it safe, and you didn't answer.

    I've got £5,000,000 I need to get out of the country, because my grandad died in a fishing incident organised by the government.

  31. Dave 32
    WTF?

    How accurate is the list?

    That's a good one, @Dan 21. My favourite food to feed the phishers is the data for good, old William Edward Goat (who usually goes by his nick-name). :-) So, since he's an adolescent male, I wonder if his ID (goatsex) has shown up in any of the lists? ;-)

  32. EddieD

    Sometimes it's not the users

    I always try and make my passwords adhere to the three out of four requirements - where the four are upper case, lower case, numbers, symbols, but it isn't helped when some companies, e.g. Blizzard, don't allow most symbols, and don't distinguish between upper and lower case.

    It's not just the users, sometimes the hosts make it hard to get secure passwords.

  33. Anomalous Cowherd Silver badge

    @ Employer insists on weak password

    1. Download sensitive client data onto laptop

    2. "Lose" laptop. 815 to Waterloo seems to be popular

    3. Post sensitive data on Wikileaks

    4. Call journalist with scoop. Describe security routine. Name boss.

    That should do it.

  34. transientcylon
    Joke

    12345?

    That's the same combination on my luggage!

  35. ThaMossop
    FAIL

    @What kind of idiot system

    Worse still, it allows a 1 character password!

  36. Soruk
    WTF?

    @AC Employer insists on weak passwords

    Check your employer's IT acceptable use policy, if (like mine) it describes password sharing as a disciplinary offence then complain to corporate security.

  37. Sir Runcible Spoon
    Troll

    remembering passwords..

    does anyone remember the old Lloyds advert (for something) that had a telephone number of 0800 71723 ?

    That's how you remember a password :D

  38. Steve K

    -> Employer insists on weak password #

    Can't they use their individual domain credentials?

    Steve

  39. Anonymous Coward
    Anonymous Coward

    Employer insists on weak password

    Thanks to Anomalous Cowherd for advice on how to get the sack, but I am already helping another friend with this kind of situation.

    The employer in question is in the public sector and any "sensitive data" would harm innocent people.

    I was looking for a guide to computer security aimed at a level of computer illiteracy that is probably beyond the comprehension of any El Reg reader - maybe I should ask Sun readers for their advice instead.

  40. Will Godfrey Silver badge

    Stupidity will always win

    Some people simply CAN'T be educated, no matter what you do.

    Personally I memorise just two complex passwords. One is my bank account. The other is the encrypted section of my 'pooter. All the others (along with my documents etc.) are stored there. Exactly where I will need them.

    If anyone can get at those then I need to have words with a certain Mr Zimmermann!

    P.S.

    Yes I do keep an identically encrypted backup 'off-site'.

  41. John 174
    Coat

    AC?

    AC wrote:

    "1. Download sensitive client data onto laptop

    2. "Lose" laptop. 815 to Waterloo seems to be popular

    3. Post sensitive data on Wikileaks

    4. Call journalist with scoop. Describe security routine. Name boss.

    That should do it."

    You are Simon Travaglia, and I claim my 5 pounds....

  42. itfitzme
    Badgers

    Keyboard Patterns

    keyboard patterns work well. Like 1793zqpm which is the four corners of the key number pad and four corners of the alphabet keyboard.. They are easy to remember. There is no particular pattern from a computational standpoint.

    But then, I'm dirt poor and my life doesn't amount to much so no one really cares a hoot about me anyways. I'm really just not significant enough to be hacked.

  43. Anonymous Coward
    Anonymous Coward

    Worse & worse

    I have to agree with comments posted about lots of places not allowing decent secure passwords with special chars.

    I currently work for a major oil company, who have recently rolled out a special password system. It basically synchronises all your different passwords so they are the same, and because of the limitations of one of the legacy systems it can't allow more than 8 digits or any special chars etc. We are limited to an 8 char alphanumeric. It HAS to be 8 chars long (ok I guess it stops you having a silly short password).

    To make matters worse there is now an option to reset your password on the log in screen, where all you have to answer are 4 pre defined questions 'mothers maiden name' etc.

    Some systems I've used insist that you can't have a numerical for the first digit (making even less brute force required).

    It's sad that many banking sites etc are also limited by this kind of short-sightedness when it comes to programming their security.

    Some of us actually want to try to use secure passwords, but often I find that I have a great system for remembering a complex password only to be told my password isn't acceptable. I'm then forced to invent a new system of remembering the password which I then completely forget!

  44. Anonymous Coward
    Anonymous Coward

    Passwords suck

    Why are people so derisive of people who use easy to crack passwords?

    You can't blame them in my view.

    The internet needs a single, standard password system.

    At the moment we have:

    • non-case sensitive

    • case sensitive

    • minimum of 5 characters

    • minimum of 6 characters

    • maximum of 9 characters

    • must include 1 number

    • must include 2 numbers

    • numeric only

    • letters only

    • pre-determined numbers for banking

    I have 4 related passwords for whichever type of password the site requires from the list above. It's the only way it's possible to remember.

    The problem is that we've been told never to write them down, but it's impossible to remember 30 sites that require passwords other than keep the same, or similar ones for each site. And unless they are easy to remember, you've no chance.

  45. steogede
    Dead Vulture

    no shit

    people who are foolish enough to be duped by a simple phishing scam have weak passwords.

  46. Mark York 3 Silver badge
    Paris Hilton

    My Method Of PW Recall.

    I was going to post it, but thought better of it.

    PH because her defences are pretty weak.

  47. J 3
    Paris Hilton

    @Password in wallet

    Well, you'd reset them the same way you reset forgotten passwords now, I suppose?

    Although it is sure true that the bank would love to hear that you kept the bank/credit cards together with the written passwords...

    A system that works well for me is using the first (or second, or third, etc) letters of each word from part of a song/book passage/poem/motto/whatever, substituting some character for others (e.g. 3 for an e, 1 for either i or L or even the whole word "one", etc.). That way you end up with something that "looks random", but that has meaning to you. Then your password reminder could be something like "Douglas Adams" or "SRV", and good luck to anyone who'd try to guess which part from which book/song (and using which scheme) you are using there.

    WWPD?

  48. Anonymous Coward
    Megaphone

    Obscure song lyrics

    generally work for me, the more obscure the lyric (but particularly well remembered by me, as I have bawled them out along to the band responsible for them countless times) the better

    Shouty icon, cos I'll happily shout my passwords during the song they come from

  49. Mathew White

    Brute forcing

    So given the data analysed from above, there is an almost 1% chance of guessing the person's password in 3 attempts by going down the list. (100*93/9843)

    More if you assume a country of origin.

  50. Anonymous Coward
    Anonymous Coward

    the other side of the coin

    I work at a US government agency that insisted on requiring highly secure passwords for foreign companies to register with them. Many of these are non-English speaking; the information is almost all publicly available to start with (Company name, address, phone, etc.); and then they are required to change the PW every 90 days, even though most of them will probably only log into the account once every few years when an item of the above info changes (new phone, new company HQ, etc.).

  51. Anonymous Coward
    Anonymous Coward

    @ Anonymous Hero

    "..it still amazes me the number of organisations, including banks, that won't let me use non-alphanumeric characters in my password i.e. !"£$%^&*() etc."

    Absolutely agree.

    I can easily remember my passwords (and I never use the same one twice) if I'm allowed to choose something that has significance to me for that particular site. However, where I can't remember passwords is when I have been forced by some web site's IT f*cktard to limit my password in all sorts of bizarre ways.

    No you can't use that symbol.

    Nope, you can't use that symbol either.

    Nor that one.

    In fact we won't let you use any symbol at all except dot.

    No you can't insert a space in the password.

    No you can't start the password with a number

    That password is too long. Restrict it to between 6 and 8 characters.

    etc. etc.

    It's damned irritating.

  52. Anonymous Coward
    Unhappy

    @ Bernie 2 - Law of Large Numbers

    "What are the scammers going to do with the hotmail login details for 10,000 lager louts and dole dossers?

    "Yeah there's BIG MONEY to be had pillaging their overdrawn bank accounts."

    If you can just withdraw 1p from each account... £100 easy. Want more money? Increase the number of lusers...

    DISCLAIMER: I do not advocate this, but "know your enemy, know yourself..."

  53. Sean Thompson

    Weak Passwords

    Personally I don't mind weak password requirements. It takes the bull’s-eye off of those like me who care to secure their stuff.

    Also, for those admins who like to REQUIRE that passwords use 8+, symbols, uppercase, etc. you are actually limiting the brute force possibilities. It is even worse when you say that the first and last cannot be a number, symbol or uppercase. To a skiddie, this means it must be lower case.

    Statistically the best password is a random one, though this will result in it being placed on a post-it on the bottom of the user’s keyboard. I prefer pass phrases myself, though I've been known to use a weak password for expectedly insecure sites like the reg.

  54. Aron
    Megaphone

    Easy peasy

    Nearly all the cracked preauthorised versions of Windows floating around on torrent sites right now have keyboard loggers and spyware preinstalled. Getting passwords is easy no matter how complicated they are.

  55. Popperist
    Paris Hilton

    Neil O'Neil's middle name

    Well D'uh

    His middle name is 'O'

    Paris could work that one out.

    Ask me Rupert's middle name.

  56. Anonymous Coward
    Anonymous Coward

    Any owners report?

    The news doesn't say how many of the email addresses have been abandoned by their owners. It is also possible that the weak email password is intentionally set because the email address is a dummy one, usually given away to websites that ask for registration. I am actually more interested to know how many owners would report that their email had been phished.

  57. A J Stiles
    Go

    Hah

    All that really goes to show is that people with weak passwords tend to fall for phishing scams. Still, given the choice between dancing pigs and security ..... If you want to do an experiment, stick up a form with a couple of boxes for "login" and "password" on your own web site, and something like the following;

    <?php
    // Same experiment, with two defects fixed: the original INSERT named four
    // columns but supplied only three values, and it spliced the submitted
    // text straight into the SQL.  mysqli with bound parameters replaces the
    // mysql_* functions, which no longer exist in current PHP.
    if (!empty($_REQUEST["login"]) && !empty($_REQUEST["pass"])) {
        $login = $_REQUEST["login"];
        $pass  = $_REQUEST["pass"];
        $ip    = $_SERVER["REMOTE_ADDR"];
        $dbh  = new mysqli("localhost", "root", "", "stuff");
        $stmt = $dbh->prepare(
            "INSERT INTO lusers(login,pass,date,ip) VALUES (?, ?, NOW(), ?)");
        $stmt->bind_param("sss", $login, $pass, $ip);
        $stmt->execute();
    }
    ?>

    You'll be amazed what sort of things you will find in there.

    (And no, using root and no password *isn't* insecure. If you're on a shared web host, you can easily get hold of every other user's database username and password. The apache daemon -- as which user all scripts run -- needs to be able to read every user's scripts.)

  58. Kevin 6

    Pssh thats nothing

    At a charter grammar school where I was a system admin for a few months (almost lost my mind due to the stupidity) 95% of employees passwords were 12345...

    I'm not talking worthless general student use accounts I'm talking the school's administration principal and almost every teacher (4 non IT users didn't use 12345 and one had the ultra secure 54321...). Some of these accounts stored extremely sensitive data like CC numbers parents used to buy uniforms, grades, Social Security #'s for staff and students, PAYROLL, access to the rest of the school district, and much more. And no matter what me or my boss said they refused to change their passwords and would bitch us out about security. We were actually ordered to set the firewall's password to 12345 along with the VNC connection's password or we would be fired.

    My boss and I quit 2 weeks later...

  59. ThomasF
    Big Brother

    Star Trek Voyager Passwords

    In Voyager there was never a problem with passwords so it must be a phase we are going through.

    A spoken password "Janeway Alpha Omega 1642" seemed to do the trick. So Voice recognition control from the Clouds will be the answer.

    So the Pleb equivalent will be. " 123456789 men and his dog went to mow a meadow"

    Simples!

  60. Anonymous Coward
    Anonymous Coward

    Please Enter

    Please Enter your first and second names:

    ---Neil O'Neil

    Sorry, first name is too close to second name. Please choose names that show a little imagination.

    Please Enter your first and second names:

    ---

  61. Anonymous Coward
    Alert

    Stoopid pwd with silly chars

    Easy, use a foreign mapped keyboard (languages with lots of accentuated chars are top notch). The password is still easy to remember when punched on a UK keyboard but complete gibberish when actual

    Things get tricky when switching between OSes but that is not too mooch of a concern if you are not.

    Go figure +ěščřžýáíé = 1234567890 on a Czech keyboard

  62. Anonymous Bosch

    Jenny ...

    Jenny8675309.

    Damn, now I have to gargle my brain to get it out of my head.

  63. Anonymous Coward
    FAIL

    so if this was output from a phish

    That's supposing that everyone gave their real name and password, right? if they didn't, then this is all just phish poop.

  64. Anonymous Coward
    WTF?

    Huh?

    I use Linux, so I'm not in danger!! Take that, Windoze-lusers!!1one!1!

    Really. All the AV in the world, all the firewalls, all the hardened OS'es (hah!), are not going to save you if the password is 123456 and/or you give it out to the first phisherman you see. My brain hurts...

  65. Anonymous Coward
    Anonymous Coward

    Solution to all your problems...

    Just use a 'password algorithm', or a way that from just looking at the site you can come up with a unique password for that site. Its not as hard as it sounds.

    Pick a simple algorithm to get part of the password. It could be the last 5 chars of the website name, or the 2nd, 3rd, 4th character, first or second word, or something that is obvious about the site, and add in something that you always use, like your work postcode, or the first part of your phone number. And voilà a unique password per site. (egsw2yreg6qd startpostcode - site - endpostcode)

    Yes people can figure it out if they collect a couple of your passwords, but if people are targeting you specifically (instead of a hack or whatever) you'll be stuffed anyway...

  66. Saul Dobney

    Or...

    Add a random token to the login URL. Offline the user hashes his or her password with the URL+ token. The user log-ins with the hash. The real password is never sent and it can't be worked out through a man-in-the-middle attack. Easy to implement, impossible to phish.
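
The exchange described in the post above, as an added example that is not part of the original comment: the server stores a password-derived verifier rather than the password, puts a fresh single-use token in each login URL, and the client answers with an HMAC over that exact URL keyed with the verifier. The class and function names, the hostname and the use of SHA-256 as the verifier hash are this example's own assumptions. Two caveats a practitioner would add: the stored verifier is password-equivalent for this protocol, so the verifier table needs the same protection as a password table, and the scheme only helps when the client computes the response itself against the genuine URL.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Added example (not code from the post): challenge-response login where the
# password itself never leaves the client.  Names and hostname are made up.

def _verifier(password: str) -> bytes:
    # What the server keeps on file instead of the password.  A real
    # deployment would use a salted, slow KDF; SHA-256 keeps the example short.
    return hashlib.sha256(password.encode("utf-8")).digest()

def client_response(password: str, login_url: str) -> str:
    # Computed offline by the client: HMAC over the exact URL (which embeds
    # the one-time token), keyed with the password-derived verifier.
    return hmac.new(_verifier(password), login_url.encode("utf-8"),
                    hashlib.sha256).hexdigest()

class AuthServer:
    def __init__(self) -> None:
        self._verifiers: dict[str, bytes] = {}
        self._issued: dict[str, str] = {}     # user -> outstanding login URL

    def register(self, user: str, password: str) -> None:
        self._verifiers[user] = _verifier(password)

    def issue_login_url(self, user: str) -> str:
        token = secrets.token_hex(16)
        url = f"https://mail.example.invalid/login?user={user}&token={token}"
        self._issued[user] = url
        return url

    def verify(self, user: str, login_url: str, response: str) -> bool:
        # The URL/token is single-use: pop it so a captured response cannot
        # be replayed, and refuse any URL other than the one we issued.
        issued = self._issued.pop(user, None)
        if issued is None or issued != login_url or user not in self._verifiers:
            return False
        expected = hmac.new(self._verifiers[user], login_url.encode("utf-8"),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def demo() -> dict[str, bool]:
    """Run the exchange once and probe the three failure cases."""
    srv = AuthServer()
    srv.register("alice", "correct horse battery staple")   # constructed user
    url = srv.issue_login_url("alice")
    good = client_response("correct horse battery staple", url)
    results = {"genuine login": srv.verify("alice", url, good)}
    # Same response a second time: the token was consumed by the first login.
    results["replayed response"] = srv.verify("alice", url, good)
    url2 = srv.issue_login_url("alice")
    results["wrong password"] = srv.verify("alice", url2, client_response("123456", url2))
    url3 = srv.issue_login_url("alice")
    # A response computed for an earlier URL does not fit a new token.
    results["response for a different url"] = srv.verify("alice", url3, good)
    return results

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30s} {'accepted' if ok else 'rejected'}")
```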

  67. Steve Evans

    Weak

    You should see the restrictions Barclays put on their online system before introducing their annoying pin-sentry thing...

    Length 6-8 characters

    No numerics

    No repeated characters

    Case ignored.

    Personally my big worry is social networking sites. You know the main one I mean, the one that offers to add all your messenger friends by taking your messenger username and password when you sign up... I declined their kind offer, but given the number of people who turn up on my friends suggestions, many of my messenger contacts jump at the chance.

  68. Anonymous Coward
    Anonymous Coward

    quantity, and a diversion

    My password notebook contains 74 assorted gobbledygooks. When the house is empty I have my fears.

    But there is a more serious response that has to be aired. The BBC TV, all unctuous clever clogs, when they reported this concluded with the advice that if you are invited to give your secrets and you suspect that it is crooked then don't comply.

  69. Steven 7

    @Sir Runcible Spoon

    I believe you'll find it was 0800 710723 ;-)

    Or as they liked to say:

    Oh, a Tundred, sever one ooohhh, sever two.... free!

  70. Shane Lusby
    Grenade

    Agree with many

    A lot of the info in the article is skewed because these were people who were dumb enough to be phished, but there is also the point that the hotmail accounts could be throw away accounts anyway. I go for very secure passwords for the few sites that matter(financial, web admin and useful email passwords) and for almost everything else, one pass. I mean do you really care if someone hacks your account on a forum you posted three things on two years ago?

  71. Dick Emery
    Go

    One password to rule them all

    and one password maker to bind them.

    It was mentioned in a previous article's comments but passwordmaker.org seems to be the answer.

    Currently changing my passwords to match but only have to remember one password! Plus it's never stored on the computer. Pretty neat. Go read all about it.

    www.passwordmaker.org it's free and open source.
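
The per-site "password algorithm" of comment 65 and the one-master-password approach of comment 71, as an added example that is neither commenter's code nor passwordmaker.org's: one memorised master secret is run through a one-way KDF salted with the canonical site name, so a password captured from one site reveals neither the master nor any other site's password, which the reversible "postcode plus bit of the site name" recipe cannot promise. The function names, the iteration count, the canonicalisation rules and the master secret used in the demo are this example's own assumptions.

```python
from __future__ import annotations
import base64
import hashlib
from urllib.parse import urlsplit

# Added example (not from either post or from passwordmaker.org): derive a
# distinct password for every site from a single memorised master secret.

PBKDF2_ROUNDS = 200_000   # example choice; tune to the hardware you have

def site_key(site: str) -> str:
    """Canonical site name: lower-case host without scheme, path or 'www.'.

    This is what makes 'https://WWW.Example.com/login' and 'example.com'
    produce the same password."""
    if "://" not in site:
        site = "https://" + site
    host = (urlsplit(site).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def derive_password(master: str, site: str, length: int = 16, counter: int = 1) -> str:
    """Per-site password.  Bump `counter` to rotate one site's password
    without touching the master or any other site's password."""
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 (32 bytes of output)")
    salt = f"{site_key(site)}|{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              PBKDF2_ROUNDS, dklen=32)
    # base64 maps the bytes onto a 64-symbol alphabet with no modulo bias.
    return base64.b64encode(raw).decode("ascii").rstrip("=")[:length]

if __name__ == "__main__":
    master = "correct horse battery staple"      # constructed master secret
    for site in ("https://www.Example.com/login", "example.com", "mail.example.net"):
        print(f"{site:32s} -> {derive_password(master, site)}")
    print(f"{'example.com (rotated)':32s} -> {derive_password(master, 'example.com', counter=2)}")
```

The price of a purely derived scheme is that the master cannot be changed without regenerating every site password, and a site that caps length or forbids symbols still needs a per-site override; the `counter` handles the first of those for a single site only.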

  72. blackworx
    FAIL

    Mixed characters

    I'm sick fed up of having to reduce my password security for sites like hotmail and its ilk. IME over half the sites/services I've ever registered for have disallowed non-alphanumeric characters.

  73. Richard IV
    Headmaster

    Pnemonics

    @Sir Runcible:

    Sadly yes. And you missed a 0 :p

    Knight: Oh, a tundred! Sever one!

    Tundred: Oh!

    Knight: Sever two!

    Princess: Free!

    Latex markup source with spaces stripped out tends to generate rather nice passwords as do memorable locations as latitude/longitude, or think of a word and use the keys 1 place diagonally up from it - hello becomes y3oo9.

    Seemingly along with many others, what really annoys me is not so much the variety of password schemes, it's the forbidden characters from the "I don't know how properly to sanitise inputs" school of programming that mean you have to come up with alternatives to compensate - it's those ones I tend to forget. *sigh*

  74. Robert E A Harvey
    Paris Hilton

    Let's see

    So we are basing our research into passwords on people daft enough to respond to phishing attacks now?

    In the old days DEC had a secure service to harvest passwords without the other ID material and collect them centrally for analysis. Now that was sensible. Making assumptions based on data from dickheads is .. err.. dickheaded

    Dick.. Head.. Paris?

  75. James R Grinter

    @ Employer insists on weak password

    Is it possible that the laptops are only meant to be used to connect to other, more secure systems, using Citrix or other remote access techniques? Perhaps no data is meant to be stored on them?

    As to these weak passwords that were leaked, a proportion are certainly going to be bogus. (What, you mean you /don't/ give an invalid password or type in an incorrect PIN when using a machine or web site that you're slightly skeptical of? Didn't we have a similar discussion recently about how to verify your bank when it phones you up?)

  76. CapitalW
    Joke

    Now I know......

    ....why my luggage keeps getting broken into.....

    My combo is all lower case........

  77. Sarev
    Happy

    @ Fred Flintstone

    > I use ****** myself, at least I can still read that when I type it in.

    I did that once, too, for some crappy account that I wasn't too bothered about. Many moons later, I wanted to log in and couldn't remember my credentials so I asked for the password to be emailed to me (yeah, there's a secure system!). I was fuming when the password was obscured in that email... until I (much later) remembered that that _was_ the password. Doh.

  78. Adam White

    Passphrases

    Passphrases are the way to go

    You don't have to write them down to remember them

    They are long and complex

    They do not appear in the dictionary

    You can also substitute misspellings and special characters to make them extra salty

  79. Anonymous Coward
    Thumb Down

    comments

    Type your comment here — plain text only, no HTML

  80. Anonymous Coward
    Thumb Up

    Do you come?

    Sites that demand a pw with mixed case, plus numbers at least 10 characters long etc are actually going to be LESS secure. You know why? Because most people use a few passwords they can remember. Something so convoluted isn't going to be remembered, so they WRITE IT DOWN. Immediate security risk.

    Whilst I don't endorse 123456 and so on, forcing complex passwords isn't the way to go either. You need to take into account the number of accounts people have these days, plus the "human" factor.

  81. Frumious Bandersnatch

    "digital forensics"

    > [most popular password was "123456"]

    perl -nalF: -e 'print $F[1]' | sort | uniq -c | sort -rn | head -10

    *ahem*

  82. ElReg!comments!Pierre

    Just sayin'

    You imply that all-lower-case, letter-only passwords are inherently bad. That's one of my pet peeves in the security area: this is NOT true. I would really like it if all my lusers were using passwords like "i am an ancient deity and you should do whatever i want or else" instead of "Passw0rd!" (the latter, obviously very weak, will pass most automated checks nowadays, while the former will probably fail, despite being much, much stronger in my opinion). I met a few admins who would *demand* at least one upper case, one lower case and one numeric character as well as a punctuation mark, while, wait for it, making it mandatory to keep the password between 6 and 8 characters in length (my ISP is a good example. Clueless morons. My former bank is fighting for the title, too, but they are still behind as they allow "up to" 10 chars). Anyone with access to decent computing power will crack any of those "strong" 6-to-8-character passwords in minutes. Especially when the username is your bloody email address (also mandatory with some of the aforementioned institutions).

    Also, if you want to avoid phishers, checking the URL might be a Good Thing (TM). The oft-predicted breakdown of the DNS system might be an improvement (I would say "after all", but I always viewed the DNS thingy as an unnecessary hack open to abuse in the first place. If you can remember a phone number, you can remember an IP address). As a nice side-effect, typing IPs in would make domain-squatting useless.

  83. Anonymous Coward
    Pint

    RE: remembering passwords..

    Ah, but you got the number wrong! It was 0800 710723, you missed the 'ohh' after they sever the first head.

  84. Wombat

    Want a strong password?

    Allow backspaces. So a password of "1357" is constructed of 1-7-backspace-3-8-backspace... and so on.

  85. Sir Runcible Spoon
    Coat

    @Richard IV

    Well done sir, had totally forgotten that :D

    Mine's the one with the dragon blood smeared across the front and a sword in the pocket.

  86. Anonymous Coward
    Boffin

    Definitely should Passphrases

    Loads easier to remember than a password and harder to crack.

    Also much easier to make it secure than an 8 char one.

    My current passphrase is 26 characters and I can remember it far easier than my last 8 digit password.
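
The passphrase comments (78 and 86) and the "i am an ancient deity" versus "Passw0rd!" comparison in comment 82 are all arguments about keyspace. The Python below is an added example, not code from any commenter or from the article: it computes the brute-force estimate that complexity rules implicitly use (length times log2 of the character classes present), the word-based estimate an attacker would switch to once they suspect a phrase of dictionary words, and the "effective" strength of a password that already sits in a cracking list. The 10^10 guesses/second rate, the 10,000-word vocabulary and the tiny KNOWN list are assumptions constructed for the demo.

```python
import math

# Character classes a brute-force attacker must cover once they know which
# ones appear (printable ASCII: 26 lower, 26 upper, 10 digits, 33 others).
CLASSES = [
    (lambda c: c.islower(), 26),
    (lambda c: c.isupper(), 26),
    (lambda c: c.isdigit(), 10),
    (lambda c: not c.isalnum(), 33),
]


def charset_size(password):
    """Alphabet size implied by the character classes present in the password."""
    return sum(n for test, n in CLASSES if any(test(c) for c in password))


def charset_bits(password):
    """Brute-force keyspace in bits: length * log2(alphabet).
    This is an upper bound and is what 'complexity' checkers really measure."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def wordlist_bits(n_words, vocabulary):
    """Keyspace of an n-word phrase drawn from a vocabulary of the given size:
    the right model once the attacker assumes the phrase is made of words."""
    return n_words * math.log2(vocabulary)


def effective_bits(password, known_passwords):
    """A password that is in the attacker's list is worth log2(list size),
    however many character classes it mixes; otherwise fall back to brute force."""
    if password in known_passwords:
        return math.log2(len(known_passwords))
    return charset_bits(password)


def crack_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust the keyspace (expected time is half of this)."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumed guess rate for a fast offline attack on a weak hash
    # Constructed stand-in for a real cracking dictionary (assumption).
    KNOWN = ["123456", "password", "Passw0rd!", "qwerty",
             "letmein", "abc123", "iloveyou", "monkey"]
    phrase = "i am an ancient deity and you should do whatever i want or else"
    rows = [
        ("Passw0rd! by character classes", charset_bits("Passw0rd!")),
        ("Passw0rd! once it is in the list", effective_bits("Passw0rd!", KNOWN)),
        ("8 chars, all four classes", charset_bits("Xk7#pQ2!")),
        ("phrase by character classes", charset_bits(phrase)),
        ("phrase as words from a 10k vocabulary",
         wordlist_bits(len(phrase.split()), 10_000)),
    ]
    for label, bits in rows:
        print(f"{label:40s} {bits:6.1f} bits  {crack_seconds(bits, RATE):.3g} s")
```

The two passphrase rows are the caveat worth keeping in mind: the character-class figure for the phrase is flattering, and the honest number is the word-based one, which is still far above anything an 8-character password can reach.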

  87. kwikbreaks
    Boffin

    What a surprise...

    So people stupid enough to fall for a phishing scam also use insecure passwords - wow, I'd never have guessed.

  88. adaytay
    Coat

    @Sir Runcible Spoon

    That advert was probably the most inventive advert ever thought up - absolute genius!!

    For those of you who can't remember it... It showed this story in a ye olde fantasy setting. There was a guy who went off to save a princess but came across a monster whose heads he had to chop off.

    'Twas clever because the telephone number was made up of the scenes; they did a quick recap at the end. I can even remember the phone number to this day because of this clever manipulation of words (a clever thing you can do by associating memory with weird objects or scenes; memory experts recommend doing this when you want to remember something)... Here's the recap at the end of the advert...

    "Oh, a tundred!" Said the guy...

    "Sever one" said the guy as he chopped off one of the monster's heads. "Oh" said the monster, "Sever two"...

    "Free!" (said the damsel in distress)

    If you read the bits in quotes you'll get the phone number.... Gettit!?

  89. Wize

    Password keeping programs

    All well and good storing all your passwords in someone else's software. What if they turn out to be phishers too and all your passwords have been going to their servers for years...

  90. Adam White

    @adaytay

    So what was it an ad for?

  91. Lawrence

    Social networks are to blame too

    The second step in Facebook's sign-up process is the 'friend finder' option, where the user is invited to submit his/her Gmail / Yahoo / Hotmail login details so that some script can send automated emails to the contact list.

    Ironically, point 4.6 of Facebook terms states: You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.

    The problem with this (apart from the risk of some dodgy engineer skimming off this info) is that it makes it seem OK to share webmail login details. If I were a phishin' cyber criminal I'd set up a social network just for that purpose!

    I've blogged about this here if anyone is interested: http://www.architxt.net/blog/is-facebook-helping-phishers-hack-email-accounts

  92. Lawrence

    Don't remember passwords but a formula instead

    Rather than using the same password for all my accounts, which isn't particularly secure, I've come up with a single formula that returns different passwords for each.

    For example, a password for this site could be (but isn't):

    The first 3 letters of my email address / username + the year I was born but using '!' instead of the last '1' + the first and last letter of the site's domain name + the number of characters of the site's domain name.

    In this case: law!97!tr3

    If this isn't clear I've explained it in my blog: http://www.architxt.net/blog/miscellaneous/remembering-password/
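
A worked version of the derive-a-password-from-a-formula idea, added here as an example; it is not Lawrence's own code and the formula is a hypothetical one in the same spirit (username prefix, a private birth year with '1' replaced by '!', first and last letter of the domain's first label plus its length), not his actual scheme. It shows the failure mode a practitioner would flag: the username and domain parts are public, so a single plaintext leak, which is exactly what the Hotmail list is, lets an attacker strip them off, recover the private part and predict the password for every other site. The username, year and domains are constructed for the demo.

```python
def site_part(domain):
    """Public, site-derived component: first and last letter of the first DNS
    label plus its length (hypothetical formula, e.g. theregister -> tr11)."""
    label = domain.split(".")[0].lower()
    return label[0] + label[-1] + str(len(label))


def derive(username, birth_year, domain):
    """User's side of the scheme: the only private input is birth_year."""
    return username[:3].lower() + birth_year.replace("1", "!") + site_part(domain)


def recover_secret(leaked, username, domain):
    """Attacker's side: with the scheme's shape known, peel off the public
    prefix and suffix of one leaked password and what remains is the secret."""
    prefix = username[:3].lower()
    suffix = site_part(domain)
    if len(leaked) <= len(prefix) + len(suffix):
        return None
    if not (leaked.startswith(prefix) and leaked.endswith(suffix)):
        return None
    return leaked[len(prefix):len(leaked) - len(suffix)]


def predict(leaked, username, leaked_domain, target_domain):
    """Re-derive the password for another site from one leaked plaintext."""
    secret = recover_secret(leaked, username, leaked_domain)
    if secret is None:
        return None
    return username[:3].lower() + secret + site_part(target_domain)


if __name__ == "__main__":
    # Constructed demo identity (assumption, not any real account).
    user, year = "lawrence", "1971"
    leaked = derive(user, year, "theregister.co.uk")       # harvested by a phish
    print("leaked from theregister:", leaked)
    print("recovered secret      :", recover_secret(leaked, user, "theregister.co.uk"))
    for site in ["hotmail.com", "facebook.com", "paypal.com"]:
        print(f"predicted for {site:13s}:", predict(leaked, user, "theregister.co.uk", site))
```

Anything that is deterministic in public inputs plus one fixed secret degrades to password reuse the moment one site stores or leaks the plaintext; a password manager's random per-site strings have no such shared secret to recover.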

  93. Anonymous Coward
    FAIL

    itfitzme: Security fail - those patterns ruin the amount of keyspace you need to search.

    itfitzme: Oh please. Any decent password dictionary has loads of common "patterns" in them. After a quick search for 10 patterns I found the following 6 in a dictionary file I have:

    aqz]'/,

    edcedcedc

    qpzm7913

    qazxcdewq

    cde345tgb

    zcbm.13
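
Richard IV's "one key diagonally up" trick (hello becomes y3oo9) in comment 73 and the keyboard-walk entries in the dictionary just quoted are both plain QWERTY geometry. The Python below is an added example and not from any commenter or from the article: it applies the shift-up transform, shows that an attacker who knows the rule just applies it to every word of a list (which is what a cracking rule does), and scores a candidate for adjacent-key walks using the same key grid. The layout is US QWERTY with the physical row stagger ignored, and the wordlist and sample passwords are constructed for the demo.

```python
# US QWERTY rows, top to bottom. Row stagger is ignored (assumption for the
# demo), so "the key above" is the same column index in the row above.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def shift_up(text):
    """Replace each key with the key above it (hello -> y3oo9). Digits are
    already on the top row and characters off the grid are left alone."""
    out = []
    for ch in text:
        r, c = POS.get(ch.lower(), (0, None))
        out.append(ch if c is None or r == 0 else ROWS[r - 1][c])
    return "".join(out)


def crack_with_rule(target, wordlist, rule=shift_up):
    """Attacker side: the transform is public, so run it over a wordlist and
    compare, exactly as a mangling rule does. Returns the base word or None."""
    for word in wordlist:
        if rule(word) == target:
            return word
    return None


def adjacent(a, b):
    """True when a and b are distinct neighbouring keys (diagonals included)."""
    if a not in POS or b not in POS or a == b:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_fraction(password):
    """Share of consecutive key pairs that are keyboard neighbours: 1.0 for a
    pure walk such as qazxcdewq, close to 0 for unrelated characters."""
    p = password.lower()
    if len(p) < 2:
        return 0.0
    pairs = list(zip(p, p[1:]))
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs)


if __name__ == "__main__":
    WORDLIST = ["password", "letmein", "hello", "monkey"]   # constructed demo list
    print("shift_up('hello') =", shift_up("hello"))
    print("y3oo9 cracks back to:", crack_with_rule("y3oo9", WORDLIST))
    for p in ["edcedcedc", "qazxcdewq", "cde345tgb", "qpzm7913", "y3oo9"]:
        print(f"{p:12s} walk fraction = {walk_fraction(p):.2f}")
```

Two things the output makes concrete: a fixed keyboard transform adds no secret, since the attacker pays one extra rule application per candidate rather than any extra search; and a neighbour-pair score flags the walks (qazxcdewq, cde345tgb) but not every pattern, so qpzm7913, a corner-hopping sequence, slips past it and is only caught because it is already in the dictionary.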

This topic is closed for new posts.