49 comments

[ 3.2 ms ] story [ 95.3 ms ] thread
The second password in the txt is written with a 0
I was wondering about that repetition.
Direct link to the relevant article on Gizmodo:

http://gizmodo.com/the-25-most-popular-passwords-of-2015-wer...

The linked article does nothing more than link to that article and include a link to a "convenient" text file with the top 25:

123456, password, 12345678, qwerty, 12345, 123456789, football, 1234, 1234567, baseball, welcome, 1234567890, abc123, 111111, 1qaz2wsx, dragon, master, monkey, letmein, login, princess, qwertyuiop, solo, password, starwars.

He also messes up: the first "password" is all letters; the second one (near the end) substitutes a 0 for the o "passw0rd"

EDIT: Oops, I didn't see dmichulke's post saying the same thing. Here's the reference: https://news.ycombinator.com/item?id=10930521

>Every year, SplashData complies a list of the millions of stolen passwords made public throughout the last twelve months, then sorts them in order of popularity.

The title should be most commonly stolen passwords of 2015. It isn't very surprising to me that easy-to-guess passwords are the most stolen.

Depends how they're stolen. If a site that wasn't using unsalted hashes for storing them was hacked, then it doesn't matter how guessable they are.
If they are hard to guess, there's very little chance of collisions, so you'd expect the list of most common passwords and most guessable passwords to be the same anyway.
I often either reuse a simple password or use a stupidly simple one for sites that require a signup but for which I do not care to interact with in any meaningful way.

Have to create an account on some new startups app?

username: newstartupname_myname

password: 12345!

need to sign up for a "trial" account to get access to content I probably don't even want? same thing.

so while I'm sure that there are way too many people using 123456 for their insurance or financial service login, does it really matter that someone's password to Cnet or foodnetwork is simple and easy to guess?

Same on my case, if the account is essentially useless I do exactly this. I put the same username and password with a dedicated email for this kind of things.
Reddit-esque but Relevant username!
The primary danger would be that you add sensitive information, forgetting that the account is weakly protected.

I've found that having a password manager compels me to have a strong password for every single site. Not having to remember anything (is this a weak password site? Did they require a number or capital?) is such a relief, and knowing that the account is as strongly protected as it can be (with respect to my control over the situation) is quite comforting.

Same here. If you make it a strong password that you reuse in another site, there's a danger if someone hacks into it and finds that password.
Reminds me every year that i should change my password to "INVALID" and everytime i try to login with the wrong password, i get a nice reminder.

"Wrong Password - Your password is invalid"

slow clap

That's a great idea: Take the error message and make that the entire password.
lol you might get into trouble if they change the error message in the meantime!
I'm seriously tired of dealing with passwords. With the availability of email on everything including your toaster. Every site should offer token based authentication. I used passwordless on my last side project, and it's super convenient.
All of our hard work convincing people to think of longer passwords has finally convinced the populace to type 'qwertyuiop' instead of 'qwerty' when they're asked to make an account for a service they don't care about.

The best way to improve password quality at least looking at it from the perspective of a user with my habits is to wait to have me make an account until I actually want the service. If I have to think of a password in order to try something out for the first time it's going to be the most inane garbage because I simply don't care/can't be bothered to think of some secure phrase to protect nothing.

I've used 1qaz2wsx for throw-away accounts. I mean, come on... I create at least one new account a week! >:(
What annoys the hell out of me is this constant insistence on creating accounts or even connecting your social media account.

How about just making your damn service/product good to where once people are hooked in they will actually want to create the account when they are damn well ready.

Exactly! I've been working on my own app for a bit; once I go live I completely intend on having gradual sign-up. You'll have a session. You can use the entire app, but if you want to safe your stuff you better register ;)
I'm not sure what this list is trying to accomplish but the problems with it are 1) it doesn't acknowledge that these are unlikely to be important passwords and 2) there's little indication this is much of an attack vector, if any at all.
I get how all of these are common easily remembered passwords that people would use, except for this one:

1qaz2wsx

Where did that come from as a "most common" password? Hah! Nevermind. I just looked at it on the keyboard. Posting anyway for fun.

I used to think "come up with a pattern on the keyboard" was a good plan, but apparently it is fairly common. Glad I use a password manager now (passpack).

One that did catch my eye was 1qaz2wsx

Take a look at your keyboard to see that one. While it has potential, it could be a little longer. It is still the strongest one from the list though.

How so? It could be a 100-character string of seemingly random symbols; if it's at the top of the list, it's not a strong password.

It might be a 'strong' password according to these stupid 'password enforcers' on websites which think they're smart enough to decide for us.
Not quite. That password would be "1qaz@WSX".

You see, you need a number and a special character, a lowercase letter and an uppercase character.

"Your 32 completely random characters doesn't contain enough special symbols, and is thus insecure."
It's not. It looks "randomish" to humans, but it's not actually any different from 12345678.
if it's at the top of the list, it's not a strong password.

An interesting point of view that makes the whole thing a game-theoretic problem - your choice is only good as long as not too many other people chose the same.

An analogy might be that of a stock: A password (stock) is only worth 'acquiring' as long as not too many people have it.

But I believe the difference is the quantity of passwords (money) chasing sites (stocks).

A similar version of that might be a simultaneous multiplayer number guessing game where the player wins that guesses the smallest positive number no one else has guessed.

The author, some of the comments here and especially the author of the Gizmodo article seem to lament the fact that passwords aren't stronger. I have no idea about whether or not that is justified, but a list of the most common passwords is in no way reflective of average password strengths. A good password is probably unique in the world so by definition the only passwords on this list are those that are trivially easy to come up with. A more interesting statistic, I think, is what percentage of the world's passwords is '123456'.
This is a good point. If these are each used by 2 people, it's not very interesting. It's sort of implied by the attention these stories get that the problem is much bigger than that, but I agree the story is incomplete without the magnitudes. And for the rest of us, we should care about the _trend_ of the % population using common passwords. In order to be safe, you probably need to stay above some constant level that is "good enough" for any hacker trying patterns or brute forcing. As the bottom gets more secure after reading articles like this or adopting password managers, we all need to step up our game. The first to go will be people who do things like:

- put a capital letter first and only first when a capital letter is required

- put a special character last and only last when a special character is required

- put a number next to last and only next to last when a number and a special character are both required

These will be the next patterns tried after the most common passwords, dictionary attacks, etc. -- and if you stay ahead of _these_ people then you'll be good for a while.

The second "password" in this blog's list should be "passw0rd"
This is a well studied area and never a surprise. What I haven't seen is a list of common passphrases or common android swipe patterns or common iphone PINs. Is anyone working on this stuff?

Its also 100% shameful that I can't just shove this list into Active Directory and deny these passwords to end users. I can turn on complexity or length, but nothing else. So today's "password" will be tomorrow's "tobeornottobe" once we all migrate to passphrases/12+ minimum character passwords.

Also this is blogspam citing other blogspam. The source is SplashData and they release this analysis every year.

Yeah I just Googled those and they're all available.

Denying passwords would just lead to adding 1 to the end and calling it a day. We shouldn't really put any limitations on passwords users use.

I guess the key is (pun not intended) is stolen passwords and not systems that have not been setup because I bet particularly wifi and various systems "guest", "admin" and "demo" would be high up on the list.
The thing that drives me crazy about sequential passwords like 1234567890 and qwerty is how obvious it looks when typing it out.

Don't you want to at least provide the illusion of security? And even if you have no concerns about the account being compromised, are you really able to write "qwerty" faster than your first name?

How are these gathered? Does this guy have some site he owns where he checks common hashes?
Meanwhile I find myself somewhat worrying about my unique, 32-character passwords because quantum computers
Where does correcthorsebatterystaple rank?
I wish they would include how many times each password was used. Those top 25 representing 50,000 out of a million passwords means something very different than if they represent just 1,000 out of a million.

Comparing the proportion of the million passwords that are accounted for by the top 25 (and top 100, top 1000, etc.) year to year also gives a much better measure of whether public behavior is improving than just seeing if the top 25 are obviously poor passwords.

> Hopefully, 2016 will bring much stronger passwords to the general public, but going off of previous years, I have my doubts.

Hopefully, 2016 will bring better methods of authentication to the general public, but going off of previous years, I have my doubts.

(comment deleted)
I think there's still way to many things that require dedicated accounts out there, and that erodes our ability to create secure passwords.

I think I can handle 3-5 passwords on sites I use on a regular basis just fine. The next 10 sites, and I misremember things. Past that every visit that requires a login is me going through the "forgot password, request password, log into email, wait for password reset email, click link, reset password, have it slip my mind again, reset password again, log in" cycle that may take anywhere from 10-30 minutes of my time.

But having to come up with new passwords for these website makes me lazier with them. I want a chance to remember it given low repetitions, so I follow a pattern. I might not want to type a long complicated password in twice, so I make it shorter. I might start reusing it. There's only so much space in my head I'm willing to dedicate to remembering passwords and usernames, so I start to compress things, and this becomes habitual. Against all better knowledge, even some of my more important passwords become trivial to guess.

Now as someone who is running a low usage frequency website, you could say to yourself: "User error, not my problem". You could imagine a pretty world with unicorns and users who remember their passwords for your risotto blogs comment section, and that they parkour through your login experience, straight from A to B. It says one-click login on the tin, didn't it?

No,I think requiring login at all should be a conscious design decision you have to make before you ever boot up the old Apache. Is it necessary, can you offload it to third parties, or if you do it, at what point it starts being necessary. Take a sober look at whether your website is one of the 5 I'll use often enough to remember the password for, and if it isn't, keep it in mind when deciding what to put on which side of the login wall.

(comment deleted)