Hacker News new | ask | show | jobs
by impendia 5179 days ago
> One in nine people had a password in this top 500 list. These passwords include some real stumpers: password1, compaq, 7777777, merlin, rosebud.

Looks unbelievable at first. How could people be so stupid?

But I use such passwords all the time. I use a variety of websites where I have no need or desire for security. Want to post burrito reviews on burritophile.com as me? I picked something simple and easy to guess, a couple hours and you'll be going to town! (Just promise not to badmouth the Cosmic Cantina.)

My bank accounts? Oops, didn't use the same password.
2 comments
furyofantares 5179 days ago
It always bothers me a bit when I see analysis of password strength for compromised sites without any mention of the possibility that the account might just not be important to users.

But there is a caveat. If the account is somehow identifiable as yours (say, because your friends know it's your account) then suddenly it's a possible social attack vector. Perhaps a weak one, but probably not something to be ignored, either.

link
elithrar 5179 days ago
> It always bothers me a bit when I see analysis of password strength for compromised sites without any mention of the possibility that the account might just not be important to users.

I actually use that as a factor when considering a password. If I think the site isn't going to be the most secure (a phpBB forum, or hand-rolled web-app), then I'm more likely to use a simple (but still relatively decent) password.

link
idupree 5179 days ago
Recently I made a new password for some random site (and keep an encrypted record of it). Then I was relieved I did, because the site turned around and emailed the password right back to me. Unencrypted. In plaintext.

Hmm, that is wrong enough that I'll call them out by name... https://www.nbotickets.com/ (Is it polite and useful to email them how I feel about that? I feel like I'd just be "someone-is-wrong-on-the-internet"-ing. Advice?)

link
vog 5178 days ago
Many mailing lists are doing that by default, too.
link
Groxx 5179 days ago
I'd love to see a set of data that compares weak passwords with used-Mailinator. I only ever use weak ones with Mailinator accounts, and I doubt I'm the only one (though maybe not enough to account for a majority of weak-password users).
link