Who's using 'password' as a password? TOO MANY OF YOU

A study to find the top 25 leaked passwords of 2012 has revealed too many people are still using "password", "123456" and "12345678" for their login credentials. The table was compiled from plain-text passwords and weak unsalted password hashes lifted from compromised databases and dumped online by Anonymous hacktivists and …

COMMENTS

  1. Z-Eden
    Unhappy

    I've seen a rise in people using the following as a password lately: xsw21qaz

    Yes, it is that easy to spot...

    1. TRT

      Doesn't work...

      on many foreign keyboards!

      1. Dave 126 Silver badge

        Re: Doesn't work...

        >on many foreign keyboards!

        My old webmail password was along the lines of: 'orwell 1984' > 'o1r9w8e4ll' (jumble letters and numbers) > 'O!r9W*e4LL (alternate Shift, two on, two off)'... so when on holiday and faced with a Spanish keyboard, I had to search for an image of a UK keyboard to remember which symbols to use.

        I guess I'm not ready for one of these: http://www.daskeyboard.com/model-s-ultimate/

    2. Mr_Pitiful
      Pint

      dev passwords

      Those are dev passwords i.e. Zaq12wsx or Xsw23edc

      easy as pie if you use one starting with the website's first letter: theregister.co.uk could be Tgbnhy65

      up or down and around, meets the usual 8 letter/numeric restrictions

      Beer, as it's a good way to forget the passwords you've used

      BTW my former IT manager locked the whole company to use Password10 with no option to change ever! WTF

      1. cordwainer 1
        Unhappy

        I'm sorry, your post is missing required data . . .

        You omitted the name of your former IT manager's current employer ]:->

    3. Ken Hagan Gold badge

      xsw2!QAZ

      If you hold down the shift key for the downward stretch (as shown) it is actually so strong that some web-sites won't let you use it.

  2. Anonymous Coward
    Anonymous Coward

    Cool I'm secure

    Great, I'm secure then, I use mypassword for throwaway don't-care-about sites that insist on registering my details :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Cool I'm secure

      Don't forget handy disposable e-mail addresses. 10minutemail.com is a good 'un.

      1. Rimpel
        Thumb Up

        Re: Cool I'm secure

        In the past I have just made up random addresses like a.b@c.com for sites that want an email address but aren't actually making you register but that looks handy thanks for the tip.

    2. Androgynous Crackwhore
      Unhappy

      Arse!

      Seconds ago I changed my El Reg password to "mypassword"... just before posting my old password below.

      Now I'm feeling all paranoid and have to change it again!

      I hate you

  3. Sir Runcible Spoon

    Sir

    If you want to work out passwords that are truly difficult to crack, try cracking passwords. Mind you, it's a bit of effort and that last set of dictionary files I downloaded was about 7GB.

    1. Naughtyhorse

      Re: Sir

      Is brute force really cracking?

      i guess it is, in the same way you can use a sledgehammer to 'pick' a lock :-D

      1. DN4

        Re: Sir

        > i guess it is, in the same way you can use a sledgehammer to 'pick' a lock

        You pick the lock if you open it without damaging it (and not using the key). Doesn't matter if you use a sledgehammer, ice cone or proton collider...

  4. cyke1
    Trollface

    aol days

    Seeing this these days reminds me of the old AOL days and this stuff, back when I did evil stuff. Only had to use a list of like 30 pw's, all dumb ones like this; well, the list might have been like 15. Hard to remember 14 years ago. So many ppl used these passwords. ahhh the memories.

  5. Velv
    FAIL

    Double Fail

    OK, so it's fail on the users for picking bad passwords, but it's double fail on the SysAdmins who let them pick bad passwords.

    I can think of very few applications that don't have a password checking module available to validate the strength of a password and enforce just a little bit of care.

    1. Zaphod.Beeblebrox
      FAIL

      Re: Double Fail

      <rant> And triple fail to those systems that restrict the character set or length of the password. I'm constantly bumping into systems that won't let me use any special characters (alphanumerics only, please!) or only a subset (dashes and underscores and similar) or restrict me to 16 characters or less (I use *long* pass phrases, come on now!). I hit one that limited me to *8* characters! Seriously? What were you thinking? I'd pass on them entirely but some of them are required for my job. Idiots. Bleeding idiots. </rant>

      Thank you, I feel better now.

      1. Naughtyhorse
        Joke

        Re: Double Fail

        whew!

        fortunately I don't have any nuke launch codes.

        only thing I need security for is to look at the state of my overdraft, and that more from embarrassment than anything else

      2. John G Imrie

        I hit one that limited me to *8* characters!

        8 characters was the number of significant characters used in the Unix crypt() function.

        And yes it was only when a client said that he had got into his own account with the wrong password that we realised this.

      3. ElReg!comments!Pierre
        Unhappy

        Re: Double Fail

        > I hit one that limited me to *8* characters! Seriously? What were you thinking?

        At my place of work we have to use passwords of exactly 8 chars. No more, no less. At least it's case-sensitive, but still, given that cracking someone's account gives you access to everything work-related (including pay etc.), that's a bit weak.

      4. teebie

        Re: Double Fail

        > I hit one that limited me to *8* characters! Seriously? What were you thinking?

        They were thinking "the database column where we store passwords in plain text is only 8 characters long"

    2. auburnman
      Stop

      Re: Double Fail

      To quote the Oatmeal, " If I want to use 'Boobs' as my password that's my own shitty decision and you should just let me roll with it."

      1. JDX Gold badge

        Re: Double Fail

        Yeah - if you force me to use a long unmemorable password I'm either going to write it down or forget it.

        1. badger31
          Happy

          Re: Double Fail

          @JDX

          So write it down, then. Just don't write it on a post-it note and stick it to your monitor.

          1. Naughtyhorse

            Just don't write it on a post-it note and stick it to your monitor.

            but that's exactly where I need it - that's ergonomics, that is!

            :-D

          2. Mr_Pitiful
            Facepalm

            Re: Double Fail

            /me quickly takes down postit notes from my wall and writes the passwords in our little black book!!!!

            The shame I will now suffer

          3. matthewjs

            Re: Double Fail

            It makes me chuckle how technology will always, always, always and always force us to write something down using pen and paper at some stage.

          4. Michael Wojcik Silver badge

            Re: Double Fail

            Just don't write it on a post-it note and stick it to your monitor.

            An attacker who can see a Post-It note stuck to my monitor is in my house, and I have worse security problems to deal with. (I don't have any such notes, but they wouldn't represent a useful branch of the attack tree if I did.)

            I do keep a file of password hints meaningful to me but not to an attacker, to avoid having to remember which variants of which passwords I've assigned to which domains. A very lucky and/or clever attacker might get hold of that, but the work factor required to extract useful information from it is infeasible. Better just to beat the information out of me.

            The real problem, under my threat model, is the paper list of accounts and passwords I keep in the safe for use by my family members should I perish in a noble world-saving exercise or the like. And it's a problem because it's too damned hard to keep it up to date.

            Passwords are a terrible authentication mechanism - I don't know any reputable information-security expert who believes otherwise.

        2. ratfox
          Mushroom

          And a *special* mention to web sites…

          That send you back the password by e-mail so that you don't forget it. After insisting you should choose your password carefully.

        3. I think so I am?
          Thumb Up

          Re: Double Fail

          Don't worry, on 2003 Windows Domains the policy for complex passwords still allows Password1

      2. Anonymous Coward 15
        Paris Hilton

        Re: Double Fail

        Boobs are always a password.

        1. Michael H.F. Wilkinson Silver badge

          Real BOFH fans will remember the luser's password "maggot"

          luser: "But I like the word maggot"

          BOFH: "And I like the words 'Grievous bodily harm,' but do not use them as a password..... Yet"

    3. Anonymous Coward
      Anonymous Coward

      Re: Double Fail

      And quad fail for not doing a "force password reset on login" as sooo many of those seem to be default ones.

    4. Joe Montana
      FAIL

      Re: Double Fail

      There are more problems than that...

      Most password strength enforcement systems are garbage, very few check for dictionary words for instance, so Password1! is often a perfectly valid choice as it is >8 chars, contains numbers, mixed case letters and symbols - and yet is still trivially easy to crack.

      And then you have the inconvenience, far too many passwords to remember because every trivial little site thinks it's important enough for you to bother using a strong password.

      And then the trust aspect, do you know *HOW* a particular site stores your password? Most sites never disclose to you how user passwords are stored and what precautions they take to protect them, and even if they did they could be lying. There are plenty of sites out there, including some big names, that store passwords in plain text or in a form that's easily reversible to plain text.

      So I use an intentionally weak password combined with a throwaway email for most sites, if the site has a password policy I usually just append 1 or 1! to the end to get round it.

      As for throwaway email, spamdecoy.net isn't the fanciest of sites but it works well and has several domains you can use (some places block the common disposable mail domains after a while).
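The gap described above (class rules that let Password1! through because nothing looks for a dictionary word underneath the decoration) is easy to see by putting a naive checker next to a dictionary-aware one. The code below is an added example written for this thread, not code from The Register or from any site mentioned in it; COMMON_WORDS and the LEET substitution table are constructed, toy-sized stand-ins for a real leaked-password list and a real mangling rule set.

```python
"""Added example: a naive class-based password policy beside a dictionary-aware
one. Constructed for this thread, not code from any site mentioned in it.
COMMON_WORDS is a tiny constructed stand-in for a real leaked-password list."""
import re
import string

# Constructed sample of common base words. A real check would load a large
# leaked-password dictionary here instead of six entries.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "monkey", "123456"}

# Letter-for-symbol swaps that cracking rule sets undo before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def naive_policy(pw: str) -> bool:
    """The check the post criticises: 8+ chars and one of each character class.
    'Password1!' satisfies every rule here."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def base_word(pw: str) -> str:
    """Strip the decoration an 'append 1!' user adds: lower-case, drop leading and
    trailing digits/punctuation, then undo the common letter-for-symbol swaps."""
    core = pw.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    return core.translate(LEET)


def dictionary_aware_policy(pw: str, words=COMMON_WORDS) -> bool:
    """Same class rules, plus: reject anything whose stripped base is a dictionary
    word, or a dictionary word with at most two characters left over once the word
    is removed (this also catches doubled words such as 'passwordpassword')."""
    if not naive_policy(pw):
        return False
    core = base_word(pw)
    if core in words:
        return False
    return all(len(core.replace(w, "")) > 2 for w in words)


if __name__ == "__main__":
    for candidate in ["Password1!", "P@ssw0rd123", "PasswordPassword1!", "Tr0ub4dor&3"]:
        print(f"{candidate:20s} naive={naive_policy(candidate)!s:5s} "
              f"dictionary-aware={dictionary_aware_policy(candidate)}")
```

The stripping step is the part most deployed checkers skip: without it, "P@ssw0rd123" is never compared against "password" at all, and the class rules reward exactly the decoration that cracking rule sets try first.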

      1. Eric Olson
        Childcatcher

        Re: Double Fail

        When at home (the place most likely used to check more sensitive accounts like banking and email (access to all the things) ), having long passwords written down isn't really an issue. As long as the place is secure, which a private residence typically is, you don't have problems.

        The work environment or your laptop bag is probably the place where written down passwords may cause problems. But even that can be foiled a bit by substitution, reminders that only you could determine, or even just keeping the reminders in your wallet.

        And finally, as has been pointed out numerous times, taking a less popular song lyric (so maybe the chorus from a deep cut on an obscure band you like) and then using the first letters, mixing in capital and lower case, then tossing on something at the front that makes it unique for that specific website (and can get around stupid limitations placed on it, like no special characters, short lengths, etc.) will probably be about as secure as we can get.

        I'm not sure I want to go the route of an encrypted USB stick that has a very strong password and the passwords in a text file or something, that you copy and paste, in the hopes you avoid keyloggers (wouldn't it be simple enough to also log clipboard information?). But that is one of the things that the linked NY Times article proposes.

        10minutemail, however, was an awesome find. I can't believe I went that long without it for all those stupid websites that want a verification email, but otherwise have no reason to contact me ever again.

      2. veti Silver badge
        FAIL

        Re: Double Fail

        I'd like to put in a brief mention for every two-bit blog that wants you to create a separate login just to comment there. (El Reg, I'm looking at you, among others.) Fercryinoutloud, we're not handling money or secrets here! Just let us use our Google/Disqus/Wordpress logins, thank you very much.

        Oh well, I guess it could be worse - they could be using Facebook.

      3. Gordon 8
        FAIL

        Re: Double Fail

        Have you ever used Volusion webstores?

        They allow (some) administrator(s) to view all users' passwords - yes, all the customers whose details you have ....

        And they don't even think it is a security problem...

        1. Anonymous Coward
          Anonymous Coward

          Re: Double Fail

          Oh God, we've just got a Volusion webstore. Wasn't my choice though, I'm not a web guy.

    5. Naughtyhorse

      Re: Double Fail

      but all the lusers complain like hell if they can't 'update' password1 to password2

      (i know i do!)

  6. FartingHippo
    Holmes

    The first person (apart from me)...

    ...to mention Horses, Batteries, or Staples should get a special "obvious post of the day" badge.

    1. David Given
      FAIL

      Re: The first person (apart from me)...

      I would actually be genuinely interested to see where 'correcthorsebatterystaple' appears on that list, but I couldn't find a download of the whole thing --- does anyone know if it's available anywhere?

    2. Anonymous Coward
      Anonymous Coward

      Re: The first person (apart from me)...

      > ..to mention Horses, Batteries, or Staples should get a special "obvious post of the day" badge

      The same goes for 'god', 'sex', 'love' and 'secret'.

  7. Anonymous Coward
    Holmes

    The majority of my passwords on the web are 123123e to cover password requirements and a one time email because I'm only signing up to access to a forum or part of a website or to save site settings.

    DuckDuckGo have an anonymous cloud setting to cover this, your password generates the key and from then on you can enter it and get your settings back.

  8. Colin Millar

    Talk about useless security

    Passwords get discredited by poor user practice and stupid design

    Where I work there is an application that you can log into

    1) Only if you are already logged onto the network

    2) Only if you log into the application with a user name and password (annoying but there could be a valid reason)

    3) The app user name and password must be your network user name and current password

    Where's the boggled mind icon?

    1. HipposRule
      Meh

      Re: Talk about useless security

      Could be linking to LDAP/AD but still have its own password database.

    2. Andy 115

      Re: Talk about useless security

      Surely having to RE-AUTHENTICATE using your network credentials....

      …is better than having to remember ANOTHER password / user id combo?

    3. Martin 37

      Re: Talk about useless security

      I work there! Company initials are Hardly Profitable?

  9. TRT
    WTF?

    WTF?!!!

    Who gave you permission to publish the secret password list for all my internet accounts?!

    1. This post has been deleted by its author

      1. Alex-L
        FAIL

        Re: WTF?!!!

        The Reg allow this as a post but have deleted posts of mine. I mean, come on...

        1. Anonymous Coward
          Anonymous Coward

          Re: WTF?!!!

          Cuh-lassic! Lol indeed.

        2. Anonymous C0ward

          Re: WTF?!!!

          Look at the user name on those two posts... I think he LARTed himself.

  10. bittenbytailfly
    Happy

    Conflicting Reports

    I was once the victim of a hacked PC, and someone made off with all my passwords (yes, I'd been lazily storing them in the browser, reusing them etc.) and so I created a little tool to generate strong passwords from more memorable phrases. I published this tool as a web site for anyone to use and according to Google Analytics I've seen a 20% rise in use over the last couple of months.

    http://www.deadboltpasswordgenerator.com/

    But then I guess a rise from eight to ten visitors per day may not be that significant ...

  11. Lockwood

    Love, Secret, Sex and God, wasn't it?

  12. ClassicKiriyama

    http://xkcd.com/936/

    So the ultimate password is obviously :

    welcomeletmeinkeepoutjesusninjatrustno1password1qwerty123456mustang

  13. jai

    Ashley & Michael

    presumably these are names of people's kids or SO's?

    surprising that so many people have a kid or other half named Ashley that the name outranks Jesus

    1. Captain Hogwash Silver badge

      Re: Ashley & Michael

      Really? I've met a few people called Ashley but none called Jesus. Maybe it depends on where in the world you are.

      1. Robert Carnegie Silver badge

        ¡Hola!

        No doubt, you are correct. It depends on where in the world you are.

        If something has to be secure, I favour random hexadecimal characters, if there are enough of them - although of course that could still give you "12345678".

        1. John H Woods

          Re: ¡Hola!

          Random hex is fine, as long as you remember it effectively shortens your password by at least 2 bits per char.
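To put the "at least 2 bits per char" remark into numbers, here is an added example (written for this thread, not code from the site or from any commenter) that computes the entropy per character of a uniformly random password over several alphabets, the bits per character given up by choosing hex, and the length a hex string needs to match a shorter password over a larger alphabet. The ALPHABETS table is an assumption about which character sets a site permits; the figures only hold for passwords generated at random, not for human-chosen strings.

```python
"""Added example: entropy per character for random passwords over different
alphabets, and what choosing hex costs. Constructed for this thread."""
import math
import secrets

# Assumed alphabet sizes; printable ASCII counts the space character here.
ALPHABETS = {
    "decimal digits": 10,
    "hexadecimal": 16,
    "lower-case letters": 26,
    "mixed-case alphanumeric": 62,
    "printable ASCII": 95,
}


def bits_per_char(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly random character: log2(alphabet size)."""
    return math.log2(alphabet_size)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * bits_per_char(alphabet_size)


def equivalent_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest random password over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def hex_bits_lost_per_char(alphabet_size: int) -> float:
    """Bits per character given up by choosing hex instead of the larger alphabet."""
    return bits_per_char(alphabet_size) - bits_per_char(16)


def random_hex_password(n_chars: int) -> str:
    """Random hex password from the OS CSPRNG via the secrets module.
    token_hex(k) returns 2k hex digits, so round up and slice for odd lengths."""
    return secrets.token_hex((n_chars + 1) // 2)[:n_chars]


def comparison_table(target_bits: float = 64.0) -> dict:
    """Per alphabet: bits per char, loss relative to hex, length needed for target_bits."""
    return {
        name: {
            "bits_per_char": round(bits_per_char(size), 2),
            "hex_bits_lost_per_char": round(hex_bits_lost_per_char(size), 2),
            "length_for_target": equivalent_length(target_bits, size),
        }
        for name, size in ALPHABETS.items()
    }


if __name__ == "__main__":
    for name, row in comparison_table().items():
        print(f"{name:24s} {row}")
    # A random 8-char printable-ASCII password needs this many hex digits to match:
    print("hex digits matching 8 printable chars:",
          equivalent_length(password_bits(8, 95), 16))
    print("example random hex password:", random_hex_password(16))
```

The table shows the trade-off the comment is making: hex costs about 2.6 bits per character against full printable ASCII and about 2 against mixed-case alphanumerics, which is recovered simply by making the hex string longer, and a long random hex string is still uniformly random even on the rare occasion it comes out as "12345678".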

      2. Magnus Ramage

        Re: Ashley & Michael

        As a book of Christmas cartoons I had some years ago put it, "Jesus? Why would you want to give him a Puerto Rican name?"

        1. Yet Another Anonymous coward Silver badge

          Re: Ashley & Michael

          > "Jesus? Why would you want to give him a Puerto Rican name?"

          So nobody would know he was Jewish?

  14. Tom 13

    Okay, I'll cop to it.

    Yeah I've used at least one of those passwords on a throwaway site where I don't actually care all that much about whether or not someone hacks it.

    Sites that I care about get different levels of attention depending on the level of caring.

    Sites I sorta care about but need easily remembered passwords get passwords with root pieces and salt.

    Sites that I really care about because they have financials get randomly generated passcodes. What really sucks is that sometimes when I use randomly generated passwords with full complexity, they still don't meet site rules for password generation. Which means the sites are actually less secure than the password I generated for it.

    1. Anonymous Coward
      Anonymous Coward

      Sites that refuse random passwords

      You give as your password 200 base64 characters representing 1200 bits taken from a hardware random number generator and the nincompoop site tells you: this password is not "strong" enough because it contains more than two occurrences of the character 'w'. Somebody please stab the programmer in the face.

  15. Anonymous Coward
    Anonymous Coward

    This is victim blaming!

    Instead of telling people not to use dumb passwords, like "password", you should tell crackers not to crack.

    1. Dr. Mouse

      Re: This is victim blaming!

      Yeah, and instead of telling people to lock their doors, you should tell people not to enter other people's houses and take their stuff!

      1. cordwainer 1
        Facepalm

        Re: This is victim blaming!

        Er . . . we DO tell people not to enter other people's houses and take their stuff, don't we? Or did I misunderstand what "laws" are?

        :-D

        1. Dr. Mouse

          Re: This is victim blaming!

          "Er . . . we DO tell people not to enter other people's houses and take their stuff, don't we?"

          That's my point. Even though people are told not to do something, it doesn't mean nobody will. So we lock our doors.

          Just as we tell people not to hack into another person's accounts, but we should still use strong passwords.

    2. Steven Roper
      Stop

      Re: This is victim blaming!

      ...and tell thieves not to steal, and rapists not to rape, and killers not to kill. Unfortunately, the real world has a propensity to ignore the proprieties. So people should still be prepared to defend themselves, be educated about the dangers of weak passwords, and the consequences of the potential identity theft that can result. That's not victim blaming, it's victim empowerment. Because identity theft is catastrophic and life-changing.

      I've spoken with someone it's happened to, and having your identity stolen destroys your life. This person lost his job, faced charges including extortion, money laundering, attempting to import illegal weapons among others, which took him years to be acquitted of; he had to sell his house to pay the court and lawyer costs, and had to move cities because of the offences he'd been charged with. All because someone cracked an account and stole his credit card details and contact info.

      It happens. So it's important that people be aware of the issues and take reasonable steps to protect themselves. It's just common sense.

    3. teebie

      Re: This is victim blaming!

      ?

      I have absolutely no idea if you are doing this on purpose

  16. Phil W

    1....2....3....4....5

    That's the kind of thing an idiot would have on his luggage!

    http://www.youtube.com/watch?v=_JNGI1dI-e8

    1. greenawayr
      Thumb Up

      Re: 1....2....3....4....5

      That's incredible, I've got the same combination on my luggage.

      Kudos.

      Interestingly, I've had the same password with slight variations on a theme for 14 years now. Nothing has been hacked as a result of that password.

  17. Androgynous Crackwhore
    Thumb Up

    I'm trendy!!!!

    Wait 'till I tell the missus!

    New entry at no. 25... just about all my trivial passwords (including, until moments ago, El Reg) are "password1". I wonder what proportion of the occurrences which brought it into the chart are the half a billion or so places I've used it. Nice to be "ahead of the curve" for a change :D

    Must say, the desperate cry of exasperation behind No. 21 certainly struck a chord. Or were "Christian Mingle" and Conservapedia among the hacked sites contributing data?

  18. Arthur the cat Silver badge

    Monkey?

    Why on earth is monkey so popular? Are they reshowing the old TV series or something?

    1. TRT

      Re: Monkey?

      An infinite number of them hitting keyboards at random will be able, eventually, to crack any password.

    2. Dave 126 Silver badge

      Re: Monkey?

      >Why on earth is monkey so popular? Are they reshowing the old TV series or something?

      Possibly Damon Albarn's stage adaptation is responsible:

      http://en.wikipedia.org/wiki/Monkey:_Journey_to_the_West

  19. dotdavid
    Thumb Up

    My password

    Is *********. Hiding in plain sight.

  20. Anonymous Coward
    Anonymous Coward

    Doubting the accuracy of this list

    I have three reasons for doubting the accuracy of this list:

    1. I don't believe "shadow" is really a popular password. I rather suspect this is a dummy value meaning that the password is not, in fact, stored.

    2. There are too few obscenities in the list. I don't think I'm alone in using obvious sexual obscenities when I am forced to create an account and have no interest in its security.

    3. There are too few changes in the list. They claim that the top six are unchanged (as a set) since last year. If the new list were really derived from new data I'd expect to see a lot more random variation even if the underlying popularity of the passwords were unchanged.

  21. JimmyPage
    Stop

    The golden rule of passwords is to assume that they can be seen by anybody ...

    until we have an ISO approved standard for database and system design for holding and authenticating user details.

    Personally, I can't big up LastPass enough (not just because it's free). Its password generator means a unique complex password for every site I use. The only way it could be improved (and for all I know this feature exists in the paid-for version) would be to expire passwords every <x> days and nudge you to change it on the relevant site.

    1. Bakunin
      Big Brother

      Re: The golden rule of passwords is to assume that they can be seen by anybody ...

      "Personally, I can't big up LastPass enough (not just because it's free)."

      The problem I have with LastPass is the catastrophic single point of failure. I'm sure they work hard to avoid that (it is after all their entire business), but it still feels kind of uncomfortable.

      1. JimmyPage

        Re: The golden rule of passwords is to assume that they can be seen by anybody ...

        Not sure what you mean ...

        Password vault can be stored locally and backed up. I've been able to use LP even when the website has been down (or uncontactable).

        1. Rattus Rattus

          Re: The golden rule of passwords is to assume that they can be seen by anybody ...

          @JimmyPage - I think what he is getting at is that if your single LastPass vault password is cracked, then the attacker has access to ALL your passwords in one hit. I do use LastPass myself, with a suitably secure password, but it is a good idea to be aware of this one particular weakness.

          1. JimmyPage

            Re: The golden rule of passwords is to assume that they can be seen by anybody ...

            Ah, fair point, but having read their spec, it's as secure as it could be given life itself.

            As I said, the vault is only one element of password security. Regular changing of passwords is essential too.

            To be honest, there are several trivial things that could be done to greatly improve online security. My suggestion would simply be an SMS and/or email every time your credit/debit card is used, or a payment goes from your account. I'd guess that would cut fraud by 90%? But then the banks would be liable for more than they are now, so that'll never happen.

    2. Crisp
      Coat

      Re: The golden rule of passwords is to assume that they can be seen by anybody ...

      But all secure sites like theregister asterisk out your passwords if you type them out in posts:

      ********

      See?

      1. Anonymous Coward
        Anonymous Coward

        Re: The golden rule of passwords is to assume that they can be seen by anybody ...

        > But all secure site like theregister asterisk out your passwords if you type them out in posts:

        > walkers1

        > See?

        I guess that only works on Internet Explorer.

  22. Bodestone

    Is it Verified by Visa?

    That has a very specific 8-12 characters for the password.

    Every single time I am forced to re-generate a password because I can't remember the last one and therefore have to enter all my identifying information in all over again. I'm assuming other people write them down and keep them with the credit card.

    Way to increase security.

    1. ratfox
      Meh

      Re-generating a password

      When I am forced to re-generate a password because I forgot my old one, the web site invariably tells me that I cannot use this password, because it is the same as the old one.

  23. Magister
    Facepalm

    The IT crowd

    I'm currently dealing with an outsourced IT service group.

    The password policy is age (max 35 days), complexity (chars & numbers but no specials), length (min 8 max 12), history (not one of the previous 24). However, they don't operate a single sign on, so there are multiple domains and systems, each using different account name, details and passwords.

    Because of this, they get a very large number of support requests for unlocking accounts / resetting passwords. They have a user accessible password reset tool; but it only works part of the time due to network issues. They also insist that if they have to unlock an account, they also have to reset the password every time.

    All of this causes them a bit of hassle; whenever they have to unlock an account or reset a password, they always change it to abcd1234. Then they stop you from changing your password for 24 hours.

    1. Seanmon

      Re: The IT crowd

      It's BT, isn't it?

    2. Rattus Rattus

      Re: The IT crowd

      Wow. That's an impressive mix of really good security and really horrible security. Very schizophrenic.

    3. teebie

      Re: The IT crowd

      This sounds like it was specified by one person over a period of time

      "damnit, we aren't complying with the thing that's called OWASP, whatever that thing is"

      "damnit, users are complaining that they can't reset their passwords"

      "damnit, why are password resets taking so long"

      etc

  24. auburnman

    Maybe we should use passwords that sound like mildly embarrassing admissions. If my password was "Iamsobloodylonely" (for example) I would hesitate before writing it down or reusing it on multiple logins.

    Where's the 'Lightbulb' icon?

    1. Darryl

      True... not sure how many guys would have a post-it stuck on their monitor with 'IHaveASmallPenis' scrawled on it.

    2. Anonymous Coward
      Anonymous Coward

      > If my password was "Iamsobloodylonely" (for example) I would hesitate before writing it down or reusing it on multiple logins.

      I dunno, I'm rather fond of the Louis Prima* version ("Just a Gigolo"):

      "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii'm so sad and lone--------------ly!"

      *King Louie from Disney's The Jungle Book.

      1. Zaphod.Beeblebrox
        Trollface

        I'd lose track typing it in - I mean, was that 49 or 50 'i's? 14 or 15 '-'s?

  25. TRT

    On some of the old terminals...

    can't recall exactly which now, I think they were SunSPARCs or SGIs... our sysadmin insisted that people use, in their passwords, one of the additional function keys which were ranged down the left of the keyboard. It made it impossible to log in casually from anywhere other than in the computer room which housed the workstations themselves!

    1. Anonymous Coward
      Anonymous Coward

      Re: On some of the old terminals...

      As long as it wasn't Stop+A.

  26. John Smith 19 Gold badge
    WTF?

    Password generation is quite interesting.

    You want flexibility in it to cope with all the stupid options people insist your password complies with (case important/irrelevant, numbers allowed/not allowed, repeated digits etc.).

    I think people would like to be able to pronounce it in their home language as well. I think this is probably the toughest problem, especially if you want to avoid real words in that language.

    Some kind of soundex algorithm in reverse?

    But seriously, WTF with "password" after decades of warnings? Sure for disposables, but not long term.

    My personal suggestion is (any) obscenity and the words "thieving", "lying", "cheating", "parasites" mixed up with any random digits are quite good choices for any utility, credit card or telephone accounts

    1. Ken Hagan Gold badge

      Re: WTF with "password" after decades of warnings?

      If you are only 10 years old, you probably haven't had *any* warnings. Certainly not from anyone you can be bothered to listen to. A lot of social networking websites probably have a disproportionately large number of users who see "password protection" as the thing that stops them from getting onto the site to post selfies to their friends.

  27. Lee Dowling Silver badge

    The difference is what was secured by these passwords.

    A personal email account you get receipts etc. emailed to? Yes, that's an error to choose a weak password.

    A throwaway Yahoo account because you were forced to sign up to it by product X? Who cares?

    An eHarmony account that you really don't care about people hacking and only set up for a laugh? Again, who cares?

    Anyone with a brain has a set of different passwords for various things. My father's Windows Login password (which, incidentally, is totally unnecessary as it does nothing and the admin account is open if you know the double-Ctrl-Alt-Delete trick or use Safe Mode or whatever) is such a password. But his banking one is secure. His password to the account on the website he signed up to once to buy a bit for his car (but stores no credit card details)? That's different again and though not "secure" is probably not guessable even if you know him. His password for the Christmas giftlist document that I share with him? Incredibly insecure but stops him clicking on it and accidentally showing mum what he got for Christmas. This is a man that has trouble turning a computer on and takes an hour to install a simple program because he reads every line of text on the screen (not the license agreements, all the surrounding "Click next to proceed with installation" etc. gumpfh) and can't see what he's supposed to press next.

    The security of passwords in general is (like all statistics) meaningless without context. I have and use a number of insecure passwords for things I don't care about and don't WANT to use my secure passwords on (because if they are compromised, then they might be able to do some damage elsewhere). And my secure passwords (of which I have many levels but sometimes re-use things for passwords of the same "level") are all unguessable. I have a very good memory for passwords, but I'm not going to make unique ones for everything I do because I will spend my LIFE logging on, and will end up having to put them all in one place which is inherently less secure than re-using passwords for similar levels of access (i.e. if you compromise, say, my forum account, yes you could probably use it on some other forums I frequent, but none of them will give you more access to information than the account password originally compromised, or any other forum account I use).

    As an extreme example, the password for my banking is some incredibly secure thing and used only for banking purposes in combination with an OTK device. I have a password that I only use for Government Gateway services even though I haven't really used those in years now. I have a password for anything that involves financial matters not related to my bank (e.g. pre-paid credit cards, etc.). The password for any site that stores my credit card information is different but on the same level of security and sometimes shared between partner sites. Additionally, I have a one-off sign-up password for sites I've never used before but which want my credit card information stored. I can cancel a rogue card transaction from them and know who it was, but I can't suffer a password leak that might affect other sites I visit if they are clever and try to reuse / guess my details elsewhere to gain more access.

    I have a password for accounts of value even if they have no credit card information associated (e.g. Steam). I have a password for anything that stores personal information on me but which doesn't store payment information or isn't payment related. I have a password for sites that I need to log into but which I wouldn't care about someone accessing as me (e.g. forums, etc.), and I have a password that I use to get past anything that demands one for no real reason.

    Each password (and sometimes there are three or four passwords for each level depending on the security of the level) is different and all but the very lowest levels are secure passwords. I can also tell, by the very service that the website is trying to offer me, what the password for a site I hardly visit but have an account for is likely to be (and unlikely to take more than a couple of guesses and thus unlikely to be "locked out"), and not even a compromise of one site's password that's advertised with full details all over the world will ever let you into an account with more "power" or containing more information than the compromised site. And I have to remember only 10 passwords, which is way within the realm of sanity, and because they can be remembered, I never have to write them down.

    And my Yahoo password for an old Geocities account I had years ago which was forcibly upgraded to Yahoo? That's probably not that important to me because all it lets you do is log into Yahoo Search as me (and I haven't used Yahoo search since the Geocities days!). Dating sites? They would end up in the last category (i.e. I have to have a password, but don't particularly care about what it is). LinkedIn? I signed up to it once to talk to an old friend, didn't even put my name on the account. A quick login suggests that's also in the last category. Last.fm? If I had an account for it, it would also be the last one.

    So it's really bad to try to take away anything new from this article. People choose rubbish passwords when they are asked for a password to protect rubbish. This is like having 1234 on the combination to keep your wheelie bin shut so it doesn't bang in the wind, who cares? But your bike probably has a half-decent combination on it and a better lock.

    Now do a survey of the passwords people use on Amazon or Steam or their bank and see how different the results are.

    1. 3G

      Quote "A throwaway Yahoo account because you were forced to sign up to it by product X? Who cares?

      An eHarmony account that you really don't care about people hacking and only set up for a laugh? Again, who cares?"

      The people who get spammed when your weak user credentials are abused and used to send messages to other members or send emails?

      1. Anonymous Coward
        Anonymous Coward

        I'd care about eHarmony being hacked. (Not that I actually use it, maybe I should.) I'd need a photo and enough real info that it runs a risk of identifying me. Plus payment info if I wanted to contact anyone.

  28. Kevin7

    The thing that strikes me as odd is that since we have a database of known weak passwords, is it really too much for login systems to blacklist them so no one can ever use them?

    1. Yet Another Anonymous coward Silver badge

      But then those passwords would become very uncommon and so excellent choices!

  29. ukgnome
    FAIL

    That looks like part of my dictionary list from the early 2000s - I miss Brutus!

  30. Evil Auditor Silver badge

    So what?!

    I consider most of the accounts of websites such as linkedin or Reg as of totally no importance and hence can't be arsed to select a secure password. And I'm rather cautious and a bit paranoid.

  31. Anonymous Coward
    Anonymous Coward

    I have used something as weak as "aaaaaa" on low-sensitivity sites that don't involve money or need a real identity. Paid user of LastPass on anything else though. Although it's a pig entering my long master password, so it's saved.

  32. Anonymous Coward
    Anonymous Coward

    The Hash-Clash Scenario (NOT a new episode of The Big Bang Theory)

    The checking of passwords should also include the checking against common hashes. Depending on the hash size there are millions of different combinations that will, by pure accident, generate the same hash as 'password'. Imagine being one of the unlucky ones who has set their password to be 'gsvug93u10!£T!£1', and have the application say 'great strength password' only to find it has the same hash value as 'password' - lol. Not very likely, but possible.

    The password checker should generate the hash and then do a google search for the hash (which is still the easiest way to find a password from an unsalted hash).

    Obviously, the above is not applicable if they salt (which of course everybody should do).

    1. Anonymous Coward
      Anonymous Coward

      Re: The Hash-Clash Scenario (NOT a new episode of The Big Bang Theory)

      Adding salt to your hash? What does that do to the smokeability?

      1. Isendel Steel
        Pint

        Re: The Hash-Clash Scenario (NOT a new episode of The Big Bang Theory)

        might make the corned beef a bit more salty ?

        (beer to wash it down with)

    2. Robert Carnegie Silver badge

      But

      In that case is Mister gsvug93u10!£T!£1 still screwed, only now you don't know it?

      But collisions are unlikely to the point of mathematical near-impossibility in a well-designed hashed password scheme.

      Anyway, I suppose that protecting your users by storing the salted hashes of all bad passwords is also possible.

      However, the error message ought now to read, "The server has noticed that your chosen password may be on a list of inappropriate obvious passwords. On the other hand, your choice of password may be reasonable, and this message a 'false positive' for this situation; nevertheless, we would like you to choose another, instead."

      A password in hexadecimal digits is about as random and obscure as those digits are, so I propose that if there's enough of them then it's fine. Whatever it is, you're probably going to have to type it, which makes punctuation symbols just a pain. However, I did once maintain a set of several dozen UNIX servers that made various objections to alphanumeric pure hex numbers as passwords; when I put "0qz" in front of all of them one month, and then "qz0" after all of them the next month, most or all of the remaining objections to my choices went away. And the other part was and still is secret, so I think it's okay to tell you what I've told you.

  33. Steve Foster
    Go

    Now why did reading that list make me think of this?

    http://www.youtube.com/watch?v=33vc3U1X7co

  34. Anonymous Coward
    Anonymous Coward

    I used to carry a handwritten list of all my passwords in my wallet.

    This was many years ago, while doing work for a banking customer who required us to use a _lot_ of different accounts - too many to remember. Password length was up to 12 characters used on a formerly popular mainframe. They owned a bunch of these.

    To pay lip service to security the entries in my password list were encoded as the octal equivalent of the password, as encoded in the Fieldata character set and circular shifted one bit in the mainframe's double-word. In those days of assembly language programming FD coding was burned into my synapses and the only uncertainty was whether I had mentally double circular shifted right (a DSC op) or left (LDSC).

    The whole scheme eventually went out the window when upper/lower case combinations became required (FD is a 6-bit single case code) and I couldn't be arsed to learn the ANSI code set.

  35. DoesAnyoneSpeakSense?

    On a related note, using "P@55w0rd" is just as bad as using "Password". Please stop. Thanks.

  36. jjk
    Headmaster

    What, no "swordfish"?

    Sad how the classics are all but forgotten...

    (http://www.imdb.com/title/tt0023027/quotes?qt0295157)

    Icon looks a bit like Professor Wagstaff.

    1. Sooty

      Re: What, no "swordfish"?

      Sadly too common on tv

      http://tvtropes.org/pmwiki/pmwiki.php/Main/ThePasswordIsAlwaysSwordfish

  37. Haku

    Passwords? We don't need no stiHELLO DEAR FRIEND,

    WE HAVE THE PLEASURE TO MAKE THIS SURPRISING BUT MUTUALLY BENENFITING BUSINESS PROPOSAL. I AM A MEMBER OF THE NEWLY INAUGURATED COMMITTEE FOR THE PRIVATIZATION OF THE REFINERIES OF THE NIGERIAN NATIONAL PETROLEUM CORPORATION, IN NIGERIA.

  38. Keep Refrigerated
    FAIL

    OTOH

    I would like to see a survey of how many websites are still using restrictive alphanumeric character sets only. Especially ones where they require no more than 8 characters!

    Verified by Visa - I'm thinking of as a prime example.

    Websites that don't use SSL - any El Reg editors care to comment?

    I tend to think what's the point on these websites and use an insanely easy alphanumeric password because there just is no point if someone is sniffing packets, or if there's a character limit. There's just no point in trying to think up anything remotely imaginative.

  39. Lonesome Twin
    Megaphone

    Secure password? Simples. Think back: What was the registration of your first car/bike/moped? Your dad's? I reckon the average age on this forum is only slightly less than Radio 4, so NO-ONE ELSE WILL EVER KNOW IT. Of course it will prob be 2 letters too short ;)

    <lightbulb>???

    1. Allan George Dyer
      Facepalm

      until you

      post a picture of said car/bike/moped on FB. Or your brother does...

  40. Anonymous Coward
    Anonymous Coward

    What about Password1!? It was very widely used for admin access at my previous employer!

  41. Dave 32
    FAIL

    Zombie versus Vampire

    At least no one is using Zombie or Vampire as a password. Correct?

    Dave

  42. Lars Silver badge
    Pint

    Digits

    Often numbers are required as part of a password; I have often wondered if they actually make it any better, not to mention capital letters.

    Personally I tend to (when I feel it matters) have a story for my password. Makes it long but easy to remember, take for instance something like "onceuponatimeifuckedalamb" and similar silly stories.

    The thing that annoys me however are people who will not turn their bloody face away when you type your password. Often used a lot of backspace then to confuse.

  43. Richard Cartledge

    put "123456" in the number two slot for 2012; the same sequence was used by 37 per cent of all user accounts at the Anonymous-hacked Greek finance ministry.

    Sounds like these were initial passwords for new/never-used accounts, I don't think the 37% would be representative of individual-chosen passwords.

    1. teebie

      Initial passwords, yes; new/never-used accounts, you may be overestimating competence.

  44. Anonymous Coward
    Anonymous Coward

    Horse Battery Staple

    Those 5ecur3 type passwords are very easy to guess with John the Ripper; it even has the substitution rules built in, no need for big dictionaries.

    You need a password with a lot of entropy but that is easy to remember

    https://xkcd.com/936/

  45. Jim O'Reilly
    Childcatcher

    The software guys can fix this in 15 minutes!

    I have often wondered why feedback from the site or program you are entering the password into couldn't resolve this. A "password service" similar to virus scanners could check the password's strength, and just plain stop stupidities like "password1" from being accepted.
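The blacklist idea raised in posts 28 and 45, together with the disguised variants complained about in posts 35 ("P@55w0rd") and 44 (substitution rules), as an added example that is not code from the thread or from any tool it names. The denylist entries are constructed from passwords mentioned in the thread, and the substitution table is an assumption; a real deployment would load a large list of leaked passwords instead.

```python
"""Registration-time check of a candidate password against a denylist of
known-weak passwords, after undoing the usual disguises (case, trailing
digits/symbols, letter-for-symbol substitutions)."""

# Constructed denylist (assumption: a real list would be far larger).
DENYLIST = frozenset({"password", "123456", "swordfish", "fladnag",
                      "zombie", "vampire"})

# Assumed substitution table, undone before the lookup so that
# "P@55w0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def strip_decoration(s: str) -> str:
    """Drop trailing digits/symbols appended to satisfy complexity rules
    ("password1!" -> "password")."""
    end = len(s)
    while end > 0 and not s[end - 1].isalpha():
        end -= 1
    return s[:end]


def variants(candidate: str) -> set:
    """All normalised spellings of the candidate that get looked up."""
    folded = candidate.casefold()
    core = strip_decoration(folded)
    return {folded, core, folded.translate(LEET), core.translate(LEET)}


def check_password(candidate: str) -> tuple:
    """Return (accepted, message). The rejection wording follows the
    'possible false positive' style suggested in post 32."""
    hits = sorted(v for v in variants(candidate) if v in DENYLIST)
    if hits:
        return (False, "Your chosen password looks like a variant of a "
                       "commonly used password (%s). This may be a false "
                       "positive, but please choose another." % hits[0])
    return (True, "Password accepted.")


if __name__ == "__main__":
    # Constructed sample candidates, drawn from the thread.
    for pw in ("P@55w0rd", "Password1!", "123456", "gsvug93u10!£T!£1"):
        ok, msg = check_password(pw)
        print("%-20s %s" % (pw, "OK" if ok else "REJECT: " + msg))
```

The check is deliberately run on the plaintext at registration time, which sidesteps the unsalted-hash lookup problem discussed in post 32.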

  46. Anonymous Coward
    Anonymous Coward

    In their defense...

    In defence of the Greeks, I used to work in health (making sure seniors get the benefits they are entitled to) and if their government is anything like the one I used to work for...

    The admins who ran the system seemed to equate more ID/password combos with better security, so we had:

    - One ID/password to log on to windows.

    - 5 ID/passwords to access various software, none of which sent or received any data over any kind of network.

    - 19 ID/password combos to log onto various intra-net "apps". Of those, you'd use maybe 5 or 6 on a daily basis and another 4 or 5 on a weekly basis.

    After the first few weeks of people spending half their work day on the phone to the IT helpdesk to reset forgotten passwords (policy said you can't write any ID/password down), it quickly became common practice for everyone to use their (easily accessible) payroll number as their ID for everything, and everyone's password for each app was the same as everyone else's.

    My point is that security is more than just password strength, it's having competent people creating and implementing the policies.

    1. Anonymous Coward
      Anonymous Coward

      I wish that wasn't so true

      Not just public service - far too many corporates do it too :-(

      I currently have 9 different systems that I use on a daily basis - so 9 different username/password combos. None of the usernames are the same and most of the passwords require different formats. I then have a further 4 or 5 systems I use probably around once a month, again different formats for both username and password. Vast majority of the systems don't even leave our network - only 2 of them are third party apps out there in cloudspace. Then there is all the personal stuff - banking, websites, online shopping. Add in the stupid verified by wankers and the insane amount of PINs and what hope does a mere mortal have?

      Frankly it's a wonder I can remember my own name most of the time.

  47. Juan Inamillion

    Suggestion

    Old and/or current vehicle registration numbers work quite well IMHO. Combining them makes it very tricky. Plus it has the benefit of helping you remember what your vehicle reg is when asked by the officer.... :-(

  48. John Homer

    What happened to ........

    fladnag, or am I just showing my age?
