21 Apr 2019

My password is “password”

Every once in a while someone writes a scary article telling us how the most frequent password still is "123456" and how very bad it is.

That's an utter load of crap.

I know a bit or two about computer security. Yet, my most commonly used password is "password". And that's not going to change anytime soon.

Let me explain that. I'll start with an example.

Passwords of Average Joe

Few weeks ago someone on an underground forum shared logs from his password stealers. He had already processed all crypto-currency related information and log files had no other value to him. So, they were released to general public.

Let's see what passwords are used by someone in Indonesia:

  • zipgrade.com - p1806211006
  • qr-code-generator.com - p1806211006
  • ugm.ac.id - p1806211006

And his/her Google password is?.. You guessed it right!

How about Rogerio from Brazil?

  • webzen.com - ro231088
  • d4swing.com - 23101988
  • twitter.com - ro23ge10rio88
  • google.com - ro23ge10rio88

Well, can you guess his 4shared password? And his birthday? Maybe it will take you 3 attempts, but you'll succeed.

Final example - Oleg from Ukraine:

  • moneyveo.ua - BRAZZERSporn2017
  • cash24.com.ua - BRAZZERSporn2017
  • creditup.com.ua - BRAZZERSporn2017
  • paypong.ua - q1w2e3r4t5y6u7i8
  • wargaming.net - q1w2e3r4t5y6u7i8o9
  • google.com - q1w2e3r4t5y6u7i8
  • rabota.ua - q1w2e3r4t5y6u7i8o9p0

Obviously, he's horny. And needs cash. But how hard it is to guess his ask.fm password?

What's my point here?

Point #1 - don't save passwords in the browser

Contrary to what everyone keeps telling you, passwords saved in the browser are not safe from hackers. Yes, it's very convenient for you - you visit a website and browser just magically remembers your password and fills in the form. But it's really not that safe.

All these passwords above were stolen from browsers using a password stealer.

Chrome uses your Windows password as a master password. So, any program that runs under your username can decrypt and steal your passwords. Firefox allows you to set a master password - but it's not enabled by default. And Internet Explorer... Have you heard about NirSoft password recovery tools?

So, please don't do this.

Point #2 - your passwords must be unique

As you can see in the examples, people use several different passwords. But all of them are very very similar. As soon as you know one password, you can guess others.

My solution

There are different types of websites. There's the online banking website, there's your email, your favorite news portal, a Pokemon Encyclopedia and that torrent site from which you can download "things".

Not all of them are equally valuable to you, right?

If someone else gets access to your online bank, it's a disaster. If someone else can read your email, it's really unpleasant - but not the end of the world. If someone gets access to your Pokemon Encyclopedia account... Well, would you really care? And that torrent site run by Russians? You aren't even telling them your real name, right? smile

So, why should you use password like "\ZR3^m__fSJN=ct6" for some website you really don't care about? That's just plain stupid.

Valuable websites

There are some websites which contain your personal data. Name, address, credit card number, private photos, etc. You're probably paying a subscription fee for some websites like Spotify or Netflix. These are valuable websites.

For these websites I use my real email and a strong password. Every site gets a unique password. Something that you can spell and but is really unique. There are websites that can generate such passwords.

Useful websites

Some websites are not valuable yet still useful. You don't have any personal data there, you're not paying for them - but they provide you with some value. Your online cookbook. Schedule for your favorite TV shows. Something.

For these websites I use my real email and a weak password. All websites get the same password. That's simple and easy to remember.

If the password gets leaked or cracked, I don't really care. The hacker will learn that I love Thai green curry and watch "NCIS: Los Angeles". Yes, I have a weird taste, so what?

And I can always reset my password using my email.

Throwaway websites

All other websites are "throwaway websites". If you lose access to them, it doesn't matter. You can just create a new account and life goes on.

For these websites I don't use my real name. I don't use my actual email, either. It's easy to get a throwaway email account in case you need to "activate your account" for whatever reason.

So, for these websites, I use password "password". Because why not? And what if someone guesses my password? Well, I don't give a damn, please feel free to do that!

To make life simpler, I even have all those websites and username/password combinations written down in a TXT file. There goes that "don't write your password down" rule!

Why not use a password manager/2FA?

This post is not about keeping your valuable passwords safe. It's about not giving a damn about silly websites that force you to register. And that it is OK to have a password "123456" for those.

How you keep your valuable passwords safe is entirely up to you. I don't really trust a software password manager, they have vulnerabilities, too. But I am considering getting a Yubico key to use for my most valuable accounts.


I know this post will annoy some people. Please feel free to let your feelings known in the comments - but keep it civil. smile

4 thoughts on “My password is “password”

  1. This is very nice article.
    I'm doing almost the same but...

    In chrome, I only save password of throwaway accounts and don't care about them. I use 2FA which is better than nothing.

    Some throwaway websites ban some or all throwaway email domains so I had to use secmail.pro as a throwaway email

    My throwaway password is always "qwerty123" LOL :D

  2. Nice post. I've set up a generic spam account for the same usage, but I didn't know throwaway email-accounts like the ones you showed us existed. Going to start using that from now on.
    Cheers man,
    -Derpina :D

  3. Yep, Definitely! I didnt save my online banking and email password but still other than that I saved it in the browser.

    I also make sure all passwords are unique and strong.

  4. Somehow you Foregate your mail address's password then use fake email id for that time because {hidden link} is very easy to use.

Leave a Reply

  • Be nice to me and everyone else.
  • If you are reporting a problem in my tool, please upload the file which causes the problem.
    I can`t help you without seeing the file.
  • Links in comments are visible only to me. Other visitors cannot see them.

Your email address will not be published.

8  ×   =  72