'Worst passwords of 2014' reveals that people simply don't care about security

By Shawn Knight · 14 replies
Jan 20, 2015
  1. Exactly one year ago today, SplashData revealed its third annual list of the top 25 worst passwords found on the Internet. Unsurprisingly, things really didn't change all that much in 2014 as people continue to use weak passwords despite the...
  2. Craig Herberg

    Craig Herberg TS Rookie

    It is certainly true that too many people consider good security practice a terrible inconvenience. Password managers are a great tool to make password security convenient. If people continue to use easily compromised "passwords," perhaps financial institutions should require smartcards or fingerprint readers. Craig Herberg
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 3,339   +1,986

    After the recent news about fingerprint readers I would think that would be their LAST choice in security!
    stewi0001 likes this.
  4. Grabix

    Grabix TS Rookie

    This is, and probably always will be, my go-to for people talking about passwords and the need for letter substitutions. They're wrong and need to be told they are wrong.

  5. MasterDex

    MasterDex TS Rookie

    I think the best way forward is for web designers and their clients to start insisting on every password using numbers, letters (both upper and lower case) and symbols. The end-user will generally go for the easiest route possible so weak passwords will continue to be chosen. Hell, the fact that some account systems don't even allow the user to use symbols is terrible.
  6. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +902

    You need words, but then you make them into a sentence, long enough no one could guess it and only use the first, or couple of letters, the first and last, or whatnot, you could also make a small 5 by 5 grid with randomized letters and use a mental algorithm in order to get a password out of that, randomized enough to avoid brute force, or who knows, you could do tons of crazy stuff only you can remember or know how to decipher but no one else could, even if they have the grid of characters.
  7. I would like to thank all the hackers who went through every weak website (like Sony's :p) and took all their unencrypted information like these here passwords. Or maybe these websites' admin passwords were just as weak.
    Gives me a few suggestions of ones I can use next though.
  8. MasterDex

    MasterDex TS Rookie

    No, they're not wrong. That strip is right with the maths it uses but that doesn't negate the fact that letter substitution and the use of symbols and numbers increases password security because it does.

    Let's take that example in the strip 'correct horse battery staple' and run a strength test (http://rumkin.com/tools/password/passchk.php):
    correct horse battery staple
    Length: 28
    Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
    Entropy: 104.2 bits
    Charset Size: 27 characters

    Now let's do some letter substitution and use a symbol instead of a space:
    Length: 28
    Strength: Very Strong - More often than not, this level of security is overkill.
    Entropy: 136.9 bits
    Charset Size: 72 characters

    Notice the Entropy and Charset Size that the hacker is up against?
    Now let's increase the Charset Size a little bit by adding a pipe to the beginning and end:
    Length: 30
    Strength: Very Strong - More often than not, this level of security is overkill.
    Entropy: 154.5 bits
    Charset Size: 92 characters

    And let's add an accent too:
    Length: 30
    Strength: Very Strong - More often than not, this level of security is overkill.
    Entropy: 188.9 bits
    Charset Size: 252 characters

    Letter substitution and symbol use is better than using just letters and spaces. End of. Longer passwords will always be better but the previous rule still holds true.
    Kibaruk and JohnCB like this.
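Added example, not part of the thread and not the linked tool's algorithm: it compares a per-character estimate (length times log2 of the charset size) with an estimate based on how the password was generated. The 2048-word list, the class sizes, the substitution map and the 32 separator candidates are assumptions of this example.

```python
import math
import string

# Character classes a strength meter might count (sizes assumed here).
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (" ", 1),
    (string.punctuation, 32),
]

# Hypothetical substitution map: each listed letter may or may not be swapped.
SUBSTITUTIONS = {"a": "@", "e": "3", "o": "0", "s": "$", "t": "7"}


def charset_size(password):
    """Sum the sizes of every character class that appears in the password."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def per_character_bits(password):
    """Treat every character as an independent, uniform draw from the charset."""
    return len(password) * math.log2(charset_size(password))


def generator_bits(words, wordlist_size=2048, substituted=False, separators=1):
    """Estimate for someone who knows the scheme: words drawn uniformly from a
    list, one shared separator, and an on/off choice per swappable letter."""
    bits = len(words) * math.log2(wordlist_size) + math.log2(separators)
    if substituted:
        # Upper bound: one binary choice for each letter that could be swapped.
        bits += sum(ch in SUBSTITUTIONS for w in words for ch in w)
    return bits


def apply_substitutions(words, sep):
    """Swap every swappable letter and join the words with sep."""
    return sep.join("".join(SUBSTITUTIONS.get(c, c) for c in w) for w in words)


if __name__ == "__main__":
    words = ["correct", "horse", "battery", "staple"]  # phrase from the post
    for pw, sub, seps in ((" ".join(words), False, 1),
                          (apply_substitutions(words, "-"), True, 32)):
        print(f"{pw!r}: charset {charset_size(pw)}, "
              f"per-character {per_character_bits(pw):.1f} bits, "
              f"generator model {generator_bits(words, 2048, sub, seps):.1f} bits")
```

Under these assumptions the substitutions do add bits in both models, while the per-character figure is far larger than the generator-model figure for the same string.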
  9. The thing is the dumbest idea ever heard. The best phrase meaning passphrase. Just because using uppercase letters and lowercase letters it does not make you any more secure than somebody who uses a passphrase, let's say like "Just left over pizza": easy to remember, hard to guess. I would you like to be the admin it would change his passwords reset passwords on almost a daily basis because people forget it; it's too complex to remember.
  10. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,725   +3,699

    If all used passwords can be counted, then what's the point in having security? Using security means they don't know which passwords people use.

    If asked I will likely tell them I use "123456", just to keep from telling them which one I really do use. This research is BS, or we really don't have security no matter how strong our password is.
  11. Everyone's missing the point. The problem these days is account overload. I have 77 different accounts (e-mail, social media, shopping, SSID's etc.) I actually do use a different password for every account. Although I have a system in place for doing that and actually remembering what the damn passwords are, most people don't. So what do they do? They either start using the same password for everything, or they use passwords that are so stupid simple, they won't forget them. I have to "have an account" with every single online vendor I make purchases from, from every online service I use. It's ridiculous - 77 frikken accounts. We need to get rid of passwords altogether and come up with something different, like fingerprint.
  12. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +902

    This research comes from hacked sites that get their passwords published, it's not like they go on the street and ask "hey good sir, could you please tell me the passwords you use on a daily basis?"............
  13. stewi0001

    stewi0001 TS Evangelist Posts: 1,681   +1,080

    Spaceballs #3
  14. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,725   +3,699

    OK - Let's ask @Julio Franco if TechSpot got hacked how many of our passwords would be revealed. I'm betting the number will be 0, because the passwords are not stored in plain text. And if the top ten are from old accounts, there is no wonder they are staying in the top ten. Wouldn't surprise me because apparently the hacked sites are old and outdated with insecure password listings in plain text.
  15. Julio Franco

    Julio Franco TechSpot Editor Posts: 7,671   +988

    I'm no expert but my understanding is that our backend stores passwords hashed and salted. At the very least, no plain text here :cool:
    slamscaper likes this.
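What "hashed and salted" storage means for a leaked table, as an added example that is not TechSpot's backend code: PBKDF2-HMAC-SHA256, the iteration count, the record layout and the constructed password list are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, digest), with a fresh random salt per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hash_password(password, salt, iterations)[2]
    return hmac.compare_digest(candidate, expected)


def unsalted(password):
    """The weak 'before': a fast, unsalted hash. Identical passwords collide."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def largest_group(values):
    """Size of the biggest set of identical stored values in a table."""
    return Counter(values).most_common(1)[0][1]


if __name__ == "__main__":
    # Constructed sample of account passwords, not taken from any real dump.
    accounts = ["123456", "password", "123456", "qwerty", "123456"]
    weak_table = [unsalted(p) for p in accounts]
    salted_table = [hash_password(p) for p in accounts]
    print("unsalted: largest group of identical hashes =", largest_group(weak_table))
    print("salted:   largest group of identical hashes =",
          largest_group([digest for _, _, digest in salted_table]))
    print("login still works:", verify_password("123456", salted_table[0]))
```

A per-account salt stops identical passwords from showing up as identical values in the table, but a weak password can still be guessed one record at a time, so the work factor and the password itself still matter.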
