One Out of Every 142 Passwords is '123456' (zdnet.com)

In one of the biggest password re-use studies of its kind, an analysis of more than one billion leaked credentials has discovered that one out of every 142 passwords is the classic "123456" string. From a report: The study, carried out last month by computer engineering student Ata Hakcil, analyzed username and password combinations that leaked online after data breaches at various companies. These "data dumps" have been around for more than half a decade, and have been piling up as new companies are getting hacked. The data dumps are easily available online, on sites like GitHub or GitLab, or freely distributed via hacking forums and file-sharing portals. Over the years, tech companies have been collecting these data dumps. For example, Google, Microsoft, and Apple have collected leaked credentials to create in-house alert systems that warn users when they're utilizing a "weak" or "common" password.
  • by jfdavis668 ( 1414919 ) on Thursday July 02, 2020 @11:52AM (#60254510)
    Had to be said.
  • You have to move your fingers from the default places and stretch them to reach all of those keys. Better to use a common word, like password.
  • 123456 is also one out of every 1,000,000 passwords.

  • Surely it only matters if those passwords are being used on accounts that matter to the user. If it's a typical "oh, I have to create an account to comment here, which I'll then immediately forget about ah... username hfashf873124 location: vatican birth date: 1/1/2000 Password: 123456." then what's the problem?

  • by RyanFenton ( 230700 ) on Thursday July 02, 2020 @12:05PM (#60254578)

    Just like some folks make their wifi password an easy one to guess/share in an apartment, I think a lot of folks just don't want to close the door on someone getting through on a lot of things.

    I know I've created a fairly large amount of pure junk accounts just because companies forced me to create an account to see how a product worked.

    That's the same reason that folks doing surveys of people have to filter out a fairly large number of fictional names from their results.

    People reject security measures they see no personal benefits to - they especially reject the effort needed to maintain those security systems.

    Forcing them to make the effort makes them put that same effort into actively breaking those systems in clever ways.

    That's why the real expense of a security system is often really giving people a stake in it worth the effort of maintaining it.

    It's also why a large portion of folks really hate most forms of DRM, on a game they spent money on.

    It's only the large portions of systems that reject weak passwords that have 123456 as rare as it is - I wonder how many times it has to be auto-rejected?

    Ryan Fenton

    • Agreed, it would be much more interesting to see how many use '1234' as the PIN on their checking account, or something else that matters.

      123456 is a good password for when you don't really want a password because you're more worried about accidentally locking out yourself than any need to lock out others.

    • Absolutely, and websites subject to being hacked are probably also the ones you wouldn't care much about security.

    • by znrt ( 2424692 ) on Thursday July 02, 2020 @01:47PM (#60254926)

      there was a fun movement for a while in Spanish speaking circles called the 'lalala movement'. the philosophy: if any site required registration you'd try lalala/lalala or lalala/lalala99 combinations. if they didn't work you'd register one of those with a discardable email account, making the site available to the next initiate in the movement.

      it even worked for a while :)

  • by hcs_$reboot ( 1536101 ) on Thursday July 02, 2020 @12:05PM (#60254582)
    Just changed my password
  • I would totally use a password like 123456 for most social accounts that did not have any credit card associated with them, including, but not limited to:

    Facebook
    Twitter
    free pandora account
    roll20
    discord
    reddit
    instagram
    and of course, Slashdot

    The passwords on these accounts are mostly for the benefit of the CORPORATION, not the user.

    • Wow, I secured my Facebook with a U2F key. Not a thing on it that would be embarrassing to me if it got out, but the hell I would want someone logging in and putting something embarrassing on it.

      • by q4Fry ( 1322209 )

        Yeah, I just signed into GP's Pandora and deleted all their stations in favor of Justin Bieber.

    • I would totally use a password like 123456 for most social accounts that did not have any credit card associated with them, including, but not limited to:

      Facebook Twitter Slashdot

      The passwords on these accounts are mostly for the benefit of the CORPORATION, not the user.

      So what are your user names for Facebook and Twitter so that I can use your accounts to send some death threats to the President and maybe post some kiddy porn?

  • There are lots of stupid sites that require you to log in, and I use a stupid password for them. Like the NYTimes to view 5 articles a month. I don't care if anyone hacks my account, because it's just a throwaway.

    Banks, email -- I use LastPass + 2-factor. But lots of junk sites I'll use the same junk password.

    • by PPH ( 736903 )

      They don't really care so much. They got you to give them your e-mail address as one step in activating the account. That's what they were after.

  • by backslashdot ( 95548 ) on Thursday July 02, 2020 @12:10PM (#60254606)

    Passwords should have multiple characters and not exist in dictionaries (such as Webster); that's why I've set my Slashdot password to Slashdot1! so nobody can guess it.

    I checked the dictionary personally.

    • Funny and insightful. Password policies are so ridiculous. You don't like my k18do5 password, but Password1! is ok? Then I'll do nothing important on your platform as I just don't trust your security engineers. That's why Paypal and Ebay have always been a no go for me.

    • by ediron2 ( 246908 )

      haha! JohnTheRipper does dictionaries plus permutations.

      (insert the Princess Bride's character Inigo Montoya saying: "Unless the enemy has studied his Agrippa which I have.")

      I know you're joking, and likely know, but it's worth noting for the n00bs:
      Right after JtR or other engines try all 100,000 common words and passwords, they go to work on slight variations: Backwards. Different capitalization. 2-word combinations. Leetspeak and other character substitutions (like 0's for Os, !'s for 1, L or I, et

  • 870 out of every 123456 passwords is 123456.

  • by unfortunateson ( 527551 ) on Thursday July 02, 2020 @12:20PM (#60254652) Journal

    Back in the early days of the internet, I used the "Bender stop trying to destroy the world" approach, and set a password to something that nobody would ever associate with me.
    But when I first saw a list of common passwords that shouldn't be used, sure enough "baseball" was on the list -- and I changed that one immediately.

    So consider what everyone else's passwords are, not just yours.

  • by WoodstockJeff ( 568111 ) on Thursday July 02, 2020 @12:27PM (#60254674) Homepage

    The passwords were collected from sites that did not think it important to keep the passwords in a safe manner, so it is a good chance the users felt the same.

    Use of salted hashed passwords has been standard fare for a LONG time. If you're even a little serious about things, a dump of your passwords would be pretty much unusable. No one would be able to identify which passwords were most common, because "123456" would hash differently for each.

    • by danlip ( 737336 )

      This list of companies that don't take security seriously includes Equifax (at least as of 2017), and for all you know it includes your bank. I don't think you can assume that users know which sites are not serious about security and only use crap passwords on crap sites.

      Also even the easiest password I have (which probably dates to 1995) is better than 123456.

    • That more than a few companies generate one salt and use it on all passwords. (Meaning generating a new rainbow table might be worth doing.)
  • by ArhcAngel ( 247594 ) on Thursday July 02, 2020 @12:31PM (#60254688)
    correcthorsebatterystaple
  • I'm not surprised that passwords are terrible; especially if your dataset is composed of ones that have leaked; but I am a bit surprised that complexity rules are lax enough that six-character passwords with no letters or special characters would be as common as that.

    It's still depressingly common to find sites that freak out if you try to use spaces or certain special characters in passwords; but enforcement of at least 'alphanumeric' is something I would have assumed would have become a baseline some
    • by vyvepe ( 809573 )
      The rules requiring special characters in passwords are stupid. The password checker should decide based on the entropy of the text not based on presence of a special character. Special characters do not help that much and they are hard to type on some devices.
    • by cusco ( 717999 )

      I work in physical security, and am appalled by the security policies of much of the hardware in my industry. One of the largest manufacturers of security cameras has a hard-coded admin user named 'system' with an unchangeable password of 12345. Some don't allow numbers or special characters, some are limited to only 6 or 8 characters, some don't allow view-only accounts. Only Axis and Pelco force installers to change the root password at first login, and both of them will allow you to change it back to

  • Ha, I have a very strong password, 37 random characters sourced from /dev/urandom. I have it taped to my monitor with another sign over the sticky saying "Company Confidential"

    Per our security standards, no one is supposed to look at confidential items unless they have access first. So I am very safe

  • Part of the issue I have with using secure passwords is most sites have different and arbitrary password requirements.

    One site may say "only symbols allowed are !,$#@" while others allow all symbols. This forces me to make different passwords for different sites, and try to remember all of them.

    So, for less critical accounts, I use simple passwords. I don't trust password managers either.

    • Part of the issue I have with using secure passwords is most sites have different and arbitrary password requirements.

      One site may say "only symbols allowed are !,$#@" while others allow all symbols. This forces me to make different passwords for different sites, and try to remember all of them.

      So, for less critical accounts, I use simple passwords. I don't trust password managers either.

      A password manager is definitely very handy. I have passwords that I don't even know but a quick copy/paste and I'm logged in.

    • As far as I'm concerned, if you know that my password doesn't have a !, ^, $, A, a, and 1 in it, how do I know that you're not storing it in plaintext? What I put into the password field is my business, and my concern. All you need is the mangled garbage of a salted and hashed text string.

      • Exactly. I was reading the comments here to find out HOW they could do such a study looking at hashes without having stored the actual passwords. I guess they did store the actual passwords. So who's the dummy?
    • Amusingly, had Comcast do a bulk user password change on pretty much every business cable modem in the region a few years back - they set it to something that could not pass validation in their own UI (those awful DPC3939/DPC3941 Cisco modem-gateways), so had to manually submit the password change form from the browser debugger -___-
  • more like 1 out of 142 passwords is 42

  • Many passwords are demanded by the provider, but add no particular protection to the user -- free subscriptions to online news feeds, for example. In such instances, less secure passwords may well make sense to people. I wonder how many of these super-unsafe passwords are of that variety?
  • I have at last check 107 different passwords for different sites.

    Some of those sites do not require any security at all. For instance if some equipment vendor wants me to log in before I can see their data sheets, why would I bother with a secure password? I don't happen to use 123456 but I use something extremely easy to remember because it doesn't matter at all if someone guesses it.

    For my bank accounts I use pw0n3d

    I could use a phone password manager, but if my phone fails, I am forked.

  • I had a factory replacement of the control unit for my eBike. When the replacement unit came back, I couldn't be bothered to look up how to change the password. It's 1234 - but physical security is the key, as I'm sure there is a factory wipe method that is easy enough to remove this password.

  • This is why I switched to using '12345678'...it adds ~7.2 bits of entropy over my old password of '123456'!
  • I use a 4 tier approach:

    1. Easy password for sites that do not store personal information/shouldn't require a password. Would have no problem giving it to anyone who asked.
    2. Medium password. Sites I would feel comfortable sharing login details with friends and acquaintances. Wifi. Netflix.
    3. Strong password. Sites I may need to share with wife and family. Amazon. Walmart.
    4. Paranoid password. Sites that force me to store financial data. Email. Google. Banking

  • One out of every 999,999 6-digit numbers is also 123,456. What are the odds of that?
  • How about "one in 142 *cracked* passwords from poorly implemented security systems is 12345"?
  • There are so many sites nowadays that require an account just for farming contact info. I really don't give a damn if some message board that required me to sign up just to view a post gets spammed by my account I only used once.
