246
submitted 1 year ago by L4s@lemmy.world to c/technology@lemmy.world

The worst passwords of 2023 are also the most common, "123456" comes in first::undefined

top 50 comments
sorted by: hot top controversial new old
[-] brygphilomena@lemmy.world 89 points 1 year ago

only one – "theworldinyourhand" – is virtually uncrackable. It is the number 173 most common password and would take centuries to guess using brute force.

Not anymore. That would get moved towards the top of the rainbow table now.

[-] Toribor@corndog.social 30 points 1 year ago

Pass phrases for the passwords you have to type by hand, automatically generated passwords for the things that can autofill from a password manager, MFA for everything that supports it.

Anything less or any password reuse is just asking for trouble.

[-] JustAnotherRando@lemmy.world 13 points 1 year ago

Yeah, using a pass phrase makes it much easier to remember on top of being more secure. But users should introduce at least a bit more complexity than that example (all lower case letters isn't great). This1sComplexButMemorable! Is an easy example of how you can just make up a relevant sentence to what you're using, include a range of character types for complexity and to meet requirements, and you're good to go. Plus if you make it relevant to what you're logging into, you're less likely to be tempted to reuse the pass.

[-] brygphilomena@lemmy.world 5 points 1 year ago

ThisIsMyMotherfuckingHotmailPassword!

Is an incredibly secure password for Hotmail. And super memorable.

[-] lol@discuss.tchncs.de 23 points 1 year ago

Brute force also doesn't necessarily mean brute forcing each character. If the password consists of relatively few dictionary words like this, it could be brute forced in a matter of minutes (depending on computation power, hash function used etc. of course).

[-] JohnEdwa@sopuli.xyz 7 points 1 year ago* (last edited 1 year ago)

OTOH passphrases are so rarely used that other than a handful of common examples that would already be in a word list such as CorrectHorseBatteryStaple, it would be rather unlikely for anyone to bother even trying unless they are specifically trying to crack a specific password.

So maybe don't use a plain four word english passphrase as the admin login, but if your facebook password is ZuckerbergSucksFlaccidCock, 'tis probably fine.

[-] trk@aussie.zone 3 points 1 year ago

ZuckerbergSucksFlaccidCock

Is that better or worse than an erect one, from an insult point of view?

[-] happilybitchycowboy@lemmy.world 2 points 1 year ago

48736915208 No son, you're not watching YouTube.

load more comments (1 replies)
[-] bigkahuna1986@lemmy.ml 46 points 1 year ago

That's the kind of password an idiot would use on his luggage!

[-] toasteecup@lemmy.world 28 points 1 year ago

123456, that's the same password that I have on my luggage! Set a course for druidia and change the password on my luggage

[-] GuyDudeman@lemmy.world 9 points 1 year ago

Yes, President Scroob!

[-] squaresinger@feddit.de 39 points 1 year ago

They got this data from password leaks. Crappy sites that force you to create an unnecessary account for basic usage are arguebly more often part of password leaks.

So it's not a surprise that a huge amount of leaked accounts have passwords like 123456, because that's exactly the right kind of password for a throwaway account that you'll never need again. In the best case coupled to a trashmail email account.

[-] saltnotsugar@lemm.ee 36 points 1 year ago* (last edited 1 year ago)

Username: admin

Password: admin

[-] tpihkal@lemmy.world 17 points 1 year ago

Username: guest

Password: guest

[-] OfficerBribe@lemm.ee 8 points 1 year ago

I am in! Oh... I do not have any access

[-] bernieecclestoned@sh.itjust.works 27 points 1 year ago* (last edited 1 year ago)

Apparently, people creating new accounts seem to assume the word (password) in the box in light gray font is a suggestion rather than a label.

lol

[-] edgemaster72@lemmy.world 22 points 1 year ago

No mention of descending numbers, looks like 654321 is still safe. Not that uh, I, would have any particular worry about that one, nope.

eyes dart back and forth rapidly

[-] nul@programming.dev 9 points 1 year ago

Just waiting for the day when they start calling out those of us who make all our passwords easy to type with one hand.

[-] AbidanYre@lemmy.world 5 points 1 year ago

All your passwords, or only the ones for certain websites?

[-] taiyang@lemmy.world 3 points 1 year ago

Funny, I thought only I did that. Looks like a boss when you login to a system with just one hand and at lightning fast speeds.

[-] DemBoSain@midwest.social 20 points 1 year ago

Good old ]yèî̾ÌP®åÙyJàºséí³Òò&ÚÀxÁõÝÞ/ÍÔ9~B6Æ¿Üïd`ÛÝm®@. Nobody ever guesses that.

[-] BrianTheeBiscuiteer@lemmy.world 10 points 1 year ago

Sorry. Your password cannot contain proper nouns like the name of Elon Musk's child.

[-] JohnEdwa@sopuli.xyz 5 points 1 year ago

Your password must contain at least one emoji.

load more comments (1 replies)
[-] NOT_RICK@lemmy.world 19 points 1 year ago

Hunter2, still haven’t been hacked (in the past few weeks)

[-] killeronthecorner@lemmy.world 25 points 1 year ago

What hasn't sorry? I can only see *******

[-] negativenull@lemm.ee 12 points 1 year ago
[-] samus12345@lemmy.world 8 points 1 year ago* (last edited 1 year ago)

That's amazing, I've got the same combination in my username!

[-] jballs@sh.itjust.works 11 points 1 year ago
[-] kungen@feddit.nu 8 points 1 year ago

Eliska81

How is this popular?

[-] jballs@sh.itjust.works 13 points 1 year ago

Someone on a different site theorized that password belongs to a bot network. But I haven't seen definitive proof.

[-] MeekerThanBeaker@lemmy.world 11 points 1 year ago

I think most of these are for accounts where people don't care if they are hacked or not.

Regardless, this should not be on the individual. The issue is with the website that allows those types of passwords to begin with. There are sites that don't allow special characters at all. Stupid.

[-] JustAnotherRando@lemmy.world 13 points 1 year ago* (last edited 1 year ago)

The most infuriating thing is websites that actually limit secure passwords (e.g. "password must be between 6 and 12 characters"). Preventing longer passwords makes little sense if they're salting and hashing; and if they're storing the passwords in plain text (which is just about the only reason to limit the max length to anything less than what a person would reasonably remember), that's even worse.

[-] ricecake@sh.itjust.works 8 points 1 year ago

There was a belief, before the advent of ubiquitous password managers, that allowing passwords to be "too long" would result in people forgetting their password more often, entering it wrong, or some combination which would increase reset requests and ultimately cause people to use worse passwords. Basically "you can't remember a 54 character random password, and you're gonna get pissed and switch to a six character predictable word".

This is now obviously a terrible line of reasoning, but it was only middling bad at the time.

[-] JustAnotherRando@lemmy.world 4 points 1 year ago

Oh, i guess that makes some sort of sense - obviously I disagree with the conclusion, but I understand it - but it's beyond frustrating when you think "maybe I'll pay this bill online" and see that limit. And even if that is the reasoning for the limit, if they haven't updated their requirements in all that time, I have little faith that they're storing my sensitive information securely.

load more comments (1 replies)
[-] systemglitch@lemmy.world 4 points 1 year ago

Exactly, I'm not using a real password for a site I don't care about where I have nothing to protect.

I'm using something simple that I can type with one hand.

Something important however? Good luck figuring that out.

[-] kibiz0r@lemmy.world 9 points 1 year ago* (last edited 1 year ago)

Devs out there:

[-] r00ty@kbin.life 6 points 1 year ago

Everyone knows the correct test credentials are test/test. Even then, that's only if they don't allow blank/no password.

[-] ZeroCool@feddit.ch 9 points 1 year ago
[-] tpihkal@lemmy.world 7 points 1 year ago

Whoa, holup. We can use numbers and letters‽

[-] dhork@lemmy.world 9 points 1 year ago

Hey, how did you guess the password on my luggage?

[-] vortexsurfer@lemmy.world 8 points 1 year ago

Just like every year...

[-] tsonfeir@lemm.ee 8 points 1 year ago
[-] splicerslicer@lemmy.world 10 points 1 year ago

Since it is the opposite sequence, it clearly must be the most secure

[-] Waraugh@lemmy.dbzer0.com 5 points 1 year ago

How tf did these guys get my password?

[-] DarylDutch@lemmy.world 5 points 1 year ago

There was a huge adobe breach a while back and they made it into a crossword. https://zed0.co.uk/crossword/

[-] taiyang@lemmy.world 2 points 1 year ago

Welp, there goes a few hours of my life. asdfgh! >:o

load more comments (1 replies)
[-] nyan@lemmy.cafe 2 points 1 year ago

No significant change from the past couple of decades, then.

[-] muntedcrocodile@lemmy.world 2 points 1 year ago

Wheres the list would like to compare to the previouse ones. Is it on github?

load more comments (1 replies)
load more comments
view more: next ›
this post was submitted on 17 Nov 2023
246 points (96.6% liked)

Technology

59440 readers
3470 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS