I wonder how much passwords like "lastfm", "music" and "abcdefg123" are an indication of people just being bad with security, as opposed to people just not giving a damn... Amid the overflow of trivial sites requiring more and more login details, is there really a value in having strong passwords? Personally, I mostly don't care; I have strong passwords for important sites (banks, online stores that have my credit card details), but for the rest of logins, I use pretty trivial passwords - if someone "steals" my account, I'll just create another one!
But you are the exception. The problem is not really weak passwords, it's re-used passwords. A lot of people just use one password and they use it everywhere, so as soon as it gets cracked once, their accounts can be compromised all over the place.
The best thing I ever did for my parents was teach them to use different passwords everywhere. Against conventional wisdom, I get them to write them down in a book, because for them, keeping a book secure is much easier than knowing what to do to keep their computers secure. We already know how to keep physical objects reasonably secure, we do it every day with our credit cards, passports, jewelry etc.
Exactly. Part of the annoyance of passwords is due to the loss of perspective that comes with running a business, SAAS offering etc: you, the owner, may think it's a big deal, but if there are no credit cards involved, the databases of most websites don't contain anything the users really care about. In fact the most sensitive thing they probably hold is the password / hash thereof, because they force people (inappropriately) to use strong and therefore valuable passwords.
How does Last.fm allow "0" to be a password? You'll always have people who will tend to pick poor passwords, but shouldn't the service try to at least have some decent password standards?
I do hobby research into password guessing entropy and I'd love to get ahold of these lists of in-the-wild passwords. Is there any good source for such things? I don't need usernames, just "real" passwords (with frequency data if I can get it).
I feel like this is misleading without the % share of the total. These top 50 represent 2.7% of the total. OK, that sounds bad, but I'm not really sure how to interpret it.
Even if we get better at this, the top passwords will still be these, they'll just be lower as a % of the total. So until we have 100% unique passwords, this story will always be there, which just seems lazy.
19 comments
[ 5.4 ms ] story [ 50.2 ms ] threadThe best thing I ever did for my parents was teach them to use different passwords everywhere. Against conventional wisdom, I get them to write them down in a book, because for them, keeping a book secure is much easier than knowing what to do to keep their computers secure. We already know how to keep physical objects reasonably secure, we do it every day with our credit cards, passports, jewelry etc.
Worse yet, some such sites intentionally break pasting into the password field, making it a pain to paste in a randomly generated password.
You can fix that with a bookmarklet to re-enable pasting.
(Tested with desktop Safari, no idea about other browsers.)I may never see the sunlight again.
Even if we get better at this, the top passwords will still be these, they'll just be lower as a % of the total. So until we have 100% unique passwords, this story will always be there, which just seems lazy.