Passwords

Messages
8,481
Name
Steve
Edit My Images
Yes
#1
Honestly, really!

Millions of people are using easy-to-guess passwords on sensitive accounts, suggests a study.
The analysis by the UK's National Cyber Security Centre (NCSC) found 123456 was the most widely-used password on breached accounts.


https://www.bbc.co.uk/news/technology-47974583
 
Last edited:
Messages
411
Edit My Images
No
#2
I was told not to use "password" as my password so I was sneaky and used 12345678. :exit:
 

arclight

Oooh that burglar's a cutie
Messages
10,721
Name
Doug
Edit My Images
Yes
#4
Honestly, really!

Millions of people are using easy-to-guess passwords on sensitive accounts, suggests a study.
The analysis by the UK's National Cyber Security Centre (NCSC) found 123456 was the most widely-used password on breached accounts.


https://www.bbc.co.uk/news/technology-47974583
Hardly a year goes by without a report stating that millions of people are doing that. How many bloody studies do we need to conclude that millions of people are stupid and/or lazy.
If the use of "common" passwords are a security risk would it not just be easier to have software written that automatically blocks the creation of the problem passwords.
 
Messages
5,481
Name
Darran, Daz or ****
Edit My Images
Yes
#5
What annoys me is that there are still websites that will not allow you to use special characters in a password.
 
Messages
7,160
Edit My Images
No
#6
Hardly a year goes by without a report stating that millions of people are doing that. How many bloody studies do we need to conclude that millions of people are stupid and/or lazy.
If the use of "common" passwords are a security risk would it not just be easier to have software written that automatically blocks the creation of the problem passwords.
A lot of sites tell you to mix letters and numbers and at least one special character. Others have a 'strength guage' so this latter type is analysing the pattern. But surely if there was a database of common bad ones and it was comparing the users attempts........is there no a risk that the hacker might use such a system to their advantage?

Oh, and what about personal responsibility?
 
Messages
7,160
Edit My Images
No
#7
What annoys me is that there are still websites that will not allow you to use special characters in a password.
I have come across one or two like that, cannot recall when or which ones but if their backend system is not robust enough (in this day & age) and they are the sites that expose your data to identify theft........then steer clear needs to be the mantra???
 
Messages
860
Edit My Images
No
#8
What annoys me is that there are still websites that will not allow you to use special characters in a password.
Yeah, I agree with you, I feel your pain.

I tried to create a harder password using a mix of letters, numbers, and special characters, but some websites throw up a wobbly and it feels like it's screaming an error message telling me I can't use special characters.

Sometimes I tried to create a harder password by having it as long as possible, say 16 characters or more, but some websites also throw up a wobbly, telling me I can't use more than 8 or 10 characters.

Really annoying! And don't get me started on Autocorrect!! :)
 
Messages
411
Edit My Images
No
#9
I spent a long time in the IT industry. It's quite worrying how many system managers' passwords are very easy to crack. Then we come to programmers... :runaway:
 

StewartR

Efrem Zimbalist Jr
Advertiser
Messages
12,018
Name
Stewart
Edit My Images
Yes
#10
What annoys me is that there are still websites that will not allow you to use special characters in a password.
What annoys me is that there are still websites that will not allow you to *not* use special characters in a password.
 
Messages
5,481
Name
Darran, Daz or ****
Edit My Images
Yes
#12
I have come across one or two like that, cannot recall when or which ones but if their backend system is not robust enough (in this day & age) and they are the sites that expose your data to identify theft........then steer clear needs to be the mantra???
I can think of one ISP that probably doesn't allow users to use special characters, I won't name them but they've been fined three times due to a lack of security.
 
Messages
5,481
Name
Darran, Daz or ****
Edit My Images
Yes
#14
Yeah, I agree with you, I feel your pain.

I tried to create a harder password using a mix of letters, numbers, and special characters, but some websites throw up a wobbly and it feels like it's screaming an error message telling me I can't use special characters.
If I remember correctly, I read an article online that said when it comes to apps they use for hacking passwords, when special characters are used rather than a matter of hours to crack using numbers and words, if just one special character is used it can take days, even weeks to crack the password.
 
Messages
5,481
Name
Darran, Daz or ****
Edit My Images
Yes
#17
I spent a long time in the IT industry. It's quite worrying how many system managers' passwords are very easy to crack. Then we come to programmers... :runaway:
I'm just glad that I am not as heavily involved with IT these days, honestly the amount of sys admins who had no clue how to secure a network properly.
One set me challenge to gain admin rights so I did, thirty minutes later I'd installed Doom on the network and and ten people were playing it :D
Another from a now defunct ISP (Tiscali) who I had the displeasure of contracting with told me I wouldn't be able to connect and download from newsgroups, I also proved him wrong as well.

It also tickles me when a company employs IT security experts and they still get hacked which is what happened to Talktalk.
 

Cobra

Just not pink enough
Staff member
Messages
85,312
Name
Phitt, Hissy Phitt
Edit My Images
No
#20

Tori_T

Staff member
Messages
7,652
Edit My Images
Yes
#21
I once knew a one-finger typist who used "fred"* (or "fredfred" if he had to) as his universal password.

* Look at your keyboard. :rolleyes:
 
Messages
411
Edit My Images
No
#22
I worked at one high security site where they ran regular password checks using a mixture of the readily available password lists. The login that failed most often was our (alleged) resident spook. (don't bother asking how I know that) :thinking:
 
Messages
7,160
Edit My Images
No
#23
Waaay back in the 1970's when we had one of the first to be used computer systems in our pathology lab at a major teaching hospital (it was connected to the main system to ensure all the results could be seen across the hospital where needed?) the passwords were quite primative.

We were all issued with our own fixed password and on the lovely green screen monitors (remember them???) the whole screen was covered in random letters & numbers but for the, fixed position in the centre) and you typed it there in plain for anyone to see it over your shoulder if they were quick & focused enough. We all learned that one password was departmental i.e. we all knew it but I was one of few people who had another password that allowed different access and that was individual.
 

Tori_T

Staff member
Messages
7,652
Edit My Images
Yes
#24
It's not just "easy to guess" passwords that are the problem; it's poor hashing/encryption, password reuse, and those f*****g horrible rules.*
Gotta use upper and lower case, numbers, special characters, and change it every 90 days without reusing your last eight passwords?
p@55W0rd01...
p@55W0rd02...
p@55W0rd03...
p@55W0rd04...

Badly stored/reversible hashes have allowed crackers to build up huge databases of passwords, and to determine rules by which people vary them. Reused ones have allowed the compilation of lookup tables for secure systems that aren't trivial to hit with brute force or dictionary attacks.


*Bill Burr, the guy who originally wrote them, admits he pulled them out of his ass, and that they've been a major security problem.
 

nilagin

Daniel-san
Messages
11,168
Name
Neil
Edit My Images
Yes
#25
Hardly a year goes by without a report stating that millions of people are doing that. How many bloody studies do we need to conclude that millions of people are stupid and/or lazy.
If the use of "common" passwords are a security risk would it not just be easier to have software written that automatically blocks the creation of the problem passwords.
I would have thought it easy to block such passwords. Most sites have the ability to let you know whether a password is weak, medium or high.
I just find it infuriating that I have to change my password for the computers at work every 3 or 4 months. It gets to the point where you start to run out of ideas on what to use next.
 

Nod

Krispy and Kremey
Messages
32,160
Name
Nod (NOT Ethel!!!)
Edit My Images
Yes
#26
Messages
20,143
Name
Alan
Edit My Images
No
#30
Waaay back in the 1970's when we had one of the first to be used computer systems in our pathology lab at a major teaching hospital (it was connected to the main system to ensure all the results could be seen across the hospital where needed?) the passwords were quite primative.

We were all issued with our own fixed password and on the lovely green screen monitors (remember them???) the whole screen was covered in random letters & numbers but for the, fixed position in the centre) and you typed it there in plain for anyone to see it over your shoulder if they were quick & focused enough. We all learned that one password was departmental i.e. we all knew it but I was one of few people who had another password that allowed different access and that was individual.
One contract I worked on was the DSS. They had a screen full of little coloured squares and the idea was you picked a point on the screen and from there created a password going in whatever direction you wanted, like... RRBYGR. I don't think it worked too well with mono screens :D
 
Messages
5,960
Name
Terry
Edit My Images
Yes
#31
Where security is less important like on this forum, I use a simple but not obvious pass word.
When it comes to banking my pass words bare no resemblance to each other, or to my simple ones.
Most, but not all my passwords, are on the Avast password app. and can be "Remembered" with the Key.
If I unlock the App they auto fill.
 

StewartR

Efrem Zimbalist Jr
Advertiser
Messages
12,018
Name
Stewart
Edit My Images
Yes
#32
If I remember correctly, I read an article online that said when it comes to apps they use for hacking passwords, when special characters are used rather than a matter of hours to crack using numbers and words, if just one special character is used it can take days, even weeks to crack the password.
Yeah but no but.

My phone keyboard has one special character above each of the 26 letters: @ : " & ~ * - + > = ( ) / ; { } % | # [ < ' ^ £ ] _
If we don't allow passwords to use these, we're limited to a set of 62 characters: A-Z, a-z and 0-9. If we allow passwords to use these special characters, we have 88 characters to play with.

An 8-character password without using special characters has 62^8 possibilities, which is around 2.2x10^14. An 8-character password allowing these special characters has 88^8 possibilities, which is around 3.6x10^15. By allowing the special characters we've made the password 16 times harder to crack by brute force.

But I can make the password harder to crack just by making it longer. Increasing from 8 to 9 non-special characters makes it 62 times harder to crack. Increasing from 8 to 10 non-special characters makes it 3844 times harder to crack.

Using non-alphabetic non-numeric characters makes passwords better, but making them longer makes them better too. If your password is something like AdtfiatwuEmg, then that's not going to be easily cracked even though it's restricted to only alphabetic characters.

[Easy way to generate passwords which are secure and easily memorised: pick a song and use the initial letters of each word until the password is long enough. The one I used in the previous paragraph was derived from 'Jerusalem'.]
 
Last edited:

Tori_T

Staff member
Messages
7,652
Edit My Images
Yes
#34
Easy way to generate passwords which are secure and easily memorised: pick a song and use the initial letters of each word until the password is long enough.
I'll bet somebody somewhere set a bot on lyrics.com and created a list of all those possibilities.
Now, if you were to take a leaf out of the WWII SOE book, and insert a deliberate mistake, say ditch mountains, and replace it with Golders, bowling, Soylent, Lincoln, telephone, etc. it'd still be easy for you to remember, but wouldn't be so likely to fall to a dictionary attack.
 
Messages
971
Name
Neil
Edit My Images
Yes
#35
I use ASCII codes for our infrastructure equipment, MFA for admin logins and currently looking at FIDO2 for our end-users.

I already use Windows Hello for Business and have FIDO2 keys for my personal device
 

StewartR

Efrem Zimbalist Jr
Advertiser
Messages
12,018
Name
Stewart
Edit My Images
Yes
#36
I'll bet somebody somewhere set a bot on lyrics.com and created a list of all those possibilities.
Now, if you were to take a leaf out of the WWII SOE book, and insert a deliberate mistake, say ditch mountains, and replace it with Golders, bowling, Soylent, Lincoln, telephone, etc. it'd still be easy for you to remember, but wouldn't be so likely to fall to a dictionary attack.
Actually I usually add a couple of digits on the end - a lot of websites insist on numeric as well as alphabetic characters - but that's a really good idea.
 
Messages
6,867
Name
Graham
Edit My Images
No
#37
I come across more and more places which require you to change your password after a set number of months. I would guess that a sizable number of people may revert to using easy to remember sequences bolted onto their standard password such as month/year etc so they don't lose track. But I do wonder how much influence this may have on people reverting to easy passwords or even writing them down.
 

Tori_T

Staff member
Messages
7,652
Edit My Images
Yes
#38
It appears you're right, that's exactly what it does.
The people who originally advised regular changes are now recommending you don't, unless there's evidence the accounts have been compromised.
 

StewartR

Efrem Zimbalist Jr
Advertiser
Messages
12,018
Name
Stewart
Edit My Images
Yes
#39
Another thought about passwords.

There are some websites - but not very many - where I really care about protecting my password. Banks, email, cloud storage, ... but not many. And then there are a whole load where I really don't care very much. For example I've just bought a case for my mobile phone, from a website I'll probably never use again. Why do I care about keeping that secure? If my account is hacked, what are the bad guys going to do - buy me another mobile phone case? So why don't I just use a password like '123456'? It's easy to remember, and if it's cracked it offers absolutely zero clues as to what my other passwords (the ones that I do care about) are.

Could that be part of the reason why passwords such as '123456' and 'password' are so common? Not because people are stupid, but because they're being forced to create passwords for websites which they really don't care about one way or the other?
 

Nod

Krispy and Kremey
Messages
32,160
Name
Nod (NOT Ethel!!!)
Edit My Images
Yes
#40
I use <mother's maiden name><company name> as disposable passwords, with appropriate substitutions if needed, so <M4identesco> would do. Other than a couple of places who have card details, I don't have much need for very secure PWs - won't do internet banking until I'm forced to!
 
Top