yes, they do. password managers eliminate the need to memorize most passwords altogether and also make them unbreakable. a truly random password of length 16 consisting just of lower case letters has more than 2^64 combinations. no computer will ever brute-force that.
making long hard to crack but easy to remember passwords using pass phrases as you suggest is ok for one or two main passwords but is a hopelessly bad strategy for managing all your passwords.
Most people have way too many important passwords that should be unique for that to work: several bank and credit card passwords, several email account passwords, several utilities passwords (cable, heating, etc.), insurance, social networks (twitter, facebook and so on), online shopping (ebay, amazon, paypal), travel sites (travelocity, expedia).
This is 20+ passwords minimum. for most people it's 30+. No regular person can memorize so many different passwords even if they are all pass phrases. so if you are not using a password manager you inevitably end up using the same password for multiple sites which is a really bad idea for sites that I listed which all have access to a lot of your financial and personal info.

That's why you keep 3-5 passphrases. One for social, one for forums, one for banking, and one for shopping.

ThisLittleBirdieWentToTarget
ThisGuyStoleMyVisaCard

This makes it easy to differentiate between shopping and banking.


The password managers are only as good as their ability to be updated and available. If my iPhone breaks, and I need to log into my account to transfer money because I'm stuck somewhere, I'm SOL. Why? Because my banking password was in 1Password and my email account to reset my password is also in 1Password. And since my iPhone broke, I can't even use 2-factor auth.

So tell me again, how are password managers better? :rolleyes:
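
On the earlier claim in this thread that 16 random lowercase letters give more than 2^64 combinations, here is an added example that is not from any post in the thread: it generates such a password with the OS CSPRNG and sizes the keyspace. The 10^12 guesses/s rate, the 7776-word diceware list size and the helper names are assumptions.

```python
import math
import secrets
import string

# Added example (not from the thread): generate a uniformly random password with the
# OS CSPRNG and size the brute-force work it implies. Names and rates are assumptions.
LOWER = string.ascii_lowercase                                  # 26 symbols
MIXED = string.ascii_letters + string.digits + "!@#$%^&*-_=+"   # 74 symbols


def generate_password(length, alphabet=LOWER):
    """secrets.choice draws from the OS CSPRNG; random.choice is seedable and NOT suitable."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """A uniformly random string of `length` symbols has length * log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a given guess rate (offline attack)."""
    return (2.0 ** bits) / guesses_per_second


def diceware_words_for(bits, wordlist_size=7776):
    """Passphrase length (random words from a 7776-word list, ~12.9 bits each) giving the same bits."""
    return math.ceil(bits / math.log2(wordlist_size))


if __name__ == "__main__":
    bits = entropy_bits(16, len(LOWER))
    print(f"16 lowercase letters: {bits:.1f} bits (2^64 is 64 bits)")
    years = seconds_to_exhaust(bits, 1e12) / (365.25 * 24 * 3600)   # assumed 10^12 guesses/s
    print(f"  exhaustive search at 1e12 guesses/s: {years:,.0f} years")
    print(f"  equivalent passphrase: {diceware_words_for(bits)} random diceware words")
    print("  sample:", generate_password(16))
    print("  sample (74-symbol alphabet, 12 chars):", generate_password(12, MIXED))
```

26^16 is about 2^75.2, so the claim holds with margin, and six random diceware words buy the same strength for the one or two passwords you do have to memorize. The guess rate only matters for an offline attack on a stolen hash; an online login form never gets anywhere near it.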
 
For this reason, my Dropbox.com password isn't as secure as I'd like. From time to time, I have to use this process to access my passwords from a computer that's not mine.

Use two-factor authentication for DropBox.
 
Don't blame the password, blame the service

Brute force password hacks involve repeatedly trying passwords based on a dictionary of often used passwords. Obviously if you use a password on this list you are going to be hacked quickly, but the problem mostly lies in a system that allows repeated failed attempts using random passwords until one succeeds.

People forget their passwords. I have about 6 in rotation with a few variations of each in use, and there are a few times where I might type in the wrong variant once or twice before I remember the one that I use for that account. However, for a system that allows a user to enter dozens, hundreds, or even thousands of failed passwords before hitting the right one, a reasonable and sane approach is to shut down the account and notify the owner that either they are a complete idiot, or that someone has hacked and found the correct password to access the account.

I can easily envision a password authentication service that looks at your trends and determines whether you are just slightly forgetful of what password to use, or if someone is obviously trying to hack into your account. If the passwords used are completely different on each failed attempt, then this is an obvious hack. If the IPs of the source of the failed attempt are random or in completely different regions of the planet than the last successful attempt, that is an obvious hack. One failed login every hour, day, week or even month suggests a low level brute force attack.

The idea that any hacker can try a bunch of passwords and break into someone's account is ludicrous today and represents either an ignorance or laziness about the authentication schemes used by the most popular cloud services.

Yes, obviously if your password is "password" or "123456" it won't take much to get in, but even slight variations of these passwords would involve having to make several failed attempts, and these should be painfully obvious for any well defined authentication service.

Ultimately, I think that services have to be less "forgiving" about failed login attempts even if it is from the legitimate account user. If it takes you 3, 4, 5 failed attempts to login then you should be shut out and prove you are the legitimate owner of the account. I think too often authentication systems are set up assuming users are idiots that can't remember a password and must make dozens of failed attempts, but I think that has to change.

3 strikes you're out should be the ultimate rule for any authentication system, regardless of the amount of time between logins. If people are forced into painful account recovery methods they will better manage and remember their passwords. It's not 1980 anymore, passwords are not a burden, they are a reality of a secure cloud.
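
The trend-based checks described in the post above (a burst of failures, sources scattered across networks, one failure an hour or a day) as an added example that is not part of the original post. The log format, the thresholds and the use of /24 networks as a stand-in for "different regions" are assumptions, and the log lines are constructed from documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_network

# Added example (not from the thread): flag suspicious failed-login patterns per account.
# The log format, field names and thresholds are assumptions for illustration.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>OK|FAIL)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# alice is hammered in 40 seconds, bob mistypes once then succeeds,
# carol gets one failure a night from a different network each time.
SAMPLE_LOG = """\
2015-01-20T10:00:01Z user=alice src=198.51.100.7 result=FAIL
2015-01-20T10:00:09Z user=alice src=198.51.100.7 result=FAIL
2015-01-20T10:00:17Z user=alice src=198.51.100.7 result=FAIL
2015-01-20T10:00:24Z user=alice src=198.51.100.7 result=FAIL
2015-01-20T10:00:31Z user=alice src=198.51.100.7 result=FAIL
2015-01-20T10:00:40Z user=alice src=198.51.100.7 result=FAIL
2015-01-20T10:05:00Z user=bob src=203.0.113.5 result=FAIL
2015-01-20T10:05:20Z user=bob src=203.0.113.5 result=OK
2015-01-16T03:12:00Z user=carol src=192.0.2.10 result=FAIL
2015-01-17T03:40:00Z user=carol src=198.51.100.200 result=FAIL
2015-01-18T02:55:00Z user=carol src=203.0.113.77 result=FAIL
2015-01-19T03:05:00Z user=carol src=192.0.2.140 result=FAIL
2015-01-20T03:30:00Z user=carol src=198.51.100.9 result=FAIL
""".splitlines()


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised auth log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"], m["res"] == "OK"


def analyse(lines, max_fails=5, window_s=900, min_networks=3, slow_gap_s=3600):
    """Return {user: [flags]} for accounts whose failures since their last success look hostile."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, src, ok = parse_line(line)
        per_user[user].append((ts, src, ok))

    findings = {}
    for user, events in per_user.items():
        events.sort()
        # A success resets the account: only failures after the last OK are judged.
        last_ok = max((i for i, e in enumerate(events) if e[2]), default=-1)
        fails = [(ts, src) for ts, src, ok in events[last_ok + 1:] if not ok]
        flags = set()

        # Burst: max_fails failures inside window_s -> lock and make the owner prove ownership.
        for i in range(len(fails) - max_fails + 1):
            if (fails[i + max_fails - 1][0] - fails[i][0]).total_seconds() <= window_s:
                flags.add("lockout")
                break

        # Distributed: failures from several /24s (IPv4 assumed; stand-in for "different regions").
        nets = {ip_network(f"{src}/24", strict=False) for _, src in fails}
        if len(nets) >= min_networks:
            flags.add("distributed")

        # Low-and-slow: enough failures, each at least slow_gap_s apart, and never a success.
        if len(fails) >= max_fails:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(fails, fails[1:])]
            if min(gaps) >= slow_gap_s:
                flags.add("low_and_slow")

        if flags:
            findings[user] = sorted(flags)
    return findings


if __name__ == "__main__":
    for user, flags in analyse(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(flags)}")
```

Failures are counted only since the account's last success, so a forgetful owner who gets it right on the third try clears their own counter, while an attacker who never succeeds keeps accumulating even at one guess a day. Locking is only worth anything if the unlock path (mail, a second factor) is harder for the attacker than the login itself.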
 
I've not explored password apps. I have a document that I keep with my passwords and that doc is not shared anywhere in any way. I do have a back up copy.
But, I'm afraid to use an app like 1password because if I lost my device, how would I be able to log in to all of my sites that relied on that app?
I'm missing something here. If it is in a cloud, then it is not secure. If it is somewhere retrievable, then it's not secure. Right? That app would be password protected... so not totally secure.

Here is how it works. You have an app that accesses a "vault" that you open with a master password. I use 1Password. When I set up a log in, I ask it to generate a password (you can specify the formula that it uses and the length). It then stores that password. There are browser plugins so that when I hit a site, I access the plugin (in Safari I right click), enter my master password and 1Pass puts my complex password in.

I sync my vault with Dropbox so all my Macs and my phone have updated passwords. When I get to a machine that is not mine, I open the 1Password app on my phone and I have to read and type my password into the website. Not elegant, but not that much of a hassle.

The bad thing about 1Password is that they make you pay for each platform, so I had to pay for Mac, iPhone and PC versions, which sucks. But I love the app.

Edit: As far as security, nothing is secure, including your word file. You're going to have to take some kind of leap of faith. If you can't trust storing things in the cloud you are going to have a frustrating future.
 
I also wanted to point out that you can be compelled to provide biometric data. For example, the police show up at my house with a warrant to search my phone. If I have Touch ID enabled they can force me to put my finger on the button and open my phone. If I have a password I can tell them to piss off.
 
That uses the exact same data; how is it any different? It also mentions SplashData and SplashID. We're in no way advertising SplashID, but felt it deserved a mention since SplashData did the work putting together the report.

There's a difference between a mention and actively promoting a product. I also just grabbed any link to the story. There are FAR better out there which either provide more detail or didn't have the fluff filler.
 
[quoting the post above: "As far as security, nothing is secure, including your word file. ... If you can't trust storing things in the cloud you are going to have a frustrating future."]

If I might add to that security topic. It is not like sharing a word document. These password vaults are encrypted. Just getting someones vault means nothing. If you guess their master password or crack the encryption, then it is different.
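
How a master-password vault like the one described a few posts up can hold up when the file itself leaks, which is the point made above that just getting someone's vault means nothing. This is an added example, not 1Password's code or file format; the KDF parameters, the on-disk layout and the cipher construction are assumptions. scrypt derives the keys from the master password, and the content is protected with encrypt-then-MAC using an HMAC-SHA256 counter keystream, a stand-in for AES-GCM because the Python standard library ships no AEAD.

```python
import hashlib
import hmac
import json
import os
import struct

# Added example (not 1Password's code): a minimal encrypted vault file. Format and
# parameters are assumptions. scrypt is the master-password KDF; the cipher is
# encrypt-then-MAC with an HMAC-SHA256 counter keystream, a stand-in for AES-GCM
# because the standard library ships no AEAD.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB per derivation


def _derive_keys(master_password, salt):
    """Memory-hard KDF: every master-password guess against a stolen vault costs this much."""
    km = hashlib.scrypt(master_password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, maxmem=2 ** 26, dklen=64)
    return km[:32], km[32:]   # independent encryption and MAC keys


def _keystream(enc_key, nonce, length):
    """Counter mode: block i = HMAC(enc_key, nonce || i); never reused because the nonce is fresh."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(entries, master_password):
    """entries: {site: {"user": ..., "password": ...}} -> opaque bytes safe to sync via Dropbox."""
    salt, nonce = os.urandom(16), os.urandom(16)   # fresh per write
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(blob, master_password):
    """Verify the tag BEFORE decrypting; a wrong password and a modified file both fail here."""
    if len(blob) < 64:
        raise ValueError("truncated vault")
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def try_open_vault(blob, master_password):
    """Convenience for callers that want None instead of an exception on failure."""
    try:
        return open_vault(blob, master_password)
    except ValueError:
        return None


if __name__ == "__main__":
    vault = seal_vault({"bank.example": {"user": "alice", "password": "xq4tmvb8kzlpwnyr"}},
                       "correct horse battery staple")
    print(len(vault), "bytes on disk; opened:", open_vault(vault, "correct horse battery staple"))
    print("wrong password ->", try_open_vault(vault, "Password1"))
```

Each wrong master-password guess against a copied file costs a full scrypt derivation (16 MiB and tens of milliseconds), so a synced vault is only as weak as the master password, which is the one password the scheme asks you to make strong. The tag is checked before any decryption, so a tampered file and a wrong password fail the same way and no garbage plaintext is ever handed back.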
 

I should have mentioned "up to date"

It seems that all these new technologies, whether biometric, passwords, or possibly 2-factor, can all be bypassed somewhat.... There is no one thing that is always secure and will never be breakable...

Maybe Apple is just looking for that #1 thing..

aka if you have bloodshot eyes (both of them), drunk, partying etc,,, suddenly you cannot access the building using biometrics.

That would p*** me off almost more because I can't get in,,, Then again if you were drunk, you wouldn't remember your password anyway.
 
The nature of passwords mixed with having ten thousand things demanding one is what causes this. There's a need for a better solution. Unfortunately, fingerprint readers are the best thing anyone has come up with. It's still insecure but it's more humane computing ... when it works. Then there's the courts who claim fingerprints aren't private and can be forced out of you to unlock a device, while they cannot force you to share a password...

But yeah... Fundamental problem needing a fix.

http://angryartboy.blogspot.com/2012/10/accessibility-not-just-for-people-with.html?m=1
 
True. I think the problem is that many people created some sort of account prior to 2006 (or before the time that a >8 character alphanumeric password was strictly enforced). The website never bothered to ask people to change, so they just kind of keep using the same old password.

If they stored the password (fairly) safely as a hash, they have no way of knowing it's a short password, at least not until the user logs in. Unless they stored the length separately.

----------

If only my Mac was touch ID. :cool: That is another very long password that I have to type in all the time.

You should look at smartcards! It's a safe way of storing RSA keys, the card generates the private key and it can never be copied off it. Furthermore it blocks after several unlock attempts so you can safely use fairly short PIN codes. Not to mention the fact that the card can only be used while it's in the computer.
 
>8 characters is not exactly what i'm worried about...

It's more whether the site accepts it, and what length. Like my bank doesn't.

"Yes, I would use a strong password everywhere, if I could, but due to a certain site that restricts me...."

How many times have we all come across that..

If a phone was lost/stolen, providing you never ever ask to "remember password", it will be fine...... That's the issue...

They secure themselves, but they make it easy elsewhere.....Link broken :)
 
[quoting the earlier post: "That's why you keep 3-5 passphrases. One for social, one for forums, one for banking, and one for shopping. ... So tell me again, how are password managers better? :rolleyes:"]
ok, let me tell you again.
keeping 3-5 passphrases is very bad because you use the same password for many sites. if just one of the social sites gets hacked, all the other ones are immediately in danger. same for banks etc. I never do that.

as for your other point about password managers if you only have a single computing device then you can certainly have problems if you travel and it breaks. but who does that these days? people always have at least two when they travel - a laptop and a phone or a tablet. I certainly do and I've never had two of them die at the same time. on my last trip to Europe which lasted 2+ months I had my mbp, my iphone and my ipad. the mbp died but I had no problems using 1password because the other two devices were just fine. this is not a real issue for most people.
 
[quoting the earlier post: "Brute force password hacks involve repeatedly trying passwords based on a dictionary of often used passwords. ... 3 strikes you're out should be the ultimate rule for any authentication system, regardless of the amount of time between logins."]

You are only describing an online attack. A brute force attack generally is not some guy or automated service sitting there at a web portal trying zillions of passwords on one or more accounts. This is too easy to spot and to block, and even if it wasn't blocked, it would take waaaaaaay too long.

What happens far more commonly is using some sort of vulnerability to access the system in an unintended manner and getting a copy of the password file. The brute force attack occurs offline on passwords in that file until the information is compromised. The better your password is, the harder it is to uncover using these methods. Once compromised, the logins and passwords are sold, in bulk, to criminals who then use it to steal services, identities, and more.

Unfortunately we are finding in cases like the Sony attack that the companies are storing passwords in the clear, so that compromising the content of the file isn't even necessary, and having a great password is nearly useless.
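
The offline attack the reply above describes, as an added example that is not from the post: a stolen credential file run against a wordlist, first when the site stored unsalted SHA-1 (one step better than the plaintext storage mentioned for the Sony case), then with a per-user random salt and scrypt. The wordlist, user names, the 16-letter password and the scrypt parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Added example (not from the thread): the offline attack on a stolen credential
# file, against two storage schemes. Wordlist, users and parameters are constructed.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2014", "iloveyou"]
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


# --- Scheme 1: unsalted fast hash (common in old breaches). ----------------------
def store_sha1(password):
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1_file(leaked, wordlist):
    """One hash per candidate word cracks every account with that password at once."""
    table = {store_sha1(w): w for w in wordlist}           # rainbow-table-style lookup
    return {user: table[h] for user, h in leaked.items() if h in table}


# --- Scheme 2: per-user random salt + memory-hard scrypt. ------------------------
def store_scrypt(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, maxmem=2 ** 26)
    return salt, digest


def verify_scrypt(password, salt, digest):
    # The only point where the server sees the plaintext, so this is also where a
    # too-short legacy password gets noticed and a forced change scheduled.
    return hmac.compare_digest(digest, store_scrypt(password, salt)[1])


def crack_scrypt_file(leaked, wordlist):
    """Salt forces one derivation per (user, guess); scrypt makes each one slow and memory-bound."""
    found, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for w in wordlist:
            work += 1
            if verify_scrypt(w, salt, digest):
                found[user] = w
                break
    return found, work


def demo():
    """alice reuses a dictionary word; bob uses 16 random lowercase letters (~75 bits)."""
    strong = "7pq2mzvxkwnrtbhd"
    weak_file = {"alice": store_sha1("password"), "bob": store_sha1(strong)}
    slow_file = {"alice": store_scrypt("password"), "bob": store_scrypt(strong)}
    return crack_sha1_file(weak_file, WORDLIST), crack_scrypt_file(slow_file, WORDLIST)


if __name__ == "__main__":
    fast, (slow, work) = demo()
    print("unsalted SHA-1 file:", fast)
    print(f"salted scrypt file: {slow} after {work} derivations")
```

With the unsalted file, one hash per word covers every user in the dump; with salt and scrypt the attacker pays one slow derivation per guess per user, and a random 16-letter password never appears in any wordlist, which is what "the better your password, the harder it is to uncover" means in practice. Neither scheme helps at all if the site stores plaintext.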
 
[quoting the earlier post: "Here is how it works. You have an app that accesses a 'vault' that you open with a master password. I use 1Password. ... If you can't trust storing things in the cloud you are going to have a frustrating future."]

Thanks for that breakdown. Everything I have is in the cloud - except my passwords - I have a 50gb Box account and several other accounts including drop box that I use for pictures, music, video and work files.
I started out saving my passwords in a word file before there were apps and probably will continue. My word file is password protected, and it resides only on a thumb drive, backed up to another. Not on a cloud in a vault, not on a device. Stealable maybe, but not useable. If someone got it, it would be hard to crack unless they knew my birthday. ;) Folks are more likely to steal my device than a thumb drive.
Actually, the word file is so massive that I shudder to think about even trying to load my info into a password manager, which is probably the real reason that I have not attempted to use one.
As far as the leap of faith goes, I'm plunging every time I do on line bill paying, banking, etc, etc, etc.
I do like doing everything electronically, hate snail mail and feel pretty secure in that I use common sense in dealing with staying secure on line, not ever sharing any info for any reason and also in working with the really nice people from Nigeria that want to send me their money for safe keeping. Sooo trusting.
 
[quoting the earlier post: "Brute force password hacks involve repeatedly trying passwords based on a dictionary of often used passwords. ... 3 strikes you're out should be the ultimate rule for any authentication system, regardless of the amount of time between logins."]

I think you are making some good points here. 3 strikes may be harsher than necessary, but I like the idea of location being a factor in evaluating failed attempts.
 
50 locked Apple devices. Sad state of Apple locking

Here is an eBay auction for 50 locked Apple products. The vast majority are probably not stolen just bad passwords or other iforgets.

A sad state of Apple locking

I have a couple of iPad first gen 64's that I like to hold on to just because Apple can not lock me!
 