
SoylentNews is people

posted by Fnord666 on Friday December 14 2018, @09:40AM
from the hunter2 dept.

The Worst Passwords of 2018 are Just as Dumb as You'd Expect

"Password" will never be a good password. Period.

[...] It doesn't look like we're getting any smarter about our passwords.

On Thursday, software company SplashData released its annual list of the Top 100 worst passwords, and it includes some pretty obvious blunders. Coming in at No. 1 is, you guessed it, "123456," and in second place is, yup, "password." This is the fifth year in a row these passwords have held the top two spots.

Newcomers to the list include "666666" (No. 14), "princess" (No. 11) and "donald" (No. 23).

[...] To compile its list, SplashData evaluated more than 5 million leaked passwords, mostly from users in North America and Western Europe. The company estimates that about 10 percent of people have used at least one of the Top 25 worst passwords, and about 3 percent have used "123456."

[...] Here are the 25 worst passwords of 2018, according to SplashData:

1) 123456
2) password
3) 123456789
4) 12345678
5) 12345
6) 111111
7) 1234567
8) sunshine
9) qwerty
10) iloveyou
11) princess
12) admin
13) welcome
14) 666666
15) abc123
16) football
17) 123123
18) monkey
19) 654321
20) !@#$%^&*
21) charlie
22) aa123456
23) donald
24) password1
25) qwerty123



  • (Score: 3, Funny) by Anonymous Coward on Friday December 14 2018, @10:16AM (1 child)

    by Anonymous Coward on Friday December 14 2018, @10:16AM (#774332)

    I'm sad to see that "monkey" has lost its luster and has dropped all the way down to #18. A few years ago it was as high as #6.

    What kind of person would use "monkey" for their password and then stop using it? What is the world coming to?

    • (Score: 3, Interesting) by zocalo on Friday December 14 2018, @11:06AM

      by zocalo (302) on Friday December 14 2018, @11:06AM (#774343)
      I'm guessing one whose IT department has subsequently enforced a password complexity policy. Expect "monkey1" etc. to start climbing the charts...

      Talking of password policies, I'm assuming that the relative positions of "12345..." style passwords have at least some correlation with the minimum password length permitted by policies (or maximum length for truly lame websites), so it seems that more sites permit six character passwords (this is the most common password length in the top 25) than anything else, and eight characters seems to be more popular than 5 or 7.
      --
      UNIX? They're not even circumcised! Savages!
  • (Score: 0) by Anonymous Coward on Friday December 14 2018, @11:24AM (7 children)

    by Anonymous Coward on Friday December 14 2018, @11:24AM (#774345)

    I see that "abcdef" is not on the list (well, at least not on the short list; I can't see the full list without JavaScript), so I guess I'm still safe. :-)

    But of course I'm joking here; as an xkcd reader I certainly know that the only truly safe password is "Correct Horse Battery Staple" and use it everywhere. ;-)

    • (Score: 4, Interesting) by Rosco P. Coltrane on Friday December 14 2018, @12:18PM (5 children)

      by Rosco P. Coltrane (4757) on Friday December 14 2018, @12:18PM (#774350)

      I use passwords that are obvious to the learned for my wifi access points (I manage around 1,500 for my company). For instance:

      SSID: "fritteredawaybydetail", Pass: "simplify"
      SSID: "eequals", pass: "mcsquared"
      SSID: "somethingrotten", pass: "denmark"
      SSID: "hovercarftfisfull", pass: "ofeels"

      I've yet to detect a successful login. It pays to capitalize on the state of the educational system.

      • (Score: 0) by Anonymous Coward on Friday December 14 2018, @12:25PM (4 children)

        by Anonymous Coward on Friday December 14 2018, @12:25PM (#774351)

        who's that MC Squarre

        • (Score: 5, Funny) by Anonymous Coward on Friday December 14 2018, @01:11PM (2 children)

          by Anonymous Coward on Friday December 14 2018, @01:11PM (#774369)

          who's that MC Squarre

          MC Square is the peg MC Hammer drove into the MC Round hole.

          • (Score: 0) by Anonymous Coward on Friday December 14 2018, @06:49PM

            by Anonymous Coward on Friday December 14 2018, @06:49PM (#774509)

            Was that peg going into a McWindow or a McMac?

          • (Score: 1) by Ethanol-fueled on Saturday December 15 2018, @01:22AM

            by Ethanol-fueled (2792) on Saturday December 15 2018, @01:22AM (#774637) Homepage

            Wow, inoffensive nerd humor I actually found to be funny. A rare case, indeed.

        • (Score: 2) by AthanasiusKircher on Saturday December 15 2018, @02:47AM

          by AthanasiusKircher (5291) on Saturday December 15 2018, @02:47AM (#774668) Journal

          Undoubtedly the guy whose "hovercarft" is full of eels (poor guy). These days, it's hard to get a proper exterminator for the eels in one's hovercarft. Ah, the state of educatoin in these timse.

    • (Score: 2) by KritonK on Sunday December 16 2018, @04:09PM

      by KritonK (465) on Sunday December 16 2018, @04:09PM (#775113)

      Mine isn't either.

      Nobody would ever think that it's the same as the combination for my luggage!

  • (Score: 2) by takyon on Friday December 14 2018, @12:36PM (1 child)

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Friday December 14 2018, @12:36PM (#774354) Journal

    11) princess
    16) football

    Nice users:

    8) sunshine
    10) iloveyou
    13) welcome

    Evil user:

    14) 666666

    Le troll:

    23) donald

    The sneaky one:

    24) password1

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2, Interesting) by Ethanol-fueled on Saturday December 15 2018, @01:24AM

      by Ethanol-fueled (2792) on Saturday December 15 2018, @01:24AM (#774639) Homepage

      The real head-scratcher is, what the hell fucking sites still allow such weak passwords? Asking for a friend who is definitely not a hacker.

  • (Score: 3, Funny) by Anonymous Coward on Friday December 14 2018, @01:34PM

    by Anonymous Coward on Friday December 14 2018, @01:34PM (#774379)

    Newcomers to the list include "666666"

    This is due to Trump's hidden war on the satanic cabal. They have been reduced to enjoying their dark arts in the password realm.

  • (Score: 5, Insightful) by MrGuy on Friday December 14 2018, @01:43PM (2 children)

    by MrGuy (1007) on Friday December 14 2018, @01:43PM (#774384)

    If I'm being required to sign up to get access to something on a site, and there's no commerce or PII implications (i.e. they don't know anything about me other than my e-mail), then I have a weak throwaway password I don't mind seeing compromised that I used for quite some time (i.e. before I got a password manager, when having a strong password became as easy as having a weak one). I didn't feel like generating/remembering a strong password for a site I used only occasionally when I didn't really care if my account got "compromised."

    • (Score: 2) by VLM on Friday December 14 2018, @01:55PM (1 child)

      by VLM (445) on Friday December 14 2018, @01:55PM (#774387)

      I do almost the same thing, with the slight variation that if I know they don't save payment information for one click re-ordering, I'll use the generic password for casual shopping.

      'Tis the season to order gift baskets for my clients and distant (physically or otherwise...) relatives and that's not (yet) an amazon thing. Why? That's an excellent question, as however much amazon Inc might suck, their UI experience is near perfection.

      In theory a dedicated and extremely bored hacker could figure out my wife's login info at one of the bazillion gift basket companies, log in as her, find the historical shipping info, and get a fraction of my client and relative list. I suppose the worst thing someone could do is find the IT director who's gluten-free like my kid is, then use his own money (because the site doesn't store payment information) and send the poor guy a loaf of organic artisan whole wheat bread or similar. That's about as bad as it gets, I guess. I suppose the attacker, using his own money, could make the message something like "F U celiac is a fake disease" to piss him off, or frankly more likely he'd laugh at me.

      It's not a terribly useful or realistic attack vector. I mean, why steal my gift basket login when you could steal my AWS account or my brokerage account info?

      • (Score: 2) by Freeman on Friday December 14 2018, @04:47PM

        by Freeman (732) on Friday December 14 2018, @04:47PM (#774459) Journal

        I have no idea what UI you're referring to, because I've used the Amazon UI and it sucks. Just look at the search and filter options available from Newegg, then compare that with the features for Amazon. Also, Amazon sticks random junk up in my face all the time. No, I don't want some random piece of junk that has no bearing on what I'm searching for, thanks. Amazon definitely has some things going for it, their UI, isn't one of them. I also try to avoid purchasing things from the Amazon Empire as much as possible.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 2) by looorg on Friday December 14 2018, @02:18PM (3 children)

    by looorg (578) on Friday December 14 2018, @02:18PM (#774394)

    How do they rank them? I just skimmed the article really but I can't find anything about how they rank them, as in how do they pick the worst one. Is it frequency (as in how many times it occurs in the datasets they have gathered) or what?

    After all, (5) 12345 should be a worse password than (1) 123456. After all, it's at least a character shorter, so even if you don't use some kinda dictionary attack but instead brute force it, then it should find (5) before (1) -- even though it's probably just a matter of seconds, but still. Naturally one would assume that the common ones, or just words that are found in a normal dictionary, would be worse than words that are not, but on the other hand if you brute-force guess then it might be all about length and whether you cram in some special characters or not. So in that regard (24) password1 is better than (2) password. Brute-force, it's an extra character, but if you run a dictionary or wordlist attack it might not matter all that much.

    • (Score: 2) by nobu_the_bard on Friday December 14 2018, @03:17PM (1 child)

      by nobu_the_bard (6373) on Friday December 14 2018, @03:17PM (#774422)

      Yeah I couldn't find any data about their sources.

      For example, if this data is culled from websites that had plaintext password leaks, then it's data that only represents the subset of websites that had plaintext password leaks. That's already a pretty good sign it's a trash website, which implies most of the accounts are probably trash.

      In an era of fake news, not giving any hint of your sources or methods makes your news post worthless.

      Of course maybe it was in the video at the top I didn't watch. I doubt it, it looked like it was not more than 2 minutes long.

      • (Score: 3, Insightful) by Anonymous Coward on Friday December 14 2018, @04:06PM

        by Anonymous Coward on Friday December 14 2018, @04:06PM (#774445)

        In an era of fake news, not giving any hint of your sources or methods makes your news post worthless.

        It is amazing that people are told by the fake news that we are in a "new era" of fake news and they believe it. There is nothing new about it. You should have always demanded (non-anonymous) sources and methods.

    • (Score: 0) by Anonymous Coward on Friday December 14 2018, @04:31PM

      by Anonymous Coward on Friday December 14 2018, @04:31PM (#774453)

      How do they rank them?

      They rank them by the number of times that each bad password was found in data breach dumps. So "123456" was found the most (excluding any good passwords that may have occurred more often).

  • (Score: 2, Insightful) by Anonymous Coward on Friday December 14 2018, @02:20PM (3 children)

    by Anonymous Coward on Friday December 14 2018, @02:20PM (#774396)

    These ratings do not reflect reality well in the modern Internet economy, where CEOs play pocket billiards to a rising number of registered users, and to download a f..n driver you need to sign up for 6 services. Here people just go with 12345678 using a one-time account.
    I wrote a small blog post about it some time ago, but I don't know whether URLs are supported, so I'll summarize the experiment here: There is a service C., where users may share and download files, but only files below 1MB are free to download; larger ones require a free account.
    The procedure to create an account is as follows: the first piece of information is that the password has to be at least 8 characters long. Then, if you enter numbers only, it informs you that at least a single letter is needed. The account name by default is the username from the e-mail address. So I decided to try to harvest accounts using usernames generated from one of the well-known temporary e-mail services (bXXXXXXX where X are digits). After a few days of trying I found about 500 accounts with no files, made probably to download one file.
    Let's try to brute-force into them. We have the 8-character information, and then the information about the letter, so the dictionary was:
    12345678a
    a12345678
    And that was all. Got about 90 working accounts.
    So what? Yes, there are poor passwords. But they are used responsibly: for poor resources.

    • (Score: 0) by Anonymous Coward on Friday December 14 2018, @02:30PM (1 child)

      by Anonymous Coward on Friday December 14 2018, @02:30PM (#774399)

      I wrote a small blog post about it some time ago, but I don't know whether URLs are supported

      You aren't sure if this site supports links?

    • (Score: 1, Touché) by Anonymous Coward on Friday December 14 2018, @05:01PM

      by Anonymous Coward on Friday December 14 2018, @05:01PM (#774462)

      I wrote a small blog post about it some time ago, but I don't know whether URLs are supported

      If you posted a link to your blog you no longer would fulfill the "anonymous" portion of AC.

  • (Score: 0) by Anonymous Coward on Friday December 14 2018, @03:30PM

    by Anonymous Coward on Friday December 14 2018, @03:30PM (#774428)

    Still works for me and hasn't been cracked.

  • (Score: 1, Interesting) by Anonymous Coward on Friday December 14 2018, @03:41PM

    by Anonymous Coward on Friday December 14 2018, @03:41PM (#774432)

    If a site demands more respect for its accounts than the users are willing to give in form of passwords, the passwords need to be generated by the site and assigned to the user.

  • (Score: 2, Funny) by nitehawk214 on Friday December 14 2018, @03:44PM (1 child)

    by nitehawk214 (1304) on Friday December 14 2018, @03:44PM (#774436)
    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 2, Interesting) by nitehawk214 on Friday December 14 2018, @03:46PM

      by nitehawk214 (1304) on Friday December 14 2018, @03:46PM (#774437)

      Also, fun fact, the computer's voice is provided by Harlan Ellison, playing... Harlan Ellison. :)

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
  • (Score: 3, Interesting) by OrugTor on Friday December 14 2018, @04:11PM (1 child)

    by OrugTor (5147) on Friday December 14 2018, @04:11PM (#774448)

    Strong passwords are a tough sell when data breaches are commonplace.

    • (Score: 0) by Anonymous Coward on Friday December 14 2018, @04:33PM

      by Anonymous Coward on Friday December 14 2018, @04:33PM (#774455)

      Except that sites that enforce strong password requirements usually salt and hash the passwords before they are stored (unlike sites that just don't care about password strength).
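As an added example, not code from the page, from SplashData or from any commenter, here are the thread's technical points in runnable form: the frequency ranking described in the "How do they rank them?" reply (most occurrences in breach dumps first), zocalo's observation about password lengths in the top 25, and the claim above that a site which enforces a password policy salts and hashes what it stores. The block ranks a constructed stand-in for a breach dump, builds a denylist from the page's own top 25, rejects denylisted or short candidates at registration, and stores a PBKDF2-salted digest. The sample dump, the 8-character minimum and the 600,000-iteration work factor are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# The top 25 from the SplashData list quoted in the story above.
TOP_25_2018 = [
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwerty123",
]

# Constructed stand-in for a breach dump (the real 5-million-entry corpus is
# not on the page); the repetition count is what drives the ranking.
LEAKED_SAMPLE = (
    ["123456"] * 6 + ["password"] * 5 + ["12345"] * 3 + ["qwerty"] * 2
    + ["monkey"] * 2 + ["Tr0ub4dor&3", "correcthorsebatterystaple"]
)

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000


def rank_by_frequency(leaked):
    """Rank strings by how often they appear in the dump, most frequent
    first: the ranking the thread says the worst-password list uses."""
    return [pw for pw, _ in Counter(leaked).most_common()]


def length_histogram(passwords):
    """Map password length -> count, so a list can be checked against
    zocalo's observation about six- and eight-character entries."""
    return dict(sorted(Counter(len(pw) for pw in passwords).items()))


def build_denylist(ranked, top_n):
    """Lower-cased set of the top_n most common leaked passwords."""
    return frozenset(pw.lower() for pw in ranked[:top_n])


def check_password(candidate, denylist, min_length=8):
    """Registration-time policy: a length floor plus a breached-password
    denylist compared case-insensitively. Returns (accepted, reason)."""
    if len(candidate) < min_length:
        return False, "too short"
    if candidate.lower() in denylist:
        return False, "on breached-password denylist"
    return True, "ok"


def hash_password(password, salt=None):
    """Derive a salted PBKDF2 digest. A fresh 16-byte random salt per user
    means two users who both chose '123456' get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("ranked sample:", rank_by_frequency(LEAKED_SAMPLE)[:5])
    print("top-25 lengths:", length_histogram(TOP_25_2018))
    denylist = build_denylist(TOP_25_2018, 25)
    for pw in ("password1", "Football", "correct horse battery staple"):
        print(pw, "->", check_password(pw, denylist))
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

The length histogram of the page's top 25 comes out as 2 five-character, 9 six-character, 3 seven-character, 8 eight-character and 3 nine-character entries, which is the distribution zocalo describes. The denylist check runs before hashing so that a rejected password is never stored; as nobu_the_bard's comment implies, none of this helps a site that keeps passwords in plaintext, since a leak from such a site exposes every account regardless of policy.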

  • (Score: 3, Interesting) by Azuma Hazuki on Friday December 14 2018, @05:22PM (1 child)

    by Azuma Hazuki (5086) on Friday December 14 2018, @05:22PM (#774469) Journal

    Maybe I'm just paranoid, but I've got almost a dozen different passwords, all over 16 characters long, and they're not phrases or birthdays or anything. I've developed mnemonics for memorizing long strings of stuff that looks like /dev/urandom threw up somehow...

    --
    I am "that girl" your mother warned you about...
    • (Score: 3, Insightful) by chromas on Friday December 14 2018, @11:49PM

      by chromas (34) Subscriber Badge on Friday December 14 2018, @11:49PM (#774610) Journal

      I've developed mnemonics for memorizing long strings of stuff that looks like /dev/urandom threw up somehow

      Ah, perl 6.

  • (Score: 3, Interesting) by xpda on Saturday December 15 2018, @12:01AM

    by xpda (5991) on Saturday December 15 2018, @12:01AM (#774615) Homepage

    Sometimes a stupid password isn't stupid.

    On some sites, I don't care who uses my account or what they do with it. I would prefer not to even have a password. So, I use a simple word (if allowed), probably high up on the list of stupid passwords. I occasionally get a note that I've been hacked, but I don't mind a bit. I'm happy to share my account (again, on some sites).

  • (Score: 0) by Anonymous Coward on Sunday December 16 2018, @09:45PM

    by Anonymous Coward on Sunday December 16 2018, @09:45PM (#775190)

    I must change it immediately!!!!!!
