Passwords That Should Never Be Used

The Original Yama writes "Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses. PCLinuxOnline provides an alphanumerical list of list of commonly used weak passwords that should never be used. If any of these passwords look hauntingly familiar and are being used, you should change the password immediately."

huh?

[Hythlodaeus]

Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?

Re:missed one...

[linzeal]

One that I have seen more than ofter, fuckyou. Heh, when you make registration too difficult they get pissed at you.

Re:huh?

[Josh Booth]

I'm assuming that most of the passwords are defaults that some guy in a computer lab decided looked strong. However, when every system you ever produced uses the same password, even if it is completely random, you'll have a security problem.

Re:strong passwords = broken by design

[lambent]

A mag-strip card IS a type of password. Depending on the institution that issued it, it's a rediculously long propietary password. It's a string of encoded bits. Nothing magical about it.

Furthermore, most people (and by most, i mean just about everyone), NEVER change either their PIN or their card, unless it's stolen. Is that type of system any more secure?

Use and algorithm to generate your password

[Zugok]

Given the case a password has to be changed every month

pick as day from every month of the year which has some significance and is easy to remember. This date remains the same year after year, which I think is sufficient variability because you are going to do more with the date.

arrange the date and the current year in numerical format such as MMDDYYYY or YYYY-MM-DD

use date seperator . / or - as their mathematical operators, combine different operators be creative e.g. YYYY.MM-DD or DD/MM-YYYY or simply YYYY-MM-DD.

take the result and convert it into hex (because hex can also contain letters A-F)

if the hex result is does not meet password etiquette (unlikely), attach a description of the signifcance to the date chosen, if the date is a birthday, choose that person's name for exapm. Say the hex result is 1FF0, and the name is Stacey, generate a password like Stacey1FF0 or S1tFaFcoey or Sta1FF0cey. Again, be creative.

Dates are easy to remember, not a lot of effort is required. In this method, all that needs to be remembered is an algorithm.

Granted with each passing year, the variation in the password is not going to change a lot to the password that month a year ago, so it is still important to change how the the mathematical operators are used, how the YYYY MM DD are aranged. To add more variability, perhaps throw in the day into the mix like 1 for Monday, 2 for Tuesday. That's rather simplistic, but there is a lot more that can be done be creative. It's not hard.

Password rules at IBM Watson Research

[Latent Heat]

There is this story I heard attributed to IBM Watson that some wag has concocted a detailed list of password restrictions (no all numbers, no all characters, and so on) where the joke was that if you rigorously applied all of the rules, there was only one legal password.

REALLY bad password

[utahjazz]

Given that most web developers write code like this:

sqlexec("SELECT * FROM users where pwd = '" + pwd + "'")

I find a good password to be:

'; DELETE FROM USERS; SELECT '

Re:Universal Passwords

[Prior Restraint]

One of my credit cards (which I have since cancelled) demanded that the 4-digit PIN not start with zero or one.

Re:REALLY bad password

[Anonymous Coward]

Or, if you just want to play around without breaking things, a common scenario is code like

sqlexec("SELECT * FROM USERS WHERE USERNAME = '$username' AND PASSWORD = '$password'")

...and you can get cute results with any valid username plus a password of

' OR 1 = 1--

Honey Pot Passwords?

[LoveMe2Times]

Does anybody out there use honeypot passwords? It seems like such an obvious idea, but it doesn't seem to be generally implemented -- at least no system that's ever given me a password has let me configure honeypot passwords. Personally, I'd really like to have a honeypot PIN for my bankcard and honeypot passwords for all of the online shopping/bills/finance stuff--ie, the stuff where it's important.

For those unfamiliar, the idea behind a honeypot password is either

1. to pick one or many "guessable" passwords like those in the article and use them as honeypot passwords. Allow somebody to log into the system using them but set off a silent alarm. Presumably, any would-be hacker will "crack" the honeypot password before the "real" password and will quit trying to get the real one.
2. Have one "real looking" password (especially PIN) that you can give out if somebody demands it at gun or knife point (you get the idea). If used, it immediately notifies the authorities (silently) and shuts down the account/card in say 1/2 hour (presumably enough time for you to get away). For the would-be mugger etc there's no way to tell if they got the "real" or the honeypot password.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Universal Passwords

[james b]

Thinking out loud: the thing about 'must include non-alpha' is that it essentially forces the users to pick non-dictionary words. That's good all by itself. Sure, some of them will just use 'password1' or whatever, which is still dictionary-able (but not much *more* so, since they're probably going to pick the word they always choose anyway and just add a number). And with many users, you'll get stuff that's somewhat hard to do a dictionary attack on, like 'jack4betty' or 'y311ow'.
Does this make any sense? I mean, I can see how suboptimal use provides no further protection, but is it likely to reduce the keyspace much in a real world scenario?

Re:strong passwords = broken by design

[babbage]

A mag-strip card IS a type of password

Kinda... not really.

The important thing to keep in mind for any authentication system -- not just computers, but any system that requires people to identify themselves -- is that there are basically three ways to go about it:

1. Something you know. (A password or passphrase; your mother's maiden name; your favorite song.)
2. Something you have. (Some kind of physical token like an ATM card, the key for your car or house, the hardware decorder in a DVD player, or one of the hardware dongles that was briefly popular for enforcing software licenses a few years ago.)
3. Something you are. (Biometrics: your thumbprint or retina scan; your photo & physical description on a license or passport [which itself is something you have -- see above]; DNA samples; voice or handwriting recognition; etc.)

Good security systems use at least two of these authentication classes: the ATM doesn't work unless you insert your card (something you have) and enter your PIN (something you know); when travelling abroad, customs agents will examine your passport (something you have), will cross-check your appearance against the passport's photo & description (something you are), and may ask probing questions about your travel plans (something you know).

Bad security systems rely exclusively on one of these elements. Basically all Internet security comes down to things you know, a/k/a passwords. From your point of view, an online purchase may seem to involve something you know (a password) and something you have (the numbers on your credit cards), but from the merchant's point of view they're just taking your word for it because they have no way to validate that the security token you're using is actually in your possession -- hence, credit card fraud. Likewise, I've voted in every election since I turned 18, and not once has an election worker asked for anything more than my name & address (something I claim I know) -- they never ask for an ID (something I have) or a fingerprint (something I am) etc. With this kind of scrutiny, it wouldn't be very hard for someone to spend all day voting in every precinct around. (I'm hopeful that electronic voting may actually fix this problem, but if as seems likely it introduces even more avenues for fraud then forget it.)

So, a password is essentially something you know, while an access card is something you have. There's a subtle but essential difference. If it was a string of numbers stamped on the card in an easily human readable way, then it could be considered as a form of password, but the fact that you need a machine to read it really enforces the point that it's something different. And that's why it's a good thing! A computer security system that relied on both traditional passwords as well as this kind of physical token would stand a much better chance of being robust than any system that used only passwords or tokens.

The problem is, almost nobody has a computer capable of reading such tokens. Aside from point of sale systems, almost no one has any use for card reading wedges, so building an authentication system around a requirement for card readers would be difficult to deploy broadly. Setting it as a general company policy might not be hard to do for most companies, if only because there you have a hope of installing the reader hardware for all users. Requiring a dual "know/have" or "know/are" system only for certain systems (access to sensitive areas, etc) would be prudent for any business to implement, but going from there to building a business of providing such systems to the general public would be much harder as long as the infrastructure doesn't exist -- that is, as long as Dell isn't shipping access card readers with every machine they sell.

So: something you know, something you have, something you area. Keep these in mind and the analysis of secure authentication mechanisms gets much clearer.

Yeouch... [ot]

[Anonymous Coward]

As a naive guy running a website before, I used to verify passwords that way. How do you avoid using an sql query that doesn't open the door for nasty hacks like this?

Re:Honey Pot Passwords?

[stevey]

Because it's a simple way of locking out other people of their accounts.

I could go over to a colleagues PC and deliberately enter the wrong password five times when she's away to lunch.

When she comes back she finds her account has been disabled, and she's locked out until the sysadmin resets it.

At home this might not be a problem, but allowing people to lockout a remote worker from their VPN connection when they're working on something important isn't a good idea.

I log failed passwords on our machines sure, but disabling them automatically is too much for me.

Re:Universal Passwords

[Eivind]

You're rigth, in principle, practically however, you are wrong.

It is true, for example that excluding 5-and-under passwords reduces the keyspace. But that is still a win if that part of the keyspace was overpopulated.

Put differently, if everyone has passwords 8 characters or less, choosen from a set of 64 characters (I realise there's more, but some are much more used than others, so the effective strength of a password choosen by a user is seldom more than 6bit/char)

• There's 2^(5*6) = 2^30 passwords that are exactly 5 characters long.
• There's 1.015 * 2^30 passwords that are 5 or less characters wrong.
• There are about 2**(8*6) = 2**48 passwords in total.
• So, by excluding the shorter ones, you've excluded 0.00038% of your keyspace.

If users choose passwords randomly, then one in 262000 users would choose a password with 5 or less characters, and for an attacker, searching this keyspace would be no more fruitful than searching any other random part of the keyspace.

Problem is, users do NOT typically choose passwords anywhere close to randomly. A more typical scenario is that 10% of all the users choose passwords 5 characters or less.

In that case, searching the 5-or-less part of the keyspace is 26000 times more likely to net you a working password than choosing a random part of the keyspace to search.

In practice, you can brute-force the 30-bit 5-and-under keyspace in minutes, and you'll have passwords for 10% of the user-accounts, allthough you only searched less than one thousandth of one percent of the keyspace.

THAT is why requiring users to have passwords over a minimum length does not, as you claim, harm security. (instead it helps quite a bit)

Re:strong passwords = broken by design

[hyc]

Well, that's all great, but the "something you have" is turned into "something you know" by the computer itself. And if all you're doing is logging into a local box so that you can use it to access a remote server or application, then once again you're only dealing in terms of "something you know" (or perhaps, something your computer knows and asserts on your behalf).

It's OK when the electronic security system is just an interface to a physical lock, like an electronic gate control. You seldom/never have interactive command access to the actual computer that operates the lock, so it's relatively safe from hacking. But if you're just logging into a computer for the sake of using that computer, then you can easily extract the transform of "what you have" into "what the computer knows" and propagate it further from there.