2015's worst password was 123456


[Read the post]


Imbeciles. That’s why I’ve always used 654321.


There’s still a system somewhere that allows those passwords? Everything I see demands a number and a symbol, which is why the new worst password is Password1!

A system I use daily requires a symbol, and offers a list of nine to choose from. It neglects to mention it won’t actually accept five of them, so users are limited to !@#$. Okay, that’s still two bits of entropy, right?

I called to complain I was locked out, and tech support said nobody had ever had that problem before. That means nobody ever chose a symbol outside of those four - and I bet every single user puts a ! at the end. That would be zero bits.


If a system restricts the characters you can use in a password, I immediately assume they’re storing the passwords in plaintext.


Yea well, it’s a necessary tool for my work, and complaining never did any good. If we ever get hacked, I hope the HIPAA fines aren’t too severe.


I wonder how many of these may be used for throwaway accounts? you know, like when Boing Boing posts something negative about, say, Sarah Palin and all these new users come here to defend her and then disappear…?


Making secure passwords is trivially easy. A moderately intelligent person can easily dream up a repeatable algorithm that will work for the rest of your life and generate tough passwords for multiple sites. I’ll do it right now, to prove this.

What’s your favorite song? Take the first letter of each word, capitalize the ones that begin a line, and use symbols or numbers for words like “to” and “plus”. So, “Lucy in the sky with diamonds” becomes “Pyiaboarwttams”. Now add three digits which symbolise the site that you need to use the password for - for example, bbs.BoingBoing.Net would be 2, 2, and 14 because “b” is the second letter of the alphabet and “n” is the 14th (count on your fingers). Add up all the digits and you’ve got 2+2+1+4 equals 9. Your password for this site is is Pyiaboarwttams-9 which is very secure*. It contains upper and lower case letters, a number, and a symbol (the dash) so it should be accepted by nearly any site (and you should complain to any site that does not accept it, like tdbank.com for example, and refuse to use that site if possible).

That was easy. And I literally just invented that algorithm! If you can’t remember a song, use your favorite poem.

Somebody had to say it, OK? Secure passwords are not hard. People just don’t care enough to bother thinking about them, which is a separate problem from complexity.

* - or it was, until I posted it here, anyway - don’t use that one, and don’t use BatteryHorseStaple either.


I tried this once on a site, just to see how I liked the idea, and then realized I was avoiding the site because it took too much effort to go through the process of remembering the entire piece so that I could type in the right first letters in order each time.


but my favorite song is the second verse of every anthem

ner ner ner ner ner ner ner ner ner ner ner ner ner ner ner

on a more serious level: did you mean to define one password and use it everywhere?

if so: please don’t do this - password reusing is one of the main reasons for opened important accounts (a shady service is hacked, the same mail address and password can be tried on online banking and BBS [two name two (hopefully) generally secure and important(ish) sites])


The site in question was not worth a very small effort. That’s not a problem with passwords; if anything, it’s a problem with the quality of the site.



I demonstrated the invention of an algorithm that can generate semi-unique passwords for multiple sites without having to write anything down. You’re missing my point if you think I am recommending anyone use that specific algorithm.

People routinely remember things vastly more complex than any password, and think nothing of it. You know the names of hundreds of people - that’s far more data, but we expect children to do that easily, and they do. You know huge taxonomies and vast namespaces already, it’s just a matter of leveraging that memory. So figure out a transform for one of those things; it’s not as hard as learning multiplication or even addition, and you’ll only have to do it once or twice in your whole lifetime. A single memorable password is not really necessary at all! (Although if you find you can remember a strong, complex password without using an algorithm, save that one for your bank account.)

Another approach is to keep a password notebook. Again, this is really easy - and trivial to secure, you just use a private notation (for example, reverse case and always add the page number to the end of each password in the book). It’s just not hard, compared to thousands of things we commonly say are dead easy. I know dozens of security professionals that keep password notebooks, and I would not be able to use their notebooks if I found one.

Pundits and people trying to sell you things will tell you that passwords are hard. They will also tell you that people are shunning you due to your ring-around-the-collar and that sharia law is a clear and present threat to your household. Don’t fall for it! Learning to generate secure passwords is easy, you just have to apply the same level of attention that you applied when you learned how to drive or to learned how to use a kitchen knife properly.


I’m an excellent misser.

But as you described your method based on the favorite song and as modification the favorite poem -> The algorithm creation model you outlined produces one password. This is doubleplusungood.


Note the source of the final digit - the algorithm produces semi-unique passwords, as advertised.


I use semi-unique system that is similar. It is the first letters of a phrase (with specific capitalisation) that I can easily remember, an alphanumeric serial number from a defunct “account” in a past life that I remember easily, some transposition of zeros and Os over the top then a code at the end that is a function of the name of the site/account. It produces passwords that are quite long, but trivially easy for me to remember.

I use much simpler passwords for temporary access to non-secure sites etc.


Suffixes are easy for modern dictionary-based password crackers - the hard part is compiling the word list and your method is a good one to produce hard to find strings*. But using the same pattern all over the place is still risky.

Password management and handling needs thoughtfulness, though.

*) Schneier wrote about this. The essay was first published on Boingboing but I will not give a link. The colour scheme is too horrible : )


I know a system admin who, shortly after joining a company, changed the password requirements to minimum 20 characters, at least two symbols, at least one upper-case and one number, and expiring every 15 days with any previously-used password being disallowed forever afterwards.

Seems like a quick recipe to encourage people to use one fairly simple password that they can just increment one character at each change. Or, create an epidemic of sticky notes with passwords on 'em.


I use a bit more simple algorithm for most of my passwords (with a little added complexity for banking/email/etc).

My biggest problem is when I try to be clever in answering password recovery questions to avoid obvious answers. I almost universally fail at trying to recover/reset a password by answering the challenge questions…


Word, brother. Testify.

For a while I had a system where I gave the same answers regardless of the questions. What is your mother’s maiden name? Fig Jelly. What is your favorite color? Samwise Gamgee. &etc. But then they started mixing up the order of asking the questions at recovery time… so knowing the order I originally answered them didn’t help! I don’t have a good answer for this one yet (by which I mean I don’t have a method that could survive my revealing it). Security questions, as Schneir mentions in the article @renke linked, are typically a horrible gaping security hole.


but especially security questions are kind of easy as they are not needed regularly: Invent some nonsense and write it with the question on a piece of paper