Your Top 20 Most Common Passwords

[citation][nom]4ILY45[/nom]a GPU accelerated password cracking software would crack these less than a second. Be warned..[/citation]
Agreed a program such as Advanced PDF Recovery can crack these passes in about 30 minutes with a custom list/directory.
 
[citation][nom]djackson_dba[/nom]That is actually not a fact. Please do not put all Americans in the same pot as this teen beauty pageant participant. While I find it sad that the numbers were not 100%, they certainly were not what you are stating. "Miss South Carolina Teen USA was asked recently why one in five Americans can't find the United States on a map. Unfortunately, that statistic is entirely inaccurate. According to the recent National Geographic-Roper Public Affairs 2006 Geographic Literacy Study, “Nearly all (94%) young Americans can find the United States on the world map, and Canada (92%) and Mexico (88%) are nearly as familiar.” The judges of Miss Teen USA should have gotten their facts straight! Only three in fifty Americans can't find the U.S. on a world map."[/citation]

And some of them are immigrants. Someone who was born in another country and comes here, or has spent their entire lives in a sub-culture would still fall into that stat.

What's scary, though, is that few Americans can identify countries like France or Germany on a map. What's even scarier is that so few Europeans actually know anything about their history. I'm constantly frustrated trying to teach Europeans their history, and shocked at how little they know. Having spoken to people all over, it's scary just how stupid the world has become. Ask people how the Sun produces light. See how many blank faces you get, and how many 'it burns' responses you get.

Ask why we have tides. Good luck. Ask why Jupiter is considered essential to life on the Earth. Good luck. Ask who the Battleship Bismarck was named after, and what his significance was. Good luck.

Ask about Britney's new boyfriend, or current weight, and you'll get an answer for sure though. It's a dumb world, and getting dumber.
 
A good tip is to type a normal password like Steve1982 but just press shift for every other letter. So Steve1982 would turn into StEvE1(8@. This is a lot easier to remember than some random password and a lot harder to crack than an easy password.
 
[citation][nom]the_krasno[/nom]Natural selection I say. People smart enough to have good passwords are less likely to get hacked- they are not worth the effort as it would be easier to hack someone dumber.[/citation]
I think even smart people might be lazy and pick simple passwords for sites that nobody would care about!
I've got a job where I've got to remember a ton of passwords, so privately I've limited myself to 10 or so passwords that I use for stuff depending on how important it is. The most important stuff gets the most secure password - but there are certainly places where I would just use a trivial password - like the vmware site or all the games-related sites where you need to register to download. And I do consider myself smart, although not as gifted as a genius.
 
Best idea for passwords I've come up with is chemical formulas. With just the essential amino acids you already have 11 PWs that are easy to look up if you ever forget, yet completely meaningless taken out of context.

For added security, come up with 1 term that you'll stick the password in the middle of. Ex. say your common term is Toms; use Lysine as this website's PW = ToC6H14N2O2ms.

There you have an extremely meaningless, yet easy to remember/lookup password.
 
One time, I told a user that I had created a password for her: "icannottellyou". She went to my boss and complained that I could not tell her the new password. LOL :)...
 
[citation][nom]d_kuhn[/nom] I've been using a 5 try/30 minute lockout setup on my SSH server at home and while that port gets "brute force" attacked daily, nobody has ever even tried a username that might be able to log in much less guessed a password.[/citation]

That will not stop an SSH brute-force attack. You should add these two lines to iptables to stop the source completely.

-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --name DEFAULT --rsource -j DROP
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource

The above example will block the source IP address when it hits two login attempt failures within 60 seconds.

:) It's an excellent firewall rule set for SSH daemon.
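To see what the two rules above actually count, here is an added simulation (not code from the thread) of the xt_recent matching they rely on; it assumes the kernel semantics of --update/--hitcount (match only when the source already has hitcount stamps inside the window, the matching --update refreshing the entry) and uses constructed documentation addresses. Because the firewall only sees NEW TCP connections to port 22, the counter tracks connection attempts rather than failed logins, so an admin who opens three sessions within a minute is blocked just like a scanner.

```python
"""Added simulation (not from the thread) of the two 'recent' rules above.

Rule 1 (--update --seconds 60 --hitcount 2) matches when the source already
has 2 hits recorded inside the last 60 seconds; rule 2 (--set) records the
current connection. The firewall only sees NEW TCP connections to port 22,
so this counts connection attempts, not failed logins.
"""
from collections import defaultdict

WINDOW_SECONDS = 60  # --seconds 60
HITCOUNT = 2         # --hitcount 2


class RecentTable:
    """Per-source timestamps, the role of /proc/net/xt_recent/DEFAULT."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(list)

    def new_connection(self, src, now):
        """Decide ACCEPT or DROP for a NEW connection from src at time now."""
        inside = [t for t in self.stamps[src] if now - t <= self.window]
        if len(inside) >= self.hitcount:
            # Rule 1 matched: --update refreshes the entry, so a source that
            # keeps retrying keeps extending its own block.
            self.stamps[src] = inside + [now]
            return "DROP"
        # Rule 1 did not match; rule 2 (--set) records this connection.
        self.stamps[src] = inside + [now]
        return "ACCEPT"


def simulate(events, table=None):
    """Run (src, time) connection events; return the list of decisions."""
    if table is None:
        table = RecentTable()
    return [table.new_connection(src, t) for src, t in events]


# Constructed trace (documentation address ranges, not real hosts):
# a scanner retrying every 5 s and an admin opening three sessions quickly.
SCANNER = [("203.0.113.7", t) for t in (0, 5, 10, 15, 65, 200)]
ADMIN = [("198.51.100.2", t) for t in (0, 20, 40, 120)]

if __name__ == "__main__":
    for name, events in (("scanner", SCANNER), ("admin", ADMIN)):
        print(name, list(zip([t for _, t in events], simulate(events))))
```

The real module keeps a bounded ring of timestamps per source (ip_pkt_list_tot) rather than an unbounded list; that detail is left out here.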
 
Remember that even with the potential for supposed GPU-acceleration, (which as of yet still remains a pipe dream given the difficulty of programming them even with things like CUDA, though Fermi might change this) you're still looking at testing a LOT of passwords for a brute-force attack. If someone does have both upper/lowercase alphanumeric, and still has no special characters, that means the total combinations will be equal to 62^n, where n is the number of characters; even a "weak" 6-character password would mean 56.8 billion combinations... And remember that it takes far more than one single-precision floating-point operation to test a password.

As for hacking attempts releasing passwords, I still find it deeply disturbing how many (even large) websites still actually store their passwords in an unencrypted form. Most decent sites and services know that such a method will never, EVER be secure, and instead only use hashes; i.e., if you broke into the "password" database, you'd only get bunches of fixed-length binary strings with completely random distribution, from which you would NEVER be able to ascertain the original password, because the hashing process, in effect, is "one-way"; when a user submits their password to log in, the server applies the hash, and sees if the HASHES match. This scheme leaves brute-forcing as the one and only method of cracking them.
 
Actually, thinking on the above, if we assume that it takes, say, 1,000 single-precision floating-point operations to "try" a single password, and if we had a cracker who was using a single, stock-clocked Radeon 5870 that was capable of throwing its ENTIRE weight into the operation, for 2.72 trillion FLOP/s, (i.e., 2.72 billion passwords/second) this is about how long the typical password of each length would last, assuming it contained both upper/lowercase letters and numbers:

*4 letters: ~1/368th of a second (2.7*10^-3 sec)
*5 letters: ~1/6th of a second (1.68*10^-1 sec)
*6 letters: ~1/6th of a minute (10.44 sec)
*7 letters: ~10 minutes (647.36 sec)
*8 letters: ~11 hours (4.01*10^4 sec)
*9 letters: ~28.8 days (2.49*10^6 sec)
*10 letters: ~4.89 years (1.54*10^8 sec)

As you can see, every extra letter provides a big step up in security, increasing the typical cracking time by a factor of 62.
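As an added worked example (not the poster's code), the table above recomputed in Python with the post's own assumptions: a 62-character alphabet, 1,000 FLOPs per guess, a 2.72 TFLOP/s card, and the expected time being half the keyspace. The 95-character printable-ASCII alphabet and the length_needed helper are my additions, so the same model can compare length against alphabet size.

```python
"""Added worked example (not the poster's code): the survival-time table
above, recomputed with the post's assumptions and generalized to other
alphabet sizes and guess rates.
"""

ALPHANUM = 62                 # a-z, A-Z, 0-9, as in the post
PRINTABLE_ASCII = 95          # my addition: letters, digits and symbols
FLOPS_PER_GUESS = 1_000       # the post's assumed cost of one guess
RADEON_5870_FLOPS = 2.72e12   # the post's 2.72 TFLOP/s figure

SECONDS = {"years": 365 * 86400, "days": 86400, "hours": 3600,
           "minutes": 60, "seconds": 1}

def guesses_per_second(flops=RADEON_5870_FLOPS, per_guess=FLOPS_PER_GUESS):
    """Guess rate implied by the post: 2.72e9 guesses/s."""
    return flops / per_guess

def expected_seconds(alphabet_size, length, rate=None):
    """Expected time to hit one password: half the keyspace over the rate."""
    rate = guesses_per_second() if rate is None else rate
    return alphabet_size ** length / 2 / rate

def human(seconds):
    """Render a duration in the largest unit that is at least 1."""
    for name, size in SECONDS.items():
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2e} seconds"

def survival_table(alphabet_size=ALPHANUM, lengths=range(4, 11), rate=None):
    """Length -> expected crack time, matching the poster's 4..10 rows."""
    return {n: expected_seconds(alphabet_size, n, rate) for n in lengths}

def length_needed(alphabet_size, target_seconds, rate=None):
    """Smallest length whose expected crack time reaches target_seconds."""
    n = 1
    while expected_seconds(alphabet_size, n, rate) < target_seconds:
        n += 1
    return n

if __name__ == "__main__":
    for n, secs in survival_table().items():
        print(f"{n:2d} chars (62-alphabet): {human(secs):>15}  ({secs:.2e} s)")
    year = SECONDS["years"]
    print("length for a 1-year expected time: 62-alphabet",
          length_needed(ALPHANUM, year), "/ 95-alphabet",
          length_needed(PRINTABLE_ASCII, year))
```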
 
[citation][nom]nottheking[/nom]Actually, thinking on the above, if we assume that it takes, say, 1,000 single-precision floating-point operations to "try" a single password[/citation]

You are correct that every single extra letter makes it harder to brute force, but there are a lot of other mechanisms at work preventing brute forces (as part of the authentication process), which are measurably less effective at preventing dictionary attacks than they are brute forces. So for practical purposes, it's better to have a short password that's not based on a dictionary word of any sort, than a long password that is.
 
[citation][nom]joebob2000[/nom]So for practical purposes, it's better to have a short password that's not based on a dictionary word of any sort, than a long password that is.[/citation]
True; I should note a disclaimer that the times I gave would be IDEALIZED survival times; in other words, the time it'd take to attempt half of all possible combinations.

Obviously, anyone trying to crack into accounts does NOT want to spend any more time than possible, so the pure brute-force method will come second, if at all, AFTER the hacker instead runs a dictionary; it makes sense, since in most cases, a hacker isn't after a SINGLE account, and hence even a single second of pure brute-force for one password is too long; if, say, a database of just 272 passwords covers 10% of all accounts on a given website, (fair enough given that the "top 20" cover well over 2%) then that same Radeon 5870 hacker would, if using just that, be cracking a minimum of 1 million accounts per second.
 
[citation][nom]shadow187[/nom]My password for a lot of things is pneulmolnoultramiscroscopicsilicovocanicaniosisi.Am I good password-er?[/citation]
Dude I am reading that thing and still can't spell it.
 
[citation][nom]d_kuhn[/nom]I use Bitvise WinSSHD (running on Win 2008 R2), and it does lockout by IP after x login failures... I was a bit worried about that initially but after talking to the folks at Bitvise I found that by default they track attempts by IP so no worries. An added benefit of running SSH on a Windows box... everyone is trying to hack root.[/citation]

The firewall rules were for Linux iptables.
Thanks, good to know for the Win2k8 SSH server, but I wouldn't use Windows for SSH; that's asking for trouble.
 
My old password was Yg@lona!gal0fTp

I don't use it anymore, but you can be pretty sure no one would remember that but me anyway. By the way, yes it means something to me, that's what made it easy to remember. But no one will ever guess it. I also like using strings of pi.
 
What's wrong with these people... My password takes up an entire 500MB flash drive, and includes characters not yet invented.
 
Noob. Hacking is for losers. You don't need to "guess" the password, or "crack" it. You just need to find it. Piece of cake! No matter how "strong" the password is, I can have it in five seconds, if you give me access either to the network or the computer.
 
Not a single password had lower and upper case characters without any numbers or special characters?...
 