Two-factor authentication is the only way - make your password as stupid as you want... but only if you have 2MFA like an SMS text code sent at time of login to verify.

Anything can be broken - someone could mask my phone and gain access to that 2MFA also... but it is a lot more secure than just using a password (strong, or entropic, or whatever).
 
I'm an IT guy and started using password managers a few years ago...talk about a lifesaver and stress reliever.

I think the problem here is society's loathing of passwords at all. We should be beyond textual user names and passwords and finding easier ways to establish "that I am who I say I am." I remember one company mapping veins in your hand as a unique measure of a person.
 
Free password managers like iCloud Keychain, Bitwarden, etc., make remembering passwords obsolete. There is no excuse to have poor passwords in 2018.
That was great advice before the advent of cross platform secure password managers, but today I'd say using a password manager to generate a random high entropy password is a better solution, ideally coupled with a second factor for sensitive data like banking or sites with payment methods attached.

iCloud Keychain is one of my favourite things about Mac/iOS.

I don’t even know what my passwords are for anything but my iCloud account and my devices.
 
While I'd never use one of these passwords personally, I totally get some people's frustration. My job requires us to change multiple passwords every 3 months. At some point you get tired of making stuff up.
  1. Must change password every 3 months.
  2. Cannot reuse a password for at least 3 years. Password must be 8 characters or longer.
  3. Every account you have must have a unique password.
  4. Can’t use names of relatives or address names of places you have lived or the names of schools you attended.
  5. Must have $,#,!,& somewhere in the password. Can’t have other characters like _,\,%,£,¥,€.
  6. Password managers aren’t allowed. You also aren’t supposed to write your passwords down.
Other than the reuse, must-be-unique and character requirements, they really can’t check your passwords against the rest of these rules. I guess if your company's account is hacked and they find out you broke a rule they could nail you.

But it’s all just hypothetical because no one EVER violates any of these rules and we remember each and every password with no assistance.
 
While I'd never use one of these passwords personally, I totally get some people's frustration. My job requires us to change multiple passwords every 3 months. At some point you get tired of making stuff up.

Multiple articles point to this exact strategy as too aggressive and leading to the post-it note problem.
But like most security things, no one wants to be the organization to diverge from the "herd security theater beliefs".
  1. Must change password every 3 months.
  2. Cannot reuse a password for at least 3 years. Password must be 8 characters or longer.
  3. Every account you have must have a unique password.
  4. Can’t use names of relatives or address names of places you have lived or the names of schools you attended.
  5. Must have $,#,!,& somewhere in the password. Can’t have other characters like _,\,%,£,¥,€.
  6. Password managers aren’t allowed. You also aren’t supposed to write your passwords down.
Other than the reuse, must-be-unique and character requirements, they really can’t check your passwords against the rest of these rules. I guess if your company's account is hacked and they find out you broke a rule they could nail you.

But it’s all just hypothetical because no one EVER violates any of these rules and we remember each and every password with no assistance.

Holy smokes, that is insane. Without a password manager how could anyone remember more than 2-3 reliably??
 
I mean if I have to create an account on some random website just to do something I'm only going to do once and then never again, like download a PDF, then you bet I'm going to use the weakest password ever. 80% of the accounts I create are accounts I will never return to. Not all accounts are important to people, and if they get hacked, nothing happens, as long as you didn't use the same password for something more important.
 
My job requires us to change multiple passwords every 3 months.

Not that IT at your job likely cares, but the National Institute of Standards has recommendations for passwords, and that is a SHOULD NOT.

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
 
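As an added illustration (not from the thread and not NIST's own code) of the verifier behaviour the quoted SP 800-63B text describes: a Python check that applies only a length check and a blocklist, beside the thread's rule 5 for contrast. The blocklist entries are constructed for the example; a real verifier would load a large breach-derived list.

```python
import unicodedata

# Constructed stand-in for a list of compromised / commonly used passwords.
# A real verifier loads a large list (e.g. from known breaches); these few
# entries, including values mentioned in this thread, are only for illustration.
BLOCKLIST = {"123456", "password", "qwerty", "00000000", "wrong", "incorrect"}

MIN_LEN = 8   # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 64  # SP 800-63B: verifiers must allow at least 64 characters

def normalize(secret):
    """Apply Unicode NFKC normalization (recommended by SP 800-63B) so the same
    visible string typed on different keyboards compares equal."""
    return unicodedata.normalize("NFKC", secret)

def check_memorized_secret(secret, context_words=(), blocklist=BLOCKLIST):
    """Return (accepted, reason) using only the checks SP 800-63B allows:
    length, and a blocklist of compromised/common/context-specific values.
    No composition rules and no periodic expiry are applied."""
    s = normalize(secret)
    n = len(s)  # code points, so an accented or Cyrillic letter counts as one
    if n < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if n > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    folded = s.casefold()
    if folded in blocklist:
        return False, "appears on the compromised/common password list"
    for word in context_words:  # e.g. username, service name, company name
        if word and word.casefold() in folded:
            return False, "contains a context-specific word (%s)" % word
    return True, "ok"

def legacy_policy(secret):
    """Rule 5 from the thread's corporate policy, for contrast: length 8+,
    at least one of $ # ! & and none of _ \\ % £ ¥ €."""
    required = set("$#!&")
    banned = set("_\\%£¥€")
    chars = set(secret)
    return len(secret) >= 8 and bool(chars & required) and not (chars & banned)

if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Password", "Пароль12", "Tr0ub4dor&3"]:
        print(repr(pw), check_memorized_secret(pw), "legacy:", legacy_policy(pw))
```

Note that the long passphrase passes the NIST-style check but fails the corporate rule 5, while a short keyboard-pattern password with one `&` passes rule 5; only the blocklist catches known-weak values.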
It’s interesting to see the ‘Top ten most popular passwords’, which must mean those passwords were exposed at one point to know exactly how ‘popular’ they really are.

Anyways, always use a combination of alphanumeric characters; I wouldn’t recommend using just numbers or words separately. The lengthier, the more secure.
 
Holy smokes, that is insane. Without a password manager how could anyone remember more than 2-3 reliably??

I work for a small company and I think if someone audited our accounts and checked for either physical notes or ones stored on personal devices then the percentage of people violating at least some of these rules is probably 100%, including the owners. I can’t prove that, but no one can remember all those requirements, especially over 3 years and without having a list somehow somewhere of what you have used previously.

I think it ends up more for show. When customers ask what security we have in place they trot these rules out.
 
One of the good things about being bilingual is I can make all my passwords in another language.
 
I know a lot of websites enforce a minimum password length, must use a certain number of characters, special characters, numbers, and they can’t be repeating and so on.

Knowing that people will likely choose the bare minimum to make it easy to remember, wouldn’t adding arbitrary rules make it easier to crack passwords because you are adding more information about what the password could be?
 
I take the XKCD approach to password creation—a sentence comprised of nonsensical but easy to remember words.
Unless you use some dialect of old Greek or another rare language, those passwords are very quickly cracked. You just take the dictionary of the most common English (and other common languages) and run it through. A computer from the 90s will use less than a second on this task if your password is less than 6-8 words.
 
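Worked numbers for the question raised in the two posts above (whether composition rules shrink the search space, and how a passphrase built from a public word list compares), as an added example that is not part of the thread. The 7776-word list, the 20,000-word dictionary used to model the "bare minimum" habit, and the guess rate are assumptions chosen for illustration.

```python
import math

PRINTABLE_ASCII = 95           # all printable ASCII characters
LETTERS_DIGITS = 26 + 26 + 10  # characters the thread's rule 5 leaves unrestricted
REQUIRED_SPECIALS = 4          # $ # ! &  (rule 5 demands at least one of these)
DICEWARE_WORDS = 7776          # assumption: a standard 6^5-entry passphrase word list

def bits(keyspace):
    """Entropy in bits of a value chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)

def unconstrained_keyspace(length):
    """Any printable-ASCII password of exactly `length` characters."""
    return PRINTABLE_ASCII ** length

def rule5_keyspace(length):
    """Passwords of exactly `length` chars drawn from letters, digits and $#!&
    that contain at least one of $#!& (all such strings minus those with none)."""
    allowed = LETTERS_DIGITS + REQUIRED_SPECIALS
    return allowed ** length - LETTERS_DIGITS ** length

def minimal_compliance_keyspace(dictionary_size=20000, digits=100):
    """Assumed 'bare minimum' habit from the post above: one lowercase dictionary
    word, one required special and two digits. The rule has told the attacker the
    structure, so only the choices inside that structure count."""
    return dictionary_size * REQUIRED_SPECIALS * digits

def passphrase_keyspace(words, wordlist_size=DICEWARE_WORDS):
    """A passphrase of `words` words chosen uniformly from a public list
    (the attacker is assumed to know the list, as the post above notes)."""
    return wordlist_size ** words

def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time for an attacker who can test the whole space at that rate."""
    return keyspace / guesses_per_second

if __name__ == "__main__":
    rate = 1e10  # assumption: offline guessing against a fast, unsalted hash
    for label, space in [
        ("8 chars, any printable ASCII", unconstrained_keyspace(8)),
        ("8 chars, rule 5 policy", rule5_keyspace(8)),
        ("rule 5, minimal-compliance habit", minimal_compliance_keyspace()),
        ("4-word passphrase", passphrase_keyspace(4)),
        ("6-word passphrase", passphrase_keyspace(6)),
    ]:
        print("%-34s %6.1f bits  %12.3g s to exhaust"
              % (label, bits(space), seconds_to_exhaust(space, rate)))
```

The exact-length rule 5 space is about 47 bits against roughly 52.6 bits for unconstrained 8-character passwords, the modelled minimal-compliance habit drops to about 23 bits, and a 4-word passphrase from a known 7776-word list is about 51.7 bits, rising to roughly 77.5 bits at 6 words.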
“00000000”
The hard part in those days was telling which were the zeros and which were the ohs.

And later when fonts were invented: "do we slash the zero or the ohs?"

and then there was teletype 5 hole paper tape where the shift char got dropped.

---------------------------------------

I like the word WRONG or INCORRECT as a password; then, depending on the computer system, it will tell you the password if you do not get it right, i.e. "sorry, your password is wrong".
 
I work for a small company and I think if someone audited our accounts and checked for either physical notes or ones stored on personal devices then the percentage of people violating at least some of these rules is probably 100%, including the owners. I can’t prove that but no one can remember all those requirements-especially over 3 years and without having a list somehow somewhere of what you have used previously.

I think it ends up more for show. When customers ask what security we have in place they trot these rules out.

What's crazy is 2-factor authentication is easy to add to most systems nowadays, which mitigates a lot of these password change issues.
 
Why people are not using an app with password generators confuses me.

I don't think I know a single person who does that, and I'm a rather tech-savvy person, and I work with a lot of tech-savvy people.

People don't do it for the same reason they don't turn on Two Factor authentication - it's confusing and requires too much setup.

For people to use that, it'd have to be 100% automatic, and somehow sync across all your devices, without any setup at all.

... I have to confess that my bank phone secret word is in this article, though. But you have to enter my account number, passcode, date of birth, SSN, before they ask for the secret word... and it's so infrequent that I need it that I intentionally made it stupid easy to remember.
 
What's crazy is 2-factor authentication is easy to add to most systems nowadays, which mitigates a lot of these password change issues.

That means changing a system that’s been in place for years, and because we are a small company and hire out our IT it means paying that company to come up with new security protocols. Basically we don’t know that there’s been a problem, everyone is turning a blind eye to what is really going on, and fixing this situation that hasn’t caused a problem will cost.

We honestly don’t know if it really HAS caused a problem but honestly I don’t think so. Our company is too small, and too specialized to generate a lot of interest from hackers, competitors, etc. It would be more profitable to break into our banking and accounting and they have an outside company handle that so the rules probably aren’t the same. I don’t know for certain because I’m not in accounting.
 