back to article Two million TERRIBLE PASSWORDS stolen by malware attackers

Researchers have uncovered a massive cache of stolen account credentials which could impact some two million users. Security firm Trustwave said that its SpiderLabs reconnaissance team has detected a malware operation which has been able to pilfer account credentials on infected machines and build an archive of lifted …


This topic is closed for new posts.


  1. Paul 87

    All I can say is this...

    Randomness != secure

    Length and non-biometric information is far more secure in the long run, and easier to remember

  2. AbortRetryFail

    Re: All I can say is this...

    I didn't even need to follow that link to know which one it was. :oD

  3. Brian Miller Silver badge

    Re: All I can say is this...

    And watch that long password fall to a dictionary attack. Ars Technica: “thereisnofatebutwhat­wemake”—Turbo-charged cracking comes to long passwords, and How the Bible and YouTube are fueling the next frontier of password cracking. 1000 guesses per second is stupidly slow. Try 30 billion per second!

  4. Adam 1 Silver badge

    Re: All I can say is this...

    I thought you may have been posting this one for a tick

  5. Kiwi

    Re: All I can say is this...

    1000 guesses per second is stupidly slow. Try 30 billion per second!

    And how many websites let you ender that many guesses a second, or even a year?

    If they have the password file, they have your password. Reading the articles you linked (thanks!), no matter how stupidly complex your password is you're screwed. It's a matter of time and like the article says, some passwords fell very quickly but others took a while. Once the software/techniques and of course source lists were enhanced, those harder passwords were cracked.

  6. Psyx

    Re: All I can say is this...

    They won't hack my accounts: All my passwords are set to 1oD45f$tmk@@a%fd!

    Totally secure, eh?

  7. gubbool

    Re: All I can say is this...

    Read the article found on the following link to understand how passwords are cracked. It's not one user password at a time. User passwords are stored within an encrypted hash. Steal the hash and test words against it until you get matches.

    Easy passwords are quickly solved; repeat test with a better algorithm for more passwords; repeat again until the return (resolved passwords) on investment (time) is no longer worth the effort.

    The log into site with username and cracked password.

    Various nuances are discussed within the article.

  8. Don Jefe

    So I was in a retail store the other day and something was amiss with the register. The cashier called for her manager who came over to diagnose the problem. With me standing right there the manager said 'Push the Mgr Override button. Enter my employee ID (she spoke it aloud) then enter my password (again aloud) 1234567 and delete the transaction'.

    This was at a gigantic retail store with huge amounts of cash in each till and here's the manager not only blabbing her override information to another employee, but also to customers and the password is 1234567.

    Since I have no intention of getting done up for stealing from a retail store this information is useless to me. But it may not be useless to the employee or to their friends. Plus it's just epically stupid. Billions a year in revenue and even basic security isn't in place. I really don't have much confidence it's in place elsewhere either.

  9. auburnman

    In Retail terms that's an incredibly strong password. In my student days with a job at the local [Office Supplies Chain - name Redacted] the manager's password was 1. The deputy manager's was 2.

  10. Robert E A Harvey

    Sick and tired of remembering hundreds of passwords

    1960s technology belongs in the 1960s.

    It really is about time we had a better way of proving who we are.

  11. AbortRetryFail

    Re: Sick and tired of remembering hundreds of passwords

    You only need to remember one password; the master password to a vault such as KeyPass

    Quite why, in this day and age, people continue to try to *remember* different passwords for different sites or, worse, re-use the same one with multiple sites, is beyond me. I can only conclude it's ignorance and/or laziness.

    (Edit: And yet these same people are happy to use a contacts list in their phone and email, rather than remembering phone numbers and email addresses)

  12. Cripes Chief!

    Re: Sick and tired of remembering hundreds of passwords

    I was guilty of reusing a couple of passwords for multiple sites and did eventually turn to KeePass and haven't looked back since. All sites I use have a minimum 20 character password automatically generated when I create an entry.

    The only downside is I keep my database on an encrypted USB (backed up in my own cloud at home) so have to sort that out before I can access them and the auto type is a bit flaky on quite a few sites. Apart from that it's bloody marvellous.

  13. Anonymous Coward
    Anonymous Coward

    Re: Sick and tired of remembering hundreds of passwords

    KeePass is oldschool. Try this instead:

  14. Anonymous Coward
    Anonymous Coward

    Re: Sick and tired of remembering hundreds of passwords

    But, how do we know that the people who make KeePass are trustworthy?

  15. AbortRetryFail

    Re: Sick and tired of remembering hundreds of passwords

    > But, how do we know that the people who make KeePass are trustworthy?

    It's Open Source software, so the source code is there for inspection should you wish to audit it.

    Maybe the guys currently independently auditing TrueCrypt can move onto KeyPass next?

  16. gubbool

    Re: Sick and tired of remembering hundreds of passwords

    There is a flaw in thinking that 'open source' means secure.

    Once upon a time, a western firm provided controllers to the then USSR for the operation of their pipe line. This was at a time the the USSR could make a microprocessor from stolen technologies, but the device was 5 times the size with twice the inefficiencies in power and speed.

    The US gov't inserted a backdoor into the compiler and decomplier used to create new firmware. The resulting binary always had the backdoor and available decompliers always hid the backdoor. I think that was in 1970-ish. I am old and forget what I have done.

  17. Pascal Monett Silver badge

    Your post does not prove that open source code is not secure.

    Your post indicates that one must use a non-compromised compiler to create a program from open source code.

  18. i like crisps

    Re: Sick and tired of remembering hundreds of passwords

    I know what you mean Mr Harvey, its a real pain in the backside so just do what i do and write them down on a piece of paper then refer to that piece of paper when you need to. To provide an extra layer of security, you could write them down in a pad (paper one not Apple) and put the pad in your trouser pocket thus "Air-Gapping" your collection of passwords from any potential Hacker.......this advice is 'No Charge' to you Sir.

  19. Amorous Cowherder

    Re: Sick and tired of remembering hundreds of passwords

    No good writing 'em down, only takes a spill of coffee, coke (*) or small child needing some scrap paper and they'll all gone...unless you have a strongbox in the house with a photo-copy of the written down passwords, or better still make that a fireproof safe!

    ( * My Missus did have a book of passwords and logins written down and they did get soaked from an ice-cold frosty, sugar-beverage! Luckily she dried the book out and learned her lesson, put them in an encrypted software vault! )

  20. Sanctimonious Prick

    diversifying your passwords

    Absolutely! That is one thing many people do not understand! My GF uses the same unlock code on all of her devices. And the same lame response I get whenever it's brought up, "But what if I forget one? I don't want to have to remember that many passwords." FFS!

    oops. apologies.

  21. Anonymous Coward
    Anonymous Coward

    Re: diversifying your passwords

    The response I often hear when questioning someone's limp choice of password is along the lines of "well what do I care if someone gets access to my facebook/twitter account?". About half are a bit more sheepish when pressed as to whether their recycling policy extends to banks, credit cards etc.

    I finally changed my GFs mind when I found her email and favourite multi use password in a list dumped after a well publicised hack.

  22. Tom Maddox Silver badge

    The BOFH knows about bad passwords

  23. Anonymous Coward
    Anonymous Coward

    But what if I forget one?

    Don't worry, you can keep track of them in one of these:


    Are you tired of losing track of those login/usernames and passwords you create every time you visit a new Web site? Do you have sticky notes and scraps of paper scattered about your office and home computer space covered with these vital pieces of information, but never seem to be able to put your hands on them when you need them? Now you can keep important Web site addresses, usernames, and passwords in one convenient place! Introducing the Personal Internet Address & Password Organizer! This time-saving, headache-preventing little organizer features:

    Lots of space: 144 pages, including tabbed alphabetical pages

    Plenty of room for all those Web site addresses, usernames, passwords, and additional notes

    A spiral binding that allows pages to lie flat for ease of use

    Handy elastic band closure

    Pages in the back on which to record additional useful information, such as your home network configuration, software license numbers, and other notes

    Removable label and discreet cover design

    4-1/4'' wide x 5-3/4'' high


    No it's not April 1st, this and several similar ones get 4*+ reviews.

    It even says "Personal Internet Address and Password Log Book" on the front (in big friendly letters as required by law).

    I've asked my local IT folks if they can supply them, given that their expertise doesn't seem to cope with anything other than Active Directory authentication from Windows XP/7 clients (and deffo no Lunix).

  24. Anonymous Coward
    Anonymous Coward

    Re: But what if I forget one?

    Yep, I've got one of those. I got so annoyed with remembering all the passwords I needed that I bought one.

    I knew it wasn't very secure though, so I created an encryption sheet of 987 letters with a master sheet which changes every week to give a new lead key. As long as I remember the decryption sequence it's easy.

    Oh... wait...

  25. Old Handle

    "4 used from £3.46"


  26. An0n C0w4rd

    Shock horror

    People who don't take basic security steps, like anti-malware and anti-virus, also trend to choose dumb passwords!

    Providers need to put basic checks into their systems to prevent such passwords in the first place. Just because 12345 is the combination for your luggage doesn't mean you should use it for your bank accounts!

  27. Sanctimonious Prick

    Just because 12345 is the combination for your luggage

    Yeah, but that's easy to remember...


  28. scoot76

    Re: Just because 12345 is the combination for your luggage

    So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

  29. Charles 9 Silver badge

    Re: Just because 12345 is the combination for your luggage

    12345? That's amazing! I put the same combination on my luggage!

    But SERIOUSLY, remembering the password IS an issue just as big as having it stolen which is why it creates a second, competing barrier to passwords: you need one that's hard enough to guess but not SO hard you can't recall it. Think of it like having a ring full of keys. If time is pressing, could you retrieve the one key you need quickly enough? And if you use anything to help differentiate the keys, then someone who STEALS the keys can use those mnemonics, too. And key vaults only help if you're in known systems. What if you MUST login on a new or otherwise unknown device where the key vault can't be retrieved?

    Sometimes I wonder if we should try to develop something better than passwords because, let's face it, people's memory can be flakey, but what alternatives are out there that can tick all the boxes?

  30. DropBear Silver badge

    Re: Just because 12345 is the combination for your luggage

    @Charles 9: Try this (if it ever actually starts selling, that is...): - It's meant exactly to solve inputting anything anywhere, including insecure terminals (if you trust your credentials transiting them of course).

  31. Anonymous Coward
    Anonymous Coward

    PostIt Note

    Top drawer

  32. Anonymous Coward
    Anonymous Coward

    Re: PostIt Note

    top drawer! how obvious, I keep mine on the underside of the keyboard, no-one would ever look there!

  33. This post has been deleted by a moderator

  34. Lusty Silver badge

    Re: Crack this...

    That's just the point, nobody will because the juice isn't worth the squeeze. Facebook is not a bank so why would I set a hard password? Yahoo is of so little value to me that I doubt I'd act even if it was "hacked".

  35. Lusty Silver badge

    Re: Crack this...

    That having been said I'm only 4 votes off a silver badge so hands off the reg account!!

  36. Adam 1 Silver badge

    Re: Crack this...

    Now imagine some future exploit el reg falls for means your password hash is discovered. You had better hope they are using some appropriate salt in their password hash. If not your password will be identified in seconds. The same credentials can thenbe checked for the email, ebay, amazon, etc. If they can access your email they will get all sorts of passwords reset.

  37. Ledswinger Silver badge

    Re: Crack this...

    " I'm only 4 votes off a silver badge so hands off the reg account"

    It's posts, I thought, not votes (it's certainly not word count, otherwise I'd have a platinum badge with diamond adornments).

    So on that basis, open your Reg account to the hackers, let them spill their bile, advertise their tawdry tat etc, and those posts will push you over the limit. But you can have a free upvote on me, if that's any help.

  38. Pascal Monett Silver badge

    Nope, it is indeed votes. But only the positive ones count.

  39. Irongut

    Re: Crack this...

    Ah the old FB is not a bank and I don't care if someone hacks my Yahoo account line.

    Do you realise your FB account contains lots of personal details that would be useful in impersonating you to your bank?

    Would you care if I hack your Yahoo email and send a message to your boss telling him you think he's a dick? Maybe send everyone at work an email containing goatse? Or how about sending your wife/husband an email that appears to be one you meant to send to the lover you are having an affair with?

    Suddenly that unimportant Yahoo account might need a better password.

  40. Lusty Silver badge

    Yeah and it turns out its 2000 not the 1000 I was sure they initially announced so a good year or two yet! :(

  41. Charlie Clark Silver badge


    Passwords are the problem not the solution.

  42. Anonymous Coward
    Anonymous Coward

    What is the solution?

    So what's the solution?

    Remembering 10-20+ strong passwords isn't easy for most people.

    I've been thinking of using one of the password vault systems but then all my credentials are in one place - what happens when they get hacked?

    Is it really so bad to write everything down? A notebook with all credentials, though instead of using a bank name you'd probably use something a little more cryptic. Stick it on the bookshelf, lock it in a box, whatever. At this point it seems far less likely that it will be compromised than using crap passwords on websites. Especially if you live alone - I suspect very few burglars will be looking for this. Seems like good risk management to me.

    Of course this only works for sites you access from home.

    Note: just had to reset password to post this as I forgot it.

  43. gazthejourno (Written by Reg staff)

    Re: What is the solution?

    There's a sideways thought - reset your password every single time you use a service, and use one of those password-generating sites to come up with a dictionary-proof password each time.

    Bit cumbersome, mind.

  44. Darryl

    Re: What is the solution?

    "reset your password every single time you use a service"

    I sort of do this with a lot of passwords. Not on purpose, but the once a year that I might log into some software company's updates page or similar, there's no way in hell that I'm going to remember what I used as a password, let alone which email address I used to sign in, so I make good use of their 'Forgot my password' button. Then I just have to try a few email addresses until it recognises one.

  45. RyokuMas Silver badge

    Terrible passwords...

    ... are just Darwinism moving into the cyber arena.

    And David Attenborough reckons we are no longer evolving!

  46. Anonymous Coward
    Anonymous Coward

    I wonder if the large financial organisation where I installed an IT system once still insists on username: security; password: security; for all its access control administration...

  47. Gordon Pryra

    "little indication that those efforts to educate users are gaining much traction"

    When the passwords are just lifted wholesale in clear text from the site you enter it at, whats the point?

    On top of that, its a proven fact that the more complex the password the more likely it is to appear on a post it note stuck to the screen...

  48. Intractable Potsherd

    Re: "little indication that those efforts to educate users are gaining much traction"

    Whilst I don't do it (I am fortunate in having a reasonably good memory and a technique for creating passwords), Bruce Scheier actually advocates strong passwords written down and kept in your wallet/purse. I'm not sure I agree, since money, cards and passwords all kept in one place just seems to multiply the pain if it is stolen, but using a simple substitution code (all numbers are +2, or whatever) could help.

  49. Paul Smith

    password policy

    I got so peed off with different sites requireing different policies, that I came up with my own.

    I have three passwords, (four if you include the ones I don't bother remembering) that I use for everything.

    I have my use everywhere password for low value sites that wont hurt me if they are cracked (such as this one). It looks like Passw0rd (but isn't) giving me 8 character mixed case with digit to satisfy most sites.

    I have the passwords that must be changed on a regular basis such as work, it looks like Password1311 (but isn't), the digits are the year and month I last had to change it.

    I have a complex non-guessable password for bank accounts etc.

    And finally, for infrequently visited sites, I just use the "forgot my password" link and have them send me a new one when I want access.

    I am not a fan of keypass or the likes as they are just a single point of failure. If someone hacks my hotmail account, if they take the time, they can find references to some of the other sites I access, and maybe even some of the user ids I use. They can they try to access each one individually to see if I have used the same password. If the break my keypass account, they have full access to every site I have registered with keypass, no need to guess. And that motivates hackers to target keypass.

  50. gubbool

    Password Scheme

    Care to know a password generating scheme that works?

    The password checker at say that my passwords are pretty good.


    It would take a desktop PC about

    501 nonillion years

    to crack your password


    I use a md5 hasher to create a password; I need only remember the method used to create the root word used for all sites. The md5-er will make it different and significantly more complex.


    my root word for the password for 'The Register' is two parts. A ' short secret pattern' used at all sites and several characters from site name; ie. 'The Register' = happyregister. The md5 hash is 589c4d4e1f9bf29a16fd66fb385ea351 and The Register likes long passwords :)

    For the few sites that don't like long passwords or requires special chars, I reduce the password length until the site is happy and add the special characters as needed. For some sites, I do have to keep up with the length and special chars, but very few; and I have a simple 'tag' based on a common pattern for all such needs. example 589c4d4e1f9bf29a16fd66fb385ea351 plus the tag 'N!'

    So I copy & paste the md5 hash and type the tag...

    Every site has a different password because I am using the site name as part of the root password.

    I never write down a password. I use the md5 hash maker to generate it as needed.

    I am never 'without' my password because I know the pattern for the root word and this site will gladly give me the md5 hash.

    If you can spot a flaw with my method, please point it out to me.


This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2018