
Your Top 20 most common passwords

Posted: Sat Jan 23, 2010 8:38 am
by DesR85
Found this article (http://www.tomshardware.com/news/imperva-rockyou-most-common-passwords,9486.html) while browsing around at Tom's Hardware:

Is your password "123456"?

Last year, a major security breach at RockYou.com resulted in the release of 32 million passwords. With such a large data set available, security firm Imperva Application Defense Center (ADC) analyzed and found that, when given the chance, most users will choose a simplistic password.

Imperva found that nearly a third of users chose passwords whose length is equal or below six characters and almost 60 percent of users chose their passwords from a limited set of alpha-numeric characters. Almost half of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on), with the most common password being "123456".


Scroll a bit more and you'll see a chart from 1-20 listing the passwords these people use. Kind of made me laugh when I saw them. :laugh:
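The categories in the quoted summary (six characters or fewer, letters and digits only, consecutive digits, adjacent keyboard keys) can be checked mechanically when a password is chosen. The sketch below is an added example, not part of the original post or of Imperva's analysis; the function names, the US QWERTY rows, and reading "limited set of alpha-numeric characters" as "ASCII letters and digits only" are assumptions.

```python
import string
from collections import Counter

# Passwords named in this thread only; a real check would load a full breached-password list.
KNOWN_COMMON = {"123456", "12345", "password1"}
DIGIT_RUN = "01234567890"
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumption: US QWERTY layout
ALNUM = set(string.ascii_letters + string.digits)


def _in_run(text, rows, min_len=4):
    """True if text is one contiguous forward or reversed slice of a row."""
    return len(text) >= min_len and any(text in r or text in r[::-1] for r in rows)


def weakness_reasons(password):
    """Return the categories from the quoted summary that a password falls into."""
    lowered = password.lower()
    reasons = []
    if lowered in KNOWN_COMMON:
        reasons.append("known-common")
    if len(password) <= 6:
        reasons.append("length<=6")
    if password and set(password) <= ALNUM:
        reasons.append("alnum-only")
    if _in_run(password, (DIGIT_RUN,)):
        reasons.append("consecutive-digits")
    if _in_run(lowered, KEY_ROWS):
        reasons.append("adjacent-keys")
    return reasons


def audit(passwords):
    """Count how many passwords hit each category, as a breach analysis would."""
    counts = Counter()
    for pw in passwords:
        counts.update(weakness_reasons(pw))
    return counts


if __name__ == "__main__":
    # Constructed sample: values quoted in the thread plus "qwerty" as a keyboard-row case.
    sample = ["123456", "12345", "Password1", "qwerty", "Y;T;20;mc;p"]
    for pw in sample:
        print(f"{pw!r}: {weakness_reasons(pw) or 'none of these categories'}")
    print(dict(audit(sample)))
```

An empty result only means the password avoids these specific patterns; it is not a strength rating.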

Posted: Sat Jan 23, 2010 9:48 am
by galraen
Shoot, yet another top twenty list that I don't get onto, booo.

When I was an IT manager, convincing people to use obscure passwords was always a top priority, but getting them not to write it down and 'hide' it somewhere they thought was obscure, like underneath the keyboard(!!!!), now that was almost mission impossible.

Posted: Sat Jan 23, 2010 1:54 pm
by dragon wench
I think it's because passwords can be so difficult to remember, so people risk having their security breached by choosing something simple.

When I pick passwords I go for things that are meaningful to me, but wouldn't be to others, or at least, are relatively obscure. That way, I'm less likely to forget my password, but it won't be obvious to anyone attempting to pry.

Posted: Sun Jan 24, 2010 4:51 am
by Tamerlane
The randomly generated password for the GameBanshee forums was the first password that I'd ever used, and up until quite recently I used it for pretty much everything else.

From a former IT admin's point of view, Password1 is a pretty popular...

Posted: Sun Jan 24, 2010 5:46 am
by Xandax
dragon wench wrote: I think it's because passwords can be so difficult to remember, so people risk having their security breached by choosing something simple.

When I pick passwords I go for things that are meaningful to me, but wouldn't be to others, or at least, are relatively obscure. That way, I'm less likely to forget my password, but it won't be obvious to anyone attempting to pry.
The problem isn't as much that a (single) password is "difficult" to remember ... the problem is that there are so many places you must remember password(s), leading to either reuse (bad) or easy (bad) passwords.

I do this myself, despite knowing the issue very well first hand. I think I have about 6 or so passwords I reuse all over the web - although they are all "strong" passwords, it is a bad practice to reuse them so heavily, but otherwise I simply can't remember them and have to write them down (bad) :)

For trivia's sake, the longest password I use currently is 14 characters long, which is for my home bank :)

Posted: Sun Jan 24, 2010 9:28 am
by Crenshinibon
But a password is only a small bump when you count the user's habits, such as not locking their computer when going to the bathroom or not protecting their computer. I believe that social engineering still remains one of the leading causes of passwords, codes or numbers being discovered.

While users may not like it, I do think that it's a great practice to have randomly generated daily passwords, after all, wiping one and resetting it is incredibly easy and can be done in about a minute - if their computer is accessible that is.

Posted: Sun Jan 24, 2010 10:29 am
by Vicsun
In fairness, Rockyou seems like a service that, if compromised, would have minor repercussions. I have registered to a ton of sites using fake information and a password of the minimum allowable length consisting of a single repeating character. If somebody compromises the account I use to view youtube videos that require age verification, well, good for them I guess.

edit: I consider that better security practice than using the same password for http://www.picturesofkittens.com and my email account. Most websites don't use any sort of encryption when transmitting passwords, and a frightening number of sites store passwords in plain text on their servers. Every time I request my password from some site, and it just gets emailed to me unencrypted, the paranoiac in me shivers. Anybody serious about password security should be using something like 1Password for OS X, or KeePass for Windows, along with 20+ character alphanumeric strings. I've found out that using acronyms of quotes, with spaces replaced by a non-alphanumeric character, makes for long, easy to remember passwords. The title of this thread can easily become Y;T;20;mc;p which is as fine a password as any.

Posted: Sun Jan 24, 2010 10:42 am
by Fljotsdale
I'm another that ain't in the top 20. :)

But I do reuse passwords. :o

Posted: Sun Jan 24, 2010 11:02 am
by Vicsun
Fljotsdale wrote: But I do reuse passwords. :o
Honestly, everyone reuses passwords. Human brains aren't equipped well for remembering loads of passwords. The trick is to figure out which passwords are important and which ones aren't. Using your online banking password on a site like the aforementioned rockyou.com is bad. Using the rockyou.com password for youtube isn't. Using a long, complex password for youtube is a waste of memory and keystrokes.

Posted: Sat Feb 06, 2010 7:18 pm
by NarutoAngel221
I think the most commonly used passwords are 12345 or 123456

Well, that is what I usually used before, when I was a newbie, but I have changed it now coz it's easily hacked