Your password hygiene remains atrocious, says NordPass

It's that time of year again – NordPass has released its annual list of the most common passwords. And while it seems some of you took last year's chiding to heart, most of you arguably swapped bad for worse. Password manager vendor NordPass, which is well aware of the poor quality of passwords, reported that last year's top …

  1. Mayday

    Streaming Passwords

    "Streaming platforms seem to be relegated to the bottom of the password priority list for most users"

    Presumably this is because most streaming clients, such as "smart" TVs, and to a lesser extent tablets and phones, have a more cumbersome user interface than a computer (i.e. a clunky menu operated via a remote control vs a PC keyboard), which makes John User just want to enter something that's easy to enter, as opposed to switching between different on-screen keyboards to increase complexity by way of caps, numbers, special characters etc. Not to mention password length.

    Not making excuses, just a possible explanation. Not that Mr & Mrs Hacker would feel sorry for you and your shitbird.

    1. DS999 Silver badge

      Re: Streaming Passwords

      And because they are often shared with others, so the masses who use the same password all over don't have to tell others their "real" password when they trade their Netflix login for their neighbor's Disney+ login.

    2. Marty McFly Silver badge

      Re: Streaming Passwords

      More like the password matches the security level required for the USER.

      I couldn't give two shitbirds if someone cracked my password and got access to my streaming service. The absolute worst thing that could happen is they foul up my previous watched history and 'recommendations'. And even if they managed to lock me out of the account, stop paying the bill and it will be shut off soon enough. I would be happy to go to the web page and start watching without having to screw with a password.

      The SERVICE, however, wants me to have a password to prevent it from being shared. They have the 'something to lose', not me.

      And thus the user configures a weak password and doesn't care.

      1. ThomH

        Re: Streaming Passwords

        Not only have I forgotten many times to log out of a TV or similar while on holiday, but I've frequently chanced upon other people's accounts as still signed in. Amazon's the only one I've cared enough about to perform a remote sign-out, since you can buy content through it.

        Thanks to the last already-signed-in Netflix I happened upon in a rental, I know that it is the go-to service for telenovelas from the US. Sadly the characters tend to say more complicated things than "My name is ThomH. I eat rice. The cat is at the library." so my Spanish isn't really sufficient.

    3. doublelayer Silver badge

      Re: Streaming Passwords

      This is true in my case. If I expect that I will have to enter a password on something with an annoying input device, the password is likely to look something like hzycdkbkfamxptdjdl. Length makes it secure, but by having no characters that aren't on the lowercase keyboard, I don't have to keep switching layers to enter it. This is, of course, if I have the luxury of encrypting it and looking it up only when needed. I imagine that people who have to enter it frequently or share it with others don't bother with that either.

  2. Sora2566 Silver badge

    Well, it's about time somebody's trying to staunch the gushing wound that is port-out fraud... people really need to learn that text-based 2FA is really not secure.

  3. Emir Al Weeq

    What about sites that force you to make it easier?

    I often find that the password I try to use is rejected because the special characters chosen are too special and aren't from a very small subset that (if you're lucky) the site tells you to use. Why impose a limit on something that's supposed to be as varied as possible?

    1. Recluse

      Re: What about sites that force you to make it easier?

      My experience is similar - complex passwords ( > 25 characters) accepted, only to find that the password is later rejected as incorrect.

      Experimentation finds that the site (although not mentioned) only actually accepted/recorded (say) the first 20 digits of the input password. Doesn’t say much for their capture/error checking/sanitation code …

      My other bugbear (as I use a password manager) is constantly being hassled to rotate passwords. If it's a site that I don’t visit frequently, the first 5 minutes of any return are spent messing around updating/resetting passwords.

      Naturally the sites that seem to insist on frequent changes are the ones that often don’t offer proper 2FA - only the inadequate SMS version - and perhaps I don't want them to know my phone number (no, I am not referring to “cough” smut sites …)

      1. Charlie Clark Silver badge

        Re: What about sites that force you to make it easier?

        Current BSI (German Office of IT Security) recommendation is 12 characters and no rotation: rotation being one of the reasons to choose simpler passwords.

        1. John H Woods

          Re: What about sites that force you to make it easier?

          Same with the National Cyber Security Centre in the UK.

          Don't enforce regular password expiry

          Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.

          Forcing password expiry carries no real benefits because:

          * the user is likely to choose new passwords that are only minor variations of the old

          * stolen passwords are generally exploited immediately

          * resetting the password gives you no information about whether a compromise has occurred

          * an attacker with access to the account will probably also receive the request to reset the password

          * if compromised via insecure storage, the attacker will be able to find the new password in the same place

          1. FrogsAndChips Silver badge

            Re: What about sites that force you to make it easier?

            NIST dropped that requirement a few years ago, and at corporate level we're starting to see implementations of new authentication methods (biometrics, PINs, HelloForBusiness) which ultimately will lead to the disappearance of the password, or at least its quarterly rotation (which generally consists in incrementing the last character, so provides no additional security).

            1. Charlie Clark Silver badge

              Re: What about sites that force you to make it easier?

              Note, the new authentication methods are not necessarily any better (and biometrics is particularly tricky) but they do change liability, almost invariably meaning that the provider of the service is never liable.

          2. Roland6 Silver badge

            Re: What about sites that force you to make it easier?

            I have found with one (non-IT) user group that by dropping the monthly forced password change, people actually start to remember their password. Net effect: I have reduced the miskeyed limit back to 3 without anyone complaining, and the security software now seems to be working as it will now flag when a user changes their usage (e.g. switch from BT to Virgin, identified due to using a different ISP address pool).

            My advice to users is if they wish to access company systems whilst abroad, via arrangements other than roaming, contact me, as the odds are it will fail and I will get an attack alert.

            Obviously, a hacker in the UK in possession of the password can still get in, it’s just harder for them to do so under the radar.

    2. doublelayer Silver badge

      Re: What about sites that force you to make it easier?

      I usually assume the worst with sites like this. One reason this could happen is that someone copied and pasted some validity checking code for no reason, but the most plausible reason I can come up with is that the password is stored raw in a database and they're worried that some characters will mess up an SQL statement, meaning the service is vulnerable to SQL injection and has my passwords in plain text. Maybe that's not true, but if I see those requirements, I assume that they hold and act accordingly.

      1. Bill Gray

        Re: What about sites that force you to make it easier?

        > the most plausible reason I can come up with is that the password is stored raw

        This. It's just about the only reason I've been able to come up with. Which is horrifying. Salting and hashing is not rocket surgery.
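Both of these comments reason from a symptom (a ban on "special" characters) to a suspected cause (passwords concatenated into SQL and stored raw). The Python below is an added example, not code from the article or from any site discussed in the thread; it puts the suspected pattern next to the hardened one. The first store builds its statements by string formatting and keeps the secret in clear, so an apostrophe breaks registration and a classic injection string logs in without knowing the password. The second uses parameter binding and stores only a per-user salt plus a scrypt-derived key, so any character is accepted and the same injection string is simply a wrong password. The schema, the account names and the scrypt parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def _schema(conn):
    conn.execute("CREATE TABLE IF NOT EXISTS users (name TEXT PRIMARY KEY, secret TEXT)")


# --- the pattern the comments suspect: secret stored raw, SQL built by string formatting ---

def register_vulnerable(conn, name, password):
    _schema(conn)
    # An apostrophe in the password ends the literal early and the INSERT fails,
    # which is exactly why such a site would forbid "too special" characters.
    conn.execute("INSERT INTO users VALUES ('%s', '%s')" % (name, password))


def login_vulnerable(conn, name, password):
    # Same construction at login: the password can rewrite the WHERE clause.
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = '%s' AND secret = '%s'" % (name, password)
    ).fetchone()
    return row is not None


# --- the hardened form: parameter binding plus a salted, memory-hard KDF ---

def _kdf(password, salt):
    # scrypt parameters are an assumption for this example; tune them to the deployment.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def register_safe(conn, name, password):
    _schema(conn)
    salt = os.urandom(16)
    # The driver binds the values; no character in the password is ever parsed as SQL.
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, (salt + _kdf(password, salt)).hex()))


def login_safe(conn, name, password):
    row = conn.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    blob = bytes.fromhex(row[0])
    salt, stored = blob[:16], blob[16:]
    # Constant-time comparison of the freshly derived key with the stored one.
    return hmac.compare_digest(_kdf(password, salt), stored)


def demo():
    """Runs both stores against constructed accounts and returns the observable differences."""
    injection = "' OR '1'='1"

    vuln = sqlite3.connect(":memory:")
    register_vulnerable(vuln, "alice", "correct horse")
    try:
        register_vulnerable(vuln, "bob", "O'Brien")
        vuln_accepts_apostrophe = True
    except sqlite3.OperationalError:
        vuln_accepts_apostrophe = False

    safe = sqlite3.connect(":memory:")
    register_safe(safe, "alice", "correct horse")
    register_safe(safe, "bob", "O'Brien")

    return {
        "vulnerable_accepts_apostrophe": vuln_accepts_apostrophe,
        "vulnerable_login_bypassed_by_injection": login_vulnerable(vuln, "alice", injection),
        "safe_accepts_apostrophe": login_safe(safe, "bob", "O'Brien"),
        "safe_login_bypassed_by_injection": login_safe(safe, "alice", injection),
        "safe_rejects_wrong_password": not login_safe(safe, "alice", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-40s %s" % (key, value))
```

The character restriction disappears with the fix because the database never sees the password as SQL text, and the hash never sees it as anything but bytes; a site that still needs to forbid quotes or percent signs after that is telling you something about its storage.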

    3. captain veg Silver badge

      Re: the special characters chosen are too special

      In my CompSci student days we were still working on dumb terminals connected to minicomputers. I read an article on password security which, among its practical tips, suggested that if your system allowed it, include one or more control codes. So I tried it. And, to my slight surprise, the program for changing passwords did indeed allow the inclusion of control codes. Unfortunately the program for actually logging in didn't, so I had just locked myself out.

      -A.

      1. Ian Johnston Silver badge

        Re: the special characters chosen are too special

        I once set my password on a Vax 11/780 to a string which included two spaces. It worked fine for logging in, but when the password expired it wasn't accepted as "Old password" to change it.

        1. Eclectic Man Silver badge

          Re: the special characters chosen are too special

          True story:

          On an ICL system I used* the password change system allowed a password to start with the space character. However, the log on system ignored leading spaces, but as the password was hashed for log on ...

          Someone had not tested it properly.

          *Yes, I really am that old.

          1. Roland6 Silver badge

            Re: the special characters chosen are too special

            There was a time when it was advised not to start passwords with a number, due to similar implementation problems..

            I’m uncertain whether it was simply an urban myth or not, but the use of special characters - specifically those used by Unix and C - could cause problems.

          2. Roland6 Silver badge

            Re: the special characters chosen are too special

            Saw this in the release notes for a router firmware update, released last month…

            “ The "%" character is no longer supported in the admin password. If the character "%" is currently in use as the router’s admin password, you must change the password before upgrading to the new firmware version.”

            Suspect it was easier to check for the presence (or not) of the ‘%’ character than correct whatever function that misreads it…
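The stories in this sub-thread, and Recluse's 25-character password further up (accepted at set time, rejected as incorrect at login), are one bug in different clothes: the set-password path and the verify path do not treat the secret identically. Control codes, leading spaces and over-length input are taken by one program and silently altered or refused by the other. The Python below is an added example, not code from any of the systems mentioned; it models a store with two of the reported behaviours (truncation to a column width on set, leading spaces stripped on login) next to one that applies the same rule on both paths, and runs a small probe set through each to surface the mismatch. The 20-character limit, the class names and the probe strings are assumptions for the example.

```python
import hashlib

MAX_LEN = 20  # column width the set-password path enforces (assumed for the example)


def _h(secret):
    # Plain SHA-256 keeps the example short; the point is what is fed in on each path,
    # not the hash itself (a real store would use a salted, slow KDF).
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class BrokenStore:
    """Set truncates silently to the column width; login strips leading spaces."""

    def __init__(self):
        self.hashes = {}

    def set_password(self, user, pw):
        self.hashes[user] = _h(pw[:MAX_LEN])

    def check(self, user, pw):
        return self.hashes.get(user) == _h(pw.lstrip(" "))


class FixedStore:
    """Same limit, but rejected rather than truncated, and no normalisation on either path."""

    def __init__(self):
        self.hashes = {}

    def set_password(self, user, pw):
        if not 1 <= len(pw) <= MAX_LEN:
            raise ValueError("password must be 1..%d characters" % MAX_LEN)
        self.hashes[user] = _h(pw)

    def check(self, user, pw):
        return self.hashes.get(user) == _h(pw)


# Constructed probes: a string longer than the column, one with a leading space,
# and a few characters that sites are known to trip over.
PROBES = [
    "abcdefghijklmnopqrstuvwxy",
    " leading-space",
    "pct%41inside",
    "tab\tinside",
    "quote'inside",
]


def consistency_report(store_cls):
    """Set each probe, then check that the exact value passes and near-misses fail.

    Returns (probe, finding) pairs for every discrepancy. A store that refuses a
    probe outright at set time is not reported: that is a visible limit, not a bug.
    """
    findings = []
    for i, pw in enumerate(PROBES):
        store, user = store_cls(), "user%d" % i
        try:
            store.set_password(user, pw)
        except ValueError:
            continue
        if not store.check(user, pw):
            findings.append((pw, "exact password rejected at login"))
        if store.check(user, pw + "X"):
            findings.append((pw, "login accepts a longer string"))
        if len(pw) > MAX_LEN and store.check(user, pw[:MAX_LEN]):
            findings.append((pw, "only the first %d characters were stored" % MAX_LEN))
        if pw.startswith(" ") and store.check(user, pw.lstrip(" ")):
            findings.append((pw, "login ignores leading spaces"))
    return findings


if __name__ == "__main__":
    for cls in (BrokenStore, FixedStore):
        print(cls.__name__, consistency_report(cls) or "no discrepancies")
```

The same probes work as a black-box check against a real signup form: register with each string, then try the exact value, the value with one character appended, and the first N characters. Any result other than "exact passes, everything else fails" means the two paths disagree, which is the condition every story above describes.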

  4. Potemkine! Silver badge

    For best results, use a password generator that can give you a long, random string that's harder to guess

    Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess

  5. This post has been deleted by its author

  6. Ian Johnston Silver badge

    As we seemingly need to remind you every year, longer passwords are always better

    So "123456789" is better than "Ghk989%f"?

    1. Charlie Clark Silver badge

      Trick question: both will turn up in rainbow tables for unsalted hashes.

      1. Eclectic Man Silver badge

        Asking for a friend

        Just wondering where 0987654321 came in the list?

        1. captain veg Silver badge

          Re: Asking for a friend

          Is this some oblique reference to telephone porn?

          -A.

  7. Flightmode

    So let's see, a password manager company that makes it their business to list their customers' most commonly used passwords every year? Broken down per service type, country and all? Definitely doesn't sound like a password manager I'd like to use, that's for sure.

    1. Daniel Feenberg

      Apparently the data do not come from their customers, but from downloads of hacked passwords posted to public databases. See https://haveibeenpwned.com/

    2. doublelayer Silver badge

      And you assume that they're providing their customers' passwords why? Did you read that in the article? Did you read that in their statement? Does it make any sense whatsoever, given how password managers work?

      They didn't.

      1. Flightmode

        Maybe I jumped to conclusions here, and for that I apologize. Wordings such as "NordPass customers in the US seem more likley[sic!] to use generic passwords..." from the article led me to believe that the data in the list (which apparently is an annual thing, coming from a company referred to in the same article as a "password manager vendor") came from their own customers. If the data is indeed collected from other sources then NordPass obviously have no blame here. I based my comment solely on the info in this article, I did not go to the source.

        And my point was exactly what you're bringing up - if a password manager can even READ my password in clear text - either through non-encrypted backend storage or through a hidden master key, then they should definitely NOT be trusted. I have no experience with NordPass or any of the other Nord products, nor with any other online password managers. I rely on an offline password manager whose database I can maintain on my devices using a self-hosted sync service. That way, if something does go wrong, I can't blame anyone but myself.

        1. doublelayer Silver badge

          This was their method of advertising their services. They find some data about how bad passwords are, which is basically the same data as last time an article was written about it, but this time they get to have their name as the password manager company that suggested it. That's all they did in this case.

  8. Manolo

    Pill pushers' password

    Is the pharmacopeia included in dictionary attacks?

    I tend to use passwords like methotreXate2,5mg.

    Easy for me to remember, (hopefully?) not very likely to pop up in a brute force dictionary attack

    1. Anonymous Coward

      Re: Pill pushers' password

      I'm sure you're safe with that, I think the problem here is that most of us need so many passwords that we can't easily recall them.

  9. Mike 137 Silver badge

    For best results, use a password generator that can give you a long, random string"

    This is the myth that's persisted for forty years despite all changes to the threat space. The problem is that practically nobody can actually use a password of this type, so it's self-defeating, and it also offers practically no defence in the case of offline attack.

    So here are some truths:

    [1] once the perp has a raw password hash, there's absolutely no defence against a rainbow table that can accommodate the length of your password, regardless of how 'complex' [sic] it is. The only difference is whether it takes a few seconds or a few minutes to find it. Adequate salting helps the defence, but the real trick is to prevent the perp laying hands on your password database in the first place, and that's not a user responsibility. It's down to network security.

    [2] in the absence of getting hold of the database, the perp either has to infiltrate your front line (capturing passwords as they are entered) or has to keep trying based on published frequency lists until they succeed. In the first case, it doesn't matter a toss what your password is -- you're handing it to them, and the only defence is endpoint security, which once again is not a user responsibility. In the second case, there are several ways to make retrying randomly impractical, which is (yet again) not a user responsibility.

    The only fundamental user responsibility is to choose a non-obvious password of a minimum prescribed length, and that's down to proper training that successfully instils the necessary understanding of why passwords have to be defined like this. The prevalence of impractical mandatory password rules without any supporting explanation (and indeed "letmein" as a password) shows this is not happening. The most fundamental rule that is not being imparted is:

    a password is not to give you access -- it's to deny access to others, so don't make it obvious.

    But I've never seen that stated plainly in any password policy I've seen over two decades of consulting.

    1. sebacoustic

      Re: For best results, use a password generator that can give you a long, random string"

      so you're saying I should not use "letmein" any more but "keepothersout" is more secure? Ah, i get it now.

      1. OhForF' Silver badge

        The one password

        Speak, friend, and enter.

        1. Emir Al Weeq

          Re: The one password

          friend

    2. Ian Johnston Silver badge

      Re: For best results, use a password generator that can give you a long, random string"

      Also ... the more complicated you make password requirements and the more frequently you insist on changes, the more likely the pissed-off user is to write this week's bizarrely unmemorable string on a Post-It note and stick it onto their monitor or laptop.

      1. WolfFan

        Re: For best results, use a password generator that can give you a long, random string"

        One of the places I must log in to REQUIRES:

        1. 10 or more digits

        2. At least one capital letter

        3. At least one lowercase letter

        4. At least one symbol

        5. The password must be changed every 90 days

        6. Old passwords can not be reused for 12 password change cycles, a.k.a. three years.

        I set up a password using five characters, one a capital, then a symbol, then two numbers, then four characters, one a capital. There are three secondary passwords on the system (Single Sign On, they've heard of it ). I use the exact same password for each… except that the system gets paranoid. So I changed the symbol in the secondary log-ins. Now it's happy. Every 90 days, change one of the numbers. I'm fairly sure that this behavior is not what the administration wanted, but I don't care. I have passwords that I can remember. I don't have anything written down. I'm not using a good password, which would have to be changed every 90 days.

        My passwords on systems that don’t have to be changed on a regular basis are 12 to 18 characters, typically with a capital or two or three, sometimes with a number, symbols are a pain when using many virtual keyboards, and are not reused.

        The letter parts of the password would usually be derived from a non-Indo-European language. Good luck guessing which one. Good luck guessing where I deliberately misspelled something.

        1. Roland6 Silver badge

          Re: For best results, use a password generator that can give you a long, random string"

          Secondary logins/security …

          I use an off-the-shelf password manager; I’m seeing an increase in the number of sites where login credentials are either on multiple webpages and/or use fields which the password manager does not recognise as credential fields, hence requiring manual editing of the password manager credentials record, so I can select the right credential for each stage of a sign-on.

          Another irritation is the password manager deletes replaced passwords so no history. I have resorted to periodically exporting the database; so when I get the “your password ‘letmein’ has appeared in a breach” message, I can determine where and roughly when I used that password and hence determine the extent of damage limitation required.

          1. FrogsAndChips Silver badge

            Re: For best results, use a password generator that can give you a long, random string"

            Keepass keeps a history of your passwords, and its Autotype features allow you to input any number of TAB, ENTER keystrokes to navigate between the input fields, with delays to take into account page loading times. Of course every now and then you need to reconfigure because the provider has redesigned their login page, but I can live with that.

            1. Andy The Hat Silver badge

              Re: For best results, use a password generator that can give you a long, random string"

              That sounds great ... but who produces Keepass (to use your example)? Where are the passwords stored? Can the database be accessed online? Is the database protected by a single password? Why should I trust a single company with *all* my security when I have no knowledge or control of that company or their security processes? For all I know they may have a massive online database with a master password of "password" to open everyone's systems when the ransomware company that runs it decides there's enough data to make it financially viable ... (I'm not suggesting Keepass are actually involved in ransomware, just that with limited user knowledge, they *could* be and I'd be none the wiser.) Before the suggestion that I'm being paranoid, try looking at nearly every crypto investment or pension fund fraud conducted by the "reputable" companies that run them, without the knowledge of the users of those systems.

              In essence, who polices these "trust" companies?

              1. FrogsAndChips Silver badge

                Re: For best results, use a password generator that can give you a long, random string"

                https://www.keepass.info

                It is open-source, is not owned by a company and has been audited and recommended by several national security bodies.

                It is an offline, standalone tool but offers sync features with most online storage providers (Google Drive, Dropbox, OneDrive...) if you want to use them - or not if you're paranoid.

                You can protect the database with a master password, a keyfile (random file that you keep separate from your database) or Yubikey.

    3. doublelayer Silver badge

      Re: For best results, use a password generator that can give you a long, random string"

      "The most fundamental rule that is not being imparted is:

      a password is not to give you access -- it's to deny access to others, so don't make it obvious.

      But I've never seen that stated plainly in any password policy I've seen over two decades of consulting."

      I didn't think we had to, since that seems rather intrinsic in a definition of a password. I think users know what a password is for. They either don't care as much about the desire to make it secure or don't understand how password security works, and the latter is a point on which we can help, but I think they understand why they've got one.

      1. Version 1.0 Silver badge

        Re: For best results, use a password generator that can give you a long, random string"

        I always find the strongest passwords to use by going to XKCD!

        1. Anonymous Coward

          Re: For best results, use a password generator that can give you a long, random string"

          "I always find the strongest passwords to use by going to XKCD!"

          You are 'correct', XKCD has been a 'staple' in my 'battery' of security methods also !!!

          :)

          1. FrogsAndChips Silver badge

            Re: For best results, use a password generator that can give you a long, random string"

            What does your 'horse' think about it?

    4. FrogsAndChips Silver badge

      Re: For best results, use a password generator that can give you a long, random string"

      The only difference is whether it takes a few seconds or a few minutes to find it

      I'd like to see a source for this.

      A 12-digit password combining uppercase, lowercase, digits and special chars gives you 10^22 combinations. Assuming a compute power of a trillion (10^12) combinations per second, it would take roughly 400 years to try them all, so on average you'll crack that in 200 years.

      1. Roland6 Silver badge

        Re: For best results, use a password generator that can give you a long, random string"

        It’s going to be interesting to find out if quantum computing really delivers or not, if it delivers then passwords etc. will rapidly become history, if it fails we can expect quantum computing to become history…

    5. Graham Cobb

      Re: For best results, use a password generator that can give you a long, random string"

      Adequate salting helps the defence, but the real trick is to prevent the perp laying hands on your password database in the first place, and that's not a user responsibility

      Errr... Adequate salting is absolutely critical: it makes rainbow tables useless. Preventing getting hold of the password database is also standard practice. Anyone who fails one of those doesn't get any more of my business once I find out.

      The crucial user responsibility is to use different and completely unrelated passwords for each service they care about, and use a password manager to manage them. Of course, they can use their girlfriend's favourite colour or their dog's name for the hundreds of passwords they don't care about (like streaming services).
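Charlie Clark, Mike 137, FrogsAndChips and Graham Cobb are arguing over the same two quantities: how much a precomputed table buys an attacker who already holds the hash database, and how large the search actually is for a random password. The Python below is an added illustration, not code from the article or from NordPass. It leaks a constructed set of accounts twice, once as bare SHA-256 and once with a per-user salt, and counts the hashes an attacker with a short wordlist has to compute in each case; it then reproduces the brute-force estimate in FrogsAndChips' comment as a function of charset size, length and guess rate. The wordlist, the accounts and the 95-character printable-ASCII charset are assumptions for the example.

```python
import hashlib
import os

# A constructed stand-in for a published frequency list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "UNKNOWN", "correct horse"]

# Constructed accounts; "cid" uses a password that is not in the list.
ACCOUNTS = {"ann": "123456", "bob": "letmein", "cid": "Tr0ub4dor&3"}


def unsalted(pw):
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def salted(pw, salt):
    return hashlib.sha256(salt + pw.encode("utf-8")).hexdigest()


def leak_unsalted(accounts):
    """What an attacker gets from a database of bare hashes: {user: hash}."""
    return {u: unsalted(pw) for u, pw in accounts.items()}


def leak_salted(accounts):
    """Same leak with a random 16-byte salt per user: {user: (salt, hash)}."""
    out = {}
    for u, pw in accounts.items():
        salt = os.urandom(16)
        out[u] = (salt, salted(pw, salt))
    return out


def crack_unsalted(leaked):
    """One table, built once, answers every user by lookup.

    Returns (recovered, hashes_computed). The table costs len(WORDLIST) hashes
    however many users leaked: this is the precomputed/rainbow-table advantage.
    """
    table = {unsalted(w): w for w in WORDLIST}
    recovered = {u: table[h] for u, h in leaked.items() if h in table}
    return recovered, len(WORDLIST)


def crack_salted(leaked):
    """No shared table is possible: the wordlist is re-hashed under each user's salt.

    Returns (recovered, hashes_computed); the cost now grows with the number of users.
    """
    recovered, computed = {}, 0
    for u, (salt, h) in leaked.items():
        for w in WORDLIST:
            computed += 1
            if salted(w, salt) == h:
                recovered[u] = w
                break
    return recovered, computed


def brute_force_years(charset_size, length, guesses_per_second):
    """Time to exhaust a random password's keyspace (the average search is half of this)."""
    seconds = charset_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(leak_unsalted(ACCOUNTS)))
    print("salted:  ", crack_salted(leak_salted(ACCOUNTS)))
    # 12 random characters from the 95 printable ASCII characters at 10^12 guesses/s:
    print("exhaustive search, years:", round(brute_force_years(95, 12, 1e12)))
```

Two things the numbers show: salting does not make a weak password strong (ann and bob are recovered either way), it only removes the "one table for everyone" discount, so the attacker pays per account; and a random 12-character password sits far outside what a wordlist attack reaches at all, which is the case where the per-guess cost of the hash, not the salt, is what buys time.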

  10. captain veg Silver badge

    a long, random string that's harder to guess than 123456 – or even UNKNOWN

    How about 12345678UNKNOWN then?

    -A.

    1. James O'Shea Silver badge

      Re: a long, random string that's harder to guess than 123456 – or even UNKNOWN

      Too easy. HakkaaPaalle1618 should do. From the furious Finns may the Lord deliver us!

      1. Mookster

        Re: a long, random string that's harder to guess than 123456 – or even UNKNOWN

        Shurely, hakkaaPäälle1618

  11. Snowy Silver badge

    Get a password manager

    Then password it with 1234567 then wonder why it did not protect you.

  12. captain veg Silver badge

    for the love of your IT team's sanity, don't reuse passwords

    When my IT team isn't involved I generally use the same password everywhere. It's the only way I'm going to remember it. But I change the login email address for each one.

    -A.

    1. Roland6 Silver badge

      Re: for the love of your IT team's sanity, don't reuse passwords

      Whilst I think you are joking, you touch on an important point, namely, the login username and account email address; these are generally not well protected, with user feedback leaking information and many systems also storing these in plain text.
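Roland6's point about user feedback is the username-enumeration problem: if the login page answers "no such user" and "wrong password" differently, or answers faster when the account does not exist because it skips the hash, an attacker can confirm which e-mail addresses are customers before trying a single password. The Python below is an added example, not code from any site in the thread. It contrasts a leaky login with one that returns the same message and does the same amount of work whether or not the account exists, and a small probe that exposes the difference without any timing measurement by counting KDF invocations. The user table, the PBKDF2 parameters and the counter are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept low so the example runs quickly; production uses far more

KDF_CALLS = {"n": 0}  # instrumentation: how many times the slow KDF actually ran


def _kdf(password, salt):
    KDF_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


# Constructed user table keyed by e-mail address.
USERS = {"alice@example.org": _make_user("correct horse")}

# A fixed, valid-looking record used for unknown users so the code path is identical.
_DUMMY = _make_user("not-a-real-account")


def login_leaky(email, password):
    """Distinct messages and no KDF for unknown users: both leak account existence."""
    user = USERS.get(email)
    if user is None:
        return False, "no account with that e-mail address"
    if not hmac.compare_digest(_kdf(password, user["salt"]), user["hash"]):
        return False, "incorrect password"
    return True, "ok"


def login_uniform(email, password):
    """One message and one KDF run whether or not the account exists."""
    user = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(_kdf(password, user["salt"]), user["hash"])
    # Only a real account can ever succeed; the dummy record is never a login.
    ok = ok and email in USERS
    return ok, ("ok" if ok else "invalid e-mail address or password")


def enumeration_probe(login):
    """Call a login function for an unknown and a known address with a wrong password.

    Returns (messages_differ, kdf_calls_unknown, kdf_calls_known): a difference in
    either is a signal an attacker can use to enumerate accounts.
    """
    KDF_CALLS["n"] = 0
    _, msg_unknown = login("nobody@example.org", "wrong")
    calls_unknown = KDF_CALLS["n"]
    KDF_CALLS["n"] = 0
    _, msg_known = login("alice@example.org", "wrong")
    calls_known = KDF_CALLS["n"]
    return msg_unknown != msg_known, calls_unknown, calls_known


if __name__ == "__main__":
    print("leaky:  ", enumeration_probe(login_leaky))
    print("uniform:", enumeration_probe(login_uniform))
```

The same check applies to registration and password-reset forms, which are the usual places the "that address is already in use" leak survives after the login page has been fixed.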

  13. Joe Dietz

    Passwords are all vanity if you leave the post auth token laying about.

    The real action is in getting post authentication tokens. All I need to do is read your tokens out of your profile directory and I _am_ you to whatever you happened to be logged into. I don't need your username or your password, and I don't care if your MFA is legit or SMS. I'm still _you_.

  14. hayzoos

    I use simple passwords for low risk logins and poor interfaces for good passwords.

    I use a password manager and generate the longest passwords a site will accept. Repeating criticism of many above... Why so short, or why accept a longer one for setting but not for login? Duh.

    The master password I use for the password manager is 48 characters. I memorized it in 8 character chunks. A while back I had upgraded from 24 characters.

    I changed the master password earlier this year because of a weakness found in certain Key Derivation Functions amplified when using a low iteration count. This was necessary because I started using the password manager long ago and recommendations changed since then.
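hayzoos' last paragraph describes the right response to a key-derivation weakness: the stored record carries its own work factor, so it can be audited against current guidance and re-derived when it falls below it. The Python below is an added example, not the code of any password manager. It stores a PBKDF2 record in a self-describing form, audits a set of records against a policy floor without needing any password, and upgrades a below-policy record transparently the next time the correct password is presented. The record format, the policy figure of 600,000 iterations and the sample records are assumptions for the example.

```python
import hashlib
import hmac
import os

MIN_ITERATIONS = 600_000  # policy floor for PBKDF2-HMAC-SHA256 (assumed for the example)


def make_record(password, iterations=MIN_ITERATIONS):
    """Self-describing record: scheme$iterations$salt$derived-key, everything needed to re-check it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def parse_record(record):
    scheme, iterations, salt, dk = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: %s" % scheme)
    return int(iterations), bytes.fromhex(salt), bytes.fromhex(dk)


def below_policy(record):
    return parse_record(record)[0] < MIN_ITERATIONS


def audit(records):
    """Names of stored records weaker than policy; needs no password, only the records."""
    return sorted(name for name, rec in records.items() if below_policy(rec))


def verify_and_upgrade(record, password):
    """Check the password against the record; if it is right and the record is
    below policy, return a replacement derived at MIN_ITERATIONS with a fresh salt.

    Returns (ok, new_record); new_record is None when nothing needs rewriting.
    """
    iterations, salt, stored = parse_record(record)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    if not hmac.compare_digest(dk, stored):
        return False, None
    if iterations < MIN_ITERATIONS:
        return True, make_record(password)
    return True, None


if __name__ == "__main__":
    # Constructed vault: one record made years ago at a low count, one current.
    vault = {"old": make_record("hunter2-but-longer", 1000), "new": make_record("another-secret")}
    print("below policy:", audit(vault))
    ok, replacement = verify_and_upgrade(vault["old"], "hunter2-but-longer")
    if ok and replacement:
        vault["old"] = replacement
    print("after login:", audit(vault))
```

The upgrade can only happen when the user next presents the password, because the old derived key cannot be turned into a new one without it; that is why a vault created long ago keeps its original work factor until the owner opens it, which is the situation hayzoos describes.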
