back to article Guess the most common password. Hint: We just told you

NordPass has released its list of the most common passwords of 2022, and frankly we're disappointed in all of you. Topping the list of the most common passwords was, sadly, "password," followed by "123456" and its more secure relative "123456789," "guest," "qwerty" and lots more you can definitely figure out without needing …

  1. Joe W Silver badge

    What!?

    "Regularly change passwords, too."

    No. Not just "oh, change it every month" or somesuch stupid thing. This leads to weak passwords, and easy to figure out sequences like "Password202211" followed by "Password202212" or so. So, no, don't do that. The updated guidelines by e.g. German BSI do reflect that. Pick strong passwords and change them if you have a reason.

    OK, changing passwords regularly can be driven by e.g. distrust towards secure storage of passwords by the webshop / ISP / your employer's service providers. But then you do have a reason to change the passwords semi-regularly.

    1. Helcat Silver badge

      Re: What!?

      Change frequently leads to passwords being written down, too. Or reliance on electronic storage. It's also less secure: If someone has gotten in once, they'll have the means to do so again*. Meanwhile you're convinced you're secure because you've just changed your password.

      According to the UK Cyber Security advice, It's better to look for unusual behaviour and flag that, and to ensure long, complex passwords that the user can actually remember.

      *shoulder surfing is one easy way to get a password. So is interception of the messages. Short passwords are easy to get with either of this, but long passwords, particularly if they look like two or three shorter passwords shunted together, are hard to get 'over the shoulder' and may exceed the buffer for intercepted passwords.

      And as ever, reliance on password stores just creates a single point of failure. Sure they may seem secure, but if a hacker gets in, they now have all your passwords, and what they're for. Sure, spread them out over several stores, but that also increases your exposure to hackers. Where as they can't hack your mind, and if you can train yourself to remember a password through an alias (Penguins! Oh, yes, PinkPufferPenguines. But I make changes, so it's P1nk!pUff3r:P3ngu1n3es! - that's a rather tricky one to guess, to crack, to get by reading over your shoulder, and at 23 characters long... upper/lower/numeric/symbol... and with a spelling mistake... good luck getting that one. Just don't use it 'cause it's an example of how to create a complex password that's easy to remember, hard to crack et al)

      1. Dabooka

        Re: What!?

        I agree, regular and / or frequent changes for the sake of it are old hat. Our workplace insisted on this until WFH triggered by Covid, despite me discussing this with our Head of IT. His response was he's been instructed to do so by one of the the senior managers 'who knows things about IT' and he was equally as frustrated. In fact I believe GCHQ even updated their recommendations to reflect this (for the reasons above, repetition and writing down creates weak links).

        Also, 12 characters or more? Hard to do that when portals still insist on '6-8 letters' to create a strong password (yes City and Guilds I am looking at you). This continues to push the myth that 6 is enough

        1. Antron Argaiv Silver badge

          Re: What!?

          My company does that as well. Every 3 months. 12 characters or greater, with numbers symbols and u/l case.

          But their algorithm for similarity checking needs a bit of work. I have been using a base phrase with a short changeable addendum. It seems to get past their checking. My previous company used a much stricter test.

          1. FrogsAndChips Silver badge

            Re: What!?

            Same here, I just change the last letter and it's alright. It would even pass the 'different from the last 10/20 passwords' test. We've moved to HelloForBusiness and device-linked PIN, but the password is still required to access some internal apps so now we have to remember both PIN and password.

          2. Anonymous Coward
            Anonymous Coward

            Re: What!?

            I add in a site identifier to my passphrases. Makes remembering all the passwords much easier.

      2. FrogsAndChips Silver badge

        Re: What!?

        So you've created 1 really strong password, and with a bit of training you'll be able to remember the sequence of upper/lowercase and special chars. Now what are you going to do? Use it on every site? Firstly, that's bad practice, secondly you can be sure that lots of sites won't accept it as is for various reasons (too long, not the right special chars, there should be at least 1 even number, penguins are evil...). So you'll have to adapt your already complex password to a particular website, and remember which alteration you made. Rinse, leather, repeat for every website that doesn't like your vanilla password. Eventually, you'll end up with lots of variations of your initial password that you'll have to match to lots of websites, and you may finally realise that it's easier to let a password manager generate a strong and unique password for every site and their specific complexity requirements.

        1. J.G.Harston Silver badge

          Re: What!?

          let a password manager generate a strong and unique password

          And how do I get into the password manager?

          1. DJV Silver badge

            Re: And how do I get into the password manager?

            Crowbar...

            1. Dave559

              Re: And how do I get into the password manager?

              A $5 wrench may be cheaper, and is probably more compact, than the crowbar…

              1. DJV Silver badge

                Re: And how do I get into the password manager?

                Possibly, but if it's a higher-security password manager you'd definitely need the extra leverage of a hefty crowbar. Unless you're the LockPickingLawyer, of course, in which case it would only take a rake and the "Pick that Bosnian Bill and [him] made™"!

      3. Anonymous Coward
        Anonymous Coward

        Re: What!?

        > Change frequently leads to passwords being written down

        I used to do that but stopped when I realised that I wasn't able to read them back.

        I really should do something about my handwriting.

        1. jason_derp

          Re: What!?

          I adapted my handwriting so every character is unlike every other character for this very reason. I have loopy lowercase ells, a slash through my sevens, little serifs for my v's and u's, etc. On top of that, I overline the letter if its uppercase, underline if its lowercase, put an "s" if its a symbol underneath, and an octothorp if its a number. Has enough rigor that I get by now when I have to write down a password for somebody else.

          1. Richard 12 Silver badge

            Re: What!?

            I recommend Magic Pencil series. It's on YouTube now.

            Round and up and down and flick!

          2. LybsterRoy Silver badge

            Re: What!?

            Which weird language did you say you used - possibly Minoan?

        2. greenwood-IT

          Re: What!?

          If you are going to write it down, please add a date next to it or cross out the old ones. I must spend hours a week waiting for clients to flip through password books shouting out different passwords for the one login I need. Although I must admit, I enjoy trying to identify the pattern :-)

          I had one client who's email address was something like xT5-4GHj!@bigemail.com and the password was Mable - I'm sure they were confused when they set it up!

      4. LybsterRoy Silver badge

        Re: What!?

        P1nk!pUff3r:P3ngu1n3es! - that's a rather tricky one to guess

        and for the vast majority of the human race somewhere between tricky and impossible to remember and type in cleanly. I had hoped that this sort of password advice had vanished by now.

    2. Charlie Clark Silver badge

      Re: What!?

      Sequences, stems, etc. are all fine as long as the passwords are salted and hashed. I'm on the fence over changing: it can be tedious but at the same time it helps remind users of the need for long passwords.

      But the problem remains: multiple passwords are difficult for humans to remember correctly.

      1. Anonymous Coward
        Anonymous Coward

        Re: What!?

        Sequences are not fine. Not even close to fine.

        If someone has discovered your MyPasswordIsSecure1 and you change it then guess what they're going to try next? It's easy to attack sequenced passwords both manually and programmatically. Don't do it, folks.

        1. Version 1.0 Silver badge
          Joke

          Re: What!?

          I've just updated my BadPassw0rd to G00dPassw0rd, adding more digits is an improvement? Testing it on security.org and it's rated as "It would take a computer about 2 thousand years to crack your password", are they still using the ENIAC computing system?

          Both dumb passwords rate well and are more easier to use than a typical generated "cfmPAQtrfx986" password - plus you are going to be a hell of a lot more careful when you know you have a crappy password then if you think you have a safe one.

        2. Charlie Clark Silver badge

          Re: What!?

          If someone has discovered one of your passwords, they have probably discovered the rest.

      2. LybsterRoy Silver badge

        Re: What!?

        We have at least four memory wizards on this site!

    3. NATTtrash
      Pint

      Re: What!?

      But then you do have a reason to change the passwords semi-regularly.

      So what about this fad that Redmond is rolling out now? First killing IMAP/ SMTP and so on for their own (walled garden) OAuth2. Now pushing MFA, "because we have to and it is so much safer if we know who you are". Really? Have to huh? Think for what. Watching cat videos? Or financial accounts? Which I'm sure I can trust YOU with... Or use it as an excuse, because it gives "so many valuable business opportunities"? So it has nothing to do with locking people into situations where they have to keep paying you and reaping even more of their personal data (phone numbers, devices) that can be monetised in so many different ways? Because you can trust them, right, it is all OK? So I'm just an old fart when I point out that passwords do not exist anymore. That this security everybody is going on about is a pipe dream. Because you have to share (request!) your password, and then confirm with even more data (MFA) so you gain access to people/ organisation who rips you off. And then I'm not even getting into "making it even more secure and convenient" Intune "solution", which is like that grubby guy sticking his hands down your pants**...</rant>

      ** I do realise that there are sys admins out there that (need to) use Intune to control their fleet, and think I'm off the rails. (You would not be the first ;) Then again, think of it, might Intune not be a solution to a self created problem? We can talk for hours over it and get properly drunk. So just as a start: if we would not be cheap arses and not do e.g. BYOD, what would that mean for Intunes justification to exist/ MS peddling it? And why is such security control not in the hands exclusively of the person/ organisation whose security it is to begin with, properly walled off from the rest of the world/ "them"?

    4. Allan George Dyer
      Joke

      Re: What!?

      I was having difficulty remembering a different password for every site, but then I got an anthill, gave each ant a name and used those as passwords. It even works for frequently-changing passwords, the Queen is always laying new eggs.

      For my online banking passwords, I plan to get a beehive, to be more secure.

    5. Dave559

      Re: What!?

      I get the feeling that that part of the article was just lazily pasted straight from a NaffPass press release, since most of the "advice" given seems to be no longer regarded as best practice. I mean, would you trust a tech company that has seemingly never heard of xkcd? (You know where that link goes without even following it…)

    6. bombastic bob Silver badge
      Devil

      Re: What!?

      an alternative, use something familiar followed by a short random sequence.

      KeepassXC generates random pass if you want it. So I'll grab (let's say) 6 random chars, and either prefix or postfix something easy to type that is not easy to guess (let's say my favorite movie character but spelled wrong). So hansolow-{random sequence} then save it to KeePassXC and use either web browser password cache or KeePassXC to keep it.

      For longer stuff like github keys I wrote an open source application with a simple shell script example that lets me store a password in an encrypted file. Then I enter the master pass phrase and it puts the password in the clipboard. Then I can say "git pull" on a private repo, enter anything for the user name, and paste in the password. Pretty simple, reasonably secure.

      In any case if you do not have to remember it, a combination of "CorrectHorseBatteryStaple" approach with a pure random component is probably the easiest way to get a secure password.

    7. JimboSmith

      Re: What!?

      Yep my passwords for work and there are 3 different ones for three different systems are 15+ digit strong passwords. I have to change them every 90 days which drives me mad because it’s so unlikely someone will be able to guess them. I don’t use random public WiFi and don’t enter them whilst visible to anyone else. Plus the systems are supposed to and do lock you out after 4 wrong guesses.

      However there is a flip side to that coin, there are people in the organisation who fall for test phishing emails. It’s damned annoying.

  2. Pascal Monett Silver badge

    So there's a new malware framework out there

    Good to know, obviously, but since the bigger problem is all the clueless idiots who will click an attachment without hesitation, I don't see that a new malware framework is a particular cause for alarm.

    You could send them I Love You again and it would work just as well.

  3. Lil Endian

    XKCD Rankings?

    Brandon, is 'correcthorsebatterystaple" ranked?

    (I'm not linking it. I'm bloody not! lol)

    1. Greybearded old scrote

      Re: XKCD Rankings?

      OK, I will then.

      1. Lil Endian

        Re: XKCD Rankings?

        Ah, thanks Gos, that feels better!

        I scanned the linked Nordpass page, couldn't find it there :(

        I thought I check with Troy:

        Oh no — pwned! This password has been seen 216 times before

        So it's gaining some ground!

        1. Evil Auditor Silver badge

          Re: XKCD Rankings?

          Only 216 times?

          I'm a bit disappointed and remember the time when we counted the users that took the example from the password directive as their password. In a company of >20,000 employees that was considerably more than 300.

          1. Michael Wojcik Silver badge

            Re: XKCD Rankings?

            I use a randomly-generated password. It's "4".

    2. Anonymous Coward
      Anonymous Coward

      Re: XKCD Rankings?

      I tried passphrases for a while but I could never remember what order the words are supposed to be in. Is it correcthorsebatterystaple or correctbatteryhorsestaple? correctstaplehorsebattery? Wait, was it staple or stable? Was it battery or batteries?

      1. Charlie Clark Silver badge

        Re: XKCD Rankings?

        Just use a line from a law, song, poem, etc. They often give you capitalisation for free: "We the People…" then you salt it for the service.

        1. Lazlo Woodbine Silver badge

          Re: XKCD Rankings?

          That's what I do, intital letters from each word in the first line of a song, substitute symbols and numbers for letters as appropriate

          You then have a 12+ character password that's all but gibberish, but reasonably easy to remember.

          Just don't pick a song by a band people know is your favourite.

          1. Strahd Ivarius Silver badge
            Devil

            Re: XKCD Rankings?

            "I'm a Barbie Girl, in a Barbie world"

            for example?

            1. John Brown (no body) Silver badge

              Re: XKCD Rankings?

              I suspect he's more of a Cheeky Girls man :-)

              Yes, those who clicked the link, that IS the lyrics and no the record wasn't actually stuck :-)

            2. Charlie Clark Silver badge

              Re: XKCD Rankings?

              Why not? Anything that you can remember easily along with something unique to the service.

        2. PRR Silver badge

          Re: XKCD Rankings?

          > Just use a line from a law, song, poem, etc.

          When I worked with music professors, I sometimes suggested spelling-out the notes of a melody, something they did well. This was in days of 6-letters going to 8 mixed characters, so sharp-sign and time signatures for spice.

          What might REALLY help is exponential delay on error. My first mistake, let me try again in 1 Second (faster than my finger). Second mistake, 2 sec. 3rd and 4th screw-ups, 4 and 8 seconds. Four tries in 15 seconds does not hinder a befuddled human, but being choked to 10 tries in >1,024 seconds (>17 minutes) would really take the edge off an over-eager attack-bot. A log-in, or a significant break, could discount or reset the delays so you are not locked-out for eternity.

          1. Charlie Clark Silver badge

            Re: XKCD Rankings?

            scrypt

          2. LybsterRoy Silver badge

            Re: XKCD Rankings?

            -- What might REALLY help is exponential delay on error --

            This is the important change needed not Oauth2 or MFA. Just don't make it easy to have umpteen thousand tries per second.

            Actually there is one other thing that might help - sites that done't actually need it could stop requiring you to login. I have a number of reusable passwords (and email addresses) for such sites some of which I will never visit again after I've bought whatever it is I want.

            1. Michael Wojcik Silver badge

              Re: XKCD Rankings?

              Rate restrictions help with online attacks against a single account. They don't help against multiple accounts in parallel, an attack which was documented in the 1990s; nor do they help with offline attacks. And considering how often large databases of password hashes are leaked, offline attacks are a greater concern.

              Rate restrictions are also difficult to implement for distributed systems where there may be many oracles.

        3. Anonymous Coward
          Anonymous Coward

          Re: XKCD Rankings?

          > Just use a line from a law, song, poem, etc.

          Better yet, do that with an accent:

          "Vi, ze Peopel…"

      2. Strahd Ivarius Silver badge
        Trollface

        Re: XKCD Rankings?

        the password I provide to users who don't remember their password (a too common occurrence at work)

        "Itisthe3rdtimethisweekiforgotmypassword!"

  4. Sleep deprived
    Happy

    With a little help from the server

    I heard this story of an old lady with Alzheimer's who'd pick "invalid" as her standard password. This way, when she forgot and attempted something else, the server would reply "Your password is invalid". Thanks.

    1. Dabooka

      Re: With a little help from the server

      You're lacking the joke icon, flaming incoming

    2. dogcatcher

      Re: With a little help from the server

      Being an old git with memory loss I do find 123456 the best password for NHS sites that ask me for random letters from my password, it saves counting on my fingers.

  5. alain williams Silver badge

    Need Javascrip to view the list ...

    Did any of you check what that Javascript does ? No, I thought not.

    Just showing a list does NOT need Javascript ... but here is a company that is supposedly in the security business that is encouraging us to accept bad practice. Too many web sites force the use of Javascript for things that can be done without.

    Then they have a password generator, there is an on-line version ... I did not check if it was generated on their server or locally using Javascript. You would be foolish to trust either of them, the generated passwords could be kept by them -- I have not checked, but they could be.

    Maybe I am just showing that I am a grumbling old git.

    1. Lil Endian
      Pint

      Maybe I am just showing that I am a grumbling old git.

      Then there're two of us!

      You saved me some typing, cheers!

    2. SsiethAnabuki

      Re: Need Javascrip to view the list ...

      Also worth noting that you can post a list without HTML, using plaintext.

      Frankly, at this point, JavaScript is baked in pretty much as soundly as HTML is.

      1. stiine Silver badge
        Unhappy

        Re: Need Javascrip to view the list ...

        Unsoundly...

      2. Flocke Kroes Silver badge

        Re: JavaScript is baked in pretty much as soundly as HTML

        Try theregister - it works fine without javascript. Plenty of sites still do and more if you use a browser like lynx that doesn't misbehave with javascript switched off. I came across a site full of people patting each other on the back about how universally popular javascript is because of the results of their online poll - which required javascript - and their discussion board - which required javascript to post. It has been a long time since I checked but I think you can still buy things from Amazon without javascript.

        The only activity I have discovered that you cannot do without javascript is online banking where I can understand the need to maximise the attack surface.

        1. Anonymous Coward
          Anonymous Coward

          Re: JavaScript is baked in pretty much as soundly as HTML

          > online banking where I can understand the need to maximise the attack surface.

          Pardon?

        2. Lil Endian
          Thumb Up

          lynx

          'nuf said

  6. NightFox

    Re passwords: when a system fails to take into account end-user behaviour (especially after years of compelling evidence), then it's a failing of the system, not the end-user.

    You can't blame humans for inherently behaving like humans. Saying 'well, they shouldn't behave like that' may be a wish, but it shouldn't be a requirement.

    1. Greybearded old scrote
      Thumb Up

      Hell yeah.

      Anyone who blames the people (hi Pascal) haven't read enough Donald Norman.

    2. veti Silver badge
      FAIL

      A while back I had the dubious pleasure of applying for jobs online.

      Basically every employer presents an online application form, which (of course) you have to create an account to log into and use. That's bad enough - suddenly I was faced with coming up with many new, strong passwords, with the inevitable random not-documented rules about complexity etc., every day, and remembering and not reusing all of them, and so on. Totally reasonable, obv.

      But really it's much worse than that. Because a lot of these employers outsource their hosting for these application forms to the same company. Which, obviously, hosts them all on the same freaking server. Sharing the same cookies...

      So logging on to one application could change my password on a completely different one, or worse. Not that there was ever any reason to log in again after completing the form once, so what the fuck did we ever need passwords for in the first place, you CRETINS?

      Sorry, still handling some frustration issues over that.

      Password-based security needs to simply DIAF. It's been broken for at least a quarter of a century. At this point it's pretty clear no-one can fix it.

  7. lglethal Silver badge
    Stop

    How about sites implement basic rate limiting, and brute forcing becomes a non issue! 5 tries and the account is locked. Boom, so long as your password isnt one of the top 5 mentioned by Nordpass, you're clear.

    Or if the site really doesnt like to lock accounts, then after 1 password fail 5 second lockout, 2nd fail, 10 seconds, 3rd - 30 seconds, and so on with an exponential curve. Again Brute forcing becomes a non issue after a few tries.

    The whole extra long, complex passwords does not massively improve security, if you've implemented basic security against brute forcing.

    1. Anonymous Coward
      Anonymous Coward

      oh yeah, that'll work....

      Have you not seen the youtube videos of the dumb parent holding an iDevice displaying "incorrect password: 885558585858 seconds until you can try again"

      1. khjohansen

        Re: oh yeah, that'll work....

        *shrugs* ... seems to me to be a self-correcting problem ... >;>

    2. Anonymous Coward Silver badge
      Facepalm

      That's what's called a Denial of Service.

      If I can lock you out of your accounts by simply putting in a few wrong passwords, you'll get pissed off a lot quicker than any hacker will.

      And how do you unlock a locked account? If the answer is to use a second factor (eg SMS), why not do that in the first place?

      [I know that SMS is also vulnerable; it's just an example]

    3. Hawkeye Pierce

      @Iglethal

      Brute forcing is most certainly an issue in either of your two solutions. As others have said, if you're locking the account, you've introduced an avenue for a denial of service attack and run the risk of losing all your users because they can't log in. If you do it on a backing-off approach (your second solution) then all I need to do is to cycle through my 000's of potential usernames and by the time I get back to the first, I've spent 5 seconds.

      If you take into account the IP address before blocking/locking, you're not defending against botnets.

      If you don't use (or enforce) long complex passwords, you're open to cracking. Salting passwords is no great defence if you suffer a breach and enough people have short passwords.

      So yes, use of extra long complex passwords does indeed massively improve security. I can pretty much guarantee that my 30-char password is safe providing that the site implements what should be consider basic security even in the event of their database getting breached. I could not say the same to any degree of certainty if my password was say 8 characters no matter how complex it was.

    4. doublelayer Silver badge

      This approach defends against blindly throwing common passwords at it, but little else, and even with that there are problems as other replies have already explained. It does little against password reuse where an attacker obtains credentials from somewhere and tries one or two of them on lots of sites, as a successful access will log them in almost immediately.

      You might respond that this doesn't require basic passwords, and you would sometimes be right, but it still increases the likelihood of an attack. If I use a secure password and the site doesn't properly salt and hash the passwords, I'm still out of luck and shouldn't have reused it, but if I use a simple password, whether the site does or doesn't hash them, they will be crackable from the leaked database quickly enough that they're likely to be used. Don't reuse passwords and don't use "Password" as the password to anything. Not all the high-security constraints are necessary, and enforced changes can be harmful, but the basics are still right.

    5. MJB7

      Re: implement backoff to stop brute forcing

      That works just fine (and is very worthwhile) until the site loses their entire hashed and salted password database. At the point the hackers just point John the Ripper at the db and print out most people's passwords. Then off to try the same password+email on Facebook, gmail, and banking sites -> profit!

      (Actually, these days, banking sites tend to _insist_ on 2FA, so direct profit is a bit more difficult.)

  8. Totally not a Cylon
    Pint

    Appropriate complexity

    Passwords should be of 'appropriate complexity' for the site they're used on.

    ie, logging into a news site which has no payment/address details then why do I need more than a simple password?

    logging into a shopping site with none saved payment details which I might use again then yes a bit more complex but all miscreants would get is my address

    a shopping site with saved payment details and which I want to use regularly then definitely a secure complex password with 2fa using whatever I choose but not sms.

    Oh and when I've used the password generator built into my Mac and your site responds with 'you can only use letters, numbers and _' expect to be abused.......

    Happy Turkey Hangover day!

    1. matjaggard

      Re: Appropriate complexity

      This is exactly what I thought. Some VPN company pointlessly getting advertising. Shame on the Reg for sharing this. Everyone uses simple passwords for things they don't care about don't they? I get pretty irritated about sites with no data requiring long passwords. I know my passwords for some sites have been pwnd and I'm just fine with it. Go ahead and login, view my zero balance on a gift card, I just don't care.

      1. heyrick Silver badge

        Re: Appropriate complexity

        Yeah, there was a time (long ago) that ARM required you to log in to download the Architecture Reference Manual. Setting up the account, you had to provide a password. Upper case, lower case, symbol, numbers... Just to download a bloody PDF.

        I did some Google-fu and got a copy from a course on a .edu domain. Much less bother.

    2. LybsterRoy Silver badge

      Re: Appropriate complexity

      -- ie, logging into a news site which has no payment/address details then why do I need more than a simple password? --

      You were so near to getting it right - I'll help.....

      ie, logging into a news site which has no payment/address details then why do I need a password?

      In fact - why do I need to log in?

  9. Mark.J.H.Larsen

    Correct numbers

    Hi Brandon

    Was surfing the net to make a shortlist of the most common passwords, and found your article posted recently.

    I was checking multiple places to get a more precise list, so this was one of them.

    You link to "list of the most common passwords" however the list that is downloadable as PDF only contains passwords until 2021.

    The passwords i allready found - and have crosschecked with haveibeenpwned gives some completely different numbers

    Password i found and its counts:

    123456 37.509.543

    password 9.636.205

    Password and count according to the page you have linked to:

    password 4.929.113

    123456 1.523.537

    Some sources would be nice :)

    Hope you forgive my ranting :)

    Good article though - making awareness of the importance of good passwords is allways needed.

    1. Antron Argaiv Silver badge
      Thumb Up

      Re: Correct numbers

      Obligatory:

      https://www.datagenetics.com/blog/september32012/

  10. Dave314159ggggdffsdds Silver badge

    Most passwords are for stuff that doesn't need a proper password, throwaway accounts, and so-on. So people rightly use things that are not strong passwords.

    The real problem isn't users making poor choices, but the insistence on inappropriate faux-security measures.

    1. stiine Silver badge

      I upvoted you, but will counter your argument with the statement that I use a password generator for every sites, no matter how trivial and unimportant.

      1. Yet Another Anonymous coward Silver badge

        So when you need to login to HARDWARE makers site in order to download a driver update (why ?) - you open up the password manager with all your banking passwords in it ?

        Sounds like it would be more secure for me to just use "passwd" or my preferred "fsckoff"

        1. Flocke Kroes Silver badge

          Try account 'username' with 'password'. Quite often someone has already created that account and if not you can create it so the next person does not have to make up stupid answers for the five page privacy invading questionnaire.

        2. Anonymous Coward
          Anonymous Coward

          I just click "forgot my password" and wait for the mail for resetting it with a random value that I will not store, doing it again and again...

          1. yetanotheraoc Silver badge

            changeme

            Second-hand story. Two more-or-less "IT" guys are discussing passwords, 1st IT guy says, "I just use the same one they issued me back in university." 2nd IT guy "What's that?" 1st IT guy "changeme". (Double fail for blurting out his stupid _lifetime_ password.)

            Not changing the emailed temporary password means the still-valid password is now saved in plain-text on multiple email relays.

            I wonder why the hackers don't just set up an email relay, attack the route, and once they start forwarding the emails they can issue the reset requests themselves. This is where SMS, while not true 2FA, would be a deterrent.

            1. Anonymous Coward
              Anonymous Coward

              Re: changeme

              > Double fail for blurting out his stupid _lifetime_ password

              At a previous place of employment of mine I once spoke "a well known password" aloud.

              First and only time. I wasn't physically assaulted, but it came really close (no exaggeration).

            2. stungebag

              Re: changeme

              When I worked in schools' IT about ten years ago most people had systems provided by RM. Most still had the default admin pasword of changeme.

              1. Anonymous Coward
                Anonymous Coward

                Re: changeme

                default superuser

                login... supersuper

                password... great

                (yes, it had been left as default!)

    2. Lil Endian
      Pint

      When I moved back to UK from Belgium I wanted to mail order some beer from BE.

      I created an account at a vendor. The welcoming email contained my new password, in plain text of course, as a convenient reminder [1]. Thinking I'd give the vendor some free advice, I mailed them about the inappropriateness of this. No response email, just account closed.

      So now I brew my own tripels!

      Ooh, there's one now! -->

      [1] I may have had a wayward youth, but I reckon I can remember my new password for 60 seconds!

  11. Anonymous Coward
    Anonymous Coward

    Stupid admins and their stupid ersatz "security"

    Its been known for many decades that user selected pass phrases work really well and that passwords fail miserably. So when I see admin (site / network) demands a "strong" password I just use the same default "strong" password. Which is written down. F*ck 'em. Forced change of password regularly, then its F*ck 'em 01, F*ck 'em 02... as its obvious they know damn all about security and I will always assume the network / site is not secure. There will be a hardware firewall between me and them and on an internal network their network will be flagged as Insecure as Cafe Wifi..

    For anything that needs actual security I always use pass three or more word phrases. And for third party generated passwords/pins I wrote a very handy app that uses security through infuriating misdirecting to store the pins / passwords in question. As for passwords that have to be ultra secure nothing beats at least four or five lines of assembly language. In hex. Been using that for decades. I have used binary octal on occasion. Try finding that in any a/c cracking dictionary...

    1. Dave K

      Re: Stupid admins and their stupid ersatz "security"

      Or for throwaway accounts that require this, you just start every password with the same symbol and number, then capitalise the first letter. Doesn't take any extra effort to learn and passes the "is it secure" test for an account I really never wanted to create in the first place.

      Of course for everything else, I use a password generator these days. As a result, I couldn't tell you what 99% of my passwords are.

  12. Norman Nescio

    Salting?

    How about having a salt that you memorise, which meets the rules requiring a complex password, which is the same for all sites, and a separate simple password for each site that you write down on a handy card you keep in your wallet.

    So: memorised salt using a trusted password generator or diceware e.g.: 7pQ>F9oA

    Bank: 31HighSt

    banking password is: 7pQ>F9oA31HighSt or 31HighSt7pQ>F9oA or 7pQ>31HighStF9oA

    It seems to meet the requirements for having a different compliant password for each site, while not needing memorisation of lots of 'line noise' passwords.

    Of course, it falls foul of many places that set an unreasonably low maximum number of characters in the password, and you really have to keep the salt secret.

    Is this a bad idea?

    1. Anonymous Coward
      Anonymous Coward

      Re: Salting?

      First off, that's not really a salt. That's you amending what you chose your password to be.

      Is it a bad idea? Well it depends on your assessment of the threat to you. If your bank gets breached and your password cracked, or a keylogger gets installed on your device, and I obtain the fact that your password is 7pQ>F9oA31HighSt for the site 31HighSt, guess what password I'm going to try for you on Twitter?

      Seriously, randomly generated, complex, unique to each site, passwords are what should be used - along with a reputable password manager to store them in, use of which makes it easier and safer than all other options short of remembering each of those unique, randomly generated, long passwords.

      1. Norman Nescio

        Re: Salting?

        You are quite right, it's not a salt, but it has much the same effect.

        As for password cracking, the point of having a high-entropy 'salt' is to make password cracking hard - ideally practically impossible.

        But, you have a Very Good Point about keyloggers. Which makes me glum. But, on the other hand, thank you for giving a considered reply, and this is the advantage of having a civilised debate - other participants can point out things you didn't know, have forgotten, or otherwise omitted. You have an upvote from me.

        1. yetanotheraoc Silver badge

          Re: Salting?

          The other issue with your embedded pattern is when you are required to change your password, you either have to change the 31HighSt, or you have to change the embedded pattern. Given enough time your passwords become just as difficult to remember as random ones. Might as well start with random ones and use a password manager.

          I used to look at the plain-text login .log for a badly coded business application: timestamp, username=plaintext, password=********. Amusingly, it was trivial to get scads of valid passwords out of it, because more than half the time they would put their password in the username field on the first attempt, so you had an invalid login showing the password and five seconds later a valid login showing the username.

          Almost everybody had a simple word followed by a single digit which they would increment by one for each required password change. Foolproof!

          1. Norman Nescio

            Re: Salting?

            Have an upvote for pointing out another genuine flaw in my idea (which no doubt many others have had before).

            As for the logging: it shows why one should not blindly log the offered username. Ideally, one should be logging the fact that an invalid username was offered, not what the invalid username was. You can log the username used once it has been checked and shown to exist in the database of valid/authorised users: for the obvious reason you point out.

            Doing so does make it slightly more difficult to see if someone is cycling through possible usernames trying to break in, but there are other ways of doing that.

            1. heyrick Silver badge

              Re: Salting?

              Logging of user names can be useful to see if somebody outside is fishing for a potential contact. I mean, you know something is up if you look down the list of failed logins and see: JSmith, J.Smith, JohnS, JohnSmith, John.Smith, Smith.John (etc).

              It's not the software's fault if the users put their password in the wrong place (though you would have thought that it might have been a clue that the characters didn't turn to dots?).

              1. yetanotheraoc Silver badge

                Re: Salting?

                It would have been a clue if they had been looking at the dialog! Touch typists already looking at their paperwork for the unique id that has to go into the search form. Most of the business applications automatically populated the username, this was one of the two that didn't.

  13. Mike 137 Silver badge

    The fundamental problems

    Problem 1: Nobody explains to users what passwords are really for (to keep others out, not let the user in) or why the password rules supposedly create adequate passwords, so the rules seem arbitrary and smart folks find ways to circumvent the arbitrary.

    Problem 2: most password rules I've encountered are a load of excrement, as they don't ensure reasonably adequate passwords but merely create problems for users, who therefore fine ways to circumvent the rules.

    Problem 3: Nobody makes clear what the real threats against passwords are, or what controls (and whose responsibilities) are needed to counter each of them. Consequently, the user is made solely responsible for protecting against all the threats despite not being equipped or informed enough to do so.

    Problem 4: we should stop calling them passwords as non-technical folks (not surprisingly) take that literally.

    There are likely a few more, but these cry out for fixing, and it could be quite easy if we stopped repeating mantras and informed ourselves and our users properly.

  14. Alumoi Silver badge

    It's also essential to not reuse passwords on different accounts

    Why?

    If I don't share my info with the site or I share some fake info, I really don't care if they sell my data..., erm, sorry, they suffer a security breach. So it's always spam@mydomain and fuckoff (mixing capital letters, numbers and special characters if required).

  15. spireite Silver badge
    Facepalm

    Don't need a difficult password when I have activated......

    ...MFA on my phone.

    That was a serious answer I had once when I asked a simpleton, sorry - colleague - why they had a really easy to guess password.....

  16. Dizzy Dwarf

    I once ...

    Watched the super bowl as a student, so I thought it would be a good idea to go to the lab and change my password to cincinatty.

    I can't event spell sinsinnati sober.

  17. Anonymous Coward
    Anonymous Coward

    A unique memorable password?

    Simplified I use for sites that aren't financial or critical something like:

    W@rd1234*56an#ther

    Where the @ is the third letter of the website and # is the 2nd letter

    The actual number is one I've memorised.

    So a unique password for every website.

    If a human was trying to crack it they probably could especially if they had my password for two websites

  18. 桜沢墨

    How to avoid getting hacked...

    Don't use a password manager that knows what your passwords are? I wouldn't touch a proprietary password manager like Nordpass with a 20 foot pole.

    Maybe they got their data from somewhere else but seriously, don't proprietary software for some of the most sensitive material on your computer.

    1. Yet Another Anonymous coward Silver badge

      Re: How to avoid getting hacked...

      Real programmers write(*) their own password manager - after reading Bruce's Applied Crypto book

      (using a compiler they wrote themselves on an operating system they created)

      1. harmjschoonhoven

        Re: How to avoid getting hacked...

        At t(now) seconds and XOR(history)&0x00ff your passwords are:

        DWM#1ED106Mp

        Cwn=4Nv106Xs

        Cqc/2Qx908MX

        sva/8Tr352QC

        mqU+0Vc126GQ

        Nmc=7dN525RA

        wMA;2ZB649sT

        WFP_5eP925fq

        Dqx/1ZB285AF

        ceD/3LH827mw

        VhE+2BR588vF

        Ctm=3By593tQ

        Mmy/3Wm845XH

        eCs#9sT534Vr

        NGR=8gT549FA

        kva*1MP222WH

        SrY@7KH450tW

        RAT=9qT351zA

        BEk/3eM457SF

        EYn_4xP380cm

        ; sleep(2)

      2. Anonymous Coward
        Anonymous Coward

        Re: ...done all three, but not at the same time

        Wrote my own password hint app. Wrote commercial compilers. And have written OS'es (long story)..

        But password hint manger app written on Android. But not the custom one I once had to build from the AOSP source. Did use JNI.

        But would never use anything in the Schneier book. If you know the background history of the subject none of the interesting stuff is in any book published in Five Eyes countries. And yes, I have worked on stuff covered by Title 15..

        So yes, I am a real programmer.

    2. 桜沢墨

      Re: How to avoid getting hacked...

      Er, that LEAKS your passwords.

  19. bubblegun23
    Mushroom

    Terrible password policy

    I joined Virgin Media recently.

    Apart from being apalled at there being no IPV6 network at all, their password policy is a joke for their website.

    They have a character limit of 8 characters and only allowed numbers and letters. Cracked in an hour, anyone?

    There doesn't seem to be MFA either.

    Hope there's nothing they want to protect there.

    1. Anonymous Coward
      Anonymous Coward

      Re: Terrible password policy

      created a new login with password based on the site's criteria... success... it 'logs me out' and presents me with a login prompt... enter username and password just created...

      'username or password invalid'

      turned out that the criteria for creating a password was different from the criteria for validating a password at login and my valid password was invalid

  20. myithingwontcharge

    What in the space....?

    12345? That's amazing, I've got the same combination on my luggage!

  21. captain veg Silver badge

    the password is password

    I do this regularly.

    Our email BOFHs prohibit executable attachments. Compressing them with 7z and "a" password does the trick.

    -A.

  22. Ideasource

    Alternatively

    Fashion your life as if to expect your passwords to be cracked.

    Anything you need to keep secret don't ever write down or tell anybody.

    And always maintain multiple alternative methodogies to maintain your physical existence that doesn't rely on the convenience of temporary secrecy.

    If someone wants your data access bad enough they will get it. Even if they have to kidnap you and torture you to take it.

    Better to not be a Target in the first place

  23. Bbuckley

    thisISn0TmYpaSSW0RD

  24. Potemkine! Silver badge

    Better make a long understandable password you may remember than a shorter one using symbols and numbers.

    When an app or a site refuses my 20-letters password as being insecure before there's no symbol in it, I tend to think that developer is an idiot.

    And +1 for saying that having to change a password regularly is totally stupid. It is indeed. I can't understand how some continue to propagate that non-sense.

    == Bring us Dabbsy back! ==

  25. SotarrTheWizard
    Trollface

    I noticed that "ChuckNorris" isn't on the list. . .

    . . . .simply because **everyone** knows you can't beat Chuck Norris. . . (grin)

    (And yes, I know the story of how Facebook, in the early years, used a munged version of Chuck Norris as their main internal password. . . )

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like