back to article Just give up: 123456 is still the world's most popular password

The security industry's ongoing efforts to educate users about strong passwords appears to be for naught, with a new study finding the most popular passwords last year were 123456 and 123456789. Keeper Security wonks perused breached data dumps for the most popular passwords when they made the despondent discovery. Some 1.7 …

  1. Barry Rueger

    Don't Just Blame Users

    One of my banks doesn't allow uppercase or special characters. The other, after a major software upgrade that took much of their systems of line for several days, only allows numbers in passwords.

    On the other hand, there are sites like infrequently visited tech forums that represent no real security risk to me. A short and weak password is fine.

    The point being, the strength of a password should reflect risk levels. Sometimes 12345 is good enough.

    1. Yet Another Anonymous coward Silver badge

      Re: Don't Just Blame Users

      12345 for this forum is fine, and it means I'm not leaking any information about my secure password system

    2. a_yank_lurker

      Re: Don't Just Blame Users

      @Barry Rueger - You are correct in concept that the nature of the site should dictate the password strength required. The problem I see is accurately judging which site can have a weak one. I prefer to teach people to use strong, gibberish passwords, minimum 12 characters, for all sites with longer ones being used for any e-commerce or financial site and NEVER REPEAT them. Thus, by default they are always using a very strong password out of habit.

      On your problems with incompetent banks, my financial institutions (bank and credit cards) require a non email user id with numbers in it as well as a strong password. But I may be lucky.

      1. Phil Kingston

        Re: Don't Just Blame Users

        Should site admins be happy with users deciding whether a complex password is required or not?

        They are, after all, the ones that would have to deal with the mess of, say, a forum that got spammed to destruction if all user accounts had easily guessable passwords.

        1. Yet Another Anonymous coward Silver badge

          Re: Don't Just Blame Users

          Then they could just as easily get spammed by fake accounts

        2. Kiwi
          Holmes

          Re: Don't Just Blame Users

          They are, after all, the ones that would have to deal with the mess of, say, a forum that got spammed to destruction if all user accounts had easily guessable passwords.

          It's called "rate limiting", not "rocket science" :) . As I posted a few minutes ago, rate limit with a lockout for failure. Using the article's list as a script, spammers shouldn't be able to get as far as "password" before a x-hour lockout or contact-admin-for-reset.

          And some moderation/oversight should be done as well. Get spam posts? Get rid of spammy posters! Simples! (and harden your account sign up process if that becomes an issue)

          1. Vic

            Re: Don't Just Blame Users

            Get spam posts? Get rid of spammy posters! Simples! (and harden your account sign up process if that becomes an issue)

            But then you're up against Marketing, who want account sign-up to be incredibly easy - after all, that's why we're all here, right? Maximum number of users is the goal, because Internet...

            And when a CxO has to choose between the advice of a tekkie who knows what he's doing, or a marketroid who claims he does - guess what gets chosen?

            Vic.

      2. paulll

        Re: Don't Just Blame Users

        Which means that either they're ignoring you, or they're writing their passwords down on paper. Excellent.

        1. Doctor Syntax Silver badge

          Re: Don't Just Blame Users

          "Which means that either they're ignoring you, or they're writing their passwords down on paper."

          Teach them to use a password safe. That will allocate high entropy passwords and store them. You need never even have to read and type the password.

          It means you always have to use your own PC? Even better.

          1. Charles 9

            Re: Don't Just Blame Users

            "Teach them to use a password safe. That will allocate high entropy passwords and store them. You need never even have to read and type the password.

            It means you always have to use your own PC? Even better."

            That's assuming they OWN a PC? What if the ONLY PCs they use are communal?

            1. Stoneshop
              Facepalm

              Re: Don't Just Blame Users

              That's assuming they OWN a PC? What if the ONLY PCs they use are communal?

              Keep the password vault on an USB stick.

          2. Phil W

            Re: Don't Just Blame Users

            "I prefer to teach people to use strong, gibberish passwords, minimum 12 characters"

            This will almost certainly mean their passwords are getting written down. It takes a very special kind of mind to remember a completely random sequence of letters, numbers and other characters and also associate that random sequence with a particular website.

            "Teach them to use a password safe."

            All password safe type applications I've seen have the same obvious flaw, in that you use a password to access them. Sure no-one can guess or easily brute force your online account passwords if they're massively complex, but if you store them in a password safe all that's need is to compromise the security of the password safe and ALL of your passwords have been simultaneously compromised.

            The best solution is to teach people to create passwords that are complex enough that they can't be guessed or brute forced easily, but are based on some meaningful pattern that allows the user to remember them.

            As long as you don't pick an obvious pattern, like your spouse's initials and date of birth this can be sufficiently secure for almost any purpose. Pick two or memorable but unrelated pieces of information, for example your work post (zip) code and a sibling's date of birth.

            You can even harness old fashioned simple cipher techniques for instance take the reg (license) plate number of a car you used to own (but not your current one just to add obscurity), then to make that even more secure alternately increment and decrement each character by one so X81 EDR becomes Y72 DEQ.

            These systems are by no means foolproof, and can still be forgotten, but at least they are meaningful enough that you stand a chance of remembering them but seemingly random enough that they can't easily be guessed or brute forced.

            1. Richard Simpson

              Re: Don't Just Blame Users

              Is it really such a big problem if people write their passwords down? Surely this at least depends on where they write them.

              It seems to me that the main attack which passwords are protecting against are those which occur over the internet from anonymous adversaries usually in foreign countries. Such people can't see the passwords I have written down in a notebook at home and they only way they could would be to find my house and break in and the cost, time and risk of that clearly isn't worth it.

              I agree that a random burglar may find the notebook, but most burglars are surely more interested in money and TVs and if someone has actually broken in I will at least know that my passwords may have been compromised.

              Bottom line: Surely a strong password written down in a private location (e.g. your house) is much better than a weak password which is not written down at all.

          3. Anonymous Coward
            Anonymous Coward

            Re: Don't Just Blame Users

            "Teach them to use a password safe. That will allocate high entropy passwords and store them. You need never even have to read and type the password."

            They had password security and password managers on BBC Radio 4's "Money Box" programme the weekend before last (so bonus marks to the BBC for trying to promote it) ... quite a few UK banks seem to regard using them as recording your password, and therefore negligence rendering you liable for any fraud ...

      3. Lotaresco

        Re: Don't Just Blame Users

        "as well as a strong password"

        As long as it doesn't have a lame algorithm to work out a strong password. I've seen strength checking algorithms that force a user to create weak passwords.

    3. Franklin

      Re: Don't Just Blame Users

      One of my banks has the same idiotic policy. Passwords are required to be exactly seven--no more and no fewer--numbers.

      And it gets worse. Your username is always the last 8 digits of your debit card number. So if someone lifts your debit card, they know your username and exactly what format your password is.

      This is a large Canadian bank.

      I weep for humanity.

    4. Andrew Commons

      Re: Don't Just Blame Users

      Agreed. I have had sites reject random passwords with 'special' characters in them without any indication of the allowable character set. The error message - logs - have displayed the password string in full so just changing a bit here and there is not an option.

      Desperation may lead you to 12345 just to move forward. Finding some way to go back and rectify that accommodation may be non-trivial.

      So users should not shoulder all the blame here.

    5. Anonymous Coward
      Pirate

      Re: Don't Just Blame Users

      That's what you think. I'm hacking you for your El reg gold badge as we speak.

    6. GundarHarl

      Re: Don't Just Blame Users

      I don't agree. There was a time when lame passwords could be used to protect accounts for sites with mundane content.

      Social engineering starts with the content and posts on mundane forums and though you may not consider yourself an ideal target of a complex criminal enterprise, you may still pass off as a target for an angry ex, a disgruntled co-worker or a random thrill seeker. Mundane forums posts can contain enough detail to get security clearance for more complicated password resets. Did you mention your mother's maiden name on a genealogy website? Did you mention your dogs name in that pet food forum? Does your local newspaper comments page know your date of birth and address? These are common challenge questions for getting passwords reset at banks and credit bureaus, travel agencies and social media accounts.

      A perfect example is in this comments page, here are people, on a 'mundane' comments page, discussing their credential requirements and password policies of other organisations they subscribe to.

      Further, I a comment below makes the most sense - make strong passwords because it's a good habit.

      1. Martin an gof Silver badge

        Re: Don't Just Blame Users

        There was a time when lame passwords could be used to protect accounts for sites with mundane content.

        Social engineering starts with the content and posts on mundane forums

        But you don't need a password to slurp that information. On these very forums, so long as you can tie a user name to a real name (i.e. you are sure that the "John Smith" you are stalking is definitely "BigBiceps" online) all you have to do is click on that user name and , hey presto, a complete history of all their posts ever. No passwords involved. Easy to search.

        On El Reg, having a password gets you into the "edit my details" bit which if you don't already have the real name and real email address will give you those details, and maybe others if they have been filled in.

        I do not understand enforced weak password policies (as have been described above) but my personal beef is with enforced password change policies, at least those that mandate change too often. Regular enforced password changes drive ordinary people down the route of choosing easy to remember password sequences that just avoid tripping the system rules. I know of one system which has half sensible rules (>7 char, mixed case, special characters and digits mandated, no repetition of passwords) but then mandates changes every six weeks (could be worse, I suppose) which lead to a lot of people using passwords along the lines of "Pa$$word01" followed by "Pa$$word02".

        A "strong" password is called that because it is unlikely to be in any rainbow tables, isn't in a dictionary, is difficult to guess, and difficult to brute-force. It doesn't become any more easy to guess over time, so why enforce such a short shelf-life? By all means change it occasionally, and definitely if there is any suspicion it's been compromised, but..

        M.

        1. Charles 9

          Re: Don't Just Blame Users

          Because it limits the damage if the password is leaked but NOT KNOWN to be leaked. When the change comes, you either close the leak or you find out about it. Either outcome helps.

          1. Martin an gof Silver badge

            Re: Don't Just Blame Users

            Because it limits the damage if the password is leaked but NOT KNOWN to be leaked.

            I understand that, my point was that if too-often password changes are mandated, the temptation is to use weaker passwords which are therefore more likely to be guessable. A slow password change policy, maybe even with auto-generated passwords, makes it more likely that the user will be willing to commit a strong password to memory, and make it less likely that that password is compromised between changes. I'm talking about someone trying to guess John Smith's passwords without any inside information.

            Password "leaks" are something else altogether, I'd say. The "data dumps" that were perused for these popular passwords; how did they extract plaintext passwords from properly encrypted... Oh. Right.

            M.

            1. Doctor Syntax Silver badge

              Re: Don't Just Blame Users

              The "data dumps" that were perused for these popular passwords; how did they extract plaintext passwords from properly encrypted

              In a lot of cases the passwords may have been encrypted but not salted. In that case rainbow tables, lists of common passwords encrypted by popular algorithms, can break them. A strong password is one that's not going to make its way into such tables.

              Not only do sites apply odd rules without disclosing them, they also don't disclose whether they encrypt information, whether they salt it etc. The safest bet is to assume that they store it in plain text and that they're easily hacked. Use a password safe and allocate strong passwords everywhere.

              1. hmv

                Re: Don't Just Blame Users

                With or without rainbow tables (or salt), you can usually crack a whole bunch of password hashes (they're hashed not encrypted).

                The next question to ask is whether these weak passwords belong to accounts that have been disabled or whether they are dormant accounts - active but not in use. Accounts created a decade ago are highly likely to have very weak passwords.

                And yes there are those who refuse to be told.

            2. Charles 9

              Re: Don't Just Blame Users

              "I understand that, my point was that if too-often password changes are mandated, the temptation is to use weaker passwords which are therefore more likely to be guessable. A slow password change policy, maybe even with auto-generated passwords, makes it more likely that the user will be willing to commit a strong password to memory, and make it less likely that that password is compromised between changes. I'm talking about someone trying to guess John Smith's passwords without any inside information."

              But you assume people are guessing passwords instead of gleaning them. Mass guessing can usually be detected and noted as an attempt at an account (and handled accordingly), but an insider picking up on someone's password (reading the Post-It, for example) is much more insidious and the reason for change policy: because there usually won't be missed guesses in the latter, and since it's already internal, it's virtually indistinguishable from real attempts.

        2. sbivol

          Re: Don't Just Blame Users

          We had a policy of „minimum 8 characters, 1+ digits, no repeated passwords”. Expiration in 4 weeks.

          After 7 years, most users were incrementing the last two digits. Admins had passwords set to never expire.

      2. Francis Boyle

        Re: Don't Just Blame Users

        If your bank is using your date of birth or address as a security question it's doing it wrong and you probably should find a new bank. My bank at least allows me to choose my own question but that's not either since it ridiculously easy to create a question the answer to which even you can't remember.

        1. Anonymous Coward
          Anonymous Coward

          Re: Don't Just Blame Users

          My standard answer to all security questions, regardless of the question is always "pigshit" (just kidding but it's very similar) - a truthful answer to a security question is far weaker.

        2. Stoneshop
          Mushroom

          Re: Don't Just Blame Users

          but that's not either since it ridiculously easy to create a question the answer to which even you can't remember.

          "What... is the capital of Assyria? "

          "I don't know that!"

    7. Lotaresco

      Re: Don't Just Blame Users

      One of the banks I use has a "PIN" security scheme for online accounts that could be phished, rick-rolled and the PIN extracted from the user as follows:

      Please enter the following characters from your PIN: [1][3][4]

      Authentication failed, please try again.

      Please enter the following characters from your PIN: [6][2][5]

      Sorry, website closed for maintenance. Please try again later.

      Even the bank's official security notices look like phishing attacks, so users are unlikely to spot what is going on.

    8. Steve Evans

      Re: Don't Just Blame Users

      I feel your pain. I remember setting one up on a bank a few years ago... It insisted I used between 6 and 8 characters. No caps, no numbers, no symbols and objected when I had too many letters repeated.

      I kept meaning to sit down and calculate the number of passwords that would then be left as valid to their system.

      It's probably about a dozen! j/k!

      But it's good to see that p455w0rd1 isn't on the list, so I'm still safe!

      There are a couple which have me mystified though. On the face of it they don't look "too" bad, I just can't work out the pattern that has made them so popular.

      18atcskd2w

      3rjs1la7qe

      Can anyone enlighten me to the blatantly obvious pattern which has whooshed right over my head?

      1. Martin
        IT Angle

        Re: Don't Just Blame Users

        I'd like to know what's wrong with 18atcskd2w and 3rjs1la7qe too...I can't see any reason why they should be among the top 20 passwords.

        1. William Towle

          Re: Don't Just Blame Users

          > I can't see any reason why they should be among the top 20 passwords.

          That stumped me too, so I googled each. The suggestion: https://www.tripwire.com/state-of-security/featured/so-just-why-is-18atcskd2w-such-a-popular-password/

    9. caljudge6

      Re: Don't Just Blame Users

      Shocking that some banks force you to use WEAK passwords. I would change my bank!

      But I can't say I agree that 'sometimes 12345 is good enough'. The purpose of a password is to ensure accountability. That is not maintained with 12345. If 12345 is fine in terms of risk (no sensitive data accessed), the password control probably should not exist.

      Cost of control should never outweigh its value.

      Having said that, you may think your account has no sensitive data in it, but what if someone steals your credentials and starts posting illegal content all over the web, or malware? It's in your name.

      Also I'm pretty sure you will have an email address linked to that account. Now the 'spear-phisher' has your email plus a known interest of yours and could masquerade as the site you are signed up to.

      1. Kiwi

        Re: Don't Just Blame Users

        But I can't say I agree that 'sometimes 12345 is good enough'. The purpose of a password is to ensure accountability.

        On the weekend I built a completely fresh VM to check something (actually testing something with W7 and updates) and the weekend before I did another couple to try out a couple of new Fedora flavours. All wanted passwords, all got "1234" (IIRC Fedora either wanted something stronger or wanted a couple of confirmations). If someone gets to them, then I have far more to worry about than the passwords.

        Few days ago I downloaded a package relating to some obscure software from some website I'll probably never even remember again, let alone visit. Needed an email address and a password to sign up to access the download, they got a visit to 10minutemail.com and a 12345 password (or whatever met their regs, might've been !1QqAaZz) - all done via TOR (hey, I never said I trusted said site or package - I love how I can clone a VM in seconds and if it's compromised I've lost a few seconds of my time, nothig gelse). Good luck tying that email address back to me!

        Yes, sometimes a stupidly weak password is more than strong enough.

  2. This post has been deleted by its author

  3. Notas Badoff

    Obvious action, non-obvious why not?

    I may have missed previous discussions, but why isn't it made a requirement that financial and government sites (at the very least) reject new passwords on the top 100 list (with appropriately illuminating error messages), and probe for these and notify existing users that they've been 'unwise'.

    I'd think any 'serious' site would get a respectful "...o..k..a..y, thanks" if they emailed users with "we don't want you to lose your hard-earned money/house/job, and we noticed an insecure password and would you please change that to a better password (and here's how)." The customer might up the company's clue rating/reputation. And any customer that would pitch a major fit, well, might they not be worth keeping as a customer?

    (Implementation Tip: mention the whole undertaking in a PR announcement - anyone afterwards complaining to friends will get a "but why do you care, this doesn't apply to you, does it?")

    1. Mark 85

      Re: Obvious action, non-obvious why not?

      I'd think any 'serious' site would get a respectful "...o..k..a..y, thanks" if they emailed users with "we don't want you to lose your hard-earned money/house/job, and we noticed an insecure password and would you please change that to a better password (and here's how)."

      Probably 50% (ok... some % above 1% and less than 99%) of the users would see the email.. assume it's malware and dump the email. Unless of course, you promised them a nudie video of some celeb.

    2. Anonymous Coward
      Anonymous Coward

      Re: Obvious action, non-obvious why not?

      I'd think any 'serious' site would get a respectful "...o..k..a..y, thanks" if they emailed users with "we don't want you to lose your hard-earned money/house/job, and we noticed an insecure password and would you please change that to a better password (and here's how)."

      You can only realistically signal a password weakness at the time when a new one is set (despite the fact that I dislike some of the "strength" meters out there) and even if you want to do it retrospectively you can only alert to a weakness via some sort of message when the user logs in.

      If you do anything via cleartext email you are painting a big target on the user's back for having an account that won't survive a dictionary attack. Not quite the PR coup that you'd want as a bank IMHO.

      1. Missing Semicolon Silver badge

        Re: Obvious action, non-obvious why not?

        Presumably, the server can compare the hash of the supplied password with the hashes of the known bad ones?

    3. RobertD
      Unhappy

      Re: Obvious action, non-obvious why not?

      Simple answer? Because it would cost money to maintain that list and create/update rules, whereas setting parameters once is cheap and easy. There are many, many variables to be considered when it comes to security but poor security almost always boils down to stupidity and/or cost.

    4. Doctor Syntax Silver badge
      FAIL

      Re: Obvious action, non-obvious why not?

      if they emailed users with "we don't want you to lose your hard-earned money/house/job, and we noticed an insecure password and would you please change that to a better password (and here's how)."

      And being the bankers they are, they'd embed a "helpful" link in the email, further training their users to click on any link in any random email purporting to be from them.

      Why do banks etc persist in training their customers to be phished?

      1. Kiwi
        Pirate

        Re: Obvious action, non-obvious why not?

        Why do banks etc persist in training their customers to be phished?

        The Westpac bank here in NZ had a problem with that a while back (may still do, I now bank elsewhere). They apparantely1 sent out several emails to their customers, with all sorts of stuff in them which actually looked very much like many fishing emails I've seen over the years, in the style of writing and other factors. Including the helpful "call to action" link to log in to the bank. IIRC it also involved some survey or something else with either links to or (blocked by Thunderbird) content from some 3rd party ultra dodgy"survey" firm. Neither I nor any other people involved with IT/security could be certain it was or wasn't a bad email. Westpac received several nasty messages over this I understand, because if it was them (we mostly assumed it was, certainly best to bring it to their attention) then the customers who were watching for bad emails would delete this on sight, those who would send something off to scamwatch etc would do so (harming the banks reputation), and those who weren't on the watch for bad emails would get trained to follow the links in such emails because the official bank ones look so much like the scam ones.

        1I say "apparently" because the samples of said email I saw were from the correct branch manager (by name), and had some personal details of the customer correct - if a phishing scam then the scammers already knew your name, acc number, street, bank manager's name and a couple of other things). Because of this I don't mind giving them bad press at all, and if the subject ever comes up I advise steering well clear of this bank.

    5. hmv

      Re: Obvious action, non-obvious why not?

      Experience in sending out messages to those with weak passwords shows that the rate of the appropriate response (changing the password) is approximately 5% to such messages.

  4. Winkypop Silver badge
    Joke

    Hey! No fair!

    No wonder my passwords are so popular, when you keep publishing them!

    1. Martin

      Re: Hey! No fair!

      Anyway, 123456789 is a long password, so that's more secure, isn't it?

  5. Blofeld's Cat
    Angel

    12345?

    Dark Helmet: "That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

    President Skroob:"That's amazing! I've got the same combination on my luggage."

    1. MrT

      Re: 12345?

      "Smoke 'em if you've got 'em

      ..."

      1. Aladdin Sane

        Re: 12345?

        If only they'd told Jyn Erso.

  6. JCitizen
    Coffee/keyboard

    Just get a password manager..

    I teach my clients to use Lastpass or any other acceptable password manager, and since they are not in a business environment, I let them put the strong master password on a post-it note and let Lastpass generate all their other passwords to the highest standards. I've never run into a site, so far, that doesn't accept these passwords - If I ever do, I will weight the risk just like other posters here on the Register have already mentioned!

    1. Martin an gof Silver badge

      Re: Just get a password manager..

      Please explain to an obviously clueless individual, but my confusion over password managers is that if the "master" password is compromised, everything is lost, is that not the case? Granted you are probably better able to create and remember a really good strong password if that's the only one you have to do, but isn't it creating a single point of failure?

      M.

      1. Charles 9

        Re: Just get a password manager..

        But it's a point that ideally should never go online. Meaning breaking it would involve either pwning you local machine or cracking the algorithm. If they get your local machine, to throw a quote, "You're already dead." If they cracking the algorithm, there are bigger fish they'll be frying.

        1. Martin an gof Silver badge

          Re: Just get a password manager..

          But it's a point that ideally should never go online

          Devil's advocate here, but don't these systems actually store all your data online so that you can share passwords between devices? Heavily encrypted and suchlike, but still accessible to anyone who has your master password? No need to access the local machine in that instance.

          M.

          1. Doctor Syntax Silver badge

            Re: Just get a password manager..

            "Devil's advocate here, but don't these systems actually store all your data online so that you can share passwords between devices?"

            Certainly not the password manager I use. If you have multiple devices then share the safe directly, device to device. That may be less convenient than you wish but increasing convenience will almost certainly involve a trade-off with the security you're looking for.

          2. Anonymous Coward
            Anonymous Coward

            Re: Just get a password manager..

            "Devil's advocate here, but don't these systems actually store all your data online so that you can share passwords between devices?"

            KeePass will work with a local file, etc, as it's not provided as a "cloud" service.

            1. Charles 9

              Re: Just get a password manager..

              Also, KeePass is GPL, so the source is openly available. Like with TrueCrypt, if the developer decides to abandon it, someone else will probably take it up.

            2. bombastic bob Silver badge
              Thumb Up

              Re: Just get a password manager..

              "KeePass will work with a local file, etc, as it's not provided as a "cloud" service."

              I like KeePass. It has POSIX versions as well as Windows. You can even share the SAME key file between platforms. I do.

              And if you DID store it on the cloud, anyone wanting access would need to crack your master passPHRASE. It could be anything. Anything at all, that you easily remember. A line from your favorite movie, book, or poem. Something only YOU would consider using. And typing 40+ characters can be a little irritating with no visual feedback on the character you typed, but after you've done it enough [and infrequently so] it should become relatively simple. Except for 4" screens, of course...

      2. DaveyDaveDave

        Re: Just get a password manager..

        @Martin an gof, pretty much exactly that - one very good password is easy to remember, but individual very good passwords for every account you create online (even if you only come up with a good one for the 'important' sites) is impossible. If you're not using a password manager, you're either re-using passwords or using some 'clever' system you came up with, which is probably trivial to reverse engineer if two or more of your passwords are known. To me, both of those alternatives are far worse (not to mention less convenient) than using a password manager.

        Granted, I'm trusting the developer(s) of the password manager not to do something stupid, but both of the alternatives above also rely on trusting all the sites I set up accounts on not to do something stupid, so it's a choice of trusting someone who's specifically interested in security, versus trusting many people who are not.

        1. Martin an gof Silver badge

          Re: Just get a password manager..

          individual very good passwords for every account you create online (even if you only come up with a good one for the 'important' sites) is impossible.

          Absolutely, but you forgot the third possibility, namely that you don't need dozens of strong passwords if you don't actually use dozens of services, each of which requires a separate password. The place where this really does fall down is with the stuff that used to be called "e-commerce", because unless you want to confine yourself to buying from two or three outlets only, each blasted retailer requires a new set of login details. There are some who will let you buy things without creating an account, and since retailer accounts seem to be used mainly so that a: they can remember your credit card number and b: they can send you marketing emails, frankly if such an option is offered, I'll take it.

          :-)

          M.

          1. DaveyDaveDave

            Re: Just get a password manager..

            "you don't need dozens of strong passwords if you don't actually use dozens of services"

            (how do you do italics?)

            A fair point; however, I've just reviewed the contents of my password manager (a great side-benefit, btw, being able to see who I have accounts with, when I created them and when I last changed the password), and can see 299 accounts I've got stored in there, of which (from a very quick scan) at least 50 are for services I'd consider worth securing properly. In there I'm including email accounts, financial providers (bank accounts, mortgage, insurance, pension providers, etc), social networking (OK, not an essential one necessarily, but...), my doctor's appointment booking system (probably nothing sensitive there, but still, worth being careful), mobile phone provider, various subscription services who have my payment details for purposes of their subscription model.

            Certainly more than I can remember.

            1. Doctor Syntax Silver badge

              Re: Just get a password manager..

              (how do you do italics?)

              Like that.

              It's < em >stuff< / em > without the spaces.

            2. Martin an gof Silver badge
              Happy

              Re: Just get a password manager..

              (how do you do italics?)

              El Reg Forums FAQ

              M.

            3. Martin an gof Silver badge

              Re: Just get a password manager..

              [I] can see 299 accounts I've got stored in there, of which (from a very quick scan) at least 50 are for services I'd consider worth securing properly.

              Blimey.

              Luddite as I am, and without going to check, I don't think I have 50 accounts in total. Even if I included all the other things that need login details (e.g. my router/modem) I'd struggle. Then again we don't (for example) do online banking, partly because we are fortunate to live near a town with a reasonable number of actual bank branches, and we opt to get statements through the post. It has the side benefit that any and all emails purporting to be from the bank can be binned without thought.

              Even so, I can see a use-case for a good password manager. The problem is defining "good" (and reliable, and not-likely-to-go-tits-up-without-warning etc.)

              M.

              1. DaveyDaveDave

                Re: Just get a password manager..

                town with a reasonable number of actual bank branches ... statements through the post (look at me go!)

                It's like a window into the past! What happens if there's a woolly mammoth on your route to the bank? :D

                But yeah, if you do want to give a password manager a whirl, I'd recommend Keepass, if you can put up with the typical un-userfriendly-ness of open source software. You keep the file on your machine, but obviously can choose to share it through whatever means you deem secure, if you want it on multiple machines, and you can use a password and/or key file to give you a bit more security. If you want a paid-for, more user-friendly option, 1Password is pretty good, depending on what platforms you use.

            4. Kiwi

              Re: Just get a password manager..

              (how do you do italics?)

              For me the question is how do I do "<" and ">" when I want to make something NOT look like a bit of HTML. But I haven't figured out how to do that on El Reg yet (mainly though lack of trying, partly through lack of brain cells), so you'll have to swap "[" for "<" and "]" for ">" respectively.

              [i]Italics[/b]

              [b]bold[/b]

              [blockquote]Indented block[/blockquote]

              [sup]Superstrike[/sup]

              There's more, and I think some are only available to bronze badge and above (don't quote me on that), but that should get you started.

          2. Doctor Syntax Silver badge

            Re: Just get a password manager..

            "There are some who will let you buy things without creating an account, and since retailer accounts seem to be used mainly so that a: they can remember your credit card number and b: they can send you marketing emails, frankly if such an option is offered, I'll take it."

            I use frequently changed email addresses to kill the marketing emails if I have to create an account.

            Like you I prefer accountless transactions and using PayPal is one way of ensuring they don't keep the credit card number but the downside is that PayPal provide your PayPal email - which is also the PayPal login ID - to the vendor. I've had to change my PayPal address twice because of this. I took this up with PayPal; from what I was told they have T&Cs to forbid this but can't be arsed to enforce them. Bastards - twice over!

    2. Lotaresco

      Re: Just get a password manager..

      I have some sympathy with you. However I have used three password manager applications. The biggest weakness for all of them is that the developers responsible for them have all gone belly-up. One of them in particular just shut up shop without warning. Gee thanks guys. OK I was able to use password recovery to get back into the sites that I could no longer access but that in itself is a weakness.

      I'm finding that the one durable password storage technique is a little black book in a safe.

    3. Anonymous Coward
      Anonymous Coward

      Re: Just get a password manager..

      "I've never run into a site, so far, that doesn't accept these passwords - If I ever do, I will weight the risk just like other posters here on the Register have already mentioned!"

      I've found a few issues with password manager-generated passwords: one site allowed the entry of the new password, but silently truncated it after a certain number of characters, another one randomly disallowed certain special characters (despite using it as an example on the list of allowed ones), and some don't like entry methods that are a mix of "keyboard" input and paste to try to mitigate keyloggers. Annoying, but not that big of a problem.

  7. Your alien overlord - fear me

    List # 15 and 20

    Really, they seem good to me or are they some geeky codewords?

    1. Anonymous Coward
      Anonymous Coward

      Re: List # 15 and 20

      I'll bet those are standard passwords used by spam bots to post spam on public forums, which then got added to the dictionary attack list.

      1. Nick

        Re: List # 15 and 20

        I'm sure you're right.

        So how likely is it that some/all the other trivial passwords are from (less cunning) bots?

        1. Ken Hagan Gold badge

          Re: List # 15 and 20

          "So how likely is it that some/all the other trivial passwords are from (less cunning) bots?"

          Less cunning? If someone learns that 389fj2kf674hk is being used by a bot, it is probably easy to destroy all accounts that happen to use that password. If they learn that 12345 is being used by a bot, they cannot delete anything because (in their heart of hearts) they just know that 5% of their customers are using it, too.

  8. Richard 12 Silver badge

    The source of the leaked passwords?

    If they include "Login to our free wifi", then of course almost all of them will be 123456.

    Most of the email addresses will be for example.com as well...

    1. Ken Hagan Gold badge

      Re: The source of the leaked passwords?

      "Most of the email addresses will be for example.com as well..."

      That depends on how they validate it. I tried using no@example.com as my Microsoft account during a Win10 installation, only to be told that it wasn't a valid email address. I had to find some other way of not giving them any contact details. (Eventually, I think I discovered that if I failed three times then it took pity on me and let me use a local account.)

      1. Richard 12 Silver badge

        Re: The source of the leaked passwords?

        There is a "I don't want no stinkin' MS account" hotspot you can click.

        Finding it reminds one of the old point and click adventures though.

  9. Anonymous South African Coward Silver badge

    will q1w2e3r4t5y6 be any better and more secure? :)

    1. Anonymous Coward
      Anonymous Coward

      Not anymore now you've gone public :)

  10. Anonymous Coward
    Anonymous Coward

    In at Number 14

    The sign of the devil x 2 which is nice to know.

    Though to be fair when using statistics easy numbers always draw a red flag for me like someone has plucked them out of thin air or massaged them, 10m, top 25 = over 50% of all passwords.

    This morning I can say with certainty that 50% of breakfast eaters will opt for bacon on toast and of those, 25% will have brown sauce. The remainder will consider red sauce but then realise how wrong it is and eat swiss style muesli with no added sugar.

    Back on topic passwords are easy to work out depending on the users love of social media. The password contains one of the following - Pet/Child/Partner plus a number Year of Birth/House number current or past and possibly a special character. This password may also be cleverly hidden using special characters where bob becomes 8o8.

  11. schekker

    Any site just relying on passwords should be blamed instead

    With the power of todays computers almost any password which can still be remembered by a human, can be brute-forced. And almost no human can remember fifty or more strong passwords without some common trick which immediately make all the other passwords weak if one gets published.

    If a site is serious about its security, it should offer 2-factor authentication. If it does not, why should the user take security on that site serious? And sites should standardize their login so password managers will always work with them.

    1. Charles 9

      Re: Any site just relying on passwords should be blamed instead

      What about people WITH NO SECOND FACTORS?

      1. Anonymous Coward
        Anonymous Coward

        Re: Any site just relying on passwords should be blamed instead

        What about people WITH NO SECOND FACTORS?

        That's why banks still hand out those calculator style gadgets. That's also OTP, but usually based on challenge-response instead of time.

        1. Doctor Syntax Silver badge

          Re: Any site just relying on passwords should be blamed instead

          "That's why banks still hand out those calculator style gadgets."

          Mine handed out one and I still have no second factor.

          The only time I had to use the useless piece of crap their site refused to accept the result so I had to go into a branch.

          1. Charles 9

            Re: Any site just relying on passwords should be blamed instead

            Plus people easily LOSE them. After all, they lose their PHYSICAL keys; what hope does a fob have?

            1. Martin

              Re: Any site just relying on passwords should be blamed instead

              I use my phone as my second factor for Paypal. If I lose that, it doesn't matter, I'll get another one with the same number.

              1. Anonymous Coward
                Anonymous Coward

                Re: Any site just relying on passwords should be blamed instead

                And suppose it wasn't LOST but STOLEN, then put in a Faraday Cage to prevent it being remote wiped before they get all your goods out of it?

    2. Kiwi

      Re: Any site just relying on passwords should be blamed instead

      With the power of todays computers almost any password which can still be remembered by a human, can be brute-forced.

      FTFY (see oblig xkcd, note the numbers of characters which is the point of the cartoon)

      If a site is serious about its security, it should offer 2-factor authentication.

      There's a few issues with that. How many separate devices do you want to be carrying around? What if you forget the one you need? And if it's a (etc) to your smart phone, well, how many people have their cellphones as their main computing device (especially when doing any bank transactions etc)? If I pinch your cellphone.. Got a gmail account where your bank has to send an email to it? I got your phone so I can check that. Don't use your phone to log in to Google often thus triggering their security? The one that txts you a code to your, er, phone?

      2FA for more than a couple of accounts quickly becomes a pain (devices/cards etc you have to carry/have available at the time of need) or as weak as weak passwords (if your stolen phone is the central proof of ID).

      If it does not, why should the user take security on that site serious?

      Most of the time a combination of username+password is strong enough, maybe add another factor for some sites. Convenience is a significant part of security, and if your great new social media site is a pain to log in to, then no one will log in to it. You could have the greatest security in the world, but if it's difficult to access, people will go elsewhere. I look at "good enough" security, and as I post here at El Reg (who only in the last week or so have started using HTTPS) a fair bit, obviously their security has been "good enough" for me thus far (I also do not use the name "kiwi" elsewhere, so if my El Reg account was used by another it's really a "no skin off my nose" situation, though I would be a bit pissed at not-quite-making-silver).

  12. AlexV
    Mushroom

    Don't ask for a password, assign one

    Seems pretty clear people can't, or won't generate a secure password. To be fair, it is actually now quite hard to generate a secure password - it's a skill that can be taught, but not something obvious.

    So stop asking them to do so! Don't let them create a password, just generate one and assign it to them. Ideally a modern 4-word style password rather than a random character one, but either is better than asking the user to perform a task they are so clearly not able competently fulfil.

    If they complain that their password is not memorable, then you can point them at a password manager. Or if all else fails, tell them to write it on a bit of paper and keep it in their wallet - lets face it, if your adversary is of the level to be sending round actual people to snoop inside your wallet then you have bigger problems.

    1. Charles 9

      Re: Don't ask for a password, assign one

      And if people keep forgetting their wallets? Or have trouble remembering even simple stuff like BIRTHDAYS?

    2. Anonymous Coward
      Anonymous Coward

      Re: Don't ask for a password, assign one

      There are a couple of web-sites I use so infrequently that I can never remember the password, so I end up doing a password reset every time I logon. Yes, I know I could get my brower to save the login details, but that's not much better than writing it down on a post-it note.

      1. Kiwi

        Re: Don't ask for a password, assign one

        I know I could get my brower to save the login details, but that's not much better than writing it down on a post-it note.

        A browser is easier to remotely crack than a post-it note, though it is possible to remotely hack post-its1. So long as the only people who can see your notes can be trusted, post-it notes are fine.

        I also often make use of the password reset option rather than storing stuff in the browser or the brain. The 10 minutes added per login sometimes seems to only work out to an extra minute per year...

        1 You are aware there are a number of web-attached cameras with, shall we say. less-than-ideal security? Some allow the control of pan and zoom remotely as well. So if your note is in sight of such a camera. Chance of success would be low, but not impossible, and any one who has such a camera that can see their screen, well, all your post-it passwords are compromised (hmm, wonder what fun I can have with this and a few honeypot-style notes...)

  13. Anonymous Coward
    Coffee/keyboard

    123456....

    ...holy shit!

    Just about how it's ok fine to use 123456 as I wouldn't want my password sent over http...and look, they are

    FINALLY https;//

    serious look guys, I finally see the forum is classed as secure.

    Or have I been hacked and redirected to a fake account?

    1. Anonymous Coward
      Anonymous Coward

      Re: 123456....

      Ah they are using the Cloudflare one, explains it.

      1. Kiwi
        WTF?

        Re: 123456....

        Ah they are using the Cloudflare one, explains it.

        Yeah. Which can be a pain when a) you're on a data budget and b) don't let google js run on your machine.

        Tip. Before hitting submit or preview get in the habbit of ^A ^C (select all text and copy). Clodfare seems to forget to carry the text over if you have to submit to it's demands, and you end up at an empty post form again.

        (I've also had instances where I've been told I'm blocked and so on, which is a bit odd as I'm on dynamic IP and had only been on El Reg for that session)

    2. Doctor Syntax Silver badge

      Re: 123456....

      "serious look guys, I finally see the forum is classed as secure."

      And has been for about a week. What's more there's a secure version of the front page but the little vulture icon to take you back to it takes you back to the http address. Still, things are looking up.

  14. Len Goddard

    Not a terribly useful list

    Without any sight of the raw data, you can't tell if there is any real improvement.

    123456 might still be the most popular, but how many people actually use it. On the whole, only obvious and/or finger friendly passwords will be used by many people. Hell, you would get the same "winner" if 123456 were used by 20 people and all the other passwords were unique.

    1. Seajay#

      Re: Not a terribly useful list

      RTFA

      "17 per cent of the 10 million hacked accounts the firm studied"

  15. Anonymous South African Coward Silver badge

    Obligatory Userfriendly comic strip...

  16. Anonymous Coward
    Anonymous Coward

    what this tells me

    What this tells me is that 17% of accounts are likely throw away or test accounts.

    1. Charles 9

      Re: what this tells me

      Can't those STILL be used to glean information for social engineering? Not all sites will take fake info (plenty verify).

      1. Anonymous Coward
        Anonymous Coward

        Re: what this tells me

        but not all those that verify check the email to see if it's a disposable one.

      2. Richard 12 Silver badge

        Re: what this tells me

        Probably doesn't matter.

        The deliberately wrong data is already in the database before they can try to verify a throwaway account.

  17. Anonymous Coward
    Anonymous Coward

    Rather

    Than encourage people to use stronger passwords, cant we just change those 6 keys on every new keyboard?

  18. TheProf
    Unhappy

    18atcskd2w

    Is there a 'trick' to this password? It must be memorable for a lot of people for it to have made this list. If it's a mnemonic I can't figure it out.

    1. Charles 9

      Re: 18atcskd2w

      It's got to be some kind of mnemonic, probably from a TV show or a piece of pulp fiction. That's why it escapes me at the moment.

      But serious, this article tells me that the status quo is unacceptable. What it doesn't tell us is there's any practical solution in sight. If you can't fix Stupid, you have to work around it, but if Stupid demands unicorns, then what options are left apart from taking down the Internet or turning it into a Police State?

      Sorta like how Churchill stated Democracy is the worst thing out there...barring everything else. Only thing he didn't answer was whether or Democracy was acceptable, because if it isn't...

      1. Lotaresco

        Re: 18atcskd2w

        It's not a mnemonic, it's most likely to be an account created by a spambot. The spammers will want a strong(ish) password and will use the same password for every compromised account because it saves working out which password applies to which site.

    2. Lotaresco

      Re: 18atcskd2w

      " If it's a mnemonic I can't figure it out."

      Which started me thinking about mnemonics.

      I used once, but no longer use, book codes for passwords. The reason that I stopped using them was down to me no longer getting a Christmas freebie. I will explain.

      My Christmas freebie was a slim, leather bound diary from one of my clients. Each page was week-to-a-view and had a suitable life-affirming quotation at the top and bottom of each page. You know the sort of stuff - "Start each day with a smile and every meeting will be a happy one." at the top of a page and "The time is always right to do what is right." at the foot of the page.

      So a mnemonic for a password could be a date at the top or bottom of a page followed by a numeric reference to some of the words. e.g. 170116-010608 for "StartSmileEvery" or 170118-050208 for "RightTimeWhat". As long as you don't write down the codes in the book or reference which book you are using it's strong enough.

      1. Charles 9

        Re: 18atcskd2w

        "So a mnemonic for a password could be a date at the top or bottom of a page followed by a numeric reference to some of the words. e.g. 170116-010608 for "StartSmileEvery" or 170118-050208 for "RightTimeWhat". As long as you don't write down the codes in the book or reference which book you are using it's strong enough."

        Unless someone else gets THE SAME BOOK and figures it out. It's not like those diaries are one-of-a-kind. And as they say, one slip and it's Game Over...

        1. Kiwi
          FAIL

          Re: 18atcskd2w

          Unless someone else gets THE SAME BOOK and figures it out. It's not like those diaries are one-of-a-kind. And as they say, one slip and it's Game Over...

          And the odds against that are? Come on, you can figure this out. Takes but a second.

          First, person has to get the book. Then they have to assign the same coding system. Then they have to know which one out of 365 was used for the site's password. They also still have to get user name or email as well. How long would it take to work through all that? But what if the diary is one from the last 4 years, but you don't know which? There's another thousand possibilities.

          Unless you know the coding scheme and date used, it's pretty secure. And if you're close enough to know those details, well, you can probably get the password easier just watching him type it in. Or asking him.

          1. Charles 9

            Re: 18atcskd2w

            "And the odds against that are? Come on, you can figure this out. Takes but a second."

            Passing fair. See Birthday Problem and the fact the US alone has over 350 million people; let's not get started with Europe. The odds of at least TWO people using the same book AND scheme is better than you think.

            1. Kiwi
              FAIL

              Re: 18atcskd2w

              Odds of 2 people US-wide - pretty high.

              Odds of 2 people having access to the same computer, where one does not trust the other - stupidly low.

  19. Fading
    Unhappy

    Correct horse battery staple...

    Still hasn't made the top 20.

  20. Baldrickk

    Many sites at blame here

    My bank doesn't accept "special" characters, but at least allows moderately long passwords.

    Changed my ISP password last night. It had to match "\w{8,10}"

    ^

    these are the things that scare me - if the password is hashed, why is there a limit to the length? It isn't going to take more disk space to store it. I'm not going to be logging in enough for it to strain the login system

  21. Anonymous Coward
    Anonymous Coward

    _

    The guidelines are hopelessly in-conflict and unreasonable:

    1.) Never write down a password

    2.) Never use the same password for more than one site

    3.) Passwords should be 8+ characters; not a word from the dictionary, not self-identifying info, etc. Should look like 'gibberish' if you wrote it down (but you shouldn't).

    You are supposed to change your passwords at least annually, if not quarterly. If you enter the wrong password more than 3 times, many sites suspend your account. Many sites have very different standards for passwords (min length, max length, allowed chars).

    Just how many different non-repeating strings of gibberish can people be expected to recall perfectly?

    The whole 'password' scheme is hopelessly broken in the current year, and it is not the users' fault.

    1. Charles 9

      Re: _

      "The whole 'password' scheme is hopelessly broken in the current year, and it is not the users' fault."

      Now what alternatives do you propose? It seems to me that passwords are the worst out there...barring everything else. Problem is, passwords are also insufficient. Ergo, NOTHING is sufficient, and we're, to put it mildly, screwed.

  22. Mike 16

    Horses for staples

    First off, someone above mentioned using a password manager and "sharing the file between devices". That might be good advice for another year or so, but many (most?) phone makers and telcom carriers make it damn hard to "share a file" between devices without going through either their network (yeah, even if the devices are only a meter or so apart) or their app (which can send it to Burkina Faso for all you know). The continued iOSification of MacOS, and the ever more suck-ulent telemetry on Windows mean that soon they will be effectively the same as the Mobile OSes.

    For me? I use passphrases (for sites without length limits) or truncated hashes of passphrases, for any site I care about. The ones I use frequently I memorize. The others are on a piece of paper in a safe.

    Junk sites (sorry, El Reg) get junk passwords. It's not like anybody who went to school with me and knows me now (or works in law enforcement) would be stalled long by the "password reset" questions. Other than the ones I lied about, which also go on that paper.

    Bottom line: passwords can suck, but they are about the only commonly available method of authentication that is not subject to subversion by "people with more power than you", which is pretty much everybody.

  23. Captiva

    Full Disclosure

    The study's sponsor Keeper Security sells password management software. This should be disclaimed in the article. I use the software and love it, but it creates supposedly unhackable random character passwords of impossible to memorize length thereby perpetuating the continued renewal of Keepers's subscription based software renewal. The passwords cannot be remembered, or for that matter typed in quickly with any accuracy so you need the software on all your internet connected devices. Plus, these impossible to remember passwords get stolen just as often as 123456.

  24. Kiwi
    Holmes

    "This is stunning in light of the fact that today’s brute-force cracking software and hardware can unscramble those passwords in seconds."

    Really? Most decently secure places these days have various forms of rate-listing. On every bank I've seen, if any sort of software was attempting to break into an account using that as a list, they couldn't get as far as "12345678" (3 attempts, contact bank in person prove who you are, maybe have to visit bank), and certainly would hit significant delays before they could reach "password"

    And if they manage to get the accounts/password database(s) from the bank and break that, you're long overdue for changing banks. Actually, the breaking it could be relatively trivial, it's the getting it that is the issue.

    Rate limit login attempts, block at 3-5 attempts, consider carefully how secure the "reset password" function you provide should be, and use some sense with password limits, and teach people about decent password manager (if such a thing truly exists?)/notebook use.

    And FFS STOP using easily discoverable "security questions" like "mother's maiden name" and "fist school" and "first car" and idiotic insecure stuff like that. Most social-media types will have all of that plastered all over publicly viewable places, and family members will certainly know (sometimes you want to keep your kids out of certain parts of your computer!). At the very least give people the option of choosing their own, and force at least one "own choice" that must be coupled with a provided choice if you really must provide choice.

    (Last time I checked, the NZ Governments "Real Me" site, used for logging in to the tax dept, benefits/pensions etc dept, IIRC companies office/registry and various other things had 4 choices for security question consisting of first pet, first school, oldest sibling and first vehicle, with no other options including no self-set option. I left them a nasty gram and demanded and do all of that stuff in office.)

    (El Reg : PLEASE FIX THIS CAPTCHA CRAP! I don't let any js from google run, and every time I have to enter one the text of the post is lost, it just takes be back to a blank page. I've already authenticated with you, if someone else has my password then a captcha isn't gonna stop them! For now have to use http rather than https coz https is broken on El Reg!)

  25. Jin

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

    At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    Are you aware of this?

    https://youtu.be/-KEE2VdDnY0

    1. Charles 9

      And what about the blind (or even the color-blind)? Images are not an option, and many sites are legally obligated to be accessible to the handicapped, so any alternative you propose MUST be accessible. At least text can be SPOKEN.

  26. bombastic bob Silver badge
    Trollface

    According to the movie 'Hackers'...

    According to the movie 'Hackers' the top 5 passwords are:

    love

    money

    sex

    secret

    and, of course 'god' - don't forget 'god'! System admins LOVE to use 'god'!

    heh

    ThePlague: Will her holiness please change her password?

    (ok maybe not an EXACT quote but that's what I remembered)

  27. Rich 30

    18atcskd2w

    Am i being very stupid? How is this 15th most popular? What does it say?

    18atcskd2w

  28. Tom Paine

    "Just give up"?

    I work in infosec. I'm secure in the knowledge that I already gave up a long time ago.

    (500 points for anyone spotting that reference)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon