
Yep, People Are Still Using '123456' and 'Password' As Passwords In 2014

Soulskill posted about 7 months ago | from the get-a-password-manager-for-pete's-sake dept.

Security 276

Nerval's Lobster writes "Earlier this week, SplashData released its annual list of the 25 most common passwords used on the Internet — and no surprise, most are so blindingly obvious it's a shock that people still rely on them to protect their data: '12345,' 'password,' 'qwerty,' '11111,' and worse. There were some interesting quirks in the dataset, however. Following a massive security breach in late 2013, a large amount of Adobe users' passwords leaked onto the broader Web; many of those users based their password on either 'Adobe' or 'Photoshop,' which are terms (along with the ever-popular 'password') easily discoverable using today's hacker tools. 'Seeing passwords like "adobe123" and "photoshop" on this list offers a good reminder not to base your password on the name of the website or application you are accessing,' Morgan Slain, CEO of SplashData, wrote in a statement. Slashdotters have known for years that while it's always tempting to create a password that's easy to remember — especially if you maintain profiles on multiple online services — the consequences of an attacker breaking into your accounts are potentially devastating."

276 comments

On the contrary: (4, Insightful)

iroll (717924) | about 7 months ago | (#46040361)

If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.

Re:On the contrary: (4, Insightful)

Anonymous Coward | about 7 months ago | (#46040445)

Except now they know your email address and the fact you use the name of the company in your password...

Re:On the contrary: (1)

Algae_94 (2017070) | about 7 months ago | (#46041053)

They actually only know your email and that your Adobe password was 'Adobe123'. That might indicate that you reuse that password pattern, but you might not.

rubber-necker woot-woot (2)

epine (68316) | about 7 months ago | (#46041365)

They actually only know your email and that your Adobe password was 'Adobe123'. That might indicate that you reuse that password pattern, but you might not.

Trust me, the NSA uses statistics and not fuzzy logic. Trust me, in the general case, it's an entropy leak. As someone with apg-generated unique passwords for every place I visit (as short as 10 characters if I really don't give a shit) I might have one such password in my portfolio, but it would be a joke, a highly self-conscious joke. It's still an entropy leak. I'm sure the NSA has a special folder for people with my sense of humour.

Now to trash on the story summary.

and worse

And worse than "password"? Oh, please. In the most contrived example, you might find a way. But generally, "password" has a death grip on most worstest. Just couldn't resist tacking on the rubber-necker woot-woot, could you?

completely agree (1)

Anonymous Coward | about 7 months ago | (#46040467)

A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

Now Slashdot, my password for that is important, it's *************8**

Re:completely agree (0)

Anonymous Coward | about 7 months ago | (#46040619)

A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

Now Slashdot, my password for that is important, it's *************8**

Way tougher than my slashdot password.

Re:completely agree (5, Funny)

The Grim Reefer (1162755) | about 7 months ago | (#46040689)

A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

Now Slashdot, my password for that is important, it's *************8**

Is that 12 or 13 stars before the 8? I keep trying to log in as Anonymous Coward with the password you provided and it's not working. Or does the 8 need to be capitalized?

Re:completely agree (0)

Anonymous Coward | about 7 months ago | (#46041065)

A site like Adobe, if I had to have an account there for some reason, would have no relationship to other accounts, would need no particular security because it would be unimportant, and even remembering a password would be too much bother.

Now Slashdot, my password for that is important, it's *************8**

Is that 12 or 13 stars before the 8? I keep trying to log in as Anonymous Coward with the password you provided and it's not working. Or does the 8 need to be capitalized?

Yes, the 8 must be capitalized. Some of the stars need to be capitalized as well, but I won't tell you which ones.

Re:completely agree (1)

maxwell demon (590494) | about 7 months ago | (#46041203)

I'd guess it's the female stars.

Re:On the contrary: (5, Funny)

Anonymous Coward | about 7 months ago | (#46040477)

Unless I, as the criminal mastermind that I am, decide to try 'Facebook123', 'Chase123', etc, etc.

Re:On the contrary: (1)

The Grim Reefer (1162755) | about 7 months ago | (#46040701)

Unless I, as the criminal mastermind that I am, decide to try 'Facebook123', 'Chase123', etc, etc.

You must have a fluffy white cat too.

Re:On the contrary: (5, Insightful)

Anonymous Coward | about 7 months ago | (#46040919)

Won't work. People would use a blank password if the websites which require registration to download something free or access a support forum allowed it. So what do you start with? Name of the company. Nope, has to have letters AND numbers. So adobe123. That's a password which says "I don't give a fuck. I'm not even going to use this account again. Just let me download this file." It does not mean that people use the same scheme for passwords to sites where a hacked account could actually do them some harm. Anyway, remember how we know what passwords people use: The companies which demand ever more complex passwords don't properly secure them and lose them, in cleartext form! How can you expect users to care when not even the companies whose business depends on customers' trust care?

Re:On the contrary: (1)

Anonymous Coward | about 7 months ago | (#46040519)

Isn't Adobe123 a little better than simply 123? How about using Adobe with 20 extra character (difficult) password on the end?

Re:On the contrary: (5, Insightful)

Desler (1608317) | about 7 months ago | (#46040533)

And strong passwords are meaningless if the company is storing them in a really stupid way such that they can be recovered in plain text by an attacker. At that point, adobe123 is no less secure than a 64-character randomly-generated password.

Re:On the contrary: (3, Insightful)

ackthpt (218170) | about 7 months ago | (#46040749)

If your password for Adobe is Adobe123, and Adobe leaks your password (AGAIN), nobody is going to be getting into your email, or your facebook account, or your bank account, etc., etc.

Even if the user is stupid, it's not like the site author couldn't dedicate a few minutes to code evaluation of the password and tell the user 'Not good enough, not even secure in the least, do you want to see a picture of people who think that password is secure?' and display some of those Faces of Meth people.

even this lolcat is smarter than you

Re:On the contrary: (3, Informative)

Desler (1608317) | about 7 months ago | (#46040799)

And yet when an attacker can recover their plaintext password it doesn't really matter how "secure" the password was. I could have the strongest, most random password possible but if an attacker can steal it from you in plaintext, so what?

Re:On the contrary: (1)

ackthpt (218170) | about 7 months ago | (#46041233)

And yet when an attacker can recover their plaintext password it doesn't really matter how "secure" the password was. I could have the strongest, most random password possible but if an attacker can steal it from you in plaintext, so what?

Indeed. I keep waiting for retina scan or DNA analysis, but it hasn't happened, yet.

and when it does the NSA will store all of that, too

Re:On the contrary: (5, Insightful)

brunes69 (86786) | about 7 months ago | (#46041245)

You are missing the point. Adobe.com should not be telling me my password is insecure. Adobe.com should not be asking me for passwords in the first place, because the idea that I should need a separate password for Adobe.com is stupid. Implement OpenID properly and allow people to log in with an already existing identity. The biggest problem with passwords on the internet is every single mom and pop website thinks they need to have their own login and authentication mechanism when in reality all they need is a way to confirm an identity. My nirvana is every single website in existence allows me to log in with my OpenID account, which is nice and secure and has two factor authentication. Then I only have ONE password to remember.

There is absolutely no reason the internet could not work this way if site admins would get their heads out of their asses and stop rolling their own authentication schemes, because between Google, Yahoo, Twitter, Facebook, and other 3rd parties, every web user already HAS an OpenID capable login.

Re:On the contrary: (1)

Anonymous Coward | about 7 months ago | (#46041369)

Why anyone would trust Adobe with security is amazing. Only the Java web plugin and IE6 can hold a candle to the security fails of Flash and Acrobat Reader.

Re:On the contrary: (3, Insightful)

brainboyz (114458) | about 7 months ago | (#46041381)

And forcing everyone to use one is just as bad. I don't want any of those sites authenticating me everywhere I go. One more way to tie your life together online.

Re:On the contrary: (0)

Anonymous Coward | about 7 months ago | (#46041373)

I'd argue against that from a perspective of assigning blame. If the site gets hacked and Louis User loses a billion dollars through having his password compromised, the site would probably be considered more liable for his loss if he could testify "I tried my first five favorite passwords and the site said they were weak. But when I tried password123456, the site didn't say it wasn't weak!"

Re:On the contrary: (0)

Anonymous Coward | about 7 months ago | (#46041431)

When I sign up to post comments on Gawker or another site that has been owned in the past, why would I care about having a secure (beyond the minimum of security) password? If anything, I would just want to use a throw-away that protects the accounts that I actually want to secure.

On top of that, any site author that requires actual security (like my bank) should spend those few minutes to put together two-factor access, which is infinitely more secure than PaSS$$Werd12 anyways.

put this in your trove (-1)

Anonymous Coward | about 7 months ago | (#46040371)

https://www.youtube.com/results?search_query=hitler%20zion&sm=3 & curate it

Maybe people don't care (4, Interesting)

timeOday (582209) | about 7 months ago | (#46040395)

Many of the accounts you are forced to create nowadays are for the benefit of whoever wants to track you, not for your own benefit. When I was forced to sign up for an Apple Developer or iTunes Store account to get software updates for my MacBook I hoped there would be a pool of shared profiles people had set up for anybody to re-use, but not finding them I assume Apple detects and de-activates them.

Re:Maybe people don't care (5, Insightful)

khasim (1285) | about 7 months ago | (#46040475)

My simple process for this is that if the site does not have my credit card info or even my name then I don't care what the password is.

And I don't care if your site is cracked and my 12345 password is revealed. All they're going to get is the cat's name and a birthdate of 1900-01-01.

Re:Maybe people don't care (1)

dejanc (1528235) | about 7 months ago | (#46040679)

Ditto.

So many sites nowadays require you to register so I use throwaway emails in combination with throwaway passwords. E.g. if I want to try out Trove (that was mentioned in a previous article), I really don't want to put in more than a few seconds thought into it, so my email will be trove@domain-which-i-use-to-collect-spam.com and password probably something along the lines of asdf1234. If I find the service useful, Firefox will remember my email and password for login and/or I'll be able to recover the password using their system. If, more likely, I forget about them, I don't care if my credentials get compromised.

Re:Maybe people don't care (1)

Anonymous Coward | about 7 months ago | (#46040687)

I think you must be the oldest person on Slashdot!

What's your secret?

Re:Maybe people don't care (1)

maxwell demon (590494) | about 7 months ago | (#46040849)

Ah, so that's what I have to enter at the password reset question "what is your cat's name?" ;-)

Re:Maybe people don't care (1)

zlives (2009072) | about 7 months ago | (#46041161)

hey!! we share a birthdate

qwerty? (4, Funny)

slapout (93640) | about 7 months ago | (#46040401)

I knew it was a good idea to change my password to 'dvorak'.

"it's a shock" (5, Insightful)

neminem (561346) | about 7 months ago | (#46040415)

Quoth, "It's a shock that people still rely on them to protect their data".

Important fact that many of these studies miss: not everybody cares about their data, and not all data is the same. Anyone using a password like this to protect their bank account, or their email address (that they use to send forgotten password requests from their bank account) deserves to have their money stolen.

On the other hand, anyone who uses a password like this to protect the fact that they once logged into some random crappy site that they joined to post one comment, and which they have subsequently never used again and have forgotten about, deserves... absolutely nothing bad to happen to them as a result. Who cares if someone gets their password to some random crappy site? I certainly don't. It would be a much worse idea to use a more secure password to those throwaway sites, because then you'd be tempted to use the same password you used on more secure sites you actually cared about.

There are probably a lot of passwords to throwaway sites like that in any database of stolen passwords, specifically because people are more likely to use better passwords on the sorts of sites that are also (I certainly hope!) less likely to get all their passwords leaked.

Re:"it's a shock" (4, Insightful)

lgw (121541) | about 7 months ago | (#46040783)

Anyone using a password like this to protect their bank account, or their email address (that they use to send forgotten password requests from their bank account) deserves to have their money stolen.

No one deserves to have their money stolen. The concept you're looking for is "responsibility". Anyone using an easy password for a bank account is irresponsible, but if they get their money stolen what they deserve is our compassion.

Currently banks seem to be proud of the level of fraud protection they offer customers, perhaps even competing on that basis. That's a good thing. Not everyone is capable of remembering a complex password, after all.

Re:"it's a shock" (1)

grnbrg (140964) | about 7 months ago | (#46040897)

This.

I've probably contributed a "Mr. Test Testuser, 123 Main St, Somewhere, CA, 90210" password 1234 once or twice a year for the last decade....

Re:"it's a shock" (1)

neminem (561346) | about 7 months ago | (#46041079)

Heh. I tend to use my real name everywhere that asks for my name, regardless of temporary-ness, because who cares if they have my name, and it's jarring seeing someone else's name (plus, maybe you do want to be able to prove that you're yourself for something later. It's difficult to prove you're yourself if you claim to be Mr ASDF ASDF in account creation.)

I do enjoy giving fake addresses, though. I generally claim to live on 666 Hell St. (Every once in a blue moon a site will inform me that there isn't actually a 666 Hell St, Texas, or at the very least that the area code isn't a Texas zip code (I'm way too lazy to look up actual Texas zip codes), but that's pretty rare.)

Re:"it's a shock" (1)

Anonymous Coward | about 7 months ago | (#46041321)

I do enjoy giving fake addresses, though. I generally claim to live on 666 Hell St. (Every once in a blue moon a site will inform me that there isn't actually a 666 Hell St, Texas, or at the very least that the area code isn't a Texas zip code (I'm way too lazy to look up actual Texas zip codes), but that's pretty rare.)

That's why I know 10101 is a zip code in New York. It's the first made up zip code I found that worked. Then some site told me my state was wrong, so I looked it up. So far no one has ever given me problems with a fake street name.

Password Evolution (5, Funny)

thevirtualcat (1071504) | about 7 months ago | (#46040423)

Create a password: password

Everyone is using "password." We need to stop that.

Create a password containing both letters and numbers: password1

Everyone is using "password1." We need to stop that.

Create a password containing numbers and both capital and lowercase letters: Password1

Everyone is using "Password1." We need to stop that.

Create a password containing numbers, both capital and lowercase letters and a special symbol: Password1!

And so it goes.

Re:Password Evolution (1)

Mashiki (184564) | about 7 months ago | (#46040523)

It would probably be easier if we let people use nonsensical pass-phrases instead of continuing to make it more difficult. I could walk around any government office, or business and probably find 90% of the passwords in no time. With that they'd be some form of incomprehensible gibberish that no one could remember unless they were using it for everything.

Re:Password Evolution (0)

Anonymous Coward | about 7 months ago | (#46041351)

so: we have either pwd that is easy to remember and guess and password that is difficult to crack and to remember and consequently is written somewhere on a yellow sticker. I use a special application for that but it is not better really as I keep a backup of the db and password written in special secret place (on yellow sticker) of course. There is no really good way to get over this - you have to relate to physical objects not accessible from the tubes but then they can get stolen physically. A HW token that reads your iris for instance?

Re:Password Evolution (1)

Anonymous Coward | about 7 months ago | (#46040727)

I've even seen p@ssw0rd used on production systems... there aren't enough hours in the day to clean up all of the security nightmares before they compound further.

Re:Password Evolution (3, Insightful)

Anonymous Coward | about 7 months ago | (#46040767)

I don't understand what it being 2014 has to do with anything. Do we expect humanity to get smarter about passwords every year?

Re:Password Evolution (4, Funny)

TheloniousToady (3343045) | about 7 months ago | (#46040935)

I don't understand what it being 2014 has to do with anything. Do we expect humanity to get smarter about passwords every year?

No, we expect people to be using "2014" in passwords.

Re:Password Evolution (0)

Anonymous Coward | about 7 months ago | (#46040781)

Here's what you do then. Get an extra box, and every now and then feed it a copy of your triple-salted SHA-65536-encrypted passwords. Have the box continuously try to brute-force passwords, and every time it gets one, make that user reset their password.

Re:Password Evolution (1)

Anonymous Coward | about 7 months ago | (#46040803)

The thing is, we don't actually know the extent of the problem, at least not based on TFA. They don't attach "percent of all passwords" to each rank. So let's imagine a scenario:

In 2010, the most common password is "password." Let's say it accounts for 20% of all passwords. Security experts start making headlines saying "this is terrible!" and people actually start to listen.

In 2014, let's say 0.1% of all passwords are "password", and 0.9% are split up between other obvious passwords, but then 99% of the rest are unique, high-entropy passwords. Sure, maybe we'll find overlap, birthday paradox and all that. The bottom line is, the situation is way better.

Now, is that actually the case? I have no idea. I'm not seeing real percentages attached. But the very nature of "good" and "bad" passwords is such that the most common passwords are always going to be the worst passwords.

Re:Password Evolution (4, Informative)

ackthpt (218170) | about 7 months ago | (#46040821)

Create a password: password

Everyone is using "password." We need to stop that.

Create a password containing both letters and numbers: password1

Everyone is using "password1." We need to stop that.

Create a password containing numbers and both capital and lowercase letters: Password1

Everyone is using "Password1." We need to stop that.

Create a password containing numbers, both capital and lowercase letters and a special symbol: Password1!

And so it goes.

I was on an information system a few years back, if it didn't like your password, you couldn't use it and had to choose something more arcane. The downside of that is really nasty passwords, with changes of case, numbers and symbols end up written on Post-it notes and stuck on the fronts of computers.

Re:Password Evolution (1)

mark-t (151149) | about 7 months ago | (#46041045)

How about "Create a mixed-case password at least 8 characters long, having at least one upper case letter that is not in the initial position, at least one lower case letter, and at least one digit and one special symbol that are not in either of the final two positions, and which contains no English word that is more than 4 characters"?

Re:Password Evolution (2)

CrimsonAvenger (580665) | about 7 months ago | (#46041423)

Well, the constraints you put on the upper case letters, numbers, and special symbols should make it somewhat easier to brute force that password.

Re:Password Evolution (0)

Anonymous Coward | about 7 months ago | (#46041119)

Avoid the stupid numbering of "password" altogether and use my favorite password "assword."

Why? (0)

Anonymous Coward | about 7 months ago | (#46040429)

Because you can't fix stupid and you can't fight indifference. Neither one dares and battling that is like pushing string.

12345? (0)

Anonymous Coward | about 7 months ago | (#46040433)

That's the same combination that luggage jokes use.

No surprise (4, Insightful)

Dan East (318230) | about 7 months ago | (#46040437)

Considering the internet is still used by the same set of people from 2013, and 2012, and 2011, etc, it shouldn't be surprising they're using the same kinds of crappy passwords.

Re:No surprise (1)

maxwell demon (590494) | about 7 months ago | (#46041117)

Considering the internet is still used by the same set of people from 2013, and 2012, and 2011, etc

I strongly doubt that. I'm pretty sure that some people started using the internet in 2014, and some stopped using it in 2013.
The sets certainly will have a very large overlap, but it's definitely not the same set.

I would have thought.... (1)

mark-t (151149) | about 7 months ago | (#46040461)

...that the decision to use such a password (or perhaps more correctly, the lack of a decision to utilize a good password) would usually just be a response to either a necessity or else a merely common convention of having one in a given context, and not out of any expectation that it actually offer any real protection for anything.

Oblig XKCD (0)

Anonymous Coward | about 7 months ago | (#46040463)

http://xkcd.com/936/

Obligatory: I can memorize two dozen different randomly generated 20 char passwords and you can too

Obligatory: XKCD's solution is so insecure, anybody can crack his code using brute force

Re:Oblig XKCD (2)

sunderland56 (621843) | about 7 months ago | (#46040573)

*Anyone* can crack *any* password using brute force: https://xkcd.com/538/ [xkcd.com]

Re:Oblig XKCD (1)

Obfuscant (592200) | about 7 months ago | (#46040909)

*Anyone* can crack *any* password using brute force

Only if they're using the correct character space. I use lots of upside down and flipped left-right characters in mine, outside the range of even UTF8. And no, I don't have an APL keyboard.

slashdot123 (0)

Anonymous Coward | about 7 months ago | (#46040483)

time to change your password!

BS article written for morons. (2)

wcrowe (94389) | about 7 months ago | (#46040531)

Let's call it what it is. It is not a list of the most common passwords used on the internet. It is a list of the most common passwords used at Adobe... maybe. They don't know what the Adobe passwords are right now. They cannot know all the passwords used on the internet, so they cannot know the most common ones used on the internet. It's a bullshit article written for morons.

our fault (5, Insightful)

Tom (822) | about 7 months ago | (#46040565)

Of course they do. Anyone surprised?

One of the reasons (one, it's a complex topic) is that we, the security professionals, are too dense to properly explain things in a language the user understands correctly.

For example, we tell them their password should be difficult to guess. But "guess" is the entirely wrong word to use, because it implies something that's not happening in the real world. When you say "guess" to a normal person, his mental image is that of some attacker thinking there, trying a few different things. What we experts mean is that some script will do 10,000 login attempts with a dictionary attack, or some hacker will check your pilfered password hash against a rainbow table.

Quite a few regular users are seriously convinced that "123456" is a "hard to guess" password, because it wouldn't be their first or second guess for someone else's password.

Here's what you need to do, IMNSHO:

We've had several of these breaches with leaked passwords over the years. Collect them, take the top 10,000 or so passwords and put them into a list. Add that list to John with a simple (because you want to be fast) ruleset for permutations. When the user picks a password, run that in the background. And instead of telling him to use a "difficult to guess" password, tell him that you run the same program that some evil people use, and if it can crack his password, he needs to use a different one.

Tell him that John needed 0.0253 (or whatever) seconds to crack his password, and show him the rule so he understands (e.g. "passw0rd" is a permutation of "password", the #2 most often used password).

It'll take 20 minutes for him to find a password that works, and he'll have to write it down to remember it. Problem solv... oh, wait...

Maybe, you know, the problem is in the method. Passwords suck.
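The check this comment proposes, written out as an added example in Python (not the poster's code, and not a real deployment): a rank-ordered denylist is consulted after each of a few cheap permutation rules (lowercasing, stripping trailing symbols and digits, undoing leet substitutions), and the rejection message names the base password, its rank, and the rules that had to be undone, the way the comment describes. The ten-entry list, the rule set and the `SITE_TERMS` are this example's own constructed stand-ins for the "top 10,000" breach list and the John ruleset; the site-name check follows the SplashData advice quoted in the summary.

```python
import string
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample denylist, rank-ordered. In a real deployment this would be the
# top 10,000 or so passwords collected from published breach corpora, as the comment
# proposes; ten entries are enough to show the mechanics.
COMMON_PASSWORDS: List[str] = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
]

# Names of the service being protected (constructed here from the story's own
# examples); a password built on these is rejected even if it is not on the denylist.
SITE_TERMS: List[str] = ["adobe", "photoshop"]

# Common leet substitutions, reversed. This rule runs after trailing digits are
# stripped, so "password1" is not turned into "passwordi" before being looked up.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def strip_symbols(s: str) -> str:
    """Drop punctuation and spaces from both ends ("password!!" -> "password")."""
    core = s.strip(string.punctuation + " ")
    return core or s          # never reduce a candidate to the empty string


def strip_digits(s: str) -> str:
    """Drop trailing digits ("password123" -> "password")."""
    core = s.rstrip(string.digits)
    return core or s


# Cheap, fast permutation rules standing in for a cracker's ruleset, applied in order.
# A rule is only recorded in the verdict if it actually changed the candidate.
RULES: List[Tuple[str, Callable[[str], str]]] = [
    ("lowercase", str.lower),
    ("strip-symbols", strip_symbols),
    ("strip-digits", strip_digits),
    ("undo-leet", lambda s: s.translate(UNLEET)),
]


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str                 # "ok", "common-password" or "site-name"
    base: Optional[str]         # the denylist entry or site term that was matched
    rank: Optional[int]         # 1-based rank of the matched entry in the denylist
    rules: Tuple[str, ...]      # the rules that had to be undone to reach it


def check_password(pw: str, denylist: List[str] = COMMON_PASSWORDS,
                   site_terms: List[str] = SITE_TERMS) -> Verdict:
    """Reject pw if a rule-normalised form of it is on the denylist or names the site."""
    ranks = {p: i + 1 for i, p in enumerate(denylist)}
    applied: List[str] = []
    cur = pw
    if cur in ranks:                                   # exact hit, no rules needed
        return Verdict(False, "common-password", cur, ranks[cur], ())
    for name, fn in RULES:
        nxt = fn(cur)
        if nxt == cur:
            continue
        applied.append(name)
        cur = nxt
        if cur in ranks:
            return Verdict(False, "common-password", cur, ranks[cur], tuple(applied))
    for term in site_terms:
        if term in pw.lower() or term in cur:
            return Verdict(False, "site-name", term, None, tuple(applied))
    return Verdict(True, "ok", None, None, ())


def explain(pw: str, v: Verdict) -> str:
    """Turn a verdict into the kind of message the comment asks for."""
    if v.ok:
        return "accepted"
    if v.reason == "site-name":
        return f"'{pw}' is based on the name of this service ('{v.base}'); pick something unrelated"
    how = f" after undoing: {', '.join(v.rules)}" if v.rules else ""
    return f"'{pw}' is '{v.base}', the #{v.rank} most common leaked password{how}"


if __name__ == "__main__":
    for candidate in ["123456", "passw0rd", "Password1!", "Adobe2014",
                      "correct horse battery staple"]:
        print(explain(candidate, check_password(candidate)))
```

Because the rule chain is linear and each step is a dictionary lookup, the check is cheap enough to run synchronously while the user is choosing the password, which is the point of keeping the ruleset simple; the denylist is consulted in plaintext at password-set time, so no hashing is involved. A real list of 10,000 entries would be loaded from a file rather than embedded, and the rule set would be extended with whatever permutations the site's own breach data shows to be common.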

Re:our fault (1)

Obfuscant (592200) | about 7 months ago | (#46040831)

It'll take 20 minutes for him to find a password that works, and he'll have to write it down to remember it. Problem solv... oh, wait...

Yeah, this.

I hate sites that force password changes after a given amount of time. I comply, and then I change my password right back.

One site I need to have access to goes one step further. They require regular changes and remember the last four passwords you've used. I have to write that one down. They're also the organization that sends regular emails to employees FROM AN OUTSIDE VENDOR reminding people that they need to log in with their company credentials to submit their mandatory timesheet. And they've created a Cyber Security department in IT to help train people to be secure and avoid phishing emails. Job security.

Re:our fault (1)

Tom (822) | about 7 months ago | (#46041155)

No, stupidity.

Many IT people actually try, but they have no understanding for what this looks like from a regular user's perspective. I've given talks on and consulted on the subject - I think I get through to the techies, but it does take some explaining to do, and it probably only works because I am one myself.

I've worked in a large corporation with a 400 page security policy. The security and compliance departments were very proud of it. Some individuals within IT liked it a lot. Nobody else in the company that I met even knew it existed.

Re:our fault (0)

Anonymous Coward | about 7 months ago | (#46041219)

One site I need to have access to goes one step further. They require regular changes and remember the last four passwords you've used. I have to write that one down.

You can always do what I do when my company password expires and needs to be changed (it also remembers the last 3 passwords). Change the password four times resulting in the 4th and final password change being the original password.

Re:our fault (1)

maxwell demon (590494) | about 7 months ago | (#46041319)

One site I need to have access to goes one step further. They require regular changes and remember the last four passwords you've used. I have to write that one down.

That reminds me of the script that was installed at one place where I worked. On login it automatically detected a request to change the passwords, and then just as automatically set it to as many different passwords as the system stored, to reset it to the old password afterwards, which now had fallen off the system's list. I'm pretty sure that's not what the sysadmin intended. ;-)

Re:our fault (1)

Ken D (100098) | about 7 months ago | (#46040851)

Yes they do. Especially when you require people to jump through hoops they do not want to jump through, like register to comment.

At my office there is some complicated password policy, and they expire every 90 days. No one at my location has been able to compose an acceptable password from scratch. The only thing that works is to subtly modify your existing password.

We suspect that the unique password rule actually compares your new password against all passwords ever used by anyone else in the company. Which is about as unfriendly as sites that give you no help in choosing a unique username ("Sorry 'xX_Bob246783_Xx' is not available, try again")

Re:our fault (1)

PRMan (959735) | about 7 months ago | (#46041259)

Which is a goldmine for attackers, since they can verify that SOMEBODY at the organization is certainly using that password.

Re:our fault (1)

tlhIngan (30335) | about 7 months ago | (#46041027)

One of the reasons (one, it's a complex topic) is that we, the security professionals, are too dense to properly explain things in a language the user understands correctly.

or the problem is the websites in question are so damn full of themselves that they believe they have the keys to Fort Knox.

I mean, a lot of my website passwords are ... "password" or "123456". I mean, who cares that some obscure blog or forum somewhere is using that password? They get compromised? So what? Oh yay, they can impersonate someone with a post count that can be counted on one hand.

You can bet my banking password is NOT on the list, nor my eBay, Paypal or other important password.

Hell, I bet /. has a lot of users with similarly simple passwords. Because the sites don't matter to the user. They had to register for some reason, so they did, but they did it with the probable intention of never coming back.

And that's the big problem - these password lists can be useless because they don't tell us anything - if the site was useless to begin with, does it really matter? Or if the site forced you to create an account to read some stupid blog post or get a document?

Re:our fault (4, Insightful)

brunes69 (86786) | about 7 months ago | (#46041195)

A much bigger reason is that no one gives a crap if someone knows their password to Adobe.com

I am a security professional myself. You know what my password is for 1/2 the sites I have accounts on? 1234. Why? Because I don't care.

The solution is identity federation. The whole concept that Adobe.com or Mom & Pop Blog have passwords at all is ridiculous. If they allowed OpenID logins and stuck nice Google / Facebook / Twitter / Yahoo / OpenID buttons on there then no one would need all these crappy passwords, they would just use their already created and secure federated ID.

Obligatory (1)

multimediavt (965608) | about 7 months ago | (#46040623)

[face palm]

Sometimes the password protects ... nothing (1)

Anonymous Coward | about 7 months ago | (#46040639)

While it's true that a complex and perhaps unique password is an important element of security, it is *not* true that there is always something worth protecting. I don't mind using trivial passwords on services if I will only use the service once, and there are no consequences to the account being compromised.

We should take these statistics with a similar note of caution. Just because someone chooses a weak password for something, does not imply that that user is making a mistake - indeed, the user could know something that we don't, like that the account in question is throw-away.

When this happens, it is the service provider, whose services may be abused, rather than the user, who may be at risk.

Someone didn't bother reading... (1)

MugenEJ8 (1788490) | about 7 months ago | (#46040683)

...my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and god.

Fools! (3, Funny)

the_skywise (189793) | about 7 months ago | (#46040691)

My password was Edoba123 !

Ha! Capitalization, numbers, and a non dictionary word! STRONG PASSWORD!

I am so smrt!

Re:Fools! (4, Funny)

Nemyst (1383049) | about 7 months ago | (#46040763)

My password was hunter2, which means all the hackers ever see is *******. It's the ultimate safe password.

Throwaway accounts (1)

Jumunquo (2988827) | about 7 months ago | (#46040711)

People make lots of throwaway accounts because every company wants to force people to register, so it's not surprising you keep seeing generic passwords used. Adobe has downloads that you have to register to get, so it's not surprising seeing lots of generic, insecure passwords. I imagine for a lot of these accounts, all you will get is a fake name, throwaway email address, and what was downloaded.

Hmm (0)

Anonymous Coward | about 7 months ago | (#46040725)

My password today for mundane sites is: all those asshats that think they are so smart 123!"#
(numbers and special characters added for sites that requires them)

No surprise! (1)

Emmi59 (971727) | about 7 months ago | (#46040743)

What do you expect to be the *most common* passwords used? Something like "nx4897)(/)hahaha98@79"? It would be more interesting to know *how often* simple passwords are used. If the highest percentage of a single weak password in use was about 0.0001%, everything should be fine. But if >=10% of all passwords used were weak, that would be bad...

Add some non-ASCII characters (1)

Gabest (852807) | about 7 months ago | (#46040769)

You may be able to brute force 256*8 numbers, but never the whole unicode range. (pässwörd)

Re:Add some non-ASCII characters (1)

maxwell demon (590494) | about 7 months ago | (#46040983)

Yeah, and you may not be able to log in again if the password request input encoding changes for whatever reason ...
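The encoding hazard raised in the reply above is easy to reproduce. What follows is an added example, not code from the original thread: it hashes the commenter's "pässwörd" the way different clients might submit it (precomposed NFC vs decomposed NFD Unicode, UTF-8 vs Latin-1 bytes) and shows that only canonicalizing before hashing makes the stored digests agree. The fixed salt, the iteration count and the choice of NFKC as the normalization form are assumptions made for the demonstration.

```python
import hashlib
import unicodedata

# Constructed sample input (not from the original post).
NFC_INPUT = "pässwörd"

# Fixed salt and a low iteration count, only so the digests are comparable
# and the demo runs quickly; a real password store uses a random per-user salt.
SALT = b"demo-salt"
ITERATIONS = 20_000


def hash_bytes(password_bytes: bytes) -> str:
    """PBKDF2-HMAC-SHA256 over whatever bytes were handed in."""
    return hashlib.pbkdf2_hmac("sha256", password_bytes, SALT, ITERATIONS).hex()


def naive_digests(password: str) -> set:
    """Digests a server stores if it hashes the client's raw bytes.

    Three plausible submissions of one visible password: UTF-8 of the NFC
    form, UTF-8 of the NFD form (combining marks), and Latin-1 of the NFC form.
    """
    nfc = unicodedata.normalize("NFC", password)
    nfd = unicodedata.normalize("NFD", password)
    return {
        hash_bytes(nfc.encode("utf-8")),
        hash_bytes(nfd.encode("utf-8")),
        hash_bytes(nfc.encode("latin-1")),
    }


def canonicalize(password: str) -> bytes:
    """Apply one fixed normalization form and one fixed encoding before hashing."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def canonical_digests(password: str) -> set:
    """Digests after canonicalizing: NFC and NFD input collapse to one value."""
    nfc = unicodedata.normalize("NFC", password)
    nfd = unicodedata.normalize("NFD", password)
    return {hash_bytes(canonicalize(nfc)), hash_bytes(canonicalize(nfd))}


if __name__ == "__main__":
    print("raw bytes:   ", len(naive_digests(NFC_INPUT)), "distinct digests")
    print("canonicalized:", len(canonical_digests(NFC_INPUT)), "distinct digest")
```

Two caveats. Canonicalization only helps once the server has correctly decoded the submitted bytes into text; a client that sends Latin-1 without saying so is still a different password. And switching an existing store to canonicalized input silently locks out users whose hashes were computed over raw bytes, so the migration has to verify against the old form and rehash on the next successful login.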

XKCD nailed this ages ago (1, Informative)

Ralph Spoilsport (673134) | about 7 months ago | (#46040775)

You don't need a "complex" password to have a strong password. You need a long password. Uppercase / lowercase / weird chars don't matter as much as sheer length in brute force attacks.

https://xkcd.com/936/ [xkcd.com]

Re:XKCD nailed this ages ago (0)

Anonymous Coward | about 7 months ago | (#46040907)

Look at what this cretin says about password length:

http://security.stackexchange.com/questions/33196/is-there-a-length-beyond-which-increasing-password-length-provides-no-additional

"So the strength of a password does not come from what it is, and in particular does not come from its length. The password length has no direct relation to password security. What makes a password strong is its randomness;"

Unbelievable.

Re:XKCD nailed this ages ago (0)

Anonymous Coward | about 7 months ago | (#46041113)

And he is absolutely correct. His answer is to the point and explains in detail what is required for a good password. You just did not get it that both, XKCD and the guy on stackexchange are correct. So read both again, think and then come back here...

Re:XKCD nailed this ages ago (2)

SleazyRidr (1563649) | about 7 months ago | (#46041253)

If the hackers decide to use a dictionary attack, then an xkcd-style password is about as good as one 4 characters long. It needs to create randomness in the domain where the hackers might be looking for it. Of course, the old method of switching out letters for numbers or whathaveyou doesn't really fare well either.

Re:XKCD nailed this ages ago (1)

Carnildo (712617) | about 7 months ago | (#46041463)

If the hackers decide to use a dictionary attack, then an xkcd-style password is about as good as one 4 characters long.

Four characters, yes, but four from a bloody huge alphabet (2048 characters). An XKCD-style password is almost as strong as four random Chinese characters.
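The xkcd subthread above (length versus complexity, the Stack Exchange quote that strength "does not come from its length", and the four-words-versus-four-characters exchange) all reduce to one calculation: the entropy of a password is the sum of log2 of the number of equally likely options behind each choice that produced it. The following is an added example, not code from the original thread or from xkcd; the guess rate, the wordlist sizes and the modelling of a "mangled word" password are assumptions stated in the comments.

```python
import math

# Constructed assumption: an offline attacker against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def bits(choices) -> float:
    """Entropy of a password built from independent uniform choices.

    `choices` lists how many equally likely options each decision had;
    the entropy in bits is the sum of log2 of those counts.
    """
    return sum(math.log2(c) for c in choices)


def random_chars(length: int, alphabet: int) -> float:
    """`length` characters drawn uniformly from an alphabet of `alphabet` symbols."""
    return bits([alphabet] * length)


def random_words(count: int, wordlist: int) -> float:
    """`count` words drawn uniformly from a list of `wordlist` entries (Diceware/xkcd)."""
    return bits([wordlist] * count)


def mangled_word(wordlist: int = 65536) -> float:
    """A 'Tr0ub4dor&3'-style password: one word plus a few predictable tweaks.

    Modelling assumptions: an uncommon word (~16 bits), capitalisation of one
    letter (2 ways), a common leet substitution pattern (8 ways), one appended
    digit (10), one punctuation mark (32) and the order of those two (2).
    """
    return bits([wordlist, 2, 8, 10, 32, 2])


def expected_seconds(entropy_bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Mean time to hit the password: half the keyspace at `rate` guesses per second."""
    return (2.0 ** entropy_bits) / rate / 2.0


def brute_force_view(passphrase: str, alphabet: int = 26) -> float:
    """What a per-character brute forcer would have to search for a passphrase.

    This overstates the real strength: an attacker who knows the wordlist
    searches words, not letters, so random_words() is the honest figure.
    """
    return random_chars(len(passphrase.replace(" ", "")), alphabet)


if __name__ == "__main__":
    cases = {
        "8 random printable ASCII characters": random_chars(8, 95),
        "4 random characters from printable ASCII": random_chars(4, 95),
        "4 words from a 2048-word list (xkcd)": random_words(4, 2048),
        "4 random hanzi from a 6763-character set (GB2312)": random_words(4, 6763),
        "one mangled dictionary word": mangled_word(),
        "one plain word from a 10,000-word dictionary": random_words(1, 10_000),
        "anything on the top-25 list": bits([25]),
        "xkcd phrase as a letter-by-letter brute force sees it":
            brute_force_view("correct horse battery staple"),
    }
    for name, b in cases.items():
        print(f"{name:55s} {b:6.1f} bits  ~{expected_seconds(b):10.3g} s")
```

The figures show why the two sides of the argument are both right. Four words from a 2048-word list is 44 bits, far more than four printable characters (about 26 bits) and close to four random hanzi, but only because the words were drawn at random from a list the attacker has to search in full; a quotation, a song lyric or a word with leet substitutions is chosen from a much smaller set and scores accordingly, however long it is. The per-character brute-force view of the same phrase (over 100 bits) is the number that misleads people, since nobody cracks passphrases that way.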

Luckily, (4, Funny)

tpstigers (1075021) | about 7 months ago | (#46040807)

my cat's name is &%GRang876$%#lkkjhaeyluihjsdkaClghiu.

Re:Luckily, (1)

sconeu (64226) | about 7 months ago | (#46041333)

Based on her response to the can opener, my cat's name is apparently "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr"

Where are they getting their study data? (0)

Anonymous Coward | about 7 months ago | (#46040843)

What sort of site is storing their passwords in plaintext to allow this study to be done? Probably the crappy sites that people use throwaway passwords on. Value of study? zero.

dumb pic from link (1)

pouar (2629833) | about 7 months ago | (#46040867)

I'm guessing the guys who picked those passwords are about as competent as that guy in that jpeg on the second link. He's trying to use a key to unlock a laptop and wears a mask so the monitor can't tell who he is.

What do you expect (0)

Anonymous Coward | about 7 months ago | (#46040871)

Let's be honest, we would still be mocking them if they used passwords shorter than 18 characters and/or any dictionary words.

Unless they use a unique 18-character high-entropy password for each of their sensitive accounts, then obviously they are stupid and/or lazy.

The impossibility of passwords (0)

Anonymous Coward | about 7 months ago | (#46040943)

For every site you are requested to come up with a random string that is hard to remember, and then remember it.

Re:The impossibility of passwords (1)

maxwell demon (590494) | about 7 months ago | (#46041157)

For every site you are requested to come up with a random string that is hard to remember, and then remember it.

No. You are requested to come up with a string that is hard to guess. There's absolutely no requirement that it is hard to remember.

Scunthorpe (1)

I'm not god any more (613402) | about 7 months ago | (#46041021)

Don't append 123 to the website name to create a password. Instead append Scunthorpe, this will cause the Great Firewall of the UK to protect your data.

That's nothing! (0)

Anonymous Coward | about 7 months ago | (#46041025)

One of my passwords is 63 characters long.

Though it is a combination of seven other different passwords.

Re:That's nothing! (0)

Anonymous Coward | about 7 months ago | (#46041231)

Yeah well mine is 64!
passwordpasswordpasswordpasswordpasswordpasswordpasswordpassword

Pretty good right?!?

And apparently (1)

puppetman (131489) | about 7 months ago | (#46041041)

Websites, corporate domains, and so on, still allow "password" and "123456".

You can't use these silly passwords if there is a password-strength check that was set up with a bit of common sense.
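A strength check "with a bit of common sense" is mostly a deny-list, not a composition rule: reject anything on the common-password list, anything shorter than a minimum length, and anything built from the name of the site or product (the "adobe123" and "photoshop" pattern the article calls out), after undoing the usual capitalisation, appended-digit and leet tricks. The following is an added example, not code from the original page; the small common-password list is a constructed stand-in for the published one, and the site terms assume an Adobe-like service.

```python
import string

# Constructed stand-in for the published list (only entries this page names);
# a real check loads a full breach-derived list of millions of entries.
COMMON_PASSWORDS = {
    "123456", "12345", "111111", "password", "qwerty",
    "adobe123", "photoshop", "hunter2", "1234",
}

# Terms tied to the service (assumed here for an Adobe-like site).
SITE_TERMS = {"adobe", "photoshop"}

MIN_LENGTH = 8

# Reverse the usual leet substitutions so "Ph0t0sh0p" is seen as "photoshop".
_UNLEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "8": "b", "@": "a", "$": "s", "!": "i",
})


def unleet(text: str) -> str:
    return text.translate(_UNLEET)


def candidates(password: str) -> set:
    """Normalised forms a cracker's mangling rules would generate from a guess.

    Lower-cased, with leading and trailing digits and punctuation stripped
    (the "adobe123" pattern), with and without leet characters undone.
    """
    lowered = password.lower()
    core = lowered.strip(string.digits + string.punctuation + " ")
    return {lowered, core, unleet(lowered), unleet(core)}


def check_password(password: str, site_terms=SITE_TERMS) -> list:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    forms = candidates(password)
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if forms & COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if any(term in form for form in forms for term in site_terms):
        reasons.append("derived from the site or product name")
    return reasons


if __name__ == "__main__":
    for pw in ["123456", "Adobe123", "Ph0t0sh0p!", "hunter2",
               "P4r4k33t_T0by_A", "correct horse battery staple"]:
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r:34s} {'; '.join(verdict)}")
```

Note what the check does not do: it imposes no "one uppercase, one digit, one symbol" rule. Those rules are what turn "password" into "Password1", which the candidate set above still catches, and NIST SP 800-63B now advises against composition rules in favour of exactly this combination of a minimum length and a breached-password deny-list.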

If only they had a simple offline password keeper. (0)

Anonymous Coward | about 7 months ago | (#46041285)

Like the open source one currently being developed by the Hackaday readers.... http://hackaday.com/tag/developed-on-hackaday/

Re:If only they had a simple offline password keep (1)

Mathieu Stephan (2892907) | about 7 months ago | (#46041317)

every suggestion is by the way very welcome...

Good news! (3, Funny)

hamster_nz (656572) | about 7 months ago | (#46041329)

I'm going to use '123456' from now on. If somebody is knocking on doors with that password, odds are they will access someone else's account before mine.

Passwordmaker (1)

Hobadee (787558) | about 7 months ago | (#46041385)

This is why I use PasswordMaker [passwordmaker.org] . I get a separate, secure password for every site, only have to remember a single password, (and a simple configuration) and don't have a list of passwords stored anywhere.

I'm constantly advocating for it yet nobody ever listens to me...
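The idea behind a derived-password tool like the one recommended above is that each site's password is a one-way function of a single master secret and the site's name, so nothing has to be stored. The following is an added example of that design, not PasswordMaker's own scheme or code: it stretches the master password once with a slow KDF and then derives each site password with HMAC. The user salt, iteration count, output length and label format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac

# Assumed parameters for this example, not PasswordMaker's own settings.
KDF_ITERATIONS = 600_000
DEFAULT_LENGTH = 20
_B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_") if False else None


def master_key(master_password: str, user_salt: str) -> bytes:
    """Stretch the master password once with PBKDF2-HMAC-SHA256.

    The salt is something stable and user-specific (an e-mail address here) so
    two people with the same master password get different keys, and so that a
    leaked site password cannot be attacked with a precomputed table.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        user_salt.encode("utf-8"),
        KDF_ITERATIONS,
        dklen=32,
    )


def site_password(key: bytes, site: str, counter: int = 1,
                  length: int = DEFAULT_LENGTH) -> str:
    """Derive a per-site password from the stretched key with HMAC-SHA256.

    `counter` is bumped to rotate one site's password after a breach without
    changing the master. The site label is length-prefixed so that different
    (site, counter) pairs can never serialise to the same bytes.
    """
    if not 1 <= length <= 43:
        raise ValueError("length must be between 1 and 43 for a 32-byte digest")
    label = f"{len(site)}:{site}:{counter}".encode("utf-8")
    digest = hmac.new(key, label, hashlib.sha256).digest()
    # base64url spends exactly 6 bits per character, so there is no modulo
    # bias; 20 characters carry 120 bits of the digest.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed inputs, not anyone's real credentials.
    key = master_key("correct horse battery staple", "alice@example.com")
    for site in ("example.com", "example.org"):
        print(site, site_password(key, site))
    print("example.com after rotation:", site_password(key, "example.com", counter=2))
```

The trade-offs are the ones the post hints at with "a simple configuration": the site label and counter must be reproduced exactly ("adobe.com" and "Adobe" yield unrelated passwords), a site that insists on a particular symbol is not satisfied automatically, and the master password can never be changed without changing every derived password at once. Most importantly, a single leaked site password plus its known label is enough for an offline attack on the master, which is why the KDF is deliberately slow and why the master itself has to be a high-entropy passphrase rather than anything on the list in the article.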

End Users (0)

Anonymous Coward | about 7 months ago | (#46041449)

In general you're never going to stop this. Most people, when it comes to selecting multiple usernames and passwords, are sick of it. They become tired of the tedious requirements of managing passwords for over 100 sites, and the others are just too lazy to care.

sigh (1)

geekoid (135745) | about 7 months ago | (#46041453)

" Slashdotters have known for years that while it's always tempting to create a password that's easy to remember "

Yes it's tempting, and you should do it. Just because it's easy to remember doesn't mean it's easy to crack. Example:
Street I lived on when I was a kid:
Parakeet

Name of my first pet:
Toby

This is easy information for me to remember, but not information that random people would know; in fact, other than my immediate family, no one would know.

So:
P4r4k33t_T0by_A

Rotate the A

I would never forget that. NO, it's NOT what I used, but I do use a similar technique.

Want a harder one. fine.
yb0T_t33k4r4P_a

They all vary (4, Insightful)

speedlaw (878924) | about 7 months ago | (#46041465)

The reason passwords suck is: this one wants eight characters, with a symbol and a letter; this one wants eight characters, with NO symbols, and a letter; this one wants upper and lower case letters; this one wants upper and lower case with a symbol and a number; this one wants upper and lower with no symbols. The formats change all the time, so it is no wonder that most people end up with a post-it note stuck to the computer, or if stealthy, inside the drawer.