Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Idle

More Than 23 Million People Use the Password '123456' (ncsc.gov.uk) 155

Bearhouse shares a new study from the UK's "National Cyber Security Centre," which advises the public on computer security, about the world's most-frequently cracked passwords. It's probably no surprise to the Slashdot readership: people use bad passwords. A recent study of publicly-available "hacked" accounts -- by the UK National Cyber Security Centre -- reveals "123456" was top, followed by the much more secure "123456789" and hard-to-guess "qwerty". If you're a soccer (football) fan, then try "Liverpool" or "Chelsea" -- they'll work in more than half a million cases. Finally, for musicians, Metallica gets beaten down by 50cent, 140k to 190k respectively.
The most common fictional names used as passwords were "superman" (333,139 users), "naruto" (242,749), "tigger" (237,290), "pokemon" (226,947), and "batman" (203,116).

The organization recommends instead choosing three random words as a password -- and also checking "password blacklists" that show passwords that have already been found in past data breaches. (Developers and sysadmins are also advised to implement these checks as part of their rules for which user passwords will be allowed.) The organization also released a file from the "Have I Been Pwned" site containing the top 100,000 passwords.

So what are the top ten most-frequently used passwords?
  • 123456
  • 123456789
  • qwerty
  • password
  • 111111
  • 12345678
  • abc123
  • 1234567
  • password1
  • 12345

This discussion has been archived. No new comments can be posted.

More Than 23 Million People Use the Password '123456'

Comments Filter:
  • by Anonymous Coward

    C-c-c-combo-breaker!

    • by jwhyche ( 6192 )

      The password on my phone is "fuck you pig"

    • What I truly don't understand is why the 3-word password is considered so safe?
      Yes, it can be pretty long in characters, while still easy to remember.
      But in another sense, it's a 3-character password from a set of maybe 300K "characters"
      If I'm not being clear on what I mean, I'm saying that if my password is: doggoatpig, you can say that's a 10-character password and fairly hard to brute force.
      But it's also just 3 words out of a universe of 300K words, which is a pretty small universe.
      And what 3-character p

      • If you use a dictionary of 100,000 words (roughly the size of the dictionary on my computer), 3 random words is roughly equivalent to 8 random characters (a-z, A-Z, 0-9, and a bunch of symbols).

        If you limit your dictionary to the 10,000 most common words, 3 random words is roughly equivalent to 6 random characters. If you increase your pass phrase to 4 out of 10,000 words, you get a 9-character-equivalent password. 4 random words out of 100,000 words gives you an 11-character-equivalent password.

        What
        • I'm left to wonder if some words are A LOT more common in word-oriented passwords than others.
          Common words compared to exotic, more likely to misspell words.
          Short words, instead of long to type words.
          I would expect this to make guessing word-passwords even easier.
          Most places I've seen say that 8-11 random characters isn't secure anymore against modern hardware and weak, fast, non-salted hashing.
          Even rainbow tables seem to handle ever longer passwords. Not quickly, but over the years they've added more lengt

          • I'm left to wonder if some words are A LOT more common in word-oriented passwords than others. Common words compared to exotic, more likely to misspell words. Short words, instead of long to type words. I would expect this to make guessing word-passwords even easier.

            Ideally, you want the 3-4 words to be completely random, not part of some phrase or related in any way. If you limit the possible words to being under 6 characters each, then you've greatly reduced your dictionary size and made your passphrase correspondingly weaker.

            Most places I've seen say that 8-11 random characters isn't secure anymore against modern hardware and weak, fast, non-salted hashing. Even rainbow tables seem to handle ever longer passwords. Not quickly, but over the years they've added more length. Or am I just being too paranoid?

            If the system isn't using a good hashing/key-derivation algorithm, then there isn't much you can do anyway. I just checked a couple password strength meters - 8 random characters rates moderate, 10 random characters rates strong, and 12 random c

  • by Misagon ( 1135 ) on Sunday April 21, 2019 @12:50PM (#58467820)

    1, 2, 3, 4, 5, 6? That's amazing! I've got the same combination on my luggage!

    • 1, 2, 3, 4, 5, 6? That's amazing! I've got the same combination on my luggage!

      Why is it I feel like I'm surrounded by assholes?

      • I just use 654321 and ROT13 it twice for extra security.

        Nobody would ever think to try passwords backwards.

        • by rtb61 ( 674572 )

          I use three words with no spaces. The words more than 3 characters long, what ever you want, capitalise or not, about fifteen characters total. Just teach them that it is surprisingly easy to remember yet difficult to compute as long as in essence something difficult to guess and easy to remember. So random nonsense, so for a hen pecked married man, bloodytamponday, would be good, well not any more but you get the idea, for woman in an abusive relationship, drunktinydick. What ever holds to your memory, is

          • To be complete, you need three words, with brackets around one, and a number in the middle. That way you hit all the password length and breadth requirements.

    • Came in here to past that exact comment

      "1-2-3-4-5-6? That’s the kind of combination an idiot would put on his luggage!"

      • Came in here to past that exact comment

        "1-2-3-4-5-6? That’s the kind of combination an idiot would put on his luggage!"

        I came here to say first post, but I didn't get the chance.

    • Yeah, same here, I tried to use the same password as on my computer: "******" but my luggage has no "*" - a shame.

  • Whose fault? (Score:5, Insightful)

    by markdavis ( 642305 ) on Sunday April 21, 2019 @12:53PM (#58467840)

    >"More Than 23 Million People Use the Password '123456'"

    Then the systems that allow such a ridiculous password are just as much to blame as the users. All standard systems I know require at least 6 characters, which must include alpha and numbers. All the systems *I* use and administer require that but also at least 2 alpha, AND cannot contain a dictionary word AND cannot contain simple sequences (abc, 123, 321) AND no significant part of the user name. And that is just the DEFAULT configuration of any Unix/Linux machines I have used over the last 30 years. What systems are allowing any of the "top ten most-frequently used passwords" in the offered list???

    Oh, and if you really want to make passwords worse- put reasonably strong requirements in place and then RUIN it by forcing people to change them constantly... but that is a different issue.

    • by Anonymous Coward

      Not allowing a password to contain a dictionary word makes it harder for users to come up with memorable passwords (and will result in users getting more and more frustrated as they keep trying new passwords, until they eventually go for something obvious like their car's license plate number.)

      And yeah, I know, the counter is "What about password managers", to which the answer is "Few people use them, and nobody uses them for absolutely every password."

      • >"Not allowing a password to contain a dictionary word makes it harder for users to come up with memorable passwords (and will result in users getting more and more frustrated as they keep trying new passwords, until they eventually go for something obvious like their car's license plate number.) "

        That is not true, because you can just break the word with numbers:

        h8amburg3r

        Or use the first letter of each word in a sentence: I hate responding to 5 postings:

        ihrt5p

        Easy to remember, plus strong

        • That's less secure and harder to remember than simply combining 4 words. [xkcd.com]
          • >"That's less secure and harder to remember than simply combining 4 words. [xkcd.com]"

            Unfortunately, many of the systems I use, for some reason, have limits on password lengths. Generally in the 10 to 12 character range. This won't work with super long phrases. Plus, the XKCD thing is making the example password weak only because it makes some pretty strong assumptions about common substitutions and where the number and punctuation will be.

            Fortunately, there is yet another alternative. The best thing

    • Re:Whose fault? (Score:5, Interesting)

      by vux984 ( 928602 ) on Sunday April 21, 2019 @01:06PM (#58467890)

      "What systems are allowing any of the "top ten most-frequently used passwords" in the offered list???"

      Slashdot

      For the last several years, until 30 seconds ago, my password for /. was 123456. I changed it to make this post.

      I made it that way because when i opened it, it was a throwaway account; and then i left it like that on purpose until now; as a bit of subversive humor; and i didn't really care if i lost the account.

      PS - I also actually changed it BACK to 123456 just now as well to make sure /. still allowed it, and i wasn't just 'grandfathered in'.

      • I wonder how many people have tried to login as vux984 using the password 123456 in the past few minutes? I thought about it, but wasn't quite motivated enough to actually logout myself to actually try it (not to mention probably breaking some laws)...
        • by vux984 ( 928602 )

          Lol. I did change it before posting. I wasn't willing to tempt fate that much.

          • So what did you change it to? I changed it to "*******".

            • Oh that's neat. Slashdot has a filter so when you type your password in the message box it only looks like stars when you look at it after.
              I typed in "*******", but all that is displayed is "*******". You should try it.

        • but wasn't quite motivated enough to actually logout myself to actually try it

          Why log out? Open a window from any other browser installed on your system and log in from there. If you don't want to get involved in Holy Wars, you'll probably have several browsers on your system already, possibly including Firefox-oids, Ice-*-oids, Chrome-oids and Opera-oids. for example, I found an occasionally interesting site which demanded I install Flash on my regular browser, so I installed a different browser which incl

    • "More Than 23 Million People Use the Password '123456'"

      What many "people" are failing to notice is that the phrase "23 Million People" uses very small values for "people."

      How many websites do you use? That is how many "people" you are in this "context."

    • Your mentioned restrictions are silly, it would be better (more secure) to use four common words instead of what you think is a good idea.

    • If it is a bank account or email address I will make some random letter /uppercase/lowercase/digits/punctuation combo. But if it is the forum "cat lover" or whatever, my password will be far easier, because I don't care about it. How many of those accounts are actually important ?
      • If you really would be a cat lover, your cat lover account would be damn important for you.

        Please pay now the bitcoin ransom, or I sacrifice all your cat pics on a stake!!

    • by Strider- ( 39683 )

      The better password scheme is to require 10+ characters of any sort, and encourage your users to use a small snippet of a nursery rhyme or similar. "TheCowJumpedOverTheMoon" is far more secure than "74r!Baz$1"

    • Oh, and if you really want to make passwords worse- put reasonably strong requirements in place and then RUIN it by forcing people to change them constantly... but that is a different issue.

      I’ve Worked at a few of those places, and most only check the last 6 used or so when checking the new password to prevent reuse. All you have to do is a few quick changes in a row and you can keep using the same password.

      • One system I've worked on didn't allow password changes more than once every 3 days.

      • by Gonoff ( 88518 )

        ... All you have to do is a few quick changes in a row and you can keep using the same password.

        The way around this is to
        A. Enforce a minimum period before another voluntary change and
        B. Prevent password reuse of the previous N passwords.

        Like everything else, there are downsides.

        If A is a problem, they can call the helpdesk. They can decide if the user has a "cunning plan"

        The worry about B may be that we have a list of the previous, say, 20 passwords, Is that secure? They should be stored as securely as the current password. These are not their password any more anyway. So it takes a few kilob

    • All standard systems I know require at least 6 characters, which must include alpha and numbers.

      Like the ever secure "Password1" ?

  • by SlaveToTheGrind ( 546262 ) on Sunday April 21, 2019 @12:58PM (#58467856)

    Just enter a password you want to use,* and I'll check it automagically against every known data breach out there. If it doesn't come up, it's safe to use!

    * For best results, please enter your email (so I can send you the report) and the site where you want to use the password (so I can make sure it meets the site's password requirements).

    • by dex22 ( 239643 )

      Make sure you get a secure certificate, so people know you can be trusted!

      • Also let us know your mothers maiden name, your first pet, and the high school you attended for added SeCuRiTy...
    • Just enter a password you want to use,* and I'll check it automagically against every known data breach out there. If it doesn't come up, it's safe to use!

      * For best results, please enter your email (so I can send you the report) and the site where you want to use the password (so I can make sure it meets the site's password requirements).

      Did you know /. blocked you from typing your real password in a comment? It stars them out when submitted:

      *******

  • by mykepredko ( 40154 ) on Sunday April 21, 2019 @12:59PM (#58467862) Homepage

    I sure hope "ABCDEF" isn't taken.

  • How did this 'research organization' find this information out without criminal behavior? Do they need to be shut down and their staff frog marched to jail?

    Curious Minds want to know....

  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Sunday April 21, 2019 @01:12PM (#58467918)

    Just come up with a short little rhyme, preferably with an unusual name in it, and use part or all of the rhyme in different places where you need a reasonably secure password.

    Example using a rhyme many people know (and therefore not recommended): Mary, Mary, quite contrary, how does your garden grow? With silver bells and cockle shells and pretty maids all in a row.

    You've already got capital letters involved. For really important stuff, you could add proper punctuation and enter each character by hand, never letting a password manager or browser remember the password. For less important stuff, you might use only part of the rhyme, like maybe "Bells and cockle shells".

    This might not be perfect, but it's a hell of a lot better than using something like the examples in TFA, and a short little rhyme is as easy to remember as QWERTY.

    • by vux984 ( 928602 )

      And do you use a different rhyme for each website you know? Because if you do, it doesn't matter how good your password is one of the places you use it stores it plaintext something equally atrocious; and when the site is breached you are fucked.

      " For less important stuff, you might use only part of the rhyme, like maybe "Bells and cockle shells"."

      Oh, you have 2 passwords. Not much better; same problem as above, but only half your stuff gets pwned when one of them goes. hopefully it'll be the 'less importan

      • It's really not difficult to come up with new verse-based passwords. In fact that's one of the advantages. And I can't say it's happened often, but if I get rejected on a site more than one or two times over my choice of password, I will be thinking very hard about how badly I need to visit it. Certainly for work-related stuff, I've never had a problem.

        Also, I have to say that I have nothing against password managers except that they seem to get hacked with disquieting frequency. My really important pas

        • by vux984 ( 928602 )

          I use an offline password manager (ie not a cloud service). I do sync the encrypted database to cloud storage, but that's not a concern.

          I agree that having it in your head is the best... and i "salt" some of the most important passwords with an additional bit I've memorized.

  • Password wars protecting privacy wars all comes down technology wars that let us do away with passwords that's where FTC 98 BLT 739 Caller ID Screener new improvement invention to caller id.
  • ... so many dummy sites require you to register for no reason whatsoever.
    Username "fckyou", password "12345" are just good enough for them.

  • As in 1234567891011.

    Who would ever guess that one?
  • https://xkcd.com/936/ [xkcd.com]

    As the comic pointed out, modern password policies have created mandatory passwords that are difficult to remember and relatively easy to crack. Because they are dificult to remember, and tend to also be difficult to type, people inevitably store them where they are easily read or easily cut & pasted.

    There are many approaches to solving the issues, but the incessant desire that someone upstream have access to those private passwords, and restrictions on the export of encryption, hav

  • Comment removed based on user account deletion
  • I was hoping for "********" to be in the top 10 somewhere. Oh well, humanity lets me down again.

  • and look up some pictures of Daphne Zuniga

  • nine zeroes.

    Very secure.

  • by Tom ( 822 ) on Sunday April 21, 2019 @03:52PM (#58468498) Homepage Journal

    Contrary to your initial reaction, these account passwords are not insecure passwords chosen by idiots who don't know better.

    They are throwaway accounts with passwords picked by people who couldn't care less. We've seen this for over a decade consistently, and always in leaks from sites that are forums or other low-priority things. Where a lot of people register, but don't really care. rockme.com was among the first leaks that received a lot of scrutiny - it's a music forum, so big deal if you hack an account, you can discuss your favorite band under a username that isn't yours now, congratulations, hero.

    Where I've not seen this pattern is with banking, personal finance or health sites, or others that even regular users consider high priority. People can pick better passwords - they just can't be arsed to do so for a site that maybe tomorrow they'll not even care about anymore.

    While I completely agree bad passwords are a problem - the sensationalistic, naive press reports about the topic don't help. You really can't convince a normal person to pick a random 20 character unique password for a forum account that doesn't matter to them.

  • Fox Mulder's "trustno1" password is pretty near the top and there's another 4 variations with different capitalisation.
  • If you read TFA they appear to be mostly concentrating on laptops and smart phones or silly sites that require a login and password to post comments--or even to be able to read them. That's a far cry from bank account passwords or even work-related passwords with arcane features forced upon you "for security," but which really function to harass employees. It's just an entry-level low-security device that provides a modest level of protection. It's not intended to provide robust counter-measures against the latest cracker program. In the vast majority of cases these passwords do not protect anything remotely valuable. Sure you won't be able to get into my smart phone or laptop very easily, but you're not missing anything anyway. If it's that important, call the NSA. Much ado about nothing.

  • It's not as protective as the fact that everyone's bank card and ID details have been breached by now. At least in that case - you become just one in a zillion and being such a tiny part of such a huge herd gives you the chance you'll just be overlooked.... After the no opt out credit agencies, OPM, and who knows how many others, it's a pretty sure thing that almost all humans have been pwned. I guess that's why we see spear phishing etc - to hopefully let the worthwhile idiots self-identify, because findi
  • Comment removed based on user account deletion
  • I use pretty simple passwords for accounts where it is the provider who is interested in authorizing me, not I. Especially free subscriptions to newsletters and online magazines. It is not costly to me if others freeload on my account. I wonder if many of the very simple passwords are of this ilk?
  • So my favourite passwords: "geheim" and "geh heim" are both pretty secure?

  • Schlemiel, schlemazel, hasenpfeffer incorporated...

  • Comment removed based on user account deletion
  • Comment removed based on user account deletion
  • There will always be people who use stupid passwords and even the good passwords can be bypassed using security holes in the system. Email/password login pairs are currently being leaked from left and right. Biometric solutions exist, but the big weakness in those is that one can not change ones eyes or fingers. Password managers are a moderately good solution, but there still usually is at least the email address to be leaked. Also one is still relying on a third party for ones secrets. A potential good
  • Choose a password, it must include uppercase, lowercase, digit(s) and symbol(s).

    Password#1 it is then.

  • Retards gonna retard. And they're always going to be with us.

    Shooting them before sexual maturity would be a start, but would probably run into objections for reasons I can't quite fathom.

  • 1123581321 then? That is only obvious to proper geeks who did mathematics past the age of 10...

If all else fails, lower your standards.

Working...