
NordPass has released its list of the most common passwords of 2022, and frankly we're disappointed in all of you. Topping the list of the most common passwords was, sadly, "password," followed by "123456" and its more secure relative "123456789," "guest," "qwerty" and lots more you can definitely figure out without needing …

  1. Joe W Silver badge

    What!?

    "Regularly change passwords, too."

    No. Not just "oh, change it every month" or some such stupid thing. This leads to weak passwords, and easy to figure out sequences like "Password202211" followed by "Password202212" or so. So, no, don't do that. The updated guidelines by e.g. German BSI do reflect that. Pick strong passwords and change them if you have a reason.

    OK, changing passwords regularly can be driven by e.g. distrust towards secure storage of passwords by the webshop / ISP / your employer's service providers. But then you do have a reason to change the passwords semi-regularly.

    1. Helcat

      Re: What!?

      Change frequently leads to passwords being written down, too. Or reliance on electronic storage. It's also less secure: If someone has gotten in once, they'll have the means to do so again*. Meanwhile you're convinced you're secure because you've just changed your password.

      According to the UK Cyber Security advice, it's better to look for unusual behaviour and flag that, and to ensure long, complex passwords that the user can actually remember.

      *shoulder surfing is one easy way to get a password. So is interception of the messages. Short passwords are easy to get with either of these, but long passwords, particularly if they look like two or three shorter passwords shunted together, are hard to get 'over the shoulder' and may exceed the buffer for intercepted passwords.

      And as ever, reliance on password stores just creates a single point of failure. Sure they may seem secure, but if a hacker gets in, they now have all your passwords, and what they're for. Sure, spread them out over several stores, but that also increases your exposure to hackers. Whereas they can't hack your mind, and if you can train yourself to remember a password through an alias (Penguins! Oh, yes, PinkPufferPenguines. But I make changes, so it's P1nk!pUff3r:P3ngu1n3es! - that's a rather tricky one to guess, to crack, to get by reading over your shoulder, and at 23 characters long... upper/lower/numeric/symbol... and with a spelling mistake... good luck getting that one. Just don't use it 'cause it's an example of how to create a complex password that's easy to remember, hard to crack et al)

      1. Dabooka

        Re: What!?

        I agree, regular and / or frequent changes for the sake of it are old hat. Our workplace insisted on this until WFH triggered by Covid, despite me discussing this with our Head of IT. His response was he's been instructed to do so by one of the senior managers 'who knows things about IT' and he was equally frustrated. In fact I believe GCHQ even updated their recommendations to reflect this (for the reasons above, repetition and writing down creates weak links).

        Also, 12 characters or more? Hard to do that when portals still insist on '6-8 letters' to create a strong password (yes, City and Guilds, I am looking at you). This continues to push the myth that 6 is enough.

        1. Antron Argaiv Silver badge

          Re: What!?

          My company does that as well. Every 3 months. 12 characters or greater, with numbers symbols and u/l case.

          But their algorithm for similarity checking needs a bit of work. I have been using a base phrase with a short changeable addendum. It seems to get past their checking. My previous company used a much stricter test.

          1. FrogsAndChips Silver badge

            Re: What!?

            Same here, I just change the last letter and it's alright. It would even pass the 'different from the last 10/20 passwords' test. We've moved to HelloForBusiness and device-linked PIN, but the password is still required to access some internal apps so now we have to remember both PIN and password.

          2. Anonymous Coward

            Re: What!?

            I add in a site identifier to my passphrases. Makes remembering all the passwords much easier.

      2. FrogsAndChips Silver badge

        Re: What!?

        So you've created 1 really strong password, and with a bit of training you'll be able to remember the sequence of upper/lowercase and special chars. Now what are you going to do? Use it on every site? Firstly, that's bad practice, secondly you can be sure that lots of sites won't accept it as is for various reasons (too long, not the right special chars, there should be at least 1 even number, penguins are evil...). So you'll have to adapt your already complex password to a particular website, and remember which alteration you made. Rinse, leather, repeat for every website that doesn't like your vanilla password. Eventually, you'll end up with lots of variations of your initial password that you'll have to match to lots of websites, and you may finally realise that it's easier to let a password manager generate a strong and unique password for every site and their specific complexity requirements.

        1. J.G.Harston Silver badge

          Re: What!?

          let a password manager generate a strong and unique password

          And how do I get into the password manager?

          1. DJV Silver badge

            Re: And how do I get into the password manager?

            Crowbar...

            1. Dave559 Silver badge

              Re: And how do I get into the password manager?

              A $5 wrench may be cheaper, and is probably more compact, than the crowbar…

              1. DJV Silver badge

                Re: And how do I get into the password manager?

                Possibly, but if it's a higher-security password manager you'd definitely need the extra leverage of a hefty crowbar. Unless you're the LockPickingLawyer, of course, in which case it would only take a rake and the "Pick that Bosnian Bill and [him] made™"!

      3. Anonymous Coward

        Re: What!?

        > Change frequently leads to passwords being written down

        I used to do that but stopped when I realised that I wasn't able to read them back.

        I really should do something about my handwriting.

        1. jason_derp

          Re: What!?

          I adapted my handwriting so every character is unlike every other character for this very reason. I have loopy lowercase ells, a slash through my sevens, little serifs for my v's and u's, etc. On top of that, I overline the letter if it's uppercase, underline if it's lowercase, put an "s" underneath if it's a symbol, and an octothorp if it's a number. Has enough rigor that I get by now when I have to write down a password for somebody else.

          1. Richard 12 Silver badge

            Re: What!?

            I recommend Magic Pencil series. It's on YouTube now.

            Round and up and down and flick!

          2. LybsterRoy Silver badge

            Re: What!?

            Which weird language did you say you used - possibly Minoan?

        2. greenwood-IT

          Re: What!?

          If you are going to write it down, please add a date next to it or cross out the old ones. I must spend hours a week waiting for clients to flip through password books shouting out different passwords for the one login I need. Although I must admit, I enjoy trying to identify the pattern :-)

          I had one client whose email address was something like xT5-4GHj!@bigemail.com and the password was Mable - I'm sure they were confused when they set it up!

      4. LybsterRoy Silver badge

        Re: What!?

        P1nk!pUff3r:P3ngu1n3es! - that's a rather tricky one to guess

        and for the vast majority of the human race somewhere between tricky and impossible to remember and type in cleanly. I had hoped that this sort of password advice had vanished by now.

    2. Charlie Clark Silver badge

      Re: What!?

      Sequences, stems, etc. are all fine as long as the passwords are salted and hashed. I'm on the fence over changing: it can be tedious but at the same time it helps remind users of the need for long passwords.

      But the problem remains: multiple passwords are difficult for humans to remember correctly.

      1. Anonymous Coward

        Re: What!?

        Sequences are not fine. Not even close to fine.

        If someone has discovered your MyPasswordIsSecure1 and you change it then guess what they're going to try next? It's easy to attack sequenced passwords both manually and programmatically. Don't do it, folks.

        1. Version 1.0 Silver badge
          Joke

          Re: What!?

          I've just updated my BadPassw0rd to G00dPassw0rd, adding more digits is an improvement? Testing it on security.org and it's rated as "It would take a computer about 2 thousand years to crack your password", are they still using the ENIAC computing system?

          Both dumb passwords rate well and are easier to use than a typical generated "cfmPAQtrfx986" password - plus you are going to be a hell of a lot more careful when you know you have a crappy password than if you think you have a safe one.

        2. Charlie Clark Silver badge

          Re: What!?

          If someone has discovered one of your passwords, they have probably discovered the rest.

      2. LybsterRoy Silver badge

        Re: What!?

        We have at least four memory wizards on this site!

    3. NATTtrash
      Pint

      Re: What!?

      But then you do have a reason to change the passwords semi-regularly.

      So what about this fad that Redmond is rolling out now? First killing IMAP/ SMTP and so on for their own (walled garden) OAuth2. Now pushing MFA, "because we have to and it is so much safer if we know who you are". Really? Have to huh? Think for what. Watching cat videos? Or financial accounts? Which I'm sure I can trust YOU with... Or use it as an excuse, because it gives "so many valuable business opportunities"? So it has nothing to do with locking people into situations where they have to keep paying you and reaping even more of their personal data (phone numbers, devices) that can be monetised in so many different ways? Because you can trust them, right, it is all OK? So I'm just an old fart when I point out that passwords do not exist anymore. That this security everybody is going on about is a pipe dream. Because you have to share (request!) your password, and then confirm with even more data (MFA) so you gain access to people/ organisation who rips you off. And then I'm not even getting into "making it even more secure and convenient" Intune "solution", which is like that grubby guy sticking his hands down your pants**...</rant>

      ** I do realise that there are sys admins out there that (need to) use Intune to control their fleet, and think I'm off the rails. (You would not be the first ;) Then again, think of it, might Intune not be a solution to a self created problem? We can talk for hours over it and get properly drunk. So just as a start: if we would not be cheap arses and not do e.g. BYOD, what would that mean for Intune's justification to exist/ MS peddling it? And why is such security control not in the hands exclusively of the person/ organisation whose security it is to begin with, properly walled off from the rest of the world/ "them"?

    4. Allan George Dyer
      Joke

      Re: What!?

      I was having difficulty remembering a different password for every site, but then I got an anthill, gave each ant a name and used those as passwords. It even works for frequently-changing passwords, the Queen is always laying new eggs.

      For my online banking passwords, I plan to get a beehive, to be more secure.

    5. Dave559 Silver badge

      Re: What!?

      I get the feeling that that part of the article was just lazily pasted straight from a NaffPass press release, since most of the "advice" given seems to be no longer regarded as best practice. I mean, would you trust a tech company that has seemingly never heard of xkcd? (You know where that link goes without even following it…)

    6. bombastic bob Silver badge
      Devil

      Re: What!?

      An alternative: use something familiar followed by a short random sequence.

      KeepassXC generates random pass if you want it. So I'll grab (let's say) 6 random chars, and either prefix or postfix something easy to type that is not easy to guess (let's say my favorite movie character but spelled wrong). So hansolow-{random sequence} then save it to KeePassXC and use either web browser password cache or KeePassXC to keep it.

      For longer stuff like github keys I wrote an open source application with a simple shell script example that lets me store a password in an encrypted file. Then I enter the master pass phrase and it puts the password in the clipboard. Then I can say "git pull" on a private repo, enter anything for the user name, and paste in the password. Pretty simple, reasonably secure.

      In any case if you do not have to remember it, a combination of "CorrectHorseBatteryStaple" approach with a pure random component is probably the easiest way to get a secure password.

    7. JimboSmith Silver badge

      Re: What!?

      Yep, my passwords for work (and there are 3 different ones for three different systems) are 15+ digit strong passwords. I have to change them every 90 days which drives me mad because it’s so unlikely someone will be able to guess them. I don’t use random public WiFi and don’t enter them whilst visible to anyone else. Plus the systems are supposed to and do lock you out after 4 wrong guesses.

      However there is a flip side to that coin, there are people in the organisation who fall for test phishing emails. It’s damned annoying.

  2. Pascal Monett Silver badge

    So there's a new malware framework out there

    Good to know, obviously, but since the bigger problem is all the clueless idiots who will click an attachment without hesitation, I don't see that a new malware framework is a particular cause for alarm.

    You could send them I Love You again and it would work just as well.

  3. Lil Endian Silver badge

    XKCD Rankings?

    Brandon, is 'correcthorsebatterystaple' ranked?

    (I'm not linking it. I'm bloody not! lol)

    1. Greybearded old scrote Silver badge

      Re: XKCD Rankings?

      OK, I will then.

      1. Lil Endian Silver badge

        Re: XKCD Rankings?

        Ah, thanks Gos, that feels better!

        I scanned the linked Nordpass page, couldn't find it there :(

        I thought I'd check with Troy:

        Oh no — pwned! This password has been seen 216 times before

        So it's gaining some ground!

        1. Evil Auditor Silver badge

          Re: XKCD Rankings?

          Only 216 times?

          I'm a bit disappointed and remember the time when we counted the users that took the example from the password directive as their password. In a company of >20,000 employees that was considerably more than 300.

          1. Michael Wojcik Silver badge

            Re: XKCD Rankings?

            I use a randomly-generated password. It's "4".

    2. Anonymous Coward

      Re: XKCD Rankings?

      I tried passphrases for a while but I could never remember what order the words are supposed to be in. Is it correcthorsebatterystaple or correctbatteryhorsestaple? correctstaplehorsebattery? Wait, was it staple or stable? Was it battery or batteries?

      1. Charlie Clark Silver badge

        Re: XKCD Rankings?

        Just use a line from a law, song, poem, etc. They often give you capitalisation for free: "We the People…" then you salt it for the service.

        1. Lazlo Woodbine

          Re: XKCD Rankings?

          That's what I do, initial letters from each word in the first line of a song, substitute symbols and numbers for letters as appropriate.

          You then have a 12+ character password that's all but gibberish, but reasonably easy to remember.

          Just don't pick a song by a band people know is your favourite.

          1. Strahd Ivarius Silver badge
            Devil

            Re: XKCD Rankings?

            "I'm a Barbie Girl, in a Barbie world"

            for example?

            1. John Brown (no body) Silver badge

              Re: XKCD Rankings?

              I suspect he's more of a Cheeky Girls man :-)

              Yes, those who clicked the link, that IS the lyrics and no the record wasn't actually stuck :-)

            2. Charlie Clark Silver badge

              Re: XKCD Rankings?

              Why not? Anything that you can remember easily along with something unique to the service.

        2. PRR Silver badge

          Re: XKCD Rankings?

          > Just use a line from a law, song, poem, etc.

          When I worked with music professors, I sometimes suggested spelling-out the notes of a melody, something they did well. This was in days of 6-letters going to 8 mixed characters, so sharp-sign and time signatures for spice.

          What might REALLY help is exponential delay on error. My first mistake, let me try again in 1 second (faster than my finger). Second mistake, 2 sec. 3rd and 4th screw-ups, 4 and 8 seconds. Four tries in 15 seconds does not hinder a befuddled human, but being choked to 10 tries in >1,024 seconds (>17 minutes) would really take the edge off an over-eager attack-bot. A log-in, or a significant break, could discount or reset the delays so you are not locked-out for eternity.

          1. Charlie Clark Silver badge

            Re: XKCD Rankings?

            scrypt

          2. LybsterRoy Silver badge

            Re: XKCD Rankings?

            -- What might REALLY help is exponential delay on error --

            This is the important change needed not Oauth2 or MFA. Just don't make it easy to have umpteen thousand tries per second.

            Actually there is one other thing that might help - sites that don't actually need it could stop requiring you to login. I have a number of reusable passwords (and email addresses) for such sites some of which I will never visit again after I've bought whatever it is I want.

            1. Michael Wojcik Silver badge

              Re: XKCD Rankings?

              Rate restrictions help with online attacks against a single account. They don't help against multiple accounts in parallel, an attack which was documented in the 1990s; nor do they help with offline attacks. And considering how often large databases of password hashes are leaked, offline attacks are a greater concern.

              Rate restrictions are also difficult to implement for distributed systems where there may be many oracles.

        3. Anonymous Coward

          Re: XKCD Rankings?

          > Just use a line from a law, song, poem, etc.

          Better yet, do that with an accent:

          "Vi, ze Peopel…"

      2. Strahd Ivarius Silver badge
        Trollface

        Re: XKCD Rankings?

        the password I provide to users who don't remember their password (a too common occurrence at work)

        "Itisthe3rdtimethisweekiforgotmypassword!"

  4. Sleep deprived
    Happy

    With a little help from the server

    I heard this story of an old lady with Alzheimer's who'd pick "invalid" as her standard password. This way, when she forgot and attempted something else, the server would reply "Your password is invalid". Thanks.

    1. Dabooka

      Re: With a little help from the server

      You're lacking the joke icon, flaming incoming

    2. dogcatcher

      Re: With a little help from the server

      Being an old git with memory loss I do find 123456 the best password for NHS sites that ask me for random letters from my password, it saves counting on my fingers.

  5. alain williams Silver badge

    Need Javascript to view the list ...

    Did any of you check what that Javascript does ? No, I thought not.

    Just showing a list does NOT need Javascript ... but here is a company that is supposedly in the security business that is encouraging us to accept bad practice. Too many web sites force the use of Javascript for things that can be done without.

    Then they have a password generator, there is an on-line version ... I did not check if it was generated on their server or locally using Javascript. You would be foolish to trust either of them, the generated passwords could be kept by them -- I have not checked, but they could be.

    Maybe I am just showing that I am a grumbling old git.

    1. Lil Endian Silver badge
      Pint

      Maybe I am just showing that I am a grumbling old git.

      Then there're two of us!

      You saved me some typing, cheers!

    2. SsiethAnabuki

      Re: Need Javascript to view the list ...

      Also worth noting that you can post a list without HTML, using plaintext.

      Frankly, at this point, JavaScript is baked in pretty much as soundly as HTML is.

      1. stiine Silver badge
        Unhappy

        Re: Need Javascript to view the list ...

        Unsoundly...

      2. Flocke Kroes Silver badge

        Re: JavaScript is baked in pretty much as soundly as HTML

        Try theregister - it works fine without javascript. Plenty of sites still do and more if you use a browser like lynx that doesn't misbehave with javascript switched off. I came across a site full of people patting each other on the back about how universally popular javascript is because of the results of their online poll - which required javascript - and their discussion board - which required javascript to post. It has been a long time since I checked but I think you can still buy things from Amazon without javascript.

        The only activity I have discovered that you cannot do without javascript is online banking where I can understand the need to maximise the attack surface.

        1. Anonymous Coward

          Re: JavaScript is baked in pretty much as soundly as HTML

          > online banking where I can understand the need to maximise the attack surface.

          Pardon?

        2. Lil Endian Silver badge
          Thumb Up

          lynx

          'nuf said

  6. NightFox

    Re passwords: when a system fails to take into account end-user behaviour (especially after years of compelling evidence), then it's a failing of the system, not the end-user.

    You can't blame humans for inherently behaving like humans. Saying 'well, they shouldn't behave like that' may be a wish, but it shouldn't be a requirement.

    1. Greybearded old scrote Silver badge
      Thumb Up

      Hell yeah.

      Anyone who blames the people (hi Pascal) hasn't read enough Donald Norman.

    2. veti Silver badge
      FAIL

      A while back I had the dubious pleasure of applying for jobs online.

      Basically every employer presents an online application form, which (of course) you have to create an account to log into and use. That's bad enough - suddenly I was faced with coming up with many new, strong passwords, with the inevitable random not-documented rules about complexity etc., every day, and remembering and not reusing all of them, and so on. Totally reasonable, obv.

      But really it's much worse than that. Because a lot of these employers outsource their hosting for these application forms to the same company. Which, obviously, hosts them all on the same freaking server. Sharing the same cookies...

      So logging on to one application could change my password on a completely different one, or worse. Not that there was ever any reason to log in again after completing the form once, so what the fuck did we ever need passwords for in the first place, you CRETINS?

      Sorry, still handling some frustration issues over that.

      Password-based security needs to simply DIAF. It's been broken for at least a quarter of a century. At this point it's pretty clear no-one can fix it.

  7. lglethal Silver badge
    Stop

    How about sites implement basic rate limiting, and brute forcing becomes a non issue! 5 tries and the account is locked. Boom, so long as your password isn't one of the top 5 mentioned by Nordpass, you're clear.

    Or if the site really doesn't like to lock accounts, then after 1 password fail 5 second lockout, 2nd fail, 10 seconds, 3rd - 30 seconds, and so on with an exponential curve. Again brute forcing becomes a non issue after a few tries.

    The whole extra long, complex passwords thing does not massively improve security, if you've implemented basic security against brute forcing.
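    Added example (not from the thread or any commenter): a per-account limiter implementing PRR's exponential delay above (1, 2, 4, 8 seconds, reset on a successful login or after a quiet break) and configurable for lglethal's 5-second start, with passwords stored as salted scrypt hashes since, as the replies note, back-off only slows online guessing and does nothing against offline cracking of a leaked database. The class and function names, the simulated clock and the sample account are constructed for the example.

```python
"""Per-account exponential back-off for login failures, plus salted scrypt storage.

Added example: the schedule (1 s, 2 s, 4 s, 8 s ...) follows the comment thread;
names, the simulated clock and the sample account are constructed, not from any
real system.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def make_record(password: str) -> dict:
    """Store a password as a random salt plus a slow, memory-hard scrypt hash.

    The slow hash is what limits *offline* cracking of a leaked database;
    the back-off below only limits *online* guessing against the live server.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"salt": salt, "hash": digest}


def check_record(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=record["salt"], n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


@dataclass
class AccountState:
    failures: int = 0          # consecutive wrong passwords since the last success/reset
    next_allowed: float = 0.0  # earliest clock time at which a new attempt is accepted
    last_attempt: float = 0.0  # clock time of the most recent attempt, throttled or not


class BackoffLimiter:
    """Multiplies the wait after every wrong password for a given account.

    base_delay=1.0, factor=2.0 gives the 1, 2, 4, 8 ... second schedule from the
    thread; base_delay=5.0 starts at the 5 seconds lglethal suggests.  quiet_period
    is a break without any attempt after which old mistakes are forgotten, so a
    legitimate user who walks away is not locked out 'for eternity'.
    """

    def __init__(self, records, base_delay=1.0, factor=2.0, max_delay=3600.0, quiet_period=None):
        self._records = records  # username -> record from make_record()
        self.base_delay, self.factor, self.max_delay = base_delay, factor, max_delay
        self.quiet_period = quiet_period
        self._state: dict[str, AccountState] = {}

    def delay_after(self, failures: int) -> float:
        """Wait imposed once `failures` consecutive wrong passwords have been seen."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * self.factor ** (failures - 1), self.max_delay)

    def cumulative_lockout(self, failures: int) -> float:
        """Total time spent waiting across `failures` wrong guesses in a row."""
        return sum(self.delay_after(n) for n in range(1, failures + 1))

    def attempt(self, user: str, password: str, now: float):
        """Returns ("ok" | "denied" | "throttled", seconds_to_wait) for one login attempt."""
        st = self._state.setdefault(user, AccountState())
        if self.quiet_period is not None and st.last_attempt and now - st.last_attempt >= self.quiet_period:
            st.failures, st.next_allowed = 0, 0.0  # a significant break discounts old mistakes
        st.last_attempt = now
        if now < st.next_allowed:
            # Still inside the penalty window: the password is not even checked, so
            # hammering the endpoint gains nothing and never starts a quiet period.
            return ("throttled", st.next_allowed - now)
        record = self._records.get(user)
        # Unknown usernames are counted and denied exactly like wrong passwords
        # (a real deployment would also run a dummy hash so response time matches).
        ok = record is not None and check_record(record, password)
        if ok:
            st.failures, st.next_allowed = 0, 0.0  # a successful login resets the delays
            return ("ok", 0.0)
        st.failures += 1
        wait = self.delay_after(st.failures)
        st.next_allowed = now + wait
        return ("denied", wait)
```

Note that the counter is keyed by account only: it does not slow an attacker who spreads guesses across many usernames, nor one who already holds the hash database, which is why the scrypt cost and unique passwords still matter.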

    1. Anonymous Coward

      oh yeah, that'll work....

      Have you not seen the youtube videos of the dumb parent holding an iDevice displaying "incorrect password: 885558585858 seconds until you can try again"

      1. khjohansen

        Re: oh yeah, that'll work....

        *shrugs* ... seems to me to be a self-correcting problem ... >;>

    2. Anonymous Coward Silver badge
      Facepalm

      That's what's called a Denial of Service.

      If I can lock you out of your accounts by simply putting in a few wrong passwords, you'll get pissed off a lot quicker than any hacker will.

      And how do you unlock a locked account? If the answer is to use a second factor (eg SMS), why not do that in the first place?

      [I know that SMS is also vulnerable; it's just an example]

    3. Hawkeye Pierce

      @lglethal

      Brute forcing is most certainly an issue in either of your two solutions. As others have said, if you're locking the account, you've introduced an avenue for a denial of service attack and run the risk of losing all your users because they can't log in. If you do it on a backing-off approach (your second solution) then all I need to do is to cycle through my 000's of potential usernames and by the time I get back to the first, I've spent 5 seconds.

      If you take into account the IP address before blocking/locking, you're not defending against botnets.

      If you don't use (or enforce) long complex passwords, you're open to cracking. Salting passwords is no great defence if you suffer a breach and enough people have short passwords.

      So yes, use of extra long complex passwords does indeed massively improve security. I can pretty much guarantee that my 30-char password is safe providing that the site implements what should be considered basic security even in the event of their database getting breached. I could not say the same to any degree of certainty if my password was say 8 characters no matter how complex it was.

    4. doublelayer Silver badge

      This approach defends against blindly throwing common passwords at it, but little else, and even with that there are problems as other replies have already explained. It does little against password reuse where an attacker obtains credentials from somewhere and tries one or two of them on lots of sites, as a successful access will log them in almost immediately.

      You might respond that this doesn't require basic passwords, and you would sometimes be right, but it still increases the likelihood of an attack. If I use a secure password and the site doesn't properly salt and hash the passwords, I'm still out of luck and shouldn't have reused it, but if I use a simple password, whether the site does or doesn't hash them, they will be crackable from the leaked database quickly enough that they're likely to be used. Don't reuse passwords and don't use "Password" as the password to anything. Not all the high-security constraints are necessary, and enforced changes can be harmful, but the basics are still right.

    5. MJB7

      Re: implement backoff to stop brute forcing

      That works just fine (and is very worthwhile) until the site loses their entire hashed and salted password database. At that point the hackers just point John the Ripper at the db and print out most people's passwords. Then off to try the same password+email on Facebook, gmail, and banking sites -> profit!

      (Actually, these days, banking sites tend to _insist_ on 2FA, so direct profit is a bit more difficult.)

  8. Totally not a Cylon
    Pint

    Appropriate complexity

    Passwords should be of 'appropriate complexity' for the site they're used on.

    ie, logging into a news site which has no payment/address details then why do I need more than a simple password?

    logging into a shopping site with no saved payment details which I might use again then yes a bit more complex but all miscreants would get is my address.

    a shopping site with saved payment details and which I want to use regularly then definitely a secure complex password with 2fa using whatever I choose but not sms.

    Oh and when I've used the password generator built into my Mac and your site responds with 'you can only use letters, numbers and _' expect to be abused.......

    Happy Turkey Hangover day!

    1. matjaggard

      Re: Appropriate complexity

      This is exactly what I thought. Some VPN company pointlessly getting advertising. Shame on the Reg for sharing this. Everyone uses simple passwords for things they don't care about don't they? I get pretty irritated about sites with no data requiring long passwords. I know my passwords for some sites have been pwnd and I'm just fine with it. Go ahead and login, view my zero balance on a gift card, I just don't care.

      1. heyrick Silver badge

        Re: Appropriate complexity

        Yeah, there was a time (long ago) that ARM required you to log in to download the Architecture Reference Manual. Setting up the account, you had to provide a password. Upper case, lower case, symbol, numbers... Just to download a bloody PDF.

        I did some Google-fu and got a copy from a course on a .edu domain. Much less bother.

    2. LybsterRoy Silver badge

      Re: Appropriate complexity

      -- ie, logging into a news site which has no payment/address details then why do I need more than a simple password? --

      You were so near to getting it right - I'll help.....

      ie, logging into a news site which has no payment/address details then why do I need a password?

      In fact - why do I need to log in?

  9. Mark.J.H.Larsen

    Correct numbers

    Hi Brandon

    Was surfing the net to make a shortlist of the most common passwords, and found your article posted recently.

    I was checking multiple places to get a more precise list, so this was one of them.

    You link to "list of the most common passwords" however the list that is downloadable as PDF only contains passwords until 2021.

    The passwords I already found - and have cross-checked with haveibeenpwned - give some completely different numbers.

    Passwords I found and their counts:

    123456 37.509.543

    password 9.636.205

    Password and count according to the page you have linked to:

    password 4.929.113

    123456 1.523.537

    Some sources would be nice :)

    Hope you forgive my ranting :)

    Good article though - raising awareness of the importance of good passwords is always needed.

    1. Antron Argaiv Silver badge
      Thumb Up

      Re: Correct numbers

      Obligatory:

      https://www.datagenetics.com/blog/september32012/

  10. Dave314159ggggdffsdds Silver badge

    Most passwords are for stuff that doesn't need a proper password, throwaway accounts, and so-on. So people rightly use things that are not strong passwords.

    The real problem isn't users making poor choices, but the insistence on inappropriate faux-security measures.

    1. stiine Silver badge

      I upvoted you, but will counter your argument with the statement that I use a password generator for every site, no matter how trivial and unimportant.

      1. Yet Another Anonymous coward Silver badge

        So when you need to login to a HARDWARE maker's site in order to download a driver update (why ?) - you open up the password manager with all your banking passwords in it ?

        Sounds like it would be more secure for me to just use "passwd" or my preferred "fsckoff"

        1. Flocke Kroes Silver badge

          Try account 'username' with 'password'. Quite often someone has already created that account and if not you can create it so the next person does not have to make up stupid answers for the five page privacy invading questionnaire.

        2. Anonymous Coward

          I just click "forgot my password" and wait for the mail for resetting it with a random value that I will not store, doing it again and again...

          1. yetanotheraoc Silver badge

            changeme

            Second-hand story. Two more-or-less "IT" guys are discussing passwords, 1st IT guy says, "I just use the same one they issued me back in university." 2nd IT guy "What's that?" 1st IT guy "changeme". (Double fail for blurting out his stupid _lifetime_ password.)

            Not changing the emailed temporary password means the still-valid password is now saved in plain-text on multiple email relays.

            I wonder why the hackers don't just set up an email relay, attack the route, and once they start forwarding the emails they can issue the reset requests themselves. This is where SMS, while not true 2FA, would be a deterrent.

            1. Anonymous Coward

              Re: changeme

              > Double fail for blurting out his stupid _lifetime_ password

              At a previous place of employment of mine I once spoke "a well known password" aloud.

              First and only time. I wasn't physically assaulted, but it came really close (no exaggeration).

            2. stungebag

              Re: changeme

              When I worked in schools' IT about ten years ago most people had systems provided by RM. Most still had the default admin password of changeme.

              1. Anonymous Coward

                Re: changeme

                default superuser

                login... supersuper

                password... great

                (yes, it had been left as default!)

    2. Lil Endian Silver badge
      Pint

      When I moved back to UK from Belgium I wanted to mail order some beer from BE.

      I created an account at a vendor. The welcoming email contained my new password, in plain text of course, as a convenient reminder [1]. Thinking I'd give the vendor some free advice, I mailed them about the inappropriateness of this. No response email, just account closed.

      So now I brew my own tripels!

      Ooh, there's one now! -->

      [1] I may have had a wayward youth, but I reckon I can remember my new password for 60 seconds!

  11. Anonymous Coward

    Stupid admins and their stupid ersatz "security"

    It's been known for many decades that user selected pass phrases work really well and that passwords fail miserably. So when I see admin (site / network) demands a "strong" password I just use the same default "strong" password. Which is written down. F*ck 'em. Forced change of password regularly, then it's F*ck 'em 01, F*ck 'em 02... as it's obvious they know damn all about security and I will always assume the network / site is not secure. There will be a hardware firewall between me and them and on an internal network their network will be flagged as Insecure as Cafe Wifi..

    For anything that needs actual security I always use pass phrases of three or more words. And for third party generated passwords/pins I wrote a very handy app that uses security through infuriating misdirection to store the pins / passwords in question. As for passwords that have to be ultra secure nothing beats at least four or five lines of assembly language. In hex. Been using that for decades. I have used binary octal on occasion. Try finding that in any a/c cracking dictionary...

    1. Dave K

      Re: Stupid admins and their stupid ersatz "security"

      Or for throwaway accounts that require this, you just start every password with the same symbol and number, then capitalise the first letter. Doesn't take any extra effort to learn and passes the "is it secure" test for an account I really never wanted to create in the first place.

      Of course for everything else, I use a password generator these days. As a result, I couldn't tell you what 99% of my passwords are.

  12. Norman Nescio Silver badge

    Salting?

    How about having a salt that you memorise, which meets the rules requiring a complex password, which is the same for all sites, and a separate simple password for each site that you write down on a handy card you keep in your wallet.

    So: memorised salt using a trusted password generator or diceware e.g.: 7pQ>F9oA

    Bank: 31HighSt

    banking password is: 7pQ>F9oA31HighSt or 31HighSt7pQ>F9oA or 7pQ>31HighStF9oA

    It seems to meet the requirements for having a different compliant password for each site, while not needing memorisation of lots of 'line noise' passwords.

    Of course, it falls foul of many places that set an unreasonably low maximum number of characters in the password, and you really have to keep the salt secret.

    Is this a bad idea?

    1. Anonymous Coward

      Re: Salting?

      First off, that's not really a salt. That's you amending what you chose your password to be.

      Is it a bad idea? Well it depends on your assessment of the threat to you. If your bank gets breached and your password cracked, or a keylogger gets installed on your device, and I obtain the fact that your password is 7pQ>F9oA31HighSt for the site 31HighSt, guess what password I'm going to try for you on Twitter?

      Seriously, randomly generated, complex, unique to each site, passwords are what should be used - along with a reputable password manager to store them in, use of which makes it easier and safer than all other options short of remembering each of those unique, randomly generated, long passwords.

      1. Norman Nescio Silver badge

        Re: Salting?

        You are quite right, it's not a salt, but it has much the same effect.

        As for password cracking, the point of having a high-entropy 'salt' is to make password cracking hard - ideally practically impossible.

        But, you have a Very Good Point about keyloggers. Which makes me glum. But, on the other hand, thank you for giving a considered reply, and this is the advantage of having a civilised debate - other participants can point out things you didn't know, have forgotten, or otherwise omitted. You have an upvote from me.

        1. yetanotheraoc Silver badge

          Re: Salting?

          The other issue with your embedded pattern is when you are required to change your password, you either have to change the 31HighSt, or you have to change the embedded pattern. Given enough time your passwords become just as difficult to remember as random ones. Might as well start with random ones and use a password manager.

          I used to look at the plain-text login .log for a badly coded business application: timestamp, username=plaintext, password=********. Amusingly, it was trivial to get scads of valid passwords out of it, because more than half the time they would put their password in the username field on the first attempt, so you had an invalid login showing the password and five seconds later a valid login showing the username.

          Almost everybody had a simple word followed by a single digit which they would increment by one for each required password change. Foolproof!

          1. Norman Nescio Silver badge

            Re: Salting?

            Have an upvote for pointing out another genuine flaw in my idea (which no doubt many others have had before).

            As for the logging: it shows why one should not blindly log the offered username. Ideally, one should be logging the fact that an invalid username was offered, not what the invalid username was. You can log the username used once it has been checked and shown to exist in the database of valid/authorised users: for the obvious reason you point out.

            Doing so does make it slightly more difficult to see if someone is cycling through possible usernames trying to break in, but there are other ways of doing that.

            1. heyrick Silver badge

              Re: Salting?

              Logging of user names can be useful to see if somebody outside is fishing for a potential contact. I mean, you know something is up if you look down the list of failed logins and see: JSmith, J.Smith, JohnS, JohnSmith, John.Smith, Smith.John (etc).

              It's not the software's fault if the users put their password in the wrong place (though you would have thought that it might have been a clue that the characters didn't turn to dots?).

              1. yetanotheraoc Silver badge

                Re: Salting?

                It would have been a clue if they had been looking at the dialog! Touch typists already looking at their paperwork for the unique id that has to go into the search form. Most of the business applications automatically populated the username, this was one of the two that didn't.

  13. Mike 137 Silver badge

    The fundamental problems

    Problem 1: Nobody explains to users what passwords are really for (to keep others out, not let the user in) or why the password rules supposedly create adequate passwords, so the rules seem arbitrary and smart folks find ways to circumvent the arbitrary.

    Problem 2: most password rules I've encountered are a load of excrement, as they don't ensure reasonably adequate passwords but merely create problems for users, who therefore find ways to circumvent the rules.

    Problem 3: Nobody makes clear what the real threats against passwords are, or what controls (and whose responsibilities) are needed to counter each of them. Consequently, the user is made solely responsible for protecting against all the threats despite not being equipped or informed enough to do so.

    Problem 4: we should stop calling them passwords as non-technical folks (not surprisingly) take that literally.

    There are likely a few more, but these cry out for fixing, and it could be quite easy if we stopped repeating mantras and informed ourselves and our users properly.

  14. Alumoi Silver badge

    It's also essential to not reuse passwords on different accounts

    Why?

    If I don't share my info with the site or I share some fake info, I really don't care if they sell my data..., erm, sorry, they suffer a security breach. So it's always spam@mydomain and fuckoff (mixing capital letters, numbers and special characters if required).

  15. spireite Silver badge
    Facepalm

    Don't need a difficult password when I have activated......

    ...MFA on my phone.

    That was a serious answer I had once when I asked a simpleton, sorry - colleague - why they had a really easy to guess password.....

  16. Dizzy Dwarf

    I once ...

    Watched the super bowl as a student, so I thought it would be a good idea to go to the lab and change my password to cincinatty.

    I can't even spell sinsinnati sober.

  17. Anonymous Coward

    A unique memorable password?

    Simplified I use for sites that aren't financial or critical something like:

    W@rd1234*56an#ther

    Where the @ is the third letter of the website and # is the 2nd letter

    The actual number is one I've memorised.

    So a unique password for every website.

    If a human was trying to crack it they probably could especially if they had my password for two websites
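Both the "Salting?" scheme earlier in the thread (memorised secret glued to a per-site token) and the site-letter substitution scheme in this comment share the weakness the Anonymous Coward pointed out: the memorised part is carried verbatim into every password, so two leaked passwords for the same account holder reveal it. The example below is added for this page and is not any commenter's code. It takes the thread's own sample values, shows an attacker recovering the shared secret from two leaks with a longest-common-substring pass, and contrasts that with an assumed alternative not proposed in the thread: deriving each site's password as HMAC-SHA256(secret, site name), which is one-way so leaked passwords share nothing recoverable. The secret, site names and tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed values; the secret is the sample from the "Salting?" comment,
# not anyone's real credential.
MEMORISED_SECRET = "7pQ>F9oA"
SITE_TOKENS = {"bank": "31HighSt", "twitter": "BlueBird", "news": "Reg1ster"}


def concat_password(secret: str, site_token: str) -> str:
    """The thread's scheme: memorised secret + per-site token."""
    return secret + site_token


def longest_common_substring(a: str, b: str) -> str:
    """Standard dynamic-programming LCS. This is what an attacker runs over
    two leaked passwords that credential dumps attribute to the same email."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def derived_password(secret: str, site: str, length: int = 16) -> str:
    """Assumed alternative: keyed one-way derivation per site.

    HMAC-SHA256 under the memorised secret, base64-encoded and truncated to
    `length` characters. Recovering `secret` from one or many outputs is a
    preimage problem, not string surgery."""
    tag = hmac.new(secret.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode()[:length]


def recover_from_two_leaks(pw_site_a: str, pw_site_b: str) -> str:
    """Attacker view: the longest run the two leaked passwords share."""
    return longest_common_substring(pw_site_a, pw_site_b)


def compare_schemes() -> dict:
    """Run both schemes over two of the constructed sites and report what an
    attacker holding both leaked passwords learns in each case."""
    concat_leak = recover_from_two_leaks(
        concat_password(MEMORISED_SECRET, SITE_TOKENS["bank"]),
        concat_password(MEMORISED_SECRET, SITE_TOKENS["twitter"]),
    )
    derived_leak = recover_from_two_leaks(
        derived_password(MEMORISED_SECRET, "bank"),
        derived_password(MEMORISED_SECRET, "twitter"),
    )
    return {"concat_shared": concat_leak, "derived_shared": derived_leak}


if __name__ == "__main__":
    print(compare_schemes())
```

The derived variant still has the limitations raised in the thread: a keylogger captures the secret as it is typed, a site that caps password length or bans `+` and `/` needs a different encoding, and rotating one site's password means either changing the secret everywhere or adding a per-site counter to the HMAC input. Those are the same trade-offs a deterministic password manager makes, and the reason the earlier reply's advice (random per-site passwords in a reputable manager) remains the simpler default.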

  18. 桜沢墨

    How to avoid getting hacked...

    Don't use a password manager that knows what your passwords are? I wouldn't touch a proprietary password manager like Nordpass with a 20 foot pole.

    Maybe they got their data from somewhere else but seriously, don't use proprietary software for some of the most sensitive material on your computer.

    1. Yet Another Anonymous coward Silver badge

      Re: How to avoid getting hacked...

      Real programmers write(*) their own password manager - after reading Bruce's Applied Crypto book

      (using a compiler they wrote themselves on an operating system they created)

      1. harmjschoonhoven

        Re: How to avoid getting hacked...

        At t(now) seconds and XOR(history)&0x00ff your passwords are:

        DWM#1ED106Mp

        Cwn=4Nv106Xs

        Cqc/2Qx908MX

        sva/8Tr352QC

        mqU+0Vc126GQ

        Nmc=7dN525RA

        wMA;2ZB649sT

        WFP_5eP925fq

        Dqx/1ZB285AF

        ceD/3LH827mw

        VhE+2BR588vF

        Ctm=3By593tQ

        Mmy/3Wm845XH

        eCs#9sT534Vr

        NGR=8gT549FA

        kva*1MP222WH

        SrY@7KH450tW

        RAT=9qT351zA

        BEk/3eM457SF

        EYn_4xP380cm

        ; sleep(2)

      2. Anonymous Coward

        Re: ...done all three, but not at the same time

        Wrote my own password hint app. Wrote commercial compilers. And have written OS'es (long story)..

        But password hint manager app written on Android. But not the custom one I once had to build from the AOSP source. Did use JNI.

        But would never use anything in the Schneier book. If you know the background history of the subject none of the interesting stuff is in any book published in Five Eyes countries. And yes, I have worked on stuff covered by Title 15..

        So yes, I am a real programmer.

    2. 桜沢墨

      Re: How to avoid getting hacked...

      Er, that LEAKS your passwords.

  19. bubblegun23
    Mushroom

    Terrible password policy

    I joined Virgin Media recently.

    Apart from being appalled at there being no IPv6 network at all, their password policy is a joke for their website.

    They have a character limit of 8 characters and only allowed numbers and letters. Cracked in an hour, anyone?

    There doesn't seem to be MFA either.

    Hope there's nothing they want to protect there.

    1. Anonymous Coward

      Re: Terrible password policy

      created a new login with password based on the site's criteria... success... it 'logs me out' and presents me with a login prompt... enter username and password just created...

      'username or password invalid'

      turned out that the criteria for creating a password was different from the criteria for validating a password at login and my valid password was invalid

  20. myithingwontcharge

    What in the space....?

    12345? That's amazing, I've got the same combination on my luggage!

  21. captain veg Silver badge

    the password is password

    I do this regularly.

    Our email BOFHs prohibit executable attachments. Compressing them with 7z and "a" password does the trick.

    -A.

  22. Ideasource Bronze badge

    Alternatively

    Fashion your life as if to expect your passwords to be cracked.

    Anything you need to keep secret don't ever write down or tell anybody.

    And always maintain multiple alternative methodologies to maintain your physical existence that don't rely on the convenience of temporary secrecy.

    If someone wants your data access bad enough they will get it. Even if they have to kidnap you and torture you to take it.

    Better to not be a Target in the first place

  23. Bbuckley

    thisISn0TmYpaSSW0RD

  24. Potemkine! Silver badge

    Better make a long understandable password you may remember than a shorter one using symbols and numbers.

    When an app or a site refuses my 20-letter password as being insecure because there's no symbol in it, I tend to think that developer is an idiot.

    And +1 for saying that having to change a password regularly is totally stupid. It is indeed. I can't understand how some continue to propagate that nonsense.

    == Bring us Dabbsy back! ==

  25. SotarrTheWizard
    Trollface

    I noticed that "ChuckNorris" isn't on the list. . .

    . . . .simply because **everyone** knows you can't beat Chuck Norris. . . (grin)

    (And yes, I know the story of how Facebook, in the early years, used a munged version of Chuck Norris as their main internal password. . . )
