back to article It's 2016 and idiots still use '123456' as their password

Put your head in your hands, sysadmins: the usual weak suspects continue to make up the top most used 25 passwords. The ubiquitous ”123456" remains the most popular password among web users, followed by "password" in a list of user credentials leaked online last year. “Qwerty” appears in fourth place of the list of …

  1. Cuddles Silver badge

    Easily remembered...

    "Security experts warn that easy to remember passwords are increased easily guessed by potential attackers."

    But as usual they fail to note than difficult to remember passwords are, in fact, difficult to remember.

    "over 20 billion guesses a second against Microsoft Windows password hashes. In fact, a user that had a password in the top 25 passwords would have their password guessed by such a rig in under a second"

    No shit. Presumably those top 25 passwords are the first ones tried, so a rig capable of making only 26 guesses per second would still manage that in under a second. I mean sure, a billionth of a second is indeed under a second so the statement is technically correct, but I think it rather fails at indicating the relevant scale.

    1. Stuart 22

      Re: Easily remembered...

      Not to mention that any self respecting server operator will have anti-brute attack protection in place anyway. So you get 3 goes every 45 minutes. Doesn't matter how powerful the attacker is - as long as the password isn't in the top 100 its likely to take a day or so. Actually in most attacks they are guessing the username too so it would be much longer than that if it isn't 'admin'.

      As they say - if the account isn't important use the same memorial password, just add something random into it. Worry about the ones you need to worry about. But then those should have two factor, if they don't then you really need a password generator and a secure Keepass-like system to remember them.

      1. TeeCee Gold badge
        Black Helicopters

        Re: Easily remembered...

        ....in most attacks they are guessing the username too.....

        Er, why? Company records, directors' names. If there's a director called Roger Bellend, try "rbellend", "roger.bellend" and "roger.bellend@company.com" (the last only if they're a bit techy and hate their users enough to make 'em type that shit).

        One of those should work and with a bit of luck, being a director, he'll have insisted on having a bit more access than he should have, the "three strikes" on dodgy passwords being disabled and session logging turned off.

        1. Pascal Monett Silver badge

          You're still guessing.

          It could also be rogbel, bellenr, or even $beller, following just some of the formats I've already come across.

          1. Bbbbit

            I think you underestimate the top brass

            b3ll3nd - Let's see hackers crack that!

        2. Anonymous Coward
          Anonymous Coward

          Re: Easily remembered...

          Company records, directors' names. If there's a director called Roger Bellend, try "rbellend", "roger.bellend" and "roger.bellend@company.com" (the last only if they're a bit techy and hate their users enough to make 'em type that sht).

          Right. Usernames are easy. A favorite is to dress up for an interview, walk around an office, and look for PCs with a Post-It note with the password. The username is also indicated in the form of a "name plate" on the cubicle.

          1. Crazy Operations Guy

            Re: A favorite is to dress up for an interview,

            For security audits, I have an orange vest, big metal clipboard, and a white hardhat with the local utility company's logo on it (Actually just a sticker I got from a bowl they have in the lobby for the children) I've gotten IT managers to let me into datacenters with that getup. I keep a tablet in the clipboard and a USB-to-SATA adapter as well. So I can pop in to the DC, shut off a domain controller, and copy the authentication DB files to the hard drive.

      2. Naselus

        Re: Easily remembered...

        "Not to mention that any self respecting server operator will have anti-brute attack protection in place anyway. "

        You don't brute-force on online data. You pinch the DB and brute-force it offline, before taking the correct password online and trying it EVERYWHERE. Since 95% of users are using the exact same password on every website, the security of the big heavyweights is compromised by the security numpties. So I grab the ROT13-encrypted password DB of forum.mylittlepony.com, crack it in ten minutes, and then use your details from that to try and open your online banking and home router.

        Frankly, we'd be better off if security professionals recognized that you don't care if I hack your forum.mylittlepony.com account and so don't bother forcing a secure password on that, allowing you to save your 12 character, special character-number-capital combos for useful sites alone. A 4- or 5- letter password for junk sites would be fine and easy to remember, and do you REALLY care if that bastard RainbowSparklesIsHot97 hijacks your free forum account? Otherwise, we have widespread reuse of the same details for both junk site login AND high-value targets.

        1. Ian Emery Silver badge
          Joke

          Re: Easily remembered...

          Owe Noes, yu haz stowlen my ponez acount!!!

          Perhaps I shouldnt have used "Eearsansuwoleo" as my password.

        2. jonathanb Silver badge

          Re: Easily remembered...

          Password1! is a good choice for those sorts of sites. It meets the "difficulty" criteria, and is easy to remember.

      3. Fink-Nottle

        Re: Easily remembered...

        > if the account isn't important use the same memorial password

        R.I.P. is as good as another password, I guess.

      4. Lodgie

        Re: Easily remembered...

        It's incredible the number of systems that don't use anti-brute force timeouts, or basic complexity rules for that matter. Implementation of brute force prevention is the single most simple anti hack method available to man (or woman).

        1. Roq D. Kasba

          We are a part of the problem

          We keep referring to 'password' which strongly suggests... a word! If we used the term 'passphrase' universally, I'm sure it's be easier to at least get better length entropy. Start using it in all your corporate departmental bollocks, encourage it, support long strings (after all, why not in 2016? Don't tell me you can't afford the disc space any more)

          1. Michael Wojcik Silver badge

            Re: We are a part of the problem

            support long strings (after all, why not in 2016? Don't tell me you can't afford the disc space any more)

            There's no additional space requirement for (long) passphrases, compared to passwords, for most password/passphrase-based authentication systems, because they store constant-size hashes.

            The chief obstacle to using passphrases is usability; total typing accuracy drops as the text gets longer (obviously), and anti-shoulder-surfing mechanisms (i.e., not displaying the passphrase as it's typed) make it hard for the user to note and correct errors.

            Obscuring the typed passphrase can be dropped in some conditions, but the near ubiquity of cameras makes shoulder-surfing even more of a danger than it was when hidden input fields were introduced half a century ago.

            The problem is compounded by lockout thresholds that are firmly stuck in the short-password era (locking out after three attempts or the like). Those policies are no longer very useful, particularly when password-strength requirements are enforced, but organizations cling to them.

            My current work password is just shy of 40 characters, and I get it correct four times out of five - but when I get it wrong, I type it very carefully on the next attempt, because a lockout costs me time and effort (not to mention the aggravation).

            A good approach would be: allow and require long passphrases; make the lockout threshold something reasonable, like 20 attempts; and let authentication succeed if the supplied value is close to the desired one.

            The problem is implementing "close to" without keeping a copy of the plaintext passphrase. (It's straightforward if you do keep a copy - use weighted minimum edit distance and pick a threshold that doesn't reduce the entropy of a minimally-acceptable passphrase more than you're happy with.) It might be possible to do it with some geometric transformation of the passphrase1 without leaking an unacceptable amount of information to an attacker who gets a copy of the verifier, but I'm not offhand aware of any solution in this area.2

            1Then compute the same transformation of the candidate, treat the two results as vectors, and calculate the angle between them. "Close enough" is determined by maximum acceptable angle. Converting that to effective bits of entropy in the passphrase is left as an exercise for the reader.

            2Something coming out of the research in provable computation perhaps ... but now I'm just speculating idly.

            1. OsamaBinLogin

              Re: We are a part of the problem

              yeah, I've started using long passwords. And yes, the typing accuracy is a problem, 30 is about the limit for me. And on the phone, it can be painful.

  2. richard?

    Nothing wrong with insecure passwords

    - on insecure irrelevant sites

    I use the same password on any number of forums and support sites where I really don't want to spend the time remembering them and a breach would be completely uninteresting to me.

    Half the sites probably run old or homegrown forum software and dump the password straight into the DB in plaintext anyway.

    I combine this with a disposable email address in case of a spam overload, but so far they're all so irrelevant that nobody has even bothered to hack them and the address is pristine !

    1. Dave 126 Silver badge

      Re: Nothing wrong with insecure passwords

      And just to prove my above point about insecure passwords on irrelevant sites, this is me, richard?, posting as Dave 126, because that idiot set his password to the obvious phrase 'horse pencils'. Clearly he doesn't consider TheRegister to be that important!

      1. wolfetone Silver badge

        Re: Nothing wrong with insecure passwords

        "... that idiot set his password to the obvious phrase 'horse pencil"

        Yeah, "horse pencil". I'm sure.

      2. Glenturret Single Malt

        Re: Nothing wrong with insecure passwords

        Horse sauasge would be even more memorable.

    2. Conrad Longmore

      Re: Nothing wrong with insecure passwords

      Password re-use is the problem. Using throwaway passwords for trivial accounts is one way to prevent it. After all, there's no point using a password like ",=8r2/ax}DS-G2N&" if you use it everywhere, including easily hackable sites.

      1. Yet Another Anonymous coward Silver badge

        Re: Nothing wrong with insecure passwords

        So it's particularly annoying when some trivial site insists on 87 characters, 13 symbols and no old password reuse, just to protect your my-little-pony updates

        1. Vic

          Re: Nothing wrong with insecure passwords

          it's particularly annoying when some trivial site insists on 87 characters, 13 symbols and no old password reuse, just to protect your my-little-pony updates

          The other day, I registered an account with the Met Office.

          Minimum 9 characters, at least one capital, one lower-case, one number, and one "special" character (which wasn't defined).

          To get a wind forecast...

          Vic.

      2. brotherelf
        Devil

        Re: Nothing wrong with insecure passwords

        Do I misremember that one alleged capability of gov't INT is to track people that re-use a password that is sufficiently unique? (Remember that in many schemes, the password travels from the keyboard to the server protected only by SSL/TLS. In fact, it might be "educational" to log people's failed passwords and go rattling doors with that, too. "Did I re-use my X password or my Y password here? Oh, it must have been the other one.")

        1. cbars

          Re: Nothing wrong with insecure passwords

          Firstly:

          https://www.xkcd.com/792/

          Also:

          "protected only by SSL/TLS"? What are you on about? Pick your enemy mate. TLA's don't need to sniff your SSL traffic to pwn you. This article was about passwords getting picked up by low level criminals (but: 'cyber' so they're scary), SSL is plenty good enough to protect that sort of information.

          1. Vector

            Re: Nothing wrong with insecure passwords

            I think, reading the tea leaves in this article, the real issue is that passwords (by themselves, at least) are just about obsolete as an effective security measure.

            First, the people using the passwords have to actually understand and care about the importance of protecting the information behind a password protected wall.

            Next, they have to do this for more and more locations (work network, websites, mobile apps, etc...).

            As the strength of crackers increases, complexity rises, but the ability to retain the highly complex passwords, across dozens of locations, falters.

            So we turn to password safes, but then you're borked if you don't happen to have the device with the safe app on it (And truly F*CKED if you lose it after forgetting to make a backup).

            OH! but the cloud! Now you can access your safe from any device! But then, so can everyone else. And by cracking one password (that can't be so complex as to be unrememberable[sic?]), they can now access all your passwords.

            Even with all this, since cracking power increases at least geometrically (and quite possibly exponentially) while our ability to remember passwords increases incrementally at best (and then decreases with age), we're fast approaching the time when all reasonable complexity will make no difference to anyone willing to put in the least of efforts.

            It's time for a new way to secure things.

            1. Charles 9 Silver badge

              Re: Nothing wrong with insecure passwords

              This has been known FOR DECADES. The chief problem comes from the wetware requirement. Against a resourceful opponent (and as you note, the requirement keeps falling), there's no way to convulsively distinguish someone from an imposter. Passwords can be copied, looks can be matched, factors can be stolen, even DNA can be cloned. Yet we live in a world where proof of identity is a daily requirement, so we're caught between Scylla and Charybdis: needing a form of authentication that frankly cannot exist. So what do we do?

            2. Jimbo 6

              @ Vector

              "First, the people using the passwords have to actually understand and care..."

              Remember that we're talking about the general public here, so that plan falls at the first hurdle.

    3. Ken Hagan Gold badge

      Re: Nothing wrong with insecure passwords

      Actually there *is* something wrong. Sites with no sensitive data should not ask for a password. Doing so trains the general population into believing that a password is an annoyance and the easiest way to deal with it is to use 123456 for all sites.

      Then they are asked to choose a password for their bank account...

      Sadly the commercial incentives are all wrong here, since sites that insist on registration (which is the usual excuse for demanding a password) can then spam your email address or flog it.

  3. Ben Tasker Silver badge
    WTF?

    Errrr

    Not to be picky, but the blog linked to in TFA has a recent post appearing to be the one TFA is referring to, except that it was posted a year ago and the included list is from 2014's top 10.

    El Reg hasn't accidentally fallen for the tweet old content as if it were new trick has it?

    Edit: looks like this is the correct link https://www.teamsid.com/worst-passwords-2015/

    1. 's water music Silver badge

      Re: Errrr

      El Reg hasn't accidentally fallen for the tweet old content as if it were new trick has it?

      To be fair they did churn the press release when it was fresh too.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Errrr

      Yeah, we linked to the wrong page - it's been fixed. Don't forget to email corrections@theregister.co.uk if you spot anything wrong.

      C.

  4. Lysenko

    pUctuAt10n

    I found our support overhead from forgotten passwords went way down after we set the rules as:

    1) Case Insensitive

    2) No Numbers

    3) Punctuation Ignored

    4) LONG

    Therefore:

    isthisadaggeriseebeforeme

    Is this a dagger I see before me?

    ...both work.

    All the user needs to remember is the Shakespeare connection. The extra length compensates for the loss of complexity vs. a standard 8 char password with enforced l33+ speak. Most "weak password" checks I encounter will bounce "password" but allow "Password1". Pointless.

    1. Anonymous Coward
      Anonymous Coward

      Re: pUctuAt10n

      >Most "weak password" checks I encounter will bounce "password" but allow "Password1". Pointless.

      Indeed. At my previous company (a certain large blue one) we were forced to change passwords constantly and weren't notified of any unauthorised login attempts. Password rules were strict - you couldn't use abcdefgh1 then replace it with abcdefgh2, for example, but it was fine to use 1abcdefgh then replace it with 2abcdefgh. After 8 password changes the password left the history so you could reuse these.

      Similarly, on my phone, I was forced to replace my difficult to guess 6-digit PIN, with the phrase 1qqqqqqq (which was then replaced with 2wwwwwwww etc.)

      Some people don't get it. How about the way the BBC reported this "news" and gave this advice?

      "Swapping letters for numbers and symbols can make your password even more difficult to guess. So, a capital G looks a bit like 6, we'll swap F for 4 because four begins with f, L and I both look like 1s so that's an easy swap. The @ signs are a good alternative to the letter a. It probably goes without saying, but ours is just an example and not one you should use.

      "

      Use an @ instead of an a? A 1 instead of an l? Wow. Hackers will never think of that.

      1. GrumpenKraut Silver badge

        Re: pUctuAt10n

        > ... we were forced to change passwords constantly ...

        at which point everybody has sticky notes with the password of the week somewhere at the desk. I made a point in form of a big visible note you could not possibly miss.

        Sneakily, what was written on it was not the actual password (gawd, I am clever!).

        1. Cuddles Silver badge

          Re: Nothing wrong with insecure passwords

          "Actually there *is* something wrong. Sites with no sensitive data should not ask for a password."

          The problem is that just because something isn't truly important sensitive data doesn't mean you want it visible to every random person wandering past. Essentially, we have two levels of security - preventing casual access, and protecting valuables. And this applies to pretty much everything, not just computers. For example, most houses are incredibly insecure; many regular locks can be picked in a couple of minutes even if you don't have some clever way of faking a key, and even if the lock is tricky there are few houses that a good kick or a half-brick in a sock won't get you inside. The point of locking our doors is not to stop the determined, highly competent burglars, but simply to prevent people being able to wander into your house on a whim. Similarly, people tend to close their curtains or have nets to prevent people looking in as they pass by, not to prevent investigation by spies or even to hide the kinky things they're getting up to in their living rooms.

          So there's nothing wrong with having passwords for pointless sites with no important data. Your My Little Pony forum account might not be important, but it's still your account that you probably don't want others using whenever they feel like. It's just important to recognise the difference between the security necessary on such an account, and the security necessary on something like your bank account where malicious access would actually be a serious problem. The issue isn't that unimportant sites insist on passwords, but rather than all sites tend to insist on the same level of (usually rather poor) security regardless of what level of security is actually appropriate.

          @ GrumpenKraut

          "at which point everybody has sticky notes with the password of the week somewhere at the desk."

          This gets brought up a lot, but it really isn't a big problem. Most attempts at malicious action are made remotely. If someone can see the note stuck to your monitor, they probably already have physical access. Put the note in a drawer and even people walking past can't see it, and if someone has the access and time to physically look through your things it's already game over regardless of what you might have written down. Having a record of your credentials in a place that the vast majority of attackers will never have access to really isn't a bad idea at all; it allows you to have much more secure passwords since you don't need to worry about remembering them. The tiny increase in risk from someone potentially looking at your note is likely to be more than offset by the increase in security it allows.

    2. Phil O'Sophical Silver badge

      Re: pUctuAt10n

      So now all your users have password set to either "tobeornottobe" or "alaspooryorick" ?

      1. Lysenko

        Re: pUctuAt10n

        @Anon

        >>After 8 password changes the password left the history so you could >>reuse these.

        Yep. Had that too (a Bank). They were so keen on changed passwords they had no change limit. So, when the system insisted people just changed the password 8 times in a row and back to the original.

        @Phil

        >>So now all your users have password set to either "tobeornottobe" or >>"alaspooryorick" ?

        I know one of them set it to:

        toughoncrimetoughonthecausesofcrime

        ;)

      2. GrumpenKraut Silver badge

        Re: pUctuAt10n

        > "tobeornottobe"

        Too easy. "(bb) || (!bb)" it is.

    3. This post has been deleted by its author

      1. Charles 9 Silver badge

        Re: pUctuAt10n

        Even worse, many people need to keep tabs on many different sites and may not even have a computer to call his/her own, meaning password safes are not an option. So now you're staring at the password prompt and thinking to yourself:

        "Now as it correcthorsebatterystaple or muleturbineclipwrong?"

        And then there are those with just plain bad memory (due to bad luck or maybe senility), How do we help people like that?

      2. Simon Harris Silver badge

        Re: pUctuAt10n

        @Symon

        Although getting the Shakespeare quote a little bit wrong may make it more secure.

        nowisthewinterofourincontinence

      3. Lysenko

        Re: pUctuAt10n

        @Symon

        Salt ;)

  5. zb

    I think I had better upgrade my password from password. How about Passw0rd Job done :)

    1. Robert Moore

      Go super secure, try this:

      P@55w0rd1

      Only really needed for banking sites. :)

  6. AbelSoul
    Trollface

    Correct horse battery staple

    and ting.

  7. chivo243 Silver badge

    Great!

    And I was down voted in another thread for questioning password-less accounts. There's no justice in the forums ;-}

  8. Dave 126 Silver badge

    >"It's 2016 and idiots still use '123456' as their password"

    Or

    It's 2016 and smart people still haven't found a way to make authentication easy to use.

    1. Mark 85 Silver badge
      Devil

      I'm shocked that 123456 is still allowed. Don't all passwords have to be 8 character now? It should be 12345678. Or maybe abcdefgh...

    2. Charles 9 Silver badge

      The easier to use, the less secure it is. Plus people have bad memories and our adversaries are nearing MiniLuv levels of sophistication.

  9. Michael H.F. Wilkinson Silver badge
    Happy

    Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch

    anyone?

    Oh wait, no numbers

    L1anfairpwl1gwyngyl1g0gerychwyrndr0bwl1l1antysili0g0g0g0ch

    easily remembered

    1. Esme
      Go

      @Michael H.F. Wilkinson

      L1@nfairpwl1gwyngyl1g0g3rychwyrndr0bwl1l1@ntysili0g0g0g0ch

      FTFY - much harder to guess and just as easyto remember! 8-}

  10. Anonymous Coward
    Anonymous Coward

    idiots still use '123456' as their password

    Hahahaaa..-... any fool knows a password should be at least 8 characters long, it's 12345678 for me.

    1. Captain DaFt

      Re: idiots still use '123456' as their password

      " any fool knows a password should be at least 8 characters long"

      "SnowWhiteandthesevendwarves"

      Thank you Nick Helm!

      1. Mycho Silver badge

        Re: idiots still use '123456' as their password

        SnowWhiteHadAFightWithASnakeOnFridayNight

        Time needed to crack that?

        1. Ben Tasker Silver badge

          Re: idiots still use '123456' as their password

          Depends how many drinks she's had ;)

          1. Mycho Silver badge

            Re: idiots still use '123456' as their password

            Assume she's sober.

            She just likes snakes.

  11. Michael H.F. Wilkinson Silver badge
    Coat

    I now use "The Spanish Inquisition"

    because nobody expects the Spanish Inquisition!

    Sorry, I think I should be going. The red monastic robes and matching hat please

  12. Anonymous Coward
    Anonymous Coward

    confused

    "MWR uses can perform over 20 billion guesses a second against Microsoft Windows password hashes"

    Does this mean, that MWR had a datafile of password hashes and then tried their system against them.

    As opposed to trying to logon to a real system, in which case shouldn't system speed of response actually slow down the rate of attack? Let alone protective account locking out stopping the attack after a few tries.

    1. Rich 11 Silver badge

      Re: confused

      They say they're testing against password hashes, and since enough sets of them have been stolen and dumped where anyone can play with them, that's a reasonable thing to do. Idiots being idiots, some of the data recovered will be useable on other sites.

  13. Anonymous Coward
    Anonymous Coward

    No Support Stnadard there?

    I've worked in FAR too many places that use "t5r4e3w2q1" as an admin password. It reached the point that I used to try it before I bothered asking what the domain admin account password was.

    1. Dave 126 Silver badge

      Re: No Support Stnadard there?

      Easy fix: Kit the admins out with a Dvorak keyboard and they'll no longer use "t5r4e3w2q1". Easy!

      [Alt text: Why was a type of keyboard that was designed to allow faster accurate typing marketed with a name that looks like a typographical error? Would it have been too much to ask of Dr. Dvorak that he change his name to Dr. Fast-Type?]

    2. Jos V

      Re: No Support Stnadard there?

      Hm. Google has "about 4,690 results (0.47 seconds) " on that one. Who is t5r4e3w2q1?

      Anyway, password faults sound great, but, since people now use multiple devices (smartphone, laptop, home PC, work PC/laptop), and want to access all their accounts from each, to update their facebook pages and tweets with useless information, read their emails, do some banking, this is never going to work.

      I just rely on Microsoft Lync to screw up my password randomly and lock me out, so I have to reset it it so frequently I'm secure no matter how many billions of guesses a second you throw at me.

      1. Charles 9 Silver badge

        Re: No Support Stnadard there?

        Look at where the T is on a QWERTY keyboard, trace the password with your finger, and you should get it.

  14. K Silver badge
    Holmes

    123456.. Who is more of an idiot?

    The idiot who uses 123456?... or the idiot companies who have not worked out their customers are idiots and allow them to use it?!

  15. Will Godfrey Silver badge
    Unhappy

    It's hopeless

    Stupid is outbreeding smart.

    1. Rich 11 Silver badge
      Joke

      Re: It's hopeless

      Then we need to apply a bit of selective pressure: empty their bank accounts until they either learn or starve.

    2. IglooDude

      Re: It's hopeless

      Not necessarily - the top 25 passwords are ALWAYS going to be this collection of mindmeltingly simple passwords, even if the percentage of users using them is .01%. Good passwords are not going to be commonly used. So even if there's only a handful of people worldwide using 123456 because educating users on best security practices has been successful beyond anyone's wildest fantasies, this article can still be trotted out annually nearly verbatim.

    3. Moonunit

      Re: It's hopeless

      Face it, we're on the shrinking team ...

      1. Sir Runcible Spoon Silver badge

        Re: It's hopeless

        My wife isn't exactly an academic brain-box, but she seems happy that her IQ is actually going up every year since the average is getting lower.

  16. Primus Secundus Tertius Silver badge

    Short is best

    In my young day, the favourite password was 'fred'. Why? Look at the keyboard, see where the characters are.

    1. Paul Woodhouse

      Re: Short is best

      lol, I used to use asda for the same reason...

  17. Anonymous Coward
    Anonymous Coward

    We could enter what password we wanted...

    Internal management tools managing massive amounts of our client's clients data, and we could log in after requesting a temp password as long as it was more than 6 characters long. We found out that there was no complexity rules (despite the doc saying there was). Incident logged and ignored.... until I did a presentation for new features to the CTO and the Security Director and selected "000000"... Got reamed by both until I presented the unprocessed incident from 2 years back showing the "critical" incident got stuffed in the "one day" backlog - by that same CTO...

    Anon because I still work there...

  18. Alistair Silver badge
    Coat

    scrap passwords for scrap accounts

    - at least -- anything that makes me create an account in order to read something i make junk accounts, pointing all over the planet and use junk passwords for.

    Stuff I need, on the other hand, I take some care with, but the passwords are algorithmic, so remembering them is easier.

    Stuff I have control over? SSH? private/public key authentication only, no passwords.

    Educating the ID admins? long, painful, tedious processes. Worth it tho.

    I too worked for the 30 day rotation, 16 password deep history queue, 2 Upper, 2 Lower, 2 special, 2 Numeric "reset yer password over the phone based on one question" company. Same with the vpn password. *sigh*. I think it explains the crash and burn.

    Mines the one with the encrypted spreadsheet and a copy of "ssh-agent for dummies" in the pocket

  19. Chairboy

    That link takes you to an article from 2015. Last time I checked we're in 2016

  20. John Lilburne Silver badge

    The ubiquitous ”123456" remains the most popular password among web users, followed by "password" in a list of user credentials leaked online last year.

    Yeah but we only do that in the 100+ throwaway accounts we create.

  21. Steve Bones

    That's why I use 654321. As the article says, web users have to mix things up.

  22. Anonymous Coward
    Anonymous Coward

    As to things like gaming consoles...

    I set my mom up with a 123456 password simply because the XB1 I got for the younger siblings needs accounts (no password for them - no credit card and bogus email account setup where they don't know the password). Kids don't need to be in the settings (really mom doesn't) but I have to make it easy enough to walk my mom through when I send her an update disk (no internet out in the middle of the BFE they live). There's no card attached to the parent's acct. either and I have the password for that email in case someone messes that up.

    1. Anonymous Coward
      Anonymous Coward

      Someone pointed that out two hours before you did.

      The helpful place to post it would have been the "Tips and corrections" link below TFA.

  23. Anonymous Coward
    Anonymous Coward

    20 billion guesses per second

    Fun fact: the speed the researchers' cracking rig clearly demonstrates 8-character passwords are now complete rubbish. Assuming the attacker sporting such a rig has already managed to get their hands on a password database, which as some of the previous commentards already remarked is not a fat-fetched scenario (and if you think cracking passwords on a system from which you have already swiped the password database is pointless, consider many people re-use their passwords on different systems), even a truly random string of 8 ASCII upper- and lowercase letters, digits, and common special characters (couldn't be bothered to actually count the latter so I guesstimated the total number of available characters as 70) will be cracked in no more than 8 hours... Of course in all likelihood I am preaching to the choir here.

    1. Anonymous Coward
      Anonymous Coward

      Re: 20 billion guesses per second

      Since the site the password database has been taken from might not notice for 24 hours. And then another day or two for word to get round that the database has been compromised. And then another for people to realise that they reused that password (with the same email/username) on three other sites, and another to get round to changing it on those other sites - well, the rig doesn't need to be that fast.

      personally I try to vary the email address used on each website (aliases even if not set up under your own domain are so easy to get).

    2. Old Handle

      Re: 20 billion guesses per second

      FYI It's actually 96 (ASCII 32 though 126) so that'll take an order of magnitude longer. Still, it's not exactly high security. It is however way more time than miscreants will spend on your account in any untargeted attack, and for most people, that's all you need to worry about.

  24. Grikath Silver badge

    tools...

    "an automated tool like a password manager"

    For which the user chooses/forces the master password to be.... Can't win that way..

    1. Pookietoo

      Re: tools...

      If it's an offline password manager then it doesn't much matter what the master password is, because it's unlikely to be slurped by a hacker of websites.

      1. Charles 9 Silver badge

        Re: tools...

        But a smarter botherder would install a malware that rifles through the entire system for secrets. A password safe would immediately be marked as a juicy target and the mark the target of a logger to spot the password and/or keyfile that cracks it open.

  25. Graham Marsden
    Coat

    Obligatory...

    Remind me to change the combination on my luggage!

    (Mines the one with the Dark Helmet...)

  26. Anonymous Coward
    Anonymous Coward

    Oh noes... mine's on the list.

    letmein master, dragon monkey's access password is qwerty

  27. Anonymous Coward
    Facepalm

    I wouldn't trust a press release put out by a company that appears to have been named by an over excitable 11 year old.

    I also notice that admin (the default admin password seemingly for every Belkin router out there) isn't on the list.

  28. Kevin McMurtrie Silver badge

    Lies, damned lies, and statistics

    How many people using 'password' happen to live it at 7654 Asdf St?

  29. Anonymous Coward
    Anonymous Coward

    It's disgraceful

    Maybe an IQ test should be required before people are allowed to use a PC online?

    1. Anonymous Coward
      Anonymous Coward

      Re: It's disgraceful

      ... because it would destroy Facebook's entire business model.

    2. Charles 9 Silver badge

      Re: It's disgraceful

      A thought, but it's impractical to regulate what people do in the privacy of their own homes. At least cars drive on public roads, so there a toehold there.

  30. Pink Duck

    What's disgraceful are the sites that don't allow passwords to be set up from any Unicode characters of any length. Worse still the ones that allow you to set a password but then only log in with the DB clipped 15 characters of it. Particularly bothersome has been BBC ID and UK GOV, where passwords have to be downgraded to work through mobile authentication. I keep notes on the rejected characters and weird rules for the various sites. I'm also developing a new system with proper client and server-side salted hashing and SSL/TLS.

  31. Red Bren
    Facepalm

    Outsourcing helps... the hackers

    What about companies that outsource various non-core activities to third party suppliers? They invariably cut costs by doing everything online over the public internet. There's no chance of single-sign-on or public/private keys for authentication, just plain username and password. As there's a different third party site for each outsourced function, people will just reuse the same username/password combination for them all.

    It doesn't matter if your IT security policies are watertight if you effectively give your entire password file to some tin pot site management company because it's deemed too expensive to create a secured extranet connection to report blown lightbulb.

  32. x 7 Silver badge

    123456?

    try !zE4sb instead

  33. Crazy Operations Guy

    File names

    For most stuff, I just use the filename of the song I happen to be listening to at the time. For a while, my password at work was "Space oddity.mp3". Uppercase, lowercase, a symbol, a space, and a number. I just wrote 'password - Tom' on a sticky note for reference (I have many such sticky-notes around my desk, anyone that sees it would just think that I need to give a password to Tom or something).

  34. Richard Altmann

    1234

    last week i left a company not IT related. The password for every account is 1234. For years they expressed their dissapointment that i was not willing to put my sysadmin experience into their heap of hardware and system crap. But i did my best by removing the ptouch stickers stating username and password on the screen frames. Thank gods, i´m out of there. Since the Winshit licences ran out, they asked me for advice and i told them to go Linux whatever. They bought Server2012. Well the update last week sent the database titsup and it took the "admins" four hours to get it going again. Retards,literally.

  35. wsm

    The boss

    He complained about complexity until we explained the sentence as a password thing.

    Others kept telling us to change his password to all asterisks, but nobody could agree on how many.

  36. Oengus Silver badge

    Have fun with your passwords...

    I am at a large corporate. Changing the password on our corporate server is forced annually. (Mine is due to change in 12 days)... The number of times that people forget their "new passwords" is a joke.

    When I setup passwords on Excel workbooks (Yes I know there are ways of getting around them) I use things like "I told you the password". When someone rings up and asks for the password I tell them "I told you the password". Invariably there response is "No you didn't I just asked for it"...

    It takes a while to explain to them... Some people have no sense of humor.

    When I am setting up accounts on internet based systems I try to make the user related to the site. If I have to provide an e-mail address I use a name related to the site name and have the e-mail address covered by the "catch-all" address on a domain I own. Passwords are based on the purpose of the site. I do reuse passwords within the group. If a password is compromised it only impacts one "group" of sites. No password safe with a master password. Only have to remember a few passwords. It really isn't that hard.

    I have a mate of mine who always uses the same passwords (one of three) so I can get into his account on any system that allows 3 guesses before lockout.

  37. Anonymous Coward
    Anonymous Coward

    Password?

    Oh I see, "password" is not THE password, it's what they call a secret code.

    - Bob Numpty, Cricklewood.

  38. JJKing Bronze badge
    Thumb Down

    I did a caretaking job in a school while the regular person who looked after the network was off with a serious injury. I wasn't allowed to change things which was frustrating as the ID10T had the Lab set to autologon and he used the Domain Admin password. The clown didn't realise the students had Full Control of EVERYTHING. I did mention it to my boss but nothing changed. Three months was about 13 weeks too long at that place.

    He also had Ghost setup but didn't have the Ghost machine connected to the network. DUH!

    I have no idea how people like that actually get IT jobs.

    1. Captain Badmouth
      Devil

      "I have no idea how people like that actually get IT jobs."

      Just think for a minute of the calibre of the people doing the interview.

  39. allthecoolshortnamesweretaken Silver badge

    Hah!

    I changed from '123456' to '654321' years ago!

  40. Securitymoose

    How do they find out this information?

    Perhaps they stop people in the street and ask them. I suspect that Goaway, I'mbusy, and F* off you waste of flesh also feature high on the list. And of course, like the pre-election polls, people simply tell lies. 123456 is possibly the first thing that comes into their heads when asked (which would explain football and sex as well).

  41. JeffUK

    Sampling bias

    Massive sampling bias here... These are passwords from sites that have been hacked... So only tells you that people use crap passwords for sites that can't be trusted.

    Also, these passwords were either A. stored in plaintext, in which case complexity is irrelevant, or B. stored hashed, in which case only easily crackable passwords would be released; skewing the results even further.

    ALSO... as all the 'good' passwords are probably unique, they will never be at the top of the list of passwords. So the non-unique passwords will inherently have more people using them.

    The more I think about it, the more meaningless this information becomes.

    1. Charles 9 Silver badge

      Re: Sampling bias

      I see a different take on the data. The very existence of all this indicates you can't expect people to learn proper security on the Internet. It's like idiots and fish. Give an idiot a fish, he'll eat for a day. Teach an idiot to fish, he'll die a week later with the rod in his hand because he forgot what you taught him.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019