Dark Helmet: So the combination is... 12345? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
Don't trust this list. The only way anyone could actually see or count passwords for this list is if the system itself is insecure. Unix has been hashing and salting passwords for, what, decades?
Perhaps the numeric password is first since so many places that ask for a password ask for numbers as part of the password. Though come to think of it they usually want both letters and numbers.
@6 -- Not true. A dictionary attack will easily get all of these passwords; you don't need access to the hashed passwords for that, only some kind of open network service that authenticates, or physical access to the system.
And SYSV style unix password encryption is very weak. That's why modern unixes shadow the passwd file.
@Paul, "I know a couple of my passwords are really bad. I figure the badness, at this point, almost works as protection"
YOUR THEORIES ON SECURITY ARE VERY INTERESTING. PLEASE, WHAT IS YOUR IP ADDRESS, I WISH TO SUBSCRIBE TO YOUR NEWSLETTER?
The best worst password is always a mathematical identity, like 31415 or 112358, something that the person who set it thinks is so damn clever (and yet so easy to remember!) that no one else would ever consider it.
#8, that's not really what I meant. Unless you're suggesting the author of the article took thousands (millions) of hashed passwords and dictionary attacked them all to come up with this list?
Yeah, #8's reply is glaringly irrelevant to yours and fairly out of date, but dictionary attacks, along with audit logs for systems/password expiry, are among the ways that this sort of information gets collected.
See the book that the password information comes from.
I thought license plate #'s, pet's names, family/friends/SO's names, birthdays, anniversaries, and "Soylent Green Is People" were the most popular passwords.
How is it "Dick" is #91 and "Big Dick" is #186? For that matter "Cock" and "Johnson" are in the 200-300 range, why? "Pussy" is #5.
So many sites these days ask for you to "become a member" for the lamest crap so I can see where one would enter an easy password like "123456" or "password" because it doesn't really matter anyway.
I know that 'remember' happens to top the list and I don't see it there. I have had my password set to 'changepassword' on a number of occasions as well. Wonder where they sourced this list from, certainly not bona fide hackers.
@2: Prepare Spaceball 1 for immediate departure! And change the combination on my luggage.
My passwords are all Romanizations of obscure Chinese words plus the birthdate of this guy I had a crush on in college. Nobody's gonna read MY hotmail!
I think that "Fuckyou" is the best password and if you don't think so then you need to be more open about other people and be more accepting. Big up to the man upstairs Big JC ya heerr peaccccceeeeee
My original password when I first started using Windows was really easy (in fact, it's the verb that was both their slogan for a while and the action that would happen after you entered the password), but when I went to work for a large company as an adult, we used SAP software, which required a change every 60 days, using a series of letters and numbers, and you couldn't re-use previously used passwords. So after a while, I invented a little system to easily come up with an acceptable new password, and one ended up being stuck in eternity as the password I use for almost every website. Geeky to think that Apple Computer's corporate policies gave me the password I still use 8 years later.
Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.
These days, hard drives are large enough that you can just precompute full rainbow tables for every possible salt on a traditional Unix crypt(3) password. Do that for, say, all passwords of length 6 or less plus dictionaries for 10 different languages, and that's very roughly 120GB -- easily fitting on one modern hard drive. Once you've gone to the trouble of generating the rainbow tables (which you can do quickly in parallel), you can look up any password's hash (salt included) in constant time (i.e. practically instantly), so long as it's one of the passwords you put into the rainbow table.
Modern Unixen use a much stronger MD5-based hashing scheme by default. If your /etc/shadow (or, heaven forbid, /etc/passwd) contains a "$", then you have MD5 or better. The MD5 scheme usually uses 48 random bits of salt, instead of a mere 12, so the rainbow tables are unimaginably large (13 bits uses twice the space as 12, 14 bits uses twice the space as 13, and so on). This means you have to crack one user's password at a time... or read /etc/shadow, extract the list of salts that are actually in use, then build rainbow tables based on those. Except that's dumb: as soon as a user changes his/her password, you need to build a new rainbow table for him/her, so there's no benefit in remembering the thousands/millions of failed passwords by writing them to a (massive array of) hard drive(s).
That basically just leaves dictionary attacks. If your password appears in a dictionary (including dictionaries of names, dictionaries of foreign languages, or dictionaries of online slang), or it's a word in a dictionary plus a few digits on the end, then your password is laughably easy. It just takes time... or a botnet. These days, it's usually a botnet. Thousands of computers, all trying entire dictionaries against every account on a given website, times thousands of botnets each attacking one or more websites at any given moment... yeah, bad passwords don't really stand a chance against that.
The strongest passwords that a human can actually memorize are usually either (best) an entire phrase in a natural language like English, complete with punctuation, or (still good) condensing such a phrase into a single word using mnemonics or abbreviations, including digits or punctuation in substitution for words, plus at least one random bit of punctuation somewhere in the middle of the password. Lots of systems, websites in particular, limit the maximum length of your password (the fools), so you're probably stuck using the latter instead of the former.
And for heaven's sake, don't use the same password at all websites! Botnets are smart enough to try your password at other sites. They can guess your username at a second website not just from your username at the hacked site, but also from using bits of profile information and from Google searches on you. Use the same password at multiple sites, and you could be facing dozens of your accounts all being hacked successfully on the same day. And you might not even notice it until the owners of the botnet sell the information to the highest bidder, weeks later.
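The comment above describes the weak pattern a dictionary attack eats first (a wordlist entry, possibly with a few digits tacked on or simple character swaps) and the strong pattern it struggles with (a long natural-language phrase). This added example, not from the thread, turns that into a registration-time check; the wordlist is a small constructed stand-in seeded with the top-20 list quoted earlier, and the four-character junk limit and 12-character minimum are assumptions.

```python
import re

# Constructed stand-in for the wordlists the comment mentions (English words,
# names, slang), seeded with the top-20 list quoted earlier in this thread.
WORDLIST = {
    "password", "abc123", "myspace", "blink182", "qwerty", "fuckyou", "123abc",
    "baseball", "football", "123456", "soccer", "monkey", "liverpool",
    "princess", "jordan", "slipknot", "superman", "iloveyou",
    "remember", "changepassword", "dopeydope", "letmein", "dragon",
}

# Up to four non-letters tacked on either end: "monkey1", "1dopeydope", "qwerty!!"
JUNK = re.compile(r"^[^a-z]{0,4}|[^a-z]{0,4}$")

# Single-character substitutions attackers enumerate anyway: p@ssw0rd -> password
LEET = str.maketrans("@43105$!7", "aaelossit")


def normalize_candidates(pw: str) -> set:
    """Every cheap variant an attacker's ruleset would try: lowercase, junk
    stripped from the ends, leet undone, and the combinations of those."""
    base = pw.lower()
    forms = {base, JUNK.sub("", base)}
    forms |= {f.translate(LEET) for f in set(forms)}
    forms |= {JUNK.sub("", f) for f in set(forms)}
    return forms - {""}


def classify(pw: str, min_len: int = 12) -> str:
    """'dictionary' if any variant is a wordlist entry (weak at any length),
    'short' if under min_len, otherwise 'ok'. A full phrase such as
    'Soylent Green Is People.' passes: its words are common, but the phrase
    as a whole is not a wordlist entry and is long."""
    if any(c in WORDLIST for c in normalize_candidates(pw)):
        return "dictionary"
    if len(pw) < min_len:
        return "short"
    return "ok"


if __name__ == "__main__":
    for pw in ("monkey1", "P@ssw0rd1", "1dopeydope", "Xq7#", "Soylent Green Is People."):
        print(f"{pw!r:28} -> {classify(pw)}")
```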
I've always wondered why this works. After 10 or so failed attempts, shouldn't the system simply not accept any further attempts?
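The question above runs into the point the thread has already made: a failed-attempt limit is kept per account, while a botnet spreads one or two guesses across every account on the site, so no single account ever reaches the limit. This added example, not from the thread, runs both checks over constructed sshd-style log lines (documentation IP ranges, not real traffic) and shows the per-account lockout staying silent while a per-source distinct-account count fires; the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd-style lines, not real logs. Each source fails against a
# different account each time, so no account accumulates many failures.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for alice from 203.0.113.5 port 51022 ssh2
Mar  3 10:00:02 web1 sshd[2203]: Failed password for bob from 203.0.113.5 port 51023 ssh2
Mar  3 10:00:02 web1 sshd[2204]: Failed password for carol from 198.51.100.7 port 40111 ssh2
Mar  3 10:00:03 web1 sshd[2206]: Failed password for dave from 203.0.113.5 port 51024 ssh2
Mar  3 10:00:03 web1 sshd[2207]: Failed password for erin from 198.51.100.7 port 40112 ssh2
Mar  3 10:00:04 web1 sshd[2209]: Failed password for frank from 198.51.100.7 port 40113 ssh2
Mar  3 10:00:05 web1 sshd[2210]: Accepted password for alice from 192.0.2.10 port 33001 ssh2
Mar  3 10:00:06 web1 sshd[2212]: Failed password for alice from 192.0.2.10 port 33002 ssh2
"""

# Matches both known and "invalid user" failures in the standard sshd format.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def per_account_lockouts(log: str, threshold: int = 10) -> list:
    """Accounts a classic lockout rule would disable: N failures on one name.
    Against a spread-out dictionary run this returns nothing."""
    counts = Counter(m.group(1) for m in FAILED.finditer(log))
    return sorted(user for user, n in counts.items() if n >= threshold)


def failures_by_source(log: str) -> dict:
    """Source IP -> set of distinct account names it failed against."""
    out = defaultdict(set)
    for user, ip in FAILED.findall(log):
        out[ip].add(user)
    return dict(out)


def spraying_sources(log: str, min_accounts: int = 3) -> list:
    """Sources that failed against many different accounts: the horizontal
    pattern the per-account rule cannot see. Alerting or throttling on the
    source (or on site-wide failure rate) is what actually catches it."""
    return sorted(ip for ip, users in failures_by_source(log).items()
                  if len(users) >= min_accounts)


if __name__ == "__main__":
    print("per-account lockouts:", per_account_lockouts(SAMPLE_LOG))
    print("spraying sources:    ", spraying_sources(SAMPLE_LOG))
```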
Never mind. My password is obviously 1dopeydope.
(I'd better go change my Slog password now...)
Fuckme Tigers, Badboy
Forever...
Bonnie
Access Coffee
Braves Midnight Shit
Panties
Mike Johnson Naughty
Shaved
http://www.schneier.com/blog/archives/20…