The Most Common Password Is . . . . . seinfeld?



  • In 2011, over 37,000 users of Sony Pictures and Sony Music were hacked.  The alleged perpetrators, LulzSec, published their theft results as a public torrent. Troy Hunt, a software architect, analyzed those hacked accounts, in addition to the December 2010 hack of Gawker Media (where 188,000 accounts were also hacked and published online). Here is a summary of Troy Hunt's findings:

    1. People Reuse Their Passwords for Multiple Systems
    2. Most People Choose Plain Text / Number Passwords, With No Special Characters
    3. The Most Common Password Is "seinfeld"


     

     

     



  •  If they're including Gawker, then I would completely believe that it was a massive collection of bullshit accounts held by one person. The minion accounts would upvote the favored account and troll other accounts. It might be akin to a social botnet.



  •  I wonder how common senfield is?



  • @El_Heffe said:

    The Most Common Password Is "seinfeld"
     

    Or maybe there were a whole ton of null fields, and he did his analysis in VB, and mistook what the most common output meant.



  • @El_Heffe said:

    The Most Common Password Is "seinfeld"
    What is the [i]deal[/i] with [i][b]that[/b][/i]?



  • I bet Sony was heavily promoting Seinfeld when those accounts were created.



  • Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...seinfeld?



  • The actual article that Troy Hunt wrote is much more interesting, and it's not clear if seinfeld was the most popular password, though it's implied. The data actually comes from the Sony breach, since they were entirely plain-text, unlike the slightly hashed Gawker passwords.



  • Agreed. That list is probably in no particular order, especially since 'password' also appears in the list.



  • Tigger is more popular than I realised....



  • @LoremIpsumDolorSitAmet said:

    Agreed. That list is probably in no particular order, especially since 'password' also appears in the list.

    The article specifically says that seinfeld was the most popular password.  What kind of terrible world are we living in when you can trust something you read on the internet?

     



  • "Thank you for creating an account with us. Your password has been set to 'seinfeld'. Good luck finding the link that lets you change it"



  • @El_Heffe said:

    Most People Choose Plain Text / Number Passwords, With No Special Characters
     

    All my credit cards' online sites require that the password be alphanumeric and no longer than 8 characters.

    Also, one of them requires the username to contain at least one digit. I understood that from reading the validating JavaScript; it wasn't written anywhere on the site. I've no idea how other people create accounts with the site.



  • @levbor said:

    @El_Heffe said:
    Most People Choose Plain Text / Number Passwords, With No Special Characters
     

    All my credit cards' online sites require that the password be alphanumeric and no longer than 8 characters.

    Also, one of them requires the username to contain at least one digit. I understood that from reading the validating JavaScript; it wasn't written anywhere on the site. I've no idea how other people create accounts with the site.

    People use stupid passwords and use the same passwords across multiple sites because they are lazy and stupid. But, even if you're not lazy and stupid, too many websites make it difficult or impossible to use a "good" password.

    In addition to not allowing long/complex passwords, another problem is websites constantly changing their URLs. For example, if I wanted to access my credit card online I would go to creditcard.bankname.com, but then they changed it and that URL now redirects to bankname.com/creditcard, so the password manager in my web browser doesn't recognize the new URL. That means I have to dig around and find the password so I can enter it manually.

    And just for an extra measure of fake security, they use a bit of code that tells my browser not to save the password. (Sometimes, but not always, I can over-ride that with a bit of Javascript, but seriously WTF, don't go out of your way to make things harder.)

    And of course none of that really matters. Even if you did create a "good" password, it's probably stored somewhere in plain-text and most of these sites can be hacked  by a blind, retarded monkey.

     



  • @SCB said:

    "Thank you for creating an account with us. Your password has been set to 'seinfeld'. Good luck finding the link that lets you change it"

     

    And when you fail to supply good information, the site goes, NO ACCOUNT FOR YOU.

     



  • @El_Heffe said:

    most of these sites can be hacked  by a blind, retarded monkey.
     

    Just imagine.



  • @El_Heffe said:

    @levbor said:

    @El_Heffe said:
    Most People Choose Plain Text / Number Passwords, With No Special Characters
     

    All my credit cards' online sites require that the password be alphanumeric and no longer than 8 characters.

    Also, one of them requires the username to contain at least one digit. I understood that from reading the validating JavaScript; it wasn't written anywhere on the site. I've no idea how other people create accounts with the site.

    People use stupid passwords and use the same passwords across multiple sites because they are lazy and stupid. But, even if you're not lazy and stupid, too many websites make it difficult or impossible to use a "good" password.

    In addition to not allowing long/complex passwords, another problem is websites constantly changing their URLs. For example, if I wanted to access my credit card online I would go to creditcard.bankname.com, but then they changed it and that URL now redirects to bankname.com/creditcard, so the password manager in my web browser doesn't recognize the new URL. That means I have to dig around and find the password so I can enter it manually.

    And just for an extra measure of fake security, they use a bit of code that tells my browser not to save the password. (Sometimes, but not always, I can over-ride that with a bit of Javascript, but seriously WTF, don't go out of your way to make things harder.)

    And of course none of that really matters. Even if you did create a "good" password, it's probably stored somewhere in plain-text and most of these sites can be hacked  by a blind, retarded monkey.

     

    My university blocks saving of the password for their portal we students have to use. I found a Chrome extension to override it (which of course is done through JavaScript anyways). Now I save on all the sites! meme.jpg



  • @El_Heffe said:

    Even if you did create a "good" password, it's probably stored somewhere in plain-text and most of these sites can be hacked  by a blind, retarded monkey.
    For "somewhere", read "a Post-It note stuck to the monitor frame".



  • @da Doctah said:

    @El_Heffe said:

    Even if you did create a "good" password, it's probably stored somewhere in plain-text and most of these sites can be hacked by a blind, retarded monkey.
    For "somewhere", read "a Post-It note stuck to the monitor frame".

    And I thought those Braille Post-It notes would never catch on



  • @RTapeLoadingError said:

    @da Doctah said:

    @El_Heffe said:

    Even if you did create a "good" password, it's probably stored somewhere in plain-text and most of these sites can be hacked by a blind, retarded monkey.
    For "somewhere", read "a Post-It note stuck to the monitor frame".

    And I thought those Braille Post-It notes would never catch on

    We've taught gorillas sign language. Have we taught monkeys braille?



  • @Ben L. said:

    @RTapeLoadingError said:
    @da Doctah said:

    @El_Heffe said:

    Even if you did create a "good" password, it's probably stored somewhere in plain-text and most of these sites can be hacked by a blind, retarded monkey.
    For "somewhere", read "a Post-It note stuck to the monitor frame".

    And I thought those Braille Post-It notes would never catch on

    We've taught gorillas sign language. Have we taught monkeys braille?

    Yep - even the ones with learning difficulties



  • @El_Heffe said:

    People use stupid passwords and use the same passwords across multiple sites because they are lazy and stupid.. But, even if you're not lazy and stupid, too many websites make it difficult or impossible to use a "good" password.

     

    I have a low security password that I use nearly everywhere. For example, it is my password for thedailywtf. It is also my password for slashdot. What do I care if someone steals that password? Can he cost me money? Can he destroy my (feeble) reputation? Can he cost me my job? FYI my low security password has a special character but no digits.

    The sites I hate are the ones that demand that you have a special format for your password. My low-security password has no digit in it. So if TheDailyWTF demands a digit, I'll just stop going to that site. Why memorize a special password for something so unimportant?

    My most valuable resource is space in my memory. I have no intention of memorizing a different password for every web site. My brain has more useful things to remember than that.

    The administrator accounts on the servers that I manage have a special password that I have told my boss. My personal accounts on these servers have a different password.

    All my bank accounts have a VERY high security password. FYI my high security password was seven characters, and my bank would not accept less than eight. So I added "fy" to the end and the bank would accept more than eight characters. So that's why my high security password ends in "f".

     



  • Didn't recognise you there Andy, had a shave?



  •  A year ago my ex-wife and my mistress ganged up on me and cut it all off. A couple of months ago I grew a trim white beard. So the face keeps changing. Hair on top still short.



  • I was referring to your avatar but...
    @AndyCanfield said:

    my mistress

    This why you have an ex-wife?
    @AndyCanfield said:
    A couple of months ago I grew a trim white beard.

    I still have my Movember mo. It's grown on me...



  • I had a beautiful Thai wife. When we had a kid she went into chastity and I went into shopping. Hooked up with an old friend of hers. For several years I had the wife in one town and the mistress in the other town and spent a few days with each. Then the good-looking wife decided to sell herself on the market, but the ugly mistress is still with me. They are still good friends. Each has a child by me and the two boys are good friends too.

    I am a polygamist in the sense that I believe it's OK. I do not have two wives right now, but I have had and I think it's OK as long as there are no secrets. How do you keep two women satisfied? Go learn from the Mormons; I did. They know how. I even own DVDs of "Big Love" season one and have used it as a training film. The key word is "security". I will take care of both of the ladies for as long as I can, as long as they want my care. I still love both of them, even though the pretty one has a new boyfriend.




  • @AndyCanfield said:

    My most valuable resource is space in my memory. I have no intention of memorizing a different password for every web site. My brain has more useful things to remember than that.

    If you need to use your brain to remember more than one strong password - the one that gets you into your password management software (e.g. KeePass) - you're doing it wrong. And once you're comfortable with using KeePass or similar to manage your high-security passwords, there is no longer any reason to avoid using it to manage all your passwords and making them all strong and unique.

    Seven characters, assuming each is drawn randomly from a roughly six-bit alphabet, is under 45 bits of entropy. That's pretty pissweak: anybody with the resources to steal your bank's database of hashed passwords will probably also have access to hardware capable of running hundreds of millions of brute-force crack attempts against them per second.
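
The arithmetic behind the post above, worked through as an added example (not part of the original thread). The guess rate of 3e8 per second is an assumed reading of "hundreds of millions", the 62-symbol alphabet assumes the 8-character alphanumeric cap mentioned earlier in the thread is case-sensitive, and the 128-bit target is an illustrative choice.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 3e8  # assumption: one reading of "hundreds of millions" per second

def entropy_bits(length, alphabet_size):
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate; the average case is half of this."""
    return 2 ** bits / rate

def length_for_bits(target_bits, alphabet_size):
    """Shortest uniformly random password that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate(target_bits=128, alphabet=string.ascii_letters + string.digits):
    """Random password of the kind a password manager produces (OS CSPRNG)."""
    n = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    cases = {
        "7 chars, 6-bit alphabet (the post's case)": entropy_bits(7, 64),
        "8 chars, alphanumeric cap (62 symbols)": entropy_bits(8, 62),
        "22 chars, alphanumeric, generated": entropy_bits(22, 62),
    }
    for label, bits in cases.items():
        print(f"{label}: {bits:.1f} bits, exhausted in {human(seconds_to_exhaust(bits))}")
    print("generated example:", generate())
```

These figures are upper bounds that hold only for uniformly random characters and a fast hash; a human-chosen word such as "seinfeld" is found by a dictionary pass long before the keyspace is exhausted.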



  • I suppose I should look into KeePass; it's available for my Linux home system. I suppose there's a way to store the encrypted database on a server so I can use my passwords when I'm on somebody else's computer?

    I do have an encrypted ASCII file holding all my passwords. It can only be decrypted using my PGP private key. I've had that PGP key pair since about 1992. Come to think of it, where is my backup of my PGP key pair? Must be somewhere on CD.

     

     

     

