Good news: 'password' is no longer the #1 sesame opener, now it's '123456'

Despite the fact that users continue to cling to predictable and insecure passwords, the worst of them all is no longer the most popular. Security firm SplashData reports that in 2013, "password" slipped from the top spot as the most popular log-in code. Taking over the dubious distinction of most popular (and perhaps least …

COMMENTS

  1. Lusty

    The problem is that the geeks requiring passwords often think their application needs more security than the users do. I can't imagine many people being overly bothered when their twitter password is hacked which might be pass1234 but those same people might use a really complex bank password.

    The real take away from this is that 123456 and password are the most popular passwords on services that we know take security seriously enough to have been hacked and had their passwords published. The users probably don't give a hoot either other than having to change that same password/email combo on other services to stop "hackers" getting in.

    1. Flocke Kroes Silver badge

      When you do not want to create an account

      Try emails postmaster@localhost or user@name.example.com with passwords password or wordpass.

      If that does not work, create that account so the next person does not have to bother.

      1. Cliff

        Re: When you do not want to create an account

        Don't be the lowest hanging fruit. I use a moderately obscure but dictionary password for sites that made me register with no meaningful loss if I get 'hacked' (eg this one - frankly who cares as long as it's not 123456) and a stronger brute force only one when a site matters.

        1. Yet Another Anonymous coward Silver badge

          Re: When you do not want to create an account

          For sites that you don't care about - having to create an account to download an update - surely it's more secure to use "password" or "1234567" than anything more secure which might also be used in a similar form on sites that matter.

          1. Tom 35 Silver badge

            Re: When you do not want to create an account

            When they want me to create an account just to download a patch or something and have "send me crap" checked by default I'm Elvis, and my email is marketing@their-domain.com and the crappiest password that will work.

            Elvis is often already taken... so I use a "funny name" like I P Standing, Mickey Mouse is almost always taken.

            1. Nick Ryan Silver badge

              Re: When you do not want to create an account

              Other than marketing@, other commonly used ones are:

              sales@<theirdomain.com>

              support@<theirdomain.com>

              The usual <expletives>@<theirdomain.com> are often good to go as well... If you can be bothered to do the research, the name of their owners or board members is also quite adequate and you'd be surprised how many of them don't appear to have accounts on their own systems that they foist onto the public.

    2. John Lilburne

      Quite. I don't give a shit about stupid web forum passwords; they can all be the same for all I care, and easy to type too, or at least the damn stupid computer can remember it. Other accounts might get a bit more security consciousness from me, but when they start messing about with stupid rules and make it complicated then count me out. Recently I was in the local bank setting up an online account. Having filled in the forms I was then asked to supply an 8-12 digit password. I'm never going to remember THAT without writing it down, then thought I don't have to write it down or remember it either. Reach into wallet, pull out a membership card, use the first 10 digits from that, look at bank employee and smile.

      1. ravenviz

        I manage my passwords by not letting on what my rules are, however clever I think I am being.

  2. BinkyTheHorse

    Balls to that!

    "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

    1. Richard Taylor 2 Silver badge

      Re: Balls to that!

      No not really, I use 123 on my luggage because it only has a three digit code.

      1. Simon Harris Silver badge

        Re: Balls to that!

        I set my password to 99999999

        The trick is knowing which order to type in the nines.

        1. Tom 35 Silver badge

          Re: Balls to that!

          So what, I saw some guy use ****** for his password!

          1. WraithCadmus

            Re: Balls to that!

            That's just showing up as hunter2 to me...

      2. Anonymous Coward

        Re: Balls to that!

        911 just to f*ck with tsa agents.

    2. DiViDeD Silver badge

      Re: Balls to that!

      Absolutely! I use 0-0-0-0-0-0-0-0 for all my combination locks. If it was good enough to protect the US nuclear arsenal then it's good enough for me!

      http://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587

      1. andy k O'Croydon

        Re: Balls to that!

        Yowser! Apart from that alarming revelation, it would be quicker to use something like 06060606 because then you could use 2 fingers.

        1. Simon Harris Silver badge

          Re: Balls to that!

          "it would be quicker to use something like 06060606 because then you could use 2 fingers."

          Didn't nuclear missile launch panels of that vintage have a row of thumbwheel switches rather than a keypad to enter the code?

  3. ObSolutions, Inc

    create and forget

    "Avoiding the use of easily-guessed passwords is simple enough if users employ a bit of creativity and standard best practices, such as using hard-to-guess mnemonic device and mixing letters and numbers (non-sequential, obviously) in their passwords"

    Based on an el reg comment some 12 months ago, I started using KeePass. Haven't looked back since. It creates, stores securely, and makes it easy to re-enter passwords in websites, etc.

    Alternatively, if you suspect you won't be using the site very often, just create a bogus password and forget about it - when you come back in 6mo, it's much easier to have them send you a reset e-mail.

  4. Dabooka Silver badge

    It's not just about websites though is it?

    Take my work; every 28 days I'm instructed to "change my password for my security"

    Before this policy, I used to use my next door neighbours' WPA alphanumeric string for their wifi (we lend each other's when the connection is poor!). Can't do that now. Now I use it with an incrementally increasing number at the end, and I'd bet most of my colleagues just use 'Password#' and add one once a month. I wonder what is more secure? I'm sure Enigma being cracked was in some small part due to an incremental increase being used which allowed the rest to be broken.

    I'm not suggesting I have the answer, far from it, but multiple logins at the same place of work, all of which require constant changes, just pushes people to either write them down or make them more simplistic and then repeat its usage.

    Just sayin', please don't flame me!


    1. BigAndos

      Re: It's not just about websites though is it?

      At work I have to log into three different domains each day and (naturally) they all have different password rules. And then if I want to use my admin account on any of them the password has to be a minimum of 25 characters long FFS! While this is indeed excellent security practice, it is a giant pain in the bottom. I have a very good memory for patterns of letters and numbers, for example I can usually memorise my credit card details after using it once or twice online. However, even I regularly forget passwords, get locked out of accounts etc.

      Most people can't memorise things like this very well at all so I think a lot of people just choose the easiest passwords possible almost as a form of protest or stubbornness. I'm not sure what the answer is either but there has to be a better way.

      1. Cliff

        Re: It's not just about websites though is it?

        The more onerous the rules, the more you force people to write down their passwords on post it notes, the less secure they are.

        Changing every 28 days, particularly on a well enough secured corporate network, what's to gain? What theoretical risk does it mitigate to the point where post it notes are more secure? Maybe you can VPN in, but secondary/2FA takes ample care of that.

        1. nuked

          Re: It's not just about websites though is it?

          Contrary to popular belief, written down passwords are not a great security risk, when looking at the root causes of intrusions. The enforced renewing of passwords is however a major damage limiter for infiltrated systems. Drives me nuts too, but the numbers say it is certainly worth the inconvenience.

        2. Tom 35 Silver badge

          Re: It's not just about websites though is it?

          Our phone system decided to make everyone change their voicemail passcode the day before Christmas break. Guess what happened when they came back? Except for the ones that put a sticky note on the bottom of their phones...

          I discovered that one sneaky staff member had discovered that if they "forgot" their password and had me reset it with "must change password" set, they could put their old password back in without getting the can't reuse password error. Didn't want everyone doing it so I waited a day, then turned "must change password" on again.

          But I agree with others (and have talked to the boss, but that's what the best practices doc said to do...) that forcing password changes is a waste of time as they will just add a number to the end.

          Microsoft says that Pa$$w0rd is Very Strong...

          1. Michael H.F. Wilkinson Silver badge

            Re: It's not just about websites though is it?

            Reminds me of the BOFH episode in which he recalls setting the minimum required password length to 32 and requiring users of said VMS system to choose a new one each day (which meant they really had to use the password generator, which gave results described as "vaguely pronounceable line noise"). Now that's trying!

        3. Roland6 Silver badge

          Re: It's not just about websites though is it?

          >Changing every 28 days, particularly on a well enough secured corporate network, what's to gain?

          Depends upon the particular enterprise and the sector it is working in. But yes if you really are using good security, particularly for remote access (eg. two factor password generator tokens and/or PKI certificates) then I would agree. However, I suspect that many use the same password for remote access as they use for local in-building access, which presents a greater security threat, due to these credentials probably being sent across the internet in plain text.

      2. Terry 6 Silver badge

        Re: It's not just about websites though is it?

        I agree. And add in that the non-techie office worker wants to sit down and quickly get that report printed off, check the figures for that meeting etc.

        So they need a quick reliable log-in.

        They can't sit there for several minutes trying to work out what password they used this month, whether it was for the computer log-in or the data account, which letter was the capital etc. then get locked out because they used the wrong one more than twice, then wait for it to let them back in, then ask to be sent a new temporary password that has to be emailed (or texted, if they have their work mobile at the desk with them) then type in the 9 random letters and numbers they've been sent, get it wrong twice, get locked out again, try again, wait ten minutes, maybe get it right, enter a new password (twice) and try to remember what it was they changed it to.

        So they type qwerty or 12345 etc. and head for that meeting, while cursing the entire IT community.

      3. PJI

        Re: It's not just about websites though is it?

        Just to add a wrinkle: I work in a country where my keyboard in a workplace can be US, UK, German, Swiss German, French or even something else. So, using even letters of the alphabet can cause problems as these move around the keyboard (I touch type and am reasonably multi-lingual in this respect).

        So, one learns, the hard way, to not use those characters that may be absent on some keyboards or move about (e.g. Z and Y). Combine this with the above mentioned idiocy of enforced, frequent password changes with differing validity periods, numbers of retries, rules (sometimes clashing, such as minimum and maximum lengths): fine way to keep more and more low level admins employed.

        In the end, security is degraded severely as unhappy and alienated users find it almost impossible to remember which password for which system is current and so stay logged in for as long as possible to avoid having to reenter the string, or avoid using the system as long as possible or write down the numbers, with any luck in their mobile telephones or in a file under a login they really do use and know well.

        I tend to put important ones in my mobile (according to the manufacturer, encrypted - I have the most complex password for that) and, because a mobile can get lost, forgotten or run out of battery, in a simple, text file, encrypted using gpg (using another odd password). It does not protect me against mistypes because I forgot I had changed it or which keyboard I am on or just was not fully awake. But it is the best that I could do so far.

        Then, some systems seem to be so complex or perhaps the network is so bad, that the change does not actually go through or causes a lock at once. Some even warn you that the relevant server is so far away across some international firm's network that it will not be active for 24 hours (really) and the LDAP server is down and .... Or you must restart your PC to flush all caches ….

        Then, the reminder email tells you that you must change the password within ten days. Oh dear, it arrived the day after you left for a fortnight's holiday, following the firm's rules that you must take at least a fortnight's holiday in one lump every year. What fun trying to log back in when you return (you know where the helpline number is or you must use email, it's listed in the internal website - oh you can not log in and you came in early and nobody else is here for two hours yet).

        Moral: over-prescription and micro-control are not better than simplicity, education and adjustment to real human - computer interaction.

    2. Steve Foster

      Re: It's not just about websites though is it?

      «Take my work; every 28 days I'm instructed to "change my password for my security"»

      The default in Windows domains is 42 days. I usually push that out to 90 days or so (it's a reasonable compromise for the environments I'm normally managing).

      There are a couple of valid reasons for requiring regular password changes - a) if someone leaves and IT isn't informed (no, really, it does occasionally happen!), the password expiry should limit exposure[1], and b) it discourages users from password-reuse (in the same-password-everywhere sense).

      [1] assuming supporting secure policies are in place (such as preventing remote changes of expired passwords).

    3. Anonymous Coward

      Re: It's not just about websites though is it?

      Yes, but with the Enigma machine I'm sure I saw a documentary which said a lot of the cracking could be done because the Germans would often use a predictable keyword cipher. That is, if the first letters of the cipher were discovered to be H-I-T it didn't take a genius to realise the rest would be L-E-R. I think they also used B-E-R with L-I-N on one occasion. Which sort of goes to prove that the weakest link in the security chain will always be the carbon based life form trying to operate the infernal machine.

    4. Triggerfish

      Re: It's not just about websites though is it?

      I agree. I used to work at a place that really had to take their security quite seriously, including hiring pen testers for the network. If at some point someone managed to get past the array of firewalls and the security team, my passwords being changed every 28 days is probably irrelevant.

  5. Anonymous Coward 101

    I suggest Ian Watkins could give us all good advice about strong, hard to guess passwords. Such advice would no doubt include choosing passwords unrelated to any crimes one regularly commits.

    http://www.theregister.co.uk/2013/11/27/gchq_role_watkins_child_abuse_case/

    On a serious note, everybody should be using password lockers these days. You will only need to rote learn one strong password. I don't know how I lived before using Keepass.

    1. Roland6 Silver badge

      Re: everybody should be using password lockers these days.

      "should" is the operative word.

      I'm a little surprised, given what MS have previously bundled in MSDOS and Windows, that they didn't bundle one into Windows 7 or 8 and their cloud services. Because they haven't and because it is a discrete install on all your devices which may also involve some additional cost, I suspect that only those "in the know" take the trouble, hence the majority of users are left with basic tools for recording passwords - which in many cases come down to pen and paper.

      What I've found interesting is that in the various enterprise desktop refreshes I've been involved in, a password locker hasn't been included - interestingly at the enterprise level it can be hard to justify (even though Lenovo Thinkpads have included an OEM proprietary password locker for some years), but at the SoHo end of the market it is practically a no brainer.

  6. Anonymous Coward

    I used to work at an IT support company

    whereby the original password for domain admin, router admin, whatever was "support"

    Then, password complexity was heard of, somewhere in the 1990s they decided that "support" was no good so they upgraded the complexity to "supp0rt1"

    Then afterwards the company's standard password was then upgraded further to "Supp0rt1"

    With the company's name as the username, and the above password, you were pretty much guaranteed to get in to any of their customer's servers with full admin.

    Anonymous because their legal defense fund is higher than mine.

    Stupid user passwords do not surprise me. You can bet your bottom dollar that there's a large chunk of "network admin team" passwords lumped in there, and that that password of "ch33s3" or whatever will also unlock their router.

    Surprised that this survey wasn't funded or sponsored by Lastpass or anything like that. Tempted to put a referral link in my post...

  7. Tony W

    Why does anyone expect people to remember?

    Even a casual internet user would likely need passwords for PC logon, ISP, email, router admin, Wi-Fi, bank, building society, Amazon, eBay, gas and electricity on-line accounts, Facebook and Twitter, as well as non-internet PINs for credit and debit cards. It's just not reasonable to expect human beings to remember all these. Most people I know have their passwords written down, or have simply forgotten the less frequently used ones.

    The only practical answer is to use a password utility such as provided with some AV programs, or a stand-alone utility such as Keepass. For me it's an essential piece of software.

    I avoid creating passwords wherever possible but even so I have 392 passwords ... of which probably 1/4 are defunct and I will never need about 3/4 of the rest (only I'm not quite sure which 3/4.) Some of these belong to relatives in case they ask me to sort out problems with their email etc.

    But they're easily managed with Keepass, and available on my desktop PC, laptop and phone, by sharing the encrypted password file on DropBox.

    I only have to remember the master phrase, and I use that often enough to remember easily. Should I change it regularly though? Surely if it's secure I don't need to, and if it isn't, by the time I change it, it would probably be too late.

    1. R Soles

      Re: Why does anyone expect people to remember?

      > "by sharing the encrypted password file on DropBox."

      So you're happy with the NSA knowing all your 392 passwords?

    2. Tom_

      Re: Why does anyone expect people to remember?

      That's great until you find yourself on holiday without your PC and your laptop and phone get stolen.

      "That's ok, I'll go to an internet cafe!" you think. So in you go, pay for an hour and sit at a computer.

      ... "Shit."

  8. Terry 6 Silver badge

    Seeing the password

    The fact that the entered password is only seen as a string of ******* doesn't help either.

    If you can't see what you type in you are much less likely to remember it.

    You are much more likely to mistype it too.

    So users will choose something simple that they can get right. "qwerty" and not "sDwLios34Fg45"

    The need to hide the entered password is surely not as significant as making sure the users choose something safe in the first place.

    1. Steve Foster

      Re: Seeing the password

      "The fact that the entered password is only seen as a string of ******* doesn't help either."

      The theory goes that this provides protection against shoulder-surfing. I suspect that this is less of an issue than previously thought (and those keen observers can probably achieve the same result by finger-watching).

      This seems to be being belatedly recognised - I've seen a number of places where the user can now opt to show passwords as they're typed (for example, when connecting to WiFi networks in recent versions of Windows).

      1. Ken Hagan Gold badge

        Re: Seeing the password

        25 years ago, most systems weren't networked and shoulder-surfing was probably the main issue. Now, most systems are online and the main attacker is some foreigner with an FPGA-based password cracker. So yes, times have changed and the most secure system now would probably be to write your long password(s) on a Post-It note and stick it (them) to your monitor.

        1. Chris T Almighty

          Re: Seeing the password

          At which point your main security threat won't be some foreigner, it'll be someone in your office. It has to be down to the software to reject commonly used passwords.

          "No. You're NOT choosing 123456 as your password.

          Would you like to try again, or should I just mail your Boss now and tell him you can't even manage this simple task...?"

    2. DiViDeD Silver badge

      Re: Seeing the password

      Even in the early days I never understood the reason for hiding the password from the user. I mean, if someone's looking over your shoulder as you type, they can read which keys you press as easily as the screen, and if you have fingers with a mind of their own, you'd like to be able to see that you've typed s0l4r4419 when you should have typed soL4r4491.

      Although I always got a titter from the obscured passwords in Windows that you could read by cutting and pasting into Notepad.

      1. Roland6 Silver badge

        Re: Seeing the password

        Re: Even in the early days I never understood the reason for hiding the password from the user.

        This convention is probably a hangover from when many people accessed computers through teletypes and early VDUs (that effectively emulated the teletype) - where output was either printed on continuous paper or remained on screen until it was scrolled off (for younger readers the command-line shell gives a good emulation of this mode of operation). Hence a concern would have been the length of time the password was on display.

        And yes we shouldn't under-estimate the power of (unwanted) screen reading apps.

      2. teebie

        Re: Seeing the password

        It's a lot easier to read a password from a screen, than from someone's finger presses (source: I can only do one of these things)

        Showing *s for everything but the last character seems to be becoming more popular, and provides a compromise between the two

  9. Frumious Bandersnatch Silver badge

    using hard-to-guess mnemonic device

    Step 1: pick a tune that you can play on a piano keyboard

    Step 2a: assign one key to each piano key /or/

    Step 2b: count whole notes/semitones from some starting position

    Step 3: hum the tune or come up with some mnemonic to remind yourself of the association

    Step 4: wait until someone makes a dictionary with common melodies

    To be honest, this is probably just as bad as something like picking/encoding sections from $INSERT_ONE_AND_ONLY_HOLY_BOOK_HERE.

    1. Eddy Ito Silver badge

      Re: using hard-to-guess mnemonic device

      You forgot one.

      Step 0: learn how to play the piano and the difference between notes and semitones.

      Now to find a piece that is easy to play with only one thumb.

      1. Irony Deficient

        a piece that is easy to play with only one thumb

        Eddy, how about John Cage’s 4′33″?

        1. zb

          Re: a piece that is easy to play with only one thumb

          I prefer Mike Batt's derivative work "A Minute's Silence" but it may be too short to provide a secure password.

  10. Duncan Macdonald Silver badge

    Banned password dictionary

    Even back in the early 1980s VMS had a list of banned passwords - any attempt by a normal user to create a password that matched one in the forbidden list was rejected with a request for the user to choose a different password. Why is it that modern systems running on vastly more powerful hardware do not use the same method? (From memory in one of the early VMS versions the forbidden password list was about 47000 words long.)

    1. Nick Ryan Silver badge

      Re: Banned password dictionary

      I forgot about running into that, but it all comes back to me now. It was a very sensible thing to implement even if it was frustrating at times.

      However, when Microsoft got involved and attempted to shift from single-user standalone devices to make them networkable after a fashion, things went backwards. The passwords on these local systems were checked locally and 47000 words was probably too much of a dictionary for either the local storage / install media for the system to check against given Microsoft coding efficiency at the time. As a result, subsequently, if your website or service didn't allow a password that a local system that you used did, then it would appear to the end user that your website or service was defective, not the local system with poor or no security. Basically: Lowest Common Denominator wins :(

    2. Ken Hagan Gold badge

      Re: Banned password dictionary

      Windows (well, proper Windows rather than the Domesdos-based version) has always supported password complexity policies and I believe you could implement a banned list by writing a GINA DLL.

      If you haven't noticed, it is because your sysadmin doesn't know how to switch it on. I suspect *that* is the main difference between Windows and VMS.

  11. pith

    Obligatory XKCD link

    https://xkcd.com/936/

    1. Adam 1 Silver badge

      Re: Obligatory XKCD link

      Although that one is probably common now. My approach is to generate a random number for each required credential.

      http://xkcd.com/221/

    2. Micha

      Re: Obligatory XKCD link

      While a neat idea (and definitely better than abc123) the main problem is that most systems don't allow arbitrarily long passwords. For example, one of my online bank accounts restricts me to 6 characters, numbers and uppercase letters only. I kid thee not.

      Also the entropy doesn't scale quite as well as claimed if the attacker knows the pattern (a selection of (4 common english) words).

      1. b166er

        Re: Obligatory XKCD link

        But surely two-factor authentication?

        If not, why are you still with that bank???

    3. Jim 59

      Correct horse battery staple

      I try to follow the XKCD way, but remembering several random words for each site is not as easy as it sounds. I can remember many "Tr0ubad0r" type passwords, but only 2 of the XKCD variety.

  12. mrjohn

    In Firefox, preferences>security>saved passwords>show passwords

    It does ask if you really want to show your passwords

  13. Anonymous Coward

    Most used password?

    Having seen a few people using web-based outlook and web-based database access recently, I would say the most commonly used password appears to be the username.

    On a system with confidential info too.

    The reason I heard was to allow colleagues and IT support easy access.

    Simply staggering.

  14. Chicken Marengo

    Password Policies

    If it's an account I don't care about then it's EREIAMJH every time.

    If I'm setting a password for a user/colleague who has a history of sharing their password then I take a sentence, encrypt it and set their password as the encrypted string.

    For most websites, I simply forget the relevant password and create a new account every time I logon.

  15. Ralph B

    Decline of Monkey

    > "monkey", interestingly enough, slipped all the way from the sixth spot last year down to number 17 overall.

    The effects of Ballmer's retirement are being seen already.

  16. John H Woods

    Dvorak keymap helps ...

    If I press the keys P-a-s-s-w-o-r-d on my keyboard, I get "Laoo,rpe". And if I switch back to Qwerty, "Password" comes out as "Ra;;,sho". Both of these pass muster as strong passwords on nearly every site I try.

    It's also useful if you leave your computer momentarily whilst it is still logged in, it's pretty hard for your 'friends' or colleagues to do much of anything in a short time when only the A, M, and the number keys are in the same place!

    1. Roland6 Silver badge

      Re: Dvorak keymap helps ...

      >It's also useful if you leave your computer momentarily whilst it is still logged in...

      I found that many colleagues were put off by the simple setting of the mouse to operate in left-handed mode (ie. left and right button functions swapped).

      Interestingly, since I replaced the mouse on my elderly parent's system with a trackball, their system has become a lot more stable - they prefer the trackball (less hand movement and easier to control by 'old' hands), but others (that liked to 'fiddle and fix') find it difficult since they are used to mice.

  17. JulianB

    Using a blank keyboard

    A colleague of mine used the blank "Das Keyboard", and couldn't tell you offhand what his password was. He just picked a pleasing pattern of keys. I guess that would be applicable even on a conventional keyboard.

  18. malfeasance

    echo -n "$1" | md5sum | xxd -r -p | base64 | cut -c1-10

    Choose a celebrity that's died recently, a song lyric, favourite poem. Done.

    For non-important websites (like this one), forums, twitter, whatnot. My password is a dictionary word, with this applied. Easy to remember; I don't check websites unless I'm on a trusted machine...
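    An added worked example, not from the thread, putting numbers on two points raised above: Micha's remark that the xkcd entropy only holds if the attacker knows the pattern (and that a 6-character, digits-and-uppercase bank limit caps it anyway), and malfeasance's hash-then-base64 recipe, which this ports to Python with hashlib so its output can be inspected. The word-list size of 2048 is the one xkcd 936 assumes; the 170,000-word English dictionary size and the 8-character truncation (the "only the first 8 are read" case a later comment mentions) are assumptions for illustration.

```python
import base64
import hashlib
import math


def entropy_bits(alphabet_size: int, length: int, max_read: int = None) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from an alphabet.
    `max_read` models a backend that only reads the first N characters."""
    if max_read is not None:
        length = min(length, max_read)
    return length * math.log2(alphabet_size)


def bank_six_char_bits() -> float:
    # Micha's bank: 6 characters, digits and uppercase letters only (36 symbols).
    return entropy_bits(36, 6)


def four_word_bits(wordlist_size: int = 2048) -> float:
    # Four words chosen uniformly from a list; 2048 entries is the xkcd 936 assumption.
    # This is the strength of the pattern once the attacker knows it, not of the
    # string's character length, and only if the words are chosen at random.
    return entropy_bits(wordlist_size, 4)


def derive_password(word: str) -> str:
    """Python port of the shell recipe posted above:
    echo -n "$1" | md5sum | xxd -r -p | base64 | cut -c1-10"""
    digest = hashlib.md5(word.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:10]


def derived_apparent_bits() -> float:
    # Ten base64 characters look like 60 bits to someone who does not know the recipe.
    return entropy_bits(64, 10)


def derived_actual_bits(dictionary_size: int = 170_000) -> float:
    # Once the recipe is known, the only secret is the input word: one pick from a
    # dictionary (170,000 is an assumed size for an English word list).
    return math.log2(dictionary_size)


if __name__ == "__main__":
    print(f"bank, 6 chars of [A-Z0-9]      : {bank_six_char_bits():5.1f} bits")
    print(f"four words from 2048           : {four_word_bits():5.1f} bits")
    print(f"62-char password, first 8 read : {entropy_bits(95, 62, max_read=8):5.1f} bits")
    print(f"md5/base64 recipe, apparent    : {derived_apparent_bits():5.1f} bits")
    print(f"md5/base64 recipe, actual      : {derived_actual_bits():5.1f} bits")
    print(f"derive_password('swordfish')   : {derive_password('swordfish')}")
```

The recipe's output is deterministic, so it is a transformation of the word rather than an addition to it: the ten characters carry exactly as much unpredictability as the word that went in, which is why the "actual" figure is the dictionary size, not 60 bits.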

  19. Alister Silver badge

    Swordfish

    What number in the list is swordfish?

    "The password is always swordfish"

  20. Nifty

    When I created the account it said enter password twice so I did this. Just following instructions guv.

  21. Anonymous Coward

    It's not just passwords that get written down.

    My wife's employer decided to use "security" questions, in case a password was forgotten. Not an entirely bad idea. However, the genius who implemented the policy had never bothered to visit the real world, it seems. All answers had to be a minimum of 8 characters. OK if you had to choose your favourite type of plague, but useless for the more common question of where did you go on your first holiday? I guess the admin in charge had never heard of those obscure holiday destinations of France, Spain, Italy, Greece... The result? Everyone had to make up the answers to the questions, and promptly wrote them all down on a piece of paper.

    1. Chicken Marengo
      FAIL

      >>All answers had to be a minimum of 8 characters. OK if you had to choose your favourite type of plague

      Bubonic

      1. Tom_

        No, sorry, your favourite type of plague is now 'pneumonic'.

  22. PiquePK

    Back in 1979 the root password for our college's computer was "root". Until someone put a worm on the system.

    Later, working somewhere where I was forced to change passwords every month, I would forget and need to call support just when I needed it most, so I resorted to "Password" as the password, rotated to "asswordP", "sswordPa", etc.

    I use secure passwords where I need them.

  23. Anonymous Coward

    One of my passwords is 62 characters long.

    Though it is a combination of seven other passwords I use.

    1. Anonymous Coward

      re: One of my passwords is 62 characters long.

      Shame only the first 8 are read.

  24. Anonymous Coward

    Let's just face it: on the whole, people are just stupid!

  25. Peter Clarke 1
    Coat

    Password Length

    On one site I tried to use PENIS.

    It told me it wasn't long enough

    I like to get these old jokes back out into the community

  26. Anonymous Coward

    https://howsecureismypassword.net/

    says:

    Newyear - Your password would be cracked almost instantly

    but:

    Newyear2014! - It would take a desktop PC about 344 thousand years to crack your password

    I love January!

    1. Darryl

      That site should be renamed 'How long is my password'

      If you type in the uber-secure aaaaaaaaaaaaaaa, it claims it would take 13,000 years to crack.

      1. Spleen

        !"£$%^&*() would apparently take 9,000 years to crack. Not as secure as (control c, control v) aaaaaaaaaaaaaaa, but much easier to remember - how do you remember how many As there are? Whereas all you have to do with this little beauty is hold down shift and run your finger down the numbers.
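An added example, not code from the site discussed above, showing why the replies call it a length meter: a naive length-times-charset estimate of the kind such meters produce, beside a pattern-aware estimate that treats a repeated character, a run along a keyboard row and a word-plus-year-plus-symbol as the small guess spaces an attacker actually tries first. The guess rate, the keyboard rows and the five-entry wordlist are constructed assumptions for the example.

```python
import re

GUESSES_PER_SECOND = 1e9  # assumed offline attacker rate for the example
SECONDS_PER_YEAR = 365.25 * 86400
# Keyboard rows, including the UK shifted number row from the comment above.
KEYBOARD_ROWS = ["1234567890", '!"£$%^&*()', "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed stand-in for a real wordlist; the real thing has millions of entries.
COMMON_WORDS = {"password", "newyear", "swordfish", "trustno1", "letmein"}


def charset_size(pw: str) -> int:
    """Size of the alphabet a naive meter assumes from the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def naive_guess_space(pw: str) -> float:
    """Length x charset: every string of that shape treated as equally likely."""
    return float(charset_size(pw)) ** len(pw)


def pattern_guess_space(pw: str) -> float:
    """Space an attacker who tries cheap patterns first actually has to search."""
    low = pw.lower()
    if len(set(pw)) == 1:
        # one repeated character: pick the character, pick a length (assume up to 32)
        return 95.0 * 32
    for row in KEYBOARD_ROWS:
        if low in row or low in row[::-1]:
            # a run along a row in either direction: bound on substrings of every row
            return float(sum(len(r) ** 2 for r in KEYBOARD_ROWS))
    m = re.fullmatch(r"([A-Za-z]+)(\d{2,4})?([^A-Za-z0-9])?", pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        # word x 4 capitalisation variants x up to four digits x one trailing symbol
        return float(len(COMMON_WORDS) * 4 * 10000 * 33)
    return naive_guess_space(pw)  # nothing cheap matched; fall back to brute force


def crack_years(space: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to exhaust a guess space at the assumed rate."""
    return space / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["Newyear2014!", "aaaaaaaaaaaaaaa", '!"£$%^&*()']:
        print(f"{pw!r}: naive {crack_years(naive_guess_space(pw)):.3g} years, "
              f"pattern-aware {crack_years(pattern_guess_space(pw)):.3g} years")
```

With these assumptions the fifteen a's score tens of thousands of years on the naive estimate and a fraction of a second on the pattern-aware one; "Newyear2014!" collapses from millions of years to a few million guesses once the attacker tries word, digits, symbol in that order. A password that matches none of the cheap shapes falls through to the brute-force figure, which is the only case where the naive number means anything.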

  27. Purlieu

    The truth is out there

    TRUSTNO1 is Fox Mulder's password, any fule kno

  28. b166er

    Looking at the ophcrack rainbow tables, you now need 13 characters (from all of the 4 groups) to be secure from any Tom, Dick and Harry :(

    Presumably various intelligence agencies have larger still rainbow tables, so passwords are probably a waste of time unless you can remember passwords comprised of all 4 character groups and at least 15 characters in length.

    Can anyone confirm whether pass phrases (ie concatenations of dictionary words) are harder to crack?

    Such as: XKCD

    EDIT: I looked up ^ and saw this has been discussed.

    There needs to be a better way.

  29. Anonymous Coward

    checking our user DB...

    on our internal system, 4 digit passwords are the norm. I'm disappointed to see that the first rude word is waaay down this list...

    select count(pin), pin from employees

    group by pin

    order by count(pin) desc

  30. SeldomRight

    Number 24

    The popularity of "trustno1" might be due to its use in an episode of X-Files where Scully successfully guesses it as Mulder's password.

  31. TopOnePercent Silver badge

    Unfortunately, passwords are just another example of the lowest common denominator spoiling things for the rest of us.

  32. Ethangar
    Alien

    An old co-worker used to be freakish about his passwords. Every site had its own unique password. He wrote them all down in a booklet beside his desk but even took that one step beyond. The book was filled with things like

    theregister - I had a peanut butter sandwich and a chocolate milk for lunch today. 3U

    So it was every 3rd letter in upper case. There was also A for alternate, L for lower case and H for hacker a=@ etc.

    So even if you got his notes.... you would still be lost.

    1. Tom_

      Yeah, but so would he once you had his notes.

    2. JulianB

      Better than someone I heard of who obfuscated his PINs by writing them down in EBCDIC. So he'd write F1F2F3F4 safe in the knowledge that nobody would guess he meant 1234.

  33. Anonymous Coward

    Expiring passwords just F'ing P me off

    Anything which has an expiring password, like work Windows logins, gets a simpler password, because I've run out of all the clever ones and won't remember anything else now; anywhere else, I use nasty randomly generated passwords stored in a well-encrypted password store (not in the cloud), with lots of backups.

  34. Stevie Silver badge

    Bah!

    The bloke at xkcd had the right of it: what is needed is more *entropy* not more numbers, changes of case or special characters. Add words, not furbish.

    Because long concatenations of random words are easy for a human to remember but hard for a computer program to crack whereas short runs of gobbledegook are relatively easy (still) for a cracker to bust but hard for the legitimate user to remember.

    Why not mix increased entropy with the same usage pattern watching techniques the credit card companies use (they are very fast to spot unusual usage patterns I can tell you from personal experience) for the win?
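An added example, not from b166er's question (comment 28) or Stevie's reply above: the entropy of a password as a function of how it was generated, which is what the xkcd argument rests on, alongside a passphrase generator that draws words with the CSPRNG. It assumes an attacker who knows the generation method; the word counts use the 2048-word list from the strip and the 7776-word EFF long list as reference sizes, and the short wordlist in the code is a constructed stand-in.

```python
import math
import secrets
from typing import Sequence

PRINTABLE_ASCII = 95  # letters, digits, punctuation, space

# Constructed stand-in wordlist; a real one such as the EFF long list has 7776 entries.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "swordfish", "trustno1",
                   "plague", "dvorak", "trackball", "keyboard", "password", "newyear"]


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random selections from `choices`."""
    return picks * math.log2(choices)


def random_chars_bits(length: int, charset: int = PRINTABLE_ASCII) -> float:
    """Gobbledegook: each position a uniform pick from the printable set."""
    return entropy_bits(charset, length)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Concatenated random words. The attacker is assumed to know the list and the
    word count, so only which words were picked is unknown; using dictionary words
    costs nothing as long as they were chosen at random."""
    return entropy_bits(wordlist_size, words)


def human_pattern_bits(dictionary_size: int, digit_suffixes: int = 10000) -> float:
    """A word-plus-year choice like Newyear2014: one dictionary pick and up to four
    digits, not independent random picks, however many characters it has."""
    return math.log2(dictionary_size * digit_suffixes)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Fewest random words from the list that reach the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: int, wordlist: Sequence[str], sep: str = " ") -> str:
    """Draw words with the CSPRNG, never with random.choice, for a real credential."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print("4 words from 2048:", passphrase_bits(4, 2048), "bits")
    print("4 words from 7776:", round(passphrase_bits(4, 7776), 1), "bits")
    print("8 random printable chars:", round(random_chars_bits(8), 1), "bits")
    print("one of 100k words + year:", round(human_pattern_bits(100_000), 1), "bits")
    print("words for 128 bits from 7776:", words_needed(128, 7776))
    print(generate_passphrase(5, SAMPLE_WORDLIST))
```

Four words from a 2048-word list give exactly 44 bits and four from the 7776-word list about 52, so a passphrase is harder to crack than a word-plus-year choice (under 30 bits for a 100,000-word dictionary) but not automatically harder than eight truly random printable characters (about 52.6 bits); what decides it is the number of random picks, not the character count. The same search-space arithmetic answers the rainbow-table worry: a table covers a fixed space of unsalted hashes, and a salted, slow hash with enough entropy behind it is outside any such table.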

  35. Javapapa

    True stories

    Gather 'round the campfire, kids.

    After the movie "War Games" came out in the early 80's, I told the DP Manager that it would inspire a generation of hackers.

    "I'm not worried, I have an IBM System/38. It's secure."

    I entered "QUSER" in the login username field, and pressed Enter.

    User menu screen appeared. Sound of jaw dropping to the floor.

    Back then IBM shipped machines without a password for the user template profile.

    In the mid 90's the New York Times insisted I register to see their webpage. I angrily typed "F--kYou", only to see the screen refresh with, "We are sorry, 'F--kYou' has been used. Would you like to use 'F--kYou149'?"
