Hacked Adobe Users Had Easy-To-Guess Passwords

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
How the hell did 1.9 million people use "123456" as a password? Really? Really?

"123456" was the most popular password among the millions of Adobe users whose details were stolen during an attack on the company. About 1.9 million people used the sequence, according to analysis of data lost in the leak.
 

AceGoober

Live! Laug[H]! Overclock!
Joined
Jun 25, 2003
Messages
24,563
That many users using that password sequence just boggles the mind...
 

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,003
I use KeePass-generated passwords for just about everything, except for frequent log-ins that may be performed on mobile devices.
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
4.7% of users have the password password;
8.5% have the passwords password or 123456;
9.8% have the passwords password, 123456 or 12345678;
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
98.8% have a password from the top 10,000 passwords

http://xato.net/passwords/more-top-worst-passwords/

You can get a .zip file there of the top 10,000 passwords. Some of the ones you use might be in there. One of your relatives or close friends does use one, guaranteed.
 

Qinsp

2[H]4U
Joined
Jan 7, 2011
Messages
2,154
Idiots.

asdfasdf is A LOT easier for a dumb password.

If they make you cap, number and add a special char, it's ASDF!1asdf
 

Qinsp

2[H]4U
Joined
Jan 7, 2011
Messages
2,154
I have so many stinking passwords that I have "junk" ones. Ones that I don't about. They are 8 characters and easy to type.
 

Koolthulu

Gawd
Joined
Mar 24, 2011
Messages
773
Not much point in making a password with 50 random characters that you can't possibly remember, when most companies are just going to store them unencrypted on an unprotected server anyway.
 

PCunicorn

[H]ard|Gawd
Joined
Mar 26, 2013
Messages
1,638
> 4.7% of users have the password password;
> 8.5% have the passwords password or 123456;
> 9.8% have the passwords password, 123456 or 12345678;
> 14% have a password from the top 10 passwords
> 40% have a password from the top 100 passwords
> 79% have a password from the top 500 passwords
> 91% have a password from the top 1000 passwords
> 98.8% have a password from the top 10,000 passwords
>
> http://xato.net/passwords/more-top-worst-passwords/
>
> You can get a .zip file there of the top 10,000 passwords. Some of the ones you use might be in there. One of your relatives or close friends does use one, guaranteed.

Whoa. But at least I don't ;) I would like to tell you how awesome my secret password is and I still remember it, but well, then it wouldn't be so secret :p
 

LOCO LAPTOP

[H]F Junkie
Joined
May 4, 2006
Messages
12,146
> 4.7% of users have the password password;
> 8.5% have the passwords password or 123456;
> 9.8% have the passwords password, 123456 or 12345678;
> 14% have a password from the top 10 passwords
> 40% have a password from the top 100 passwords
> 79% have a password from the top 500 passwords
> 91% have a password from the top 1000 passwords
> 98.8% have a password from the top 10,000 passwords
>
> http://xato.net/passwords/more-top-worst-passwords/
>
> You can get a .zip file there of the top 10,000 passwords. Some of the ones you use might be in there. One of your relatives or close friends does use one, guaranteed.

Just checked, none of mine are on there. My old password that I used when I was a kid is however.
 

Qinsp

2[H]4U
Joined
Jan 7, 2011
Messages
2,154
One of my machines has a fingerprint password vault. ie - if I give it my fingerprint, it looks up the right password for that device/account/site/etc.

But even that is not a fix. Password proliferation is going nuts.

This is why people use simple passwords. If you make things a PITA, people will bypass it.

Having a password for everything in life (my microwave has a password) is a kludge, not a fix.
 

ChedWick

Gawd
Joined
Sep 16, 2011
Messages
596
You stand a pretty good chance of guessing business user passwords with a combo of either the month and year or season and year. Fall2013, Winter2013, October2013, December2013 etc etc.
 

Kueller

Supreme [H]ardness
Joined
Jun 19, 2001
Messages
5,983
> You stand a pretty good chance of guessing business user passwords with a combo of either the month and year or season and year. Fall2013, Winter2013, October2013, December2013 etc etc.

Heh, this assumes they have basic security procedures like requiring passwords be changed every so often. I know many businesses that don't change passwords unless they get new hardware.
 

Spidey329

[H]F Junkie
Joined
Dec 15, 2003
Messages
8,683
> One of my machines has a fingerprint password vault. ie - if I give it my fingerprint, it looks up the right password for that device/account/site/etc.
>
> But even that is not a fix. Password proliferation is going nuts.
>
> This is why people use simple passwords. If you make things a PITA, people will bypass it.
>
> Having a password for everything in life (my microwave has a password) is a kludge, not a fix.

I just use LastPass. It's so fricken annoying trying to remember all the random passwords I have.
 

ChedWick

Gawd
Joined
Sep 16, 2011
Messages
596
> Heh, this assumes they have basic security procedures like requiring passwords be changed every so often. I know many businesses that don't change passwords unless they get new hardware.

Very true. It's these basic security policies with lacking complexity policies that create these vulnerable trends.
 

Spidey329

[H]F Junkie
Joined
Dec 15, 2003
Messages
8,683
> I just use LastPass. It's so fricken annoying trying to remember all the random passwords I have.

**Should also be noted that LP also has dual-factor authentication. You can either use a cipher grid for a second authentication or an app that does the RSA style key 30 second key number.
 

Qinsp

2[H]4U
Joined
Jan 7, 2011
Messages
2,154
Want to make a million?

Market a system where devices, websites, accounts have a 2D barcode (those irritating square blocks with spastic black marks in them).

When you initially go to set a password, you aim either a cellphone or a webcam at the barcode and click.

Now the phone or computer has sent a very random password and stored it.

When you go to that device, account or site again, you click again, and it pukes up the right PW.
 

RealityCrunch

[H]ard|Gawd
Joined
Nov 16, 2011
Messages
1,393
"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...god!" - The Plague
 
Joined
Nov 7, 2003
Messages
928
A lot of times when I'm setting up an account for someone on something and it asks for them to set up a password, they are disappointed that they cannot make it "password" "PASSWORD" or whatever their username is.
 

Ashbringer

Supreme [H]ardness
Joined
Jan 25, 2010
Messages
5,522
[Image: spaceballs-luggage-quote-how-to-create-strong-password.jpg]
 

Poseur

Limp Gawd
Joined
Oct 7, 2009
Messages
352
Mine was not guessed. My password was similar to "13poci7". No way that was guessed, but my account was compromised somehow. I had to get a new credit card too.
 

filip

2[H]4U
Joined
Aug 15, 2012
Messages
2,585
wow this reminds me of my brother, but in a different way... his password is 45 characters long including at least 35 characters randomly generated. How he remembers that is beyond me.
 

Quix

2[H]4U
Joined
Jun 12, 2011
Messages
3,710
I can tell you from my personal experience as a developer the reason my company enforces a password policy is that we're worried about liability if one of our clients gets "hacked" (that's when someone just guesses their password). This whole thing is really annoying for everyone. We need to get together and come up with a better solution. I've got some free time in March... 2017.

PS, our passwords have to be 8 characters+, have upper case, lower case, a number and not contain anything from the list of 100 most common passwords + the name of the company and product. We provide an automatic generator if they can't figure out how to actually do that.
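
The policy described in the post above, combined with the season-or-month-plus-year habit mentioned earlier in the thread, as an added Python example (not part of the original post and not the poster's company code). The word list, the company and product names, and all function names are constructed placeholders.

```python
import re
import secrets
import string

# Constructed stand-in for the "100 most common passwords" list the post mentions.
COMMON = {"123456", "password", "12345678", "qwerty", "asdfasdf"}
# Hypothetical company and product names; the post does not give any.
BANNED_NAMES = {"examplecorp", "widgetpro"}
# Season or month followed by a 2- or 4-digit year (the "Fall2013" habit).
CALENDAR = re.compile(
    r"^(spring|summer|fall|autumn|winter|january|february|march|april|may|june|"
    r"july|august|september|october|november|december)(\d{2}|\d{4})\W*$", re.I)


def policy_violations(password):
    """Return the list of rules the password breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if any(word in lowered for word in COMMON):
        problems.append("contains a common password")
    if any(name in lowered for name in BANNED_NAMES):
        problems.append("contains company or product name")
    if CALENDAR.match(password):
        problems.append("season/month plus year")
    return problems


def generate_password(length=16):
    """Draw random candidates from the OS CSPRNG until one passes the policy."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate
```

"Fall2013" satisfies every length and character-class rule and is rejected only by the calendar check, while "ASDF!1asdf" passes all of them, which is why the blocklist matters more than the character classes.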
 

mat9v

Weaksauce
Joined
Dec 23, 2005
Messages
106
The number of easy passwords in that database also comes from the fact that a lot of accounts are those for trial versions. Even I, a password freak (my most important passwords are over 30 chars long), used 123456 for that account :)
 

Zangmonkey

Supreme [H]ardness
Joined
Jul 6, 2005
Messages
4,609
I am getting really tired of these major companies using insecure credential storage... it wasn't long ago that freaking Sony was hacked and their entire password table was in plaintext....
 

Rouzuki

Limp Gawd
Joined
Mar 11, 2007
Messages
279
My last boss had a stupidly easy password and I told him several times that he should change it and why.

But he didn't care. I think a lot of people are like my boss.
 

Ultima99

Supreme [H]ardness
Joined
Jul 31, 2004
Messages
4,905
Who wants to bet some of these users will read this and get smart, changing their password to 123457???
 

drescherjm

[H]F Junkie
Joined
Nov 19, 2008
Messages
14,937
> That many users using that password sequence just boggles the mind...

Maybe they do not care if someone breaks into their account because there is nothing valuable for a hacker to get.

I used to use less secure passwords for forums. Since if someone broke in, what would they get? The ability to impersonate me to post spam? Access to my email address?

Now I use LastPass to generate passwords for all forums. That has been hacked at least 1 time that I can remember. As a result I do not put financial (or any other important) account passwords in LastPass; however, that means these technically have an easier to brute force crack password. But then you would hope that all financial institutions would lock your account after 5 or so wrong guesses in a short period and allow you to unlock it with some alternate method.
 

McFry

[H]ard|Gawd
Joined
Oct 25, 2011
Messages
1,715
You can make perfectly complicated passwords by just using sentences. A password like "ijusthadthetimeofmylife" is like 1000x more secure than "J#ks*21%".

Come up with a few key phrases that are unique to you and just rotate them about your login history, since obviously you don't want them all to be the same.

Doesn't hurt that many sites these days have inane complexity requirements. You will probably have to attach some generic number/uppercase character to your password phraseology so that it meets the requirements of the site, but that's about it.
 

jmyers

n00b
Joined
Nov 6, 2013
Messages
1
If you have enough money and time you can crack any password. Ordinary people prefer convenience over security and they will never understand why it's important to use sound security practices. It goes back to the old sheep and sheep dog analogy.
 

Skripka

[H]F Junkie
Joined
Feb 5, 2012
Messages
10,792
> If you have enough money and time you can crack any password. Ordinary people prefer convenience over security and they will never understand why it's important to use sound security practices. It goes back to the old sheep and sheep dog analogy.

What is the purpose of making a password so contrived and hard to remember...that you have to write it down somewhere? Just like the Russian spies who encrypted their hard drive with a 20+ character password of gibberish that would have been extremely hard to crack...were it not for the fact that no one can remember a 20 character gibberish password, and the spies had to write it down.


The entire password-model of security seems to me to simply be obsolete given the available tools. It was fine for when compute power was severely limited.
 