
Far Too Many People Are Still Using “Password” as a Password

19 December 2017

From The Digital Reader

Motherboard reports that a study of passwords leaked over the past year shows that many users are recycling the same bad passwords they have been using for years and years:

SplashData estimates that nearly 10 percent of people have used at least one of the 25 worst passwords on this year’s list, and almost 3 percent used the worst password, ‘123456’. ‘Password’ was the second most popular password.

Other numeric passwords that weren’t new to the list were ‘12345678’ in third place, ‘12345’ at number five, and ‘1234567’ in seventh place. But there were some new, more creative (or, you know, not) variations: ‘123456789’ (in sixth place), and ‘123123’ in 17th.

Additional repeat offenders include a handful of very obvious words: ‘qwerty,’ ‘football,’ ‘admin,’ ‘welcome,’ ‘login,’ ‘abc123,’ ‘dragon,’ ‘passw0rd,’ and ‘master.’ But there were some new passwords on the top 25 list this year, including ‘letmein,’ ‘iloveyou,’ ‘monkey,’ ‘starwars,’ ‘hello,’ ‘freedom,’ ‘whatever,’ ‘qazwsx’ (from the two left columns on a standard keyboard), and ‘trustno1.’ The new passwords replaced 2016’s ‘123456790,’ ‘princess,’ ‘1234,’ ‘solo,’ ‘121212,’ ‘flower,’ ‘sunshine,’ ‘hottie,’ ‘loveme,’ ‘zaq1zaq1,’ and ‘password1.’

Many people wrongly assume that adding a zero instead of the letter O will make their passwords more secure, but, as SplashData CEO Morgan Slain is quick to point out in a press release, “hackers know your tricks, and merely tweaking an easily guessable password does not make it secure.” Additionally, Slain points out that attackers are quick to use common pop culture terms to break into accounts online, in case you thought you were the only Star Wars fan.

. . . .

P.S. The top 25 most common passwords of 2017 were:

  1. 123456
  2. Password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou
  11. admin
  12. welcome
  13. monkey
  14. login
  15. abc123
  16. starwars
  17. 123123
  18. dragon
  19. passw0rd
  20. master
  21. hello
  22. freedom
  23. whatever
  24. qazwsx
  25. trustno1

Link to the rest at The Digital Reader

PG admits this doesn’t have much to do with books, but most people who are in the least bit serious about hacking your computer are interested in money – credit card numbers, bank accounts, brokerage accounts, purchasing gift cards, etc.

Since everybody knows authors are rich, most of you are prime targets.

In addition to money (or sometimes instead of money) some hackers would just like to spy on your email, change the password for your website or bank or Amazon account. They could also have fun with your KDP account or claim to have planted a virus on your computer that they will tell you how to delete if you send them some cash or Bitcoin or something equivalent.

PG agrees with Nate in the OP that the best way of strengthening your password health is to acquire some password management software.

PG has used Lastpass for a long time with good results (perfect, actually). He has also received strong recommendations for 1Password from those whose technical chops he respects. Dashlane, Stickypassword and Logmeonce are other candidates with good reputations.

Unless the North Korean secret police are trying to hack your computer, just about any password manager will keep the bad folk out and improve your overall security 1000% (if you use it).

The specific things a password manager usually does that PG finds useful are:

  1. It stores your login credentials very securely (provided you don’t use “password” as the password for your password manager). You only need to remember one good password and the password manager will remember the rest.
  2. When you go to a password-protected site, most (maybe all) password managers will automatically log you into the site if you have the password manager running, unless you’ve told it not to do auto logins. You can have a 100-character ID and a 500-character password and the password manager will plug those in so you’re in right away.
  3. When you set up an ID and password for a new site, the password manager will offer to save them, sparing you the trouble of typing them into your password manager.
  4. If all you can think of is “momisthebest” as a password, the password manager will generate a really good password for you.
    1. PG asked Lastpass for a random 10-character password using lower and upper case letters, numbers and symbols and here’s what Lastpass produced – #48s5j82KW.
    2. PG decided he needed more security, so he asked Lastpass for a 20-character password and here that one is – 027oqq3XtK^3N@jW#f5S.
    3. A 50-character password? – F6B2fq&3bJm49Iu1xoM4n6plQSWDmvFHAx%#8ROmLb88wd^mjK
    4. 100 characters – P3J!tgisFPl%jeN6LZn5RFHfBRM9R6SkjFc5UMR9suKcawoF1h4Rc1WsQ$SnKj%MDpn#MB0@3OSg*ZDDRU8JM6z8Fji4DJfU14Ec
    5. We could go on having fun like this all day, but you get the idea. In addition to having a password generator inside Lastpass, you can also access Lastpass’s generator on the web without being a customer – https://lastpass.com/generatepassword.php
  5. PG found a cool site that estimates how long it would take a brute force attack to crack a password of your choice:
    1. The password “password” takes .29 milliseconds to crack (on a middling Core i5 computer).
    2. 1234567 also takes .29 milliseconds
    3. bestmom takes 11 minutes
    4. A little baby 8-character random password – p15S16#7 – takes over 14 years.
    5. Add one character for a 9 character password – 9P0g779!x – and you’re up to over 1,000 years. If you change this password only once every 100 years, you’re as safe as houses.

You can calculate how long a brute force attack with a Core i5 computer would take to crack your passwords at https://www.betterbuys.com/estimating-password-cracking-times/.

Since there is actual math apparently happening behind the scenes at the BetterBuys site, PG has no idea whether the numbers are real or not.
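To make the two ideas in PG’s list concrete (a generator that draws from the OS random source, and a brute-force time estimate), here is a small Python script. It is an added example, not code from The Passive Voice, LastPass or the BetterBuys site. It checks a candidate against the 2017 top-25 list (including the zero-for-O style tweaks the post warns about), generates a random password the way a password manager does, and bounds the brute-force time. The guess rate of 1.4e7 guesses per second is a constructed assumption chosen so that the random 8- and 9-character examples above land roughly at the “14 years” and “over 1,000 years” figures PG quotes; the site’s own model is not published on the page, and its sub-millisecond result for “password” shows it uses a common-password lookup before any brute force, which is why this script checks the denylist first.

```python
import math
import re
import secrets
import string

# SplashData's 2017 top-25 list as reproduced in the post, used as a denylist.
TOP_25_2017 = (
    "123456", "Password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx", "trustno1",
)
DENYLIST = frozenset(p.lower() for p in TOP_25_2017)

# Undo the "zero instead of the letter O" style tweaks the post warns about,
# so passw0rd / p@ssword / pa$$word all collapse back to "password".
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "@": "a", "$": "s", "!": "i"})

# Alphabet the generator draws from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed assumption: single mid-range CPU, tuned to the post's 8/9-char figures.
ASSUMED_GUESSES_PER_SECOND = 1.4e7


def is_denylisted(password: str) -> bool:
    """True if the password, or a trivially tweaked form of it, is on the list."""
    base = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", base)   # drop trailing digits/symbols ("password1")
    candidates = {base, base.translate(UNLEET), stripped, stripped.translate(UNLEET)}
    return any(c in DENYLIST for c in candidates)


def generate(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG (secrets), as a password manager would."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_years(password: str, guesses_per_second: float) -> float:
    """Years to exhaust every string of this length over the inferred charset."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def evaluate(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Denylist first (common passwords fall instantly), then the brute-force bound."""
    denied = is_denylisted(password)
    size = charset_size(password)
    return {
        "denylisted": denied,
        "charset": size,
        "bits": len(password) * math.log2(size) if size else 0.0,
        "years": 0.0 if denied else brute_force_years(password, guesses_per_second),
    }


if __name__ == "__main__":
    for pw in ("password", "passw0rd!", "bestmom", "p15S16#7", "9P0g779!x", generate(20)):
        print(f"{pw:24} {evaluate(pw)}")
```

The brute-force figure is an upper bound for a truly random string and says nothing about a word-based password: “bestmom” comes out at a few minutes here and would fall far faster to a dictionary run, which is exactly why the denylist check runs first and why the generator, not a memorable phrase, is the right source for anything that matters.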


21 Comments to “Far Too Many People Are Still Using “Password” as a Password”

  1. Another vote for LastPass here. Same experience with it as PG. I had no idea how many passwords I had.

    • Lastpass — great stuff.

      I still keep a password-protected Word file with accounts/passwords, on the belt-and-suspenders principle. It’s really convenient for additional information. And having been an IT professional for more than 40 years, it’s (wait for it) 65 pages long. (I never clean out the dead stuff, just update it.)

  2. If you aren’t in the mood to sign up for a password manager, one thing to consider is that password *length* is the most important item when it comes to preventing the reverse-engineering of a password. A short phrase is better and easier to remember than a single word.

    eg.

    Mustang65 – not so great.

    MyMustangWasTheBest!1965 – better. You can take it from there.

  3. One of my students asked what I used for passwords. I replied, “The lesser liturgical feast days. In Greek.” Thus far no student has asked for any further information.

    I have used liturgical feasts in the past. And many other things.

  4. Way back when (pre-2000), I was with a friend when he visited an elderly person that had a problem with her grand-kids messing up her computer. The idea of password protecting it was brought up – which brought up another problem …

    “What should I use for a password?”

    “Something they wouldn’t think you’d use.”

    A crafty look came to her eyes as she softly said, “You mean like a curse word?”

    The two youngsters (to her) bursting out laughing before agreeing that that might work.

    .

    Myself, I often use the leading letters of a phrase and some numbers, caps on something other than the first letter. For a place that was going downhill after a management change, I started using: tpitP123 (this place is the Pits). Thirty days later when they demanded we change passwords yet again, the 123 became 234 …

  5. Add one character for a 9 character password – 9P0g779!x – and you’re up to over 1,000 years.

    Cool! I went to the testing site and typed in a password of the sort I use, and it passed 69+ millennia as I typed the 13th character and then switched to the infinity sign on the 14th character. My passwords are generally 20 characters long.

  6. Dark Helmet: 1-2-3-4-5? That’s the stupidest combination I’ve ever heard of in my life! That’s the kinda thing an idiot would have on his luggage!

    President Skroob: 1, 2, 3, 4, 5? That’s amazing! I’ve got the same combination on my luggage!

  7. Everyone should keep in mind while choosing passwords that your enemy is not a human. It’s not Garcia from Criminal Minds making shrewd guesses. Your enemy is a machine that can test a billion possibilities in seconds.

    The longer the password, the more possibilities the machine has to test. Therefore a long password is always better than a short password. What you think is a hard password may be simple because it contains sequences that a smart algorithm will test ahead of random sequences.

    In the ever nearer future, quantum computing will raise the speed that hackers can test even random possibilities by orders of magnitude.

    Password managers are good because they make it possible for you to use long and unpredictable passwords.

    My advice: if your password produces lots of hits on a Google search, it is weak. If it is under 12 characters, it is weak. If it is easy to remember, it is weak.

    Multi-factor authentication is not perfect, but it is harder to break than a single password, no matter how unbreakable your single password is.

    • Neuse River Sailor

      Lots of good points, and I agree in general, but a good password doesn’t have to be hard to remember. For example:

      GoingToVisitMyGrandkids4TheDay!

      is easy to remember after the second or third use, very hard to crack.

      By the way, very moving post at your site.

      • Not that hard to crack at 63 billion guesses per second, a rate that was reported in Ars Technica five years ago. A sharp compsci graduate could put together something faster today for a few thousand dollars.

        You can bet that government labs have devices that operate in the range of 100 billion guesses per second, if you are worried that some government might want to crack your account.

        Your example is long, and that is good, but all those familiar sequences (dictionary words) make it effectively quite a bit shorter.

        My suggestion is that if you must remember a password, make it part of multi-factor authentication.

    • Good points. Another thing worth considering is that you aren’t facing off against some single Core I5 PC. Your typical PC graphics card has hundreds or thousands of processors that can be put to work in parallel trying different combinations of passwords.
      And you don’t need to be some sort of genius hacker to do that, because the genius hackers have already developed the cracking software and made it available to any tyro who wants to play at being a black hat.
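Comments 2 and 7 above make the same point from two sides: a long phrase is easier to remember than a short string, but dictionary words inside it make it “effectively quite a bit shorter” to a cracker that assembles guesses from words rather than from single characters. The following Python sketch, added here and not from any commenter or cracking tool, scores a password under both attacker models and reports how many characters from a 94-symbol random generator would give the same strength. The word-list size of 20,000, one bit per word for capitalisation and 32 punctuation choices are constructed assumptions for the token model; real cracking rules are far richer, so the token figure is still optimistic.

```python
import math
import re

# Constructed assumptions for the token (word-based) attacker model.
WORDLIST_SIZE = 20_000      # each word token is one of ~20k common English words
CASE_BITS_PER_WORD = 1      # first letter capitalised or not
PUNCT_CHOICES = 32          # one printable-ASCII symbol
FULL_CHARSET = 94           # lower + upper + digits + 32 symbols, as a generator uses

# Split CamelCase words, ALLCAPS runs, digit runs and single symbols.
TOKEN_RE = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|[0-9]+|[^A-Za-z0-9]")


def tokenize(password: str) -> list:
    return TOKEN_RE.findall(password)


def char_bits(password: str) -> float:
    """Naive model: the attacker enumerates every string over the inferred charset."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += PUNCT_CHOICES
    return len(password) * math.log2(size) if size else 0.0


def token_bits(password: str) -> float:
    """Token model: the attacker builds candidates from words, digit runs and symbols."""
    bits = 0.0
    for tok in tokenize(password):
        if tok.isalpha():
            bits += math.log2(WORDLIST_SIZE) + CASE_BITS_PER_WORD
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += math.log2(PUNCT_CHOICES)
    return bits


def equivalent_random_length(password: str) -> float:
    """Characters from a 94-symbol generator that match the token-model entropy."""
    return token_bits(password) / math.log2(FULL_CHARSET)


if __name__ == "__main__":
    for pw in ("Mustang65", "MyMustangWasTheBest!1965", "GoingToVisitMyGrandkids4TheDay!"):
        print(f"{pw:32} chars={char_bits(pw):6.1f} bits  "
              f"tokens={token_bits(pw):6.1f} bits  ~{equivalent_random_length(pw):4.1f} random chars")
```

For the Neuse River Sailor’s 31-character example the naive model credits about 203 bits, the token model about 115, so it behaves like a random password of roughly 17 to 18 characters: still strong under these assumptions, but far from what the raw length suggests, and a richer rule set would cut it further. That gap is the reason the managers PG recommends generate from the full alphabet instead of from words.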

  8. “Since there is actual math apparently happening behind the scenes”…

    [snort] Whale math need not apply.

  9. On the other hand, stories like this make all passwords equal. I’ve used password or 1234 on multiple occasions. Just recently, I wanted to see what one of those decorating sites that advertises on TV (Wayfair?) was about.

    I don’t remember what device I was using, but it required an account. So I used something like no@nope.com and 123456. After looking, I knew I wouldn’t be returning. If I had liked what I saw, it would have gotten a real logon, but it was a throwaway. So bad password yes, but it didn’t need to be better.

  10. I was interested in Lastpass until I saw how many times they’ve been hacked. It’s only a matter of time. …

    • I don’t want to endorse any product, but I will say that LastPass has been remarkably open and prompt about reporting hacks and vulnerabilities. I don’t believe there have been any actual passwords captured. This spring, a hacker exfiltrated usernames and hints, but I haven’t seen reports that any passwords were lost. LastPass was good about getting the word out to change master passwords.

      I once espoused the “single throat to cut” theory: password managers are a single point of vulnerability that every hacker on the planet would love to hack. But I changed my mind a few years ago.

      Reason? The burden of managing strong passwords is too great. I found myself compromising too often and I realized that even my own healthy share of paranoia was not enough to keep my passwords well-managed.

      Password managers are a vulnerability, but my considered opinion is that a password manager with a solid reputation is much better for me than relying on my own methods.

      You may be willing to trust yourself with the job, and more power to you, but I will not trust myself. I still lose sleep over cybersecurity, but not as much over managing passwords.

    • I think it was LastPass I used too, before I both saw that and realized it slowed my computer down so much as to make it unusable. There’s no point in a secure computer that you can’t do anything with.

  11. Any writers here? Hahaha. Am I the only person who has noticed that the list is a strangely compelling poem? The title could be “Senselessness of False Security”. Or with a little editing, you could get a haiku:

    “qwerty”
    Football, i love you.
    Hello freedom, whatever!
    qazwsx (trust no 1).

    PS
    Admin, welcome monkey login.
