Crummy passwords from Yahoo users


33 Responses to “Crummy passwords from Yahoo users”

  1. Cyran0 says:

     “Password length (length ordered)

    1 = 117 (0.03%)

    2 = 70 (0.02%)

    3 = 302 (0.07%)”

    I’m seriously shocked and appalled that Yahoo! would even allow someone to register using a password that vulnerable.

  2. RedShirt77 says:

    This isn’t really that bad, out of nearly 450,000 there seem to be less than 10,000 moronic passwords. I would have guessed it would be much worse than that.

    Clearly the biggest issue with internet security is not passwords, rather it’s that hackers keep stealing hundreds of thousands of passwords. Someone in IT probably couldn’t remember all their incredibly complicated passwords and saved them all in a text file…

  3. Spocko says:

    If I’m cracking in the field, how can I remember all these common passwords? With this mnemonic device.

    My password? First I welcome a qwerty monkey to my home and ask, “Does Jesus love money, freedom, ninjas or writers?” Answer in 1,2,3,4,5,6,7,8,9. Come on Princess, while the sun is shining! It’s as easy as abc123.

  4. ^ Looks like Clifford’s yahoo account was one of those hacked.

  5. Cyran0 says:

     An unsolicited and totally legit work-from-home internet post?

    I smell a Clifford the Big Red Herring . . .

  6. Boundegar says:

    Does this mean “monkey jesus love money” is a bad password?

    • Art says:

      Here’s a better password!

      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race

  7. What’s even more shocking is that there are nearly half a million people still using Yahoo!.

    • mintyy says:

      It doesn’t say that these are of current users. They could be accounts inactive since 2003. Maybe even YOUR old account!

    • sigdrifa says:

      For me, not so much shocking (as in: you can only be shocked the first time you hear something) but exasperating — every time I get an e-mail from one of my two friends who don’t want to start over somewhere else. At least the chat situation isn’t too bad — thank you, Pidgin.

  8. Shibi_SF says:

    I thought that this was a dump of just Yahoo Voice users’ passwords.  Is it ALL Yahoo users?  (Mr. Shibi’s Yahoo email addresses were compromised at about 3am this morning — and he is not a Yahoo Voice user, but this could be unrelated to that.)

  9. Seg says:

    Even more interesting is when you cross-reference the leaked PSN accounts from a year ago with the Yahoo leak. Of the 302 accounts with the same usernames, 60% were the same passwords.

    http://www.troyhunt.com/2012/07/what-do-sony-and-yahoo-have-in-common.html

    • RedShirt77 says:

      This does at least point at the bigger problem more than the few qwerty users out there.

      Why do we allow the discussion of security to be hijacked by this mocking of people we think are stupid?

      If you started logging into accounts by guessing the common stupid passwords, your rate of success would be well below 1%, and the act of guessing on so many accounts would probably raise a red flag somewhere. Meanwhile phishing and large-scale theft are common, and reusing the same password everywhere seems to be the result of having ever-increasing complexity and rotation of passwords.

      • sigdrifa says:

        Unfortunately, that is something it’s particularly hard to convince non-tech-savvy people of. Most of my friends fall into that category, and trying to switch them to a solution as simple as, e.g., Keepass — of which there are versions for all major OSes — seems to be an impossible task.

  10. RioMcT says:

    and yet my old Flickr password of 45rpm7″Single! is just as secure as “password” after Yahoo got hacked.

    • Henry Pootel says:

      Yup.  Kinda like, why bother?

    • iondiode says:

      Correct! I mean analyzing this is all very well and good, but these passwords weren’t obtained through brute force. They were available in the clear. Boo.
      I think email is pretty dumb anyway, but it seems to be de rigueur for providing an identity on the internet. I guess it’s better than Facebook, but come on people, there has to be a better way!

  11. John Hickey says:

    What site lets you use a one-character password? Something seems wrong here.

  12. nvlady says:

    Yahoo!, that’s cute.
    I have 3 passwords of different levels of complexity I use everywhere from Photobucket, to Amazon, to my bank and 401k. I change them every 6 months. I know if I can’t remember one, then it’s gotta be one of the three. :)

  13. Pirate Jenny says:

    I use my Yahoo email account for shopping, mailing lists, and anything else that’s likely to result in spam (because the spam filter is pretty good, and this keeps my personal email account from being overrun with less important stuff). So this is pretty annoying to me. How many more times does this have to happen before companies learn to lock that shit down?

  14. Dan Baron says:

    I am disappointed that the most common four are not love, secret, sex, and god.

    • Coderjoe says:

       Here are the counts for those as the entire password. (they do occur as part of a more complex password a lot, however)

           52 secret
           46 love
            3 god
            2 sex

  15. LennStar says:

    I always wonder why it is 123456 and not 12345 or 1234567, and why it is not 987654321, which is much easier to type for right-handed people (with your left hand running over the keys and hitting enter or clicking with the right) than, say, 123456, the most common one. (And it is “saver” ;))

  16. noah django says:

    Where is this list of passwords? I wanna ctrl-f it and see if I’m on it, but all Google gives me is Ars Technica’s coverage and everyone else citing Ars, including BB’s first post.

    FUCKING LINK, PLEASE!

    • sigdrifa says:

      I was thinking the same thing when it said in the Ars article that they were not posting the link but that, at the time of writing, it wasn’t too hard to find. I didn’t even bother to search, I went and changed my Yahoo password right away. I only use Yahoo for chat (with some people I can’t convince to switch) and I never used their voice service (not even sure if it’s available in Europe; probably not) but I thought it wouldn’t hurt.

  17. Uthor says:

    I’d imagine a lot of the weak passwords come from people treating it as a throwaway account. I have tons of logins in places I don’t care about, usually registered so I could post a single comment on a webpage, that have a weak password that’s probably easy to hack.

  18. Sparrow says:

    Fortunately, I couldn’t find CorrectHorseBatteryStaple on the list, so my password is safe for now.

  19. jrs505050 says:

    I have a Yahoo account with the password as “password.” I don’t use it except for when I don’t want to use my real email.

  20. Rossi says:

    I’m gratified that Jesus is just beaten out by monkey.
