To help users stay safe, SplashData said that their passwords should be no shorter than twelve characters and have mixed types of characters in each one.
We already know that this is BAD advice. Not only does this make passwords hard to remember, it makes no difference to the bots brute-forcing the password.

An actually good password is in the form of a sentence. It's easier to remember, and it's way longer than 12 characters.
 
No one is saying anyone shouldn’t use ‘XYZ’ for a password. I think we all understand the ‘Risks’, but the article is clearly indicating how little effort someone is taking when they use a common password for their bank accounts or company log-in, etc., that should require more thought in today’s world of cyber infiltration.

Companies are when I have a perfectly safe password but they don’t think it’s good enough cause it doesn’t fit their criteria.
 
My work has a similar policy except that it’s even more aggressive in that I have to change it every 30 days! :mad:

  1. Must change password every 3 months.
  2. Cannot reuse a password for at least 3 years. Password must be 8 characters or longer.
  3. Every account you have must have a unique password.
  4. Can’t use names of relatives or address names of places you have lived or the names of schools you attended.
  5. Must have $,#,!,& somewhere in the password. Can’t have other characters like _,\,%,£,¥,€.
  6. Password managers aren’t allowed. You also aren’t supposed to write your passwords down.
Other than the reuse, must-be-unique and character requirements, they really can’t check your passwords against the rest of these rules. I guess if your company's account is hacked and they find out you broke a rule they could nail you.

But it’s all just hypothetical because no one EVER violates any of these rules and we remember each and every password with no assistance.

Multiple articles point to this exact strategy as too aggressive and say it leads to the post-it note problem.
But like most security things, no one wants to be the organization to diverge from the "herd security theater beliefs".

Holy smokes, that is insane. Without a password manager how could anyone remember more than 2-3 reliably??

Not that IT at your job likely cares, but the National Institute of Standards has recommendations for passwords, and that is a SHOULD NOT.
 
I never understood why companies enforce changing passwords after X days or whatever. Mostly people just enumerate passwords so it doesn’t make it any more secure:

password1, password2, password3, and so on
 
It's not that great, not one special character. :)

Not that great....:rolleyes:




Or 10^48 X 17576(CTV=26x26x26)

Infinity already after about 20 characters; this was on a Core i5. Get the fastest computer ever and it will still be infinity, even if it's all numbers; the computer does not know if the sequence is all numbers or not, and in this (Data) case it wasn't.

Edit: there's most likely a secret message hiding in Data's password sequence. As I mentioned before, there's the CTV, Cable TV, and the more I look at the numbers the more I think there's something more to it.


I never understood why companies enforce changing passwords after X days or whatever. Mostly people just enumerate passwords so it doesn’t make it any more secure:

password1, password2, password3, and so on


Exactly, we do the same at my job; there are some restrictions but it's similar to this:

Ab2017_100, in 6 months we just input Ab2017_200, next year Ab2018_100, so this is just counteractive.
 
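An added example, not from any poster in this thread, of a server-side password-change check that rejects the digit-increment rotations described in the two posts above (password1 → password2, Ab2017_100 → Ab2017_200 → Ab2018_100) and screens against a common-password list. The list entries and sample passwords are constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed stand-in for a "most common passwords" list; a real deployment
# would load a large breached-password corpus instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "password1", "123456789"}


def skeleton(password: str) -> str:
    """Lowercase the password and strip every run of digits.

    'password1' / 'password2' and 'Ab2017_100' / 'Ab2018_200' all collapse to
    the same skeleton, which is exactly the predictable pattern that forced
    rotation tends to produce.
    """
    return re.sub(r"\d+", "", password.lower())


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password differs from the old one only in its digits."""
    if old == new:
        return False  # identical reuse is reported separately
    return skeleton(old) == skeleton(new)


def check_new_password(old: Optional[str], new: str, min_len: int = 8) -> List[str]:
    """Return the list of policy problems with `new`; an empty list means accept.

    Checks: minimum length, presence on the common-password list, exact reuse of
    the previous password, and digit-only changes from the previous password.
    """
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if new.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if old is not None:
        if new == old:
            problems.append("same as previous password")
        elif is_trivial_rotation(old, new):
            problems.append("digit-only change from previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("password1", "password2"), ("Ab2017_100", "Ab2018_100"),
                     ("Ab2017_100", "violable.pelf.padding.startle")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```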
Huhuuuu, I won again - my password is number one on the list!!!
You know you're not supposed to reuse the same password, right? So you should be using all of the passwords on the list, not just the first one.
 
The "users" name is also a big one haha! Nothing like cryptic secure passwords.

Remember the standard rule: 99% of what you read on the internet (and yes, this includes macrumors) is clickbait.

In this case, specifically, the question that isn't asked is: WTF cares?
I would say that at least 80% of the sites where I am required to use passwords are utter ********. I don't give a fsck about password protection when I register with ARM.com because that's the only way I can download their damn technical material. Same with IBM. Same with various slideware sites. Do I care very much about the password I am forced to use for various comment registration sites? Not especially. Etc., etc.

My guess is that pretty much EVERY ONE of these low quality passwords is being used for ******** registration purposes, essentially as a protest by the person being registered of "this is how much I respect your attempt to acquire my email address under the PRETENSE that you care about my security".
 
Can someone explain to me how they can do a survey on people's passwords when passwords are secret?
 
This is my password for MR.

violable.pelf.padding.startle.darksome.rift.evidence.anybody.manasses.hackle

There. Now people know. My password has made the list!
 
Multiple articles point to this exact strategy as too aggressive and say it leads to the post-it note problem.
But like most security things, no one wants to be the organization to diverge from the "herd security theater beliefs".

Holy smokes, that is insane. Without a password manager how could anyone remember more than 2-3 reliably??

I find the best approach is to come up with an algorithm you can use to create these secure passwords as often as necessary. If you ever forget a password, you can just refer to your algorithm. Memorize the algorithm, and no problem.
 
When it comes to a password that you have to type in multiple times a day, I can understand why some people would go with a simple one that is easily remembered, especially if they think that the odds of them getting hacked are very low.

For me, I use 1Password to randomly generate all my passwords, but it also means I need to refer to my phone or Apple Watch when I want to log in to my work laptop, because it takes me a while to commit it to memory. Repeat this every 3 months when we have to reset it, and you see why the take-up rate is so low.
 