Free Republic

The 25 Worst Passwords of 2013: 'password' Gets Dethroned (123456 Is New Champ)
PC World ^

Posted on 01/21/2014 12:59:32 PM PST by nickcarraway

"123456” is finally getting some time in the spotlight as the world's worst password, after spending years in the shadow of “password.”

Security firm Splashdata, which every year compiles a list of the most common stolen passwords, found that “123456” moved into the number one slot in 2013. Previously, “password” had dominated the rankings.

The change in leadership is largely thanks to Adobe, whose major security breach in October affected upwards of 48 million users. A list of passwords from the Adobe breach had “123456” on top, followed by “123456789” and “password.” The magnitude of the breach had a major impact on Splashdata's results, explaining why “photoshop” and “adobe123” worked their way onto this year's list.

Fans of “password” could reasonably petition for an asterisk, however, given that the stolen Adobe passwords included close to 100 million test accounts and inactive accounts. Counting those passwords on the list is kind of like setting a home run record during batting practice. Don't be surprised if “password” regains the throne in 2014.

Weaker passwords are more susceptible to brute-force attacks, where hackers attempt to access accounts through rapid guessing. And when encrypted passwords are stolen, weaker ones are the first to fall to increasingly sophisticated cracking software.

(Excerpt) Read more at pcworld.com ...


TOPICS: Computers/Internet; Conspiracy; Weird Stuff
KEYWORDS: passwords; secret
Comment #21 Removed by Moderator

To: nickcarraway

Also something very dumb that many people seem to do when setting up their password backup security questions is select questions that others can fairly easily figure out the answer to. It is relatively easy for someone else to find the answers to many of the personal questions available to choose from. All they need is your e-mail address and your name (to gather the personal info on you from the net and/or elsewhere). Then all they need do is pretend they are you and click “can’t recall my password” (using that e-mail address). This is how that democrat activist’s kid hacked into Palin’s Yahoo account. My advice: don’t answer these simple questions truthfully. Write your answer down somewhere. It doesn’t have to make any sense whatever it is. Nobody checks, or cares. :)


22 posted on 01/21/2014 1:22:00 PM PST by ETL (ALL (most?) of the Obama-commie connections at my FR Home page: http://www.freerepublic.com/~etl/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: nickcarraway

Heh.

I have a fav password creation process that, so far, seems to work.

I start with the designation/name of a weapon I either own or trained on in the military. Add in specs, such as caliber and length of the round fired. Then tack on the end of that the actual price I paid for the weapon if I own it, or the estimated price if I were to purchase.

Easy to remember. Has mix of cap and non cap letters, numbers, and symbols.

And, to beat keyloggers, I can put in the price first, then click back at the beginning and add the cartridge info, then do same to add in the name. Iirc, keyloggers don’t record mouse clicks, usually.


23 posted on 01/21/2014 1:22:14 PM PST by Grimmy (equivocation is but the first step along the road to capitulation)
[ Post Reply | Private Reply | To 1 | View Replies]

Comment #24 Removed by Moderator

To: martin_fierro
My password is “LIFELOCK”

You have to be careful putting that in plaintext. What I do, see, is to conceal it like this: "My password is LIFELOCK".

25 posted on 01/21/2014 1:23:04 PM PST by Billthedrill
[ Post Reply | Private Reply | To 17 | View Replies]

To: driftdiver
Of course Verizon would say that......it's much nicer than the truth.

Like when they decided to email all of my account data to other people; luckily I was cc'd.

I spent HOURS on the phones with Verizon's IT people. Deleting the account(s) and creating a new one(s). Setting new passwords etc.

In the course of four days, they erroneously sent my account, and re-created account(s), info out SIX TIMES!

26 posted on 01/21/2014 1:24:24 PM PST by Repeat Offender (What good are conservative principles if we don't stand by them?)
[ Post Reply | Private Reply | To 3 | View Replies]

To: nickcarraway

I have the perfect password. But, of course, I ain’t tellin’.


27 posted on 01/21/2014 1:24:25 PM PST by gorush (History repeats itself because human nature is static)
[ Post Reply | Private Reply | To 1 | View Replies]

To: meadsjn

lol well I am biased as I own a security company.

We had one system for a large govt contractor. We hacked all of their passwords except one in 15 minutes.

Had another one with lots of sensitive data in it. Their network admin went into their IPS to change the configuration. He made his changes, then watched as someone changed them back and then emailed a bunch of data to a China-based address.

The security lock helps but is easily defeated.


28 posted on 01/21/2014 1:24:50 PM PST by driftdiver (I could eat it raw, but why do that when I have a fire.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: nickcarraway
A longtime favorite of mine has been opensezme.
29 posted on 01/21/2014 1:24:58 PM PST by ßuddaßudd (>> F U B O << "What the hell kind of country is this if I can only hate a man if he's white?")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Repeat Offender

Different group, same challenges. lol


30 posted on 01/21/2014 1:26:12 PM PST by driftdiver (I could eat it raw, but why do that when I have a fire.)
[ Post Reply | Private Reply | To 26 | View Replies]

To: KarlInOhio

Most of the time the companies do not know the passwords as they are encrypted before storage in the database(s).
The problem lies in the fact that some companies’ encryption algorithms do not “salt” the passwords, and therefore they are stored in the basic encrypted form.
It is a simple thing for anyone to run hundreds of thousands of encrypted passwords against standard libraries of encrypted common words (and numbers), to find a match, in a matter of seconds. If they also have the user’s name (say Joe) then they can run thousands of tests a second against combinations like “Joe123”, “JoeABC”, etc.


31 posted on 01/21/2014 1:26:24 PM PST by Nonsense Unlimited
[ Post Reply | Private Reply | To 10 | View Replies]

To: Responsibility2nd

“...thanks to Adobe, whose major security breach in October...”

They read the dumped leaked data, that contains hashed passwords, and compare the hashes to hashes of the usual suspects. If the hashes match, it’s as good as if the original pass were that one.


32 posted on 01/21/2014 1:31:15 PM PST by Moose Burger
[ Post Reply | Private Reply | To 4 | View Replies]
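
The difference between unsalted and salted storage that comments 31 and 32 describe, as an added example that is not part of the thread or the article: an audit of a constructed credential table against precomputed digests of the common passwords named in the article. SHA-256 stands in for the unspecified unsalted algorithm, and the account names, the third password and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: passwords the article names as most common.
COMMON = ["123456", "123456789", "password", "adobe123", "photoshop"]
# Constructed accounts; two users share a password on purpose.
USERS = {"alice": "123456", "bob": "123456", "carol": "T7#quarry-Lantern-04"}

def unsalted(pw):
    """Weak scheme: one fast digest, no salt (SHA-256 is an assumed stand-in)."""
    return hashlib.sha256(pw.encode()).hexdigest()

def salted_record(pw, rounds=100_000):
    """Stronger scheme: random per-user salt plus slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds), rounds

def verify(pw, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest, rounds = record
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def audit(stored):
    """Flag accounts whose stored value equals a precomputed common digest."""
    table = {unsalted(p): p for p in COMMON}  # computed once for all users
    return {user: table[h] for user, h in stored.items() if h in table}

def demo():
    weak_db = {u: unsalted(p) for u, p in USERS.items()}
    strong_db = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "weak_hits": audit(weak_db),
        "same_weak_digest": weak_db["alice"] == weak_db["bob"],
        "strong_hits": audit({u: r[1].hex() for u, r in strong_db.items()}),
        "same_strong_digest": strong_db["alice"][1] == strong_db["bob"][1],
        "login_ok": verify("123456", strong_db["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A per-user salt makes one precomputed table useless across accounts and hides which users share a password; it does not make "123456" a safe choice, which is why the salted scheme also uses a deliberately slow function.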

To: nickcarraway; a fool in paradise

Nobody will ever guess this password: ‘drowssaP’


33 posted on 01/21/2014 1:31:49 PM PST by Revolting cat! (Bad things are wrong! Ice cream is delicious! We reserve the right to serve refuse to anyone!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Billthedrill

lol... Once, several years ago, my soon-to-be-ex (who works in IT) and my brother (whom I love dearly, no matter what) were trying to access a software program on a PC. My brother couldn’t remember the password, and they were trying different combinations. Sitting there listening, I suggested they try “password.” They both rolled their eyes at me, laughed, and kept trying other passwords. I started pushing them to try “password,” and they both became annoyed with me, with then-husband stating that I was a PITA and saying, “Oh, just try it, just to shut her up.”

Guess which “password” worked. Hahahahaha


34 posted on 01/21/2014 1:32:09 PM PST by Tired of Taxes
[ Post Reply | Private Reply | To 9 | View Replies]

To: dfwgator

Open the air shield, and change the combination on my luggage!


35 posted on 01/21/2014 1:34:23 PM PST by USNBandit (sarcasm engaged at all times)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Responsibility2nd
They spy and hack.

According to their web page, they let the hackers do the hacking, and then they just scarf down the leaked lists and tabulate them.

Splashdata's business is password management applications.

36 posted on 01/21/2014 1:34:32 PM PST by cynwoody
[ Post Reply | Private Reply | To 4 | View Replies]


37 posted on 01/21/2014 1:37:14 PM PST by smokingfrog ( sleep with one eye open (<o> ---)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Terry L Smith
what’s second,

I don't know what's second...but I do know Obama is #2.

A big, steaming pile of #2.

38 posted on 01/21/2014 1:37:35 PM PST by mountn man (The Pleasure You Get From Life Is Equal To The Attitude You Put Into It)
[ Post Reply | Private Reply | To 7 | View Replies]

To: TexasFreeper2009
"so basically I am forced to keep all my complex ever changing passwords written down"

That, combined with more accounts has finally driven me to write them all down and file them by website.

I should keep them in an Excel file to be able to cut and paste....

39 posted on 01/21/2014 1:38:01 PM PST by Paladin2
[ Post Reply | Private Reply | To 19 | View Replies]

To: Revolting cat!

You need some punctuation in that and a numeric character.


40 posted on 01/21/2014 1:40:05 PM PST by a fool in paradise ("Health care is too important to be left to the government.")
[ Post Reply | Private Reply | To 33 | View Replies]

