
The Worst Passwords of 2020 Show We Are Just As Lazy About Security As Ever (zdnet.com) 128

After analyzing 275,699,516 passwords leaked during 2020 data breaches, NordPass and partners found that the most common passwords are incredibly easy to guess -- and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered "unique." ZDNet reports: On Wednesday, the password manager solutions provider published its annual report on the state of password security, finding that the most popular options were "123456," "123456789," "picture1," "password," and "12345678." With the exception of "picture1," which would take approximately three hours to decipher using a brute-force attack, each password would take seconds using either dictionary scripts -- which compile common phrases and numerical combinations to try -- or simple, human guesswork.

As one of the entrants on the 200-strong list describes the state of affairs when it comes to password security, "whatever," it seems many of us are still reluctant to use strong, difficult-to-crack passwords -- and instead, we are going for options including "football," "iloveyou," "letmein," and "pokemon." When selecting a password, you should avoid patterns or repetitions, such as letters or numbers that are next to each other on a keyboard. Adding a capital letter, symbols, and numbers in unexpected places can help, too -- and in all cases, you should not use personal information as a password, such as birthdates or names.

  • 12345 (Score:4, Funny)

    by Kitkoan ( 1719118 ) on Wednesday November 18, 2020 @06:35PM (#60740714)
    1-2-3-4-5? That's the kind of combination an idiot would put on his luggage!
  • I'm surprised these stupid passwords are still possible. Most websites and apps have so many rules, it's impossible to use something so simple.
    • by darkain ( 749283 ) on Wednesday November 18, 2020 @07:11PM (#60740836) Homepage

      Consider this... these are from password dumps.

      Any site smart enough to force those restrictions would use salted hashed passwords, preventing these types of discoveries even if the DBs leaked.

      So, yeah, not surprised in the least that sites that are exploited are also sites that don't have strong requirements.
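
What salting changes in a leaked table, as an added example (not code from the commenter or from NordPass): with a fast unsalted hash, accounts that share a password share a stored value, so duplicates can be counted directly, while a per-user salt makes every row distinct. The account names and the PBKDF2 work factor are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; the passwords are ones quoted in the summary.
ACCOUNTS = [
    ("alice", "123456"),
    ("bob", "123456"),
    ("carol", "picture1"),
    ("dave", "123456"),
]

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def store_unsalted(password):
    """Weak scheme: one fast, unsalted hash. Equal passwords give equal rows."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password):
    """Per-user random salt plus a slow KDF. Returns (salt, derived_key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify_salted(password, salt, key):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, key)


def largest_duplicate_group(stored_values):
    """Size of the biggest set of identical stored values in a table."""
    return max(Counter(stored_values).values())


if __name__ == "__main__":
    unsalted = [store_unsalted(p) for _, p in ACCOUNTS]
    salted = [store_salted(p) for _, p in ACCOUNTS]
    print("unsalted, largest group of identical rows:",
          largest_duplicate_group(unsalted))
    print("salted, largest group of identical rows:",
          largest_duplicate_group(key for _, key in salted))
```
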

      • by aaarrrgggh ( 9205 ) on Wednesday November 18, 2020 @08:28PM (#60741094)
        My password for one banking site was FuckingHel1! as every “secure” password I tried was rejected... too long, wrong symbols, etc. My other favorite is sites that silently truncate a password.
        • There was one site, which I will not name, that did some sort of financials. It required 6-8 characters, alphanumeric, first character alphabetic. No special characters. No long passwords. An exhaustive search would be something like a quarter of a quadrillion passwords, and would find every single password.

          • Hello, tsp.gov. Thankfully, they're better now.
        • I've found a few websites that accepted an empty password for any user. People just don't test the negative cases.
          • by micheas ( 231635 )
            Well, there was the one version of wordpress that would log you in if you just deleted the password field from the form with your dev tools.
        • by Z00L00K ( 682162 )

          Banking site using user selected password? That's not secure.

          The bank I have requires a one time password generated by a dongle that has a display and can't be connected to the computer.

          • My wife’s Swedish account works that way. It is a real pain for a few hundred dollars. Meanwhile, my joint brokerage account cannot support two different logins with separate tokens...
            • by Z00L00K ( 682162 )

              Not much of a pain compared to the pain you will get for losing the contents of your bank accounts.

              B.t.w. I'm in Sweden too.

              • Risk management isn’t absolute though. I am happy to use a [forget the Swedish word for the pin dohickey] for my brokerage account as an example, but for a trivial sum that is much easier stolen by check fraud (ok, not relevant in Sweden), I don’t care to bother.
      • Consider this... these are from password dumps.

        The takeaway is, this is a highly biased sample, and these results cannot be used for any generalized conclusions. Therefore, we can't make any claims like, "We Are Just As Lazy About Security As Ever."

      • not entirely - look at something like #53 on the list Bangbang123 - it hits on length, capitals, letters and numbers and if it required sp characters would probably be changed to Bangbang123! which would be as easily cracked - that means that you only need a dictionary attack to crack these and not a brute attack
    • by Kisai ( 213879 )

      That's just proving the point, that password complexity rules are pointless.
      https://xkcd.com/936/

      Come up with a mnemonic for your non-important sites, and a different one for your important sites, and also hope your important sites aren't stupid and prevent brute forcing.

      I have a bridge to sell you in Manhattan if you think the weakness is just the password. It's also the username. If I use kissmyass for my bank sites and social media, someone is going to try that username, no password dump required. T

      • Often the admins add all kinds of rules to your password so that even my autogenerated passwords are rejected at places, and certainly the 4 word passwords. The only way out then is relying on password storage.

        I also once used layered passwords: all my simple accounts used the same password, more important accounts were different though.

    • by Z00L00K ( 682162 )

      The huge problem here is that there are so many different sites people log on to today. In addition to that many accounts at their workplace require changing password several times per year and then it's causing new problems with people not remembering their password unless they have a method/pattern to work with.

  • by memory_register ( 6248354 ) on Wednesday November 18, 2020 @06:37PM (#60740720)
    Obligatory XKCD password comic:

    https://xkcd.com/936/
    • The password rules at my work prohibit you from using dictionary words longer than 3 letters. So that's out, unless I want to do something like Abewasshtdedinhed1! (Gotta have the number and special character in there, you know)

      • by Zumbs ( 1241138 )
        How many languages does the rule engine read?
      • > The password rules at my work prohibit you from using dictionary words longer than 3 letters.

        And those are bad rules. Like the xkcd comic correctly says, it only leads to passwords that are easy to guess and hard to remember. And the harder they are to remember, the more likely they'll be written on a sticky in the top right hand drawer. (Reference at least two films -- see if you can guess them -- but happens a lot in real life, too.)

        I'm actually happy to say that my company recently switched to pa

        • by Kisai ( 213879 )

          Yep, I haven't seen too many stickies at work, but those that have them, are usually things like "Welcome123!" and "Laptop123!"

          • Yep, I haven't seen too many stickies at work, but those that have them, are usually things like "Welcome123!" and "Laptop123!"

            Or, if you're required to change your password monthly, include capitals and a number and never repeat, use Jan2020, Feb2020, Mar2020... Dead simple to remember and won't repeat in the lifetime of civilization.

            Life finds a way.

            Oh, on finding stickies, look under the keyboard.

        • And the harder they are to remember, the more likely they'll be written on a sticky in the top right hand drawer. (Reference at least two films -- see if you can guess them -- but happens a lot in real life, too.)

          Sneakers and Wargames.

          • And the harder they are to remember, the more likely they'll be written on a sticky in the top right hand drawer. (Reference at least two films -- see if you can guess them -- but happens a lot in real life, too.)

            Sneakers and Wargames.

            I haven't seen Sneakers, I'll put it on the list. I was thinking of Wargames ("pencil") and Alfred Hitchcock's Marnie.

        • And the harder they are to remember, the more
          likely they'll be written on a sticky in the top right hand
          drawer.

          I can't help wondering how often that actually
          leads to a password breach, given that the hacker isn't
          even remotely likely to live in the same country,
          let alone have a chance to open someone's desk.

          I think probably around 0%.

    • Obligatory XKCD password comic: https://xkcd.com/936/ [xkcd.com]

      Sadly when users finally wise up and start creating strong passwords, the #1 password on the Humans Suck at Passwords list will be exactly correcthorsebatterystaple...which naturally every multi-million dollar strong password checker in the known universe will allow, simply because the Learn-To-Code lead programmer is a rather huge fan of certain nerdy comic strips...

      • When I was looking at password strength meters for a project, one of them (I think the one developed by Facebook) had "correct horse battery staple" in its list of well-known passwords that it reported would be guessed practically instantaneously.
      • Obligatory XKCD password comic:

        https://xkcd.com/936/ [xkcd.com]

        Sadly when users finally wise up and start creating strong passwords, the #1 password on the Humans Suck at Passwords list will be exactly correcthorsebatterystaple...which naturally every multi-million dollar strong password checker in the known universe will allow, simply because the Learn-To-Code lead programmer is a rather huge fan of certain nerdy comic strips...

        Um um... excuse me I have to go change something...

    • Obligatory XKCD password comic: Password Strength [xkcd.com]

      Whelp, that solves the mystery of Trump and: Person, woman, man, camera, TV [wikipedia.org]

    • by AmiMoJo ( 196126 )

      The XKCD method is only good advice where you have no choice but to memorize a password, e.g. your computer login or password manager password.

      In most other cases there are better options. All major browsers have a password manager built in and will sync between devices. Obviously enable 2 Factor Authentication (2FA) wherever you can.

      Long random passwords are actually easier and less effort than XKCD style phrases these days, at least for anything web related.

  • by fabioalcor ( 1663783 ) on Wednesday November 18, 2020 @06:41PM (#60740734)

    "maga2020!" https://it.slashdot.org/story/... [slashdot.org]

  • I suspect you are preaching to the choir here. Nobody willing to use those passwords is likely to read /. Tangentially, if I end a sentence with '/.', do I need a closing period? I've wondered for years if closing a parenthetical with an ASCII smiley face sufficiently closes the parenthetical. (i. e. Who cares? :-)
    • Tangentially, if I end a sentence with '/.', do I need a closing period?

      You need to properly source it . . . so the correct syntax is '. /.'

    • You made me chuckle with the parenthetical smiley.
      I often want to put an ASCII smile at the end of a parenthetical. It doesn't quite work. (But I'll do it anyway. :))

  • I always use two words that have nothing to do with anything, usually random things seen around the cubicle, or wherever I am at the time, sometimes funny combinations, random caps, and numbers, specials added to either the middle or end. My first password like this (which is on every list already, I'm sure) was joe4blow. One made on the spot was FingerhEAven&7&7. What's good is it's random, but you can remember it, it rhymes and it's quirky.
    • I always use two words that have nothing to do with anything, usually random things seen around the cubicle...

      That's one reason I have my doubts about the XKCD scheme. In theory they might be random words with 11 bits of entropy each, in practice I suspect the pool of words to be much smaller, with most people picking something like "monitorkeyboardmouselamp".

  • by BoB235423424 ( 6928344 ) on Wednesday November 18, 2020 @06:52PM (#60740792)

    Perhaps the issue is that people are required to have accounts/passwords for far too many things. If forced to login to a website just to see content or browse (not purchase) items, then people don't care about security nor about creating a secure password. The proliferation of web sites requiring accounts for no good reason versus ones that people actually care about would weight the counts of passwords people don't care about much higher in such lists.

    Slashdot is a good example. I was able to post as AC for years without ever having an account. Only recently was I finally forced to create one. I get pretty much no benefit from it other than being able to do what I had for two decades before they required it.

  • by Anonymous Coward

    Passwords, really?? That's so 1990s. Why haven't we killed the damn things yet? By now everything should use passphrases, authenticator apps, 2FA, thumb/face recognition, public keys, mouse/keyboard movement digests, or punch-the monkey-to-win codes. Anything is better than passwords.

    Eight characters, arcane combinations that are impossible to remember (password must contain: capitals! punctuation! no not that punctuation! voiceless fricatives followed by an alveolar stop, but only every other Tu

    • By now everything should use passphrases, authenticator apps, 2FA, thumb/face recognition, public keys,
      mouse/keyboard movement digests, or punch-the monkey-to-win codes.

      An interesting variation is passfaces, where a person
      memorizes a random face, then has to pick it out from
      a crowd of other random faces. This is then repeated a
      number of times. This is effective since
      once a person memorizes a face, they will likely
      remember it for many years to come.

  • The Humans Suck At Passwords list from 1990 is the same as it is today. Instead of publishing I-Told-You-So shit-lists, perhaps we in IT should simply stop assuming users would ever wise up. Hell, at least take a note from those in Insurance; they have stupid humans figured out to a highly profitable science.

    Go ahead. Look at the Best Worst Passwords lists from 10 years ago. Then 20. Then 30. Those with the same sources of grey in their beards already know I'm right.

    Perhaps one day We can be smart eno

    • The best thing IT can do is switch to passphrases.

    • Perhaps one day We can be smart enough to start blaming the morons running all of the websites that still accept bullshit passwords. I mean hell, it's not like this is a Solve-for-IPv6 problem (speaking of MFA adaptation) to correct permanently.

      Perhaps some day we can compare the cloud people who give away credit card information of millions of people and think that's a more important weak link than grandma's computer with "Password1".

      Meanwhile, tonight I'm messing with setting up a VPN connection that the guy doesn't have a certificate for yet, and my computers are screaming at me every step of the way. Security theater has come to computers near you!

      • Perhaps one day We can be smart enough to start blaming the morons running all of the websites that still accept bullshit passwords. I mean hell, it's not like this is a Solve-for-IPv6 problem (speaking of MFA adaptation) to correct permanently.

        Perhaps some day we can compare the cloud people who give away credit card information of millions of people and think that's a more important weak link than grandma's computer with "Password1".

        Perhaps one day the simple luddites will actually read the EULA, and realize they probably agreed to give their cloud data away. If you're talking about massive data breaches, that's another matter entirely. A 30-character randomly generated password turns into shit just as easily as "Password1" does when published unencrypted/unhashed online. Perhaps one day we'll fire the idiots who favor backwards compatibility above all, and couldn't figure out how to use a salt shaker if the password hashing machine

        • Perhaps one day the simple luddites will actually read the EULA, and realize they probably agreed to give their cloud data away. If you're talking about massive data breaches, that's another matter entirely.

          It's data breaches. The apparent ease with which the bad guys can get millions of Credit card numbers is breathtaking. Why go after me and get one, while entire cities worth of people are there for the picking?

          Low hanging fruit and a hella lot more of it than the 1 Card stored on individual's computers. This is the problem with remote data storage, AKA the cloud. You have to trust that the people running it are smarter than the people trying to breach it. They aren't. I don't consider myself very smart. B

    • The list is the same, but the number of people using the most common passwords has decreased. Approximately 1% of the users are using 123456 as their password (and frankly, any website that allows a six character password needs to re-think their security).
  • by FeelGood314 ( 2516288 ) on Wednesday November 18, 2020 @07:12PM (#60740842)
    Most of the sites I go to that require me to log in are not important enough for me to have a strong password. Most sites that want me to create an account want the account for their benefit, not mine. Even my Netflix account doesn't need a good password because I don't care if my kids or friends use the account. My WiFi router doesn't have a password and I reuse the same password on many many sites because I don't care if my accounts on those sites are breached. I know 2 strong passwords, my email and my password manager. My banking, Amazon, tax filings and other important things all have their passwords in my password manager.

    Any company that expects you to remember more than 1 password that has a capital, lower case, number, a special character and for you to change the password every month is setting themselves up for people to use weak passwords. I did a survey at one security company and discovered over 75% of the employees were willing to admit their password was a common 6 letter word in either English or their first language with the first letter capitalized, '!' or '#' and then a number they incremented every month (the special character and number could also be reversed). There were 15000 employees. An attacker was rate limited in trying passwords for a specific employee but if they didn't care which employee they compromised they could try Purple!3 on every single account in about 2 seconds. At one try every 2 seconds the rate limiter would not be tripped so effectively they could try 7500 passwords a second.
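
Why the per-account rate limiter described in this comment never trips, and the cross-account counter that does, as an added example (not code from the commenter): the log events, IP addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: sliding window for both checks
PER_ACCOUNT_LIMIT = 5            # assumption: failures per account before lockout
SPRAY_DISTINCT_ACCOUNTS = 20     # assumption: distinct failing accounts per source


def make_constructed_log():
    """Constructed auth events: (time, source_ip, username, success)."""
    t0 = datetime(2020, 11, 18, 9, 0, 0)
    events = []
    # A legitimate user mistyping four times, then logging in.
    for i in range(4):
        events.append((t0 + timedelta(seconds=20 * i),
                       "198.51.100.7", "jsmith", False))
    events.append((t0 + timedelta(seconds=90), "198.51.100.7", "jsmith", True))
    # One guess per account, one account every 2 seconds, as in the comment.
    for i in range(60):
        events.append((t0 + timedelta(minutes=1, seconds=2 * i),
                       "203.0.113.50", "user%05d" % i, False))
    events.sort(key=lambda e: e[0])
    return events


def per_account_lockouts(events):
    """Accounts a per-account limiter would lock: too many failures each."""
    recent = defaultdict(deque)          # username -> failure timestamps
    locked = set()
    for ts, _src, user, ok in events:
        if ok:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= PER_ACCOUNT_LIMIT:
            locked.add(user)
    return locked


def spray_sources(events):
    """Sources whose failures touch many distinct accounts inside WINDOW.

    Returns {source_ip: peak number of distinct failing accounts}.
    """
    recent = defaultdict(deque)          # source -> (timestamp, username)
    flagged = {}
    for ts, src, user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= SPRAY_DISTINCT_ACCOUNTS:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    log = make_constructed_log()
    print("locked by per-account limiter:", per_account_lockouts(log))
    print("flagged by cross-account counter:", spray_sources(log))
```

Keying the second counter on source address only helps when the attempts come from few sources; the same distinct-account count taken over all sources covers the distributed case.
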
    • by antdude ( 79039 )

      What's your login for Netflix since you don't care? :P

    • My WiFi router doesn't have a password

      I understand and agree with most of your sentiments above, but you really should use a good password on your router as well.

      There are various browser exploits that can give an attacker access to the LAN interface of your router. If the admin password on your router is easy to guess, they can (among other things) change your DNS server IP to redirect your lookups to a DNS server they control. This, in turn, can allow them to trick you into entering one of your strong passwords into a webpage that looks just

    • by AmiMoJo ( 196126 )

      I use strong random passwords for every site, but only because I'm lazy. It's quicker to just have the browser generate a password and save it than to type it in manually every time.

      It's literally quicker and less effort to use good passwords now.

  • WTF does that even mean? And it's got 60K+ in their sample size.

    • by Ambvai ( 1106941 )

      It means 'password' in Portuguese, which is partly why it might be common in certain places... Why on earth it showed up so frequently on the list when the equivalent in other languages, like 'ji32k7au4a83', didn't is beyond me though.

  • by 140Mandak262Jamuna ( 970587 ) on Wednesday November 18, 2020 @07:39PM (#60740924) Journal
    There are many easy to remember things that form good passwords. For example I remember Clive Lloyd scoring 242 not out in Wankhede Stadium against India in Bombay in 1975. Cl242no can form the core password. Then for each site, you can derive a three letter mnemonic from the site name itself, like /. for slashdot or TwT for twitter or GmA1L for gmail. You can easily create a unique password for each site and you just need to remember the core password and the mnemonic used for that site.

    Or you might remember a particular score in Superbowl. Dc52Bb17 is a decent core password.

    Or you might remember the stock option strike price you got when you joined, like 2500InTc245.

    Turn on 2FA if it is offered.

    Do not use same formula for important sites like banks and brokerage houses.

    You do all this and your spouse decides the wedding anniversary is the "best" password for the joint account, and you look like John Keats in La Belle Dame Sans Merci.. Hey JkLbdsm is also not a bad core password.

    • So I guess the ultimate question for someone holding this level of password wisdom is...just how often have you found your strong passwords, sitting on display in public pwned sites?

      Sarcasm aside, one does have to assume you've had good results securing your online world for a while now.

  • my password grew from
    1234
    to
    1234567890qwertyuiop

    • A critical password (racf) that we only used two or three times a month required a capital letter and a number, and you could never reuse a password.

      Through experimentation we discovered that the following would work:

      Jan97

      Feb97

      Mar97

      Apr97

      ...and it wouldn't repeat in any of our lifetimes.

  • Just sayin'.

    • Remember that in Swordfish, from an empty password prompt UI, one is able to tell the password encryption method, password length as well as guess the password ONE CHARACTER AT A TIME! (which, if it was really true, would mean the time to solve it should drop...geometrically?)
  • ... it seems many of us are still reluctant to use a Password Manager that generates (and remembers for you) strong, difficult-to-crack passwords -- and instead, we are trying to remember all of the passwords for all of our many dozens of accounts ourselves, thereby forcing us to choose incredibly easy to remember passwords such as "football," "iloveyou," "letmein," and "pokemon." When selecting a password, you should allow your Password Manager app do it for you, thereby avoiding patterns or repetitions, s

    • what a log of hogwash. When someone cracks your password manager you are truly toast.

      • There are few ways to get hold of the password manager database, and the easiest one is compromise the user computer. But if you do that, you can install a keylogger and grab everything.

        And what is more common? Password leaks from insecure services (as I write this, HaveIBeenPwned records 10,240,427,866 leaked accounts), or a keylogger being installed?

        My password manager is not a cloud based one (so no fear of it being left insecure and get stolen), and the master password is almost 60 bytes long. I b
  • These are passwords for systems where users don't care about security and passwords, are, essentially useless (enforced by system administrators for whatever reason). Meaning - might as well post them right next to the login box.

  • For what it's worth, I use passphrases that are deliberately mispelled with weird Capitalization and special characters.

    But we need to be honest - what is the point of all this when retailers and the presumably impregnable fortress of the cloud simply gives our credit cards away by the millions?

    We can rail on about the stupid stupid users, howbow we do something about the real problem.

  • I make up fake cars. Car names are always letter, number, capital and lowercase. Toss in a ! or ? at the end and it's good. BMW888xi! MB553amg
  • Use a password manager. Password generating and storage is a solved problem: a password manager.

    Seriously people, stop all schemes of creating hard to guess, easy to remember passwords. We are not made to remember passwords!

    Password size is important, but less than having unique passwords for each service. It does not matter if your password is 100 bytes long, but you have it for every single service, and one of them stores passwords in plain text and gets hacked. And forget about creating a way to ge
    • Assuming that you always log in from the same device. If you use different devices, you have to be able to get at least compatible password managers on each one, and the devices have to communicate with each other. If you have the same manager on multiple devices, and they all die at once (say, in a house fire), you're screwed.

      There's downsides to everything.

  • by Pluvius ( 734915 ) <pluvius3NO@SPAMgmail.com> on Wednesday November 18, 2020 @08:54PM (#60741178) Journal

    After analyzing 275,699,516 passwords leaked during 2020 data breaches

    Why the hell should anyone put effort into coming up with strong passwords when a hacker is just going to steal them anyway? If your login security doesn't at least include some sort of 2FA, it's worthless. And before you say it, fuck password managers. Getting locked out of all of my accounts because some app fucked up is not my idea of a good time.

    Rob

    • by AmiMoJo ( 196126 )

      Most stolen passwords are hashed and salted. The hacker has to decrypt them and they always start with a dictionary attack on the most common ones. Dictionary attacks usually crack 80% or more of hashed passwords.

      If you chose a decently strong password the chances are they won't bother with you, it's not worth the effort to crack it via brute force. There are millions of weaker ones to target.

      It's like putting a decent lock on your door. It's not impossible to pick and people sell tools to make picking it q

    • Why the hell should anyone put effort into coming up with strong passwords when a hacker is just going to steal them anyway?

      That isn't a foregone conclusion. 275 million passwords isn't a lot when data dumps are able to access them millions at a time from a single website. There are a lot of shitty websites out there and the Venn diagram of websites which have their passwords posted online and websites which have at least the common sense to demand a minimum level of complexity doesn't overlap much.

  • STANDARD WEAK PASSWORD REPLY FORM

    Passwords are weak because

    [] The human mind can store very few passwords like "iGDjgGc@!Q04#Gs"
    [] everybody including their dog requires a password for people to use their site
    [] People don't like having to remember
    which unique password goes to what
    [] And people really hate being forced to frequently change their passwords
    \_and if you force this, passwords written on Post-It notes will be taped to every computer monitor in your office
    [] Some people can't be

    • A nice eight or twelve line poem with a few words switched out for ones you would never forget is virtually uncrackable for any purpose an average person would have, and easy to remember.

      • You want everyone to type an 8-12 line poem, with everything obscured by ***s, with zero errors, or they get locked out?
        Sounds like a 1970s typing teacher's idea of hazing to me, not practical security advice.
        • Back in high school, when we were taught typing class (on TYPEWRITERS), the author of the lesson book decided it would be fun for students to type in a very tedious sequence of characters to make some sort of lame ascii art.

            And no, the 'picture' did not come out quite well for me, and I imagine for others in the class as well.

  • by Tom ( 822 ) on Thursday November 19, 2020 @06:49AM (#60742132) Homepage Journal

    Ah, the usual nonsense...

    Here's the thing, or rather, things: First, brute-force is essentially a non-issue. It is quite rare to see actual brute-force attempts, and if your software allows brute-force, it's broken. Plain and simple. The only brute-force attacks that aren't easily defeated by not being a complete idiot are the ones on stolen hashes - and then you've already fucked up by having your hashes stolen. You probably also didn't hash, salt and pepper them properly, at least when we look at the sheer number of credentials that get lost due to hacks every year.

    Second, brute-force times are misleading. Nobody who isn't completely braindead does the kind of brute-forcing that you calculate there. All of the brute-force tools know to start with common words, have a library of common permutations, etc. etc.

    Third, users pick stupid passwords very often not because they're stupid, but because they don't care. Your silly website that I'm going to visit once in my life and that forces me to make an account so I can see or download the content I came for? I don't care if my password on that gets hacked. In fact, I use the same password for all such sites, because I couldn't care less. I use strong passwords for sites I care about. My e-mail is in plenty of those hacks of badly secured websites that also couldn't store their passwords securely - but none of my actual passwords for sites I actually care about are.

    Fourth, for things that matter, turn on 2FA already. Done.

    Fifth, for things that don't matter enough for that, length beats complexity. End of discussion. Ignore those "password strength" meters. Half of them think that AAaa11!! is a very strong password. I haven't tried but I'm reasonably sure that John cracks that in half a second tops.
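
The gap between composition rules and guessability raised here and elsewhere in the thread, as an added example (not code from any commenter or from NordPass): passwords quoted on this page are run through a classic character-class checklist and through a blocklist check that first undoes common mangling. The blocklist is a constructed sample, the minimum length is an assumption, and the passing passphrase is constructed.

```python
import re

MIN_LENGTH = 12  # assumption: minimum length chosen for this example

# Constructed sample blocklist built from passwords and base words quoted on
# this page; a real deployment would load a large breached-password list.
COMMON = {
    "123456", "123456789", "picture1", "password", "12345678",
    "football", "iloveyou", "letmein", "pokemon", "whatever",
    "welcome", "laptop", "purple", "bangbang",
    "correcthorsebatterystaple",
}

MONTHS = {"jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"}


def meets_composition_rules(pw):
    """The classic checklist: 8+ chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def base_word(pw):
    """Undo common mangling: lowercase, drop spaces, strip non-letter ends."""
    folded = pw.lower().replace(" ", "")
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)


def screen(pw):
    """Return the reasons to reject pw; an empty list means accept."""
    reasons = []
    folded = pw.lower().replace(" ", "")
    base = base_word(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if folded in COMMON:
        reasons.append("on the common-password list")
    elif base in COMMON:
        reasons.append("common word with a predictable prefix or suffix")
    if base in MONTHS:
        reasons.append("month name plus digits (rotation pattern)")
    if len(set(folded)) < 5:
        reasons.append("fewer than 5 distinct characters")
    return reasons


if __name__ == "__main__":
    samples = ["Bangbang123!", "AAaa11!!", "Welcome123!", "Purple!3",
               "Jan2020", "correct horse battery staple",
               "velvet-orbit-canyon-mustard"]  # last one is constructed
    for pw in samples:
        verdict = screen(pw) or ["accepted"]
        print("%-30s rules=%-5s %s"
              % (pw, meets_composition_rules(pw), "; ".join(verdict)))
```
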

  • The very existence of passwords is pissing people off. On the one hand, the fact that some people can't mind their own business necessitates passwords. But on the other, you wind up with draconian password rules that require 20-character passwords with no repeats and have to be changed every few months while disallowing the last ten passwords you used. Ultimately, people are stupid and nefarious people will take advantage of that fact.

  • horse battery staple
  • There is a sucker born every day. New idiots come online all the time. "We" is not a fixed set of people.

  • As we used to say when I was doing computing science at school in the late 1970s, "PEBCAK" :
    P roblem
    E xists
    B etween
    C hair
    A nd
    K eyboard
    It seems that things haven't improved in the intervening 40-odd years.

    A proposal : since the "cloud" knows everything about you, stop making people choose hard passwords for things like their bank account or pacemaker, and simply use "the cloud" to apply the objectively worst password you have used in the last 5 years to your most important log-ins.

    OK, a few million

  • The biggest risk to authentication security these days is not brute force attacks, dictionary attacks, rainbow table attacks or weak crypto. It is credential stuffing.

    Bad actors can get lists of hundreds of thousands of username/password combinations that are valid somewhere and then try them all on thousands of new sites every day. If there is one match, which would be because someone reused both username and password on more than one site, then they've got a toe in the door to test the app for more securi

  • we're not lazy at all. we (users) just don't agree on the importance of security.

    I drive on a highway at 100kph with on-coming at an opposing 100kph risking 200kph collisions, my only security being a stripe of yellow paint.

    I have a deadbolt on my front door, right next to a big glass window.

    My air conditioner can be turned off by anyone walking by, no matter the temperature.

    My furnace's exhaust vent can be plugged by anyone at any time.

    My car's windshield wipers can be just taken by anyone in any parking
