Here's a hypothesis I've harbored for a decade or two:
People create weak passwords for services which shouldn't be authenticated in the first place.
If you're throwing up a registration requirement just to read public content (say, as the BBC seem to have begun doing in the past month or so), then yes, a large number of people will offer a bogus userID and the password "password", or a semantic equivalent.
(If they bother using the service at all.)
Overauthentication is itself a manifest security problem, because you're now effectively requiring bad keys be used.
See also: Twitter, Quora, and any number of other regwalled services. (I simply avoid using them.)
That said: organisations should reject any of some reasonably large number of well-known passwords. Where large should be well into the thousands if not millions by frequency of noted use.
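The rejection of well-known passwords that this comment calls for is usually implemented as a normalised denylist lookup at registration time. The following is an added example, not code from the thread or from any of the services named in it; the ten-entry list is constructed for illustration (a real deployment would load a frequency-ranked list of thousands or millions of entries), and the trailing-suffix heuristic for catching "semantic equivalents" such as "Password1!" is an assumption of this example rather than anything the comment specifies.

```python
import re
from typing import Tuple

# Constructed stand-in for a large, frequency-ranked list of leaked passwords.
# In production this would be loaded from a file with thousands to millions of entries.
COMMON_PASSWORDS = [
    "123456", "password", "123456789", "qwerty", "12345678",
    "111111", "princess", "baseball", "qweasdzxc", "juventus",
]


def normalize(password: str) -> str:
    """Fold case and strip surrounding whitespace so 'Password' and
    'juventus ' match their denylisted forms."""
    return password.strip().lower()


def load_denylist(entries) -> set:
    """Build a set of normalised entries for O(1) membership tests."""
    return {normalize(e) for e in entries}


DENYLIST = load_denylist(COMMON_PASSWORDS)


def check_password(candidate: str, denylist: set, min_length: int = 8) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Rejects passwords that are too short, that appear verbatim on the
    denylist, or that are a denylisted word with only trailing digits or
    punctuation appended (a heuristic for the 'semantic equivalents' of
    'password' that users reach for when forced to register).
    """
    normalized = normalize(candidate)
    if len(normalized) < min_length:
        return False, "too short"
    if normalized in denylist:
        return False, "on the common-password denylist"
    # Heuristic: strip a trailing run of digits/punctuation and re-check the base.
    base = re.sub(r"[\d\W_]+$", "", normalized)
    if base and base != normalized and base in denylist:
        return False, "trivial variant of a denylisted password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Password1!", "juventus ", "abc", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw, DENYLIST))
```

Normalising before lookup matters more than it looks: the thread itself quotes "juventus " with a trailing space, and a naive exact-match check would accept it.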
It's also a bit of a privacy risk to the users - if they use a publicly-known username (email address) with a very low-security password (e.g. 'password') across multiple sites, someone else could log in as them and e.g. track their activity on these sites.
This list doesn't ring true to me; the entries don't seem at all naturally distributed. Why on earth would col123456 be the 9th most popular password in the world, yet not appear in the top 200 of any of the country-specific lists, nor any other col1-prefixed variation?
From what I understand the most secure passwords are phrases one can remember but almost all of the places that require passwords don’t support phrases. Almost all of them have some rule close to “password must be 8-15 characters including 1 uppercase, 1 number and 1 special character”. Why aren’t the requirements something like a 24-128 string?
The most curious thing to me is that #96 "unknown" is listed as taking 17 minutes to crack, and yet "princess", "baseball", "juventus " and "qweasdzxc" all take less than 1 second. Ideas?
I make my passwords from letters strictly from the left side of the keyboard. This is so I can keep my mouse hand free. Anyone else cutting corners like this?
Seems like it's a reference to AFU establishing themselves in Liman and 1000s of russian soldiers backing down?
That's all I could find https://theins.ru/en/news/254974
And the table lists a time to crack it of 4 days. I assume that all of these will shortly be crackable in less than 1 second, as they'll be tried first.
How does a password cracker brute force against a password hash (say MD5 or SHA256, I know bcrypt is designed specifically for terrible brute force efficiency) if it has a random salt? Is the salt known and just uselessly stored with the password + easily retrievable during a login attempt or database leak?
The salt is typically stored as a prefix to the hash. Its job is not to be a secret, but to ensure that an individual effort must be made to crack each password. I can’t precompute and store the hashes or otherwise reuse previous work.
Another way to look at this is that the salt prevents information leakage from the hashes. Even if the same password occurs dozens or hundreds of times in the same database, unique salts will ensure that every hash is unique.
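To make the two answers above concrete, here is an added example (not code from the thread) of salted password storage in Python: the salt is stored in the clear as a prefix of the record, verification parses it back out, and a small offline-guessing simulation counts how many hash computations an attacker who knows every salt still has to perform. The `pbkdf2_sha256$iterations$salt$hash` record layout, the iteration count and the three-entry wordlist are all constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # constructed value; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, hex salt, hex hash.

    The salt is random per record and is NOT secret: it is stored alongside
    the hash so that verification can reproduce the computation.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record back into (iterations, salt, digest)."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def simulate_offline_guessing(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Model an attacker holding the leaked table (salts included).

    Returns the recovered passwords and the number of hash computations spent.
    Because each record has its own salt, a guess hashed for one user cannot
    be reused for another: the work is per-record, not per-wordlist.
    """
    recovered: Dict[str, str] = {}
    hash_operations = 0
    for user, record in records.items():
        iterations, salt, expected = parse_record(record)
        for guess in wordlist:
            hash_operations += 1
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), salt, iterations)
            if hmac.compare_digest(candidate, expected):
                recovered[user] = guess
                break
    return recovered, hash_operations


def build_sample_table() -> Dict[str, str]:
    """Constructed user table; note that two users share the same password."""
    return {
        "alice": hash_password("password"),
        "bob": hash_password("password"),
        "carol": hash_password("correct horse battery staple"),
    }


def distinct_hashes(records: Dict[str, str]) -> int:
    """Count distinct stored digests; with per-record salts this equals the row count."""
    return len({parse_record(r)[2] for r in records.values()})


if __name__ == "__main__":
    table = build_sample_table()
    print("distinct hashes:", distinct_hashes(table), "of", len(table))
    print(simulate_offline_guessing(table, ["123456", "password", "qwerty"]))
```

Two things the output makes visible: alice and bob have identical passwords but different stored digests, so the leak does not reveal that they match; and the attacker who knows every salt still pays one full PBKDF2 computation per guess per record, which is exactly the "individual effort per password" the first answer describes.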