snopes.com  
#1 | snopes | 20 January 2014, 05:55 PM
Computer "Password" unseated by "123456" on SplashData's annual "Worst Passwords" list

SplashData has announced its annual list of the 25 most common passwords found on the Internet. For the first time since SplashData began compiling its annual list, "password" has lost its title as the most common and therefore Worst Password, and two-time runner-up "123456" took the dubious honor. "Password" fell to #2.

http://splashdata.com/press/worstpasswords2013.htm
#2 | FullMetal | 20 January 2014, 06:42 PM

Amazing I have the same combination on my luggage.
#3 | Lainie | 20 January 2014, 06:46 PM

A few years ago my then-employer did a password audit and found a disturbing number of people using some variation of "Buckeye(s)," "Buckeye fan," etc.
#4 | Not_Done_Living | 20 January 2014, 06:58 PM

I have not seen a system that would allow "password" or 123456xxx as passwords for a long, long time -- most policies explicitly prevent that -- my company's policy is

"16-24 characters, must have

At least two upper case letters not back to back; one special character, one numeral, no dictionary words"
#5 | GenYus234 | 20 January 2014, 07:04 PM

And no more than two of the same characters together. I.e., bb is okay, but not bbb.
#6 | Singing in the Drizzle | 20 January 2014, 07:20 PM

I worked for a large company that protected their proprietary information with a password that was usually the commonly used name of the system it was on, adding zeros or ones if extra characters were needed. Now that engineers have changed companies over the years to other companies that use that information, it has been easy to guess the passwords. For example, say I would like to print a protected document I requested, but it is set to read only with no printing, and it was created on the "Protected Revival and Enhanced System" (PRES). I would then start trying the passwords "PRES00", "PRES01" or "PRES11" and most likely get full access to the documents.
#7 | popkulture | 21 January 2014, 04:09 AM

Quote (originally posted by Not_Done_Living):
no dictionary words
Pardon me if this is a stupid question, but does this actually mean that they don't want you to use any word that appears in a dictionary? If so, it seems to me that would really make it easier for someone to guess a password. I mean, most people would probably use the name of their spouse, pet, etc. Or do they just expect passwords to be a random jumble of numbers and letters?
#8 | Richard W | 21 January 2014, 07:42 AM

Quote (originally posted by GenYus234):
And no more than two of the same characters together. I.e., bb is okay, but not bbb.
I hate these restrictions. One of our systems at work has a restriction that you can't have more than three of the same character altogether - so "Mississippi" would be out because it's got 4 "s"s. (I'm not saying Mississippi in that form is a good password - it's an example). Of course, the longer your password the more likely it is to have repeated characters. I thought of a nice long memorable phrase which probably wouldn't have shown up in easy-to-guess-by-brute-force lists, and had to reject it because it happened to contain 5 "t"s. So I ended up shortening it to something significantly less secure.

I mentioned my bank in another thread, which only allows alphanumeric characters (no ^&*$% etc) - which is even worse in a sense, since there doesn't even seem to be a vague reason behind that one. I assume they're worried that one of their systems won't handle it, or that their input sanitizer will strip some of them (although if you can use the password field for an injection attack then there's something else wrong - they shouldn't be putting the passwords in the database in plain text in the first place! - and I doubt they are) or something.

Having restrictions to force you to use a minimum length and a certain variety of different types of character is one thing, but having restrictions that force you NOT to use certain patterns is something else... Another of our systems takes a 4-digit PIN that you have to change every so often, and that has an arbitrary list of "obvious combinations" that it rejects! It's a bloody 4-digit number in the first place!

Last edited by Richard W; 21 January 2014 at 07:47 AM.
#9 | Not_Done_Living | 21 January 2014, 12:28 PM
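As an added example (not code from any poster in this thread), the Python below checks a candidate password against the rules described in posts #4, #5 and #8: 16-24 characters, two upper case letters that are not back to back, a numeral, a special character, no three identical characters in a row, no more than three of any one character in total, and no dictionary words. The word list is a constructed stand-in, since no poster names one, and "not back to back" is assumed to mean that at least two of the upper case letters are non-adjacent.

```python
import re
from collections import Counter

# Constructed stand-in for a real dictionary; the thread's policies name
# no word list, so this is an assumption for illustration only.
DICTIONARY = {"password", "mississippi", "delta", "buckeye", "this", "is", "my"}


def check_policy(pw: str) -> list[str]:
    """Return every rule the candidate breaks; an empty list means compliant."""
    problems = []
    if not 16 <= len(pw) <= 24:
        problems.append("length must be 16-24 characters")
    ups = [i for i, c in enumerate(pw) if c.isupper()]
    # Need two upper case letters that are not adjacent to each other.
    if len(ups) < 2 or max(ups) - min(ups) < 2:
        problems.append("need two uppercase letters that are not back to back")
    if not any(c.isdigit() for c in pw):
        problems.append("need at least one numeral")
    if not any(not c.isalnum() for c in pw):
        problems.append("need at least one special character")
    # Post #5: "bb is okay, but not bbb".
    if re.search(r"(.)\1\1", pw):
        problems.append("no more than two identical characters in a row")
    # Post #8: no more than three of the same character altogether.
    if pw and max(Counter(pw).values()) > 3:
        problems.append("no more than three of any one character in total")
    # Post #4: no dictionary words (checked on each alphabetic run).
    for word in re.findall(r"[A-Za-z]+", pw):
        if word.lower() in DICTIONARY:
            problems.append(f"contains a dictionary word: {word.lower()}")
    return problems


if __name__ == "__main__":
    # The long memorable phrase is rejected for repeated characters (four
    # r's), which is the failure mode post #8 complains about.
    for candidate in ("Correct-Horse-Battery-9",
                      "Mississippi-Delta-42",
                      "Xq7!mVz2#pLw9$kRt"):
        print(candidate, "->", check_policy(candidate) or "compliant")
```

Only the short random string passes; both memorable candidates fail the total-count rule, which illustrates why such policies push users toward shorter, harder-to-remember strings.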

Quote (originally posted by popkulture):
Pardon me if this is a stupid question, but does this actually mean that they don't want you to use any word that appears in a dictionary? If so, it seems to me that would really make it easier for someone to guess a password. I mean, most people would probably use the name of their spouse, pet, etc. Or do they just expect passwords to be a random jumble of numbers and letters?

I have managed without getting an alert for failure to comply for 13 years, so it's not that hard to avoid a "dictionary word".
#10 | Mad Jay | 21 January 2014, 01:17 PM

Quote (originally posted by Not_Done_Living):
I have not seen a system that would allow "password" or 123456xxx as passwords for a long, long time -- most policies explicitly prevent that -- my company's policy is

"16-24 characters, must have

At least two upper case letters not back to back; one special character, one numeral, no dictionary words"
#11 | GenYus234 | 21 January 2014, 01:26 PM

Except how many people will use the words "This is my password"?
#12 | ganzfeld | 21 January 2014, 01:27 PM

If most people were good at randomly selecting and correctly spelling and typing four unusual words - without seeing what they've typed on the screen - then that might be a good strategy.
#13 | GenYus234 | 21 January 2014, 01:31 PM

Why not give people the option of not hiding their password behind asterisks when setting it? It seems that very few hacks come about due to shoulder surfing anymore (if they were ever that common).

Or, provide 4 password entry fields and 4 confirm password entry fields.
#14 | Avril | 21 January 2014, 01:33 PM

The four fields would reduce the strength of the password, I think.
#15 | GenYus234 | 21 January 2014, 01:44 PM

The four fields are only for setting up or changing the password, not for the login.
#16 | popkulture | 21 January 2014, 03:53 PM

Quote (originally posted by Not_Done_Living):
I have managed without getting an alert for failure to comply for 13 years, so it's not that hard to avoid a "dictionary word".

Well, I certainly don't think it would be hard to avoid such words, I just meant that without using those words, the average person (such as the folks who use 123456-style easy passwords) would have fewer passwords that they would potentially use, and would make their password easier to guess. Social engineering is a common means of determining passwords, and by narrowing down the field of potentials, it makes it easier for someone using that strategy to figure out how to gain access.
#17 | Singing in the Drizzle | 21 January 2014, 03:54 PM

With the security systems in place that lock the person out for 30 min after 3 tries, it makes anything other than the top 200 most common passwords very hard to use. Even that list of 200 would take at least 33.5 hours to test. The full dictionary would take about 9 years. So having a password on the list of 200 most common would be a good idea because it would be easy to guess, as would names and dates associated with your company and your personal information; the dictionary would be useless.

I'm seeing more and more password boxes that have the option to see what you are typing, especially with long password requirements.
#18 | Lainie | 21 January 2014, 04:11 PM

My bank's login offers the option of seeing your password as you key it.
#19 | Gayle | 21 January 2014, 05:59 PM

Quote (originally posted by Singing in the Drizzle):
With the security systems in place that lock the person out for 30 min after 3 tries, it makes anything other than the top 200 most common passwords very hard to use. Even that list of 200 would take at least 33.5 hours to test. The full dictionary would take about 9 years. So having a password on the list of 200 most common would be a good idea because it would be easy to guess, as would names and dates associated with your company and your personal information; the dictionary would be useless.

I'm seeing more and more password boxes that have the option to see what you are typing, especially with long password requirements.

My system at work requires at least one capital, one of a restricted number of symbols, one numeral, and no words of any kind, including do, to, be, it, ar, etc. If you can pronounce it, it is rejected. This password must be reset every two months and cannot be reused for two years.
#20 | Richard W | 21 January 2014, 06:29 PM

I'm just resetting my bank password (thanks to having to use a different system than usual, I can never remember it after changing it).

I almost thought it was possible to do so using only publicly available information and with no security check, but they do at least give you an automated phone call and code, so (as well as knowing my account number, sort code and date of birth) you'd also have to have access to my phone at the time. Still doesn't seem all that secure, though...

For some reason, when it asks you which number you want to be called on, the numbers are partly masked. (Why? If somebody has got that far, or is looking over your shoulder, they've already seen more sensitive information than the phone numbers). I haven't entered a home or work number, which leads to an unfortunate unintended result:

Quote:
Home: No N***er
Work: No N***er
Hmmm....