Easy-to-guess words and figures still dominate, alarming cysbersecurity experts and delighting hackers

It is a hacker’s dream. Even in the face of repeated warnings to protect online accounts, a new study reveals that “admin” is the most commonly used password in the UK.

The second most popular, “123456”, is also unlikely to keep hackers at bay.

It’s not just a problem here – Australians, Americans and Germans also use “admin” more than any other password when accessing websites, apps and logging in to their computers. Around the world, “123456” emerges as the most popular.

  • shalafi@lemmy.worldEnglish
    19·
    1 day ago

    Picked up a keyboard at the thrift with a pink sticky note on the bottom:

    user:admin

    pass:password

    Yes, someone had to write that down.

  • Dagnet@lemmy.worldEnglish
    44·
    2 days ago

    Luckily for me my password is ******

    Edit: weird lemmy automatically replaced my password with ‘*’

  • 7U5K3N@lemmy.dbzer0.comEnglish
    30·
    2 days ago

    The second most popular, “123456”, is also unlikely to keep hackers at bay.

    That’s what I use on my luggage

    • Danquebec@sh.itjust.worksEnglish
      1·
      17 hours ago

      I reuse passwords on sites where I don’t care if my account gets breached.

      On sites where it matters, I store them in a password managers.

      On sites where money is managed, I keep the passwords only in my mind.

      • deranger@sh.itjust.worksEnglish
        3·
        1 day ago

        The more factors, the less secure. Each one you add is another potential exploitable authentication method. It’s only as secure as the least secure MFA method you add.

      • jj4211@lemmy.worldEnglish
        1·
        1 day ago

        I mean, how many factors do you advocate for? Two is generally plenty as long as they are good ones.

        E.g a passphrase protected ssh key is solid. Similarly protected passkey is good. A TOTP with password is… Not terrible I suppose… SMS would be pretty bad…

      • Fizz@lemmy.nzEnglish
        2·
        1 day ago

        Either or as long as theyre stored encrypted and decrypted on device.

  • Ex Nummis@lemmy.worldEnglish
    12·
    2 days ago

    I’ve “hacked” web apps by logging in with “user - password” or something equally inane.

  • Jimbabwe@lemmy.worldEnglish
    3·
    2 days ago

    Invent your own hashing algorithm. It’s easy, fool-proof, secure, and reusable without compromising security.

    Here’s a few examples: ebay.com password is moc.y4b3-saltyboi69 lemmy.world password is dlr0w.ymm3l-saltyboi69

    (These aren’t real btw)

      • Zaktor@sopuli.xyzEnglish
        4·
        2 days ago

        Most compromised passwords are used by script kiddies in mass attacks, not targeted attacks by elite hacking squads. If a password fails verbatim, they just move on to the next compromised account of millions, not develop pattern recognition software to try to figure out replacement candidates for each website.

        • Jumuta@sh.itjust.worksEnglish
          1·
          22 hours ago

          Association attacks exist in the wild.

          Let’s say that this is their ebay account. In that case the reward for unlocking each account is very high, so attackers (even in mass attacks) have incentive to put in more work as long as the work cost per account hacked is less than the average reward and there is a net profit.

          I assume in this day and age it’s probably also viable to use LLMs for password guessing, as long as it’s for a high value account. That unlocks a whole another can of worms and if it was me I’d never use low entropy passwords like “moc.y4b3-saltyboi69”

          Perhaps this kind of password is viable if it’s for an online service that implements rate limiting, but you also have to consider the case that a site gets hacked and their encrypted database (encrypted by each user’s password) makes it onto the web. This has happened a lot recently and makes it ridiculously easy for people to throw their GPUs at the task.