The 25 worst passwords of 2011

[ioni]

The 25 worst passwords of 2011

http://www.cnet.com.au/the-25-worst-passwords-of-2011-339326551.htm

password

123456

12345678

qwerty

abc123

monkey

1234567

letmein

trustno1

dragon

baseball

111111

iloveyou

master

sunshine

ashley

bailey

passw0rd

shadow

123123

654321

superman

qazwsx

michael

football

[David H. Lipman]

The 25 worst passwords of 2011

http://www.cnet.com.au/the-25-worst-passwords-of-2011-339326551.htm

password

123456

12345678

qwerty

abc123

monkey

1234567

letmein

trustno1

dragon

baseball

111111

iloveyou

master

sunshine

ashley

bailey

passw0rd

shadow

123123

654321

superman

qazwsx

michael

football

Password creation notes.

Never use "dictionary" words.

Never use your name.

Do choose at least 8 characters and, depending on the system, use a combination of; UPPERCASE, lowercase, numbers and special characters. This is called creating a Strong Password.

Take the password shown above; iloveyou and to make it a strong password one can make it; $eYeL0veU

You still have the basis iloveyou but it is modified to a strong password and as such it is easy to remember.

Wiki on Password Strength

Note also if a system asks for only numbers and calls it a "password" that is incorrect. That a Personal Identification Number or PIN not a password as passwords are always alphanumeric.

[AdvancedSetup]

This one was working for me (but now that I've posted I guess I'll have to change it)

x*D/X[:be_g(-98ra}P4f+qt@CMz=R'EW`U2

[GT500]

Unlike Ron, I shall refrain from posting my passwords...

However, I would like everyone to note that that list does not even begin to delve into some of the worst passwords I have seen in 2011, and most of those were Department of Homeland Security employees...

The list of those passwords that I saw is now gone, so I will leave everyone with a simple warning to never do this:

***censored***

[David H. Lipman]

This one was working for me (but now that I've posted I guess I'll have to change it)

x*D/X[:be_g(-98ra}P4f+qt@CMz=R'EW`U2

That's a STRONG password alright, it exceeds NSA minimum standards, but the problem is one of memorizing it.

As the number of characters and complexity increase the ability to memorize the password decreases.

The concept of an effective password is the combination a strong password and a password algorithm. You memorize the algorithm and not necessarily the password.

Many believe that when you need to change the password, the entire password needs to be changed. If you do that then the ability to memorize the password decreases. When it comes to change the password, you "tweak" the algorithm. That could mean incrementing or decrementing a number, incrementing or decrementing a letter of the alphabet, incrementing or decrementing a key of a pattern on the keyboard, etc.

I have managed a lot of personnel and dealing with their respective passwords for all sorts of systems where all had a minimum of 10 digits; 2 x upper, 2 x lower, 2 numbers and 2 x special characters. Some systems had a minimum of 14 digits and had to be changed every 90 days (some were 45 days) and when I taught the user to use a password algorithm and how to memorize the algorithm, their dependency to get "help" when they were password related "locked-out" decreased dramatically.

NOTE: For those who have to deal with a large number of passwords, here is a suggestion:

Create a MS Excel spreadsheet that has the needed information in each column. Each row is a different system or web site. Password protect the spreadsheet using "RC4, Microsoft Enhanced RSA and AES Cryptographic Provider" with a "key length" of 128 bits and store the XLS in a password protected Archive file (example: ZIP) using a minimum of 256 bit AES encryption and the name of the ZIP file and the name of the XLS file being non-descriptive of the password purpose. This "double wrapper" system is very good even if a system is compromised.

( Of course the XLS and ZIP passwords should be Strong Passwords )

{ I can't tell you the number of times I have found user passwords taped to their notebook, taped under the keyboard, etc, etc. It isn't funny }

[DarkSnakeKobra]

This one was working for me (but now that I've posted I guess I'll have to change it)

x*D/X[:be_g(-98ra}P4f+qt@CMz=R'EW`U2

WOW. What is that advanced Algebra or something? lol

[AdvancedSetup]

Nope, pretty much as David said. Something that means something to you that you can easily follow. In most cases this type of password would not be easy for many to follow.

However also many times if the system allows it a long phrase is often enough to thwart human and machine.

somedayiwantcookiestobefreeformyselfandeveryoneintown

All of those words are in a dictionary but they're not in a pattern that humans or computers can easily guess or decode. Alone each word could be cracked in a millisecond but together it creates a very complex task to decode it.

Also don't forget though that even though it is very easy - you would have to type that in every single time you needed it which can be annoying as well so a smaller phrase that does use various upper/lower characters and some numbers/symbols would be easier to use on a day to day basis.

[mountaintree16]

Personally, all my passwords are different and they are completely random. I am not sure if any of the accounts I have will allow special characters but that is a good thing to have in a password as well.

Sometimes I do have a word but I'll have it upper/lower & abbreviated or spelled uniquely...

And they tend to be at least 10 characters long if not longer!

[David H. Lipman]

Also don't forget though that even though it is very easy - you would have to type that in every single time you needed it which can be annoying as well so a smaller phrase that does use various upper/lower characters and some numbers/symbols would be easier to use on a day to day basis.

Which brings up another factor in password strength and complexity - syntax error.

As the number of characters and complexity increase for a given password the chances for an error in entering the password increases.

Thus, depending on the system, increasing the possibility of an account lock-out condition.

[noknojon]

Which brings up another factor in password strength and complexity - syntax error.

As the number of characters and complexity increase for a given password the chances for an error in entering the password increases.

Thus, depending on the system, increasing the possibility of an account lock-out condition.

I took to altering most passwords every month, printing them, laminating the page, and destroying the page at the end of the month.

My current MBAM password is 11 symbols long with mixed numbers and letters making it even hard for me to remember.

My BleepingComp one is only 10 symbols, but includes upper and lower case (some ask for Upper/Lower mixes) with 5 numbers mixed in the middle.

I find that my ISP is the only one to complain when I apply to change the password monthly, so I only do that Quarterly now.

Since I never use banks, PayPal, or Credit cards on line it cuts the number of passwords I need to change.

If I can get my wife to change her F/book every 2 months I feel like I have been a success at doing it .........

She still has no idea of Malware infections, and wonders why I go to all the trouble.

[GT500]

somedayiwantcookiestobefreeformyselfandeveryoneintown

All of those words are in a dictionary but they're not in a pattern that humans or computers can easily guess or decode. Alone each word could be cracked in a millisecond but together it creates a very complex task to decode it.

Speaking entirely from a computer programming/logic perspective (yes I did learn a programming language from a legitimate college once upon a time), if I knew to expect a password to be like that, then it would be possible to crack it with what is usually called a "Dictionary Attack". All you have to do is string together random words in a dictionary until you figure out the password, and such a thing would not be difficult as long as the server you are trying to log in to does not temporarily lock the account.

My understanding is that many tools that do dictionary attacks will even compensate for common or phonetic misspellings of words, and substitution of numbers and symbols for letters. This, unfortunately, makes any password that relies on a word/name to be at least somewhat insecure.

What I have been doing for my most important logons (such as the one for these forums) is to use Steven's password generator to create a random password that is at least 20 characters long, saving it to a list of usernames and passwords in a text file, adding that text file to a 256-bit AES encrypted 7-Zip archive on a flash drive, and then using Eraser to do a US Air Force 5020 3-pass shred on the text file that was stored on my computer. When I need the passwords, I extract the list from that 7-Zip archive onto my desktop, copy and paste the password I need, then use Eraser to get rid of the text file again.

I know that Steven does something similar with his passwords, but he prefers to use something such as TrueCrypt to encrypt the entire flash drive instead of using an encrypted 7-Zip/ZIP/RAR/etc. archive to store them in.

[David H. Lipman]

To add to GT500's information on "Dictionary Attacks" variants of the SDBot, a network worm, will use a built-in laundry list of well known "bad" passwords and will use them to "worm" their way into administrative, hidden, shares such as admin$ and IPC$.

[ioni]

What I have been doing for my most important logons (such as the one for these forums) is to use Steven's password generator to create a random password that is at least 20 characters long, saving it to a list of usernames and passwords in a text file, adding that text file to a 256-bit AES encrypted 7-Zip archive on a flash drive, and then using Eraser to do a US Air Force 5020 3-pass shred on the text file that was stored on my computer. When I need the passwords, I extract the list from that 7-Zip archive onto my desktop, copy and paste the password I need, then use Eraser to get rid of the text file again.

Nice one !