Readit News
wfo · 10 years ago
All of our hard work convincing people to think of longer passwords has finally convinced the populace to type 'qwertyuiop' instead of 'qwerty' when they're asked to make an account for a service they don't care about.

The best way to improve password quality, at least looking at it from the perspective of a user with my habits, is to wait to have me make an account until I actually want the service. If I have to think of a password in order to try something out for the first time, it's going to be the most inane garbage because I simply don't care/can't be bothered to think of some secure phrase to protect nothing.

odonnellryan · 10 years ago
I've used 1qaz2wsx for throw-away accounts. I mean, come on... I create at least one new account a week! >:(
wahsd · 10 years ago
What annoys the hell out of me is this constant insistence on creating accounts or even connecting your social media account.

How about just making your damn service/product good to where once people are hooked in they will actually want to create the account when they are damn well ready.

pbreit · 10 years ago
I'm not sure what this list is trying to accomplish but the problems with it are 1) it doesn't acknowledge that these are unlikely to be important passwords and 2) there's little indication this is much of an attack vector, if any at all.
rogeryu · 10 years ago
Direct link to the relevant article on Gizmodo:

http://gizmodo.com/the-25-most-popular-passwords-of-2015-wer...

The linked article does nothing more than link to that article and include a link to a "convenient" text file with the top 25:

123456, password, 12345678, qwerty, 12345, 123456789, football, 1234, 1234567, baseball, welcome, 1234567890, abc123, 111111, 1qaz2wsx, dragon, master, monkey, letmein, login, princess, qwertyuiop, solo, password, starwars.

dhimes · 10 years ago
He also messes up: the first "password" is all letters; the second one (near the end) substitutes a 0 for the o: "passw0rd".

EDIT: Oops, I didn't see dmichulke's post saying the same thing. Here's the reference: https://news.ycombinator.com/item?id=10930521

chromaton · 10 years ago
But that's just a recap of the original list from SplashData: https://www.teamsid.com/worst-passwords-2015/
jstalin · 10 years ago
"I have went ahead"
iamthepieman · 10 years ago
I often either reuse a simple password or use a stupidly simple one for sites that require a signup but which I do not care to interact with in any meaningful way.

Have to create an account on some new startups app?

username: newstartupname_myname

password: 12345!

Need to sign up for a "trial" account to get access to content I probably don't even want? Same thing.

So while I'm sure that there are way too many people using 123456 for their insurance or financial service login, does it really matter that someone's password to Cnet or foodnetwork is simple and easy to guess?

realusername · 10 years ago
Same in my case: if the account is essentially useless I do exactly this. I use the same username and password with a dedicated email for this kind of thing.
noobie · 10 years ago
Reddit-esque but Relevant username!
rybosome · 10 years ago
The primary danger would be that you add sensitive information, forgetting that the account is weakly protected.

I've found that having a password manager compels me to have a strong password for every single site. Not having to remember anything (is this a weak password site? Did they require a number or capital?) is such a relief, and knowing that the account is as strongly protected as it can be (with respect to my control over the situation) is quite comforting.

AznHisoka · 10 years ago
Same here. If you make it a strong password that you reuse in another site, there's a danger if someone hacks into it and finds that password.
Kootle · 10 years ago
The author, some of the comments here and especially the author of the Gizmodo article seem to lament the fact that passwords aren't stronger. I have no idea about whether or not that is justified, but a list of the most common passwords is in no way reflective of average password strengths. A good password is probably unique in the world so by definition the only passwords on this list are those that are trivially easy to come up with. A more interesting statistic, I think, is what percentage of the world's passwords is '123456'.
connoredel · 10 years ago
This is a good point. If these are each used by 2 people, it's not very interesting. It's sort of implied by the attention these stories get that the problem is much bigger than that, but I agree the story is incomplete without the magnitudes. And for the rest of us, we should care about the _trend_ of the % population using common passwords. In order to be safe, you probably need to stay above some constant level that is "good enough" for any hacker trying patterns or brute forcing. As the bottom gets more secure after reading articles like this or adopting password managers, we all need to step up our game. The first to go will be people who do things like:

- put a capital letter first and only first when a capital letter is required

- put a special character last and only last when a special character is required

- put a number next to last and only next to last when a number and a special character are both required

These will be the next patterns tried after the most common passwords, dictionary attacks, etc. -- and if you stay ahead of _these_ people then you'll be good for a while.

salmonet · 10 years ago
> Every year, SplashData compiles a list of the millions of stolen passwords made public throughout the last twelve months, then sorts them in order of popularity.

The title should be most commonly stolen passwords of 2015. It isn't very surprising to me that easy-to-guess passwords are the most stolen.

lampington · 10 years ago
Depends how they're stolen. If a site that wasn't using unsalted hashes for storing them was hacked, then it doesn't matter how guessable they are.
x1798DE · 10 years ago
If they are hard to guess, there's very little chance of collisions, so you'd expect the list of most common passwords and most guessable passwords to be the same anyway.
svckr · 10 years ago
> One that did catch my eye was 1qaz2wsx
>
> Take a look at your keyboard to see that one. While it has potential, it could be a little longer. It is still the strongest one from the list though.

How so? It could be a 100-character string of seemingly random symbols; if it's at the top of the list, it's not a strong password.

dmichulke · 10 years ago
> if it's at the top of the list, it's not a strong password.

An interesting point of view that makes the whole thing a game-theoretic problem: your choice is only good as long as not too many other people choose the same.

An analogy might be that of a stock: A password (stock) is only worth 'acquiring' as long as not too many people have it.

But I believe the difference is the quantity of passwords (money) chasing sites (stocks).

A similar version of that might be a simultaneous multiplayer number guessing game where the player wins that guesses the smallest positive number no one else has guessed.

alwaysdoit · 10 years ago
It's not. It looks "randomish" to humans, but it's not actually any different from 12345678.
piyush_soni · 10 years ago
It might be a 'strong' password according to these stupid 'password enforcers' on websites which think they're smart enough to decide for us.
logfromblammo · 10 years ago
Not quite. That password would be "1qaz@WSX".

You see, you need a number and a special character, a lowercase letter and an uppercase character.
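
As an added example (not code from the thread or from SplashData), the Python below shows why the rule set logfromblammo describes accepts "1qaz@WSX" while a structure check still recognises it as the same keyboard walk as "1qaz2wsx", and it also flags the capital-first / special-last / digit-next-to-last habits connoredel lists above. The US-QWERTY rows and columns, the shift-symbol unmapping and the 8-character minimum are assumptions.

```python
import string
# Added example, not code from the thread. The shift-symbol unmapping and the
# US-QWERTY rows/columns are assumptions used to recognise keyboard walks.
SHIFT_MAP = str.maketrans("!@#$%^&*()", "1234567890")
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]

def _walk_pieces(min_len=3):
    """Every run of min_len+ adjacent keys along a row or column, either direction."""
    pieces = set()
    for line in ROWS + COLS:
        for seq in (line, line[::-1]):
            for i in range(len(seq)):
                for j in range(i + min_len, len(seq) + 1):
                    pieces.add(seq[i:j])
    return pieces

WALK_PIECES = _walk_pieces()

def is_keyboard_walk(password):
    """True if the whole password splits into row/column runs (1qaz2wsx, 1qaz@WSX)."""
    s = password.lower().translate(SHIFT_MAP)  # "@WSX" becomes "2wsx"
    n = len(s)
    reachable = [False] * (n + 1)  # reachable[i]: prefix s[:i] is all walk pieces
    reachable[0] = True
    for i in range(n):
        if reachable[i]:
            for j in range(i + 3, n + 1):
                if s[i:j] in WALK_PIECES:
                    reachable[j] = True
    return n >= 3 and reachable[n]

def meets_complexity_rules(password):
    """The rule set logfromblammo describes; the 8-character minimum is an assumption."""
    kinds = (str.isdigit, str.islower, str.isupper, lambda c: c in string.punctuation)
    return len(password) >= 8 and all(any(k(c) for c in password) for k in kinds)

def predictable_structure(password):
    """Flags the three habits connoredel lists; returns the matching labels."""
    def where(pred):
        return [i for i, c in enumerate(password) if pred(c)]
    last, flags = len(password) - 1, []
    if where(str.isupper) == [0]:
        flags.append("capital-first-only")
    if where(lambda c: c in string.punctuation) == [last]:
        flags.append("special-last-only")
        if where(str.isdigit) == [last - 1]:
            flags.append("digit-next-to-last-only")
    return flags
```

A policy that combines all three checks rejects "1qaz@WSX" and "Password1!" even though both satisfy the character-class rules.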

mort96 · 10 years ago
"Your 32 completely random characters don't contain enough special symbols, and are thus insecure."
50CNT · 10 years ago
I think there's still way too many things that require dedicated accounts out there, and that erodes our ability to create secure passwords.

I think I can handle 3-5 passwords on sites I use on a regular basis just fine. The next 10 sites, and I misremember things. Past that every visit that requires a login is me going through the "forgot password, request password, log into email, wait for password reset email, click link, reset password, have it slip my mind again, reset password again, log in" cycle that may take anywhere from 10-30 minutes of my time.

But having to come up with new passwords for these websites makes me lazier with them. I want a chance to remember it given low repetitions, so I follow a pattern. I might not want to type a long complicated password in twice, so I make it shorter. I might start reusing it. There's only so much space in my head I'm willing to dedicate to remembering passwords and usernames, so I start to compress things, and this becomes habitual. Against all better knowledge, even some of my more important passwords become trivial to guess.

Now as someone who is running a low usage frequency website, you could say to yourself: "User error, not my problem". You could imagine a pretty world with unicorns and users who remember their passwords for your risotto blog's comment section, and that they parkour through your login experience, straight from A to B. It says one-click login on the tin, doesn't it?

No, I think requiring login at all should be a conscious design decision you have to make before you ever boot up the old Apache. Is it necessary, can you offload it to third parties, or if you do it, at what point does it start being necessary? Take a sober look at whether your website is one of the 5 I'll use often enough to remember the password for, and if it isn't, keep it in mind when deciding what to put on which side of the login wall.

ins0 · 10 years ago
Reminds me every year that I should change my password to "INVALID", and every time I try to log in with the wrong password, I get a nice reminder.

"Wrong Password - Your password is invalid"

slow clap

nashashmi · 10 years ago
That's a great idea: Take the error message and make that the entire password.
hartator · 10 years ago
lol you might get into trouble if they change the error message in the meantime!