Hacked Adobe Users Had Easy-To-Guess Passwords

HardOCP News

How the hell did 1.9 million people use "123456" as a password? Really? Really?

"123456" was the most popular password among the millions of Adobe users whose details were stolen during an attack on the company. About 1.9 million people used the sequence, according to analysis of data lost in the leak.
 
That many users using that password sequence just boggles the mind...
 
I use KeePass-generated passwords for just about everything, except for frequent log-ins that may be performed on mobile devices.
 
4.7% of users have the password password;
8.5% have the passwords password or 123456;
9.8% have the passwords password, 123456 or 12345678;
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
98.8% have a password from the top 10,000 passwords

http://xato.net/passwords/more-top-worst-passwords/

You can get a .zip file there of the top 10,000 passwords. Some of the ones you use might be in there. One of your relatives or close friends does use one, guaranteed.
 
Idiots.

asdfasdf is A LOT easier for a dumb password.

If they make you cap, number and add a special char, it's ASDF!1asdf
 
I have so many stinking passwords that I have "junk" ones. Ones that I don't care about. They are 8 characters and easy to type.
 
Not much point in making a password with 50 random characters that you can't possibly remember, when most companies are just going to store them unencrypted on an unprotected server anyway.
 
4.7% of users have the password password;
8.5% have the passwords password or 123456;
9.8% have the passwords password, 123456 or 12345678;
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
98.8% have a password from the top 10,000 passwords

http://xato.net/passwords/more-top-worst-passwords/

You can get a .zip file there of the top 10,000 passwords. Some of the ones you use might be in there. One of your relatives or close friends does use one, guaranteed.

Whoa. But at least I don't ;) I would like to tell you how awesome my secret password is and I still remember it, but well, then it wouldn't be so secret :p
 
4.7% of users have the password password;
8.5% have the passwords password or 123456;
9.8% have the passwords password, 123456 or 12345678;
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
98.8% have a password from the top 10,000 passwords

http://xato.net/passwords/more-top-worst-passwords/

You can get a .zip file there of the top 10,000 passwords. Some of the ones you use might be in there. One of your relatives or close friends does use one, guaranteed.

Just checked, none of mine are on there. My old password that I used when I was a kid is, however.
 
One of my machines has a fingerprint password vault. ie - if I give it my fingerprint, it looks up the right password for that device/account/site/etc.

But even that is not a fix. Password proliferation is going nuts.

This is why people use simple passwords. If you make things a PITA, people will bypass it.

Having a password for everything in life (my microwave has a password) is a kludge, not a fix.
 
You stand a pretty good chance of guessing business user passwords with a combo of either the month and year or season and year. Fall2013, Winter2013, October2013, December2013 etc etc.
 
You stand a pretty good chance of guessing business user passwords with a combo of either the month and year or season and year. Fall2013, Winter2013, October2013, December2013 etc etc.

Heh, this assumes they have basic security procedures like requiring passwords be changed every so often. I know many businesses that don't change passwords unless they get new hardware.
 
One of my machines has a fingerprint password vault. ie - if I give it my fingerprint, it looks up the right password for that device/account/site/etc.

But even that is not a fix. Password proliferation is going nuts.

This is why people use simple passwords. If you make things a PITA, people will bypass it.

Having a password for everything in life (my microwave has a password) is a kludge, not a fix.

I just use LastPass. It's so fricken annoying trying to remember all the random passwords I have.
 
Heh, this assumes they have basic security procedures like requiring passwords be changed every so often. I know many businesses that don't change passwords unless they get new hardware.

Very true. It's these basic security policies with lacking complexity policies that create these vulnerable trends.
 
I just use LastPass. It's so fricken annoying trying to remember all the random passwords I have.

Should also be noted that LP also has dual-factor authentication. You can either use a cipher grid for a second authentication or an app that does the RSA-style 30-second key number.
 
Want to make a million?

Market a system where devices, websites, accounts have a 2D barcode (those irritating square blocks with spastic black marks in them).

When you initially go to set a password, you aim either a cellphone or a webcam at the barcode and click.

Now the phone or computer has sent a very random password and stored it.

When you go to that device, account or site again, you click again, and it pukes up the right PW.
 
"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...god!" - The Plague
 
A lot of times when I'm setting up an account for someone on something and it asks them to set up a password, they are disappointed that they cannot make it "password", "PASSWORD" or whatever their username is.
 
[image: spaceballs-luggage-quote-how-to-create-strong-password.jpg]
 
Mine was not guessed. My password was similar to "13poci7". No way that was guessed, but my account was compromised somehow. I had to get a new credit card too.
 
wow this reminds me of my brother, but in a different way... his password is 45 characters long including at least 35 characters randomly generated. How he remembers that is beyond me.
 
I can tell you from my personal experience as a developer the reason my company enforces a password policy is that we were worried about liability if one of our clients gets "hacked" (that's when someone just guesses their password). This whole thing is really annoying for everyone. We need to get together and come up with a better solution. I've got some free time in March... 2017.

PS, our passwords have to be 8 characters+, have upper case, lower case, a number and not contain anything from the list of 100 most common passwords + the name of the company and product. We provide an automatic generator if they can't figure out how to actually do that.
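The policy described in this post, as an added example that is not code from the thread or from any poster's company: a checker that enforces the stated rules (8+ characters, upper case, lower case, a digit, not in a common-password list, not containing the company or product name) and goes one step further by also rejecting the season-or-month-plus-year pattern discussed earlier in the thread. The common-password excerpt, the company/product names and the account counts are constructed placeholders; a real deployment would load the full top-10,000 list linked above.

```python
import re
from typing import Dict, List

# Constructed excerpt of a "most common passwords" list (placeholder data).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "111111", "letmein", "monkey", "iloveyou", "asdfasdf"}

# Assumed company and product names (placeholders, not from the thread).
BLOCKED_WORDS = {"examplecorp", "widgetpro"}

# Season or month name followed by a 2- or 4-digit year, e.g. Fall2013,
# October2013!, with optional trailing symbols for "complexity".
SEASON_OR_MONTH_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter|january|february|march|april|may|"
    r"june|july|august|september|october|november|december)\d{2,4}[^a-z]*$",
    re.IGNORECASE)


def check_password(pw: str) -> List[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if any(word in lowered for word in BLOCKED_WORDS):
        problems.append("contains company or product name")
    if SEASON_OR_MONTH_YEAR.match(pw):
        problems.append("season/month plus year pattern")
    return problems


def top_n_coverage(counts: Dict[str, int], n: int) -> float:
    """Percent of accounts (from a password -> account-count table) whose
    password is among the n most frequent; mirrors the statistics quoted
    earlier in the thread."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:n]
    return 100.0 * sum(top) / total


if __name__ == "__main__":
    for candidate in ["password", "Fall2013", "ASDF!1asdf", "October2013!"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that "ASDF!1asdf" from earlier in the thread satisfies every rule, which is exactly the weakness such composition policies have.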
 
The number of easy passwords in that database also comes from the fact that a lot of accounts are those for trial versions. Even I, a password freak (my most important passwords are over 30 chars long), used 123456 for that account :)
 
I am getting really tired of these major companies using insecure credential storage... it wasn't long ago that freaking Sony was hacked and their entire password table was in plaintext....
 
My last boss had a stupidly easy password and I told him several times that he should change it and why.

But he didn't care. I think a lot of people are like my boss.
 
Who wants to bet some of these users will read this and get smart, changing their password to 123457???
 
That many users using that password sequence just boggles the mind...

Maybe they do not care if someone breaks into their account because there is nothing valuable for a hacker to get.

I used to use less secure passwords for forums. Since if someone broke in what would they get. The ability to impersonate me to post spam? Access to my email address?

Now I use LastPass to generate passwords for all forums. That has been hacked at least 1 time that I can remember. As a result I do not put financial (or any other important) account passwords in LastPass; however, that means these technically have an easier to brute force crack password. But then you would hope that all financial institutions would lock your account after 5 or so wrong guesses in a short period and allow you to unlock it with some alternate method.
 
You can make perfectly complicated passwords by just using sentences. A password like "ijusthadthetimeofmylife" is like 1000x more secure than "J#ks*21%".

Come up with a few key phrases that are unique to you and just rotate them about your login history, since obviously you don't want them all to be the same.

Doesn't hurt that many sites these days have inane complexity requirements. You will probably have to attach some generic number/uppercase character to your password phraseology so that it meets the requirements of the site, but that's about it.
 
If you have enough money and time you can crack any password. Ordinary people prefer convenience over security and they will never understand why it's important to use sound security practices. It goes back to the old sheep and sheep dog analogy.
 
If you have enough money and time you can crack any password. Ordinary people prefer convenience over security and they will never understand why it's important to use sound security practices. It goes back to the old sheep and sheep dog analogy.

What is the purpose of making a password so contrived and hard to remember...that you have to write it down somewhere? Just like the Russian spies who encrypted their hard drive with a 20+ character password of gibberish that would have been extremely hard to crack...were it not for the fact that no one can remember a 20 character gibberish password, and the spies had to write it down.


The entire password-model of security seems to me to simply be obsolete given the available tools. It was fine for when compute power was severely limited.
 