Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Businesses Security Idle IT

The Most Popular Bad Passwords of 2015 (dice.com) 165

Nerval's Lobster writes: For years, security experts have told people they need better passwords protecting their online accounts: no more '123456' or 'qwerty' or 'password.' Based on SplashData's fifth annual list of the 25 most common passwords, however, it's clear that relatively few people are listening to that advice. The firm based its list on more than 2 million leaked passwords during the year. The most popular, as in 2014, was '123456,' followed by 'password' and the ingenious, uncrackable '12345678.' One new entry on this ignoble list: 'starwars' in 25th place, no doubt thanks in part to the popularity of 'The Force Awakens' and the accompanying marketing campaign. Seems like a lot of people have forgotten (or never learned) that, while it's a pain to create (much less remember) a complicated password with lots of numbers and special characters, it's nothing compared to the pain of having your online accounts compromised. Maybe, as some have proposed, we could someday kill passwords for most services.
This discussion has been archived. No new comments can be posted.

The Most Popular Bad Passwords of 2015

Comments Filter:
  • by Anonymous Coward on Thursday January 21, 2016 @02:09AM (#51342083)

    I can imagine people don't put the same thought into a password for a throwaway account compared to say that of a bank account password. So I'd be interested as to the source of the leaked passwords. Not that it excuses any of those passwords in the list.

    • One of the problems I have is with my work passwords. I used to put some thought and creativity into my passwords. But the policy of having to change my password every 3 months (and 1 month for some apps) has made it difficult to keep up with security / ability to remember my "clever" password.

      Now it's a simple password with a * in it and a number in it. Then I add 1 to that number which covers me for 9 months.

      • After a while, they'll add something to detect that number, so you then just move it to the middle of the word. And if they get wise to that, then just repeat it - still easy to remember, something like "Passw00rd!", "Passw11rd!", etc. And of course you'll need one alternate base word to swap in when they limit you to "no repeats" within 13 changes.
        Another tip is to just write down your password, but write it in a "masked" fashion - like Pxxxxx, giving you a letter or two as hints without giving away the

        • After a while, they'll add something to detect that number

          How would they do that? Unless they're storing passwords in plain text. In that case, though, there's basically no point in requiring strong passwords.

          • You usually have to put in your current password to change it, except for self-service password resets. Otherwise, they'd find the last digit in the password and try all ten possibilities and try it against your saved previous password hashes.

      • by Creepy ( 93888 )

        3 months would be a joy. Try 35 days. I guess that was an improvement over our old policy of 30 days, but we also need a chipped ID badge and a machine generated PIN now. Apparently the 35 days was chosen because that is about the average time it takes to hack wifi with a brute force attack or something like that. Personally I think it was just made up numbers pushed to management based on a perceived threat.

    • my wife likes a password that is easy to enter. Its #Aaaaaaaa001. Essentially meets most password vetting software.
      Sometimes she changes it to #January001, #February001, #March0001
      At least she does not use swear words for passwords.

  • Thanks for the helpful list of first attack passwords for a brute force.

    Always mind boggling what someone will use as a PW.
    • Well if you were actually going to try to brute force something, you'd already have 99% of these in your dictionary. Seriously. In fact, I'd go ahead (if I had the power) and force all of my domains users to see a brute force crack in action and how ridiculously simple it is. 1 download, 2 clicks or 1 line of commands. I'd force each user to run that tool against a test password request with THEIR weak password. Just so they can see with their own eyes how trivial it is to crack these "passwords" If t
      • by Creepy ( 93888 )

        There was a time when nearly every router could be hacked with admin/admin. Often username is ignored on the router, too, so all you needed to know is the default password is admin. This still is often the default password on many routers, but they often block access to wireless and non-LAN machines by default now, so it is definitely more difficult to hack than it was in the 1980s and 1990s. I remember hacking my university router this way in the 1990s, and one of my fellow labbies put a packet sniffer on

        • There was a time when nearly every router could be hacked with admin/admin.

          Why the use of past tense, has anything changed? In any case it's quite useful, when I'm at a motel somewhere and need to fix their wireless, it saves me having to guess whether they've used "password" or "password1" to keep me out.

  • Cool! (Score:4, Funny)

    by penguinoid ( 724646 ) on Thursday January 21, 2016 @02:10AM (#51342087) Homepage Journal

    I knew it, my password is the top of the list! Only the best for me.

    • Lucky you! Mine didn't make the list AT ALL! Not even close.

      I'm going to have to rethink my strategy if I want my password to become popular. :(

    • I knew it, my password is the top of the list! Only the best for me.

      I saw passw0rd in the list. In my guest SSID, I've created an SSID that I'd make available, and given it a password of P@55w0rd. It combines uppercase (P), lowercase (w, r, d), numbers (0) and special characters (@) as demanded by some password systems. I usually take a common word, replace 'i's, 'o's', 's's, 'z's and so on so as to make them less likely to guess, and also, satisfy the demands of complicated password systems that insists that one combine various case types into the password

  • Last year I switched over to using a Yubikey for U2F and SSH authentication. It has been a dream having this little thing everywhere I go. No more passwords at all. Either tap the button to log in, or NFC to my phone, or use a simple PIN number for SSH access.

    • My last job required using a "soft token" in conjunction with the a "hard token". The softtoken is software either installed on your machine or your smartphone that requires a pin, from there once you enter the pin, it generates a challenge and response, that response is good for 30 seconds. You did need to enter that response in like a password, but it was unique and only good for 30 seconds. That gets you into their systems. To connect to customer systems (VOIP mostly) that's when the hard token comes
  • by mark-t ( 151149 ) <markt@nospAm.nerdflat.com> on Thursday January 21, 2016 @02:19AM (#51342111) Journal

    New for this year, but 12th on the list.

    While it's certainly not a particularly strong password, I'm honestly surprised that something like that would make a list of the 25 worst.

  • by sillivalley ( 411349 ) <sillivalley&comcast,net> on Thursday January 21, 2016 @02:22AM (#51342119)
    Here's the top 25 captured by my SSH honeypot so far this year as count [account/password]:
    2132 [root/root]
    2110 [root/admin]
    2107 [root/123456]
    2107 [root/1234]
    2104 [root/password]
    2102 [root/root123]
    2102 [root/12345]
    2101 [root/p@ssw0rd]
    2101 [root/123]
    2098 [root/1]
    2091 [root/test]
    1907 [root/wubao]
    1905 [root/!q@w]
    1905 [root/jiamima]
    1905 [root/!@]
    1900 [root/idc!@]
    1900 [root/!]
    1899 [root/!qaz@wsx]
    1899 [root/admin!@]
    203 [root/superuser]
    203 [root/public]
    203 [root/power]
    203 [root/calvin]
    203 [root/alpine]
    203 [root/admin123]

    Around 400k ssh login attempts so far in 2016, mostly from China.
    If someone could explain "wubao" and "jiamima" I would greatly appreciate it!
    • jiamima is encryption key or encrypted code, or maybe add a new password. wubao maybe 'without protection' or the equivalent of no password.
    • by tgv ( 254536 )

      Nice.

      For what it's worth, wubao might mean this: https://en.wiktionary.org/wiki... [wiktionary.org], the second meaning of which looks like "secret". Someone, perhaps you, might have asked this question before, https://ewedaa.wordpress.com/2... [wordpress.com]

    • Do you do anything else besides logging?

      I once set up an ssh honeypot in a chroot jail (with noexec and hardly anything in /bin; this was in 2005, before VMs were easy to run) to see what would happen; login guest/guest. Surely someone logged in, but they didn't attempt anything once inside. Maybe they were going to come back, but I didn't wait for it.

      • by Bert64 ( 520050 )

        I've done a few, usually on an exotic architecture with a patched shell and kernel to log commands to syslog on another host...

        What you saw was probably just the scanner, it will log in and just take note of your ip and password for later use. Sometime later you'll usually get someone log in and take a look around... I found that while the scans often come from asia, the actual logins usually come from european countries like romania or italy.

        They will usually try uname to see what os is running, and often

    • by Bert64 ( 520050 )

      Those are just from the dictionary fed to the ssh brute forcing tool, it doesn't mean any of them ever actually got a hit on a live system...
      I have exactly the same, continuous SSH brute force attempts, often the same ip will come back later and try the exact same passwords for no apparent reason.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      calvin is/was the default password for most DRACs (Dells Remote Access Controllers).
      Its interesting to see it that high on the list.

      What ist China hunting for?
      DRACs that are directly exposed to the Internet with the default password in place?
      And are the other top hits default passwords as well?

    • I used to run Kippo too until the SD crapped out on my raspberry pi. I speculated some of the more popular passwords were ones the malware had successfully used in the past, or possibly passwords the malware or competing malware set to make access easy when calling back. Do you allow interactive login?
    • by ACE209 ( 1067276 )

      ..., mostly from China.

      or maybe from Verizon

      http://tech.slashdot.org/story... [slashdot.org]

      The relevant snippet from the summary:

      Spamhaus detected over 4 million IP addresses, mainly stolen from China and Korea, and routed on Verizon's servers with forged paperwork.

    • If someone could explain "wubao" and "jiamima" I would greatly appreciate it!

      wubao: No Password

      jiamima: Password

  • by sittingnut ( 88521 ) <sittingnut@gmai l . com> on Thursday January 21, 2016 @02:26AM (#51342135) Homepage

    "while it's a pain to create (much less remember) a complicated password with lots of numbers and special characters, it's nothing compared to the pain of having your online accounts compromised."
    one must question that assertion.
    are the accounts these passwords belong to really in need of security in the 1st place? are they not, most of them, throwaway accounts with not much value in them?

    without some measure of value of accounts secured by the passwords identified, lists like this don't tell us much.

    so called "security experts" should do more worthwhile research to find out the sort of insecure passwords used by people who want to keep some thing valuable secure.

    • My Hello Kitty Online Adventures account uses "1" as the password.

    • by tlhIngan ( 30335 ) <.slashdot. .at. .worf.net.> on Thursday January 21, 2016 @02:50AM (#51342187)

      This.

      Telling me "password" is a bad password isn't news. It's obvious. And you know what? For accounts I don't care about, it's a perfectly good password.

      You want me to create an account to leave a comment on your stupid little blog? I don't see what's wrong with password.

      Hell, a lot of forums are like that too - want to get this download? Register for an account! So yes, I'm going to use password, because chances are, I won't ever visit it again.

      Now, my Amazon, Paypal, banking and other passwords? You can bet they aren't on that list!

      And guess what? There's a ton of sites that need registration, so no wonder they stay on the top - for these worthless accounts, people will use worthless passwords. If your password database has a lot of these passwords, perhaps you might want to rethink your account strategy. Maybe your visitors don't see your accounts system as valuable as you do.

      • Adding-

        Admins do themselves no favors by making ludicrous demand from lusers like "the password must contain a special character, but may not begin or end with a special character, have two numbers, and can only be be 8 characters long... you got that?".

        Or requiring password changes every 60 days, especial for accounts I use maybe bi-yearly. Or refuse recycling passwords. And the list goes on.

        Anymore more it is easier just to bang my head against the keyboard as my password and have them email me a new one.

        • Yes, it's especially annoying having to reduce the security of the strong passwords I generate using a password manager because a major organisation has employed a coder who thinks that "between 6 and 8 characters, including a digit and a special character" is a stronger password than "MXxFrmyx6pUCbyBvNx3zerBb06DABs" ("Must contain a special character").

          And I know I'm not the only one frustrated by this [9gag.com].

          • Yes, it's especially annoying having to reduce the security of the strong passwords I generate using a password manager because a major organisation has employed a coder who thinks that "between 6 and 8 characters, including a digit and a special character" is a stronger password than "MXxFrmyx6pUCbyBvNx3zerBb06DABs" ("Must contain a special character").

            And I know I'm not the only one frustrated by this [9gag.com].

            I love the ones that say things like "Must contain ONE number, ONE upper case character and ONE special character. And must be 8 characters exactly." Boy that simplifies things a lot. I had a fucking BANK that demanded this kind of 'secure' password...

          • The worst is the ones that have some sort of restriction on what characters you *can't* use in the password, because it means whoever programmed it had no clue what they were doing.
            • The worst is the ones that have some sort of restriction on what characters you *can't* use in the password

              Does this include inability to use Chinese characters because the password field is printable ASCII (U+0020 through U+007E)?

            • The worst is the ones that have some sort of restriction on what characters you *can't* use in the password, because it means whoever programmed it had no clue what they were doing.

              Like that news site, what's it called, Slashdot? Not in the passwords, on the site itself.

          • by sudon't ( 580652 )

            Right! My online banking forced low complexity passwords! Letters and numerals only, relatively short max length. I wrote them about this, and they replied with some crap about their servers being secure. On top of which, they blocked autofill, so that I always had to open my password manager and look up the password. Fucking annoying. Of course, BB&T is no longer my bank.

        • I just sent United Healthcare some "feedback" on that one. They have stupid rules that include requiring one of only 6 symbols. Like I can remember which stupid symbol they allowed that I stuck in my password... Instead I end up resetting my password every time I log in. I tried explaining to them their ridiculous rules do nothing to secure my account if it locks me out and forces me to reset my password after 3 incorrect attempts. And that it's far more likely that their login database gets hacked than my

      • The ones that irritate me the most are the sites that say, "login with your Facebook account or your gmail account blah blah blah".

        I don't have a stupid Facebook account and you're not getting my gmail account. Sometimes I just use an email address like "guest@whateversiteiamat.com or "password" as the password.

        News sites are notorious for this if you want to leave a comment.
        • They irritate me too and I do have a Facebook account. I would prefer to login that way, but then it takes you to the permissions page and it's "gives access to all your friends, photos, contact information, etc. and permission to post as you on your wall, on other's walls, and in private messages."

          I'm like how about no... I'm not giving away permission for someone to assume my entire identity to not have to create a login to post a stupid comment on your stupid site.

        • eatshit@and.die is one like to use when places ask for an e-mail address that only want it so they can bombard me with crap.
        • Sometimes I just use an email address like "guest@whateversiteiamat.com

          Step 2 of 2: Check your e-mail!

          Your comment is almost posted. A confirmation request has been sent to the e-mail account guest@whateversiteiamat.com. This e-mail contains a link to confirm that guest@whateversiteiamat.com is yours. Follow this link, and your comment will be posted immediately.

        • The point is that, once you do have a facebook account, you're not really increasing the likelihood of anything bad happening by re-using it as a generic login.

          Whatever SmallNewssite.com does with your facebook information is trivial compared to what facebook itself does. Same with gmail, whatever the few remaining google fanboys here might think.

      • by chihowa ( 366380 )

        Until I just recently changed it, "password" has been my password for this account on Slashdot for over fifteen years. Not only is it a fine password for accounts of little consequence, but it actually works well for accounts where nobody ever even bothers to try to break in.

        • Until I just recently changed it, "password" has been my password for this account on Slashdot for over fifteen years. Not only is it a fine password for accounts of little consequence, but it actually works well for accounts where nobody ever even bothers to try to break in.

          You might not care about your slashdot account but someone who wants to 'hack' into your slashdot account so they can swear allegiance to ISIS and threaten the life of the President of the United States of 'Murica might care. Of course the'd be behind 7 proxies, but you weren't behind 7 proxies last time you logged into it. Sucker!

          • by chihowa ( 366380 )

            I can't say I'd care too much about that, but my point was more that there's not even much interest in attempting to compromise most internet accounts. In over 15 years, no person or bot attempted to log into this account with the most common password on the internet. Expecting users to come up with and remember strong passwords for inconsequential sites is a waste of everybody's time.

      • by Quirkz ( 1206400 )

        I'm going to argue there's never a time that "password" is ever really perfectly good. It's just too common, and the first thing to be checked. Even on throwaway accounts, unless you're literally trying to give away your email address and what other data points the site collects, you might as well make it not one of the first things anyone with any curiosity at all might try. Now your dog's name or your kid's name or your street, or anything else still week and relatively obvious to anyone who knows you is

      • by tepples ( 727027 )

        You want me to create an account to leave a comment on your stupid little blog? I don't see what's wrong with password.

        What happens when someone guesses your password to a comment section or forum and uses your account to post libel, copyright infringement, child sexual abuse photos, or other contraband information?

    • one must question that assertion. are the accounts these passwords belong to really in need of security in the 1st place? are they not, most of them, throwaway accounts with not much value in them?

      without some measure of value of accounts secured by the passwords identified, lists like this don't tell us much.

      so called "security experts" should do more worthwhile research to find out the sort of insecure passwords used by people who want to keep some thing valuable secure.

      True. But the answer depends. As the longish Wired article linked to above also hints at, if you link ("daisychain") your accounts, you might consider a simple throwaway e-mail account as not important. But then you go use the e-mail address as the login for another account, and/or as a backup where password resets for the other account get sent to. It now has become the weakest link in your daisychain (to mix metaphors).

      And that's one of the password's weak spots in the modern economy: having so many serv

    • Exactly, I need a ridiculously complicated password to use the Rally app that reminds me to eat my veggies and then I get points for which I can get in on a raffle. I could care less if someone breaks in and signs me up for a few chances at winning a Whole Foods gift card that I won't win. Maybe they'll eat some veggies for me too.

      Meanwhile, unnecessarily complicated password requirements for things that NEED to be secure are still a waste. Brute force isn't really a thing anymore as most secure login porta

      • What is more likely than my password being brute forced is their database gets compromised which negates any security a long or complex password provides.

        Depends. If they were smart and salted the passwords and just stored the salted hashes as a SHA256 or SHA512 sum then having strong passwords still protects, if instead they just stored the password in plaintext in the DB well your fucked anyway. If all they have is a listing of usernames and hashes they still would have to brute force, or rainbow table them but they do that offline.

    • Yeah... for sites that require a login for no good reason (like it's a free site or game that wants your user info so they can try to sell you premium features later), I'll just use something like password as the password. If someone wants to use that account because they are too lazy to create their own, more power to them.

  • Finally... a "Most Popular *THING* of *YEAR*" list where they actually waited for the year to finish before releasing it. I'm impressed.

  • Splash ID sells password vaults that can sync to cloud.

    Supposedly this is all encrypted.

    So.. where is Splash getting this info from?

    • Oh, forgot -- cloud sync was added 2009, if I remember right. Which is six or seven years ago, depending on where in 2009 it was actually introduced. And this is their fifth list of bad passwords?

      Questions abound.

      • It's in the fucking summary.

        The firm based its list on more than 2 million leaked passwords during the year.

        But hey, let's rather jump to conclusions, since this is slashdot and everything.

  • by m.alessandrini ( 1587467 ) on Thursday January 21, 2016 @04:05AM (#51342375)
    Seriously, can you give me advice if this is a safe approach? To remember the passwords for the many web accounts, and to not reuse the same password everywhere, I use a password made from a fixed difficult sequence of characters (the same for all sites), then add a couple of letters depending on the site's name. If sites, as it should be, store only the digest/checksum of the password, even in case of stolen database one should not be able to reverse it and find the original password with the "algorithm" to apply it to other sites. I'm not a crypto expert, do you think this can be reasonably safe?
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Advertising it, especially in a format associated with a probably common handle (and what appears to a real name,) certainly isn't.

    • What are the chances they are all using hashes? Just about nil.

      Still, I use a similar system. I use the same base password with minor variations, and email myself a password hint so I can look it up later.

    • by sudon't ( 580652 )

      "...do you think this can be reasonably safe?"

      If someone knows basically how you do it, they could probably figure it out. Remember, a lot of "hacked" accounts are compromised by people known to the victim, or by people who can have a look at your personal information, (like your Facebook account - how locked down is that?). Otherwise, I suppose any single password will look random.
      You ever considered looking into a good password manager? You only have to remember one good password, and the password manager can create strong unique, (yet, memorable, if

      • by tepples ( 727027 )

        Probably because synchronizing the password manager across all devices that one uses is an extra-cost feature.

  • This new entry stood out to me: 1qaz2wsx (New)

    Look at the position on the keyboard. People are treating the keyboard like an android/iphone lock screen, at least that's my guess. Very cool to see behavior change as our devices do.

    • by Quirkz ( 1206400 )

      I used to have 5tgb6yhn as a password. I didn't even have to type it, I could just swipe my finger across the keyboard twice, down the two rows, and hit it pretty reliably. It seemed convenient, but only when nobody was looking, because anyone with any sense who saw me log in that way would be able to guess it almost immediately.

  • I wonder how many of these leaked passwords are from disposable accounts. I use weak passwords like this when sites force you to create a useless account to perform an one time action... the account contains no valuable information (you can sign up with bogus email, name etc) but they force you to have one anyway.

    I feel like these kind of shitty sites that force you to sign up for a pointless account are also likely to have shitty security and have their account info leaked.

  • "Shadowfax" didn't even make the list.

  • ...so I'll say it again. Your front door is protected by a 5-digit key, and it's next to a few dozen glass windows.

    Maybe two of my passwords actually protect something more valuable than my house when I'm not in my house. None of them protect anything more valuable than my house when I am in my house.

    Oh, I also said that what separates my 140kph car from an on-coming 140kph car is a 3inch wide strip of yellow paint. Sometimes two of them.

  • Microsoft Research department spent a lot of time looking into password security.

    They found that for tech people the absolute minimum time between password changes, while still having good passwords was 183 days. A more realistic minimum safe time to use is 365 days.

    For non-tech people they found that the absolute minimum was 365 days. A more realistic minimum was 548 days.

    When going under these numbers people would have to sticky note their password to their monitor, write them down somewhere else us

Whenever people agree with me, I always think I must be wrong. - Oscar Wilde

Working...