*********
January 7, 2022 7:45 AM

Top 200 most common passwords compiled by VPN provider NordPass
posted by chavenet (117 comments total) 18 users marked this as a favorite
 
Interesting that none of the 200 passwords in this list (that I noticed) contained any uppercase letters or special characters. What sites are still letting people use 123456789 or qwerty as passwords?
posted by xedrik at 7:53 AM on January 7, 2022 [6 favorites]


56: fuckyou
117: love

Then again, who thinks of love when being asked to create another fucking password?
posted by Mr.Know-it-some at 7:53 AM on January 7, 2022 [3 favorites]


I hope my bank password FartSneeze420! isn't on it!
posted by glaucon at 7:54 AM on January 7, 2022 [13 favorites]


I’ll say the occasional place that still restricts passwords to a *maximum* length tends to have me consider options 56 or 131.
posted by heyitsgogi at 7:54 AM on January 7, 2022 [8 favorites]


hunter2 isn't in there but hunter is

myspace1? what year is this?
posted by glonous keming at 7:55 AM on January 7, 2022 [13 favorites]


correcthorsebatterystaple doesn't appear on the list...?!

Maybe I'm reading the wrong web comics.
posted by SunSnork at 7:58 AM on January 7, 2022 [22 favorites]


I suspect there are sites that 'grandfather' weak passwords and don't require changing at regular intervals, which might explain the persistence of some (but not all) of these.
posted by Insert Clever Name Here at 8:00 AM on January 7, 2022 [5 favorites]


I've once or twice resorted to things along the lines of FuckUJustAcc3ptSomething! so I can totally understand #56.
posted by Karmakaze at 8:00 AM on January 7, 2022 [19 favorites]


I had a job where the code to get in was 1234 and I wasn't allowed to change it because no one else would remember it if I did.

There have also been times I've tried to choose good passwords on websites and when I've looked to see what's wrong, found things like, my password is too long or uses too many types of characters. I get that there has to be an end length at all for passwords but some places say it has to be 14 characters long (because longer is better) but not more than 20. Which just feels really arbitrary and squished in between the two.
posted by blueberry monster at 8:02 AM on January 7, 2022 [4 favorites]


I hope my bank password FartSneeze420! isn't on it!

Ugh what a rube. I, a genius, use "F4rt$neeze42O!"
posted by phunniemee at 8:05 AM on January 7, 2022 [16 favorites]


I suspect there are sites that 'grandfather' weak passwords and don't require changing at regular intervals, which might explain the persistence of some (but not all) of these.

I sort of wish I could tell Google / Safari that I don't give a damn about some sites, and that they can stop warning me about the weak passwords they have stored for a site I haven't visited in 15 years. My dudes, I don't really care that the password to my World of Warcraft's Guild forum is insecure. And yeah yeah I know, with poor salting, that weak password is a weak password everywhere, but it was always mentally declared as a weak password for that very purpose.

I mean, these days sure I let my password manager generate something complicated and unmemorable and certain to be steamrollered by someone abusing password recovery mechanisms. But back then? ugh.
posted by Kyol at 8:09 AM on January 7, 2022 [14 favorites]


There is at least one website that has told me more than once that my password is wrong and it has locked me out, with the option to receive an e-mail to reset.

I have done this, and as my new password I have chosen what I thought the old one had been, as clearly that is in my head as the correct password. I have then been told, no, your new password cannot be the same as your old one.

And that is how I wind up with passwords like OhFuckRightOff.
posted by ricochet biscuit at 8:12 AM on January 7, 2022 [64 favorites]


Can any Australian MeFites explain why "lizottes" is number 3 on the Australian list? Googling didn't give me the answer.
posted by Kattullus at 8:12 AM on January 7, 2022 [3 favorites]


...some places say it has to be 14 characters long (because longer is better) but not more than 20. Which just feels really arbitrary and squished in between the two.

On the bright side, "SquishedInBetween" is 17 characters, so that would be fine.

I've never heard a convincing explanation for the short maximum password lengths or character-set restrictions some services implement. The size of the hashes that actually get saved aren't related to the size of the passwords.
posted by Western Infidels at 8:12 AM on January 7, 2022 [2 favorites]


Company I work for has logins for clients. Occasionally a client comes to us to demand that our login system complies with their own very specific rules for passwords, so I had to build in the ability to set custom restrictions for every account.

So if you really insist that all passwords must be between 7 and 12 characters, and include upper- and lower-case characters, but definitely no numbers, special characters or spaces or underscores, and you want your employees to be forced to change their password every 21 days, then I'm happy to set that up for you. I guarantee that your staff will be requesting password resets every second day from the point when I add those rules.

At some point, the password reset system becomes the login system. My kids do it, despite my suggestions to maybe keep a record somewhere.
posted by pipeski at 8:15 AM on January 7, 2022 [36 favorites]


Looking through the most common passwords for countries with non-Latin-based writing systems, they're almost all numbers. Which is terrible for security -- and pretty clearly due to the fact that most systems require Latin-based passwords instead of letting you use other character sets. Most people's keyboards are going to be set to their own, non-Latin keyboard layout. Switching layouts is an inconvenient and un-ergonomic pain, so people just choose numbers. The difficulty of remembering a password in a non-native alphabet might also be a factor.

This sort of bad design is incredibly frustrating and has real-world consequences.
posted by trig at 8:23 AM on January 7, 2022 [38 favorites]


Interesting that the top "random" words in the American ones have such a trochee fixation: sunshine, monkey, princess, baseball, dragon...
posted by little onion at 8:25 AM on January 7, 2022 [18 favorites]


In fairness to this list of deeply stupid passwords--

Eventually there are so many demands for passwords that you just start using dumb, basic ones for everything that does not connect directly to money/work/identity stuff. I'm not storing payment information at Sweaty Betty so if someone wants to hack in, I guess have fun reading about my past activewear purchases...? If you share streaming services with anyone, that's also an argument to keep the password simple! (Though that backfired on me and I DID have to call Netflix for help because a stranger from a different country logged in and changed the password on me, so.)
posted by grandiloquiet at 8:26 AM on January 7, 2022 [7 favorites]


Viewing by country, I was mildly surprised that 'hockey' was only the 11th most common password reported for Canada, while 'tiffany' is the 7th ('canada' is 15th). Also amused that names like 'tiffany', 'matthew', and 'anthony' take 17 minutes to crack (and 3 hours for 'michelle' and 'victoria'), whereas 'mickey' and 'hannah' are cracked in under a second. And I'm betting that the 5762 folks who could be proud that 'ihatethisgame' would take 31 years to crack are about to be pretty damn livid that their secret is out.
posted by hangashore at 8:27 AM on January 7, 2022 [3 favorites]


I am charmed that I only had to make it to No. 11 of my country-specific list to find a recognizably Canadian password:

hockey
posted by fruitslinger at 8:28 AM on January 7, 2022 [1 favorite]


At some point, the password reset system becomes the login system. My kids do it, despite my suggestions to maybe keep a record somewhere.

Yeah, I sort of remember running into a proposal a few years ago to do away with (most) passwords and just use a secure mailbox and recovery for most things that need user accounts if not perfect security. And for at least a few of my accounts I'm pretty sure that's exactly what's happening. Yes, TikTok, confirm I'm me at (111) 222-3333 kthx.
posted by Kyol at 8:28 AM on January 7, 2022 [4 favorites]


I always think about how wrong the movie Hackers was about the most common passwords: "love" (#131), "sex" (not found; [too short?]), "god" (not found; [too short?]), secret (#154). No, it turns out that the movie Spaceballs was much more correct about how people choose passwords all along.

And also if you're wondering about 'x4ivygA51F'.
posted by Alison at 8:33 AM on January 7, 2022 [13 favorites]


Glad to see that the "thinking man's 1234" (8520, of course) isn't on there.
posted by clawsoon at 8:35 AM on January 7, 2022 [8 favorites]


Can any Australian MeFites explain why "lizottes" is number 3 on the Australian list? Googling didn't give me the answer.

It's a popular dinner and show club in Newcastle.
posted by Your Childhood Pet Rock at 8:36 AM on January 7, 2022 [4 favorites]


I hope my bank password FartSneeze420! isn't on it!

Ugh what a rube. I, a genius, use "F4rt$neeze42O!"


i suspect both of you will have a jarring experience soon
posted by pyramid termite at 8:41 AM on January 7, 2022 [12 favorites]


So, we're all having fun here but:

Please, whenever the opportunity presents itself: let your browser or password manager generate a password for you, and let your browser or password manager remember it for you. Please do not pick your own passwords, if that is at all viable. Humans cannot remember passwords of meaningful complexity in modernity, and don't have to.

Right now, the most accessible and high-value security decision a non-specialist human can make about internet security is "set up two-factor authentication, and use a strong password, on the email account you use for password-reset requests. Use a password manager for everything else and let that password manager automatically generate strong passwords you will never need to remember."

Legitimate owners of legitimate systems will never need to know your password, nor will they ever need you to tell them whatever your two-factor authentication system told you.
posted by mhoye at 8:43 AM on January 7, 2022 [24 favorites]


Your Childhood Pet Rock: It's a popular dinner and show club in Newcastle.

But why is that club's name such a popular password?
posted by Kattullus at 8:49 AM on January 7, 2022 [3 favorites]


But why is that club's name such a popular password?

If I had to guess it's because live music is a cultural attribute deeply embedded into the Australian psyche. Most of our '80s and '90s music zeitgeist emerged from pubs and clubs.
posted by Your Childhood Pet Rock at 8:55 AM on January 7, 2022 [2 favorites]


How is the time-to-crack determined?

Can someone ELI5 to me why, for example, 'michael1' takes less than a second to crack, 'michael' takes eight, and 'michelle' takes three hours?
posted by box at 8:56 AM on January 7, 2022 [4 favorites]


My company has a 90-day password change policy so, like clockwork, FuckYou3 becomes FuckYou4 because I can't be bothered otherwise and sometimes our Active Directory propagation sucks so I still need FuckYou3 on some servers and FuckYou4 on others.

But what it has really done is mark the time I'm with the company and now I'm up to #9 and maybe it's time to polish off the resume.
posted by JoeZydeco at 8:59 AM on January 7, 2022 [24 favorites]


Password managers have one big flaw. I do music. Music software is authenticated with passwords, the one you use to login to software company website. So password manager is fine as I am in the browser. But to authenticate, I have to log in via a plug-in in a DAW and there is no password manager to remember that insane conglomeration of keystrokes. So back to company website to reset password to something I can remember.
posted by njohnson23 at 9:00 AM on January 7, 2022 [8 favorites]


15 years ago, I worked on the website for a US company whose customer base - though nationwide - leaned a touch southern. Think something like Bass Pro Shops but much smaller.

Thanks to crappy backend design, I could see all of the passwords. A good 1/3 of them were Jesus-themed. "OneForJesus", "JesusLovesMe", and so on. I don't see anything like that on the list here; the closest in the top US passwords list is 'blessed'.
posted by Hatashran at 9:03 AM on January 7, 2022 [6 favorites]


I don’t really know most of the passwords I use! I have a couple in muscle memory. I use this password generator created by Meta’s own nicwolff. I can save the page locally and in various spots so I can always get to it. I get mad when I have to change passwords annually, but I’ll tack ‘+$CURRENT_YEAR’ on the end of site name and I can usually remember that.

I wonder if most of the entries on the list come from ‘OMG i need to make another BS account to isolate a one time access to this thing I won’t use - so ok, ( CarlYazstremski#8, guidovanrossum_Snek, etc. ) it is…’

I would love to get an arg for why good passwords all day, erryday is like a social compact. I admit sometimes being That Guy above. Pretty rare but it is probably not great.
posted by drowsy at 9:09 AM on January 7, 2022 [1 favorite]


I don’t think the “time to crack” column is accurate. It seems unlikely that “jennifer” would take 2 hours to crack while other common words or names or gibberish on the list would take less than a second.
posted by tdismukes at 9:09 AM on January 7, 2022 [2 favorites]


Also amused that names like 'tiffany', 'matthew', and 'anthony' take 17 minutes to crack (and 3 hours for 'michelle' and 'victoria'), whereas 'mickey' and 'hannah' are cracked in under a second.

I would guess that the 'time to crack' is completely made up. I also assume that they are based on already having access to brute-force hack each individual password, which means that the company security protecting your info was terrible which is a bigger deal than you personally having a weak password. Weak passwords have strong 'blame the victim' energy.
posted by The_Vegetables at 9:09 AM on January 7, 2022 [4 favorites]


Heh, I had a similar password reset cycle at my old company. The first suffix was "5s" when I started and was up to at least "7g" when I left.

I was there too long.
posted by whuppy at 9:13 AM on January 7, 2022 [3 favorites]


Thanks to crappy backend design, I could see all of the passwords.

Did you right-click and then View Source?
posted by AlSweigart at 9:13 AM on January 7, 2022 [4 favorites]


My favorite password is **********
posted by Jacen at 9:14 AM on January 7, 2022 [4 favorites]


Please, whenever the opportunity presents itself: let your browser or password manager generate a password for you

Browsers have gotten so much better about this. I've considered ditching LastPass and just letting the browsers handle it. The problem is that I use multiple browsers.

Overall, I've been happy with LastPass but I tried to get a certain luddite in my life to use it -- because he probably used many of the passwords on this list and was constantly getting malware that would do stuff like intercept google searches -- but he couldn't keep track of his master password and got locked out. I don't know of an easy solution to this sort of problem and I think it's a genuine barrier to more widespread adoption.
posted by treepour at 9:15 AM on January 7, 2022 [2 favorites]


Your Childhood Pet Rock: If I had to guess it's because live music is a cultural attribute deeply embedded into the Australian psyche

And is Lizotte’s specifically such a culturally important club that nearly a hundred thousand Australians all chose it when thinking of a password?
posted by Kattullus at 9:15 AM on January 7, 2022 [1 favorite]


It's interesting that the "all countries" list is so overwhelmingly Anglophone.

I am puzzled that "1g2w3e4r" ranks as #103 -- that doesn't quite follow a run of keys on a QWERTY keyboard, or two runs of keys (like "1q2w3e4r" would). Although it takes a somewhat reassuring 3 hours to break. Apparently this is #16 in Germany, which does have a different keyboard layout, but not one that would make this easier to type.
posted by adamrice at 9:16 AM on January 7, 2022 [2 favorites]


I would guess that the 'time to crack' is completely made up.

Yes. It depends on what algorithm the password cracker is using and which password combinations it tries first. And now that these passwords are going to be added to the common password lists that password crackers try, they're all going to be cracked in less than a second.

The Django web framework has a common password list of about 19,000 passwords so that users can't use them for any Django sites.
posted by AlSweigart at 9:16 AM on January 7, 2022 [2 favorites]


Honestly most companies need to do away with passwords entirely and just make something like the reset be the flow. I have zero faith that most companies can keep hashes stored securely. Just email me and cookie me when I want to log in. It's fine.

A lot of this list screams of "I do not care about this account in particular and this is my basic easy to remember password, which is not used for anything financial"

I use a password manager but still have these throwaway passwords all over the place because it's easier to type in something from muscle memory than it is to have the password manager fill it in in a lot of cases. If someone wants to see my Allbirds purchase history, go for it.
posted by mikesch at 9:17 AM on January 7, 2022 [3 favorites]


And is Lizotte’s specifically such a culturally important club that nearly a hundred thousand Australians all chose it when thinking of a password?

Possibly. East coasters are strange about their institutions. The guy who started it is also the brother of a popular musician from the '80s, Diesel, so it's probably a combined effect of the two.
posted by Your Childhood Pet Rock at 9:20 AM on January 7, 2022 [2 favorites]


I used to make them from the first letter of the words in song lyrics, to remember them - so maybe "You've got a lot of nerve to say you are my friend" would become ygalontsyamf, with some caps and special chars tossed in. Probably not secure at all (it's reminiscent of the "poem codes" that Leo Marks found that SOE was using, to his horror), but, better than "tarheels#1" or whatever.
posted by thelonius at 9:20 AM on January 7, 2022 [3 favorites]


Norway: loving the ‘hemmelig’ choice, we can’t let that or ‘sjokolade’ rank below liverpool though!
posted by drowsy at 9:21 AM on January 7, 2022 [2 favorites]


I set all mine to expiring soon so I'll get a helpful reminder if I ever forget.
posted by emelenjr at 9:25 AM on January 7, 2022 [7 favorites]


Password managers have one big flaw. I do music. Music software is authenticated with passwords, the one you use to login to software company website. So password manager is fine as I am in the browser. But to authenticate, I have to log in via a plug-in in a DAW and there is no password manager to remember that insane conglomeration of keystrokes. So back to company website to reset password to something I can remember.

Use an actual password manager program (LastPass, OnePass, etc.), not your browser. When you need a password, you open up the password manager, double click on the name for the service you need the password for to automatically copy the password, then Ctrl-v copy it into where you need the password to go. The reputable programs manage this in a secure way, where the password doesn’t stay in your computer’s clipboard or anything. I guess browsers have gotten better at storing their passwords securely, but last I heard, this was also better for keeping your passwords secret than using the browser to remember them.
posted by eviemath at 9:41 AM on January 7, 2022 [3 favorites]


Some of the country-specific data seems a bit strange. Taking a look at the German results, what's up with all the "qwerty" and "gwerty" (?) at the top, given that German keyboards are most commonly QWERTZ? There are a few other entries - zag12wsx, the previously mentioned 1g2w3e4r - that also seem to assume a physical GWERTY layout. And why "password" before "passwort"? Why is "tudelft" up there? Or "illinois"? Or "tinkle"??? That's not to say there's no German on there - "schatz", "arschloch", "fussball", "sommer", "schalke", "bayern", "hallo", "ichliebedich" (and their derivatives) all make sense - but the top results look a little odd.

By comparison, the Dutch data seems to have a lot more actual Dutch-language words/locations/etc., and the Swedish data is similarly more Swedish.
posted by ASF Tod und Schwerkraft at 9:42 AM on January 7, 2022 [1 favorite]


Classic Michael.
posted by NoThisIsPatrick at 9:44 AM on January 7, 2022 [2 favorites]


If I post all my passwords here, will y'all check 'em to make sure they're secure enough?
posted by DirtyOldTown at 9:44 AM on January 7, 2022 [4 favorites]


eviemath the advantage to using password manager extensions instead of standalone programs is the browser (and thus the extension) know whether they're on the right domain, which users are notoriously bad at.
posted by Xoder at 9:49 AM on January 7, 2022 [2 favorites]


Can someone ELI5 to me why, for example, 'michael1' takes less than a second to crack, 'michael' takes eight, and 'michelle' takes three hours?

I don't know about Michelle but michael1 is faster than michael because the kind of low security sites that would allow an eight character password usually have "include a number" as a rule so michael1 is higher up the list of a dictionary attack than the version without a number.
posted by Mitheral at 9:52 AM on January 7, 2022 [2 favorites]
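The dependence on candidate ordering that AlSweigart and Mitheral describe can be made concrete. The following is an added example, not code from the thread or from NordPass: a toy guess-number estimator (in the spirit of a zxcvbn-style strength meter) over a constructed ten-entry wordlist with two mangling rules, plus a Django-style common-password blocklist check. The function names, the wordlist and the 10-billion-guesses-per-second rate are assumptions chosen for illustration.

```python
# Constructed mini wordlist standing in for a real common-password list
# (the thread mentions Django shipping roughly 19,000 such entries).
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "iloveyou", "michael",
    "michelle", "hannah", "mickey", "jennifer", "fuckyou",
]


def is_common(password, wordlist=COMMON_PASSWORDS):
    """Blocklist check in the spirit of Django's CommonPasswordValidator:
    a case-insensitive membership test against the list."""
    return password.lower() in {w.lower() for w in wordlist}


# Mangling rules: each takes a base word and yields derived candidates.
def rule_identity(word):
    yield word


def rule_append_digit(word):
    for d in "0123456789":
        yield word + d


def ordered_candidates(wordlist, rules):
    """Yield guesses in the order an estimator assumes they would be tried:
    every word under the first rule, then every word under the second, ..."""
    for rule in rules:
        for word in wordlist:
            yield from rule(word)


def guess_number(password, wordlist, rules, charset_size=26):
    """1-based position of `password` in the candidate stream.  If the rules
    never produce it, fall back to the size of a plain brute-force space over
    `charset_size` symbols of the same length (a crude upper bound)."""
    for n, cand in enumerate(ordered_candidates(wordlist, rules), start=1):
        if cand == password:
            return n
    return charset_size ** len(password)


def time_to_crack(guesses, guesses_per_second=10_000_000_000):
    """Seconds needed to reach `guesses` at a fixed rate.  The default is an
    assumed round number for a fast offline attack, not a measured figure."""
    return guesses / guesses_per_second


def compare_orderings(pw_a, pw_b, wordlist=COMMON_PASSWORDS):
    """Guess numbers of two passwords under two rule orderings.  Which one is
    'cracked first' flips with the ordering: the published 'time to crack' is
    a property of the estimator's assumptions, not of the password alone."""
    words_first = [rule_identity, rule_append_digit]
    digits_first = [rule_append_digit, rule_identity]
    return {
        "words_first": (guess_number(pw_a, wordlist, words_first),
                        guess_number(pw_b, wordlist, words_first)),
        "digits_first": (guess_number(pw_a, wordlist, digits_first),
                         guess_number(pw_b, wordlist, digits_first)),
    }


if __name__ == "__main__":
    for ordering, (a, b) in compare_orderings("michael", "michael1").items():
        print(f"{ordering:12s} michael={a:4d} guesses  michael1={b:4d} guesses")
    print("correcthorsebatterystaple common?", is_common("correcthorsebatterystaple"))
```

With words tried first, "michael" is guess 5 and "michael1" guess 52; with digit-suffixed words tried first, "michael1" is guess 42 and "michael" guess 105. Either way both fall in the "under a second" bucket at any realistic offline rate, which is the other point the comments make.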


Xoder, most of the major password managers do that through browser extensions. They work better in many cases than the native browser password managers (better form recognition, more features etc...). This has been handy for me in the past couple of years: our health system needs a number of codes and identifiers (about 4) to fill in the forms necessary to request proof of vaccination. A browser password manager can't do this for me. My password manager can, filling in multiple fields over a couple of web pages.

They have workarounds for mobile apps too. On my phone, my password manager can also log me into any app and can authenticate with my fingerprint. Google or Samsung need never have access to my ID data.
posted by bonehead at 9:56 AM on January 7, 2022 [4 favorites]


I sort of wish I could tell Google / Safari that I don't give a damn about some sites

I keep getting alerts about a password I once used for a restaurant's online ordering system. The restaurant and its website have been defunct for more than 5 years, so it's a little difficult to change it now...
posted by Foosnark at 10:20 AM on January 7, 2022 [2 favorites]


Many password managers will also let you pick passwords that are easy to read (e.g. that don't have l or 1 in them) or easy to pronounce. Lastpass does this, and I use it for the few passwords I have to copy by hand (e.g. for work computers where I have to log into the computer itself and can't copy/paste from my password manager). So, really, I think a modern password manager does everything you need as long as you can have access to your phone at work. I don't know what people in high-security settings do.
posted by nat at 10:23 AM on January 7, 2022 [1 favorite]


Haven't seen anyone mention bitwarden here. I switched from lastpass to bitwarden a while back and I like it so much better. Migration was easy. Works well on both mobile (I use android...every so often there's a hiccup and I have to manually copy and paste, but usually it works well with apps) and desktop.
posted by msbrauer at 10:26 AM on January 7, 2022 [7 favorites]


The fact that password managers appear to store plain-text versions of passwords (or equivalent-to-plain-text) somewhere, creating the world's juiciest security target, is what has me ready with my not-surprised face for a day when one of them gets cracked and all hell breaks loose.
posted by clawsoon at 10:28 AM on January 7, 2022 [3 favorites]


This is exactly why I am skeptical of them.

I have seen the meme of the handshake icon with the two parties labeled “jazz musician explaining a chord” and “computer generating a password.” Between them, “F#7b9/Db.” I pulled out my (musical) keyboard and spelled out the chord, which is far from lovely on its own, but did have me briefly pondering a system where you would have to get an instrument and actually play this polytonal cluster to check your inbox or whatever.
posted by ricochet biscuit at 10:35 AM on January 7, 2022 [10 favorites]


What clawsoon mentions was at some point true for Chrome's password memory, but (a) I think they fixed that and (b) no other password manager I know of does that. (Here's a random reddit link found with some minimum googling re: how Lastpass actually checks for access to your local vault: https://www.reddit.com/r/Lastpass/comments/gkrrub/is_the_master_password_stored_locally_in_plain/ ).

That having been said, I do not store the password for my 2-factor email inside my password manager, and I turn on 2-factor (using phone when it's an option instead of email) for anything remotely in need of security.
posted by nat at 10:40 AM on January 7, 2022 [4 favorites]


Long ago (1995) the place I worked had a simple password reset policy - they assigned a certain fraction of CPU time (on their new, fancy AIX box) to running a cracker (IIRC the state-of-the-art, get-it-from-ratioed-warez-FTPs password cracker at the time was imaginatively named 'crack'), and when it broke your password you got a reset message. Only good thing about the whole place (apart from getting to spend days in the basement cutting the header fields out of reel-to-reel data tapes for 'secure' disposal - that was pretty slack).
posted by memetoclast at 10:47 AM on January 7, 2022 [13 favorites]


and (b) no other password manager I know of does that.

I think what I mean - and I'm not super-familiar with the terminology - is that passwords must be stored in some sort of two-way hash system, not a one-way hash. The actual text of the password is recoverable. And they must store them on a server somewhere, since they're usable on devices other than where you first enter them. (That's my experience with corporate LastPass, anyway.)
posted by clawsoon at 10:56 AM on January 7, 2022


>The fact that password managers appear to store plain-text versions of passwords
I don't see how they could do anything else - I use PWS, which uses only local files (you can sync with add-ons and drop-box-alikes if you wish) and twofish (which is not AES (although it might have been) which could be a good or bad thing). It seems to my not-a-security-researcher-self to be about as good as you can get; it's certainly really inconvenient (although not so compared to remembering dozens of high-complexity passwords), and makes you hyper-aware of how bad clipboard security is on Android. It also has the great feature that when the bank clerk asks you your security answer over the phone and you have to say your pet's name is "-7_6dx8pBa<t" you get a lesson on exactly how bad people are at taking precise dictation.
posted by memetoclast at 11:01 AM on January 7, 2022 [2 favorites]


Most common single words: password, dragon, monkey, football, princess, sunshine, computer, shadow, killer, master, baseball, soccer, tinkle, love, welcome, hello, Status, hunter, marina, secret, freedom, chocolate, internet, lovely, forever

(maybe tinkle, hunter, and marina are names?)

Most common names: michael, daniel, ashley, charlie, jessica, jordan, thomas, michelle, andrew, justin, jennifer, anthony, andrea, joshua, robert, nicole, nikita

Most common company names: samsung, google

Most common place names: liverpool, pakistan

Most common fictional references: superman, pokemon, naruto, starwars
posted by straight at 11:49 AM on January 7, 2022 [3 favorites]


So if the random xkcd password generator gives you dragonmonkeyfootballprincess, do you stick to your guns and use it or discard it and deviate from true randomness?
posted by straight at 11:50 AM on January 7, 2022 [3 favorites]


This, (linking to this) appears to be apropos, in a particularly jwz kinda way.
posted by memetoclast at 11:53 AM on January 7, 2022 [2 favorites]


A friend in infosec posted something (likely a meme, can't remember) about how as a youth, they assumed hacking would be all cool code exploits and firewall breaks, but really, it's just emailing shit tons of boomers and saying "give me your password" until some of them do. I guess if a person's passwords are this easy to guess, you don't even have to do that much.
posted by DirtyOldTown at 11:59 AM on January 7, 2022 [7 favorites]


I'm surprised by some of this. The New Zealand list includes a heap of passwords that form phrases in Tagalog - but as far as I can tell, no other non-English languages. And there are a reasonable number of Filipinos living here, but they're not the most numerous group. The most common password is mahalkita (mahal kita = I love you in Tagalog) used over 9,000 times - out of a Filipino population of around 72,000. Seems unlikely?
posted by Pink Frost at 12:00 PM on January 7, 2022 [6 favorites]


> Most common place names: liverpool

it is a place but i suspect most of the passwords intend to reference the worlds greatest football club #YNWA
posted by glonous keming at 12:11 PM on January 7, 2022 [4 favorites]


I've never heard a convincing explanation for the short maximum password lengths or character-set restrictions some services implement. The size of the hashes that actually get saved aren't related to the size of the passwords.

The answer is right in front of you. "The hashes that get saved"

I once worked at a place where passwords had to be *exactly* 8 characters, including one (and only one) special character, and one (and only one) uppercase. Because a contractor misread the requirement.
posted by mrgoat at 12:13 PM on January 7, 2022 [3 favorites]
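Western Infidels' observation and mrgoat's reply both concern what actually gets stored. As an added example (not code from the thread), this Python snippet derives a salted PBKDF2-SHA256 record and checks that its stored size is identical for a one-character and a 200-character password, so a fixed-width storage column is no argument for capping password length. The record format, the iteration count and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Illustrative work factor; production guidance for PBKDF2-SHA256 is
# considerably higher.  Kept constant so record sizes are comparable.
ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32  # SHA-256 output size; fixed regardless of password length


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'.
    Only the salt and the derived key are stored, never the password itself,
    and the derived key is always KEY_BYTES long."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the derivation from the stored salt and parameters and
    compare in constant time, so the check leaks nothing about how many
    bytes matched."""
    scheme, iters, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=KEY_BYTES)
    return hmac.compare_digest(dk.hex(), key_hex)


def record_lengths(passwords):
    """Stored record length for each password: the same for every entry,
    whatever the password length, which is the point under discussion."""
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    samples = ["a", "SquishedInBetween", "x" * 200]
    print("record lengths:", record_lengths(samples))
    rec = hash_password("SquishedInBetween")
    print("verify correct:", verify_password("SquishedInBetween", rec))
    print("verify wrong:  ", verify_password("squishedinbetween", rec))
```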


Due to the wonders of bureaucracy, at work I have three passwords with three different complexity requirements that must be changed at either 45 or 90 day intervals, and require three different processes to update them. I had to actually make a document to record how to change the passwords, their complexity requirements (often changing and never explicitly stated), and how to get them reset in case I get locked out / password manager screwed up / was on vacation. Once or twice a year I screw up or forget and I lose a few hours of productive time.

Three passwords is actually an improvement from a previous job, where I had about 12 passwords that I had to update on a regular basis. Many were on legacy systems that had odd requirements like "can't be longer than 12 characters", "will change all upper case characters to lower case and not tell you", or "does not actually support slashes or backslashes". Once you changed your password, some of them said that it might take upwards of a day for the password change to get through the system - and sometimes it really did take that long. During this time you could log in with the old password and not the new one.

I don't know how I could have survived without a password manager. Officially, we're still not supposed to use them.
posted by meowzilla at 12:16 PM on January 7, 2022 [4 favorites]


if you paypal me 1 bytedollar i will send you a list of the top 10000 4-digit PIN ID number codez

Hurry! get(integer.random(9-99)) shoppers have this item in their cart.
posted by glonous keming at 12:22 PM on January 7, 2022 [6 favorites]


It's very obvious from this thread who isn't using a password manager.
posted by escape from the potato planet at 12:28 PM on January 7, 2022 [1 favorite]


DirtyOldTown: "If I post all my passwords here, will y'all check 'em to make sure they're secure enough?"

You have more than one password!?!?!
posted by adamrice at 12:35 PM on January 7, 2022 [4 favorites]


It's even more elegant than that, Mr.Know-it-some:

22 iloveyou
...
56 fuckyou


The complete arc of human reactions. Or a very short story.
posted by doctornemo at 12:36 PM on January 7, 2022 [3 favorites]


NordPass is not clear about how they gathered these passwords, but the fact that they are listing them at all indicates that they're storing them in cleartext, which is a major security red flag. Passwords should always be encrypted at rest.
posted by technodelic at 12:50 PM on January 7, 2022 [4 favorites]


"F#7b9/Db" ... is far from lovely

Joy is in the ear that hears.

BTW that's an F# chord with a dominant 7, not an F chord with a sharp 7: C# F# A# E G♮
Also, it resolves nicely to D9.
posted by Greg_Ace at 12:51 PM on January 7, 2022 [4 favorites]


Update to my earlier comment (d--- editing window...): If they generated the list by running a password cracker on encrypted passwords then it's not an issue. Maybe I missed it when I skimmed the article.
posted by technodelic at 12:59 PM on January 7, 2022 [1 favorite]


NordPass is not clear

Based on no evidence whatsoever, I assume that all the Nord services are CIA fronts.
posted by clawsoon at 1:06 PM on January 7, 2022 [3 favorites]


my primary knock against them is how they advertise all over the place and how their prices reflect that ad spend compared to some of their less adver-spammy competitors
posted by glonous keming at 1:19 PM on January 7, 2022 [1 favorite]


Password managers have one big flaw. I do music. Music software is authenticated with passwords, the one you use to log in to the software company website. So a password manager is fine, as I am in the browser. But to authenticate, I have to log in via a plug-in in a DAW and there is no password manager to remember that insane conglomeration of keystrokes.

KeePass and its various forks (I use and recommend KeePassXC) will do that for you; they have an auto-type feature that doesn't care what the username and password are being typed into. If your DAW plugin's authentication dialog can be made to work using keystrokes only (e.g. by using Tab to move from the username box to the password box and Enter to do the actual login) then KeePass will let you log into it. The actual keystrokes you need are completely customizable for each set of credentials if the default {USERNAME}{TAB}{PASSWORD}{ENTER} sequence doesn't work for you.

The fact that password managers appear to store plain-text versions of passwords (or equivalent-to-plain-text) somewhere, creating the world's juiciest security target, is what has me ready with my not-surprised face for a day when one of them gets cracked and all hell breaks loose.

KeePass and descendants go to some lengths to prevent sensitive information being recoverable from RAM for longer than it absolutely must. Password database files that exist on disk, or that are shared using assorted online storage services (I use Dropbox for this) are stored encrypted, and as long as your master password is long and machine-generated (mine is 18 alphanumerics, committed to muscle memory by the fact that I need to use it every day) are completely infeasible to crack.

But I think you're probably right about explicitly cloud-based password management services. I would certainly never trust one.

NordPass is not clear about how they gathered these passwords, but the fact that they are listing them at all indicates that they're storing them in cleartext, which is a major security red flag.

"The list of passwords was compiled in partnership with independent researchers specializing in research of cybersecurity incidents. They evaluated a 4TB database."

That 4TB database will almost certainly have been a compilation of assorted password lists released for sale online by people who have exfiltrated credential databases and run cracking attacks against the password hashes stored in those.
posted by flabdablet at 1:31 PM on January 7, 2022 [5 favorites]


Although I use KeePassXC for everything that requires an actual login, I do use 123456 for nonsense like the myLearners app from VicRoads that insists I enter its own per-app PIN every time I start it up on my phone, the phone's own PIN and inbuilt encrypted credentials keyring apparently being thought inadequate to stop my daughter approving her own learner driver logs without my involvement.

Learning that this is actually the most frequently used password has made me very happy.

It's just so silly. I mean sure, there are going to be a lot of people whose kids know their phone PINs, but by and large those will also be the people who just re-use their phone PIN as their myLearners app PIN and probably their EFTPOS card PIN as well.

Naturally, the actual password for my VicRoads account - the one I had to use Dropbox and KeePassDroid to supply to the myLearners app the first time I logged in with it - is long and machine-generated.
posted by flabdablet at 2:18 PM on January 7, 2022 [1 favorite]


tinkle FTW, obvs
posted by Dr. Wu at 2:55 PM on January 7, 2022 [1 favorite]


These threads are great for reminding me that I’m the only person alive still using RoboForm as my password manager. I like it though.
posted by freecellwizard at 2:58 PM on January 7, 2022 [1 favorite]


at work I have three passwords with three different complexity requirements that must be changed at either 45 or 90 day intervals, and require three different processes to update them. I had to actually make a document to record how to change the passwords, their complexity requirements (often changing and never explicitly stated), and how to get them reset in case I get locked out / password manager screwed up / was on vacation. Once or twice a year I screw up or forget and I lose a few hours of productive time.

KeePassXC lets you set an expiry date on any password, and also lets you include freeform notes with each credentials entry that you could easily use to document the password change and reset processes for those credentials. You can attach completely arbitrary documents to a credentials entry as well. I've got photos of my driver licence stored in my KeePassXC database this way.

It also lets you add a TOTP authenticator to any set of credentials, compatible with Google Authenticator and (with a bit of extra fartarsing about) Symantec VIP and probably others. This is good for people like me who consider that a decent password manager properly used is more than secure enough to give identity thieves the roo fingers and obviates any need for the second factor that e.g. my bank insists I must use for certain operations.

The beauty of using a password manager that relies on a database that you need to maintain and manage explicitly and independently is that because the database file is something you'll use literally every day it becomes super hard to lose, so it's a really good place to keep stuff like password reset procedure notes even for passwords you might not have used in five years. Also, the consequences of having it destroyed are dire enough that even if you never back up anything else you'll religiously back up your passwords database. Dropbox, or some other online storage service that offers access to multiple versions of things, is a good place to keep at least one of those backups.
posted by flabdablet at 2:58 PM on January 7, 2022 [1 favorite]


Over 30 years ago my Linux 0.9x password on my PC was "guess" and my best nerd friend came to visit me and the gag worked perfectly. Good times.

My current wifi password is aaaaaaaa

Good times.
posted by Wood at 3:23 PM on January 7, 2022 [3 favorites]


Just for grins I counted up how many passwords I have in the four password managers I work with on a regular basis, two work team, one work personal, and one home personal. There are close to 400 all told. Password managers are a life saver for me.
posted by calamari kid at 3:57 PM on January 7, 2022 [2 favorites]


it's easier to type in something from muscle memory than it is to have the password manager fill it in in a lot of cases

When I first started using KeePass, I deliberately changed a whole bunch of my low-security passwords exactly in order to force myself to use KeePass instead of muscle memory for exactly this reason.

he couldn't keep track of his master password and got locked out. I don't know of an easy solution to this sort of problem

One good trick for generating a solid master password for this kind of application is picking two or three of the best passwords you can already remember reliably, and just ramming them together. My own master password is made from a couple of randomly generated nine character passwords I'd been using for a few months as my login passwords for the school servers I was responsible for managing at the time; nobody else had ever been told either of them.

The other benefit of deliberately refusing to let myself get away with relying on muscle memory for passwords that "don't matter" was that it also forced me to type that new master password into KeePass the first time I needed to log into anything on any given day. As a consequence, the master password locked itself into muscle memory relatively quickly, and even more solidly than any of the old "easy" passwords ever had.

The easy thing to do is the habitual thing, and I anticipated a lot of benefit from making the use of KeePass the habitual thing, so I wanted to make it habitual as fast as I possibly could. It took about three weeks before I stopped experiencing it as artificially slow and a little frustrating, and I would rate those three weeks as among the best investments of time I have ever made in anything.

Knowing that I never will lose login credentials I might need, even for accounts I literally haven't even thought about in years, even though some of those accounts have still got recovery email addresses I don't have access to any more and every single one of my passwords is now long and machine-generated, feels completely luxurious. Once you're always letting the software type in your passwords for you, there is no point at all in not making every single one of them overcomplicated and unique.

I now have KeePassXC set up to auto-run on login on all my computers, so I have to enter my master password every day as a matter of course, whether I'm going to need to use KeePassXC to log into something or not. I don't think I could forget it now. My fingers just wouldn't let me.
posted by flabdablet at 3:59 PM on January 7, 2022 [2 favorites]


More than a million people used both "Jessica" and "Charlie?" What?

One of the national science agency websites that I log into twice a year requires me to change my password every 90 days, 'cause their threat model is as out of date as their ability to design a website that works. Half the time a uni sponsored-research admin does it for me and inevitably sets it to my last name and a number. Their website happily accepts lastname12 as a secure replacement for the 18 random digits I used 91 days ago. I remain confident that no bad actors will be able to submit a 15 page grant proposal on my behalf.
posted by eotvos at 4:20 PM on January 7, 2022 [3 favorites]


15 years ago, I worked on the website for a US company whose customer base - though nationwide - leaned a touch southern. […] Thanks to crappy backend design, I could see all of the passwords. A good 1/3 of them were Jesus-themed. "OneForJesus", "JesusLovesMe", and so on.

As with the high incidence of football teams in the UK password list, this seems not the most sensible option if you’re concerned about anyone who knows the slightest bit about you trying to guess your password and wreak havoc with your accounts.

I mean, as a Catholic, I’m not daft enough to use “AveMaria” as a password when I can opt for something like “HavaNagila” to throw such people off the scent.
posted by Morfil Ffyrnig at 4:24 PM on January 7, 2022 [1 favorite]


How is qwerty -- which seems to be the same characters, based on my cutting and pasting into a text editor -- at both #4 and #94?
posted by Shepherd at 4:29 PM on January 7, 2022 [1 favorite]


I am puzzled that "1g2w3e4r" ranks as #103 -- that doesn't quite follow a run of keys on a QWERTY keyboard, or two runs of keys (like "1q2w3e4r" would).

I noticed this (and similar passwords), and my guess was just that people are starting with "qwerty" or "1q2w3e4r" and then changing the q to the arguably similar-looking g in an attempt to complexify/strengthen the password without it being too hard to remember. Sort of like "passw0rd" instead of "password".
posted by chaiyai at 4:53 PM on January 7, 2022 [1 favorite]


NordPass is not clear about how they gathered these passwords, but the fact that they are listing them at all indicates that they're storing them in cleartext, which is a major security red flag. Passwords should always be encrypted at rest.

"The list of passwords was compiled in partnership with independent researchers specializing in research of cybersecurity incidents. They evaluated a 4TB database."

my assumption is this isn't the passwords people use for their Nord accounts, but rather an analysis of leaked dumps (the same way eg. HIBP gets its data). I don't work in incident response, hang out in darknet crime forums, or have access to anything but the most widely circulated dumps, but could go and grab <checks the torrents> ~570GB of compressed password databases right now if I wanted to. that probably expands to something in the vicinity of 4TB, though a lot of it is old stuff like the myspace and linkedin leaks from years ago. people in the right parts of the industry will have access to much more current data than I do.
posted by russm at 5:22 PM on January 7, 2022 [3 favorites]


I've been using premium LastPass for many years but it may be time to consider switching.
The Wirecutter recently reviewed password managers and mentioned this about LastPass (which didn't make their final list of recommendations):

"The company that owns LastPass, LogMeIn, was acquired in 2019 by two private-equity firms, which makes us concerned about the future of LastPass. "

It's a fair point. Can't think of many (any?) examples of private equity firms not making stuff worse.
posted by Hairy Lobster at 6:34 PM on January 7, 2022 [4 favorites]


A good 1/3 of them were Jesus-themed

Somewhat ironically Christians (or anyone who'd studied scripture) have a pretty good crutch for a decent master password. E.g.: say you share a birthday with Elvis (January 8th, 1938). Use 38/1/8 as your base. Pull up your King James (or whatever is your preferred version). Go to Psalms and look up #38, 1, and 8. Grab the first two words (or last two words, or 1st and 8th words) of the second stanza from each. Smash them together and voilà, your password "for your not so when i" is easily recreatable, pretty easy to remember and certainly better than anything else not popped out by a PRNG. It's not diceware secure but it would be good enough. Write it down and stick it in your passport or something as a backup.

Or you know, spend five minutes with diceware and get as many bits of entropy as you'd like with easy to enter and remember pass phrases.
posted by Mitheral at 6:50 PM on January 7, 2022 [3 favorites]


It's a fair point. Can't think of many (any?) examples of private equity firms not making stuff worse.

Ugh. Well, that *is* a reason to think about a different password manager. Blegh.
posted by nat at 9:16 PM on January 7, 2022 [3 favorites]


When my cable was installed, the cable guy was training a new younger cable guy. Older cable guy was brilliant, and he asked me for my network password, I said hang on, and got out my book. I thumb through it, and finally find my old network password. The kid asked why I didn't have a password manager, and I told him that is in the computer, which is totally available to anyone who is better at security than I am, which is just about anyone, really. He looked at his trainer who said that a book with the passwords written in it was the best way to do it. I have at least 80 different passwords for different entities, I took it all seriously that you don't use the same password, you don't cut yourself short on creating passwords. I finally dumped my seven letter password I used here for 18 years, and moved on to something more complicated. I know that every day, someone is trying to hack my jello recipes, the secrets to my most inner vices, however, the reality is, just watching my life would be hazardous to most people, confounding, grating, yeah, and the cats...I use email, only online, it is not open in my phone, same with Facebook, Instagram. I got online accounts that I don't use, twitter, a couple of others, just to tie up my name. My big security secret is complete unimportance. Yup, I am just an observer, just passing through. When I have to change a password, I always up the ante, and make them more difficult. The entities which want to "manage your passwords for you," are all vulnerable to the bigger fishers. Most of my passwords aren't even vaguely related to the site I access. The answers to security questions have no relation to the questions. What was your first car?-d0gh0use, What is your mother's maiden name?-Travail. All of these huge, innocuous surveys on social media are one by one getting the answers to common security questions.
posted by Oyéah at 10:17 PM on January 7, 2022 [1 favorite]


How is qwerty -- which seems to be the same characters, based on my cutting and pasting into a text editor -- at both #4 and #94?

We promised you Big Data, not Good Data.
posted by flabdablet at 1:43 AM on January 8, 2022 [5 favorites]


He looked at his trainer who said that a book with the passwords written in it was the best way to do it.

Arguable, as is every aspect of security. And, as does every aspect of security, "the best way" depends sensitively on what threats you're trying to mitigate.

A passwords notebook is indeed not at all susceptible to being snarfed up over the network but it offers no protection against local adversaries with physical access to the space where the notebook is kept. It would not, for example, be a good place to store passwords for accounts used to implement parental controls. It might also be the kind of thing a burglar might decide to take with them after casually leafing through it.

It's also subject to physical wear, or even total loss from fire or flood or inattentiveness, and less likely to be reliably backed up than a digital alternative.

The fact that a paper notebook user still has to type each password by hand creates an incentive not to make passwords as stupidly long as their associated sites will allow them to be. And since the association between site address and login credentials is always done manually, a notebook offers no protection against phishing attacks that fool people into entering real credentials on faked sites. It's also no help at all for constructing genuinely strong passwords.

The entities which want to "manage your passwords for you," are all vulnerable to the bigger fishers.

For me, training myself to use reliable, open source password management software whose database consists of a single heavily encrypted file that I can choose where to keep and how to back up involved a much more satisfactory set of tradeoffs than relying on a paper notebook, and is certainly what I recommend to others.

AES256 with a strong key is about as good as modern encryption gets. The only way I can see even a state level actor gaining offline access to the contents of my KeePassXC database file is via rubber hose cryptanalysis, an attack that paper notebooks are also susceptible to.

Paper notebook users might also need to defend against surreptitiously installed hardware keyloggers, which I don't. All that a hardware keylogger would ever pick up from me is many instances of the hotkey sequence that triggers KeePassXC to auto-type a username and password.

Best surreptitious attack against me would involve installing a soft keylogger on one of my personal devices, something capable of picking up simulated keystrokes as well as real ones, and clipboard contents at time of paste as well. Given how phishing-resistant I can be precisely because I only ever use the password manager itself to get to my web login pages, I think actually getting this done would probably be both harder and more expensive than paying somebody to break into my house and steal a little black book.

But here's the thing: unless you're subject to an overtly repressive regime, all such threats will always be essentially hypothetical. The main attack that most people are actually vulnerable to doesn't start with measures directed against them personally. Rather, it starts with exfiltration of an authentication database from an inadequately secured online service, followed by bulk-scale automated cracking to extract passwords from it in weakest-first order, followed by bulk-scale automated login attempts made using the extracted credentials against multiple other online services in order to take advantage of password reuse.

A notebook full of passwords, if conscientiously maintained and used to implement a no-password-reuse policy, is massively better than the far more common practice of recycling a small handful of passwords, all of them weak enough for a human to remember, across every site under the sun. If a little black book has been working for you and you have good ways to deal with its predictable failure modes and good ways to fill it with genuinely strong passwords, great!

And if you want to reduce your risk of being successfully phished or even spearphished as well, and/or would rather that changing a password or making a new one needed only a few clicks in an edit control rather than sustaining the illusion of being able to turn off a human brain's hardwired tendency toward creating exploitable patterns, consider training yourself to use KeePass or one of its descendants instead.
posted by flabdablet at 3:59 AM on January 8, 2022 [8 favorites]
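The bulk-login stage of the attack described in the comment above (leaked credentials replayed against other services to exploit password reuse) has a recognisable shape from the service's side: one source address attempting many different accounts, rather than one account many times. The following is an added illustration of that detection logic, not code from any service or from the thread; the log format, the account names and the addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all constructed.

```python
"""Flag sources that attempt many distinct accounts: the signature of leaked
credentials being replayed in bulk. Added example with a constructed log
format; nothing here is taken from a real service."""
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "login" log format.
SAMPLE_LOG = """\
2022-01-07T12:00:01Z login result=fail user=alice src=203.0.113.5
2022-01-07T12:00:02Z login result=fail user=bob src=203.0.113.5
2022-01-07T12:00:02Z login result=fail user=carol src=203.0.113.5
2022-01-07T12:00:03Z login result=ok user=dave src=203.0.113.5
2022-01-07T12:00:04Z login result=fail user=erin src=203.0.113.5
2022-01-07T12:00:05Z login result=fail user=frank src=203.0.113.5
2022-01-07T12:00:06Z login result=fail user=alice src=198.51.100.7
2022-01-07T12:00:09Z login result=fail user=alice src=198.51.100.7
2022-01-07T12:00:15Z login result=ok user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def per_source_stats(events):
    """Per source address: the set of distinct accounts tried, plus failure
    and success counts."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for _ts, result, user, src in events:
        s = stats[src]
        s["users"].add(user)
        s[result] += 1
    return stats


def flag_stuffing(log_text, min_distinct_users=5):
    """Return sources that attempted at least `min_distinct_users` different
    accounts. A person mistyping their own password hits one account many
    times; a replay of a leaked list hits many accounts a few times each, so
    distinct accounts per source is the discriminating feature. A flagged
    source that also recorded a success is the urgent case: that is a reused
    password that worked."""
    stats = per_source_stats(parse(log_text))
    flagged = {}
    for src, s in stats.items():
        if len(s["users"]) >= min_distinct_users:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "failures": s["fail"],
                "successes": s["ok"],
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

In the constructed sample, 203.0.113.5 touches six accounts and is flagged (with one success worth following up), while 198.51.100.7 is a single user retrying their own login and is not. In production the threshold would be applied per time window and the source key would usually be broadened beyond a single address, since real replays are spread across many.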


when the bank clerk asks you your security answer over the phone and you have to say your pet's name is "-7_6dx8pBa<t" you get a lesson on exactly how bad people are at taking precise dictation.

That's exactly why I've gravitated toward generating passwords and "security" answers like evhnd.tmrnf.jczqv.wbeke.wzils - long enough to be forever uncrackable, yet easy to dictate and transcribe and verify, and feasible to hand-type error-free even on a moronic little touchscreen fondleslab's horrific soft keyboard if need be.

So I get quite irritated by services that absolutely insist that a "strong" password is anything that meets some totally fucking inadequate minimum length requirement, must contain a mix of uppercase letters, lowercase letters, numbers and "special characters", and usually has to be shorter than 16 characters all up. It's doubly galling given that actually fit for purpose password hashing functions like scrypt and strength estimators like zxcvbn are freely available. Failing to design around both of those just looks like laziness at this point.

Every time I complain about this on MeFi I make a point of opening a private browsing window and trying to set up an Apple Account with the sample password from the comment. I just did it again, and the results are much as ever: my 29 character monster is unacceptable while appleID1 is rated "moderate" (zxcvbn's many-cores offline cracking time estimate: "less than a second"). But Apple makes secure personal devices, I hear.

At least they're rejecting Apple123 these days.
posted by flabdablet at 4:59 AM on January 8, 2022 [2 favorites]


What in this case is the sample password? If it's my example then I'd be willing to suggest zxcvbn's estimate is wrong (or my RNG is badly broken). Yours looks like it might be a keyboard walk, which have much lower entropy than you might think.
posted by memetoclast at 6:46 AM on January 8, 2022 [1 favorite]


re-reading (and diligently not abusing the edit function) I see it was yours - yes, that's a low-entropy password based on the 'uses a qwerty keyboard' prior.
posted by memetoclast at 6:53 AM on January 8, 2022 [1 favorite]


What in this case is the sample password?

evhnd.tmrnf.jczqv.wbeke.wzils

Not a keyboard walk, which I fully agree is a horribly poor way to generate randomness exactly because human beings are so notoriously likely to mistake an exploitable lack of randomness for actual randomness (and, perhaps more surprisingly, vice versa).

The link goes to the page that actually did generate it, from a site that offers some of the finest artisanal randomness available to humanity. The zxcvbn demo page judges this particular sample as requiring of the order of 100 billion billion billion guesses to crack, which is plenty for me.

Although it's completely feasible to abuse random.org in this way, what I use far more often is KeePassXC's inbuilt password generator with only the "a-z" character type enabled and a password length of 25. I insert the dots by hand. This relies on whatever cryptographic randomness mechanisms the user's operating system makes available to applications, which again is more than good enough.

KeePass has a more comprehensive password generator that used to let me get the same kind of result in one step by picking a password generation pattern of lllll.lllll.lllll.lllll.lllll (I would save that pattern as a password creation profile called "iPad friendly" in every instance of KeePass I used) and this is one of the features I do miss, having now moved to KeePassXC. On balance, though, the move was worth it for me.

KeePassXC uses the lightweight Qt windowing toolkit on all platforms. KeePass relies on the .Net or Mono runtimes which are huge and slow by comparison, so KeePassXC starts up much faster on the elderly recycled hardware I favour. Password generator quibbles aside, I find KeePassXC's UI cleaner than KeePass 2.x's. I also like the way KeePassXC keeps an eye on the file you loaded your currently open database from, giving you the option of reloading from it without needing to re-enter the master password (assuming it hasn't been changed) if e.g. Dropbox slips a new file in underneath.

Only the Windows build of KeePass 2.x can import password databases saved in the old .kdb format originally designed for KeePass 1.x, though it can save them only in its own .kdbx format. KeePass 1.x is still available and actively maintained but it's Windows-only. KeePassXC also saves databases only in the newer .kdbx format, but can import old .kdb databases on all platforms. KeePassXC also continuously monitors the file where it got its opened database for changes,

Minor differences aside, both projects do essentially the same job and interoperate smoothly with each other's databases. Both are available on Windows and Mac and Linux, both are free and open source, and I recommend trying them out and using the one that you like better.
posted by flabdablet at 8:48 AM on January 8, 2022 [5 favorites]
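To make the two points from the comments above concrete (the lllll.lllll.lllll.lllll.lllll generation pattern, and the complaint that composition rules rate appleID1 above a 29-character random string), here is an added example. It is not code from KeePass, KeePassXC or zxcvbn; the composition rule (8 to 16 characters, at least one lowercase, one uppercase and one digit) is an assumed stand-in for the kind of rule being complained about, not Apple's actual policy.

```python
"""Added example: generate passwords in the thread's lllll.lllll... shape,
compute the entropy of that process exactly, and show how a composition rule
and a length rule disagree on the thread's two sample passwords."""
import math
import re
import secrets
import string

PATTERN = "lllll.lllll.lllll.lllll.lllll"


def generate_pattern(pattern=PATTERN, alphabet=string.ascii_lowercase):
    """Each 'l' becomes a letter drawn from the OS CSPRNG via secrets.choice;
    every other character in the pattern is copied literally."""
    return "".join(secrets.choice(alphabet) if ch == "l" else ch for ch in pattern)


def pattern_entropy_bits(pattern=PATTERN, alphabet_size=26):
    """Entropy of the generation process: only the 'l' positions are random.
    The dots make the result easier to dictate and type; they add no entropy,
    and a naive 'charset ^ length' estimate that counted them would overstate
    the strength."""
    return pattern.count("l") * math.log2(alphabet_size)


def composition_rule(pw, min_len=8, max_len=16):
    """Assumed stand-in for a typical composition policy: bounded length plus
    one character from each of three classes."""
    return (
        min_len <= len(pw) <= max_len
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
    )


def length_rule(pw, min_len=16):
    """Length-first policy with no upper bound, the kind the comment asks for."""
    return len(pw) >= min_len


def brute_force_bits_upper_bound(pw):
    """Most generous brute-force count: treat every character as drawn
    uniformly from the union of the classes present. Real guessing is far
    cheaper for dictionary-based strings like appleID1, which is why a
    pattern-aware estimator such as zxcvbn rates it 'less than a second'."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^a-zA-Z0-9]", pw): size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    sample = "evhnd.tmrnf.jczqv.wbeke.wzils"   # the thread's sample
    print(generate_pattern(), round(pattern_entropy_bits(), 1), "bits")
    for pw in ("appleID1", sample):
        print(pw, composition_rule(pw), length_rule(pw),
              round(brute_force_bits_upper_bound(pw), 1))
```

The generated shape carries 25 × log2(26) ≈ 117.5 bits, all of it from the letters. Under the composition rule appleID1 passes and the 29-character sample fails (too long, no uppercase, no digit); under the length rule the verdicts flip. Even the most generous brute-force figure for an 8-character mixed-case-plus-digit string is about 47.6 bits, and its real cost is much lower because "apple" and "ID" are dictionary material.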


I'm not sure I'd call Qt 'lightweight' but ok, there's always a tradeoff between simplicity and functionality and given all the other moving parts that can break your password security I guess there's not much difference between Qt and the other options so may as well go platform-agnostic and open. I accept your example isn't a keyboard walk, but it sure feels like one - I guess that's the thing about true randomness, sometimes it does just pick 7, I used random.org to generate a PIN the other day and got 9786.
I have time and effort (both immediate and social) invested in passwordsafe, so I'll most likely stick with that.
posted by memetoclast at 10:57 AM on January 8, 2022 [2 favorites]


Also open source, also uses a local file for a database, and designed by a well respected security specialist - what's not to like? KeePass and Password Safe have both existed for about twenty years now and both database formats are widely supported, with compatible managers now available on any OS I'm ever likely to need password management in.

I haven't used Password Safe myself, but if the wx port had been around when I started feeling the need for a password manager ten years ago it would certainly have been on my shortlist of things to try.
posted by flabdablet at 1:23 PM on January 8, 2022 [2 favorites]


Thanks flabdablet for the link to the zxcvbn page! I learned that I wasn't quite as clever as I'd thought (not the first time that's ever happened, I'm sure y'all will be surprised to hear) with my personal password generation technique - it was a good start, but it turns out I just hadn't taken it far enough to hamper thousands+/sec offline attack methods. So I spent an hour giving all my passwords a hefty upgrade. The downside is that they'll be harder to enter manually...I hadn't yet gotten into using a password manager, but I guess it's time to start.
posted by Greg_Ace at 2:31 PM on January 8, 2022 [2 favorites]


Pet peeve is there are so many passwords that list the rules but it’s wrong or incomplete. Yesterday I spent at least 20 minutes trying to create a password that required (minimum 12 letters, 1 upper case, 1 number, 1 symbol (but only certain symbols). I try to use 18-20 digits in my passwords, which is more than 12. Well, finally I figured out by trial and error that it had to be exactly 12 letters. I love rules, I will follow them but tell me what the real rules are, arrrrg!

Bonus pet peeve to Apple’s suggested strong passwords which always include dashes, which very often are not an approved ‘special character’.
posted by Bunglegirl at 4:02 PM on January 8, 2022 [2 favorites]


I don't understand half of the security discussion. So the hidden book, with many changes, works for me. And, I am unimportant and low income. Here is an example of a memorable password.
!Wh3nUN33dWat3r$$ for paying a certain bill.

Bank security question answers don't have to be long, they just have to not relate to the question in any way, and not have been answered on some random Facebook quiz. And don't respond to an automated New Year's greeting that gives you the opportunity to enter your name, and send it to all your contacts. I just got one of these from an old friend.
posted by Oyéah at 6:38 PM on January 8, 2022 [1 favorite]


there are so many passwords that list the rules but it’s wrong or incomplete

Acer Australia wins my prize for this. For a while there, their account creation page was advising a 16 character password length limit and enforcing that in the password entry text box, but then silently truncating any entered password at 15 characters. The login screen, on the other hand, didn't do the truncation. No 16-character password could ever possibly match.

Having used KeePass to generate a longest allowable password during account creation I was unable to log in. I found out completely by accident that I could log in by pasting in the password and then hitting Backspace just before Enter, and this is what led me to track down and report the account creation bug.

The annoying part is just how pointless this kind of thing is. I can think of absolutely no sound reason why a passphrase shouldn't be allowed to be at least as long as a tweet. It's not like the password hashes are going to be different sizes.

A length limit is just a hint that the back end might be set up to store passwords in some form other than as hashes, which has been well understood as Doing Security Wrong for decades. And don't get me started on services whose account recovery process involves sending you your actual current password in an email. Ugh.
posted by flabdablet at 7:50 AM on January 9, 2022 [2 favorites]
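A small simulation of the mismatch flabdablet describes, as an added example that is not code from the thread or from Acer: the registration path clips the password to 15 characters before hashing, the login path does not, and a fixed version hashes the full password on both sides. The function names, the truncation constant and the PBKDF2 parameters are assumptions for illustration.

```python
"""Added example (not from the thread): an Acer-style create/login mismatch
where account creation silently truncates at 15 characters before hashing
while login hashes exactly what the user typed, beside the fixed version."""
import hashlib
import hmac
import os

BROKEN_TRUNCATE_AT = 15  # hypothetical bug in the creation path only


def hash_password(password: str, salt: bytes) -> bytes:
    # Output is a fixed 32 bytes whatever the input length, which is why a
    # length cap buys nothing once passwords are stored as salted hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def broken_register(password: str) -> dict:
    # Bug: the creation path clips the password before hashing it.
    salt = os.urandom(16)
    clipped = password[:BROKEN_TRUNCATE_AT]
    return {"salt": salt, "hash": hash_password(clipped, salt)}


def fixed_register(password: str) -> dict:
    # Fix: hash the full password; create and login now agree.
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def login(record: dict, password: str) -> bool:
    # The login path never truncated, so it hashes the full typed value.
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def demo(password: str) -> dict:
    """Login outcomes for both registration paths with a given password."""
    broken = broken_register(password)
    fixed = fixed_register(password)
    return {
        "broken_full": login(broken, password),
        "broken_backspaced": login(broken, password[:-1]),  # the Backspace workaround
        "fixed_full": login(fixed, password),
        "fixed_backspaced": login(fixed, password[:-1]),
        "hash_len": len(fixed["hash"]),
    }


if __name__ == "__main__":
    print(demo("Kp3n3xAt7tB5Rq9Z"))  # 16 characters, the advertised maximum
```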


All of these huge, innocuous surveys on social media, are one by one getting the answers to common security questions.

I am always surprised how many people publicly volunteer things like, “The name of a childhood pet you miss dearly,” though when I see family and friends doing so, I am rarely surprised by who does. I usually reminisce about my loyal golden retriever, Password1234.
posted by ricochet biscuit at 7:09 AM on January 10, 2022 [3 favorites]


Several-day-old mefi threads, the new postsecret: I know something y'all probably don't about physical security - if you keep a few liters of old keys then patient application of them each sequentially to a troublesome lock will very likely provide you with new (and permanently functional) access. When presented with a random door in a new city it still takes only a hundred tries or so; I guess you need to accumulate the keys in the local distribution area - if the whole idea of what constitutes a key is different from that upon which you based your collection that'd probably break the system, but I've had it work (largely when bastard landlords would only give me a single 'don't copy' (and don't get me started on soap and solder) key to something) quite widely. Advantage over picking the lock is a) not carrying "thieves tools" and b) similar initial time investment but then it just works immediately after that.

I was reminded because a FoaF gave me a baggy of keys for my birthday, saying "I hear you collect these", which was confounding because yes I do but I can't even remember where my big jar of them is, sedentary life makes you soft.
posted by memetoclast at 10:03 AM on January 10, 2022 [1 favorite]


I hadn't yet gotten into using a password manager, but I guess it's time to start

Starting to manage all your login credentials and other personal identification documents with KeePass, Password Safe or any similar robust, long-established, well-supported, open-source, local file based tool is like planting trees, in that the best time to do it was twenty years ago and the second best time is right now.
posted by flabdablet at 12:20 PM on January 10, 2022 [1 favorite]


How do you use a password manager for stuff like logging in to a Playstation account on your PS4?
posted by straight at 12:25 PM on January 10, 2022


I use Bitwarden for a couple of things like that. What I do is that I open it up on my iPad and have it show me the password. It’s not elegant, but it works.
posted by Kattullus at 12:30 PM on January 10, 2022


> How do you use a password manager for stuff like logging in to a Playstation account on your PS4?

With substantial difficulty - you run said password manager on your PC or other general computing device that you are fairly confident that you have exclusive root access to, then when you need to log into your PS4 and it prompts you for the password you swap your attention to your other device, unlock your password database, find your PS4 password (I guess you'd usually keep this pretty close to the top of whatever your generic sort is if you use your PS4 a lot) then transkey the fucking thing.
Is this good and convenient? Nah. Is it secure - well, kinda. I'm prone to mutter what I'm typing when I'm transkeying and I recently realized that when I do that the 'smart speaker' in my partner's living room can hear me - is a global tech giant likely to bother logging that audio, well maybe not to steal my PS4 password, but they'll likely log it for 'quality assurance' purposes and at some point transcode it, then at some unspecified point in the future they'll have my password in digital form...
Security is all about attack surfaces - if your physical environment is secure then you can just write your passwords in a notepad; if your digital environment is secure then you can store them plaintext, if neither of those things is entirely true then you need to find some sort of compromise.
posted by memetoclast at 8:06 AM on January 11, 2022 [1 favorite]


transkey the fucking thing

using the horrible controller-based PS4 soft keyboard, I expect. Generating a password made of smallish chunks separated by dots will be a help with that but any process involving one of those soft keyboards is always going to be a complete pain in the arse. I would expect the amount of added pain caused by needing to transcribe the password from a phone running Dropbox and KeePassDroid or similar to be quite small.

Hmmm. A Raspberry Pi Pico costs six bucks Australian, and has a USB OTG port that can power it and let it act as any kind of USB device. If I had a PS4 and found myself needing to use that soft keyboard to log into it more than once, I'd be sorely tempted to build a USB dongle that I could preprogram with an arbitrary sequence of controller inputs triggerable by pressing a single button, then write something based on one of the many available KeePass database support libraries that would automatically translate a nominated entry's password into the correct controller sequence to enter it via the soft keyboard.

Double hmmm: TIL that Remote Play is a thing in the PS4 world. If we're all extremely lucky, that might even allow an Android keyboard paste into a PS4 soft keyboard control. And if that works, then it might be that an Android phone with Remote Play, Dropbox and KeePassDroid installed on it would just do the whole thing totally fuss-free.
posted by flabdablet at 10:09 AM on January 11, 2022 [1 favorite]
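The dot-separated, chunked password flabdablet suggests for soft-keyboard transcription, as an added example that is not code from the thread or from KeePass, with its entropy in bits so the convenience tradeoff is visible. The chunk sizes and the transcription-friendly alphabet are assumptions for illustration.

```python
"""Added example (not from the thread): generate a chunked, dot-separated
password suitable for typing into a controller-driven soft keyboard and
report how many bits of entropy the random characters actually carry."""
import math
import secrets
import string

# Constructed choice: drop glyphs that are easy to misread when copying
# from a phone screen to a TV (zero/O, one/l/I). Separators are fixed.
AMBIGUOUS = set("0O1lI")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in AMBIGUOUS)


def chunked_password(chunks: int = 4, chunk_len: int = 4, sep: str = ".") -> str:
    """Return something like 'k7Qw.m2Pv.9rWt.h3Ln' using a CSPRNG."""
    parts = ["".join(secrets.choice(ALPHABET) for _ in range(chunk_len))
             for _ in range(chunks)]
    return sep.join(parts)


def entropy_bits(chunks: int = 4, chunk_len: int = 4) -> float:
    # Only the random characters count; the dots are predictable and add
    # nothing, so entropy is log2(|alphabet|) per random character.
    return chunks * chunk_len * math.log2(len(ALPHABET))


def is_well_formed(pw: str, chunks: int = 4, chunk_len: int = 4,
                   sep: str = ".") -> bool:
    """Check the shape: right chunk count and length, alphabet only."""
    parts = pw.split(sep)
    return (len(parts) == chunks
            and all(len(p) == chunk_len and set(p) <= set(ALPHABET)
                    for p in parts))


if __name__ == "__main__":
    pw = chunked_password()
    print(pw, f"{entropy_bits():.1f} bits")
```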


How do you use a password manager for stuff like logging in to a Playstation account on your PS4?

Which is something that both Microsoft and Sony have kind of realized is a problem in the Xbox Series / PS5 generation, so now they offer a way to do it through a token, so you use your established credentials on your phone or PC (which is easier to use a password manager with) to link a session on your console. I haven't looked for white papers on whether they're just using OAuth or if they came up with something new and unique and vulnerable.

Also, Sony has standard TOTP MFA available, which maybe helps reduce the complexity burden a bit too. I assume MS does as well, but my newest Xbox is a 360, sooooo.
posted by Kyol at 6:14 AM on January 12, 2022

