There are so many password management programs, so how come, in articles like this, it's always 1Password or LastPass that get mentioned? Is it because these are so outright superior to all the other password software? Or is it because they've got marketing deals to get their name mentioned?

I use mSecure, which is fairly frill-free but gets the job done simply without being distracted by lots of features I'll never use.
 
Maybe a silly question, but I never used one of those tools before. (Yes, I admit I am too lazy.) What if you want to sign in on a phone or a computer that doesn't have the tools? How will I be able to sign in if I don't know that auto-generated password?

1Password and, I think, others will give you the ability to reveal the complex password.
1Password has a computer client, so you can use it on your computer. I also got a browser that auto-fills the password in the required fields.
 
I don't get why people make passwords so hard to remember. 1Password and LastPass don't make it any easier, nor do those password strength meters.

See, the password "password" is a dictionary word. It's easy to guess, and easy to remember.

The password "P@5sw0rD" is not a dictionary word. It's easy to guess, and hard to remember.

However, "ThisIsMyComplicatedPassword" is also not a dictionary word although it contains several dictionary words. It's hard to guess, and easy to remember.
 
It's from xkcd.com

I would rather use a passphrase, but many sites these days require you to have a capital letter, number, and symbol, which I have a hard time remembering. Many still also have length limits.

With all the hacks last year, it seems like the weaknesses are more the servers than the passwords themselves.

You can totally use passphrases. Here is an example:
terraphantmIs#1
#
 
I don't get why people make passwords so hard to remember. 1Password and LastPass don't make it any easier, nor do those password strength meters.

See, the password "password" is a dictionary word. It's easy to guess, and easy to remember.

The password "P@5sw0rD" is not a dictionary word. It's easy to guess, and hard to remember.

However, "ThisIsMyComplicatedPassword" is also not a dictionary word although it contains several dictionary words. It's hard to guess, and easy to remember.
Yes, they do. Password managers eliminate the need to memorize most passwords altogether and also make them unbreakable. A truly random password of length 16 consisting just of lower case letters has more than 2^64 combinations. No computer will ever brute-force that.
Making long, hard-to-crack but easy-to-remember passwords using passphrases, as you suggest, is OK for one or two main passwords, but it is a hopelessly bad strategy for managing all your passwords.
Most people have way too many important passwords that should be unique for that to work: several bank and credit card passwords, several email account passwords, several utilities passwords (cable, heating, etc.), insurance, social networks (Twitter, Facebook and so on), online shopping (eBay, Amazon, PayPal), travel sites (Travelocity, Expedia).
This is 20+ passwords minimum. For most people it's 30+. No regular person can memorize so many different passwords even if they are all passphrases. So if you are not using a password manager, you inevitably end up using the same password for multiple sites, which is a really bad idea for the sites I listed, which all have access to a lot of your financial and personal info.
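The numbers argued over in this thread (the 2^64 claim above, the xkcd four-word passphrase, the 8-character bank limit and the 4-digit airline PIN mentioned later) worked through as an added example; this is not code from the thread or from any password manager, and the guess rate and word-list size are assumptions.

```python
import math
import secrets

# Character-class sizes assumed for the estimates (printable ASCII).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32

def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)

def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a word list (the xkcd estimate)."""
    return words * math.log2(wordlist_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed guess rate (offline attack against a leaked hash)."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)

# Password policies mentioned in this thread, weakest to strongest.
POLICIES = {
    "United: 4-digit PIN": random_password_bits(DIGITS, 4),
    "bank: max 8 chars, mixed case + digit + special": random_password_bits(LOWER + UPPER + DIGITS + SPECIAL, 8),
    "xkcd: 4 common words from a 2048-word list": passphrase_bits(2048, 4),
    "manager: 16 random lowercase letters": random_password_bits(LOWER, 16),
    "manager: 20 random printable characters": random_password_bits(LOWER + UPPER + DIGITS + SPECIAL, 20),
}

# Constructed toy word list; a real passphrase needs a list of thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "cloud", "keychain", "vault", "random"]

def make_passphrase(wordlist, n_words=4):
    """Draw words with the OS CSPRNG (secrets), never random.choice, which is predictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    rate = 1e10  # assumed: 10 billion guesses/s against a fast, unsalted hash
    for name, bits in POLICIES.items():
        print(f"{name:48s} {bits:5.1f} bits  exhaustive search: {years_to_exhaust(bits, rate):9.2e} years")
    print("sample passphrase:", make_passphrase(WORDS))
```

Note that the bank's 8-character complex password (about 52 bits) beats the four-word xkcd phrase (44 bits) on paper, but the 16-lowercase manager password (about 75 bits) beats both, and the user never has to remember it.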
 
I like to use really long phrases or sentences as passwords. Easy to remember but hard to guess or crack.

----------

I don't get why people make passwords so hard to remember. 1Password and LastPass don't make it any easier, nor do those password strength meters.

See, the password "password" is a dictionary word. It's easy to guess, and easy to remember.

The password "P@5sw0rD" is not a dictionary word. It's easy to guess, and hard to remember.

However, "ThisIsMyComplicatedPassword" is also not a dictionary word although it contains several dictionary words. It's hard to guess, and easy to remember.

Agreed.
 
It will of course depend on the websites that have had their information leaked. Pre iCloud Keychain, if I signed up to a website to simply trial it, I'd supply a terrible password too, as I would not trust them to store my "real" passwords correctly. Whilst I doubt this will account for all of the reasons, it could certainly account for some of them.
 
password apps

I've not explored password apps. I have a document that I keep with my passwords, and that doc is not shared anywhere in any way. I do have a backup copy.
But I'm afraid to use an app like 1Password because if I lost my device, how would I be able to log in to all of my sites that relied on that app?
I'm missing something here. If it is in a cloud, then it is not secure. If it is somewhere retrievable, then it's not secure. Right? That app would be password protected... so not totally secure.
 
True. I think the problem is that many people created some sort of account prior to 2006 (or before the time that >8-character alphanumeric passwords were strictly enforced). The websites never bothered to ask people to change, so they just kind of keep using the same old password.

Actually my bank (a big bank) has a restriction that the password can't be more than 8 characters long. They do however require an alphanumeric, mixed-case password with a special character.
 
Actually my bank (a big bank) has a restriction that the password can't be more than 8 characters long. They do however require an alphanumeric, mixed-case password with a special character.

Many sites have such requirements, and though they seem like a pain, it's a good idea.
 
So many sites want a registration for every little thing. It's stupid to think all those "123456" passwords are for serious accounts. It's mostly people who couldn't care less about the security of their throw away accounts.
 
Many sites have such requirements, and though they seem like a pain, it's a good idea.

My point was based on the XKCD cartoon on page 1 which seemed to suggest that the "complication" of the password mattered less than the character length in the face of brute force attacks.
 
totally related to Apple/Mac somehow.

Given that this is an Apple-centric site, I'm really surprised that there is reference to (advertising for?) paid password managers in the article with no mention of the excellent (and FREE) iCloud Keychain built into iOS 7 and later, and synced to OS X via an encrypted iCloud connection.

The best practical advice for folks using all Apple gear is to use this in combination with 1. site-unique passwords generated by the keychain and 2. enabling as much two-factor authentication as is possible on the sites you visit.

For those using a Balkanized set-up of Apple and non-Apple gear, who still prefer to use Safari on their Apple gear, a free solution is still possible (but not fully automated regarding syncing). Install a web browser with an integral password manager (like Firefox or Chrome, etc.). With no automated syncing between these two systems, you will have to manually enter authentication data in the corresponding system during set-up and after any password changes, but otherwise you will have all the benefits of a competent and safe password manager for free.

For those not wedded to using Safari on their Apple gear, then use Chrome on all your gear to get authentication syncing among your devices (this should eventually become possible with Firefox once they release an iOS app.)

There is no need to spend money on a 3rd party password manager unless it offers additional features that you need; the OEM password managers are solid and probably enough for the majority of casual users.

If you follow these instructions, you will have a strong unique password for every site, cross-site breach risk will be eliminated, you will never have to guess a password again, and you will have no need to maintain a password list in Excel (also, make sure you have a valid recovery email address on file with every site, on the slim chance something gets borked and you have to reset your password).

In the end, the only password you will need to remember is the one for your Apple ID. (And keep it safe, as it IS the golden key to all of your other passwords!)
 
a) Change your password to 'incorrect'. When you forget it the app reminds you by saying 'your password is incorrect.'

Or change it to ****** so it displays properly when you enter it.
 
Password managers are a must. People don't need to memorize passwords for sites. That is the entire idea behind these password managers. 1Password and LastPass even mention it as so: "The only password you need to know" or "The last password you will ever memorize".

You only need to make one safe and secure master password and memorize that ONE password. That is IT. Let 1Password or LastPass make ridiculous, random, and long passwords for everything else you use.

Also, for the security questions that most sites require, use the password manager and store the questions and responses in a secure note/vault. For the responses, use a random, long, ridiculous password-like value.

Example:
What was the name of your first pet?
iluvg87GVGg97g8ov(^vo8&FO*voyc76vo*G

I have 1Password; I just find that to be safer since I need to have the vault locally or synced with iCloud. I use a 70 character password for the master password. I followed the xkcd style, so it was very, very easy to remember.

correct horse battery staple

is much easier to remember than

b8ibvg*&8obo8&G(8voIUBpiuvouycxI*Ig87b*(Oivuipucv7g8CY&

The password managers do not have restrictions like some websites do. Use a very safe, very long, xkcd-like password for your master password. Let your password manager do the rest. Use a unique password PER SITE. You don't have to remember them anymore, so there is no reason to use the same passwords.
 
I've not explored password apps. I have a document that I keep with my passwords, and that doc is not shared anywhere in any way. I do have a backup copy.
But I'm afraid to use an app like 1Password because if I lost my device, how would I be able to log in to all of my sites that relied on that app?
I'm missing something here. If it is in a cloud, then it is not secure. If it is somewhere retrievable, then it's not secure. Right? That app would be password protected... so not totally secure.

I find it more secure than LastPass. With 1Password you can use iCloud sync (or Wi-Fi sync). For iCloud sync to work, you must use an Apple device associated with your iCloud account.

Also, it just syncs the vault. You still need to authenticate by logging in. The vault is encrypted. Just getting a copy of the vault means nothing.

Just make it about a 50 character long xkcd-like password and you should be good. If you get an email from Apple saying JoeSomebody's iPhone was used to log in to iCloud, you can take action and change all the passwords and the master password.
 
This has very little to do with passwords and everything to do with how little some people value their data. Practicing complacency and denial they live happily ever after.
 
I can't believe you linked to your article about the celebrity iCloud hack and titled it a "well-known iCloud breach", when the title of the linked article says "Not a breach"
 
I'm surprised b2LWTtC^Uk&otyJbMXCsNXk,wRgW%67*4koU)34(*42{.6V8RW didn't make it to top 10.
 
I like to use really long phrases or sentences as passwords. Easy to remember but hard to guess or crack.

----------

Agreed.

Yup. And in reality, it's these websites that are to blame. One of my local banks doesn't allow passwords longer than 8 characters. United Airlines before the merger allowed 4-digit PINs. There's no way to remove it now. So most passwords are stuck on 4 digits, not even 4 characters. I contacted their security group and their response was "United takes security very seriously."
 