Database leak reveals 10 terrible passwords you should avoid

By midian182 · 29 replies
Nov 7, 2016
Post New Reply
  1. There’s been more confirmation that when it comes to online security, some people are just asking to be hacked. By examining accounts from a leaked Yahoo database, featuring obsolete accounts from a 2012 voice calling service, researchers put together a list of the ten most commonly used passwords.

    The most popular password favored by Yahoo users was “123456.” If that isn’t enough to make you facepalm, the second most common was the brilliant “password.” This was followed by “welcome” in third, and, weirdly, “ninja” in fourth position.

    Mixing numbers and letters is often recommended when it comes to creating strong passwords, but “abc123,” which is the fifth most popular entry, is a pretty weak example of this practice. The next two entries are variations of the number one password – “123456789” at six and “12345678” at seven.

    The next two passwords on the list are actual words - “sunshine” (eighth) and “princess” (ninth) – while the final place is occupied by the terrible “qwerty.”

    Dr Jeff Yan, co-author of a paper on password cracking and a senior computing lecturer at Lancaster University in the UK, compiled the list. He told the Daily Mail Online: “Why do [some] use such obvious passwords? A main reason I think is that they’re either unaware of or don’t understand the risks of online security.”

    “Just like everybody knows what one should do when red lights are on in the road, eventually everybody will know 123456 or the like is not a good password choice,” he added.

    Many of the other passwords in the database were made up of simple combinations of users’ names, ages, and birthdates.

    In addition to revealing the commonly-used passwords, the University researchers, along with those from China’s Peking and Fujian Normal Universities, created algorithms that can crack passwords.

    Based on attackers having access to different personal information, they guessed passwords for more than 73 percent of users’ accounts. Even the more tech-savvy weren’t safe; a third of their passwords were cracked within 100 guesses.

    The best advice: use a password manager.

    Permalink to story.

    Last edited by a moderator: Nov 7, 2016
  2. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +902

    I do like using a password manager, but couldn't bear having it randomly generate my passwords. I do want to try and remember it if I need to, also you could be more lenient with services that have 2 step authentication =)
  3. wiyosaya

    wiyosaya TS Evangelist Posts: 1,923   +756

    Yep. Use a password manager so that when someone hacks the password manager, they have access to all your sensitive passwords. Brilliant advice, just like suggesting that readers get an IoT device is brilliant advice.
  4. Fabio Turati

    Fabio Turati TS Enthusiast Posts: 28   +12

    Since 123456, 123456789 and 12345678 are very common and easy to guess, the obvious conclusion is that to have a really good password one must choose 1234567, which nobody has ever thought of yet. Outsmart them, I say!

    ...Seriously now:

    @Kibaruk, you are doing it wrong. I mean: you are using a password manager, which is great, but then you don't REALLY use it, because you can remember your passwords. As Troy Hunt said, "If it’s not something you need to be a savant to memorise, it’s not secure enough." And even the title of that article is "The only secure password is the one you can’t remember". I am trying LastPass these days, and they are sending emails whose subject is "Go ahead and forget your passwords". If you are afraid of losing all of them, if it is an offline one (like KeePass) make sure you have reliable copies of your safe (on Dropbox, for example), and if you are using an online one (like LastPass) export them and store them to a USB stick that is permanently offline. But do replace your passwords with secure ones! Believe me, the first time you login to some site using a password like #$9A^makRFuJ*dOLg&n$bPD4z94KzdV8 (which you don't even need to type), you will even smile! :)

    @wiyosaya: what is your secure solution then?
  5. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +902

    There are certain ones you always want to remember, and as I said, you can be more lenient with the added protection of 2 step authentication. Of course, not to everything, I couldn't care less about my forum password.
    It is brilliant advice, specially when you change your password every now and then and have 2 step authentication enabled, it is going to be really hard for someone else to go in there, unless they a) know your password and b) have both physical access to your computer and security key (2SA. Yes, you can setup more security than just 2 step), in which case doesn't matter if they are hackers or not.
  6. Bigtruckseries

    Bigtruckseries TS Evangelist Posts: 583   +318

    The easiest way to stop password crackers is a "cool down period" as seen on FALLOUT 3 and 4.

    If you make it so that the wrong password entered 3 times causes a timeout/ lock or cool down period, you can make it impossible for even the smartest computer to crack the password because:

    #1 It'll literally take forever

    #2 The program would have no way of entering your email account or smartphone to receive a text message/code.

    #3 It could take so long to crack that by the time the program figured it out, the person may have already changed it.

    Even if I had a 2 digit password, a 3-tries and your out system would eliminate you almost immediately.

    I like, for example that Apple has a set number of password tries before the phone erases itself, but I'd also like an auto-erase button for the thumb reader.

    For example: I enter the phone using a thumb, but I can auto-erase it by scanning my pinky.

    Now all I need is a way to erase my browser history if I'm dead.

    Lot of potentially embarrassing data there...
  7. Fabio Turati

    Fabio Turati TS Enthusiast Posts: 28   +12

    You are considering online attacks only, which are just a (small?) part of the story. What about offline ones? Like the one on Yahoo that this article is about. In that case your only hope is that the site did the right thing (unique salt per user and slow hash function like Bcrypt), but then you must also do your part by choosing a good password. Otherwise, even if Yahoo adopted a system like the one you describe, it wouldn't help at all (and your 2-digits password would fall in something like a microsecond).
  8. Bigtruckseries

    Bigtruckseries TS Evangelist Posts: 583   +318

    A cool down period or 3-strikes-your-out would stop online attacks and offline attacks wouldn't even be possible. The server can't authenticate you.

    A cool down period if you try to break into my personal computer - can also make hacking it damn near impossible - if not take forever.
    Last edited: Nov 7, 2016
  9. wiyosaya

    wiyosaya TS Evangelist Posts: 1,923   +756

    Security experts are now arguing against changing passwords because, like the silly passwords that are detailed in the article, people who frequently change passwords usually only do so by changing something like the first few or the last few characters. If your password is compromised in an attack and that attack goes undiscovered for a while during which you changed your password, then the hacker has only a few characters that they need to figure out. Two-step authentication is really all one needs to be highly secure and security experts are routinely recommending two-step authentication these days, but...
    What's my solution? Security experts are also now recommending putting together words in a nonsense phrase that you will remember. Once you get beyond 13 or more characters in the combined phrase, the password becomes almost impossible to hack even by brute force methods. If it is only one word, then yes, it will be vulnerable to a dictionary attack, but several together in a nonsense phrase it becomes very difficult to break.

    Take, for instance, something like this: goGreythenscreW nonsense phrase, several words, 15 characters - nearly impossible to break because it will amount to, essentially, having to wade through the number of different combinations possible with 15 characters, and the number of combinations of words from the English language that one would have to brute force through is literally astronomical.
  10. Bigtruckseries

    Bigtruckseries TS Evangelist Posts: 583   +318

    Combinations of words and letters with capitals makes brute force difficult, but let's face it...experienced hackers and spies can simply use keyloggers.

    I think non-password systems with biometrics that have random quiz challenges or email verifications work best.

    when I log into my Bank, I have to tell it a question to a random answer: favorite TV show, Mom's birthday, my girlfriend's size...etc.
  11. Tommis

    Tommis TS Member

    …and all these funny and easy-to-guess passwords are on the same (leaked-stolen password's) list together with the strongest and uncrackable passwords; so what's the point of having strong (and unmemorable) password if it will be leaked or stolen as easy as '1234' one?
    Tanstar likes this.
  12. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,724   +3,697

    That is the question right there. Which is why twp-step verification should be used. Two-step verification will keep control in the users hands regardless of leakage.

    What irks me is forced password changes. As if that is supposed to protect a company from lawsuit over their negligence.
    Tanstar likes this.
  13. Kotters

    Kotters TS Maniac Posts: 283   +180

    Why are you sharing your password database with anyone? Or are you using a cloud-based manager?

    'cause Don't Use a Cloud-based Password Manager.
  14. Fabio Turati

    Fabio Turati TS Enthusiast Posts: 28   +12

    By "offline" attacks I mean those where the attackers can exploit some vulnerability of the server and get a full database dump. The protection system that you call "3-strikes-you're-out" is completely bypassed, because you don't break an account, you break the entire server. It's like having a guard at the front door of your house, and then somebody notices that they can break into it by passing through the rear door: the guard won't stop them, the guard won't even see them.

    This is what happened to Yahoo (500 million accounts at risk), Linkedin (117 million), (43 million), Dropbox (68 million) and many more (you can find a list at, and also check whether your account has been compromised). It happens all the time, you have to be prepared for it. And if you use 2-digit passwords, you are not. Moreover, if you reuse the same account (or email address) and password on other sites, you should consider all of them compromised.
  15. Fabio Turati

    Fabio Turati TS Enthusiast Posts: 28   +12

    @wiyosaya: I'm all for two-step authentication, and I have enabled it wherever I can, but not all the websites offer it. Which means it can't be the ultimate solution. And for the passphrase, again, I agree, it's the famous "correct horse battery staple" scheme, or diceware, but how does that scale when you have tens of accounts? You can't remember so many random words! Instead, if you use that technique for your master password you can even afford creating a longer one. My master password, for example, is more than 50 characters long. Sure, it takes 10-15 seconds to type, but then again I have to do it only the first time, and then all the other logins are really fast.
  16. hahahanoobs

    hahahanoobs TS Evangelist Posts: 2,040   +678

    I let LastPass generate 12 character alpha-numeric passwords for websites that have my personal information like card numbers, name and address, and I reuse the same two passwords with two to three slight variations of those two passwords for everything else.
  17. hahahanoobs

    hahahanoobs TS Evangelist Posts: 2,040   +678

    Someone needs to teach you about encryption.
  18. Ascaris

    Ascaris TS Addict Posts: 113   +72

    Why couldn't you bear letting it randomly generate a password? It already has all of your passwords, so if you don't trust it, it's already a bad idea.

    I use a password manager protected by a strong master password (gibberish digits that I memorized) and AES encryption, with each site getting its own random 14-character password consisting of upper and lower case letters, numbers, and symbols (except for those annoying sites that only accept alphanumerics). It will paste the passwords and userids into the fields I specify even if the site attempts to block password auto-entry in a misguided effort to be "secure."
  19. fktech

    fktech TS Addict Posts: 223   +60

    If a site is hacked then any password is vulnerable.
  20. McLovin

    McLovin TS Member

    Why bother with this article, passwords are on their way outanyway. Eventually face and fingerprint scanning will rule over us
  21. Fabio Turati

    Fabio Turati TS Enthusiast Posts: 28   +12

    No, that will never happen. If you consider that an account has a username and a password, biometrics data like your fingerprint can replace your username, not your password. There are many reasons, one being that if the site where you login is compromised and somebody gets hold of your account... You can always change your password, but you can't change your fingerprint. It would be too easy to create a fake fingerprint scanner that, instead of working as a normal one, supplies to the PC the fingerprint of another user (yours, for example), stolen from some server on the web. From that moment on, everybody would have permanent access to your accounts.

    You can find much more here:
  22. ATLVM

    ATLVM TS Member Posts: 64   +7

    Last pass its free and it works exactly as you describe. It will generate a random password for you but if you use touch ID on your phone you can login to get passwords or use a master password for ALL your accounts. There is a form fill, it works great.

    Give lastpass a look.
  23. ATLVM

    ATLVM TS Member Posts: 64   +7

    Uh I think you are missing the point... a password manager isn't ON the Web, its an app, besides if you are afraid if someone can "hack" that's why they have 2 factor authentication. The "brilliant" part about Lastpass is you can have multiple forms of authentication not just password you have to use an authentication app, SMS AND touch ID form your phone for instance.

    So yeah it is brilliant that the device is behind a single master password because its not like anyone can brute force it, its on your phone, how are they going to access it? eh?
  24. ATLVM

    ATLVM TS Member Posts: 64   +7

    So Genius let me ask you, what do you use to track and manage your passwords now huh? You remember EVERY Single password for say 20 different systems, or do you use 1 password for ALL those accounts?

    Huh? So the only "brilliant" part about your remark is that YOU don't even realize what YOU are doing (or not doing) to protect yourself, so your way is better I suppose?

    You better think again.
  25. ATLVM

    ATLVM TS Member Posts: 64   +7

    Technically nothing which is why they say change your passwords often like every 30 days ... but that's too inconvenient for people so they back down and say 90.

    It all comes down to common sense, if a password manager can manage ALL of your important information you can use them to change your passwords automatically, last past can do this.. you just tell it generate a new password for site XYZ,and it does it.. then who cares if you know what it is, you can reveal the password or simply use lastpass to autologin to the site..

    A password manager can make it easy to not only know where and what your passwords are but which sites you visit and does a security check to ensure your passwords are strong and no 2 accounts are the same, lots of good reasons to use lastpass.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...