
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

Who's using 'password' as a password? TOO MANY OF YOU!



Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:3

1 recommendation

I can't believe you don't; you must have an excellent memory.


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24

1 recommendation

reply to antdude
It's hard to believe, after so long a time and so much education as most have gotten from somewhere that they continue to do that. In my way of thinking that's asking for trouble, and I guess if someone wants it, why not make it easy, eh?


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

1 recommendation

reply to antdude
No one uses "Admin"?
That's surprising.
I'm safe because I'm using "passwords".


jadinolf
I love you Fred
Premium
join:2005-07-09
Ojai, CA
kudos:8

1 recommendation

I just use the serial number of my Springfield 1911
--
Printed on 100% recycled bytes


Ian
Premium
join:2002-06-18
ON
kudos:3

2 recommendations

reply to antdude
12345. Good enough for my luggage lock, good enough for online security.

These are lists compiled from hacked databases. Which means, likely from the least secure sites.

And while the article mentions sites like Yahoo, LinkedIn, eHarmony, and Last.fm as having been hacked, it doesn't say that the list was compiled from them. I suspect most were culled from modest, silly little websites. Sites that people might just briefly register for, and not really care about.

I'd be curious to know it in a statistical context as well, i.e. what percentage of people are using terrible passwords on sites where security is a legitimate concern?

As a practical matter, why aren't more sites enforcing minimum password strengths?

Or why aren't sites using Hash(salt+password) instead of just hash(password)? Good luck finding hash(1212 times(4409986182706068992password)) in your Rainbow Tables looking through the leaked hashes. If a cracker found a site that was properly using hashing multiple times as well as salts, they'd likely give up and move on to the next database, rather than keep going.

Stupid web admins are at least as large of a problem as stupid users, imo.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong
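As an added illustration of the salted, iterated hashing Ian describes (example code written for this page, not from the article or from anyone in the thread): a precomputed digest table matches an unsalted hash(password) directly but has nothing to match against a per-user salted digest, and two users with the same password no longer share a stored value. The standard library's PBKDF2-HMAC stands in for the literal Hash(salt+password) repeated many times, and the weak-password list is constructed from words in this thread.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords seen in this thread; not a real leaked list.
COMMON_PASSWORDS = ["password", "12345", "newpassword", "secret", "drowssapwen"]

def naive_hash(password: str) -> str:
    """Unsalted, single-round hash(password): every user with the same
    password gets the same digest, so one precomputed table fits all sites."""
    return hashlib.sha256(password.encode()).hexdigest()

def precomputed_table(candidates) -> dict:
    """digest -> password, the lookup a rainbow table gives an attacker."""
    return {naive_hash(p): p for p in candidates}

def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Per-user random salt plus many rounds. PBKDF2-HMAC-SHA256 from the
    stdlib stands in for the thread's 'hash it 1212 times with a salt'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def store(password: str):
    """What the site keeps: (salt, digest). The salt need not be secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

def demo() -> dict:
    table = precomputed_table(COMMON_PASSWORDS)
    # Site A stored hash(password): a leaked digest is a direct table hit.
    hit = table.get(naive_hash("password"))
    # Site B stored a salted, iterated digest: no table entry can match it,
    # and two users with the same password do not even share a digest.
    salt1, stored1 = store("password")
    salt2, stored2 = store("password")
    return {
        "naive_lookup": hit,                        # "password"
        "salted_lookup": table.get(stored1.hex()),  # None
        "same_pw_same_digest": stored1 == stored2,  # False
        "login_ok": verify("password", salt1, stored1),
        "login_wrong": verify("Password", salt1, stored1),
    }
```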


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
Pretty much. My password on, say, fark, would be one far less secure (and probably not unique, either) than my password on my bank's website.
--
Think Outside the Fox.


Raphion

join:2000-10-14
Samsara
reply to antdude
Just pad it with a lot of spaces


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
reply to Ian
said by Ian:

12345. Good enough for my luggage lock, good enough for online security...

"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!"

"That's amazing. I've got the same combination on my luggage."

Thanks, Spaceballs movie!
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


mattmag
Premium,ExMod 2000-03
join:2000-04-09
NW Illinois
kudos:3

2 recommendations

reply to antdude

I've outsmarted all those people who attempt to crack my password, because I changed it to "newpassword".

Yeah, that fixed 'em!!


ashrc4
Premium
join:2009-02-06
australia

1 recommendation

newpasswordz*2 would be even better.
Oh wait, I posted it already.... sorry


Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:3

1 recommendation

Really! Can't you guys be a little more creative than that?

Use something really clever like "drowssapwen."


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7

1 recommendation

reply to antdude
I would never use "password". I much prefer "secret" because it is shorter and easier to type.

Please don't tell anybody.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 17.0


battleop

join:2005-09-28
00000
reply to Hank
I use *********.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
said by battleop:

I use *********.

Hey, that's my password too!

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to jaykaykay
said by jaykaykay:

It's hard to believe, after so long a time and so much education as most have gotten from somewhere that they continue to do that.

What education?

I'll bet you anything that even in this day and age, the topic of password security is not taught in most schools across the world.

Hell, when I went through school (graduated from high school in 2005), all they taught was basic Windows and Microsoft Office usage. Not a single word about security.

It hasn't been any different in the workplace either. The IT department enforces a password policy (the typical minimum X characters with at least one number and symbol type of thing), but never did they ever explain to employees the importance of secure passwords and how to create one.

Fact is, people aren't being told why secure passwords are important, what threats exist and how it relates to password security. Most people have never even heard terms like "brute force", "dictionary attack", or "keylogger".

07108968

join:2012-12-11
North Coast
reply to antdude
Too many use the same password for everything or a password that is too easy to guess.


cableties
Premium
join:2005-01-27
I'll tell you one thing that is frustrating about passwords: now that I use a serious (strong) pwd generator, am I the only one who finds that many of the financial institutions (banking, CU, stocks, merchants...) are inadequate, having a 16-character limit? And some don't even allow non-alphanumerics like "?" or "_" or "!" symbols!

Where I work, we can use sentences or random words separated by spaces or symbols.

No wonder we get hacked. 6-16 character limits. I don't think these sites/places take our finances and information seriously...
--
Splat

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel

1 edit
said by cableties:

No wonder we get hacked. 6-16 character limits. I don't think these sites/places take our finances and information seriously...

A 16-character limit is fine as long as the website or service in question limits the number of unsuccessful attempts, which most if not all banks do.

For instance, the bank I'm with will lock you out after 3 successive login failures. After that, you need to contact the bank by phone or in person and verify your identity to have the password reset.

This means an attacker has 3 chances to get it right. In other words, as long as the password isn't guessable, it doesn't matter that the password isn't insanely long.

The only effective attack method when the number of unsuccessful attempts in a given time period is greatly limited would be a dictionary attack. So as long as the password isn't guessable, you're good.

Very lengthy passwords are important mostly when the rate at which attempts can be made is very high or unlimited. File or hard drive encryption is a good example of that. The speed at which someone can brute-force encrypted data is only dependent on how much processing resources are available to the attacker.

In most cases when someone's online account to a website gets "hacked", it's as a result of one of the following:

A) keylogger
B) dictionary attack
C) vulnerability in the site's code or server
D) poor website security policy, allowing the attacker to perform a password reset
E) social engineering
F) using the same password for more than one site (and the password at another site gets compromised)

Brute forcing of online accounts is a relatively rare thing, as it would take nearly forever, even for a seemingly short 16-character password. Assuming the web site in question imposes no limits on failed login attempts, internet latency (ping) alone would make the process take years/decades, not to mention you'd probably unintentionally DDoS the web server in the process. Besides, if the website administrator did his job, such malicious activity should raise a red flag pretty quickly.
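An added example (not code from anyone in the thread) of the lockout TheMG describes, with the unlimited-rate contrast from the same post: after three consecutive failures even the correct password is refused until an out-of-band reset, and each lockout is recorded as the "red flag" an admin should see, while offline_centuries shows what an attacker with no rate limit at all faces. The user table, the 95-character printable alphabet and the 1e14 guesses/s figure are constructed assumptions for the demo.

```python
# Constructed user table for the demo; a real site would store a salted, iterated digest here.
USERS = {"alice": "correct horse battery staple"}

MAX_FAILURES = 3   # the thread's bank example: 3 successive failures lock the account

class LoginGuard:
    """Per-account consecutive-failure counter. Once locked, no further guess
    is evaluated, right or wrong, until an out-of-band identity check."""

    def __init__(self, users: dict, max_failures: int = MAX_FAILURES):
        self._users = users
        self._max = max_failures
        self._failures = {}      # user -> consecutive failed attempts
        self._locked = set()
        self.alerts = []         # lockouts an admin should see (the "red flag")

    def attempt(self, user: str, password: str) -> str:
        if user in self._locked:
            return "locked"
        if self._users.get(user) == password:
            self._failures[user] = 0        # a success resets the counter
            return "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self._max:
            self._locked.add(user)
            self.alerts.append(f"lockout: {user} after {n} failures")
            return "locked"
        return "denied"

    def reset_after_identity_check(self, user: str) -> None:
        """Phone or in-person verification, as in the thread's bank example."""
        self._locked.discard(user)
        self._failures[user] = 0

def offline_centuries(charset: int, length: int, guesses_per_sec: float) -> float:
    """Exhaustive search time with no rate limit at all (the offline case),
    counting every length up to `length`; 95 printable ASCII characters,
    16 characters and 1e14 guesses/s come to about 1.41e8 centuries."""
    keyspace = sum(charset ** n for n in range(1, length + 1))
    return keyspace / guesses_per_sec / (3600 * 24 * 365.25 * 100)

def demo() -> list:
    guard = LoginGuard(USERS)
    guesses = ["password", "12345", "secret", "correct horse battery staple"]
    results = [guard.attempt("alice", g) for g in guesses]
    guard.reset_after_identity_check("alice")
    results.append(guard.attempt("alice", "correct horse battery staple"))
    return results   # ['denied', 'denied', 'locked', 'locked', 'ok']
```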

07108968

join:2012-12-11
North Coast
reply to cableties
In most cases the issue isn't the character limit but the password itself; people like to pick passwords that are easy to remember, which makes them easier to guess.

Other "common" passwords are grandchildren's names and pets' names.
Passwords shouldn't be real words, but if they are they should be mixed upper and lower case, maybe mixed with numbers within.

You have 52 alphabet characters, 10 numbers, and maybe 10+ special characters; most banks and such give you three "tries" and then you are locked out.

Too many want to use the same password for everything so it is easier to remember, sometimes they will even use the same screen name too.

Those with the resources to "brute force" a 16 character password are not going to waste the time required on a personal bank account, those are usually guessed or the person is tricked into giving it out.


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
reply to antdude
I use ROT26 encryption. It's twice as secure as ROT13.


Ian
Premium
join:2002-06-18
ON
kudos:3
reply to 07108968
said by 07108968:

Those with the resources to "brute force" a 16 character password are not going to waste the time required on a personal bank account, those are usually guessed or the person is tricked into giving it out.

There isn't anyone in the world who qualifies.

Assuming 100 trillion guesses per second, it would still take 1.41 hundred million centuries to brute-force a 16-digit password.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong