I've seen a rise in people using the following as a password lately: xsw21qaz
Yes, it is that easy to spot...
A study to find the top 25 leaked passwords of 2012 has revealed too many people are still using "password", "123456" and "12345678" for their login credentials. The table was compiled from plain-text passwords and weak unsalted password hashes lifted from compromised databases and dumped online by Anonymous hacktivists and …
>on many foreign keyboards!
My` old webmail password was along the lines of: 'orwell 1984' > 'o1r9w8e4ll' (jumble letters and numbers)> 'O!r9W*e4LL (alternate Shift, two on, two off)'... so when on holiday and faced with a Spanish keyboard, I had search for an image of a UK keyboard to remember which symbols to use.
I guess I'm not ready for one of these: http://www.daskeyboard.com/model-s-ultimate/
Those are dev passwords i.e. Zaq12wsx or Xsw23edc
easy as pie if you use one starting with the website first letter theregister.co.uk could be Tgbnhy65
up or down and around, meets the usual 8 letter/numeric restrictions
Beer, as it's a good way to forget the passwords you've used
BTW my former IT manager locked the whole company to use Password10 with no option to change ever! WTF
OK, so its fail on the users for picking bad passwords, but its double fail on the SysAdmins who let them pick bad passwords.
I can think of very few applications that don't have a password checking module available to validate the strength of a password and enforce just a little bit of care.
<rant> And triple fail to those systems that restrict the character set or length of the password. I'm constantly bumping into systems that won't let me use any special characters (alphanumerics only, please!) or only a subset (dashes and underscores and similar) or restrict me to 16 characters or less (I use *long* pass phrases, come on now!). I hit one that limited me to *8* characters! Seriously? What were you thinking? I'd pass on them entirely but some of them are required for my job. Idiots. Bleeding idiots. </rant>
Thank you, I feel better now.
> I hit one that limited me to *8* characters! Seriously? What were you thinking?
At my place of work we have to use passwords of exactly 8 chars. No more, no less. At least it's case-sensitive, but stil, given that cracking someone's account gives you access to everything work-related, (including pay etc) that's a bit weak.
Just don't write it on a post-it note and stick it to your monitor.
An attacker who can see a Post-It note stuck to my monitor is in my house, and I have worse security problems to deal with. (I don't have any such notes, but they wouldn't represent a useful branch of the attack tree if I did.)
I do keep a file of password hints meaningful to me but not to an attacker, to avoid having to remember which variants of which passwords I've assigned to which domains. A very lucky and/or clever attacker might get hold of that, but the work factor required to extract useful information from it is infeasible. Better just to beat the information out of me.
The real problem, under my threat model, is the paper list of accounts and passwords I keep in the safe for use by my family members should I perish in a noble world-saving exercise or the like. And it's a problem because it's too damned hard to keep it up to date.
Passwords are a terrible authentication mechanism - I don't know any reputable information-security expert who believes otherwise.
There are more problems than that...
Most password strength enforcement systems are garbage, very few check for dictionary words for instance so Password1! is often a perfectly valid choice as it is >8 chars, contains numbers, mixed case letters and symbols - and yet is still trivially easy to crack.
And then you have the inconvenience, far too many passwords to remember because every trivial little site thinks its important enough for you to bother using a strong password.
And then the trust aspect, do you know *HOW* a particular site stores your password? Most sites never disclose to you how user passwords are stored and what precautions they take to protect them, and even if they did they could be lying. There are plenty of sites out there, including some big names that store passwords in plain text or in a form thats easily reversible to plain text.
So i use an intentionally weak password combined with a throw away email for most sites, if the site has a password policy i usually just append 1 or 1! to the end to get round it.
As for throwaway email, spamdecoy.net isn't the fanciest of sites but it works well and has several domains you can use (some places block the common disposable mail domains after a while).
When at home (the place most likely used to check more sensitive accounts like banking and email (access to all the things) ), having long passwords written down isn't really an issue. As long as the place is secure, which a private residence typically is, you don't have problems.
The work environment or you laptop bag is probably the place where written down passwords may cause problems. But even that can be foiled a bit by substitution, reminders that only you could determine, or even just keeping the reminders in your wallet.
And finally, as has been pointed out numerous times, taking a less popular song lyric (so maybe the chorus from a deep cut on an obscure band you like) and then using the first letters, mixing in capital and lower case, then tossing on something at the front that makes it unique for that specific website (and can get around stupid limitations placed on it, like no special characters, short lengths, etc.) will probably be about as secure as we can get.
I'm not sure I want to go the route of a encrypted USB stick that has a very strong password and the passwords in a text file or something, that you copy and paste, in the hopes you avoid keyloggers (wouldn't it be simple enough to also log clipboard information?). But that is one of the things that the linked NY Times article proposes.
10minutemail, however, was an awesome find. I can't believe I went that long without it for all those stupid websites that want a verification email, but otherwise have no reason to contact me ever again.
I'd like to put in a brief mention for every two-bit blog that wants you to create a separate login just to comment there. (El Reg, I'm looking at you, among others.) Fercryinoutloud, we're not handling money or secrets here! Just let us use our Google/Disqus/Wordpress logins, thank you very much.
Oh well, I guess it could be worse - they could be using Facebook.
The majority of my passwords on the web are 123123e to cover password requirements and a one time email because I'm only signing up to access to a forum or part of a website or to save site settings.
DuckDuckGo have an anonymous cloud setting to cover this, your password generates the key and from then on you can enter it and get your settings back.
Passwords get discredited by poor user practice and stupid design
Where I work there is an application that you can log into
1) Only if you are already logged onto the network
2) Only if you log into the application with a user name and password (annoying but there could be a valid reason)
3) The app user name and password must be your network user name and current password
Where's the boggled mind icon?
I was once the victim of a hacked PC, and someone made off with all my passwords (yes, I'd been lazily storing them in the browser, reusing them etc.) and so I created a little tool to generate strong password from more memorable phrases. I published this tool as a web site for anyone to use and according to Google Analytics I've seen a 20% rise in use over the last couple of months.
But then I guess a rise from eight to ten visitors per day may not be that significant ...
Yeah I've used at least one of those passwords on a throwaway site where I don't actually care all that much about whether or not someone hacks it.
Sites that I care about get different levels of attention depending on the level of caring.
Sites I sorta care about but need easily remembered passwords get passwords with root pieces and salt.
Sites that I really care about because they have financials get randomly generated passcodes. What really sucks is that sometimes when I use randomly generated passwords with full complexity, they still don't meet site rules for password generation. Which means the sites are actually less secure than the password I generated for it.
You give as your password 200 base64 characters representing 1200 bits taken from a hardware random number generator and the nincompoop site tells you: this password is not "strong" enough because it contains more than two occurrences of the character 'w'. Somebody please stab the programmer in the face.
"Er . . . we DO tell people not to enter other people's houses and take their stuff, don't we?"
That's my point. Even though people are told not to do something, doesn't mean nobody will. So we lock our doors.
Just as we tell people not to hack into another person's accounts, but we should still use strong passwords.
...and tell thieves not to steal, and rapists not to rape, and killers not to kill. Unfortunately, the real world has a propensity to ignore the proprieties. So people should still be prepared to defend themselves, be educated about the dangers of weak passwords, and the consequences of the potential identity theft that can result. That's not victim blaming, it's victim empowerment. Because identity theft is catastrophic and life-changing.
I've spoken with someone it's happened to, and having your identity stolen destroys your life. This person lost his job, faced charges including extortion, money laundering, attempting to import illegal weapons among others, which took him years to be acquitted of; he had to sell his house to pay the court and lawyer costs, and had to move cities because of the offences he'd been charged with. All because someone cracked an account and stole his credit card details and contact info.
It happens. So it's important that people be aware of the issues and take reasonable steps to protect themselves. It's just common sense.
Wait 'till I tell the missus!
New entry at no. 25... just about all my trivial passwords (including, until moments ago, El Reg) are "password1". I wonder what proportion of the occurrences which brought it into the chart are the half a billion of so places I've used it. Nice to be "ahead of the curve" for a change :D
Must say, the desperate cry of exasperation behind No. 21 certainly struck a chord. Or were "Christian Mingle" and Conservapedia among the hacked sites contributing data?
I have three reasons for doubting the accuracy of this list:
1. I don't believe "shadow" is really a popular password. I rather suspect this is a dummy value meaning that the password is not, in fact, stored.
2. There are too few obscenities in the list. I don't think I'm alone in using obvious sexual obscenities when I am forced to create an account and have no interest in its security.
3. There are too few changes in the list. They claim that the top six are unchanged (as a set) since last year. If the new list were really derived from new data I'd expect to see a lot more random variation even if the underlying popularity of the passwords were unchanged.
until we have an ISO approved standard for database and system design for holding and authenticating user details.
Personally, I can't big up LastPass enough (not just because it's free). It's password generator means a unique complex password for every site I use. The only way it could be improved (and for all I know this feature exists in the paid for version) would be to expire passwords every <x> days and nudge you to change it on the relevant site.
"Personally, I can't big up LastPass enough (not just because it's free)."
The problem I have with LastPass is the catastrophic single point of failure. I'm sure they work hard to avoid that (it is after all their entire business), but it still feels kind of uncomfortable.
@JimmyPage - I think what he is getting at is that if your single LastPass vault password is cracked, then the attacker has access to ALL your passwords in one hit. I do use LastPass myself, with a suitably secure password, but it is a good idea to be aware of this one particular weakness.
Ah, fair point, but having read their spec, it's as secure as it could be given life itself.
As I said, the vault is only one element of password security. Regular changing of passwords is essential too.
To be honest, there are several trivial things that could be done to greatly improve online security. My suggestion would simply be an SMS and/or email every time your credit/debit card is used, or a payment goes from your account. I'd guess that would cut fraud by 90% ? But then the banks would be liable for more than they are now, so that's never happen.
That has a very specific 8-12 characters for the password.
Every single time I am forced to re-generate a password because I can't remember the last one and therefore have to enter all my identifying information in all over again. I'm assuming other people write them down and keep them with the credit card.
Way to increase security.
I'm currenlty dealing with an outsourced IT service group.
The password policy is age (max 35 days), complexity (chars & numbers but no specials), length (min 8 max 12), history (not one of the previous 24). However, they don't operate a single sign on, so there are multiple domains and systems, each using different account name, details and passwords.
Because of this, they get a very large number of support requests for unlocking accounts / resetting passwords. They have a user accessible password reset tool; but it only works part of the time due to network issues. They also insist that if they have to unlock an account, they also have to reset the password every time.
All of this causes them a bit of hassle; whenever they have to unlock an account or reset a password, they always change it to abcd1234. Then they stop you from changing your password for 24 hours.
This sounds like it was specified by one person over a period of time
"damnit, we aren't complying with the thign that s called OWASP, whatever that thing is"
"damnit, users are complaining that they can't reset their passwords"
"damnit, why are password resets taking so long"
> If my password was "Iamsobloodylonely" (for example) I would hesitate before writing it down or reusing it on multiple logins.
I dunno, I'm rather found of the Louis Prima* version ("Just a Gigolo"):
"iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii'm so sad and lone--------------ly!"
*King Louie from Disney's The Jungle Book.
can't recall exactly which now, I think they were SunSPARCs or SGIs... our sysadmin insisted that people use, in their passwords, one of the additional function keys which were ranged down the left of the keyboard. It made it impossible to log in casually from anywhere other than in the computer room which housed the workstations themselves!
You want flexibility in it to cope with all the stupid options people insist your password complies with. (case important/irrelevant numbers allowed/not allowed repeated digits etc).
I think people would like to be able to pronounce it in their home language as well. I think this is probably the toughest problem, especially if you want to avoid real words in that language.
Some kind of soundex algorithm in reverse?
But seriously WTF with "password" after decades of warnings? sure for disposables but not long term.
My personal suggestion is (any) obscenity and the words "thieving" "lying" "cheating""parasites" mixed up with any random digits are quite good choices for any utility, credit card or telephone accounts
If you are only 10 years old, you probably haven't had *any* warnings. Certainly not from anyone you can be bothered to listen to. A lot of social networking websites probably have a disproportionately large number of users who see "password protection" as the thing that stops them from getting onto the site to post selfies to their friends.
The difference is what was secured by these passwords.
A personal email account you get receipts etc. emailed to? Yes, that's an error to choose a weak password.
A throwaway Yahoo account because you were forced to sign up to it by product X? Who cares?
An eHarmony account that you really don't care about people hacking and only set up for a laugh? Again, who cares?
Anyone with a brain has a set of different passwords for various things. My father's Windows Login password (which, incidentally, is totally unnecessary as it does nothing and the admin account is open if you know the double-Ctrl-Alt-Delete trick or use Safe Mode or whatever) is such a password. But his banking one is secure. His password to the account on the website he signed up to one to buy a bit from his car (but stores no credit card details)? That's different again and though not "secure" is probably not guessable even if you know him. His password for the christmas giftlist document that I share with him? Incredibly insecure but stops him clicking on it and accidentally showing mum what he got for Christmas. This is a man that has trouble turning a computer on and takes an hour to install a simple program because he reads every line of text on the screen (not the license agreements, all the surrounding "Click next to proceed with installation" etc. gumpfh) and can't see what he's supposed to press next.
The security of passwords is general is (like all statistics) meaningless without context. I have and use a number of insecure passwords for things I don't care about and don't WANT to use my secure passwords on (because if they are compromised, then they might be able to do some damage elsewhere). And my secure passwords (of which I have many levels but sometimes re-use things for passwords of the same "level"), are all unguessable. I have a very good memory for passwords, but I'm not going to make unique ones for everything I do because I will spend my LIFE logging on, and will end up having to put them all in one place which is inherently less secure than re-using passwords for similar levels of access (i.e. if you compromise, say, my forum account, yes you could probably use it on some other forums I frequent, but none of them will give you more access to information than the account password originally compromised, or any other forum account I use).
As an extreme example, the password for my banking is some incredibly secure thing and used only for banking purposes in combination with a OTK device. I have a password that I only use for Government Gateway services even though I haven't really used those in years now. I have a password for anything that involves financial matters no related to my bank (e.g. pre-paid credit cards, etc.). The password for any site that stores my credit card information is different but on the same level of security and sometimes shared between partner sites. Additionally, I have a one-off sign-up password for sites I've never used before but which want my credit card information stored. I can cancel a rogue card transaction from them and know who it was, but I can't suffer a password leak that might affect other sites I visit if they are clever and try to reuse / guess my details elsewhere to gain more access.
I have a password for accounts of value even if they have no credit card information associated (e.g. Steam). I have a password for anything that stores personal information on me but which doesn't store payment information or isn't payment related. I have a password for sites that I need to log into but which I wouldn't care about someone accessing as me (e.g. forums, etc.), and I have a password that I use to get past anything that demands one for no real reason.
Each password (and sometimes there are three-four passwords for each level depending on the security of the level) is different and all but the very lowest levels are secure passwords. I can also tell, by the very service that the website is trying to offer me, what the password for a site I hardly visit but have an account for is likely to be (and unlikely to take more than a couple of guesses and thus unlikely to be "locked out"), and even a compromise of one site's password that's advertised with full details all over the world will ever let you into an account with more "power" or containing more information than the compromised site. And I have to remember only 10 passwords, which is way within the realm of sanity, and because they can be remembered, I never have to write them down.
And my Yahoo password for an old Geocities account I had years ago which was forcibly upgraded to Yahoo? That's probably not that important to me because all it lets you do is log into Yahoo Search as me (and I haven't used Yahoo search since the Geocities days!). Dating sites? They would end up in the last category (i.e. I have to have a password, but don't particularly care about what it is). LinkedIn? I signed up to it once to talk to an old friend, didn't even put my name on the account. A quick login suggests that's also in the last category. Last.fm? If I had an account for it, it would also be the last one.
So it's really bad to try to take away anything new from this article. People choose rubbish passwords when they are asked for a password to protect rubbish. This is like having 1234 on the combination to keep your wheelie bin shut so it doesn't bang in the wind, who cares? But your bike probably has a half-decent combination on it and a better lock.
Now do a survey of the passwords people use on Amazon or Steam or their bank and see how different the results are.
Quote "A throwaway Yahoo account because you were forced to sign up to it by product X? Who cares?
An eHarmony account that you really don't care about people hacking and only set up for a laugh? Again, who cares?"
The people who get spammed when your weak user credentials are abused and used to send messages to other members or send emails?
The checking of passwords should also include the checking against common hashes. Depending on the hash size there are millions of different combinations that will, by pure accident, generate the same hash as 'password'. Imagine being one of the unlucky ones who has set their password to be 'gsvug93u10!£T!£1' , and have the application say 'great strength password' only to find it has the same hash value as 'password' - lol. Not very likely, but possible.
The password checker should generate the hash and then do a google search for the hash (which is still the easiest way to find a password from an unsalted hash).
Obviously, the above is not applicable if they salt (which of course everybody should do).
In that case is Mister gsvug93u10!£T!£1 still screwed, only now you don't know it?
But collisions are unlikely to the point of mathematical near-impossibility in a well-designed hashed password scheme.
Anyway, I suppose that protecting your users by storing the salted hashes of all bad passwords is also possible.
However, the error message ought now to read, "The server has noticed that your chosen password may be on a list of inapproiate obvious passwords. On the other hand, your choice of password may be reasonable, and this message a 'false positive' for this situation; nevertheless, we would like you to choose another, instead."
A password in hexadecimal digits is about as random and obscure as those digits are, so I propose that if there's enough of them then it's fine. Whatever it is, you're probably going to have to type it, which makes punctuation symbols just a pain. However, I did once maintain a set of several dozen UNIX servers that made various objections to alphanumeric pure hex numbers as passwords; when I put "0qz" in front of all of them one month, and then "qz0" after all of them the next month, most or all of the remaining objections to my choices went away. And the other part was and still is secret, so I think it's okay to tell you what I've told you.
This was many years ago, while doing work for a banking customer who required us to use a _lot_ of different accounts - too many to remember. Password length was up to 12 characters used on a formerly popular mainframe. They owned a bunch of these.
To pay lip service to security the entries in my password list were encoded as the octal equivalent of the password, as encoded in the Fieldata character set and circular shifted one bit in the mainframe's double-word. In those days of assembly language programming FD coding was burned into my synapses and the only uncertainty was whether I had mentally double circular shifted right (a DSC op) or left (LDSC).
The whole scheme eventually went out the window when upper/lower case combinations became required (FD is a 6-bit single case code) and I couldn't be arsed to learn the ANSI code set.
I would like to see a survey of how many websites are still using restrictive alphanumeric character sets only. Especially ones where they require no more than 8 characters!
Verified by Visa - I'm thinking of as a prime example.
Websites that don't use SSL - any El Reg editors care to comment?
I tend to think what's the point on these websites and use an insanely easy alphanumeric password because, there just is no point if someone is sniffing packets, or if there's a character limit. There's just no point in trying to to think up anything remotely imaginative.
Often numbers are required as part of a password, I have often wondered if they actually make it any better, not to mention capital letters.
Personally I tend to (when I feel is matters) have a story for my passport. Makes it long but easy to remember, take for instance something like "onceuponatimeifuckedalamb" and similar silly stories.
The thing that annoys me however are people who will not turn their bloody face away when you type your password. Often used a lot of backspace then to confuse.
put "123456" in the number two slot for 2012; the same sequence was used by 37 per cent of all user accounts at the Anonymous-hacked Greek finance ministry.
Sounds like these were initial passwords for new/never-used accounts, I don't think the 37% would be representative of individual-chosen passwords.
I have often wondered why feedback from the site or program you are entering the password into couldn't resolve this. A 'password service" similar to virus scanners could check the password's strength, and just plain stop stupidities like "password1" from being accepted.
In defence of the Greeks, I used to work in health (making sure seniors get the benefits they are entitled to) and if their government is anything like the one I used to work for...
The admins who ran the system seemed to equate more ID/password combos with better security, so we had:
- One ID/password to log on to windows.
- 5 ID/passwords to access various software, none of which sent or received any data over any kind of network.
- 19 ID/password combos to log onto various intra-net "apps". Of those, you'd use maybe 5 or 6 on a daily basis and another 4 or 5 on a weekly basis.
After the first few weeks of people spending half their work day on phone to the IT helpdesk to reset forgotten passwords (policy said you can't write any ID/password down), it quickly became common practice for everyone to use their (easily accessible) payroll number as their ID for everything, and everyone's password for each app was the same as everyone else's.
My point is that security is more than just password strength, it's having competent people creating and implementing the policies.
Not just public service - far too many corporates do it too :-(
I currently have 9 different systems that I use on a daily basis - so 9 different username/password combos. None of the usernames are the same and most of the passwords require different formats. I then have a further 4 or 5 systems I use probably around once a month, again different formats for both username and password. Vast majority of the systems don't even leave our network - only 2 of them are third party apps out there in cloudspace. Then there is all the personal stuff - banking, websites, online shopping. Add in the stupid verified by wankers and the insane amount of PINs and what hope does a mere mortal have?
Frankly its a wonder I can remember my own name most of the time.
Biting the hand that feeds IT © 1998–2021