After Cummings' Barnard Castle trip, cheeky Britons started using the word 'vision' in their passwords

Britons began using the word "vision" in their passwords after prime ministerial advisor Dominic Cummings was caught travelling across the country from his parents' farm in Durham to Barnard Castle "to test" his eyesight, according to research from Pen Test Partners (PTP). Not only that but the words "covid", "corona" and “ …

  1. Anonymous Coward
    Anonymous Coward

    Just wondering..

    "... Failing that, NCSC advocates the three unique words method, as popularised by web comic XKCD...."

    Just wondering if this audit found anyone using the password "correct horse battery staple"

    1. Charlie Clark Silver badge
      Coat

      Re: Just wondering..

      Not me! I'm safe because I use "correct horse barn stable"

      Mine's the one with a carrot in the pocket.

      1. Alumoi Silver badge

        Re: Just wondering..

        What's wrong with 12345? Or hunter2?

        1. Anonymous Coward
          Joke

          Re: Just wondering..

          I've used badpassword for years, it's never appeared in any hacked lists - yes this is a joke but it's the password for the "accessible" WiFi at work with zero internal access.

          1. Strahd Ivarius Bronze badge
            Devil

            Re: Just wondering..

            For the guest access I always go with "There is no password"

        2. Anonymous Coward
          Anonymous Coward

          Re: Just wondering..

          12345 ...My luggage has that exact same combination ..!

        3. seven of five Silver badge

          Re: Just wondering..

          Hmm, have not heard of "hunter2". Though I am old enough to use "joshua".

          1. Alumoi Silver badge

            Re: Just wondering..

            Shame on you. Lurking on ElReg and not having memorized the best of bash.org. Tut, tut!

      2. Dante Alighieri
        Happy

        counting

        but that is a FOUR word pass phrase and the ARTICLE is clear that xkcd is a THREE word...

        sorry entropy just hit me nothing else to say...

        although correct horse battery staple is now banned as a password on many services for unknown reasons...

      3. Anonymous Coward
        Anonymous Coward

        Re: "correct horse barn stable"

        Oh Lord!

        That reminded me of an outback TV show where some red neck antipodean actually used the term "horse barn"!? It's a wonder I didn't have a coronary or a brain haemorrhage, a fucking horse barn, do you mean a stable, like wot they had 2000 years ago when baby Lord Jesus was born!?

    2. smudge

      Re: Just wondering..

      I'm using "handsfacespace".

      Because I know that no one else is :(

      1. William Towle
        Pint

        Re: Just wondering..

        > "handsfacespace"

        My internal monologue responded to these adverts with "bass in the place!" and imaginary rave-style handwaving ... and shortly afterwards "The Skewer"* put samples of the advert over a drum'n'bass backing :)

        * one of the later episodes at https://www.bbc.co.uk/programmes/m000czyb

        // raises virtual pint to John Holmes -->

    3. sbt
      Headmaster

      It's four words, particularly needed ...

      ... when you're not using caps, digits or punctuation.

    4. Andy Miller

      Re: Just wondering..

      I'm told our IT department have explicitly blocked that one

  2. MJI Silver badge

    Forced changes

    Yes been there and inflicted with it.

    Monthly changes.

    So found a book and found lots of simple passwords.

    Dreadnaught, Superb, Temeraire, StVincent were the first 4

    1. volsano

      Re: Forced changes

      Years back I worked somewhere that enforced monthly changes of password.

      Had to be upper and lower letters, digits, special characters. Could not reuse a password you had previously used. At least 8 characters long.

      Pretty much everyone in the company's password for this month would be some minor variation of

      Nov-2020

      Fits all the rules, and hard to forget. Secure? Not so much.

      1. Anonymous Coward
        Anonymous Coward

        Re: Forced changes

        I worked in a place where the admins ran about 200 servers. The security on them was laughable, but someone up high mandated that each machine had a unique root password, randomly generated using mixed case alphanumerics.

        Still, if I was ever in work out of hours, and needed to access one of the machines, I wouldn't need to call someone if I didn't know the password... I'd just go into the large open plan office (i.e. everyone from secretaries to phone operators, to help desk call loggers...) and pick up one of the many root-password sheets left on the desks...

      2. Dante Alighieri
        FAIL

        Re: Forced changes

        Where I work now...

      3. G7mzh

        Re: Forced changes

        Same system at the place I worked at. We had two, which would interrupt your work at random times during the working day. After we'd exhausted all the obscenities telling the machine what we thought of it, everyone went to the Month-year system.

        I doubt if management cared that nearly everyone in the place used the same password; it wasn't a security-sensitive system anyway. Especially as it wasn't unknown for people to log in as other people on occasion if there was some server problem.

    2. Strahd Ivarius Bronze badge

      Re: Forced changes

      What is nice now is that when you have cloud systems that synchronize with your on-premise users directory, it takes some time for the new password to be replicated.

      So once you have your new password you keep being pestered by various applications over the next few hours asking you to re-authenticate.

      It helps ensure that you memorize the new complex password...

    3. MJI Silver badge

      Re: Forced changes

      And I left before Fearless

  3. Anonymous Coward
    Anonymous Coward

    Wait - they've got an app that can do an audit of what everyone's password is on a Windows domain?

    1. Yet Another Anonymous coward Silver badge

      Old windows domain security was trivial to crack, the new standard isn't.

      If you control the domain you can presumably enable the old scheme as well.

      Or is there an API for the domain to allow reading input of new passwords before they are set ?

      1. Charlie Clark Silver badge

        Or is there an API for the domain to allow reading input of new passwords before they are set ?

        There's certainly something that is required to enforce the policy where previous passwords are not reused but unless it's self-contained it's an attack waiting to happen.

        Papa can identify base words that are used within an organisation and see how these change over time

        Without more details this sounds like BS. Or Windows security is worse than we thought. If passwords are properly salted and hashed this isn't possible. However, I have recently read some reports on domain passwords leaking…

        1. Anonymous Coward
          Anonymous Coward

          Surely, when passwords are guessed during an audit, using the old fashioned method of guessing many common variations, they can in future audits track variations of the cracked password?

        2. thondwe

          IIRC there's a plugin system so that other identity systems can catch the password change and validate/populate it elsewhere. So presume same hook can be used to audit changes...

        3. MrStripey

          I'm the guy that wrote the Papa tool. I can answer any question you have on it. Windows NTLM hashes are not salted, so the hash for Password1 is always the same on every Windows domain for every user

          1. Charlie Clark Silver badge

            Thanks for the info. So, still open to rainbow table attacks?

            1. MrStripey

              Yes they are still open to Rainbow Table attacks, but no one really uses them any more. It's faster to crack passwords on GPUs and they give you more flexibility for applying common rules to dictionaries.
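The point made above, that the NT hash has no salt, so the hash of Password1 is the same for every user on every domain, is worth seeing in working code. The following is an added example and is not the Papa tool's code, nor anything posted in this thread: it implements the NT hash (MD4 over the UTF-16LE password), builds a small precomputed hash-to-plaintext table from a toy wordlist plus rules, runs it over a constructed "domain dump", and then strips the digit/year decoration from the hits to expose the shared base words, which is the kind of trend view the Papa page describes. The wordlist, rule set, usernames and the `salted_hash` contrast scheme are constructed stand-ins, not how Windows or PTP do it.

```python
"""Added example (not the Papa tool's code, nor from the thread): why an
unsalted NT hash lets one precomputed table crack every domain, and how
cracked passwords expose shared base words.

Assumptions: the wordlist, rule set and "domain dump" are constructed
stand-ins; real crackers use far larger dictionaries and rule files.
"""
import re
import struct
from collections import Counter


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable under OpenSSL 3)."""
    mask = 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                t = (-i) % 4  # register updated this step: a, d, c, b, a, ...
                v = (r[t] + fn(r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]) + x[idx] + k) & mask
                s = shifts[i % 4]
                r[t] = ((v << s) | (v >> (32 - s))) & mask
        state = [(state[j] + r[j]) & mask for j in range(4)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). No salt: same password, same hash, any user, any domain."""
    return md4(password.encode("utf-16-le")).hex()


def salted_hash(salt: bytes, password: str) -> str:
    """Contrast case (NOT how Windows stores passwords): a per-user salt folded into the input."""
    return md4(salt + password.encode("utf-16-le")).hex()


def candidates(wordlist, years=("2019", "2020", "2021")):
    """Toy rule set: base, Capitalised, UPPER; then + single digit, + year, + '-year'."""
    for w in wordlist:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for d in range(10):
                yield f"{base}{d}"
            for y in years:
                yield f"{base}{y}"
                yield f"{base}-{y}"


def build_lookup(wordlist):
    """Precompute hash -> plaintext once; because NT is unsalted, this table works against every domain."""
    return {nt_hash(c): c for c in candidates(wordlist)}


def crack_dump(dump, lookup):
    """dump: {user: nt_hash_hex}. Returns {user: plaintext} for the hashes the table knows."""
    return {u: lookup[h] for u, h in dump.items() if h in lookup}


def base_words(cracked):
    """Strip trailing digit/year decoration to expose the shared base word (the trend view an auditor wants)."""
    return dict(Counter(re.sub(r"-?\d+$", "", pw).lower() for pw in cracked.values()))


WORDLIST = ["password", "nov", "welcome", "vision"]  # constructed toy dictionary

# Constructed "domain dump": usernames and their NT hashes (hypothetical users).
DUMP = {
    "alice": nt_hash("Password1"),
    "bob": nt_hash("Nov-2020"),
    "carol": nt_hash("password2020"),
    "dave": nt_hash("correct horse battery staple"),  # not reachable from the toy table
}

if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    hits = crack_dump(DUMP, table)
    print("cracked:", hits)                 # alice, bob and carol fall; dave does not
    print("base words:", base_words(hits))  # {'password': 2, 'nov': 1}
    # Why a salt would defeat the shared table: same password, two salts, two different hashes.
    print(salted_hash(b"\x01", "Password1") != salted_hash(b"\x02", "Password1"))
```

Two things to take from running it: the table is built once and never needs to know which domain the dump came from, which is exactly what the absence of a salt buys the attacker, and the "uncracked" line for dave is the only thing a four-word passphrase bought him here because the toy dictionary lacks it, not because the hash is any stronger. Real tooling does the same job on GPUs with rule files rather than a precomputed table, as the comment above notes, but the unsalted property is what makes both approaches cheap.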

    2. cornetman Silver badge

      Sounds to me like it is flawed by design therefore.

      If they are not storing a hard to decode hash and ditching the password itself, that's pretty shit.

      That's pretty basic security.

      1. Robert Carnegie Silver badge

        If it's the hash of "p@ssw0rd" then hashing won't save the user who set it.

    3. logicalextreme Silver badge

      Looks like they try and crack them on their end, the hard(-ish) way.

    4. smudge

      https://www.pentestpartners.com/penetration-testing-services/papa/

      "It extracts the encrypted hashes from the domain and sends them, over a secure connection, to our dedicated password cracking servers.

      All cracked passwords are then returned to the Papa tool where administrators can get detailed information about the domain as a whole and perform trend analysis to view the impact of password policy changes."

      1. monty75

        Another good reason not to reuse passwords for different services. Unless you enjoy having your office BOFH ordering dildos from your Amazon account and having them sent gift-wrapped to your boss.

        1. Anonymous Coward
          Anonymous Coward

          Well, that's what YOU say happened...

    5. Robert Carnegie Silver badge

      Penetration testers got my Windows password and a little interview with management for me, and it was something like Ptgmpa12 - actually random, unique, mixed case and numeric, meeting company rules I think, and typeable, but evidently NOT long and complex enough.

      1. Mike 137 Silver badge

        "but evidently NOT long and complex enough"

        What is "enough"?

        Depending on the tools used, the effort put in and the time allowed, any password can be cracked if the authentication interface allows enough attempts. The fault lies as much in that interface as it does in the choice of password.

        Apart from which, will someone at last explain cogently how the hell "complexity" makes passwords "secure"?

        [1] Apparent randomness is not randomness - it's impossible for a human to mentally generate a truly random string as we have a problem called "memory" that prevents us ensuring the true independence of the elements of any sequence.

        [2] Randomness is a property of sets, not of the members of sets. If all your passwords are identical, it doesn't matter that they're all the same highly entropic string of characters. Thus the "security" of your corporate passwords is primarily a property of the entire set of passwords, and variation within that set is its most important characteristic.

        [3] A highly entropic string is not necessarily secure against attack anyway. It's only secure against human guessing. An attacker using rainbow tables works from the hash to the string, so it doesn't matter two hoots what that string is as it's going to be found eventually via the relevant path through the table.

        [4] Length is important, but only up to practical limits. If it's too short, a password is open to easy guessing because there won't be many to choose from (how many three letter strings are there?). But if it's required to be too long, people will find ways to simplify their own problem - creating and remembering it, rather than yours - ensuring it's robust against attack. So it won't be.

        The ultimate reality is that, properly managed, passwords provide sufficient assurance for some tasks but not for others. For those others there are alternatives such as multifactor (not biometrics, which are identifiers, not authenticators).

        1. Martin an gof Silver badge

          Re: "but evidently NOT long and complex enough"

          how the hell "complexity" makes passwords "secure"?

          Often wondered that too, but I suppose it depends what you mean by "secure". The thing that most people are trying to protect against by using passwords is some miscreant - without inside knowledge - being able to access the protected account / function / whatever. Typical opportunistic miscreants will, for reasons of economy, check common passwords and their variants first, followed by dictionary words. The idea behind a random collection of characters isn't that it is inherently more difficult to brute-force "sf7*sd:[" than "abcdefgh" (they have the same level of "complexity" assuming they are from the same namespace) but that any sane opportunistic attack will always check "abcdefgh" first. Thus someone using the former password may never suffer a proper attack, because someone using the latter will be compromised first.

          If the target is sufficiently high-value and can be attacked over a longish period of time then any single password will eventually be discovered.

          The company I work for had a six-week (I think) mandatory password reset cycle and all the usual rules in place and I know that many people did, indeed, manage to get around those rules by using passwords the equivalent of passw0rd01 followed by passw0rd02.

          They also had a three-strikes rule for local logins, but not for remote access, and (latterly) a reset policy that required some kind of authentication that it was actually the user requesting the password change and not somebody else.

          When lockdown started, one of the very first things they did was up the three-strikes to a five (IIRC) strikes rule, but they also completely removed the six-week reset requirement. I imagine they've also now applied the five-strikes to external access, but I'm not going to test it :-)

          M.

      2. Filippo

        It's not that complex. Eight characters are enough to protect against online attacks, but if someone gets the hash and can attack it offline, they are not that much. On top of that, the uppercase is the first letter, and the digits are at the end, and one of those digits is 1. Those are very common cases, which means that the brute force tool will try those very early, which in turn means that they count relatively little for complexity. So it's only better than eight lower-case letters by a small factor. That's not much at all.

        pTG7mp2A would already be significantly better, as it would stay hidden until the attacker starts attempting to switch cases on all subsets of letters, and inserting any digit anywhere. That enlarges the search space by a fairly big factor. The problem is that making company rules that actually result in good passwords is very difficult and extremely annoying.

        Personally, I think XKCD is right: I would just use three uncommon or four common words, randomly chosen from dictionaries of all languages I speak, in sequence and in lower case. The problem is - aha - stupid company rules. As soon as I have to throw in special characters, mixed case and numbers, the password becomes exponentially harder to remember, without actually getting much more difficult to attack. At that point, I usually just give up and use a regular password. And nevermind sites that actually have a max password length...

        1. Martin an gof Silver badge

          And nevermind sites that actually have a max password length...

          And which site was it - some years ago - where it was discovered that it allowed you to set a password of almost any length, but it only actually stored and checked the first eight characters?

          I discovered very early on that it was possible to reset the PIN on my bank card to a sequence of more than the regulation four digits, and had a five digit password for some years, which worked fine in the ATMs that were basically all I needed the PIN for in those days. When chip-and-pin came along some of the early terminals didn't like five digits so I reverted to four. I have no idea what the situation is these days, perhaps I ought to give it a go again.

          M.

          1. Cuddles Silver badge

            "And which site was it - some years ago - where it was discovered that it allowed you to set a password of almost any length, but it only actually stored and checked the first eight characters?"

            Not just some years ago, I've had the same problem recently. It's quite confusing when using a password manager and so are pretty damn sure you're not typing in the password wrong. Eventually discovered that there was a character limit when entering or resetting the password, but not during account creation.

        2. Robert Carnegie Silver badge

          I still only use case or numbers if/when a system doesn't let me set a password without them, which is often. Other annoying rules are "a punctuation mark that doesn't appear in numbers" and "no repeated character".

          After I was caught out with my Unlong43 format, I adopted rando mword sovfi velet thers which I can memorise individually and then as a set, making one password which I can type if I must. However, I miskey a lot of the time. When required, an O, O!, or 0 can be added at the end when setting and using the password.

          If necessary the letters are from dice rolls: I customised dice to roll 0/1/2, 0/3/6, and 0/9/18, totalling a letter from 1-26 (A to Z), or 0, which I discard and throw again, along with repeats. I've also got a customised fidget spinner since I had trouble finding dice for sale.

          A drawback of English in words password as a, is that you are inputting about 1 bit of random with each letter, if someone knows that you have an English language passphrase. You might as well type a binary number, if you remember one. I think that my random letters have about 4 and a half bits of random, each.

          I still have a risk or often an actuality of typing a password into the wrong device or service, which is awkward when one is your Brazilian drug dealer on the dark web and the other is your bank. Speaking hypothetically, of course.

        3. Charlie Clark Silver badge

          Actually, once someone has the hash they can perform a lookup against previously calculated hashes. This is why salting is so important.

    6. Olivier2553

      If their task is to check that nobody is using weak passwords, then they should be granted the file with the hashed passwords. It is then easy to try to decode them by brute force.

  4. Danny 2 Silver badge

    Maga2020 hindsight

    PersonWomanManCameraTV

    1. Dan 55 Silver badge

      Re: Maga2020 hindsight

      Don't tell everyone his new Twitter password.

      1. Danny 2 Silver badge

        Re: Maga2020 hindsight

        ThreeWordChant!ThreeWordChant!ThreeWordChant!

    2. bigmacbear

      Re: Maga2020 hindsight

      Search YouTube for "Padded Cellblock Tango" if you're into that sort of thing.

  5. Fruit and Nutcase Silver badge
    Trollface

    I can see clearly now

    I wonder if Johnny Nash's "I can see clearly now" is on Cummings' phone/iPod

  6. Mike 137 Silver badge

    The fundamental problem

    The fundamental problem is that we've always considered passwords as ways to give us access to systems so folks don't consider anything except their own immediate convenience (coming up with something simple that just comes to mind right now).

    They're not, they're ways to deny others access. That point has needed ramming home for over two decades, but nobody has made much of it. Advising people about how to create passwords without explaining forcibly what they're really for is and always has been a complete waste of time.

  7. ColinPa

    You do not need to remember complex passwords - just write them down.

    Going back about 20 years when we had userid and passwords for about 30 machines. We had very strong corporate rules about what was a valid password. One team had a scheme such as take the month NOV, increment the letters by one NOV -> OPW, permute letters of team member's names, add in part of the machine name, and give it a stir.

    I asked them how they remembered the passwords. They said the algorithm was very complex and easy to get wrong, so they wrote them up on the white board (for all to see). You had to know that the 10th password in the list was for machine "Firefly".

    A couple of years later the company introduced a rule all white boards had to be cleaned at the end of the day, and we had a clean desk policy.

    1. Richard 12 Silver badge

      Re: You do not need to remember complex passwords - just write them down.

      I hate places with a clean desk policy. It means you just waste up to an hour each day clearing and getting everything back out.

      Locks work better.

      1. Hollerithevo Silver badge

        Re: You do not need to remember complex passwords - just write them down.

        I had a nice box under my desk, and every evening I obeyed the clean desk policy by picking up my wire storage rack and my day-book and popping both in the box. The pen went on top. Every morning, opened it and restored. We also had to walk miles to a recycling point with paper, as we weren't allowed trash-cans by our desks. A day's worth went into the box and the next morning, on my way to the coffee station, I passed a manager's desk. He had his very own recycling box (because he couldn't be arsed, So important, etc) and popped my trash in there.

        Poetry in motion.

        1. KBeee Bronze badge
          Happy

          Re: You do not need to remember complex passwords - just write them down.

          A friend of mine worked at a place where the tidy desk policy said you could have either one pot plant OR one photo on your desk. So he had a photo of a pot plant.

  8. Anonymous Coward
    Anonymous Coward

    Poetry and Repetition are helpful...

    I quite like the first line from "This be the verse" by Philip Larkin. Repeat twice and add a number seems to work in most places.

    *

    And there's the satisfaction of recognising a universal truth at the same time!

    1. Danny 2 Silver badge

      Re: Poetry and Repetition are helpful...

      TyFkYuUpYrMmAdDd

  9. Anonymous Coward
    Anonymous Coward

    Passwords?

    Oh just fuck it. I can no longer be bothered. I just don't keep anything worth passwording on any computer/telephone connected to the internet.

    YMMV.

    Cheers… Ishy

  10. Tom 7 Silver badge

    Who the fuck is doing this

    25 years ago I was encrypting passwords in the browser so that we could have no clue what the customer was using and so possibly sue us as a result.

  11. seven of five Silver badge

    Password recycling can be acceptable

    If you start with part of some lyrics you like, eg

    If you've been bad oh Lord I bet you have

    turning into

    beenLORDohBAD

    with some special chars:

    beenLORD><++ohBAD

    and then increment

    been00LORD><++oh00BAD

    maybe do not use month and year for the numbering. But a significant part of the machine/account name can easily go in there as well. Brute force or rainbow tables just don't work anymore when you start to use 20+ characters.

  12. evadnos nibor

    Martin is a twat

    An over-officious BOFH at a place I worked introduced Lotus Notes-level of password changiness on a dev server without notice, to universal dismay. He'd brook no argument, his boss backed him up and was big enough to not be too fussed about physical threats. He and I sat back-to-back with a whiteboard between us, on which I wrote my password in foot-high letters every time I had to change it, always some variant of "Martin is a twat".

    The bugger of it is, though, he *wasn't* that much of a twat, he was actually a good guy who wanted things to work, even though he was quite wrong in this case.

    If you're reading this, Martin ... pint sometime? Twat.

  13. js6898

    Use the first character of each word in a song or poem - the more obscure the better.

    Example - God save the Queen becomes

    gsogqllonqgstq

    Obviously this song is not obscure enough it was just an example

    1. Anonymous Coward
      Anonymous Coward

      GSTQ

      If you want obscurity, just use the second verse...

      Off-topic: Is there an official ruling on just how many verses the National Anthem of the UK has (in 2020)? I have the impression that it's never been put into law.

Biting the hand that feeds IT © 1998–2021