# Most common passwords 2012



## dpeters11

The 2012 edition of most popular (and bad) passwords.

Fortunately none of mine are on the list. Even I wouldn't be able to guess most of my passwords, so not much concern there.

http://news.cnet.com/8301-1009_3-57538774-83/jesus-welcome-join-list-of-worst-passwords/


----------



## jimmie57

I have many accounts online. No way to keep up with the passwords, security questions and answers, etc. for each of them except to write them down. I know you are not supposed to do that, but, when you are 69 you do not have a choice.


----------



## kfcrosby

dpeters11 said:


> The 2012 edition of most popular (and bad) passwords.
> 
> Fortunately none of mine are on the list. Even I wouldn't be able to guess most of my passwords, so not much concern there.
> 
> http://news.cnet.com/8301-1009_3-57538774-83/jesus-welcome-join-list-of-worst-passwords/


Good way to check...

http://howsecureismypassword.net/

tells me it will take 71 quadrillion years to crack mine open

Kevin


----------



## kfcrosby

jimmie57 said:


> I have many accounts online. No way to keep up with the passwords, security questions and answers, etc. for each of them except to write them down. I know you are not supposed to do that, but, when you are 69 you do not have a choice.


Or you can always use something like LastPass

https://lastpass.com/


----------



## Earl Bonovich

Good...

Th3s3Rn0tTh3dr0!dsY0urL00k!ng4 is still safe.


----------



## Carl Spock

My password strength varies by the site.

For a site like this, it's easy. I use the same password for all of my forums. Right now it's an unusual, probably not in the dictionary, word but it was a common five letter word for over a decade.

The password to sign onto my Wi-Fi is a similarly easily remembered word that even ties into the network's name. You give that to friends when they come over. It should be easy for everyone to remember. I live in a small enough town where being relaxed isn't a problem. Heck, my neighbor has a wide open network. I could sign onto his today.

My bank ones? Capitals, lower case letters, symbols and numbers. And long. Long is the best bet.


----------



## dmurphy

kfcrosby said:


> Good way to check...
> 
> http://howsecureismypassword.net/
> 
> tells me it will take 71 quadrillion years to crack mine open
> 
> Kevin


You mean a website where I can enter and transmit my supposedly "secure" password and send it in cleartext?

Sign me up!


----------



## dpeters11

kfcrosby said:


> Good way to check...
> 
> http://howsecureismypassword.net/
> 
> tells me it will take 71 quadrillion years to crack mine open
> 
> Kevin


Amateur 
My GMail password:
3 quintillion quinquagintillion years

And that's before working on the required two factor.
Of course even one quadrillion years is many many times older than the age of the Universe. I set mine like I did more for fun, not for any real practical reason. And I didn't even set it to GMail's max length. But, since all the other sites have that as my email, any password resets go there, so I wanted to make sure it was one of my most secure. Then I set the recovery address for Gmail to a randomly generated (as much as email addresses can be) address on a different provider, with a random password.

I highly recommend LastPass as well. It really does "set you free." No longer having to remember which password is used where, with the various stupid requirements sites throw at you. "Must be a secure password, but cannot use symbols." "Cannot be more than 8 characters", etc.


----------



## dpeters11

dmurphy said:


> You mean a website where I can enter and transmit my supposedly "secure" password and send it in cleartext?
> 
> Sign me up!


That's not how the site works. Everything is done on the local system in Javascript. They never get the password.

Besides if your password is say: !K8z83l&*XBJ#y, you'd get the same answer as to security if you put !K9zg32&*XnJ#r and there would be too many differences to figure out.


----------
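The estimate dpeters11 describes (same length and same character classes give the same answer) is what a class-and-length brute-force calculator does. The block below is an added example written for this page, not the code behind howsecureismypassword.net, whose guess rate and character-class tables are not on the page; the 4 billion guesses per second figure is an assumption standing in for a single desktop.

```python
import math
import string

# Assumed guess rate for one desktop PC trying passwords offline.
# howsecureismypassword.net's real constant is not on the page.
GUESSES_PER_SECOND = 4_000_000_000

# Each class counts fully as soon as one character from it appears,
# because the attacker has to enumerate the whole class.
CHAR_CLASSES = (
    ("lower", set(string.ascii_lowercase)),          # 26
    ("upper", set(string.ascii_uppercase)),          # 26
    ("digit", set(string.digits)),                   # 10
    ("symbol", set(string.punctuation + " ")),       # 33
)


def keyspace_per_char(password):
    """Alphabet size an attacker must assume, given the classes actually used."""
    size = 0
    for _name, chars in CHAR_CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    return size


def entropy_bits(password):
    """Search-space size in bits: length * log2(alphabet)."""
    return len(password) * math.log2(keyspace_per_char(password))


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to enumerate every string of this length over this alphabet."""
    return keyspace_per_char(password) ** len(password) / rate


def same_estimate(a, b):
    """True when the calculator cannot tell a and b apart (same length, same classes)."""
    return len(a) == len(b) and keyspace_per_char(a) == keyspace_per_char(b)


if __name__ == "__main__":
    # Constructed inputs: the two strings from the post above, plus a dictionary word.
    for pw in ("!K8z83l&*XBJ#y", "!K9zg32&*XnJ#r", "password", "zqxjkvbn"):
        print(f"{pw:16} {entropy_bits(pw):6.1f} bits  {brute_force_seconds(pw):14.1f} s")
```

The caveat the estimate hides: `password` and `zqxjkvbn` get identical scores here, yet the first falls to a wordlist in the first few guesses. Class-and-length calculators measure the space an attacker would have to search if they knew nothing, not how quickly a real cracker that tries dictionary words and common patterns first will land on yours.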



## dpeters11

Carl Spock said:


> My password strength varies by the site.
> 
> For a site like this, it's easy. I use the same password for all of my forums. Right now it's an unusual, probably not in the dictionary, word but it was a common five letter word for over a decade.
> 
> The password to sign onto my Wi-Fi is a similarly easily remembered word that even ties into the network's name. You give that to friends when they come over. It should be easy for everyone to remember. I live in a small enough town where being relaxed isn't a problem. Heck, my neighbor has a wide open network. I could sign onto his today.
> 
> My bank ones? Capitals, lower case letters, symbols and numbers. And long. Long is the best bet.


Keep in mind, these days there are a large number of wi-fi networks that are easy to get into even with WPA2 encryption and no need to figure out the passcode.

As for banks, be careful. I know with Chase, case doesn't matter in the password field. They switch everything to lowercase. So if the password is QweRtY (or at least you think it is), they'll accept qwerty, qWerTY etc all as valid. Guess it's to reduce calls to customer service when someone leaves cap lock on...


----------



## Earl Bonovich

dpeters11 said:


> As for banks, be careful. I know with Chase, case doesn't matter in the password field. They switch everything to lowercase. So if the password is QweRtY (or at least you think it is), they'll accept qwerty, qWerTY etc all as valid. Guess it's to reduce calls to customer service when someone leaves cap lock on...


I bet it had more to do with easier password entry on Mobile Devices...


----------



## dpeters11

Maybe. Still don't like it, or any other restrictions that aren't a minimum requirement. Google's max is 200 characters, that I am fine with.


----------



## Laxguy

kfcrosby said:


> Good way to check...
> 
> http://howsecureismypassword.net/
> 
> tells me it will take 71 quadrillion years to crack mine open
> 
> Kevin


Hmmmm. Except for the folks who have access to the PW you put in there. Then it'll take about ten seconds...:sure:


----------



## The Merg

Earl Bonovich said:


> Good...
> 
> Th3s3Rn0tTh3dr0!dsY0urL00k!ng4 is still safe.


> It would take a desktop PC about 3 duodecillion years to crack your password


Yeah, that's secure.

- Merg


----------



## Laxguy

dpeters11 said:


> Amateur
> My GMail password:
> 3 quintillion quinquagintillion years


Very impressive!

However, I am at the opposite end of the spectrum. I can't imagine why anyone would want access to my e-mail on Google, and if they did get it, can't imagine what harm they could do with it.


----------



## dpeters11

Laxguy said:


> Hmmmm. Except for the folks who have access to the PW you put in there. Then it'll take about ten seconds...:sure:


How would they? It still works with no connection to the Internet. It's all javascript. That's client side, not server side.

Though I guess they could be hacked themselves, the site changed etc.


----------



## dpeters11

Laxguy said:


> Very impressive!
> 
> However, I am at the opposite end of the spectrum. I can't imagine why anyone would want access to my e-mail on Google, and if they did get it, can't imagine what harm they could do with it.


If it's where sites send the emails when you hit a forgot my password link, it can do quite a bit of harm if they get in, or if it's what you have your primary email recovery address set to.


----------



## Laxguy

7. letmein (up 1)

This puzzled me for a bit, not being a word I knew, and thinking it looked sorta Germanic. Then, duh! it hit me. Or ithitme. :lol:


----------



## Laxguy

dpeters11 said:


> How would they? It still works with no connection to the Internet. It's all javascript. That's client side, not server side.
> 
> Though I guess they could be hacked themselves, the site changed etc.


Yes, I see that the guesstimates can be all client side, but how do we know the site isn't passing on the entry at some point? I have no reason to suspect it, but it's certainly possible to do.


----------



## RunnerFL

jimmie57 said:


> I have many accounts online. No way to keep up with the passwords, security questions and answers, etc. for each of them except to write them down. I know you are not supposed to do that, but, when you are 69 you do not have a choice.


There are apps that can store passwords for you. All you have to remember is the password to the app.


----------



## RunnerFL

kfcrosby said:


> Good way to check...
> 
> http://howsecureismypassword.net/
> 
> tells me it will take 71 quadrillion years to crack mine open
> 
> Kevin


It tells you that, then it stores it.


----------



## dennisj00

One other thing for most any site that you enter credit card or other financial info, be sure that the login page is already a http*S*: SSL encrypted page.

Never put any critical info in a site that is just HTTP:


----------



## TXD16

kfcrosby said:


> Or you can always use something like LastPass
> 
> https://lastpass.com/


I'd be lost without LastPass (and so would most of my passwords)!


----------



## RunnerFL

dennisj00 said:


> One other thing for most any site that you enter credit card or other financial info, be sure that the login page is already a http*S*: SSL encrypted page.
> 
> Never put any critical info in a site that is just HTTP:


And not just https, https with a trusted certificate.


----------



## dpeters11

"RunnerFL" said:


> And not just https, https with a trusted certificate.


Very true. Fortunately more and more sites are defaulting to https, especially after Firesheep. Unfortunately, it means nothing for how they actually store your password.


----------



## RunnerFL

dpeters11 said:


> Very true. Fortunately more and more sites are defaulting to https, especially after Firesheep. Unfortunately, it means nothing for how they actually store your password.


I can't speak for other packages but I know Apache comes with a self-signed cert. Too many people are happy enough just using that and people who come to their site think that's safe enough. 

I use namecheap.com and get a $10 a year cert for my personal domains and I don't even collect people's info.


----------



## dennisj00

I would expect anyone collecting financial information of any kind to have a valid SSL cert.

However, how they store your password and keep it away from hackers is a different story these days. Never use the same login with the same password for critical sites.


----------



## spartanstew

Carl Spock said:


> For a site like this, it's easy. I use the same password for all of my forums. Right now it's an unusual, probably not in the dictionary, word but it was a common five letter word for over a decade.


Bosco?


----------



## dpeters11

"dennisj00" said:


> I would expect anyone collecting financial information of any kind to have a valid SSL cert.
> 
> However, how they store your password and keep it away from hackers is a different story these days. Never use the same login with the same password for critical sites.


Unfortunately some companies etc are just cheap. I've seen many times, security is not taken seriously until a breach, and sometimes not even then. Or they take it seriously for 6 months etc, then back to the old ways.


----------



## dennisj00

I don't bank or buy from those companies. . .


----------



## dpeters11

But you don't know. Sure they may have a valid signed ssl cert. You have no idea how it's stored, some sort of breach due to lax security.

How long was it before B&N realized they had credit card machines tampered with?


----------



## Drucifer

I have a method for remembering different PW for different sites by matching up the initials of the site with initials of relatives in my family tree and using a date of importance to that relative.

It does help being the family genealogist.


----------



## Davenlr

All this about security, and the banks only allow a 4 number pin...go figure.


----------



## dpeters11

"Davenlr" said:


> All this about security, and the banks only allow a 4 number pin...go figure.


The story goes that the inventor was going to use a 6 digit number, but his wife said she could only remember 4.


----------



## RunnerFL

dennisj00 said:


> I would expect anyone collecting financial information of any kind to have a valid SSL cert.


You would expect it but it isn't always that way.


----------



## yosoyellobo

I was wondering what was the most secure password that I could use and not have any trouble remembering. I came up with this.

[email protected]

According to howsecureismypassword.net

It would take a desktop PC about 3 septendecillion years to crack your password.

Damn, now I have to change it.


----------



## dpeters11

But most sites wouldn't let you use it. That's the real issue. We need all sites to get rid of their max length and allow all special characters.


----------



## wilbur_the_goose

passwords will be ancient history in 10 years. Biometrics will rule the day. 

Three factor authentication will be commonplace.


----------



## yosoyellobo

wilbur_the_goose said:


> passwords will be ancient history in 10 years. Biometrics will rule the day.
> 
> Three factor authentication will be commonplace.


Until we get to the quantum computer age.


----------



## dpeters11

"wilbur_the_goose" said:


> passwords will be ancient history in 10 years. Biometrics will rule the day.
> 
> Three factor authentication will be commonplace.


Just hoping it's good biometric security, not like we got with UPEK. But I don't see that becoming common with online accounts. Maybe OpenID or Steve Kirsch's OneID, but having it controlled by one company is problematic. Liked his mouse though.


----------



## djlong

Any site that lets a 'bot slam an account for a million tries without shutting it off is NOT a secure site.


----------



## AntAltMike

It was just reported on Russia Today that, until 1977, the passcode to launch United States nuclear missiles was 00000000.


----------



## AntAltMike

It must be true. it's on the internet.

http://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587

*For 20 Years the Nuclear Launch Code at US Minuteman Silos Was 00000000*
Today I found out that during the height of the Cold War, the US military put such an emphasis on a rapid response to an attack on American soil, that to minimize any foreseeable delay in launching a nuclear missile, for nearly two decades they intentionally set the launch codes at every silo in the US to 8 zeroes.

We guess the first thing we need to address is how this even came to be in the first place. Well, in 1962 JFK signed the National Security Action Memorandum 160, which was supposed to ensure that every nuclear weapon the US had be fitted with a Permissive Action Link (PAL), basically a small device that ensured that the missile could only be launched with the right code and with the right authority.

There was particularly a concern that the nuclear missiles the United States had stationed in other countries, some of which with somewhat unstable leadership, could potentially be seized by those governments and launched. With the PAL system, this became much less of a problem....
To give you an idea of how secure the PAL system was at this time, bypassing one was once described as being "about as complex as performing a tonsillectomy while entering the patient from the wrong end." This system was supposed to be essentially hot-wire proof, making sure only people with the correct codes could activate the nuclear weapons and launch the missiles.

However, though the devices were supposed to be fitted on every nuclear missile after JFK issued his memorandum, the military continually dragged its heels on the matter. In fact, it was noted that a full 20 years after JFK had ordered PALs be fitted to every nuclear device, half of the missiles in Europe were still protected by simple mechanical locks. Most that did have the new system in place weren't even activated until 1977.

Those in the U.S. that had been fitted with the devices, such as ones in the Minuteman Silos, were installed under the close scrutiny of Robert McNamara, JFK's Secretary of Defence. However, The Strategic Air Command greatly resented McNamara's presence and almost as soon as he left, the code to launch the missiles, all 50 of them, was set to 00000000.

Oh, and in case you actually did forget the code, it was handily written down on a checklist handed out to the soldiers. As Dr. Bruce G. Blair, who was once a Minuteman launch officer, stated:....

This ensured that there was no need to wait for Presidential confirmation that would have just wasted valuable Russian nuking time. To be fair, there was also the possibility that command centers or communication lines could be wiped out, so having a bunch of nuclear missiles sitting around un-launchable because nobody had the code was seen as a greater risk by the military brass than a few soldiers simply deciding to launch the missiles without proper authorization.

Dr. Blair, whose resume to date is far too long to write out here, is the one who broke this "8 zeros" news to the world in his 2004 article "Keeping Presidents in the Nuclear Dark." He also outlined the significant disconnect between the nation's elected leaders and the military when it came to nuclear weapons during the Cold War....


----------



## AntAltMike

The source report that the world ignored was published on February 11, 2004. http://web.archive.org/web/20040404013440/http://www.cdi.org/blair/permissive-action-links.cfm


----------



## yosoyellobo

At least it was not 12345.


----------



## carl6

Having worked with quite a few nuclear weapons in that time frame, some with and some without Permissive Action Link locks, I will assure you that at least part of that report is not accurate. Other parts I do not have first hand knowledge of to comment on, other than to seriously doubt the validity or accuracy of the report.


----------



## AntAltMike

yosoyellobo said:


> At least it was not 12345.


I remember back when vanity plates were uncommon, and a university professor I was with noticed the license plate of the car in front of us, 0 2 4 6 8 0, and said "Look at that! If it wasn't for the "6", they'd be in a pattern."


----------



## Laxguy

Carl Spock said:


> My password strength varies by the site.
> 
> My bank ones? Capitals, lower case letters, symbols and numbers. And long. Long is the best bet.


But, but, that's only four letters!


----------



## dpeters11

I think Fidelity's password policy is the worst I've ever seen. Even to log in online, it's all based on a phone compatible password. So for the letter b in a password, the system will accept a,b, c or the number 2. And of course it's case insensitive.


----------



## dennisj00

But you're always behind a https page even before you login with Fidelity and most banks.(all banks that I use)


----------



## dpeters11

Yes, but if their database is ever hacked, every single Fidelity password would very easily be cracked. Capital One's passwords aren't case sensitive. There is just no good reason for it.


----------



## dennisj00

And I would expect the passwords in the database to be encrypted with additional keys from your information.


----------



## dpeters11

Yeah, that alone just isn't good enough to make me comfortable, but for my HSA, I'm required to use them for pretax deposits from my pay. But then I use two factor wherever I can. No one should be prevented from choosing a random mixed case 20 character password with symbols. If the passwords are hashed and salted properly, there is no reason to not allow it.


----------
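"Hashed and salted properly" in the post above means: a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison on login. The block below is an added example for this page, not code from any bank or from LastPass; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the 600,000 iteration count is OWASP's current recommendation for that function, which is an assumption about what "properly" should mean today rather than anything the thread states.

```python
import hashlib
import hmac
import os

# Work factor: OWASP's current figure for PBKDF2-HMAC-SHA256 (assumption, not from the thread).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, so one cracked hash reveals nothing about
    the other and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute and compare in constant time; no lowercasing or other normalisation,
    so 'QweRtY' and 'qwerty' are different credentials."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def stored_record(password):
    """Self-describing storage format: algorithm, work factor, salt, digest.
    Keeping the iteration count in the record lets it be raised later without
    invalidating old users (they get re-hashed at their next successful login)."""
    salt, digest = hash_password(password)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(password, record):
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    return verify_password(password, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters))


if __name__ == "__main__":
    # Constructed demo: two users, same password, different records.
    alice = stored_record("correct horse battery staple")
    bob = stored_record("correct horse battery staple")
    print(alice != bob, verify_record("correct horse battery staple", alice))
```

Note what this does not do: it never stores the password, never truncates it, never folds case, and imposes no maximum length, which is dpeters11's point. A site whose password field is case-insensitive or capped at 12 characters is telling you something about what it does before hashing, if it hashes at all.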



## billsharpe

dpeters11 said:


> I think Fidelity's password policy is the worst I've ever seen. Even to log in online, it's all based on a phone compatible password. So for the letter b in a password, the system will accept a,b, c or the number 2. And of course it's case insensitive.


That's enough reason to make your password lengthy and not a combination of real words. First letters of phrases or sentences that you can easily remember (but no one else can) work well. Put in a number 4 instead of an F for "for", as an example.

The sites I dislike are the ones that limit the length of your password to 8 or 10 characters.

And which is the better password -- 00000000, 12345, EGBDF (for a musician), LETMEIN, or PASSWORD?


----------



## dpeters11

billsharpe said:


> That's enough reason to make your password lengthy and not a combination of real words. First letters of phrases or sentences that you can easily remember (but no one else can) work well. Put in a number 4 instead of an F for "for", as an example.
> 
> The sites I dislike are the ones that limit the length of your password to 8 or 10 characters.
> 
> And which is the better password -- 00000000, 12345, EGBDF (for a musician), LETMEIN, or PASSWORD?


But that's the point, it doesn't matter how complex the password is. In Fidelity's case, the max length is 12 characters, minimum 6. Since it accepts 4 different options for each character in the password as valid, that reduces the entropy.

Now, I did just log in and it looks like they added a secret answer portion. Two of the four allow up to 31 characters, one only takes 10, and the last only allows a 4 digit number. :bang


----------
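Two posts in this thread describe servers that normalise a password before checking it: Chase and Capital One folding case, and Fidelity collapsing each letter onto its telephone keypad digit so that `b` matches `a`, `b`, `c` or `2`. The block below is an added example for this page, not code from either bank; it reproduces both normalisations and counts what they do to the search space an attacker faces after a database breach. The 4 billion guesses per second rate is an assumption for a single desktop, and the assumption that only letters and digits are used (the page says nothing about symbols under Fidelity's policy) is marked in the code.

```python
import math

# Standard telephone keypad letter groups.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}


def fold_case(password):
    """What a case-insensitive login does before comparing."""
    return password.lower()


def fold_keypad(password):
    """Phone-compatible policy: every letter becomes its keypad digit, digits stay,
    anything else passes through (assumption: the page does not say how symbols are handled)."""
    return "".join(LETTER_TO_KEY.get(ch.lower(), ch) for ch in password)


def equivalent(a, b, fold):
    """True when the server would accept b for an account whose password is a."""
    return fold(a) == fold(b)


# Per-position alphabet the attacker has to search, assuming letters and digits only.
ALPHABET = {
    "exact": 26 + 26 + 10,        # case preserved
    "case_insensitive": 26 + 10,  # upper and lower collapse
    "keypad": 10,                 # every letter collapses to one of the digits 2-9
}


def search_space_bits(length, policy):
    return length * math.log2(ALPHABET[policy])


def folded_brute_force_seconds(length, policy, rate=4e9):
    """Time to enumerate the whole folded space offline; only worthwhile if the
    stored hash is fast, but under these policies the space is tiny anyway."""
    return ALPHABET[policy] ** length / rate


if __name__ == "__main__":
    # Constructed inputs: the post's QweRtY, plus a different string that the
    # keypad policy cannot tell apart from it.
    print(fold_keypad("QweRtY"), equivalent("QweRtY", "Pxfsuz", fold_keypad))
    for policy in ALPHABET:
        print(f"{policy:17} 12 chars: {search_space_bits(12, policy):5.1f} bits, "
              f"{folded_brute_force_seconds(12, policy):12.1f} s")
```

At Fidelity's maximum of 12 characters the keypad policy leaves under 40 bits, which is 10^12 candidates; an attacker with the hashes tries every one in minutes regardless of how clever the original password was. Case folding costs a 12-character alphanumeric password about 9 bits, which is why mixed case buys less than the complexity rules suggest once a site lowercases on its side.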



## AntAltMike

Back in the early 1970s, before "control" characters were widely used, if someone entered their system into Dartmouth's time sharing system, the characters would actually get typed on the teletype paper and then the teletype would take over and type maybe half a dozen characters over each. A friend of mine used to be able to evenly erase the overstrikes and retrieve those passwords. He could also end long distance telephone calls by whistling 1,300 cycles into the phone.


----------



## dpeters11

I actually have a Captain Crunch whistle, the one that could be used to get into the system.


----------



## Cyber36

I have the Pierre LaFoote version...... :hurah:


----------



## RasputinAXP

dpeters11 said:


> I actually have a Captain Crunch whistle, the one that could be used to get into the system.


2600!


----------

