It's 2016 and idiots still use '123456' as their password

Nothing wrong with insecure passwords

- on insecure irrelevant sites

I use the same password on any number of forums and support sites where I really don't want to spend the time remembering them and a breach would be completely uninteresting to me.

Half the sites probably run old or homegrown forum software and dump the password straight into the DB in plaintext anyway.

I combine this with a disposable email address in case of a spam overload, but so far they're all so irrelevant that nobody has even bothered to hack them and the address is pristine !

pUctuAt10n

I found our support overhead from forgotten passwords went way down after we set the rules as:

1) Case Insensitive

2) No Numbers

3) Punctuation Ignored

4) LONG

Therefore:

isthisadaggeriseebeforeme

Is this a dagger I see before me?

...both work.

All the user needs to remember is the Shakespeare connection. The extra length compensates for the loss of complexity vs. a standard 8 char password with enforced l33+ speak. Most "weak password" checks I encounter will bounce "password" but allow "Password1". Pointless.

I think I had better upgrade my password from password. How about Passw0rd Job done :)

Great!

And I was down voted in another thread for questioning password-less accounts. There's no justice in the forums ;-}

>"It's 2016 and idiots still use '123456' as their password"

Or

It's 2016 and smart people still haven't found a way to make authentication easy to use.

idiots still use '123456' as their password

Hahahaaa..-... any fool knows a password should be at least 8 characters long, it's 12345678 for me.

confused

"MWR uses can perform over 20 billion guesses a second against Microsoft Windows password hashes"

Does this mean, that MWR had a datafile of password hashes and then tried their system against them.

As opposed to trying to logon to a real system, in which case shouldn't system speed of response actually slow down the rate of attack? Let alone protective account locking out stopping the attack after a few tries.

No Support Stnadard there?

I've worked in FAR too many places that use "t5r4e3w2q1" as an admin password. It reached the point that I used to try it before I bothered asking what the domain admin account password was.

Short is best

In my young day, the favourite password was 'fred'. Why? Look at the keyboard, see where the characters are.

We could enter what password we wanted...

Internal management tools managing massive amounts of our client's clients data, and we could log in after requesting a temp password as long as it was more than 6 characters long. We found out that there was no complexity rules (despite the doc saying there was). Incident logged and ignored.... until I did a presentation for new features to the CTO and the Security Director and selected "000000"... Got reamed by both until I presented the unprocessed incident from 2 years back showing the "critical" incident got stuffed in the "one day" backlog - by that same CTO...

Anon because I still work there...

That link takes you to an article from 2015. Last time I checked we're in 2016

The ubiquitous ”123456" remains the most popular password among web users, followed by "password" in a list of user credentials leaked online last year.

Yeah but we only do that in the 100+ throwaway accounts we create.

That's why I use 654321. As the article says, web users have to mix things up.

As to things like gaming consoles...

I set my mom up with a 123456 password simply because the XB1 I got for the younger siblings needs accounts (no password for them - no credit card and bogus email account setup where they don't know the password). Kids don't need to be in the settings (really mom doesn't) but I have to make it easy enough to walk my mom through when I send her an update disk (no internet out in the middle of the BFE they live). There's no card attached to the parent's acct. either and I have the password for that email in case someone messes that up.

20 billion guesses per second

Fun fact: the speed the researchers' cracking rig clearly demonstrates 8-character passwords are now complete rubbish. Assuming the attacker sporting such a rig has already managed to get their hands on a password database, which as some of the previous commentards already remarked is not a fat-fetched scenario (and if you think cracking passwords on a system from which you have already swiped the password database is pointless, consider many people re-use their passwords on different systems), even a truly random string of 8 ASCII upper- and lowercase letters, digits, and common special characters (couldn't be bothered to actually count the latter so I guesstimated the total number of available characters as 70) will be cracked in no more than 8 hours... Of course in all likelihood I am preaching to the choir here.

tools...

"an automated tool like a password manager"

For which the user chooses/forces the master password to be.... Can't win that way..

Oh noes... mine's on the list.

letmein master, dragon monkey's access password is qwerty

Lies, damned lies, and statistics

How many people using 'password' happen to live it at 7654 Asdf St?

It's disgraceful

Maybe an IQ test should be required before people are allowed to use a PC online?

What's disgraceful are the sites that don't allow passwords to be set up from any Unicode characters of any length. Worse still the ones that allow you to set a password but then only log in with the DB clipped 15 characters of it. Particularly bothersome has been BBC ID and UK GOV, where passwords have to be downgraded to work through mobile authentication. I keep notes on the rejected characters and weird rules for the various sites. I'm also developing a new system with proper client and server-side salted hashing and SSL/TLS.

123456?

try !zE4sb instead

File names

For most stuff, I just use the filename of the song I happen to be listening to at the time. For a while, my password at work was "Space oddity.mp3". Uppercase, lowercase, a symbol, a space, and a number. I just wrote 'password - Tom' on a sticky note for reference (I have many such sticky-notes around my desk, anyone that sees it would just think that I need to give a password to Tom or something).

1234

last week i left a company not IT related. The password for every account is 1234. For years they expressed their dissapointment that i was not willing to put my sysadmin experience into their heap of hardware and system crap. But i did my best by removing the ptouch stickers stating username and password on the screen frames. Thank gods, i´m out of there. Since the Winshit licences ran out, they asked me for advice and i told them to go Linux whatever. They bought Server2012. Well the update last week sent the database titsup and it took the "admins" four hours to get it going again. Retards,literally.

The boss

He complained about complexity until we explained the sentence as a password thing.

Others kept telling us to change his password to all asterisks, but nobody could agree on how many.

Have fun with your passwords...

I am at a large corporate. Changing the password on our corporate server is forced annually. (Mine is due to change in 12 days)... The number of times that people forget their "new passwords" is a joke.

When I setup passwords on Excel workbooks (Yes I know there are ways of getting around them) I use things like "I told you the password". When someone rings up and asks for the password I tell them "I told you the password". Invariably there response is "No you didn't I just asked for it"...

It takes a while to explain to them... Some people have no sense of humor.

When I am setting up accounts on internet based systems I try to make the user related to the site. If I have to provide an e-mail address I use a name related to the site name and have the e-mail address covered by the "catch-all" address on a domain I own. Passwords are based on the purpose of the site. I do reuse passwords within the group. If a password is compromised it only impacts one "group" of sites. No password safe with a master password. Only have to remember a few passwords. It really isn't that hard.

I have a mate of mine who always uses the same passwords (one of three) so I can get into his account on any system that allows 3 guesses before lockout.

Password?

Oh I see, "password" is not THE password, it's what they call a secret code.

- Bob Numpty, Cricklewood.

Hah!

I changed from '123456' to '654321' years ago!

How do they find out this information?

Perhaps they stop people in the street and ask them. I suspect that Goaway, I'mbusy, and F* off you waste of flesh also feature high on the list. And of course, like the pre-election polls, people simply tell lies. 123456 is possibly the first thing that comes into their heads when asked (which would explain football and sex as well).

Sampling bias

Massive sampling bias here... These are passwords from sites that have been hacked... So only tells you that people use crap passwords for sites that can't be trusted.

Also, these passwords were either A. stored in plaintext, in which case complexity is irrelevant, or B. stored hashed, in which case only easily crackable passwords would be released; skewing the results even further.

ALSO... as all the 'good' passwords are probably unique, they will never be at the top of the list of passwords. So the non-unique passwords will inherently have more people using them.

The more I think about it, the more meaningless this information becomes.