Schneier on Security
A blog covering security and security technology.
September 15, 2010
Popular Usernames and Passwords
Posted on September 15, 2010 at 12:50 PM
>vic victor victoria viktor
Interesting to see that "fred" does not appear.
My favorite password there is "changeme."
12345 only applies to luggage. What's it doing here?
Yes! "HJohn" isn't on either list! I'm secure!
Just to clarify - these are popular usernames and passwords used by SSH scanner/brute forcers. This doesn't necessarily correlate to popular account credentials actually in use in the wild.
Well, that certainly explains all those ssh connection attempts in my logs.
Where are they getting their data from?
Is there a name for moving one letter to the right, i.e. my "charlie" would become "vjst;or"? Is that in the dictionaries?
@charlie: "Is there a name for moving one letter to the right, i.e. my "charlie" would become "vjst;or"? Is that in the dictionaries?"
Not that I'm aware of. But on the flip side, unless the root word has a p, l, or m in it, it would just be an alphabetic password that is pretty vulnerable to a limited character brute force attack.
Then again, it wouldn't be too hard to program into a cracker.
Vsm upi trsf yjod?
charlie: Well, I would guess that something like John the Ripper would first blaze through all these combinations in milliseconds, then go through its entire dictionary and then proceed with doing simple transformations on such a dictionary like p4ssw0rding or p455w0rding, but also knowing the habit of some people to offset the entire keyboard by one.
I'm considering switching to KeePass with generated long passwords and protecting my KeePass store with a long passphrase plus keyfile.
I'm shocked, /shocked/ to see that "swordfish" is not on the list of most popular passwords.
Speaking of passwords and their alternatives...
I remember posts about how car alarms increased assaults and carjackings, since people became an easier target than the car.
Is this a risk with biometrics, that the person, through force or threats or blackmail, may become an easier target than passwords / PINs / cards, especially when money is involved?
"popular usernames and passwords used by SSH scanner/brute forcers"
reminds me of the popular baby name lists. will they converge? how cool if kids were soon named root or shell. hey postfix!
I don't think the data set is very broad. Why no scott/tiger? That should be way up there.
123456 looks like the most popular password?!
Drop the 6 or add a 7 and your password is markedly less frequent, why?
If you look at the 8 and the 4 then it looks like people really like to end 123... passwords with even numbers!
One should remember that the numbers are cheating because they are "upper case" and the letters are all lower case.
Probably not yet, but I suspect as the practice becomes more widespread password cracking databases will adapt.
There are many places that suggest you build a memorable password by basing it on a song lyric, e.g. the chorus of "Sweet Home Alabama" could be turned into shaWT$A5b. This is better than a dictionary word, but one of the guys at the "Crack me if you can" contest at DEFCON (details at http://contest.korelogic.com/ ) mentioned that they've started using dictionaries that account for this, and gotten almost as good results as with normal dictionaries on normal dictionary-based passwords. I'm sure that as the shifted-typing method becomes more prevalent it too will be added to password cracking dictionaries.
These sorts of obfuscation-while-still-being-memorable techniques do ultimately increase the amount of work password crackers have to do, but at the same time computers are getting faster as well. There's a kind of cat-and-mouse element to this, but remember that password dictionaries are not terribly useful if you have to try them live; if the system is designed properly you get blocked or locked out after a few dozen attempts. The real danger of password cracking and dictionaries is when you have the hashes; e.g. pen-testing company networks.
@Hjohn: "Is this a risk with biometrics, that the person, through force or threats or blackmail, may become an easier target than passwords / PINs / cards, especially when money is involved? "
Only if you're targeting one specific computer/person. If you want to scan millions of computer addresses quickly and automatically looking for an easy weakness this works. Nobody (usually) has access to provide a physical threat to millions of people at once.
@peri: "Drop the 6 or add a 7 and your password is markedly less frequent, why?"
Because a lot of places require a 6-digit minimum on the password, and a lot of people like to do the bare minimum.
@Ross: "Only if you're targeting one specific computer/person. If you want to scan millions of computer addresses quickly and automatically looking for an easy weakness this works. Nobody (usually) has access to provide a physical threat to millions of people at once."
I agree with that from a wide-scale perspective. I was thinking more along the lines of, insofar as individuals are concerned, instead of stealing a card, make them clear out their account at an ATM while you point a gun at them or their child. Sort of like how car thieves can't steal every car, but they can stab someone after they disarm the alarm.
Of course, if we want to get morbid, one could cut off someone's hand to use their fingerprints (although some readers make sure it is a living hand).
@HJohn: The other side of that coin is that car alarms quickly became largely ineffective, because they tend to generate such a high rate of false alarms that people quickly learned to ignore them as just one more source of noise pollution.
@peri: I'm guessing the "like to end with even numbers" is a simple artifact of six or eight character minimum password lengths.
We may be too stupid to survive as species for much longer.
@jeff: 12345 applies to luggage AND to planetary atmosphere shields.
Speaking of biometrics...
One of the things that has puzzled me for a couple of decades is "duress systems" not migrating into computer security systems.
An early example would have been the British trench code book from WWI which had a code written clearly across the front to be used if the code book was lost or assumed to be lost. The code word was "DAM DAM DAM".
From this we developed, in the Second World War ciphers, duress signals such as simple spelling mistakes (swapping a's and e's in, say, the fifth word, etc.).
In the physical world we have mechanical locks which have two switches in them. One is the "I'm OK" switch the other is "I'm under duress" switch which activates the "silent alarm". If neither switch is activated then opening the lock causes the ordinary alarm to activate.
Now these simple duress alarm ideas do not (as far as I'm aware) make it into everyday password or computer security systems which if you think about it is odd...
If the duress password is weaker than the ok password then a dictionary attack will trip the duress password before it gets to the real password.
But the main point is "how do you implement a reliable duress alarm in a pure Biometric system"...
The simple answer is it is actually difficult to do in a reliable way without a long term observer realising that there is one there (ie the manager always uses his right middle finger in the morning but tries to use another finger with a gun at his head). So we tend to have two factor systems like adding a pin password via a numeric keypad etc.
Just about every way I look at biometric systems they fail to even get close when compared to more conventional systems which is why I've always regarded them as at best a "Gimmicky James Bond style toy" (yes harsh judgment perhaps but when you then consider price...).
1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage.
Whew! No jammit on the list. I'm safe.
It's kind of depressing that 123456 and password are the biggest entries.
"Just to clarify - these are popular usernames and passwords used by SSH scanner/brute forcers. This doesn't necessarily correlate to popular account credentials actually in use in the wild."
I didn't see any info on the page about how they collected the passwords. It would be meaningless if they just scanned their own test systems but if they scanned the internet in general then the fact they counted a password means they gained access using it, and hence that it is being used in the wild.
Given the amount of media attention nowadays it's hard to fathom that people actually use these passwords in real life.
Actually, I take that back. This image appears to be based on the results obtained on this parent page,
Which implies all they've done is record what passwords "hackers" are attempting to break in with. Doesn't that make this a useless piece of net trivia?
Incidentally if you look at the list of sources it's interesting what a large portion originate in China. One wonders if they know something we don't or if they're just behind the times and don't realize that admins no longer use such silly passwords.
There are many builtin accounts, but the passwords all seem based on the QWERTY layout or the English language.
There's most certainly more security through the obscurity of systems in Russia, China, the Middle East, et al... ;)
Oh, I remember those times when the most popular password (10% of all users in our system) was "marvin".
@GCU Prosthetic Conscience: it's always swordfish. ;)
My personal favorite way of constructing passwords is to take the first letter of each word in a phrase (for example, song lyrics), capitalize some, and throw in some numbers and punctuation. It comes out looking like a fairly random group of characters, but it's still easy to remember.
These passwords look very much like they emanate from a technical set of users. Non-techy users tend to have a quite differing bunch of favourites featuring peoples names and sports clubs, as well as "monkey" for some reason I've never fathomed.
1 - 2 - 3 - 4 - 5? That's amazing! I've got the same combination on my planetary atmosphere shield!
@charlie: Moving one letter to the right is a variety of the Caesar cipher, as is rot13.
You mean a simple script like
echo "charlie" | tr "abcdefghijklmnopqrstuvwxyz" "snvfrghjokl;,mp[wtdyibecux"
echo "vjst;or" | tr "snvfrghjokl;,mp[wtdyibecux" "abcdefghijklmnopqrstuvwxyz"
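The one-key right shift discussed above (charlie's "vjst;or", the tr one-liner, and the "offset the entire keyboard by one" rule that crackers add) is trivially reversible, which is exactly why it adds so little strength. The following is an added example, not code from the post or from any commenter: a password-policy check that undoes a one-key shift in either direction and the "p4ssw0rd" style substitutions before comparing against a wordlist, so such passwords are rejected at enrollment rather than found later in a cracking run. The wordlist is a constructed handful of entries taken from this thread; a real deployment would load a proper cracking dictionary.

```python
# Added example, not from the post or its commenters: reject passwords that
# collapse to a wordlist entry once a one-key keyboard shift or "leet"
# substitutions are undone. Rows are the standard US QWERTY layout.
QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

# Constructed sample wordlist (entries mentioned in the thread); a real check
# would load a cracking dictionary instead.
WORDLIST = {"charlie", "password", "123456", "swordfish", "changeme", "marvin", "god"}


def build_shift_map(offset):
    """Map each key to the key `offset` positions to its right on the same row
    (negative offset = left). Edge keys with no neighbour map to themselves."""
    table = {}
    for row in QWERTY_ROWS:
        for i, ch in enumerate(row):
            j = i + offset
            table[ch] = row[j] if 0 <= j < len(row) else ch
    return table


def apply_map(text, table):
    """Apply a key map, preserving the case of letters; unknown chars pass through."""
    out = []
    for c in text:
        mapped = table.get(c.lower(), c.lower())
        out.append(mapped.upper() if c.isupper() else mapped)
    return "".join(out)


def shift_right(text, n=1):
    """'charlie' -> 'vjst;or' for n=1, i.e. what the tr one-liner does."""
    return apply_map(text, build_shift_map(n))


def unshift(text, n=1):
    """Inverse of shift_right for keys that have a left neighbour: 'vjst;or' -> 'charlie'."""
    return apply_map(text, build_shift_map(-n))


# The common digit/symbol-for-letter substitutions ("p4ssw0rd", "p455w0rd").
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "5": "s", "$": "s", "7": "t"}


def unleet(text):
    return "".join(LEET.get(c, c) for c in text)


def normalized_forms(password):
    """Every plausible 'un-obfuscated' reading of the password: as typed, with
    leet undone, and each of those shifted back one key left or right."""
    base = password.lower()
    forms = {base, unleet(base)}
    for f in list(forms):
        forms.add(unshift(f))       # they shifted right, so shift left to recover the word
        forms.add(shift_right(f))   # they shifted left, so shift right to recover it
    return forms


def weak_reason(password, wordlist=WORDLIST):
    """Return a rejection reason, or None if no normalized form is in the wordlist."""
    for form in sorted(normalized_forms(password)):
        if form in wordlist:
            return f"reduces to wordlist entry {form!r}"
    return None


if __name__ == "__main__":
    for candidate in ["vjst;or", "p455w0rd", "Vsm upi trsf yjod?", "correct horse battery"]:
        print(f"{candidate!r}: {weak_reason(candidate) or 'not in wordlist after normalization'}")
```

The check runs at password-change time, where the plaintext is legitimately available; it deliberately treats the shift as a cheap, reversible transform rather than as added entropy, which is the point the thread makes about cracker rule sets.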
Great my password of ********** didn't make the list.
@Clive: The problem with duress systems is that people tend not to worry about reacting to the duress signal. In WWII, for example, British agents in the Netherlands were supposed to make specific errors when enciphering their reports, to signal that they weren't under duress. When the Germans captured them, they quite properly left the errors out, and were sometimes then chided from Britain for leaving out the authentication code.
With passwords, any password that's dissimilar from the real one can be used as a duress password. Somebody trying "password" on my account when the password is really "123456" is very likely to be attempting a breakin (although "123455" might just be a typing mistake).
However, thank you for adding another argument against biometrics that I had previously not considered.
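Clive's duress-password idea and the two caveats raised around it (a duress secret weaker than the real one gets tripped first by a dictionary attack; a near-miss like "123455" is more likely a typo than a hold-up) can be expressed directly in an authentication routine. The following is an added example, not code from the post or from any commenter: an account with a normal secret and a duress secret, both stored as PBKDF2 hashes, where the duress secret is checked at enrollment for being at least as long and as varied as the real one and for being more than one edit away from it, and where repeated failures lock the account as the thread's "few dozen attempts" protection describes. The names (`Account`, `derive`, `edit_distance`, `char_classes`) and the iteration count are this example's own choices.

```python
# Added example, not from the post or its commenters: a login routine with a
# second, "duress" secret that grants access exactly like the real one while
# recording a silent alarm. Enrollment rejects a duress secret that is weaker
# than, or one typo away from, the real secret; repeated failures lock the account.
import hashlib
import hmac
import os
import string


def derive(secret, salt, iterations=50_000):
    """Store and compare PBKDF2 outputs, never the plaintext secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


def edit_distance(a, b):
    """Levenshtein distance, used at enrollment to keep the two secrets apart."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def char_classes(pw):
    """Crude strength proxy: how many of lower/upper/digit/other are present."""
    sets = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    classes = sum(any(c in s for c in pw) for s in sets)
    return classes + any(c not in "".join(sets) for c in pw)


class Account:
    def __init__(self, password, duress_password, max_failures=5):
        # A duress secret one keystroke away from the real one would turn
        # ordinary typos into false alarms.
        if edit_distance(password, duress_password) <= 1:
            raise ValueError("duress password is one typo away from the real one")
        # A weaker duress secret would be the one a dictionary attack hits first.
        if len(duress_password) < len(password) or char_classes(duress_password) < char_classes(password):
            raise ValueError("duress password must not be weaker than the real one")
        self.salt = os.urandom(16)
        self.pw_hash = derive(password, self.salt)
        self.duress_hash = derive(duress_password, self.salt)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.alarms = []  # stands in for the "silent alarm" channel (pager, SIEM, ...)

    def login(self, attempt):
        """Return "ok", "denied" or "locked". A duress login returns "ok" exactly
        like a normal one; only self.alarms differs, so whoever is watching the
        keyboard sees nothing unusual."""
        if self.locked:
            return "locked"
        h = derive(attempt, self.salt)
        if hmac.compare_digest(h, self.pw_hash):
            self.failures = 0
            return "ok"
        if hmac.compare_digest(h, self.duress_hash):
            self.failures = 0
            self.alarms.append("duress credential used")
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            self.alarms.append("locked after %d failures" % self.failures)
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = Account("correct horse", "battery staple")
    print(acct.login("battery staple"), acct.alarms)  # ok ['duress credential used']
```

The design keeps the two hashes under one salt so a stolen database does not reveal which entry is the decoy, and it puts all the "is this duress secret sane" logic at enrollment, the only moment the plaintexts are legitimately in hand; Ross's objection about operators ignoring the signal is not solved by code, which is why `alarms` is modelled as a channel rather than as a return value the user could see.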
I think that charlie means that you simply shift your hands on the keyboard one space right (q becomes w, for example). It's a substitution cipher based on a physical object, so you don't need to deal with remembering a chart or alphabetical order or anything but you produce convincingly munged looking passwords.
@charlie,Stephen: "Shifty Passwords" a la http://blog.commandlinekungfu.com/2010/04/...
I am in the middle of performing a password audit and the results in the graphical representation are rather telling of default passwords, but not in actual use. Far more often are password patterns found in derivations of the seasons, months, and company names, at least from my findings.
@Victor, @Stephen; yes, exactly.
Please read the books by Claude Shannon, then you can calculate the entropy of your passwords.
What matters is the expected value.
And the expected value is always subjective.
Don't forget God. System Operators love to use God; it's that whole male ego thing.
- Hackers quote (may not be true)