50 Dumb Passwords You Should Never Use At All

Post Reply New Topic

Do you agree with this list written back in June of this year?

https://bestlifeonline.com/the-50-most-common-passwords-you-should-never-use/

Always heard that the two worst were "password", and "Letmein".

My typical passwords are passphrases. That is, four or more words that make a nonsensical thought. Often, some words are plays on words but are not themselves words, as far as I know.

For example, "Semi-aquatic Mystics Harboring Tyrotoxic Tendencies"

I usually have at least one rare word (or play on a rare word) to increase the size of the dictionary required for a dictionary attack on a shorter passphrase. I've used passphrases as long as 20 to 25 words. For passphrases that long, not having a rare word in the passphrase is not an issue.

A couple of years ago, I loaned someone a wifi router while they moved their office. For a passphrase to connect to the router, I used "I wish I were an Oscar Mayer weiner". As it turned out, there seems to be a lot of spelling variations of both "Mayer" and "weiner".

This:

The only thing wrong with making a cool and original password is that you can't tell anyone what it is.

Password's would be useless if you had a mac address filter on your router. You wouldn't be able to connect. Unless they knew how to spoof mac addresses. But yeah website passwords are another story, just get lastpass with password generation, for security.

If any one is interested I create passwords all the time for the staff users in the school where I work.
Like it says in all the on-line guidance, in order to defeat attacks passwords need to have a mixture of the four different character forms (lower case, upper case, figures and symbols) and be a reasonable length.
Since I am not creating these passwords for myself I have to come up with something that is not only sufficiently random to make guessing nearly impossible, but also sufficiently memorable for the user to have a chance of retaining it. Something like 22kIox$41 is reasonable complex, but most people would find it hard to learn and difficult to remember. The passwords I come up with all have ordinary words in a simple phrase that the user can remember, but which are still random enough to defeat guessing and make the time to break via other attacks (such as brute force attacks) too long to be useful.

The typical passwords I give to users are like:

f@Lof14? which can be remembered as "fall off 14?"

puL4u$99X (pull for us 99 X)

sinG@SongG6! (sing a song 6!)

You get the idea.

Surprisingly few of the staff I give these passwords to ever ask for them to be changed because they have problems remembering them.

That's not precisely true.

They need to be hard to guess. That means no common passwords and of sufficient length for their complexity to make attacks take a very long time.

For a short password, lower case, upper case, numbers, and punctuation are necessary.

I'm not sure what all punctuation and symbols can be used in a password, but suppose that 18 punctuation symbols could be included. With 10 numbers, 26 upper case, and 26 lower case symbols and 18 punctuation symbles, that would give you 80 different symbols. Then there would be 80^n different passwords of length n. If n=8, an attacker would have 80^8 different passwords to work through. If the attacker knows that there has to be at least one upper case letter, one upper case letter, one number, and one punctuation symbol, then the number of passwords needed in the attack would be reduced.

If, on the other hand, you used just five words randomly selected from a dictionary of just 20,000 words, the would have 20,000^5 passwords to work through, approximately 2,000,000 times as many to have to try. If you try to do like me and include at least one rare or archaic word, it would take a much larger number of attempts to guess the password.

In other words, an attacker would have a far more difficult time trying to guess a password of "teenager grey breakfast tyrotoxism foundation" than he would "f@Lof14?".

The fastest password guessing cluster of computers that I know of can try 350,000,000,000 (350 billion) passwords per second. It could get "f@Lof14?" in a bit more than an hour. (80^8/350000000000 = 4793 seconds).

If your password was made of up 5 words randomly chosen from a dictionary of 20,000 words, it would take nearly 300 years if he used the same technique to create passwords to guess.

Throw in some punctuation and maybe capitalize a word or two or, even better, capitalize a letter or two inside a word and you just made it even harder.

One thing to remember is that it isn't people sitting at a terminal trying to guess passwords that is the problem. It is also not programs connecting across the internet and trying different passwords. It is people breaking into computers to steal the password files and then testing passwords on their own computers against those files.

One other thing. Replacing 'a' with '@', 's' with '$', 'for' with '4', and other such replacements are purely cosmetic. Attackers know these tricks and test for those. They may impress the user, but they are not likely to slow an attacker down much.

There's a very good article at https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html about creating secure passwords.

From the article:

One benefit for dumb password is that you can easily crack it once you forgot it, lol

Actually, there are precalculated passwords hashes to compare against (Rainbow tables) and that takes seconds at best.

When someone asks me about password security, i usually point at this:

That would depend on a number of factors. If using a salt, Rainbow tables are completely ineffective unless the Rainbow tables were calculated using that salt. The salt wouldn't need to be kept secret since any attacker would have to completely rebuild the table from scratch using the new salt.

It is even better if the system performs the hash some large number of times. My systems generally recompute the hash 2^7 number of times which is far from enough for my tastes. I'd like to see the computation take at least a second for every login. If you have a billion password entries in the table and you have to recompute the table using the system salt and it takes one second of calculation per password, it would take a month to recompute the table. And on another computer with a different salt, another month to recompute the table for that computer.

On my main system, at the highest setting it would take 91 hours to compute the hash for a single password. Obviously I don't use that.

Some systems now us a different random salt for every password. You could have the same password on multiple accounts, but the hash stored in the password table would be entirely different for each.

Rainbow tables can work but are relatively easy to defeat. Of course, if you are using a Microsoft operating system, then all you can do is cross your fingers and hope.



I always like that cartoon. These days, I don't think that four words are enough for anything you want to be really secure. I use six words, some far from common, for my e-mail and am thinking about using two factor authentication for my main e-mail. My main account on my primary workstation is seven words. Also my RSA passwords for ssh are 7 words long.

My longest passphrases are in the 15 to 20 word range.

Sometimes I use one time passwords. For a one time password, you have a different six word password for every login (it used to be four word passwords).

Well, there is a reason why rainbow tables exist... Pentesters use stuff like that successfully all the time. Of course, they don't need to crack passwords, but it's part of the testing i guess.

Wrote my own pw manager that is 100% generative. You enter a password or passphrase, then it runs 1000 iterations with some entropy throw in at a specific round of the iterations so each pw/entropy combo generates a specific resulting password. It's all explained in the PDF.

Unfortunately some sh***y AV did lame ass heuristics on the binary and the sourcecode and apparently classified it as "containing a virus" because of a features i use (hotkey to type the PW into a browser field using GetKeyAsynchState and SendKeys), so now i get a warning for my OWN CODE when i download it off google drive. Fun eh?

They work against Windows machines.

I primarily use OpenBSD.

The following are five entries of the password "foo". It includes an identification of the method to use, the number of rounds, the random salt, and the hashed password.

$2b$12$NtOpBM2s1/k6XQB1BxJgyOe27Jz8NI/11qZ4KRFqQrnplUtqTtw0q
$2b$12$nAy8Vq9PFndaJs7lIuqAG.SbgXOTieQ5PTiCZ47rBRzVsi.WQgCHm
$2b$12$yKPLN2a2XrwORFEjxbrw8O8TaHntVmBFtrbfpDrUnDAU6hrNLXRzm
$2b$12$sJ.5/iV0rqtjxiYX7yL.WuqcQPpbklDylYLf.SRM8I0fU5.5BuzDy
$2b$12$FtVgNyfFZ0AkkvLjqGIjt.EWTxqYzZjFo8Gk6SbPmYRpscTBXKRD2

If I ran that a billion times, it is unlikely that any two hashes would match.

It would be impossible today (it might even be impossible a billion years from now) for anyone to build a Rainbow Table large enough to just pick out the hashes for the password "foo". And correspondingly larger for all passwords one might want to include. The salt is 128 bits. The number of rounds can be from 2^4 to 2^31.

On this computer, it takes approximately .65 seconds to go through 2^12 rounds. Thus, to generate a Rainbow Table for all possible salts for 2^12 rounds on this computer, would require .65 * 2^128 seconds or about 7,013,683,996,023,909,222,830,843,950,743 years just for all possible entries for the password "foo".

To include all possible entries for 2^31 rounds would require another 3,677,190,354,907,383,318,619,537,513,247,446,722 years if my calculation is correct. That would probably be unnecessary since with 2^31 rounds it would take slightly more than 90 hours to log onto the computer if you entered the password correctly.

Also, to store just the complete Rainbow Table for the password 'foo' using just 2^12 rounds would require more storage than the total of all of the computer storage (hard drives, tape drives, drums, solid state, paper tape, and anything else I might have forgotten) than has ever existed.

Rainbow Tables may work against Windows computers, but they are useless against any reasonable password scheme.

Last edited by kokopelli on 15 Dec 2018, 3:15 pm, edited 3 times in total.

Mine isn't on here but I should prob not use it cos I learnt it as a kid from my stepdad who thought it was a great idea if everyone in the family used something he thought was clever.
Never quite sure why mum went along with that. I do now out of habit but need to stop.

Regarding password managers, I'll have to wait for one that is fully distributed and multiplatform. On any given day, I may sign on with either my primary workstation (a desktop computer running OpenBSD), a server running OpenBSD, a laptop running Linux, or a desktop running Linux. And for some things, my Android cell phone as well.

Also, at times I may need it from a computer running FreeBSD or one of several running NetBSD.

And from most of them, it may be from any one of several accounts.

A password manager that can't distribute the passwords to my accounts on the other computers is useless to me.