
Passwords That Should Never Be Used

timothy posted more than 9 years ago | from the not-even-worth-trading-for-chocolate dept.

Security 239

The Original Yama writes "Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses. PCLinuxOnline provides an alphanumerical list of commonly used weak passwords that should never be used. If any of these passwords look hauntingly familiar and are being used, you should change the password immediately."


missed one... (5, Funny)

Anonymous Coward | more than 9 years ago | (#9046884)

I worked ISP tech support and the one I remember showing up way too often was:

thx1138

Re:missed one... (3, Interesting)

linzeal (197905) | more than 9 years ago | (#9047000)

One that I have seen more than often, fuckyou. Heh, when you make registration too difficult they get pissed at you.

Re:missed one... (1)

zoloto (586738) | more than 9 years ago | (#9047448)

I don't get it... help anyone?

but back on topic. this list is interesting:


P PAPER, pass, PASS, Pass, passwd, Passwd, PASSWORD, password, Password, pat, patrick, PBX, pc, PCUSER, PDP11, PDP8, PFCUser, PHANTOM, phoenix, piranha, pmd, PO, PO8, poll, Polrty, POST, Posterie, postmast, POSTMASTER, postmaster, POWERCARTUSER, powerdown, PRIMARY, prime, primenet, primeos, primos, primos_cs, PRINT, PRINTER, PRIV, private, prost, PSEAdmin, public, PUBSUB, pw, pwd, pwp

nowhere in there is pussy. seriously when I was admining a smaller isp in a far away state, this and its variants would come up quite a bit.

I've secured my Internet privacy (4, Funny)

prostoalex (308614) | more than 9 years ago | (#9046886)

I've protected my privacy and use Gator [gator.com] for all my passwords.

Re:I've secured my Internet privacy (1, Flamebait)

ThumbSuck (629952) | more than 9 years ago | (#9048132)

I've protected my privacy and use Gator for all my passwords.

This would be funny, but when I've seen Microsoft 'how-to-be-safe-on-net' brochure recommending use of Gator I simply cannot see anything funny here.

I keep it simple (5, Funny)

Anonymous Coward | more than 9 years ago | (#9046896)

I use PASSWORD for everything.

Re:I keep it simple (4, Funny)

ConceptJunkie (24823) | more than 9 years ago | (#9047395)

Yeah, I could have guessed that. I think a lot of people are using your /. account to post. I see that username dozens of times in every story.

I'm surprised that the classic "xyzzy" isn't in the list. Other words I would have expected to see: "fred", "bofh", "windows", and "billgatescanbitemyshinymetalass".

Anonymous Coward NY Times passwd (3, Funny)

me98411 (754004) | more than 9 years ago | (#9046921)

I do not see "slashdotcoward" in the list. Looks like it is a strong passwd. Isn't that the login and passwd used by Anonymous Coward for NY times?

Top 10 Passwords Not to be Used (5, Funny)

AtariAmarok (451306) | more than 9 years ago | (#9046922)

10. iluvalqueda

9. idareyoutoguessthis

8. oldfattylumpkinwhosewisenoseledushere

7. *******

6. (my actual password)

5. cowboyneal

4. pencil

3. neo

2. secret

1. password

Re:Top 10 Passwords Not to be Used (4, Funny)

Josh Booth (588074) | more than 9 years ago | (#9046988)

I'm surprised "gandalf" is not there. Everyone knows that it's the password of every other root account in the world.

strong passwords = broken by design (4, Insightful)

eraserewind (446891) | more than 9 years ago | (#9046942)

Your users shouldn't require anything more than a 4 digit pin & a magnetic card. If it's enough to protect their money, it's surely enough to protect some stupid data.

Any lame brained security system that depends on people choosing difficult to remember passwords and changing them every 3-6 months is broken by design.

Re:strong passwords = broken by design (2, Interesting)

lambent (234167) | more than 9 years ago | (#9047071)


A mag-strip card IS a type of password. Depending on the institution that issued it, it's a ridiculously long proprietary password. It's a string of encoded bits. Nothing magical about it.

Furthermore, most people (and by most, i mean just about everyone), NEVER change either their PIN or their card, unless it's stolen. Is that type of system any more secure?

Re:strong passwords = broken by design (4, Interesting)

babbage (61057) | more than 9 years ago | (#9048100)

A mag-strip card IS a type of password

Kinda... not really.

The important thing to keep in mind for any authentication system -- not just computers, but any system that requires people to identify themselves -- is that there are basically three ways to go about it:

  1. Something you know. (A password or passphrase; your mother's maiden name; your favorite song.)
  2. Something you have. (Some kind of physical token like an ATM card, the key for your car or house, the hardware decoder in a DVD player, or one of the hardware dongles that was briefly popular for enforcing software licenses a few years ago.)
  3. Something you are. (Biometrics: your thumbprint or retina scan; your photo & physical description on a license or passport [which itself is something you have -- see above]; DNA samples; voice or handwriting recognition; etc.)

Good security systems use at least two of these authentication classes: the ATM doesn't work unless you insert your card (something you have) and enter your PIN (something you know); when travelling abroad, customs agents will examine your passport (something you have), will cross-check your appearance against the passport's photo & description (something you are), and may ask probing questions about your travel plans (something you know).

Bad security systems rely exclusively on one of these elements. Basically all Internet security comes down to things you know, a/k/a passwords. From your point of view, an online purchase may seem to involve something you know (a password) and something you have (the numbers on your credit cards), but from the merchant's point of view they're just taking your word for it because they have no way to validate that the security token you're using is actually in your possession -- hence, credit card fraud. Likewise, I've voted in every election since I turned 18, and not once has an election worker asked for anything more than my name & address (something I claim I know) -- they never ask for an ID (something I have) or a fingerprint (something I am) etc. With this kind of scrutiny, it wouldn't be very hard for someone to spend all day voting in every precinct around. (I'm hopeful that electronic voting may actually fix this problem, but if as seems likely it introduces even more avenues for fraud then forget it.)

So, a password is essentially something you know, while an access card is something you have. There's a subtle but essential difference. If it was a string of numbers stamped on the card in an easily human readable way, then it could be considered as a form of password, but the fact that you need a machine to read it really enforces the point that it's something different. And that's why it's a good thing! A computer security system that relied on both traditional passwords as well as this kind of physical token would stand a much better chance of being robust than any system that used only passwords or tokens.

The problem is, almost nobody has a computer capable of reading such tokens. Aside from point of sale systems, almost no one has any use for card reading wedges, so building an authentication system around a requirement for card readers would be difficult to deploy broadly. Setting it as a general company policy might not be hard to do for most companies, if only because there you have a hope of installing the reader hardware for all users. Requiring a dual "know/have" or "know/are" system only for certain systems (access to sensitive areas, etc) would be prudent for any business to implement, but going from there to building a business of providing such systems to the general public would be much harder as long as the infrastructure doesn't exist -- that is, as long as Dell isn't shipping access card readers with every machine they sell.

So: something you know, something you have, something you are. Keep these in mind and the analysis of secure authentication mechanisms gets much clearer.

Re:strong passwords = broken by design (1)

eraserewind (446891) | more than 9 years ago | (#9048245)

A mag-strip card IS a type of password. Depending on the institution that issued it, it's a ridiculously long proprietary password. It's a string of encoded bits. Nothing magical about it.

Yes, of course it is. It is not however a password that a human has to remember (besides keeping it in their pocket or whatever). Any security system that relies on humans behaving in an unhumanlike way (remembering numerous frequently changing complicated passwords) is inherently broken. People just won't do it with any reliability. They will find some way around it, even if it means writing down all their passwords on a post-it stuck to their monitor.

Furthermore, most people (and by most, i mean just about everyone), NEVER change either their PIN or their card, unless it's stolen. Is that type of system any more secure?

Well, as you said yourself, the PIN is not the password, just one component of a much bigger password. If it's big enough, and if the physical card part of the system is well designed, then the only time they should change it is when it is stolen, right?

Password rules at IBM Watson Research (2, Interesting)

Latent Heat (558884) | more than 9 years ago | (#9047446)

There is this story I heard attributed to IBM Watson that some wag has concocted a detailed list of password restrictions (no all numbers, no all characters, and so on) where the joke was that if you rigorously applied all of the rules, there was only one legal password.

This one real cool password I had... (2, Funny)

Kevin Stevens (227724) | more than 9 years ago | (#9046947)

It used to be so great...

There was this obscure OS that no one had ever heard of... man it was cool... it was like unix on the pc... and this guy that developed it... this guy from Scandinavia. You see it was really clever because it was a play on his actual name, and easy to remember.

Then... 1998 came. It's been downhill from there. I wouldn't even trust it to a hotmail account now.

huh? (4, Interesting)

Hythlodaeus (411441) | more than 9 years ago | (#9046960)

Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?

Re:huh? (4, Interesting)

Josh Booth (588074) | more than 9 years ago | (#9047064)

I'm assuming that most of the passwords are defaults that some guy in a computer lab decided looked strong. However, when every system you ever produced uses the same password, even if it is completely random, you'll have a security problem.

Re:huh? (1)

jfdawes (254678) | more than 9 years ago | (#9047086)

Probably the default for some piece of enterprise software that can't do its job without creating an account to use.

Re:huh? (5, Informative)

m.koch (703208) | more than 9 years ago | (#9047676)

Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?

As google told me, these are default passwords from this list [defaultpassword.com] which is in fact much more useful.

Hmm, not really trolling... (4, Informative)

smoondog (85133) | more than 9 years ago | (#9046965)

OK, every once in a while we get an article similar to this. The links change but the article is the same. Passwords are inherently insecure to some sort of guessing attack, is the statement.

I'm going to suggest something here that is perhaps a little controversial. Perhaps, if password zealots spent less time complaining about passwords and spent more time protecting machines from this sort of attack (w/o making an easy path to a DOS attack) this wouldn't be an issue. Imagine this: Passwords are never transferred as plain text. Any systematic attempt at guessing a password is prevented before the attacker gains access. Users make mistakes a few times, even for the most simple passwords, one must sample tens of passwords to break in. Systematic attempts are predictable, just like trolls on slashdot are (generally) identifiable (remember those page lengthening posts?) and spam is filterable.

In my not so humble opinion, password guessing attacks are an administrator problem, not a user problem. And the administrators seem more interested in pestering users than actually developing systems to prevent this type of attack.

-Sean

Universal Passwords (3, Insightful)

Schezar (249629) | more than 9 years ago | (#9046982)

The uni I work for (RIT [rit.edu] ) is working to migrate their entire campus to a Microsoft Active Directory environment. Part of the reason for this is to give users a universal username/password for any and all university services.

Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat (aside from the office biddies who write them on post-it notes on their CRTs), but the situation is far from secure.

Students use their webmail (Exchange... I won't even get into that one...) and register for classes (telnet), and generally aren't careful with their passwords. I couldn't tell you how many times I've sat down at a public terminal to find someone else's account all set up for me to exploit. And since the password is universal, I can do anything I want.

Myself, I use a different password for everything I connect to, and thus don't have to worry about being wholly compromised in an instant. Then again, I'm a geek, so I'm not exactly the norm.

Does anyone else see this push toward universal logins/passwords as a problem?

Re:Universal Passwords (3, Insightful)

jfdawes (254678) | more than 9 years ago | (#9047144)

Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat


Er, no? Most "password etiquette" schemes are a complete crock. Generally all they do is reduce the key space and therefore make the passwords easier to brute force attack.

You must have a password of at least 6 characters? Well, there goes everything 5 characters and less - don't have to check those.

Hmm, and while we're at it, most people are going to have a password between 6 and 9 characters, don't bother trying anything else until the second pass.

You have to have at least one non-alpha, well - I can reduce my attack to constrain my guesses around that requirement - just reduced the number of attempts necessary by 24%.

Any other rules you want to add to make attacking the password easier?

Re:Universal Passwords (2, Informative)

CanSpice (300894) | more than 9 years ago | (#9047386)

Limiting passwords to 6 characters or longer doesn't significantly reduce your keyspace. If you only allow lowercase letters, there are 12356630 possible combinations that are 5 characters and shorter, and there are 321272406 that are 6 characters and shorter. Thus if you don't allow anything shorter than 6 characters you've reduced your keyspace by roughly 3 percent.

If you allow upper and lowercase characters, there are 387659012 combinations that are 5 characters and shorter, and 20158268676 that are 6 characters and shorter. If you limit your passwords to being exactly 6 characters long then you've reduced your keyspace by 1.9 percent.

Those percentages only go up if you allow passwords that are longer than 6 characters, and if you allow characters other than letters in your passwords.

Sure, you're reducing your keyspace but it's not nearly as catastrophic as you make it sound.

Re:Universal Passwords (3, Insightful)

jfdawes (254678) | more than 9 years ago | (#9047489)

Yup. The length being constrained to greater than some number (typically 6 or 8) characters is about the only password constraint that makes some kind of sense, but still - any reduction in keyspace means less work.

Assuming we take the example of the guy who had the 5 byte password that takes 18 days to crack, 1.9% still saves you 8 hours. Not an unuseful amount of time.

It's the daft "must include a non-alpha" and "must start with an alpha (or worse, a capital)" and other brain dead, crack smoking, glue sniffing password "rules" that are the real killers.

Re:Universal Passwords (2, Interesting)

Prior Restraint (179698) | more than 9 years ago | (#9047557)

One of my credit cards (which I have since cancelled) demanded that the 4-digit PIN not start with zero or one.

Re:Universal Passwords (1)

Frnknstn (663642) | more than 9 years ago | (#9047823)

Want some more numbers? Assuming that 18 days is the time it takes to test the entire space that was limited to a 4 or 5-byte (8 bit) password, it would have taken him at most 23 seconds to find the unrestricted, 3 byte password that the unrestricted user had chosen.

Re:Universal Passwords (2, Interesting)

james b (31361) | more than 9 years ago | (#9047881)

Thinking out loud: the thing about 'must include non-alpha' is that it essentially forces the users to pick non-dictionary words. That's good all by itself. Sure, some of them will just use 'password1' or whatever, which is still dictionary-able (but not much *more* so, since they're probably going to pick the word they always choose anyway and just add a number). And with many users, you'll get stuff that's somewhat hard to do a dictionary attack on, like 'jack4betty' or 'y311ow'.

Does this make any sense? I mean, I can see how suboptimal use provides no further protection, but is it likely to reduce the keyspace much in a real world scenario?

Re:Universal Passwords (1)

Frnknstn (663642) | more than 9 years ago | (#9047416)

Okay, let me give you some numbers. If you don't have any password scheme, all your users will have a password from one to six chars long. That is:
321272406 possible passwords.

If you limit them as you suggest, and they all pick between 6 and 9 chars, with one number, that makes:
98814936052800 possible passwords

Since 98814936052800 is clearly larger than 321272406, you are clearly an idiot.

Re:Universal Passwords (1)

jfdawes (254678) | more than 9 years ago | (#9047449)

98814936052800 minus 321272406 is some larger than 98814936052800?

Sir, you are a savant.

Thank you for enlightening me to a definition of "minus" that I was not aware of.

If you were thinking clearly, you would start your attack with a dictionary that you could prune based on known password rules.

Re:Universal Passwords (2, Funny)

Frnknstn (663642) | more than 9 years ago | (#9047523)

Forgive me, but I have no idea what you are talking about. Nowhere do I claim any such thing. I do claim that 98814936052800 is greater than 321272406 (98814936052800 > 321272406).

98814936052800 is the number of all passwords with lengths from six to nine with at least one number.

321272406 is the number of all passwords with lengths from one to six, as would be picked by unregulated users.

Re:Universal Passwords (1)

jfdawes (254678) | more than 9 years ago | (#9047619)

The number of unconstrained passwords of 9 characters or less would then be: 98,815,257,325,206. No?

Because you don't have to check anything with 5 or less, you reduce the key space to 98,814,936,052,800 combinations, the number you give.

This is less work. Not much, granted, but it's still less. Anything that reduces the key space only needs to be coded into the cracking routines once to achieve that reduction in work every time.

Re:Universal Passwords (1)

Frnknstn (663642) | more than 9 years ago | (#9047704)

You are still not understanding the basic premise of this topic. If you do not limit the number of chars in a password, almost all your passwords will be six or less chars.

If you do limit as per your suggestion, you will increase the number of passwords by over three hundred thousand times. How does this make the passwords LESS secure?

Re:Universal Passwords (1)

aePrime (469226) | more than 9 years ago | (#9047778)

I'm going to have to back Frnknstn here.

Here's the way I looked at it. If you allow 5 characters or less, you get n^1 + n^2 + n^3 + n^4 + n^5 possible passwords, where n = number of valid characters. This recurses out to n(1 + n(1 + n(1 + n(1 + n)))). For example, let's say we allow lower-case letters and numbers (n = 36). This means there are 62,193,780 possible passwords of 5 characters or less. Now, lets say you have a limit of 6 characters, and all of your users are lazy and use the minimum. This is 36^6 possible passwords. This means that there are 2,176,782,336 possible passwords. The passwords of 5 characters or less is a tiny fraction of the total space!

Re:Universal Passwords (1)

Frnknstn (663642) | more than 9 years ago | (#9047648)

Furthermore, you seem to be laboring under the misconception that REDUCING the number of words in a dictionary INCREASES the chance of a successful match.

Of the 804 words in the presented common-use list, only 140 match your suggested password scheme. Instead of having 804 chances to crack any particular password, you now only have 140.

Certainly, you can bulk out your password list with randomly generated entries, but that is not what dictionaries of commonly used passwords are used for! Now you are again faced with the vastly increased number of possible passwords.

Re:Universal Passwords (1)

jfdawes (254678) | more than 9 years ago | (#9047696)

...

Your initial attack is a dictionary attack. You eliminate passwords from the dictionary that do not meet the rules for the password you are trying to break. This means that IF the dictionary attack was going to succeed, you now succeed sooner.

If the dictionary attack fails, you then do the brute force attack which simply searches the full key space, which has been reduced by the constraints on the password.

Software enforced password constraints cause low hanging fruit to hang lower.

Re:Universal Passwords (1)

Frnknstn (663642) | more than 9 years ago | (#9047724)

Not at all! You have reduced the amount of time to test a dictionary by 5/6ths, but you have also decreased the chance of a match by the same amount, and increased the length of an already-long brute force attack to 3000 times.

And this is ignoring the beneficial effect that making the end users THINK about their password has.

Re:Universal Passwords (1)

jfdawes (254678) | more than 9 years ago | (#9047889)

Er, I guess you're just a troll, but what the hell, I've got ten minutes before I have to leave.

Let's assume you have two passwords, X and Y. X and Y both meet some arbitrary password constraints.

You also have a dictionary, D1 of 1000 entries.

Let's further assume that X is in the dictionary and Y isn't.

Now, remove all entries from the dictionary that do not meet the password constraints in use giving dictionary D2.

To search the dictionary for X will now take 83% of the time and you WILL find it. The probability is THE SAME as it was before you reduced the dictionary because the probability of X being one of the removed entries is 0.

To search the dictionary for Y will also take 83% of the time and you WON'T find it. You have again saved time because you were going to do the dictionary attack anyway, but you now finish earlier.

Now you get to do a brute force search for Y and AGAIN, the key space is reduced because you do NOT need to generate/check passwords that do not meet the rules. The brute force attack is shorter because you don't need to check some stuff.

Example: rule: passwords must be at least 2 characters and must include a non alpha.
Given: We're only using 2 character passwords.
Using simple maths and 101 possible key strokes: 101 * (101 - 52) possible entries, is 4949.
No constraints: 101 * 101 + 101 is 10302.

With constraints you have to check less than half the unconstrained set.

And the same users that pick stupid passwords with no constraints are the same users that pick stupid passwords with some alpha shoved in it because the software insists on it.

If you really want a piece of software to eliminate bad passwords, just run some crack utility on your own password file and notify users with ones that turn up.

Re:Universal Passwords (1)

Frnknstn (663642) | more than 9 years ago | (#9048375)

I am no troll, but you sir, remain an idiot.

Of course forcing users to have ONLY TWO chars (101*101) is going to produce fewer passwords than allowing users to have EITHER one or two chars (101 * 101 + 101).

That means absolutely nothing for the issue at hand, as nobody would limit their users to a two-char password. When the number of chars scales up, the number of passwords also scales up, but geometrically, not linearly.

Thus, even limiting the number of chars to 9 ONLY is still 25 times better than allowing the choice of any password from 1 to 8 chars.

Your grasp of probability is very weak. If half the entries are removed from a list, the chance of ANY PARTICULAR PASSWORD, be it assigned X, Y, Z or any other variable name, is also halved. We could carry your reasoning to its illogical conclusion: Given that any password may appear on a cracker's dictionary, and given that the cracker could prune his list to contain only that password, that cracker can and will defeat any password with only one attempt.

Then with your password Y, in a perfect world, you would save some time over an identical test with no non-alpha requirement. But as this is NOT a perfect world, the test is not identical, as people pick fewer chars. Thus, you in fact save no time, because you now have to check passwords far longer than you would have otherwise checked.

Users that pick stupid passwords with no constraints may be the same users that pick stupid passwords with some alpha shoved in it because the software insists on it, BUT SHOVING THE EXTRA NUMBER IN MEANS THAT THE CRACKER NEEDS TO CHECK FAR MORE PASSWORDS.

Once again, look at the example you gave at the start, and look at the numbers. Shoving the number in increased the number of passwords from:
(26^6 + 26^7 + 26^8 + 26^9)
= 5646671469504
to:
(36^6 + 36^7 + 36^8 + 36^9) - (26^6 + 26^7 + 26^8 + 26^9)
= 98814936052800

Once again I ask, how can that be easier to crack?

Can you give me even one example where adding a number to a password of length greater than two decreases the number of possible passwords?
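The counts traded back and forth in this sub-thread are all sums of powers of an alphabet size, so they can be checked with a few lines of arithmetic. The block below is an added example (not code from the page or from any of the posters) that reproduces the figures quoted above: CanSpice's 12356630 / 321272406 and 387659012 / 20158268676, Frnknstn's 98814936052800 and 5646671469504, aePrime's 62193780, and the roughly 8-hour saving that 1.9% of an 18-day search comes to. It also counts the two-character rule by complement, "at least one of the 49 non-alphabetic keys" being 101^2 - 52^2. The function names are this example's own.

```python
"""Keyspace arithmetic for the password-rule debate above.

Added example, not code from the page. It counts password spaces the way
the thread does (sums of powers of the alphabet size) so both claims can be
checked on the same numbers: how much an attacker skips when short lengths
are ruled out, and how much the space grows when longer, mixed-class
passwords are required.
"""


def count_lengths(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Number of strings over `alphabet` symbols with length in [min_len, max_len]."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def count_requiring_class(alphabet: int, without: int, min_len: int, max_len: int) -> int:
    """Strings of length min_len..max_len over `alphabet` symbols that contain at
    least one symbol outside the `without`-symbol subset.

    Complement counting: all strings minus the ones built only from `without`.
    Example: letters+digits (36) with at least one digit -> 36^n - 26^n.
    """
    return sum(alphabet ** n - without ** n for n in range(min_len, max_len + 1))


def fraction_skipped(alphabet: int, min_len: int, max_len: int) -> float:
    """Share of the 1..max_len space an attacker never has to try once a policy
    guarantees the password has at least `min_len` characters."""
    return count_lengths(alphabet, min_len - 1) / count_lengths(alphabet, max_len)


def hours_saved(total_days: float, fraction: float) -> float:
    """Wall-clock hours an exhaustive search saves by skipping `fraction` of the space."""
    return total_days * 24 * fraction


def growth_factor(alphabet: int, without: int, min_len: int, max_len: int,
                  lazy_max_len: int) -> float:
    """How many times larger the constrained space (min_len..max_len, at least one
    symbol from the required class) is than the space lazy users would otherwise
    draw from (1..lazy_max_len over the `without` alphabet only)."""
    constrained = count_requiring_class(alphabet, without, min_len, max_len)
    lazy = count_lengths(without, lazy_max_len)
    return constrained / lazy


if __name__ == "__main__":
    # Attacker's view (jfdawes / CanSpice): a minimum-length rule lets the
    # attacker skip every string shorter than the minimum.
    print("lowercase, <=5 chars:", count_lengths(26, 5))            # 12356630
    print("lowercase, <=6 chars:", count_lengths(26, 6))            # 321272406
    print("skipped with min 6 (lowercase):", f"{fraction_skipped(26, 6, 6):.1%}")
    print("skipped with min 6 (mixed case):", f"{fraction_skipped(52, 6, 6):.1%}")
    print("hours saved on an 18-day search:",
          f"{hours_saved(18, fraction_skipped(52, 6, 6)):.1f}")

    # Defender's view (Frnknstn / aePrime): forcing 6-9 chars with a digit grows
    # the space users actually draw from by several hundred thousand times.
    print("6-9 chars, letters only:", count_lengths(26, 9, 6))      # 5646671469504
    print("6-9 chars, >=1 digit:", count_requiring_class(36, 26, 6, 9))  # 98814936052800
    print("growth over lazy 1-6 lowercase:", f"{growth_factor(36, 26, 6, 9, 6):,.0f}x")

    # The two-character rule from the thread, counted as "at least one of the 49
    # non-alphabetic keys" out of 101: 101^2 - 52^2.
    print("2 chars, >=1 non-alpha of 101 keys:", count_requiring_class(101, 52, 2, 2))  # 7497
```

Run on the thread's numbers, the two sides turn out to be measuring different things: `fraction_skipped` is the small fixed share of an exhaustive search that a minimum-length rule removes, while `growth_factor` is how much larger the space becomes once users who would have stopped at six lowercase letters are made to add length and a digit. Both are correct as arithmetic; which one matters depends on whether the attacker is exhausting the full space or only trying the short, lazy region users actually inhabit.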

Re:Universal Passwords (1)

Frnknstn (663642) | more than 9 years ago | (#9048475)

I must apologise for calling you an idiot. Statistics can often be counter-intuitive (as in the case of the Monty Hall problem [google.com] .) You are wrong, but I am sorry for insulting you.

Re:Universal Passwords (0)

Anonymous Coward | more than 9 years ago | (#9047194)

i know you're password

Re:Universal Passwords (1)

CuriHP (741480) | more than 9 years ago | (#9047783)

In all fairness, the Exchange e-mail system is about 8 billion times better than the old one. I used to routinely have mail that would not delete unless I telnetted into grace and removed it with pine.

Shift a key over and throw in some numbers... (1)

pr0c (604875) | more than 9 years ago | (#9047031)

My policy for a long time has been to pick two words and shift my keys over one sometimes alternating and then I throw a number (or its shift key version) into it somewhere. An example of this would be SlashdotNews = A2kaagsirMred or Aka$agsirMred it is easy to remember even for non techie people. It is secure enough for me...

Re:Shift a key over and throw in some numbers... (0)

Anonymous Coward | more than 9 years ago | (#9048323)

I'm a fan of choosing some letters of a meaningful sentence, and throwing in a punctuation mark, capital letter, and/or number.

iaF0cs!l seems pretty random to me. It doesn't look like a dictionary word, and the number of permutations needed to brute force it is (26+26+10+14)^8 or 1.11e15.

Some pretty complex ones are there too... (3, Informative)

Artega VH (739847) | more than 9 years ago | (#9047068)

As a comment at the bottom says:
A52896nG93096a

but also:
dn_04rjc
ksdjfg934t
sldkj754

----
I was going to ask how this list was compiled, but since I got really interested I happened to google these and found the following: This seems to indicate [defaultpassword.com] that ksdjfg934t is a default password for a SuperMicro PC BIOS Console.

And from the same site: Micronics has a PC-BIOS which uses dn_04rjc as the default password as does Micron for the password sldkj754.

I want to know how often these passwords are used for services that are open to the internet, or even to the local network. I would imagine that these BIOS passwords are only able to be entered locally? If so why does that merit a place on this "Passwords that should NEVER be used!" list... apart from the fact that now this list will be used in lame dictionary attacks....

Re:Some pretty complex ones are there too... (2, Insightful)

gl4ss (559668) | more than 9 years ago | (#9047360)

it's just a stupid list made up to get some 'content' into a contentless article, f'kin waste of time really (the whole article). they could have just linked to some dictionary file used in these attacks and saved the hassle since they can't possibly cover the passwords one shouldn't use and since they decided to go for the default/master bios passwords and shit like that the whole point is lost.

Re:Some pretty complex ones are there too... (1)

Emnar (116467) | more than 9 years ago | (#9047501)

Interesting. Those passwords are mostly made up from the home row on a qwerty keyboard [earthlink.net] . Obviously somebody just banged them in (literally) instead of using any kind of random character generator.

I wonder if anybody has written a password cracker that focuses on the "asdfghjkl;" row. That's certainly a much, much more limited set of combinations than the full keyboard, especially without capitals!

Favorites from the Real World (2, Funny)

angst_ridden_hipster (23104) | more than 9 years ago | (#9047077)

Of course, none of these are very good as passwords (mostly vulnerable to dictionary attacks), but amusing nonetheless:

Mr.Root

logout

friend
friend and enter

open sesame
open tahini

open the door HAL

admit1

lemmeIN

hey,babe
what'syoursign?

Since I'm a little slow, the last two had me puzzled. It was explained to me that they were "pass words," i.e., words used in making passes.

Weed the idiots out... (1)

identity0 (77976) | more than 9 years ago | (#9047082)

Am I the only one here who thinks we need to have an Ask Slashdot called "What's your Slashdot Password" to weed the idiots out?

Wow, I'm surprised how few there are on that list. I would have thought things like city/state names, zip codes, and movie/band names would be more common.

John the Ripper (4, Informative)

Dammital (220641) | more than 9 years ago | (#9047094)

Last July I installed John the Ripper [openwall.com] on my home firewall. John is a password cracker, something like crack and l0phtcrack [insecure.org] . I wanted to see how vulnerable my own passwords were.

From what I can tell, John runs a dictionary-based attack against your master.passwd file, then runs the dictionary with various shifts in capitalization, then runs the dictionary again with an assortment of numeric digits inserted into its guesses.

Finally John just runs a brute-force attack, generating passwords with successively longer and longer lengths until it lucks out.

In my case John finally did luck out, finding one of my passwords after 18 days of crunching numbers. This particular account had a relatively weak password -- though no dictionary attack would have found it, it was still only five bytes long. That's a wakeup call for me. I've been using shorter passwords for years, thinking that by avoiding common words I was safe. But I can see that they're breakable now.

It's one thing for someone to preach that you should really have longer passwords; it's quite another to see it for yourself. If your passwords are easy to guess, or are variants of dictionary words, or can be generated easily by brute force -- there are widely available tools that can give the keys to the city to any lowlife that wants into your machine.

Run one of the password crackers on your own system today, and become enlightened! And don't be comforted by the 18 days it took to crack my easy five-character password on a 300MHz Celeron notebook: there's also a distributed version [ktulu.com.ar] of John the Ripper that divides up the work of cracking your password file among many computers.

The more I learn about security, and the tighter I make my systems, the more afraid I am. If you aren't afraid, you are either very very good at what you do -- and I humbly bow before you -- or you haven't much of a clue.
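
The staged search described in the comment above (wordlist, then case shifts and digit insertions, then incremental brute force), as an added example that is not part of the post and not John's code. The hash scheme is a constructed salted SHA-256 stand-in, not the crypt(3) formats John actually attacks, and the wordlist and "shadow" entries are made up for the demo.

```python
"""Toy John-the-Ripper-style cracking loop: wordlist, then case/digit mangling rules,
then incremental brute force. Added example; the hash is a constructed salted
SHA-256 stand-in (assumption), not a real crypt(3) format."""
import hashlib
import itertools
import string


def make_hash(password: str, salt: str) -> str:
    """Constructed hash scheme for the demo: sha256(salt || password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def case_rules(word: str):
    """Capitalisation shifts, deduplicated (e.g. 'secret' -> secret, SECRET, Secret)."""
    seen = set()
    for cand in (word, word.lower(), word.upper(), word.capitalize(), word.swapcase()):
        if cand not in seen:
            seen.add(cand)
            yield cand


def digit_rules(word: str):
    """Digits appended or prepended: w0..w9, 0w..9w, w00..w99."""
    for d in range(10):
        yield f"{word}{d}"
        yield f"{d}{word}"
    for d in range(100):
        yield f"{word}{d:02d}"


def wordlist_candidates(words):
    """Stages in cheapest-first order, each candidate tagged with its stage."""
    for w in words:
        yield w, "wordlist"
    for w in words:
        for c in case_rules(w):
            if c != w:
                yield c, "case"
    for w in words:
        for c in case_rules(w):
            for d in digit_rules(c):
                yield d, "digits"


def brute_force_candidates(alphabet: str, max_len: int):
    """Exhaustive search over successively longer strings (John's incremental mode)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup), "brute-force"


def crack(target_hash: str, salt: str, words, alphabet=string.ascii_lowercase, max_len=3):
    """Return (password, stage) for the first candidate whose hash matches, else None."""
    candidates = itertools.chain(
        wordlist_candidates(words), brute_force_candidates(alphabet, max_len)
    )
    for cand, stage in candidates:
        if make_hash(cand, salt) == target_hash:
            return cand, stage
    return None


# Constructed sample data: a tiny wordlist and a fake shadow file.
SALT = "x9"
WORDS = ["password", "secret", "letmein", "dragon"]
SHADOW = {
    "alice": make_hash("password", SALT),      # plain dictionary word
    "bob": make_hash("Secret07", SALT),        # dictionary word + case shift + digits
    "carol": make_hash("qaz", SALT),           # in no list, but only three letters long
    "dave": make_hash("Tr0ub4dor&3", SALT),    # out of reach for this toy search
}


def crack_shadow(shadow=SHADOW, salt=SALT, words=WORDS):
    return {user: crack(h, salt, words) for user, h in shadow.items()}


if __name__ == "__main__":
    for user, result in crack_shadow().items():
        print(user, result)
```

The point the comment makes shows up in the last two entries: a short password that is in no dictionary still falls to the brute-force stage, while the only one this toy misses is the one that is both long and outside the wordlist. Raising `max_len` makes the last stage grow by a factor of the alphabet size per extra character, which is the whole argument for length.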

Re:John the Ripper (0)

Anonymous Coward | more than 9 years ago | (#9048344)

In my case John finally did luck out, finding one of my passwords after 18 days of crunching numbers.

Is your password on a high-profile system? If not, I'm sure spending 18 days of crunching numbers isn't really worth it for stealing credit card numbers since there are plenty more easy targets.

I'm safe! (2, Funny)

babbage (61057) | more than 9 years ago | (#9047120)

Woohoo! My trusty old 1234567890 didn't make the list!

/me wipes brow at his well-chosen password

Re:I'm safe! (1)

Josh Booth (588074) | more than 9 years ago | (#9047331)

"So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!" Obligatory Spaceballs quote.

An honest look at password creation (5, Funny)

WarPresident (754535) | more than 9 years ago | (#9047135)

(January)
User: Tim
Password: NEWUSER

YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
New Password: password

PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
New Password: password01

OK ...
(February)
User: Tim
Password: password01

YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
New Password: password01

THIS PASSWORD HAS BEEN USED RECENTLY
YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
New Password: password02

OK ...
(March)
User: Tim
Password: password02

YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
New Password: password03

OK ...

repeat ad nauseam

Re:An honest look at password creation (5, Funny)

BRSloth (578824) | more than 9 years ago | (#9047389)

Login: yes
Password: i dont have one
password is incorrect

Login: yes
Password: incorrect

Re:An honest look at password creation (1)

dtfinch (661405) | more than 9 years ago | (#9047465)

I've dealt with setups like that. Started with a password nobody would ever guess, and it gradually got weaker and weaker every time I was forced to change it. Now I just toggle back and forth between two weak passwords.

Re:An honest look at password creation (1)

WarPresident (754535) | more than 9 years ago | (#9047770)

I've dealt with setups like that. Started with a password nobody would ever guess, and it gradually got weaker and weaker every time I was forced to change it. Now I just toggle back and forth between two weak passwords.


More than two dozen accounts here, only 7 different passwords, sad to say. Once they all had different passwords, but then I lost my slip o' paper from my wallet and had to change them all at the same time. It's easier to have a few passwords and change them regularly on a particular day. Though I did have the idea for a relatively simple hash that I could do in my head to generate a password for each system. Still had to have a slip o' paper for IDs, and had to spend time thinking up the password. Not too much of a time waster til you have to ssh 5 systems deep...

Re:An honest look at password creation (2, Interesting)

squiggleslash (241428) | more than 9 years ago | (#9047751)

Interestingly "NEWUSER" isn't on the list, and most organizations I've worked with use that as the initial password for new accounts...

Ok, now the mind boggles. The other password I see all the time as a "default" is "welcome". That's not on the list either. How does 240653C9467E45 make the list, but not WELCOME or NEWUSER?

Re:An honest look at password creation (0)

Anonymous Coward | more than 9 years ago | (#9048040)

Another very common one for new accounts is the name of the company.

Re:An honest look at password creation (1)

KnightStalker (1929) | more than 9 years ago | (#9048464)

That's the default password for a Windows user created for some sort of Compaq management utility. (No, I don't really know that. I just know... um, someone, who, um, knows everything.)

Disappointed ... (1)

jc42 (318812) | more than 9 years ago | (#9047163)

... I couldn't find any of my passwords there. Not even the ones that were machine generated.

I was especially disappointed that the numeric section didn't include 17 or 42. Or 1742, for that matter. Where are they getting their lists?

And "mrroot" wasn't there, either. (A shout-out to my old Project Athena cohort. ;-)

Security is control! (0)

Anonymous Coward | more than 9 years ago | (#9047164)

I use just "enter" for my password. You should too.
- rms

That's the same combo on my luggage! (0)

TheWanderingHermit (513872) | more than 9 years ago | (#9047223)

Kind of like setting the password for your atmospheric shield to 1-2-3-4-5, then later finding out it's the same combination President Skroob uses for his luggage.

Re:That's the same combo on my luggage! (0)

Anonymous Coward | more than 9 years ago | (#9047572)

Evil will always triumph over good because good is dumb.

Re:That's the same combo on my luggage! (1)

TheWanderingHermit (513872) | more than 9 years ago | (#9047628)

Evil will always triumph over good because good is dumb.

Must be. On any stupidity scale, I'd rank using an obvious combo for an atmosphere shield that protects the whole planet a lot higher than using the same combo on luggage!

Where on earth did they get this list? (1)

0x0d0a (568518) | more than 9 years ago | (#9047254)

Where did they come up with these passwords? It looks like the result of a run someone did at a tech university back in the day with crack or sniffing or something. I mean, while I agree that many of the passwords listed there were weak, I'm dubious about how common they are, unless g6PJ, 3ep5w2u, or I5rDv2b2JjA8Mm are particularly common egregious offenders.

Honestly, this is filler as far as content quality goes.

How are my passwords? (2, Funny)

MBCook (132727) | more than 9 years ago | (#9047343)

Lets see...

fizzlebop... OK
coodleschmidt... OK
sneedalbiz... OK
testripithia... OK
crumblehip... OK
skazeltank... OK

OK, all my passwords are safe. No one will ever guess 'em.

.

.

Crud!

Use an algorithm to generate your password (2, Interesting)

Zugok (17194) | more than 9 years ago | (#9047374)

Given the case that a password has to be changed every month:

Pick a day from every month of the year which has some significance and is easy to remember. This date remains the same year after year, which I think is sufficient variability because you are going to do more with the date.

Arrange the date and the current year in numerical format such as MMDDYYYY or YYYY-MM-DD.

Use the date separators . / or - as mathematical operators; combine different operators, be creative, e.g. YYYY.MM-DD or DD/MM-YYYY or simply YYYY-MM-DD.

Take the result and convert it into hex (because hex can also contain the letters A-F).

If the hex result does not meet password etiquette (unlikely), attach a description of the significance of the date chosen; if the date is a birthday, choose that person's name, for example. Say the hex result is 1FF0 and the name is Stacey: generate a password like Stacey1FF0 or S1tFaFcoey or Sta1FF0cey. Again, be creative.

Dates are easy to remember; not a lot of effort is required. In this method, all that needs to be remembered is an algorithm.

Granted, with each passing year the variation in the password is not going to change a lot from the password that month a year ago, so it is still important to change how the mathematical operators are used and how the YYYY MM DD are arranged. To add more variability, perhaps throw the day of the week into the mix, like 1 for Monday, 2 for Tuesday. That's rather simplistic, but there is a lot more that can be done; be creative. It's not hard.
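
The scheme above, implemented as an added example (not the poster's code) so that the size of its candidate space can be measured. The post leaves the operators undefined, so these are assumptions: '.' multiplies, '/' integer-divides, '-' subtracts, the layout is evaluated left to right, a negative result is hexed by absolute value, and the name is either appended or interleaved character by character. The date 2004-05-17 and the name Stacey (from the post) are the sample inputs.

```python
"""Date-and-operator password scheme from the post, plus the enumeration an attacker
who knows the date and the name would run. Added example; operator meanings and
evaluation order are assumptions, not something the post specifies."""
import itertools
import operator
import re

FIELDS = ("YYYY", "MM", "DD")
OPS = {".": operator.mul, "/": operator.floordiv, "-": operator.sub}


def evaluate(layout: str, year: int, month: int, day: int) -> int:
    """Evaluate e.g. 'YYYY.MM-DD' as ((YYYY * MM) - DD), left to right.
    Right-hand operands are always date fields, so the divisor is never zero."""
    values = {"YYYY": year, "MM": month, "DD": day}
    tokens = re.split(r"([./-])", layout)  # ['YYYY', '.', 'MM', '-', 'DD']
    acc = values[tokens[0]]
    for op, field in zip(tokens[1::2], tokens[2::2]):
        acc = OPS[op](acc, values[field])
    return acc


def combine(name: str, hexpart: str, mode: str) -> str:
    """'append' gives Stacey1FF0 style; 'interleave' alternates characters, with the
    leftover characters of the longer part trailing."""
    if mode == "append":
        return name + hexpart
    return "".join(a + b for a, b in itertools.zip_longest(name, hexpart, fillvalue=""))


def date_password(year, month, day, layout="YYYY-MM-DD", name="Stacey", mode="append"):
    return combine(name, format(abs(evaluate(layout, year, month, day)), "X"), mode)


def candidate_space(year, month, day, name):
    """Every password the scheme can produce once the date and name are known:
    6 field orders x 9 operator pairs x 2 combine modes = at most 108 strings."""
    cands = set()
    for order in itertools.permutations(FIELDS):
        for ops in itertools.product(OPS, repeat=2):
            layout = order[0] + ops[0] + order[1] + ops[1] + order[2]
            for mode in ("append", "interleave"):
                cands.add(date_password(year, month, day, layout, name, mode))
    return cands


if __name__ == "__main__":
    pw = date_password(2004, 5, 17)
    space = candidate_space(2004, 5, 17, "Stacey")
    print(pw, len(space), pw in space)
```

The practitioner's check is `candidate_space`: once the name and the date are known, everything the "be creative" steps add (which field order, which operators, how the name is mixed in) is worth about a hundred guesses, so the secrecy of the scheme is doing all the work, and the month-to-month change contributes nothing an attacker cannot enumerate.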

Fundmental Numbers (1)

Theory of Everything (696787) | more than 9 years ago | (#9047411)

I'm surprised that some common fundamental numbers didn't make the list:

271 (or 271828, 2.71, etc).
314 (or 3.14, 314159, P!=3.14, etc).
137

and so on.

This is perfect... (1)

km790816 (78280) | more than 9 years ago | (#9047457)

If any of these passwords look hauntingly familiar and are being used, you should change the password immediately...because if someone hasn't tried it yet, they will now.

That's nothing (1)

dacarr (562277) | more than 9 years ago | (#9047506)

Once I was working for a pharmaceuticals distributor of an undisclosed location. I happened to watch my supervisor type her password into the mainframe.

It was APPLE2.

wtf (0)

Anonymous Coward | more than 9 years ago | (#9047514)

What happened to, "beer?"

How about? (0)

Anonymous Coward | more than 9 years ago | (#9047526)

Well, I might use fmdidgad... "frankly my dear I don't give a damn", or the first letters of a slogan. If I want to really be nasty I use the Windows calculator: "1.4121235445157648123104397328816e+497"=pi^1000! for encrypted files. I don't know how effective something like that will be though.

REALLY bad password (4, Interesting)

utahjazz (177190) | more than 9 years ago | (#9047556)

Given that most web developers write code like this:
sqlexec("SELECT * FROM users where pwd = '" + pwd + "'")
I find a good password to be:
'; DELETE FROM USERS; SELECT '

Re:REALLY bad password (1, Interesting)

Anonymous Coward | more than 9 years ago | (#9047707)

Or, if you just want to play around without breaking things, a common scenario is code like
sqlexec("SELECT * FROM USERS WHERE USERNAME = '$username' AND PASSWORD = '$password'")
...and you can get cute results with any valid username plus a password of
' OR 1 = 1--
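
The two payloads from the posts above, run against an in-memory SQLite table so their effect can be observed, next to the parameterised query that defeats both. This is an added example, not code from either post. The `sqlexec` stand-in, the schema (plaintext passwords, exactly as the posted query implies; real systems store hashes) and the two sample rows are constructed for the demo.

```python
"""Vulnerable string-built login versus a bound-parameter login, exercised with the
tautology and stacked-query payloads from the posts. Added example; sqlexec() is a
stand-in assumed to behave like a driver that accepts stacked statements."""
import sqlite3


def sqlexec(conn: sqlite3.Connection, sql: str):
    """Stand-in for the posts' sqlexec(): runs every ';'-separated statement, as a
    driver that allows stacked queries would, and returns the last statement's rows.
    The naive split is enough for these payloads (no ';' inside string literals)."""
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows = conn.execute(stmt).fetchall()
    return rows


def vulnerable_login(conn, username, password):
    """String concatenation as in the posted snippet: user input becomes SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sqlexec(conn, sql)


def safe_login(conn, username, password):
    """Bound parameters: values travel separately from the statement, never as SQL."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def fresh_db():
    """Constructed table; plaintext passwords only to mirror the posted query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "s3cret"), ("bob", "hunter2")]
    )
    return conn


def user_count(conn):
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


TAUTOLOGY = "' OR 1 = 1--"                  # second post: log in with any valid username
STACKED = "'; DELETE FROM USERS; SELECT '"  # first post: destructive stacked query


def demo():
    """Returns what each login variant does with each payload."""
    results = {}
    conn = fresh_db()
    results["vuln_tautology_rows"] = len(vulnerable_login(conn, "alice", TAUTOLOGY))
    results["safe_tautology_rows"] = len(safe_login(conn, "alice", TAUTOLOGY))
    results["count_before_stacked"] = user_count(conn)
    safe_login(conn, "alice", STACKED)
    results["count_after_safe_stacked"] = user_count(conn)
    vulnerable_login(conn, "alice", STACKED)
    results["count_after_vuln_stacked"] = user_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology works because `AND` binds tighter than `OR`, so the `WHERE` clause becomes `(username = 'alice' AND password = '') OR 1 = 1` and every row comes back; the `--` comments out the closing quote. With bound parameters the same strings are simply compared against the `password` column and match nothing, and no second statement ever exists to be executed.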

PHBs seriously love "password" (2, Insightful)

Wylfing (144940) | more than 9 years ago | (#9047592)

I can't count how many technologically ignorant managers I've met who, giggling and leaning in close, explain that they've thought up the cleverest password ever. It's "password"! It's so obvious no one will think of it!

Re:PHBs seriously love "password" (0)

Anonymous Coward | more than 9 years ago | (#9047680)

while they're leaning in close, that's your best chance to give them a *slap*.

It's a secret! (1)

arhar (773548) | more than 9 years ago | (#9047657)

My friend told me this story: he put a password on his computer at home and periodically changed it. He had only two passwords, really: "guessit" and "secret". His kids asked him all the time, what is his password, to which he truthfully replied, "It's secret" or "Guess it!". Needless to say, they never did.

Honey Pot Passwords? (3, Interesting)

LoveMe2Times (416048) | more than 9 years ago | (#9047730)

Does anybody out there use honeypot passwords? It seems like such an obvious idea, but it doesn't seem to be generally implemented -- at least no system that's ever given me a password has let me configure honeypot passwords. Personally, I'd really like to have a honeypot PIN for my bankcard and honeypot passwords for all of the online shopping/bills/finance stuff, i.e., the stuff where it's important.

For those unfamiliar, the idea behind a honeypot password is either

  1. to pick one or many "guessable" passwords like those in the article and use them as honeypot passwords. Allow somebody to log into the system using them but set off a silent alarm. Presumably, any would-be hacker will "crack" the honeypot password before the "real" password and will quit trying to get the real one.
  2. Have one "real looking" password (especially PIN) that you can give out if somebody demands it at gun or knife point (you get the idea). If used, it immediately notifies the authorities (silently) and shuts down the account/card in say 1/2 hour (presumably enough time for you to get away). For the would-be mugger etc there's no way to tell if they got the "real" or the honeypot password.
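
Both variants described above, as an added example that is not part of the post and not any bank's or system's real implementation. Assumptions: the server stores PBKDF2 hashes; a honeypot hit grants a session that the server routes to a decoy environment and logs a silent alarm; a duress password looks exactly like a normal login to whoever typed it, but alarms and locks the account after a delay (1800 seconds here, the post's half hour); time is passed in as a `now` argument so the lockout can be exercised.

```python
"""Honeypot passwords (decoy session + silent alarm) and a duress password
(indistinguishable login + silent alarm + delayed lock), as an added example.
Hash storage, alarm log and lock timing are assumptions for the demo."""
import hashlib
import hmac
import os

LOCK_DELAY = 1800        # seconds between a duress login and the account lock (assumed)
PBKDF2_ROUNDS = 50_000   # kept modest so the example runs quickly


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.alarms = []      # (user, kind, time): the silent alarm log, server side only
        self.lock_at = {}     # user -> time from which logins are refused

    def register(self, user, password, honeypots=(), duress=None):
        salt = os.urandom(16)
        self.accounts[user] = {
            "salt": salt,
            "real": hash_pw(password, salt),
            "honeypots": [hash_pw(h, salt) for h in honeypots],
            "duress": hash_pw(duress, salt) if duress is not None else None,
        }

    def login(self, user, password, now):
        """Return a session dict or None. The 'decoy' flag drives server-side routing
        only; a real login and a duress login return identical sessions."""
        acct = self.accounts.get(user)
        if acct is None or now >= self.lock_at.get(user, float("inf")):
            return None
        attempt = hash_pw(password, acct["salt"])   # one hash, compared against each stored value
        if hmac.compare_digest(attempt, acct["real"]):
            return {"user": user, "decoy": False}
        if acct["duress"] is not None and hmac.compare_digest(attempt, acct["duress"]):
            self.alarms.append((user, "duress", now))
            self.lock_at[user] = min(self.lock_at.get(user, float("inf")), now + LOCK_DELAY)
            return {"user": user, "decoy": False}
        for trap in acct["honeypots"]:
            if hmac.compare_digest(attempt, trap):
                self.alarms.append((user, "honeypot", now))
                return {"user": user, "decoy": True}
        return None


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery", honeypots=["password", "123456"], duress="1234")
    print(svc.login("alice", "123456", now=0), svc.login("alice", "1234", now=5))
    print(svc.alarms, svc.lock_at)
```

Two details matter in practice. The honeypot passwords should be exactly the weak guesses a cracker tries first (the kind of list this article is about), so that the decoy is hit before the real password. And the duress path must return precisely what a real login returns, which is why the lock is scheduled rather than immediate: anything the attacker can observe at the moment of login would reveal the trick.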

Whew! (1)

multiplexo (27356) | more than 9 years ago | (#9047772)

Thank goodness that the password I use for all of my systems and accounts, "thr0bbingl0v3m3at", wasn't on the list!

When I was working in IT (3, Informative)

einTier (33752) | more than 9 years ago | (#9047790)

When I was working in IT, I often said, "give me the names of a given person's children, their pets, their significant others, the kind of car they drive, their job title, and any hobbies, and I'll guess 95% of all passwords."

It's scary how many people think the name of their child makes a great password.

Uncanny! (2, Funny)

crawdaddy (344241) | more than 9 years ago | (#9047810)

Numeric insecure password list: 0, 1, 1.1, 2, 5, 7, 12, 30, 110, 111, 123, 1111, 1234, 2002, 2003, 2222, 2600, 8429, 12345, 54321, 111111, 121212, 123123, 123456, 166816, 256256, 654321, 1234567, 1322222, 7061992, 11111111, 12345678, 19920706, 22222222, 88888888, 123456789, 1. 1, 1234qwer, 123abc, 123asd, 123qwe, 1RRWTTOOI, 240653C9467E45, 24Banc81, 3098z, 3ep5w2u, 4Dgifts, 4getme2, 4tas, 57gbzb

12345?! That's incredible! That's the same combination I use on my luggage!

Re:Uncanny! (1)

sadler121 (735320) | more than 9 years ago | (#9048336)

OK, laugh all you want, but when I came into a Mission Office, while I was serving a mission (run by old guys) ~50% of the computers had the password 12345, and even after we told the old guys to change the password, they still reverted back to 12345. :-P

Things To Never Use (2, Funny)

Piquan (49943) | more than 9 years ago | (#9048101)

MEMORANDUM

From: Information Services

To: All personnel

Re: Secure computing practices

The following, found during a routine review of our authentication system, are insecure and should never be used:

  • accounting
  • admin
  • backup
  • boss
  • cisco
  • congress
  • death
  • engineer
  • ibm
  • internet
  • kiddie
  • love
  • manager
  • sex
  • snake
  • user
  • windows
  • www

Avoid anything on this list. Any personnel using anything on this list will be required to attend a mandatory fnord security training class, and may possibly face reprimands for repeat offenses.

Public Key Authentication (1)

rimu guy (665008) | more than 9 years ago | (#9048421)

Why are we still using passwords for everything? I must sign up for 2 or 3 new websites a week. I've been using the Internet for 32 years now. So that means I've signed up for just over 8388640 passwords.

Would someone please write a browser plugin that will enable public/private key authentication using my ssh agent [greenend.org.uk]. Then I just need to tell them my public key.

ADV: Get your own 'no password required' virtual private server [rimuhosting.com]
