Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

The Most Popular Passwords Are Still "123456" and "password" 197

BarbaraHudson writes: The Independent lists the most popular passwords for 2014, and once again, "123456" tops the list, followed by "password" and "12345" at #3 (lots of Spaceballs fans out there?) . "qwerty" still makes the list, but there are some new entries in the top 25, including "superman", "batman", and "696969". The passwords used were mostly from North American and Western European leaks.
This discussion has been archived. No new comments can be posted.

The Most Popular Passwords Are Still "123456" and "password"

Comments Filter:
  • qwerty? (Score:5, Funny)

    by by (1706743) ( 1706744 ) on Tuesday January 20, 2015 @02:25PM (#48858765)
    My password is ',.pyf, you insensitive clod!
    • Re:qwerty? (Score:5, Funny)

      by kurkosdr ( 2378710 ) on Tuesday January 20, 2015 @04:25PM (#48860053)
      My password is 'incorrect". So if I ever forget it, the computer will helpfully remind me that "password is incorrect"
      • Just hope that the system doesn't insist on you having a combination of letters, numbers, lowercase, uppercase and special characters
      • Good one. Or should I say Gud1?

        I had a consultant that would frequently forget his password. I finally set it to "I forgot" and gave it to him. Three weeks later, sure enough, he drops by because he can't get in. I ask him "What's your password?" and he says "I forgot". So I just looked at him. Finally he got it. No issues since then.

    • My medium-security passwords were usually L33tSp34k versions of one or two dictionary words, plus whatever capitalization and punctuation were required. But now that I'm occasionally accessing the web through tablets and accessing work systems over cellphone, I've had to switch to Android-friendly passwords, so the letters get grouped together, followed by the numbers, and usually any punctuation is the limited set that appear on the same keypads as the letters or the numbers. So it's Abc,1234 instead of

      • by TWX ( 665546 )
        I wonder how secure l33t sp34k is now; if it's automatically being tried simply because it's so ubiquitous.
    • by gatkinso ( 15975 )

      I used qwerty on /. for about 9 years before I finally changed it. Funny thing - it was also my hotmail password for even longer.

  • I thought the most popular password was just {enter}

    • Re:I thought (Score:5, Interesting)

      by ganjadude ( 952775 ) on Tuesday January 20, 2015 @02:36PM (#48858917) Homepage
      after reading the article, im still confused as there isnt enough info to really make anything of this

      The data is compiled from leaked passwords in 2014, by password company SplashData.

      ok, so it was leaked passwords....but from where? for what reasons? on what devices? I would wager alot of "stock" devices will have simple PWs. and to most people, if it works, it doesnt need to be addressed. Also if PWs are from web pages? what are the pages? because if they are not secure pages (work, banks, personal info) most people simply dont care. I mean to leave comments on damn near any page, you need to register. I know on some pages ive created accts to leave a post and never plan on going back, im sure ive used some weak passwords for those sites.

      in the end, without a breakdown of types of accounts / passwords, its a little hard to claim anything based on this data that is worth anything.

      • Re:I thought (Score:5, Interesting)

        by JackieBrown ( 987087 ) on Tuesday January 20, 2015 @02:44PM (#48859045)

        I bought a Netgear AC1450-100NAR Dual Band Slim Gigabit Smart WiFi Router.

        The instructions specifically state that it would be a bad idea to change the SSID and password. I did anyways, of course, but was surprised to read this advice.
        http://ww.amazon.com/gp/produc... [amazon.com]

        • the fact that "admin" is on there as a PW, I would wager a lot of people dont change their router PW let alone SSID and SSID PW
          • You are correct that this is the password to access the setting for the router through their webgui. The password to connect to the wifi, though, was similar to badorange456. (To be honest, it was actually harder than anything I ever manually set since I get frustrated typing long passwords into consoles using a gamepad.)

            • yes, but im sure that someone out there has made, or is working on a way to crack those defaults too. Of the dozen or so routers ive set up in the past 3 years, almost all of them still follow a formula such as "color+number" or "fruit+number" . We are not getting passwords like 1nV@l!Dp2s$w04d by default yet
            • Let me know when Gaming Consoles can do WPS and I'll be happy to put a huge long ugly password in. I would love to be able to use the button on my router.

          • I've had a number of devices over the years where the default password was the MAC address of the admin port or first wired Ethernet port or equivalent, and was also printed on a label on the device. It's not perfect, but it's at least unique, and is strong enough that in most cases, people won't try to crack it, or anybody who might try cracking it has physical access to the box (in which case you're toast anyway.)

      • Re:I thought (Score:5, Insightful)

        by crunchygranola ( 1954152 ) on Tuesday January 20, 2015 @03:17PM (#48859365)

        after reading the article, im still confused as there isnt enough info to really make anything of this

        Yep. There is much less to this than meets the eye.

        In addition, a list of most common passwords will always have defaults and obvious simple strings as the top candidates, this will never change. What would be more useful to know is whether the relative proportion of passwords fitting this description is declining (I doubt it, but we need to see the data).

      • I don't think too many devices have "696969" as a default password (customers would complain); the same applies to "superman" and "batman" except this time it would be the trademark holders who would be doing the complaining.

        And if they had revealed what web sites or devices used these passwords the most, everyone would be complaining about how they're making the net "less secure", same as when someone reveals a zero-day defect, instead of maybe just changing their password because "well, I use 'password'

        • I see no reason for anyone to complain about those as defaults. a string of numbers (696969) is not bad in anyway unless you really want to stretch the whole 69 thing. Batman and superman as a password I cant see how trademark owners could argue that a password is infringing on the trademark. As for the rest of your arguments I agree we shouldnt say "these are the most used passwords from slashdot" but I would like to know that they were talking about user submitted passwords over default PWs
          • you would be amazed at what people will make formal complaints about. I shit you not we had people submit formal complaints to our organisation over some error messages where we used a few names from greek mythology as they considered it blasphemous that we were using religious icons that did not represent their beliefs. We also received complaints about error number 666 and various other items. Their are so many retards in this world just looking for a reason to feel victimised or insulted, I am surprised

            • So pretty much rule 34 of the internet, but for complaints. If it exists,someone will complain about it or be offeneded by it
        • Who would complain about a *default* password they didn't like? They already bought the widget and have the ability to change the password... Who bases their buying decision on the default password of the device?

      • Maybe more websites need to enforce strong password rules on their users. I know that plenty of sites either read the password entered or check the hash and reject it if it doesn't meet certain criteria. Ideally, end users would come up with secure passwords on their own, but since they can't, administrators need to do some prodding.

        • NO! NO NO! My biggest risk is websites which I don't care about trying to force me to use a very secure password. I use a word like "password" for example to access the Boston Globe online because a) I don't have anything to secure there, b) I don't care if someone learns my password and reads the Boston Globe, and most important c) I don't want an employee in Boston to have access to one of my more secure passwords. Unfortunately, sites like this force me to use "strong password rules" and then when
      • by bmo ( 77928 )

        ok, so it was leaked passwords....but from where?

        From everywhere. From pron.com, for example. Plaintext usernames, emails, and passwords. With .mil addresses and admin addresses to boot. They are there if you bother to look.

        From a csv file I have of the pronz.com list:

        Hi! We like porn (sometimes) so these are email/password
        combinations from pron.com which we plundered for the lulz

        Check out these government and military email
        addresses that signed up to the porn site...

        They are too busy fapping to def

    • Ok, not any more, but for many years the root/admin/whatever password on Stallman's MIT machines was just carriage return. The point was extreme openness, so that anybody could log on, see anything, fix anything, copy any code.

  • As illustrated by Stanfordâ(TM)s password policy shuns one-size-fits-all security http://arstechnica.com/securit... [arstechnica.com] via https://itservices.stanford.ed... [stanford.edu]
  • Mine is (Score:2, Funny)

    by Anonymous Coward

    hunter2. But I guess that all should appear as '*******' to you as it is encrypted.

    • Oh it does appear as *******. Its just that you can see it so you know you put it in correctly. Type another and it will do it again. You see, you could put your bank password in and it will only show the real password on your computer. Its microsoft's way of protecting you. Try it, you will see.

  • That's the same combination I have on my luggage!

    At least 123456 has one more digit.

  • by R3d M3rcury ( 871886 ) on Tuesday January 20, 2015 @02:34PM (#48858889) Journal

    But no Marvel characters?

  • And? (Score:5, Interesting)

    by NitsujTPU ( 19263 ) on Tuesday January 20, 2015 @02:34PM (#48858891)

    1) Clearly bad passwords will be the most popular. Some people will blow off security and will pick a bad password.
    2) There are no data in the article regarding how frequently these passwords are used.
    3) There is no representation of what these passwords are protecting. Maybe these are passwords to something harmless like accounts in some children's game. In which case, who cares?

    • I bet you my slashdot password vs your slashdot password that the passwords are protecting crap.
    • 1) Clearly bad passwords will be the most popular. Some people will blow off security and will pick a bad password.

      Inversely, the most popular passwords will always be bad.

    • The most popular passwords are by nature the worst. Be it "123456" or "yy447dkwumm", if it is popular, it is not a good PW.

      What would interest me in addition to what are they protecting would be what percentage of accounts using those PWs is ever hacked vs. more secure PWs.
    • Yeah, my passwords to sites I'm not overly concerned about are a common single word or if I want to feel mildly more secure I toss a number in the middle of it. Just a throw away really.
    • > 2) There are no data in the article regarding how frequently these passwords are used.

      There are 448,232 passwords in my corpus right now. The top ones today are:

      password frequency
      | bobb17 | 5 |
      | iceman69 | 5 |
      | demon133 | 5 |
      | robert8 | 5 |
      | saintt9 | 5 |
      | alpha123 | 5 |
      | jordan | 3 |
      | pass | 3 |
      | 1234 | 3 |

  • On my own computers behind a firewall. I consider use of the password password about the same as having none.
  • by Ravaldy ( 2621787 ) on Tuesday January 20, 2015 @02:39PM (#48858975)

    Because the media lost much of it's credibility a long time ago and because they keep fear mongering, people pay less attention to the news. What ends up happening is people don't react until they become a victim or someone close becomes a victim. Everybody thinks it happens to other people.

    • Well most of the people who's passwords are guessed and accounts cracked are dumb. About a month ago I went to try and log into my bank account to pay some bills and found the account had been locked. The password is 24 random characters as are the answers to the 5 security questions so it is highly unlikely that it would be broken. When I called to get the account unlocked they also asked one of the security questions. So long as the bank can manage to not leak the info I should be good. Granted that is a
  • I got a kick out of this one.

    (changing password now)

  • by Luthair ( 847766 ) on Tuesday January 20, 2015 @02:45PM (#48859057)
    The article mentions this is based on sites compromised, I wonder if this list isn't to some extent self-selecting towards bad passwords. Lower value sites are more likely to be compromised than high value sites like Amazon or Google, and on low value sites people are much more likely to use garbage. Personally I use a pw database but still use junk passwords on sites when its irrelevant if the account were to be compromised.
    • The article mentions this is based on sites compromised, I wonder if this list isn't to some extent self-selecting towards bad passwords. Lower value sites are more likely to be compromised than high value sites like Amazon or Google, and on low value sites people are much more likely to use garbage. Personally I use a pw database but still use junk passwords on sites when its irrelevant if the account were to be compromised.

      Do you really want to be low-hanging fruit anywhere on the net for an account whose creation can be traced back to you? Seems to me that having the DHS or FBI seizing your computers because some jerk used your account to post death threats in the name of Islamic Jihad for the lulz is not worth the ease of using a simple, throw-away password,

  • I actually use 12345 (Score:5, Interesting)

    by Opportunist ( 166417 ) on Tuesday January 20, 2015 @02:47PM (#48859083)

    Really. Yes, really.

    There are certain accounts that just don't matter. Until the "5-minutes-valid" mail provider existed, I did the same with gmx mail addresses. Create, use, never bother to use it again. Since with more and more services there is no sensible way to "disable" or "close" accounts, well, one more corpse floating in their sea of dead accounts.

    For example, I sometimes want to read something on Facebook and they insist that it's only visible to people who hand them their information. And, well, creating a throwaway account for Ivana Beritsh is faster than finding one that already has 12345 as its password...

    • by Poeli ( 573204 )

      Try http://bugmenot.com/ [bugmenot.com]

      It really helps a lot on those annoying sites.

  • by Anon-Admin ( 443764 ) on Tuesday January 20, 2015 @02:47PM (#48859095) Journal

    P@ssw0rd! did not make the list and half the places I have worked have used that as the password because it meets the windows complexity rules.

    • Oldy-But-Goody (Score:3, Insightful)

      by Tablizer ( 95088 )

      Evolution of Passwords:

      1978:

      password

      1983: Rule: Don't use 'password', too common.

      passgas

      1990: Rule: Must contain at least one digit

      passgas7

      1995: Rule: Must contain mixed case

      Passgas7

      1999: Rule: Must contain at least one punctuation character

      Passgas7&

      2004: Rule: Must change every 2 months

      Passgas7& ... Passgas8* ... Passgas9( ... Passgas1! ...

      2009: Rule: Don't use same punctuation as digit key

      Passgas7$ ... Passgas8$ ... Passgas9$ ...

      2012: Rule: D

  • by RevWaldo ( 1186281 ) on Tuesday January 20, 2015 @02:48PM (#48859103)
    Since a site with proper hashing, where in theory the actual passwords are unknowable, wouldn't be on the list. And presumably sites with proper security on the back end would have stronger password complexity requirements in the first place, and vice versa. The blame falls more on the bar than the drunkards it serves.

    .
    • by rgmoore ( 133276 )

      Since a site with proper hashing, where in theory the actual passwords are unknowable, wouldn't be on the list.

      This is simply not true. It may be impossible to reverse the hash and recover the password directly, but it is both possible and practical to carry out a dictionary attack on a file of hashed passwords. That's exactly why you're supposed to avoid easily guessed passwords and why those crappy passwords are crappy: they're susceptible to dictionary attacks.

    • I'd say it's the other way around. If these sites were hashing and salting passwords, these simple passwords were low hanging fruit that were easy to crack.
  • 18 shadow (Unchanged)

    Please, please don't tell me that this word's popularity is an ill-conceived response to /etc/shadow. I may have to weep for humanity.

  • Why isn't everything requiring at least 8 characters now?
    (Also at least 1 letter as well).

  • Geez, Babs, look at you all submitting and stuff.

    That's several stories in the last few days.

    Just don't go all Bassett Houndleton on us and start posting long, tedious opinion pieces.

    • Geez, Babs, look at you all submitting and stuff.

      That's several stories in the last few days.

      Just don't go all Bassett Houndleton on us and start posting long, tedious opinion pieces.

      The latest weather
      report from hell
      forecasts "it be hot"
      the next millennium as well
      If stupid stories
      you wish to peruse
      there's my journal
      for all to abuse.

      Burma Shave

      Short enough? :-)

  • It doesn't matter how secure the password is, if a site or service gets compromised then it is highly likely that the password will get revealed. What makes a difference in those cases is how well encrytped or hidden the password is, and how determined the attacker is. Attackers can use precomputed tables made up of all sorts of phrases, letters, numbers etc which will get a handle on even very secure passwords.

    It's far more important to have a different password on each site.. or at least a different pas

    • > or at least a different password on each site you care about. For some sites is really doesn't matter if it gets hacked or not. The Gawker breach a few years back for example.. who would really give a stuff about having their Gawker password compromised.

      Yeah, it's a very good idea to have your bank password be different from your reddit password. Also, most places let you reset your password by using your email address, so the email password is something of a "master key", it should be good.

      A good pas

    • by jmkaza ( 173878 )

      Great point. I always laugh when this list comes out each year, 'cause the guy who used jelHk7$%jh78df+EK9 was just as compromised as the guy who used abc123.

  • Most important password institution including banks , have strong password policy which would reject "123456", and "password" (heck bank even have a second factor where you use the bank card decoder device but I have no idea on how secure it is). Those password are most probably email or forums password. And as secure as i want to be, I do the same. Email not linked to a bank account and used for spam registration or whatnot => weak password like "jodie123" like my slashdot password. Bank account and ema
  • This sounds bogus to me, everything from windows to most forums, ISP's and Telco's that I am aware of won't let you use such simple passwords. The only place I know that I could use 123456 or password for me is on one of my work smart cards (I have 3 but only one is so weak on security).

  • IT make us change them, so mine is now 123457, which isn't on the list!
  • by future assassin ( 639396 ) on Tuesday January 20, 2015 @03:30PM (#48859481)

    When I sign up for a website I have a pattern where I take certain letters from the web sites name and add certain amount of numbers to that. Its easy to remember for me and slim chance of someone finding my combo and its a different password for every site I sing up for.

  • Clearly a lot of teenage boys' passwords were leaked as well.

  • by CronoCloud ( 590650 ) <[cronocloudauron] [at] [gmail.com]> on Tuesday January 20, 2015 @03:54PM (#48859725)

    I see "correcthorsebatterystaple" isn't in there, I'm surprised.

    http://xkcd.com/936/ [xkcd.com]

  • The article is a little light and fluffy. Doesn't say how these passwords were leaked.

    Seems likely, though, that the very fact that they were leaked at all might be a form of selection bias. For example if the leakage vector involved some sort of cracking, it is hardly surprising at all that simple passwords dominate the list.

  • Why is anyone expecting this to change? It's fairly obvious that overwhelming majority of people with these passwords have little to no contact with people who can tell them why it's wrong. It's also fairly obvious that they're not very interested in the issue either.

    So why expect change?

news: gotcha

Working...