#1
SplashData has announced its annual list of the 25 most common passwords found on the Internet. For the first time since SplashData began compiling its annual list, "password" has lost its title as the most common and therefore Worst Password, and two-time runner-up "123456" took the dubious honor. "Password" fell to #2.
http://splashdata.com/press/worstpasswords2013.htm
#2
Amazing I have the same combination on my luggage.
#3
A few years ago my then-employer did a password audit and found a disturbing number of people using some variation of "Buckeye(s)," "Buckeye fan," etc.
#4
I have not seen a system that would allow "password" or 123456xxx as passwords for a long, long time -- most policies explicitly prevent that -- my company's policy is
"16-24 characters, must have at least two upper case letters not back to back; one special character, one numeral, no dictionary words"
#5
And no more than two of the same characters together. I.e., bb is okay, but not bbb.
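The two posts above between them describe a complete composition policy: 16-24 characters, at least two upper-case letters that are not back to back, one special character, one numeral, no dictionary words, and no run of three identical characters. The checker below is an added example, not code from either poster or their employer. It assumes "not back to back" means at least one pair of capitals with something between them, treats "dictionary word" as a case-insensitive substring match against a word list (the list here is a small constructed sample), and takes "special character" to mean ASCII punctuation.

```python
import re
import string

# Added example: a checker for the composition rules quoted in the thread.
# Policy: 16-24 characters, at least two upper-case letters that are not
# back to back, one special character, one numeral, no dictionary words,
# and no more than two identical characters in a row.
# SAMPLE_DICTIONARY is a constructed stand-in for a real word list.

MIN_LEN, MAX_LEN = 16, 24
SAMPLE_DICTIONARY = {"password", "buckeye", "buckeyes", "monkey", "dragon",
                     "welcome", "summer", "football"}
TRIPLE = re.compile(r"(.)\1\1")          # three identical characters in a row


def has_non_adjacent_uppers(pw):
    """True if two upper-case letters exist that are not next to each other."""
    positions = [i for i, c in enumerate(pw) if c.isupper()]
    if len(positions) < 2:
        return False
    # Only a single contiguous run of capitals (e.g. "AB") lacks such a pair:
    # then the span between first and last equals the count minus one.
    return positions[-1] - positions[0] > len(positions) - 1


def dictionary_hits(pw, dictionary, min_word_len=4):
    """Dictionary words of at least min_word_len chars found inside pw, case-insensitive."""
    low = pw.lower()
    return sorted(w for w in dictionary if len(w) >= min_word_len and w in low)


def check_password(pw, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules the password violates; [] means it passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} is outside {MIN_LEN}-{MAX_LEN}")
    if not has_non_adjacent_uppers(pw):
        problems.append("needs two upper-case letters that are not back to back")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a special character")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numeral")
    hits = dictionary_hits(pw, dictionary)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if TRIPLE.search(pw):
        problems.append("has three identical characters in a row")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one that passes, two that fail several rules.
    for candidate in ["Xq7#mLp2vRt9wZ4kBn", "password12345678Ab!", "Buckeyes!!!2014"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the substring check is what makes "no dictionary words" bite on the "Buckeyes" variants mentioned earlier in the thread; a whole-word check would miss "Buckeyes2014".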
#6
I worked for a large company that protected their proprietary information with a password usually being the commonly used name of the system it was on, adding zeros or ones if extra characters were needed. Now that engineers have changed companies over the years to other companies that use that information, it has been easy to guess the passwords. For example, I would like to print a protected document I requested, but it is set to read-only and no printing, and it was created on the "Protected Revival and Enhanced System" (PRES). I would then start trying the passwords "PRES00", "PRES01" or "PRES11" and most likely get full access to the documents.
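The convention in the post above (system acronym, then zeros or ones until the required length is reached) leaves a guessable keyspace, which is why the poster can try three candidates and expect to get in. The enumerator below is an added example, not the poster's method or any real tool; the acronym "PRES" and the length range are constructed inputs, and it assumes padding characters are drawn only from the set the post names.

```python
from itertools import product

# Added example: enumerate passwords that follow the naming convention
# "system acronym + 0/1 padding", for every total length in a range.
# "PRES" and the length bounds below are constructed, not real systems.


def padded_candidates(system_name, min_len, max_len, pad_chars="01"):
    """All strings system_name + padding, for each total length in [min_len, max_len]."""
    candidates = []
    for total in range(min_len, max_len + 1):
        extra = total - len(system_name)
        if extra < 0:
            continue                       # the bare name is already longer than this
        for pad in product(pad_chars, repeat=extra):
            candidates.append(system_name + "".join(pad))
    return candidates


def keyspace_size(system_name, min_len, max_len, pad_chars="01"):
    """Number of guesses the convention leaves: sum over lengths of len(pad_chars)**extra."""
    return sum(len(pad_chars) ** (total - len(system_name))
               for total in range(min_len, max_len + 1)
               if total >= len(system_name))


if __name__ == "__main__":
    guesses = padded_candidates("PRES", 4, 8)
    print(len(guesses), "candidates, e.g.", guesses[:7])
```

With a four-letter acronym and passwords of four to eight characters the whole list is 31 guesses, small enough to type by hand even against a lockout policy like the one discussed later in this thread.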
#7
Pardon me if this is a stupid question, but does this actually mean that they don't want you to use any word that appears in a dictionary? If so, it seems to me that would really make it easier for someone to guess a password. I mean, most people would probably use the name of their spouse, pet, etc. Or do they just expect passwords to be a random jumble of numbers and letters?
#8
Quote:
I mentioned my bank in another thread, which only allows alphanumeric characters (no ^&*$£% etc) - which is even worse in a sense, since there doesn't even seem to be a vague reason behind that one. I assume they're worried that one of their systems won't handle it, or that their input sanitizer will strip some of them (although if you can use the password field for an injection attack then there's something else wrong - they shouldn't be putting the passwords in the database in plain text in the first place! - and I doubt they are) or something.

Having restrictions to force you to use a minimum length and a certain variety of different types of character is one thing, but having restrictions that force you NOT to use certain patterns is something else...

Another of our systems takes a 4-digit PIN that you have to change every so often, and that has an arbitrary list of "obvious combinations" that it rejects! It's a bloody 4-digit number in the first place!

Last edited by Richard W; 21 January 2014 at 08:47 AM.
#9
Quote:
#10
Quote:
#11
Except how many people will use the words "This is my password"?
#12
If most people were good at randomly selecting and correctly spelling and typing four unusual words - without seeing what they've typed on the screen - then that might be a good strategy.
#13
Why not give people the option of not hiding their password behind asterisks when setting it? It seems that very few hacks come about due to shoulder surfing anymore (if they were ever that common).
Or, provide 4 password entry fields and 4 confirm password entry fields.
#14
The four fields would reduce the strength of the password, I think.
#15
The four fields are only for setting up or changing the password, not for the login.
#16
Well, I certainly don't think it would be hard to avoid such words, I just meant that without using those words, the average person (such as the folks who use 123456-style easy passwords) would have fewer passwords that they would potentially use, and would make their password easier to guess. Social engineering is a common means of determining passwords, and by narrowing down the field of potentials, it makes it easier for someone using that strategy to figure out how to gain access.
#17
With the security systems in place that lock the person out for 30 min after 3 tries, it makes anything other than the top 200 most common passwords very hard to use. Even that list of 200 would take at least 33.5 hours to test. The full dictionary would take about 9 years. So having a password on the list of the 200 most common would be a good idea because it would be easy to guess, as would names and dates associated with your company and your personal information; the dictionary would be useless.
I'm seeing more and more password boxes that have the option to see what you are typing, especially with long password requirements.
#18
My bank's login offers the option of seeing your password as you key it.
#19
Quote:
#20
I'm just resetting my bank password (thanks to having to use a different system than usual, I can never remember it after changing it).
I almost thought it was possible to do so using only publicly available information and with no security check, but they do at least give you an automated phone call and code, so (as well as knowing my account number, sort code and date of birth) you'd also have to have access to my phone at the time. Still doesn't seem all that secure, though... For some reason, when it asks you which number you want to be called on, the numbers are partly masked. (Why? If somebody has got that far, or is looking over your shoulder, they've already seen more sensitive information than the phone numbers). I haven't entered a home or work number, which leads to an unfortunate unintended result: Quote: