You'll never guess what the most common passwords are. Oh, wait, yes you will

Re: How many systems allow unlimited login attempts ?

Limiting login attempts doesn't help when someone has broken into a system and stolen a hashed password file. You can have as many goes as you like to match the hash, and then use the result to login.

My preference is car number plates, once in lower case & once with the shift key down. It helps that a) I mostly work with full sized keyboards and b) am a raging petrolhead with a gift for remembering car registrations going back decades so don't need to use my current car. Also means I can leave myself a postit note with just "blue maxi" or "white 504 estate" on my monitor and it's still pretty secure.

Password rules make for weaker passwords

Mixed case, numbers, symbols, but cannot contain some symbols and no spaces, and must change every month?

Fine: "November2025!" is good for this month.

When will people understand that allowing for a long passphrase with spaces and NOT FORCING CHANGES is the way to have good passwords?

TFL

I created an account on the Transport for London web site today. It only allows letters and digits in the password, no symbols, not even punctuation.

-A.

"I would use very long passphrases, if not for the fact that almost all systems demand numbers, mixed case and punctuation at the very least, and some of them have a max password length."

...and require you change them frequently. A password manager is not always an option. And you need many different passwords for many different systems. It's all one big well cooked recipe for normal fallible humans to create easily remembered passwords.

I love it when I try to set up a password for a website and they have min/max password length requirements and require at least one special character from a limited list of special characters, but they don't give you any of this information, so you have to keep trying randomly until your proposed password is finally accepted.

There don't appear to be too many of these sites, but I have run across several that restrict password length, and the number/variety of allowed special characters as well, forcing their users to provide relatively weak passwords. Even a sixteen-character password restricted to seven-bit ASCII is, IMO, way too weak.

I also wonder what those who store their password wallets in the cloud are thinking of?

Re: Most Popular Password : 123456

I have the same combination on my matched luggage!

Re: Most Popular Password : 123456

Ime goes to 11

Re: Still harping over forum passwords

This is indeed so much true. If I have to register to do something stupid and one-time, I usually enter a throwaway email and an idiotic password. And who cares if it gets leaked.

Re: Still harping over forum passwords

Came to to say pretty much the same thing, these are the low hanging fruit accounts that easily get guessed - you don't get many hits for ffFgghdoioijnj338488bb9d9duy££$$b

Damm , going to have to change that one now!

Well, that still needed a forklift truck to be broken...

Re: Forcing regular change is counterintuitive

I left one company, with my current password set to <highlycomplexpassword>37. Guess how long I worked there.

But then, I usually use Safari generated passwords for websites. One turned out was used in a breach. So I know one company that most definitely stored my password as clear text.

Re: Forcing regular change is counterintuitive

"There's a site I use for work, they force a password change every 60 days."

I don't see any usefulness in that. It encourages users to create simple passwords they can remember and/or write them down and store them someplace handy that isn't too hard to find. Are they worried about a brute force attack? Who's to say that if that's the case, the new password you create isn't immediately found. It sounds more like a lack of security on the server end. I also have a couple of sites that require me to create a new password ever so many days which is about how often I use them. I have to keep updating my password file that has a password I haven't changed in ages so when I get hit by a bus, a family member can retrieve the envelope with that password in it and access my accounts. Most of them, anyway. That's a reason I don't go for biometric authentication. There may be no way to get that element once I'm gone.

Re: Forcing regular change is counterintuitive

<password>MMYY was my go to at work.

Re: Password fatigue

So, I run my own password manager, its a commercial one, and its the free version. I also modified the tomcat configuration to require a client certificate. This means you can't actually connect to it, and I can reach it from anywhere.

Re: Password fatigue

"if you don't have the password manager handy, you are out of luck."

I've had that happen when away from home with a new laptop. The password manager application wanted payment for each computer it was installed on (I found something else). Having the password manager on the laptop might also be a liability if that gets hacked. Laptops are more often nicked than desktops. My main production Mac Pro is a frickin' boat anchor so I'm not so sure that a burglar is going to want to get it out of the house in the little time they have with the alarm going off and a strobe light blinking away on the roof.

Re: Password fatigue

"I have mixed feelings for 2FA with OTP that require an internet connection with the phone."

Pissed me off that TOTP doesn't require an internet connection if the seed is stored on the authenticator but most 2FA providers don't make the seed available or allow you (personally or as an admin) generate your own.

Although I had to laugh when one mob used a qcode to upload the seed etc to their authenticator app. It was purely a plaintext totp:// url, including the seed.

Re: Where are they getting the passwords from?

Stealer logs.... malware running on computers capturing the passwords as they were typed.

See https://www.troyhunt.com/2-billion-email-addresses-were-exposed-and-we-indexed-them-all-in-have-i-been-pwned/ for some details.

Re: Where are they getting the passwords from?

Some of those will be cleartext or unsalted hashes, both of which make frequency analysis easier. Others will be salted hashes which they tried some old favorites against to make sure they're still in use. Unfortunately, good password storage is another thing that we've known how to do for some time and yet we will probably never see the end of yet another system storing them badly.

Re: Where are they getting the passwords from?

When a site tells me the password has an upper limit on length and that certain characters can't be used, I assume the password is stored in plain text. (Why else would you apply such limits?)

Such limitations are common enough to suggest that a substantial number of sites (including, $DEITY help up, my mother's bank!) don't salt and hash passwords. Or even just hash them.

Re: Where are they getting the passwords from?

Re. Surely this means that large numbers of systems are still storing passwords in plain text rather that salted/peppered hashes?

I was recently to a seminar with a PEN tester, he told that first attack was to export a backup of the password file and then brute force the hashes.

I wondered how this could work with salted password, which I believed has been standard for the last 25+ years.

Reason:

Default setting for Microsoft AD is to not use salt.

https://learn.microsoft.com/en-us/answers/questions/1726174/windows-passwords-salting

Re: India@123

England beating India? That never happens.

Re: India@123

I had taken that was from M&S, Coop or JLR and was a default TCS password.

Re: What about username?

Seconded, even worse I've got one where I ended up having to set up a second email address for myself just to log in to a support site.

We have an ERP system for one group company, no problem with my main email address for the support site.

We then implemented the same ERP at another group company but with the financials from the same provider. For no reason I could see they couldn't add the financials package onto my original support account so I had no choice but to set up a new one, and it has to be a live email address. It suited me slightly to keep things separate so easy enough to set up a group mailbox but I can see that in a larger environment it might have caused problems.

So now I have to log in to the support with the correct email address depending which company I'm dealing with at the time.

Re: What about username?

Even more annoying are the sites that require an email for the username ..... and then tell me that I have not entered a valid email address! The most annoying being my local council.

I have a domain in the .email TLD, and generate a unique email address for each site that I login to. That way if I start getting spammed I know who lost or handed out the email address.

But I occasionally run across sites that say that <yourcompany>@<mydomain>.email is not a valid email address. Only one of which has actually responded when I sent them a message about the problem.

Re: What about username?

The username is going to be stored in cleartext because they use that to identify you. If you want to have more random data, stick it onto your password to make it longer*, because that's the part that gets hashed if they're doing it correctly. Admittedly, I do kind of do this by using separate emails for different sites, but that's for spam detection and prevention, not account security.

* If they have a maximum password length, then you have a bit better of an argument and a reason to worry about what they're doing with the password you give them.

Re: What about username?

Well, the username isn't supposed to be that secret either - but I would still like sites to stop using email as username, simply for the fact that emails are not forever. What happens if I change email provider and lose access to that email? Yes, yes, have your own domain, I know, but the vast majority of people won't do that.

Re: What about username?

Security through obscurity. Proverbially reliable.

Re: What about username?

I have my own email domain and can use <anything>@<my domain>, so for any company I deal with I use <company name>@<my domain>

Had one or two confused sounding people when doing something over the phone !

Along with unique passwords (thank you keepass) if I get any spam on one of those addresses I know who it is immediately (unless of course they are trying to frame a rival co)

Re: 123456

So you upgraded to be more secure! Mine is still 12345!

Re: 123456

For hard suitcases they don't even need that, just drop it hard on one corner can be enough to pop some open (OK that info is from the 1980's but somehow I suspect that they have not improved that much)

Doesn't matter how strong the password is if the database it's stored in gets hacks.

TL;DR, you're wrong.

> Yes my password manager password is a lonnnggggg passphrase but its muscle memory now and I change it every so often.

depending on where you store it, if they have access to try passwords against it, then that could be the least of your problems.

Mine is fairly simple and easy to remember but then again is on my local NAS, if someone is trying to hack that then my entire home network is compromised.

Re: Avoid plain biometrics

Exactly. Biometrics can be used in place of a Username, but never as a Password.

Re: Avoid plain biometrics

Don't even need a finger, when you leave your password on every damn thing you touch.

Re: Avoid plain biometrics

We should avoid biometrics like the plague. It's another tool in the creation of feudalism 2.0. With biometrics you can catalogue people & prevent anonymity. I am not breaking the law (yet) but allowing governments the capability we have now is a very dangerous thing. Even if you are happy with your government ( I am not ), you may not be with the next one and eventually one will stop listening to what you want and do what they want. Personally, I feel we are there now, they are just not going full draconian as they haven't completed the control grid yet. It's cut by tiny cut so the people don't get uppity until too late. Also, with so many laws and never repeals, you will always be breaking one which lets's the authorities apply punishment based on their view of you.

Re: xkcd

That's where we have all got it wrong.

Everyone is using "HorseBatteryStaple" when we should be using "CorrectHorseBatteryStaple"

Re: xkcd

This is soooooo true.

Make long passwords easy to remember, not gibberish ones which are impossible to remember.

And use keepass.

Re: Not bothered

Ahhh, the good old drowssap. Nobody'll ever guess that one, will they?

Re: what about the MFA aspect ?

> you have to decide how far you are willing to sacrifice security for simplicity.

For most people, the answer sadly is "totally". That's why they also leave their door key "hidden" under a flower pot.

Re: what about the MFA aspect ?

"However you have to decide how far you are willing to sacrifice security for simplicity."

The average punter will opt for simplicity every time. One-Click purchases anybody?

Call the pizza joint and your caller ID is your account. Just schedule for pickup instead of delivery.

Re: what about the MFA aspect ?

"Plus a lot of systems *should* ring fence really sensitive commands with a repeated prompt for an MFA token."

Some do and what they consider "sensitive" isn't the same as my opinion so I just copy/paste the info over and over to do something simple such as check a balance or when the book is due (or I want to extend) at the library.

Is that password or authorisation phrase ??

Shirley she’s already signed in.

The dark side of me does think however a password reset, failed captcha, late SMS MFA, Microsoft Authenticator/EntraID or (like at the supermarket checkout) your “App” logs you out and you can’t log back in will cause the end of the world trying to stop some missiles being launched, stop the Auto Destruct of Voyager or something.

Best left for Black Mirror to work that one up.

Re: What's Eric Schmidt's Favourite Password?

Or Elon Misk.

“OneTreeelllliiiiiiiiiioooonn”

Re: Invalid

On a similar basis I log in to quite a few trivial sites with the username "required", because it told me when I created the account that "Username is required".

Or you could improve your script?

We seem to be thinking along similar lines. I got most of the way toward approximately the same goal :

https://www.projectpluto.com/pw_hash/pw_hash.htm

The idea is that you type in your master password, and it's combined with various salts for various sites/passwords and put through SHA256. There's a bit of logic in there for uppercase-only, number-only, "must have at least one special and/or one number", etc. cases.

The overall concept, I think, is sound. The hashing, etc. takes place within your browser; no data is transferred over the Interwebs. As noted at the above link, there are limitations. It'll handle most of the "special character" requirements, but not some of the odder ones that some sites have. (I'm not much of a Javascript programmer.)

I also did some work on the same idea, but in C, where I actually know what I'm doing. I still like the overall idea of a browser-based solution, though.

Re: Netware

Ah the good old days when you only needed 2 passwords; one for work and one for personal. When I finally exited that approach I had to change 250 passwords, groan. So now I have a vulnerability managing 250 passwords. A hardware key is my preference but I dread that failing or getting lost. Biometrics are ok provided you have absolute certainty only a hash of them leaves your possession. But you still have the problem biometrics change. Bit of tough DIY or garden work and you can't get in the phone easily!

and it promptly get stored as icantbelievewe

at the last job we had an application that I had automated the hell out of the installation by writing a script for it, it would even set up the account the service used (this was windows server world) which worked fine except some genius in the past had used punctuation in the password and it would have been a real pain to change it.

For those edge cases the instructions (yes I even wrote a guide on how to use the thing!) were "use anything you like" and change the password manually before starting the app or you would lock the account very quickly.