The most common passwords of 2016 have been revealed, and they're terrible

We might want to try thinking about the problem differently.

Almost all the code used for the usernames checks the internal database to see if someone else used that name and then rejects it or creates another for the user. Seems particularly trivial to use that rejection algorithm against the internal database of passwords for the purpose of not having even one password duplicate.

This isolates 'stupid' down to the fewest numbers possible.
 
Wait - you want to expose a method of confirming the existence of a particular password in the system? That would be a terrible idea - once you have a password that you know exists it's no big deal to script up regular attempts against each username available using that password. Even rotating IPs would be simple if you block after so many failed attempts.
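To make the concern above concrete, here is an added example (not code from the thread or from TechSpot) contrasting the proposed "reject any password another user already has" check with an oracle-free check against a public common-password list; the denylist entries, usernames and the 12-character minimum are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed denylist for the example; a real deployment would load the
# published "most common passwords" list or a breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "football"}


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt; iteration count kept low for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class UserStore:
    def __init__(self):
        self.users = {}  # username -> (salt, derived key)

    def register_uniqueness_check(self, username: str, password: str) -> str:
        """The thread's proposal: reject a password if any other user already has it.
        With per-user salts the server must re-derive the candidate against every
        stored salt (N KDF runs per attempt), and the distinct error reveals that
        the password exists somewhere on the system."""
        if username in self.users:
            return "username taken"
        for salt, stored in self.users.values():
            if hmac.compare_digest(_hash(password, salt), stored):
                return "password already in use"  # existence oracle
        return self._store(username, password)

    def register_denylist(self, username: str, password: str) -> str:
        """Oracle-free alternative: the decision depends only on the candidate
        password and public information, never on other users' stored data."""
        if username in self.users:
            return "username taken"
        if password.lower() in COMMON_PASSWORDS or len(password) < 12:
            return "password too weak"
        return self._store(username, password)

    def _store(self, username: str, password: str) -> str:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))
        return "ok"

    def verify(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(_hash(password, salt), stored)
```

Two users choosing the same strong password is harmless under the denylist check, whereas the uniqueness check turns that second registration into a confirmation that the password is live.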
 
Try it sometime and then match it to the username. If it were that easy, no password would be safe. And if it REALLY bothers you, deny between 2 and 7 of the password creation attempts, number picked at random. This is not the only security measure that should be used. Just the one for randomizing passwords.
 
Hold up.. wait. How did TechSpot get all my passwords?

Not cool, man.. Not cool.
LOL - That has got to be the best sarcastic remark in this conversation.

I'll be lurking here all night..

Well.. yeah. That's all I got for now.

But in all seriousness, seriously. My wifey used to use PWs like the ones shown above. I remember her always saying that she'll never forget the PWs that way.. Which never did quite work out for her. She still somehow forgot her PWs all the time. :p
 
Make sure you use a VPN. Although highly unlikely, their email provider might dime you out, and you won't be getting any eChristmas cards...:D Perhaps even ransomware in your eStocking... (The web equivalent of coal).
But they are my friends...they would not do that to me
 