
Millions of people still use 123456 as their password

Slurs Gang

Keepass FTW!!!

Want a pseudo-randomly generated password with 50 characters including uppercase/lowercase letters, numbers, and special characters? No prob, just click this button and save your entry with your desired username!


I prefer Blur as my password manager for its added disposable Email address functionality. As a password manager it's inferior to competitors, but the overall package is excellent.


10 hours ago, Ryujin2003 said:

In case people aren't familiar with this resource:

 

https://www.bennish.net/password-strength-checker/

 

Gives you the estimated strength based on dictionary use and hack time from brute force algorithms.

 


Average number of guesses needed to crack: 4308712000000000
Strength score (1-5): 5

Approx times to crack ... 
   100/hour: centuries
  10/second: centuries
 10k/second: centuries
 10B/second: 5 days

This is my password on basically every account I use

✨FNIGE✨


My go-to crappy password is edcbaH@x0r. First 5 letters of the alphabet backwards, then easy to remember slang. abc and 123 and similar alphabet strings are sometimes banned, and sometimes there's a caps and length requirement. edcbaH@x0r can generally pass all annoying complexity requirements, and I've only seen it not accepted at sites with harsh limitations on the symbols that you can use.


16 hours ago, imreloadin said:

Keepass FTW!!!

Want a pseudo-randomly generated password with 50 characters including uppercase/lowercase letters, numbers, and special characters? No prob, just click this button and save your entry with your desired username!

I use lastpass and it makes creating passwords so much easier and more secure.

Anything I create that I need to remember I use a phrase.


On 4/23/2019 at 1:53 AM, SlimyPython said:

? Elaborate

It's a site glitch.


Open up a random page inside of a dictionary. That's your new password now.

 

Now add some numbers and symbols to it.


https://haveibeenpwned.com/Passwords


 

This is the hot new thing and you should expect to see it rolling out to many services just as you have with 2fa. One thing to note is that it's fairly fuzzy and adding some extra features to a weak password isn't going to make it stronger. It seems I get a few business users every month calling me up saying they can't get any password to work no matter how much extra stuff they put on it. I have to tell them to use something more original or ask their manager to buy them a Yubikey. 

The attack risk is called a Password Spray attack. Say someone wanted to attack the forum here with its 550k members. They could do something clever, or they could just try "Spring2019" against every account and probably get a couple dozen hits. 

 

Also keep in mind to use unique passwords everywhere. Even if every service you register with properly salts and hashes their PWs, you can't count on a stolen encrypted database staying encrypted for long. I've got security consultants sending me marketing spam advertising that they can reliably crack stuff in the 18-24 character range now and would I care to put my architecture to the test. Sure live systems are rate limited, but once that database is offline all bets are off. 

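A defender's view of the password spray described in the post above, as an added example that is not part of the thread: in authentication logs a spray appears as one source failing against many distinct accounts with only one or two attempts each, which per-account lockout never sees. The log format, addresses, usernames and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result"
_SPRAYED = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = "\n".join(
    # one source, one failed guess per account: the spray pattern
    [f"2019-04-28T18:00:{i:02d} 203.0.113.7 {u} FAIL" for i, u in enumerate(_SPRAYED)]
    # one source hammering a single account: lockout already catches this
    + [f"2019-04-28T18:05:{i:02d} 198.51.100.20 alice FAIL" for i in range(8)]
    # an ordinary typo followed by a successful login
    + ["2019-04-28T18:07:00 192.0.2.55 bob FAIL",
       "2019-04-28T18:07:09 192.0.2.55 bob OK"]
)


def find_sprays(log_text, window=timedelta(minutes=10),
                min_accounts=5, max_per_account=2):
    """Return {source_ip: accounts_hit} for sources whose failures inside
    one time window are spread thinly across many distinct accounts."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "FAIL":
            continue  # skip malformed lines and successful logins
        by_src[parts[1]].append((datetime.fromisoformat(parts[0]), parts[2]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        counts, start = Counter(), 0  # failures per account inside the window
        for ts, user in events:
            counts[user] += 1
            while ts - events[start][0] > window:  # expire old failures
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            wide = len(counts) >= min_accounts
            shallow = max(counts.values()) <= max_per_account
            if wide and shallow:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged


if __name__ == "__main__":
    print(find_sprays(SAMPLE_LOG))
```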

just make your password "password123456" nobody will ever guess

 


On 4/22/2019 at 10:44 AM, tarfeef101 said:

I would have better passwords if companies didn't try to save 5 cents on storage space by creating stupid password requirements. Specifically length limits. 

Just this morning I got signed out of origin, and had to sign in again. Had to reset it cause it was a 16 character limit and I generally use more than that, so I had no idea what it was.

Yeah EA, I'm sure the couple extra bytes would totally cripple your business. 


Hell I've even seen banks with a tiny limit on length. Like, wtf?! It's a bank password!! If I want it to be secure, let me!

Dude, password managers and https://imgs.xkcd.com/comics/password_strength.png


My favorite

 

Pass="password"

User="admin"

 

And they wonder how they got hacked. 

Sudo make me a sandwich 


4 minutes ago, wasab said:

My favorite

 

Pass="password"

User="admin"

 

And they wonder how they got hacked. 

My router login data for years ?


On 4/28/2019 at 6:51 PM, jake9000 said:

https://haveibeenpwned.com/Passwords


 

This is the hot new thing and you should expect to see it rolling out to many services just as you have with 2fa. One thing to note is that it's fairly fuzzy and adding some extra features to a weak password isn't going to make it stronger. It seems I get a few business users every month calling me up saying they can't get any password to work no matter how much extra stuff they put on it. I have to tell them to use something more original or ask their manager to buy them a Yubikey. 

The attack risk is called a Password Spray attack. Say someone wanted to attack the forum here with its 550k members. They could do something clever, or they could just try "Spring2019" against every account and probably get a couple dozen hits. 

 

Also keep in mind to use unique passwords everywhere. Even if every service you register with properly salts and hashes their PWs, you can't count on a stolen encrypted database staying encrypted for long. I've got security consultants sending me marketing spam advertising that they can reliably crack stuff in the 18-24 character range now and would I care to put my architecture to the test. Sure live systems are rate limited, but once that database is offline all bets are off. 

This reminds me...

I'm currently working on a school project in which I have to create a web app with MySQL database and Java as the back end. 

 

My group members literally store user passwords in plain text without any hashing. 

 

Their code is also a mix of copy and paste from stack overflow and elsewhere on the internet. Pretty sure anyone can break into our database and gain unauthorized access with some simple SQL injection. 

 

 

Sudo make me a sandwich 


5 minutes ago, Teddy07 said:

My router login data for years ?

As long as nobody cracks your wifi password or has physical access to your machine, it is nothing to worry about. 

Sudo make me a sandwich 


On 4/23/2019 at 3:02 PM, ZacoAttaco said:

Thanks for the resource, seems like a neat little site.

If anyone else isn't familiar with password cracking at all here is an excellent video on the subject.

 

 

Common password "dictionary" databases anyone?


Maybe I'm being paranoid, but why would I test if my password is tough to crack by giving it to another website (Password Strength Checker) ? Even if the website is secure, the website knows that this user's password is likely the one they inputted.


On 5/6/2019 at 4:37 PM, inteli7.Ti said:

Maybe I'm being paranoid, but why would I test if my password is tough to crack by giving it to another website (Password Strength Checker) ? Even if the website is secure, the website knows that this user's password is likely the one they inputted.

Supposedly, it runs the test on a local script rather than on the website itself.  That said, I would still never input my actual password into any website other than the one I need to login to.  However, I did test my password strength by using the same pattern that my password is based on (characters/special characters/etc in the same sequence).


Quote

People’s names are still commonly used as passwords, the most popular being Ashley, followed by Michael, Daniel, Jessica and Charlie. And when it comes to using band names, Blink182 is the most common, followed by 50cent. Superman, meanwhile, is the most popular fictional character name used as a password.

Dammit, 50cent has been my go to password for years playa.


On 5/6/2019 at 5:37 PM, inteli7.Ti said:

Maybe I'm being paranoid, but why would I test if my password is tough to crack by giving it to another website (Password Strength Checker) ? Even if the website is secure, the website knows that this user's password is likely the one they inputted.

http://rumkin.com/tools/password/passchk.php

 

This one works without an active connection.


On 5/8/2019 at 2:16 AM, Jito463 said:

Supposedly, it runs the test on a local script rather than on the website itself.  That said, I would still never input my actual password into any website other than the one I need to login to.  However, I did test my password strength by using the same pattern that my password is based on (characters/special characters/etc in the same sequence).

You don't really need anything advanced. It just checks the length, what characters are used and in what sequence (if repeated like 123456). And then it throws out the estimate.

I frankly wouldn't input any of my real passwords in it either just to be sure tho. If you're using password managers like LastPass, they already show you the password strength during generation within the app so there is no need for extra usage of some website. And since password manager already stores all your passwords, I'm guessing you're already trusting it at that point.

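The kind of check described in the post above (length, character classes, runs such as 123456), written to run locally so that no real password is typed into a website. This is an added example, not the code of either linked checker: the common-password set is taken from passwords named in this thread, the four guess rates are the ones in the checker output quoted earlier, and the scoring rule is a simple assumption that will overrate anything built from dictionary words.

```python
import string

# Guess rates quoted in the thread's checker output, in guesses per second.
RATES = {"100/hour": 100 / 3600, "10/second": 10,
         "10k/second": 1e4, "10B/second": 1e10}
# Passwords the thread names as common; a real list would be far longer.
COMMON = {"123456", "password", "password123456", "50cent", "blink182",
          "superman", "ashley", "michael", "daniel", "jessica", "charlie"}
_ALNUM = string.ascii_letters + string.digits


def pool_size(pw):
    """Size of the alphabet implied by the character classes in use."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(ch in cls for ch in pw):
            size += len(cls)
    if any(ch not in _ALNUM for ch in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def effective_length(pw):
    """Length after collapsing runs: a character equal to, or one step
    above or below, its predecessor (aaa, 123456, edcba) adds nothing."""
    return sum(1 for i, ch in enumerate(pw)
               if i == 0 or abs(ord(ch) - ord(pw[i - 1])) > 1)


def estimate_guesses(pw):
    """Average guesses for a naive search: half the keyspace, or 1 if the
    password is on the common list that gets tried first."""
    if pw.lower() in COMMON:
        return 1
    return max(1, pool_size(pw) ** effective_length(pw) // 2)


def crack_seconds(guesses):
    """Seconds needed at each quoted rate for a given guess count."""
    return {label: guesses / rate for label, rate in RATES.items()}


if __name__ == "__main__":
    for candidate in ("123456", "abcdef", "x7Qm"):  # constructed inputs
        g = estimate_guesses(candidate)
        print(candidate, g, crack_seconds(g)["10B/second"])
```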

On 4/22/2019 at 8:28 PM, TetraSky said:

In other news, the sky is blue and grass is green. (usually)



22 minutes ago, valdyrgramr said:

You should really lay off the acid.

nnkjç gisoh

