Attention Adobe Hack Victims, "123456" is a Terrible Password

13 Comments

Mark17

123456? Fools! Should have used 654321.


j_j_montez

And that's #20 on the list. Some of those passwords were so lazy.


dgrmouse

If the passwords were encrypted, how are we seeing lists of bad passwords? Adobe is sailing high on teh failboat.


Cregan89

https://crackstation.net/hashing-security.htm

The passwords were encrypted, but with the power of today's hardware, even using off the shelf GPUs and open source software you can calculate billions if not trillions of those hashes in a single second. Now combine that power with shockingly effective dictionary lookup and rainbow tables (I guess it's not that shocking considering that top 10 list) and you can see why we're looking at this list of plain text passwords.

The name of the game when choosing a password is to get your password as low on the list of the passwords to be bruteforced as possible. But many hacking organizations have some serious hashing hardware available, and it's only a matter of time until they bruteforce the entire list of possible alphanumeric combinations. So if you're notified of a password breach, and you use that same password anywhere else, you should change it immediately.

Then consider an entity like the NSA who can literally throw billions of dollars at a password hash. It literally comes down to a mathematical relationship of hardware cost to time, or "dollar-years". I read a paper that said using the most advanced password encryption schemes in the world (specifically, scrypt), using hardware technologies from 2002, it would cost $19 billion to bruteforce every 8 character combination in one year, and $175 trillion for 10 characters. Of course, the chances that these systems don't get your password until their last guess are obviously 0. You would be absolutely AMAZED how effective their dictionary and pattern recognition algorithms are.

https://www.freerainbowtables.com/en/tables2/

A whole list of rainbow tables free to download with over 99.9% success rates...
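The comment above makes three separate points: that guesses against a fast hash are cheap, that a memory-hard KDF such as scrypt changes the cost per guess, and that a password which sits near the top of a common-password list is found long before any exhaustive search matters. The following is an added example (not code from the thread, the article, or Adobe) that puts numbers on each point from the defender's side: a denylist check against a constructed stand-in for the top of a breached-password list (the real Adobe list is not reproduced), a keyspace-to-time calculation, a crude single-core hash-rate measurement to show the fast-hash versus scrypt ratio, and a salted scrypt store/verify pair of the kind a site should have used. The denylist contents, the scrypt parameters (N=2^14, r=8, p=1) and the 16-byte salt length are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed denylist standing in for the top of a breached-password list.
# The entries are illustrative, not the actual Adobe top ten.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "adobe123", "12345678",
    "qwerty", "1234567", "111111", "photoshop", "123123",
}


def is_common_password(candidate: str) -> bool:
    """Registration-time policy check: reject anything on the denylist,
    including trivial variants (case changes, the string written backwards),
    because cracking dictionaries already contain those variants."""
    pw = candidate.strip().lower()
    return pw in COMMON_PASSWORDS or pw[::-1] in COMMON_PASSWORDS


# ---- the cost side of the argument ------------------------------------------

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string of that length at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def measure_rate(hash_fn: Callable[[bytes], object], sample: bytes = b"123456",
                 seconds: float = 0.25) -> float:
    """Rough hashes-per-second for hash_fn on one CPU core of this machine.
    Dedicated GPU rigs are orders of magnitude faster for fast hashes; the
    useful output is the ratio between a fast hash and scrypt, not the number."""
    deadline = time.perf_counter() + seconds
    count = 0
    while time.perf_counter() < deadline:   # always runs at least once
        hash_fn(sample)
        count += 1
    return count / seconds


# ---- the storage side: salted, memory-hard hashing -------------------------

SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed interactive-login parameters


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted scrypt hash (salt || digest). A per-user random salt makes
    precomputed rainbow tables useless against this store."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    recomputed = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    for pw in ("123456", "654321", "siucsi2u"):
        print(f"{pw!r}: {'rejected' if is_common_password(pw) else 'accepted'} by denylist")

    fast = measure_rate(lambda b: hashlib.sha256(b).digest())
    slow = measure_rate(lambda b: hashlib.scrypt(b, salt=b"\0" * SALT_LEN,
                                                 n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P),
                        seconds=1.0)
    print(f"sha256: ~{fast:,.0f} hashes/s   scrypt: ~{slow:,.1f} hashes/s   ratio ~{fast / slow:,.0f}x")
    for rate, label in ((fast, "sha256"), (slow, "scrypt")):
        years = seconds_to_exhaust(62, 8, rate) / (365 * 24 * 3600)
        print(f"exhaust all 8-char alphanumerics at {label} speed: {years:,.1f} years (one core)")

    record = hash_password("siucsi2u")
    print("verify correct:", verify_password("siucsi2u", record),
          " verify wrong:", verify_password("siucsi2v", record))
```

Run it as a script to see the ratio on your own machine; the keyspace figure shows why an 8-character alphanumeric password survives a fast hash only by luck, while the denylist check shows why "123456" and "654321" never get as far as the keyspace arithmetic at all.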


Random

Uhmmmm, my Adobe password was very strong using a long, random string of text that was auto-generated by KeePass. And yet my Adobe account was still compromised in this latest breach.

Sorry, but the users are not at fault this time. A weak user password doesn't result in the theft of 38-million user accounts. I don't see the connection between weak individual user passwords vs. a system-wide security failure on the part of the hosting company. In this case, ADOBE.


Paul_Lilly

No, one didn't lead to the other. The point, however, is that with literally millions of users choosing incredibly weak passwords like "123456," those accounts are already vulnerable. Those individuals are compromising their own security by using common, easy-to-guess passwords.


fangzter

Can't tell you how many times Marriott employees call in to change their Active Directory or Marriott Global passwords to these.

I warned those users several times about security but then they always demanded to have it changed to those.


stige

that's AMAZING!

I have the same combination on my LUGGAGE!


Yoda9864

Just to play devil's advocate here, the "top ten password list" of any site will always be horrible, horrible passwords. Take this list of 10 passwords I just made up:
- siucsi2u
- ivyy384u
- password
- 226dhj7y
- oej4jic8
- WHK93jo
- password
- 9dj23n3fs
- 33hcuchd
- ppo2podsj

OMGZZ!Z!!11! "password" is the most common password, everyone on the site is stupid!!!1!

My point is that once people put some kind of effort in creating a "good" password, the chance of someone else having that exact password goes down. Hence, the easy and stupid passwords will always rise to the top ranks. Do people actually expect a "good" password to be on a top ten most common password list?

I would like to know how many accounts used one of the top 100 passwords.


j_j_montez

If you want to know how many accounts used one of the top 100, click on the link for the list. 123456 was used almost 2 million times. 123456789 was just under 500,000. This does put it more in perspective. Too many people are still using weak passwords with their accounts.


Paul_Lilly

I think what's disheartening here is the number of account holders using weak passwords. It wasn't just hundreds or even thousands of users practicing lazy security, but millions. There were over 1.9 million account holders who used "123456" to secure their account.


Peanut Fox

If you're not using their cloud services, I don't think any password is really needed. Which is strange, because they still want you to set up an account anyway. Makes me wonder if a number of these passwords are intentionally weak.


LatiosXT

And people wonder why they get their accounts jacked...

On a side note, I wonder if some of these hackers are just doing this to expose how easy people's passwords are.