Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Passwords That Should Never Be Used 239

The Original Yama writes "Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses. PCLinuxOnline provides an alphanumerical list of list of commonly used weak passwords that should never be used. If any of these passwords look hauntingly familiar and are being used, you should change the password immediately."
This discussion has been archived. No new comments can be posted.

Passwords That Should Never Be Used

Comments Filter:
  • by Anonymous Coward on Monday May 03, 2004 @07:32PM (#9046884)
    I worked ISP tech support and the one I remember showing up way too often was:

    thx1138

    • Re:missed one... (Score:3, Interesting)

      by linzeal ( 197905 )
      One that I have seen more than ofter, fuckyou. Heh, when you make registration too difficult they get pissed at you.
    • I don't get it... help anyone?

      but back on topic. this list is interesting:


      P PAPER, pass, PASS, Pass, passwd, Passwd, PASSWORD, password, Password, pat, patrick, PBX, pc, PCUSER, PDP11, PDP8, PFCUser, PHANTOM, phoenix, piranha, pmd, PO, PO8, poll, Polrty, POST, Posterie, postmast, POSTMASTER, postmaster, POWERCARTUSER, powerdown, PRIMARY, prime, primenet, primeos, primos, primos_cs, PRINT, PRINTER, PRIV, private, prost, PSEAdmin, public, PUBSUB, pw, pwd, pwp


      nowhere in there is pussy. seriously when
  • by prostoalex ( 308614 ) * on Monday May 03, 2004 @07:32PM (#9046886) Homepage Journal
    I've protected my privacy and use Gator [gator.com] for all my passwords.

  • by Anonymous Coward on Monday May 03, 2004 @07:34PM (#9046896)
    I use PASSWORD for everything.
  • by me98411 ( 754004 ) on Monday May 03, 2004 @07:36PM (#9046921) Homepage
    I do not see "slashdotcoward" in the list. Looks like it is a strong passwd. Isn't that the login and passwd used by Anonymous Coward for NY times?
  • by AtariAmarok ( 451306 ) on Monday May 03, 2004 @07:36PM (#9046922)

    10. iluvalqueda

    9. idareyoutoguessthis

    8. oldfattylumpkinwhosewisenoseledushere

    7. *******

    6. (my actual password)

    5. cowboyneal

    4. pencil

    3. neo

    2. secret

    1. password

  • by eraserewind ( 446891 ) on Monday May 03, 2004 @07:39PM (#9046942)
    Your users shouldn't require anything more than a 4 digit pin & a magnetic card. If it's enough to protect their money, it's surely enough to protect some stupid data.

    Any lame brained security system that depends on people choosing difficult to remember passwords and changing them every 3-6 months is broken by design.

    • A mag-strip card IS a type of password. Depending on the institution that issued it, it's a rediculously long propietary password. It's a string of encoded bits. Nothing magical about it.

      Furthermore, most people (and by most, i mean just about everyone), NEVER change either their PIN or their card, unless it's stolen. Is that type of system any more secure?
      • A mag-strip card IS a type of password

        Kinda... not really.

        The important thing to keep in mind for any authentication system -- not just computers, but any system that requires people to identify themselves -- is that there are basically three ways to go about it:

        1. Something you know. (A password or passphrase; your mother's maiden name; your favorite song.)
        2. Something you have. (Some kind of physical token like an ATM card, the key for your car or house, the hardware decorder in a DVD player, or one of the hardware dongles that was briefly popular for enforcing software licenses a few years ago.)
        3. Something you are. (Biometrics: your thumbprint or retina scan; your photo & physical description on a license or passport [which itself is something you have -- see above]; DNA samples; voice or handwriting recognition; etc.)

        Good security systems use at least two of these authentication classes: the ATM doesn't work unless you insert your card (something you have) and enter your PIN (something you know); when travelling abroad, customs agents will examine your passport (something you have), will cross-check your appearance against the passport's photo & description (something you are), and may ask probing questions about your travel plans (something you know).

        Bad security systems rely exclusively on one of these elements. Basically all Internet security comes down to things you know, a/k/a passwords. From your point of view, an online purchase may seem to involve something you know (a password) and something you have (the numbers on your credit cards), but from the merchant's point of view they're just taking your word for it because they have no way to validate that the security token you're using is actually in your possession -- hence, credit card fraud. Likewise, I've voted in every election since I turned 18, and not once has an election worker asked for anything more than my name & address (something I claim I know) -- they never ask for an ID (something I have) or a fingerprint (something I am) etc. With this kind of scrutiny, it wouldn't be very hard for someone to spend all day voting in every precinct around. (I'm hopeful that electronic voting may actually fix this problem, but if as seems likely it introduces even more avenues for fraud then forget it.)

        So, a password is essentially something you know, while an access card is something you have. There's a subtle but essential difference. If it was a string of numbers stamped on the card in an easily human readable way, then it could be considered as a form of password, but the fact that you need a machine to read it really enforces the point that it's something different. And that's why it's a good thing! A computer security system that relied on both traditional passwords as well as this kind of physical token would stand a much better chance of being robust than any system that used only passwords or tokens.

        The problem is, almost nobody has a computer capable of reading such tokens. Aside from point of sale systems, almost no one has any use for card reading wedges, so building an authentication system around a requirement for card readers would be difficult to deploy broadly. Setting it as a general company policy might not be hard to do for most companies, if only because there you have a hope of installing the reader hardware for all users. Requiring a dual "know/have" or "know/are" system only for certain systems (access to sensitive areas, etc) would be prudent for any business to implement, but going from there to building a business of providing such systems to the general public would be much harder as long as the infrastructure doesn't exist -- that is, as long as Dell isn't shipping access card readers with every machine they sell.

        So: something you know, something you have, something you area. Keep these in mind and the analysis of secure authentication mechanisms gets much clearer.

        • US Army does this (Score:2, Informative)

          by Amata ( 554796 )

          The US Army (and the rest of the military) is in fact going to this type of approach. Every soldier, for an ID card, is issued a card with a smart chip. This card, among other uses, is inserted into a smart card reader that is hooked up to every Army AIS (around here at least) to log on. The old user/pass method may also be used to log on, but I'm not sure how long that will last.

          Brief overview may be found here: army.carlisle.mil [army.mil]

        • Well, that's all great, but the "something you have" is turned into "something you know" by the computer itself. And if all you're doing is logging into a local box so that you can use it to access a remote server or application, then once again you're only dealing in terms of "something you know" (or perhaps, something your computer knows and asserts on your behalf).

          It's OK when the electronic security system is just an interface to a physical lock, like an electronic gate control. You seldom/never have i
      • A mag-strip card IS a type of password. Depending on the institution that issued it, it's a rediculously long propietary password. It's a string of encoded bits. Nothing magical about it.

        Yes, of course it is. It is not however a password that a human has to remember (besides keeping it in their pocket or whatever). Any security system that relies on humans behaving un an unhumanlike way (remembering numberous frequently changing complicated passwords) is inherently broken. People just won't do it with any
    • There is this story I heard attributed to IBM Watson that some wag has concocted a detailed list of password restrictions (no all numbers, no all characters, and so on) where the joke was that if you rigorously applied all of the rules, there was only one legal password.
    • > Your users shouldn't require anything more than a
      > 4 digit pin & a magnetic card. If it's enough to
      > protect their money...

      But it isn't.
  • It used to be so great...

    There was this obscure OS that no one had ever heard of... man it was cool... it was like unix on the pc... and this guy that developed it... this guy from scandanavia. You see it was really clever because it was a play on his actual name, and easy to remember.

    Then... 1998 came. Its been downhill from there. I wouldnt even trust it to a hotmail account now.
  • huh? (Score:5, Interesting)

    by Hythlodaeus ( 411441 ) on Monday May 03, 2004 @07:42PM (#9046960)
    Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?
  • by smoondog ( 85133 ) on Monday May 03, 2004 @07:42PM (#9046965)
    OK, every once in a while we get an article similar to this. The links change but the article is the same. Passwords are inherently insecure to some sort of guessing attack, is the statement.

    I'm going to suggest something here that is perhaps a little controversial. Perhaps, if password zealots spent less time complaining about passwords and spent more time protecting machines from this sort of attack (w/o making an easy path to a DOS attack) this wouldn't be an issue. Imagine this: Passwords are never transfered as plain text. Any systematic attempt at guessing a password is prevented before the attacker gains access. Users make mistakes a few times, even for the most simple passwords, one must sample tens of passwords to break in. Systematic attempts are predictable, just like trolls on slashdot are (generally) identifiable (remember those page lengthening posts?) and spam is filterable.

    In my not so humble opinion, password guessing attacks are an administrator problem, not a user problem. And the administrators seem more interested in pestering users than actually developing systems to prevent this type of attack.

    -Sean
    • You mean just as it is silly to demand people get a drivers license - when car builders should just make cars sure to drive for everyone? :)

      I know that dictionary attacks would be simpler to solve than my example, by why not try to remove the SOURCE of the problem - instead of trying to solve the problems people lack of knowledge generate?

      IMO BOTH measures should be used - it is a problem of BOTH lazy(stupid) users and lazy(stupid) sysadmins.
  • by Schezar ( 249629 ) on Monday May 03, 2004 @07:44PM (#9046982) Homepage Journal
    The uni I work for (RIT [rit.edu]) is working to migrate their entire campus to a Microsoft Active Directory environment. Part of the reason for this is to give users a universal username/password for any and all university services.

    Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat (aside from the office biddies who write them on post-it notes on their CRTs), but the situation is far from secure.

    Students use their webmail (Exchange... I won't even get into that one...) and register for classes (telnet), and generally aren't careful with their passwords. I couldn't tell you how many times I've sat down at a public terminal to find someone else's account all set up for me to exploit. And since the password is universal, I can do anything I want.

    Myself, I use a different password for everything I connect to, and thus don't have to worry about being wholly compromised in an instant. Then again, I'm a geek, so I'm not exactly the norm.

    Does anyone else see this push toward universal logins/passwords as a problem?
    • by jfdawes ( 254678 ) on Monday May 03, 2004 @08:01PM (#9047144)
      Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat


      Er, no? Most "password etiquette" schemes are a complete crock. Generally all they do is reduce the key space and therefore make the passwords easier to brute force attack.

      You must have a password of at least 6 characters? Well, there goes everything 5 characters and less - don't have to check those.

      Hmm, and while we're at it, most people are going to have a password between 6 and 9 characters, don't bother trying anything else until the second pass.

      You have to have at least one non-alpha, well - I can reduce my attack to constrain my guesses around that requirement - just reduced the number of attempts necessary by 24%.

      Any other rules you want to add to make attacking the password easier?
      • Limiting passwords to 6 characters or longer doesn't significantly reduce your keyspace. If you only allow lowercase letters, there are 12356630 possible combinations that are 5 characters and shorter, and there are 321272406 that are 6 characters and shorter. Thus if you don't allow anything shorter than 6 characters you've reduced your keyspace by roughly 3 percent.

        If you allow upper and lowercase characters, there are 387659012 combinations that are 5 characters and shorter, and 20158268676 that are 6 c
        • by jfdawes ( 254678 ) on Monday May 03, 2004 @08:54PM (#9047489)
          Yup. The length being constrained to greater than some number (typically 6 or 8) characters is about the only password constraint that makes sense some kind of sense, but still - any reduction in keyspace means less work.

          Assuming we take the example of the guy who had the 5 byte password that takes 18 days to crack, 1.9% still saves you 8 hours. Not an unuseful amount of time.

          It's the daft "must include an non-alpha" and "must start with an alpha (or worse, a capital)" and other brain dead, crack smoking, glue sniffing password "rules" that are the real killers
          • One of my credit cards (which I have since cancelled) demanded that the 4-digit PIN not start with zero or one.

          • by james b ( 31361 )
            Thinking out loud: the thing about 'must include non-alpha' is that it essentially forces the users to pick non-dictionary words. That's good all by itself. Sure, some of them will just use 'password1' or whatever, which is still dictionary-able (but not much *more* so, since they're probably going to pick the word they always choose anyway and just add a number). And with many users, you'll get stuff that's somewhat hard to do a dictionary attack on, like 'jack4betty' or 'y311ow'.
            Does this make any sense?
          • by Eivind ( 15695 )
            But 5 byte-and-under passwords aren't 1.9% of (say) a 8-byte password keyspace. If users use a small set of characters (64) then it's 0.00038 % of the keyspace. If they use a better (i.e. larger) set of characters, then it's even less.

            I agree that rules that restrict the keyspace *more* than they force users to increase entropy are pointless or even harmful. "Must start with a capital" is obviously in this category. "Must include some sign that is not a letter" is probably not, because, again, the rule ex

      • by Eivind ( 15695 ) <eivindorama@gmail.com> on Tuesday May 04, 2004 @06:08AM (#9049679) Homepage
        You're rigth, in principle, practically however, you are wrong.

        It is true, for example that excluding 5-and-under passwords reduces the keyspace. But that is still a win if that part of the keyspace was overpopulated.

        Put differently, if everyone has passwords 8 characters or less, choosen from a set of 64 characters (I realise there's more, but some are much more used than others, so the effective strength of a password choosen by a user is seldom more than 6bit/char)

        • There's 2^(5*6) = 2^30 passwords that are exactly 5 characters long.
        • There's 1.015 * 2^30 passwords that are 5 or less characters wrong.
        • There are about 2**(8*6) = 2**48 passwords in total.
        • So, by excluding the shorter ones, you've excluded 0.00038% of your keyspace.
        If users choose passwords randomly, then one in 262000 users would choose a password with 5 or less characters, and for an attacker, searching this keyspace would be no more fruitful than searching any other random part of the keyspace.

        Problem is, users do NOT typically choose passwords anywhere close to randomly. A more typical scenario is that 10% of all the users choose passwords 5 characters or less.

        In that case, searching the 5-or-less part of the keyspace is 26000 times more likely to net you a working password than choosing a random part of the keyspace to search.

        In practice, you can brute-force the 30-bit 5-and-under keyspace in minutes, and you'll have passwords for 10% of the user-accounts, allthough you only searched less than one thousandth of one percent of the keyspace.

        THAT is why requiring users to have passwords over a minimum length does not, as you claim, harm security. (instead it helps quite a bit)

    • In all fairness, the Exchange e-mail system is about 8 billion times better than the old one. I used to routinely have mail that would not delete unless I telnetted into grace and removed it with pine.
  • by lightspawn ( 155347 ) on Monday May 03, 2004 @07:44PM (#9046989) Homepage
    I've been using that same old password from one of my favorite movies [google.com].

    Of course, I use the variant spelling.

  • My policy for a long time has been to pick two words and shift my keys over one sometimes alternating and then I throw a number (or its shift key version) into it somewhere. An example of this would be SlashdotNews = A2kaagsirMred or Aka$agsirMred it is easy to remember even for non techie people. It is secure enough for me...
  • by Artega VH ( 739847 ) on Monday May 03, 2004 @07:51PM (#9047068) Journal
    As a comment at the bottom says:
    A52896nG93096a

    but also:
    dn_04rjc
    ksdjfg934t
    sldkj754

    ----
    I was going to ask why how this list was compiled,
    but since I got really interested I happened to
    google these and found the following:
    This seems to indicate [defaultpassword.com] that ksdjfg934t is a default
    password for a SuperMicro PC BIOS Console.

    And from the same site: Micronics has a PC-BIOS
    which uses dn_04rjc as the default password as
    does Micron for the password sldkj754.

    I want to know how often these passwords are used
    for services that a open to the internet, or even
    to the local network. I would imagine that these
    bios passwords are only able to be entered
    locally? If so why does that merit a place on this
    "Passwords that should NEVER be used!" list...
    apart from the fact that now this list will be
    used in lame dictionary attacks....
    • it's just a stupid list to made up to get some 'content' into a contentless article, f'kin waste of time really(the whole article). they could have just linked to some dictionary file used in these attacks and saved the hassle since they can't possible cover the passwords one shouldn't use and since they decided to go for the default/master bios passwords and shit like that the whole point is lost.

  • by angst_ridden_hipster ( 23104 ) on Monday May 03, 2004 @07:52PM (#9047077) Homepage Journal
    Of course, none of these are very good as passwords (mostly vulnerable to dictionary attacks), but amusing nonetheless:

    Mr.Root

    logout

    friend
    friend and enter

    open sesame
    open tahini

    open the door HAL

    admit1

    lemmeIN

    hey,babe
    what'syoursign?

    Since I'm a little slow, the last two had me puzzled. It was explained to me that they were "pass words," i.e., words used in making passes.
  • Am I the only one here who thinks we need to have an Ask Slashdot called "What's your Slashdot Password" to weed the idiots out?

    Wow, I'm suprised how few there are on that list. I would have thought things like city/state names, zip codes, and movie/band names would be more common.
  • John the Ripper (Score:5, Informative)

    by Dammital ( 220641 ) on Monday May 03, 2004 @07:55PM (#9047094)
    Last July I installed John the Ripper [openwall.com] on my home firewall. John is a password cracker, something like crack and l0phtcrack [insecure.org]. I wanted to see how vulnerable my own passwords were.

    From what I can tell, John runs a dictionary-based attack against your master.passwd file, then runs the dictionary with various shifts in capitalization, then runs the dictionary again with an assortment of numeric digits inserted into its guesses.

    Finally John just runs a brute-force attack, generating passwords with successively longer and longer lengths until it lucks out.

    In my case John finally did luck out, finding one of my passwords after 18 days of crunching numbers. This particular account had a relatively weak password -- though no dictionary attack would have found it, it was still only five bytes long. That's a wakeup call for me. I've been using shorter passwords for years, thinking that by avoiding common words I was safe. But I can see that they're breakable now.

    It's one thing for someone to preach that you should really have longer passwords; it's quite another to see it for yourself. If your passwords are easy to guess, or are variants of dictionary words, or can be generated easily by brute force -- there are widely available tools that can give the keys to the city to any lowlife that wants into your machine.

    Run one of the password crackers on your own system today, and become enlightened! And don't be comforted by the 18 days it took to crack my easy five-character password on a 300MHz Celeron notebook: there's also a distributed version [ktulu.com.ar] of John the Ripper that divides up the work of cracking your password file among many computers.

    The more I learn about security, and the tighter I make my systems, the more afraid I am. If you aren't afraid, you are either very very good at what you do -- and I humbly bow before you -- or you haven't much of a clue.

  • I'm safe! (Score:3, Funny)

    by babbage ( 61057 ) <cdevers@cis.usou ... minus herbivore> on Monday May 03, 2004 @07:59PM (#9047120) Homepage Journal

    Woohoo! My trusty old 1234567890 didn't make the list!

    /me wipes brow at his well-chosen password

    • "So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!" Obligatory Spaceballs quote.
  • by WarPresident ( 754535 ) on Monday May 03, 2004 @08:00PM (#9047135) Homepage Journal
    (January)
    User: Tim
    Password: NEWUSER

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password

    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password01

    OK ...
    (February)
    User: Tim
    Password: password01

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password01

    THIS PASSWORD HAS BEEN USED RECENTLY
    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password02

    OK ...
    (March)
    User: Tim
    Password: password02

    YOU MUST CHANGE YOUR PASSWORD EVERY 30 DAYS
    PASSWORD MUST HAVE AT LEAST 6 ALPHA AND 2 NUMERIC/OTHER CHARACTERS
    New Password: password03

    OK ...

    repeat ad nauseum
  • ... I couldn't find any of my passwords there. Not even the ones that were machine generated.

    It was especially disappointed that the numeric section didn't include 17 or 42. Or 1742, for that matter. Where are they getting their lists.

    And "mrroot" wasn't there, either. (A shout-out to my old Project Athena cohort. ;-)

  • Would have the password 12345 on his luggage!
  • Where did they come up with these passwords? It looks like the result of a run someone did a tech university back in the day with crack or sniffing or something. I mean, while I agree that many of the passwords listed there were weak, I'm dubious about how common they are, unless g6PJ, 3ep5w2u, or I5rDv2b2JjA8Mm are particularly common egregious offenders.

    Honestly, this is filler as far as content quality goes.
  • by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Monday May 03, 2004 @08:25PM (#9047343) Homepage
    Lets see...

    fizzlebop... OK
    coodleschmidt... OK
    sneedalbiz... OK
    testripithia... OK
    crumblehip... OK
    skazeltank... OK

    OK, all my passwords are safe. No one will ever guess 'em.

    .

    .

    Crud!

  • Given the case a password has to be changed every month

    pick as day from every month of the year which has some significance and is easy to remember. This date remains the same year after year, which I think is sufficient variability because you are going to do more with the date.

    arrange the date and the current year in numerical format such as MMDDYYYY or YYYY-MM-DD

    use date seperator . / or - as their mathematical operators, combine different operators be creative e.g. YYYY.MM-DD or DD/MM-YYYY or sim

  • If any of these passwords look hauntingly familiar and are being used, you should change the password immediately...because if someone hasn't tried it yet, they will now.
  • Once I was working for a pharmaceuticals distributor of an undisclosed location. I happened to watch my supervisor type her password into the mainframe.

    It was APPLE2.

  • i'd be frightened if my 33 character password was listed!
  • REALLY bad password (Score:5, Interesting)

    by utahjazz ( 177190 ) on Monday May 03, 2004 @09:08PM (#9047556)
    Given that most web developers write code like this:
    sqlexec("SELECT * FROM users where pwd = '" + pwd + "'")
    I find a good password to be:
    '; DELETE FROM USERS; SELECT '
    • That seems rather odd, selecting all records that match a given password. The point of the example is fine, but the example itself is weird.

      I used to routinely embed control characters in my passwords (tab, ctrl-C, ctrl-G, ctrl-M, whatever) but then discovered that not all programs performed "raw" input the same way. There's nothing quite so annoying as having your system login program crash (and so deny you access to a system) as you're entering your password, because the program couldn't deal with embedd
  • by Wylfing ( 144940 ) <brian@nOspAm.wylfing.net> on Monday May 03, 2004 @09:16PM (#9047592) Homepage Journal
    I can't count how many technologically ignorant managers I've met who, giggling and leaning in close, explain that they've thought up the cleverest password ever. It's "password"! It's so obvious no one will think of it!

  • by billh ( 85947 )
    Enough said.
  • by Anonymous Coward
    The only SAFE password is a long one: http://support.microsoft.com/default.aspx?scid=kb; en-us;276304 [microsoft.com]!
  • Honey Pot Passwords? (Score:4, Interesting)

    by LoveMe2Times ( 416048 ) on Monday May 03, 2004 @09:44PM (#9047730) Homepage Journal
    Does anybody out there use honeypot passwords? It seems like such an obvious idea, but it doesn't seem to be generally implemented -- at least no system that's ever given me a password has let me configure honeypot passwords. Personally, I'd really like to have a honeypot PIN for my bankcard and honeypot passwords for all of the online shopping/bills/finance stuff--ie, the stuff where it's important.

    For those unfamiliar, the idea behind a honeypot password is either

    1. to pick one or many "guessable" passwords like those in the article and use them as honeypot passwords. Allow somebody to log into the system using them but set off a silent alarm. Presumably, any would-be hacker will "crack" the honeypot password before the "real" password and will quit trying to get the real one.
    2. Have one "real looking" password (especially PIN) that you can give out if somebody demands it at gun or knife point (you get the idea). If used, it immediately notifies the authorities (silently) and shuts down the account/card in say 1/2 hour (presumably enough time for you to get away). For the would-be mugger etc there's no way to tell if they got the "real" or the honeypot password.
    • I prefer a 3 strikes and you are out system. It kills a dictionary attack almost everytime. My home safe has it. My ATM uses it. Why doesn't user accounts? My login at work uses it. Why don't more systems use failed login lockout?

      • by stevey ( 64018 )

        Because it's a simple way of locking out other people of their accounts.

        I could go over to a colleagues PC and deliberately enter the wrong password five times when she's away to lunch.

        When she comes back she finds her account has been disabled, and she's locked out until the sysadmin resets it.

        At home this might not be a problem, but allowing people to lockout a remote worker from their VPN connection when they're working on something important isn't a good idea.

        I log failed passwords on our machines s

      • The draft LDAP password policy spec lets you do a lockout after a failed number of attempts, along with an expiration (so the lockout is automatically lifted after a specified idle period). I think that's a decent approach that (a) slows down attackers without (b) making life miserable for users and sysadmins.

        Things get trickier when you have a cluster of machines using a distributed authentication service. E.g., you have a bunch of machines using pam_ldap, so all of them are authenticating against a singl
  • Thank goodness that the password I use for all of my systems and accounts, "thr0bbingl0v3m3at", wasn't on the list!

  • by einTier ( 33752 ) * on Monday May 03, 2004 @09:52PM (#9047790)
    When I was working in IT, I often said, "give me the names of a given person's children, their pets, their significant others, the kind of car they drive, their job title, and any hobbies, and I'll guess 95% of all passwords."

    It's scary how many people think the name of their child makes a great password.

  • Uncanny! (Score:2, Funny)

    by crawdaddy ( 344241 )
    Numeric insecure password list: 0, 1, 1.1, 2, 5, 7, 12, 30, 110, 111, 123, 1111, 1234, 2002, 2003, 2222, 2600, 8429, 12345, 54321, 111111, 121212, 123123, 123456, 166816, 256256, 654321, 1234567, 1322222, 7061992, 11111111, 12345678, 19920706, 22222222, 88888888, 123456789, 1. 1, 1234qwer, 123abc, 123asd, 123qwe, 1RRWTTOOI, 240653C9467E45, 24Banc81, 3098z, 3ep5w2u, 4Dgifts, 4getme2, 4tas, 57gbzb

    12345?! That's incredible! That's the same combination I use on my luggage!
  • by Piquan ( 49943 ) on Monday May 03, 2004 @10:38PM (#9048101)

    MEMORANDUM

    From: Information Services

    To: All personell

    Re: Secure computing practices

    The following, found during a routine review of our authentication system, are insecure and should never be used:

    • accounting
    • admin
    • backup
    • boss
    • cisco
    • congress
    • death
    • engineer
    • ibm
    • internet
    • kiddie
    • love
    • manager
    • sex
    • snake
    • user
    • windows
    • www

    Avoid anything on this list. Any personell using anything on this list will be required to attend a mandatory fnord security training class, and may possibly face reprimands for repeat offenses.

  • Why are we still using passwords for everything? I must sign up for 2 or 3 new websites a week. I've been using the Internet for 32 years now. So that means I've signed up for just over 8388640 passwords.

    Would someone please write a browser plugin that will enable public/private key authentication using my ssh agent [greenend.org.uk]

    . Then I just need to tell them my public key.

    ADV: Get your own 'no password required' virtual private server [rimuhosting.com]

  • no qwerty? (Score:2, Funny)

    by Arngautr ( 745196 )
    Yes!! qwerty wasn't one of 'em that means I'm safe, er... um, yeah....
  • notobvious (Score:4, Funny)

    by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Tuesday May 04, 2004 @01:08AM (#9048817) Homepage Journal
    The UUCP password for all customers on a certain large american ISP was for a very long time 'notobvious'. I still get a chuckle out of imagining how it came to be:

    Technician: What should we set the password to, boss?

    Boss: I don't care, just pick one that's not obvious.
    Technician: Right, boss.

    To be fair, it was just the password to login to the modem server, every customer had an additional real password to actually access the UUCP box behind it.

  • It's useless (Score:2, Insightful)

    by toshka ( 776698 )
    If you see some guy/gal trying to guess a password you're watching a movie. If someone has your passwd file you've already screwed up. At least that's what my experience as an ISP tech support, a network admin and a web programmer has taught me... In the real world we have security holes and yellow stickers with passwords on the monitors(no, I'm not talking about my workplace:)...
  • Spaceballs (Score:3, Funny)

    by jubitzu ( 750748 ) on Tuesday May 04, 2004 @03:56AM (#9049308)
    Dark Helmet: 1-2-3-4-5? That's the stupidest combination I ever heard in my life. That's the kind of thing an idiot would have on his luggage. President Skroob: 1-2-3-4-5? That's amazing! I've got the same combination on my luggage.
  • I'm thinking that pdp8 and pdp11 are not likely to be that common anymore. Perhaps this list was a bit more accurate 20 years ago.

    Ah, well, now I've got to change all of my root passwords from youwontguessme to p^$$w0rd. Hey, at least it's not on the list.
  • by dspyder ( 563303 ) on Tuesday May 04, 2004 @04:20PM (#9056654)
    I had always recommended and sometimes used passwords written 'leet speak style, with numbers instead of letters.

    I then found out somebody wrote a password cracker that uses those rules... out went that idea!

    I have always suggested the following:
    • non-dictionary words
    • non-related to you words (kids, pets, town, etc.)
    • Combination of numbers, in the middle of a word or 2
    I once worked with a sysadmin who used song titles... I thought he was really clever until I learnt 2atgilb4 was "To All the Girls I Loved Before"... kinda clever... a bitch to type.

    Our current sa password to most of our databases is !myday (not my day).

    --D

Genius is ten percent inspiration and fifty percent capital gains.

Working...