Most common passwords list from 3 databases (jimmyr.com)
58 points by Anon84 on March 29, 2009 | hide | past | favorite | 40 comments


The passwords say a lot about each site's userbase.

singles.org users commonly use passwords with religious meaning, like "jesus", "pastor", and so on. Apparently this is a site that appeals to the religious folks.

phpBB has things like "phpbb" and "password". Their forums force people to create an account they don't want, so they pick a dumb password. (I had to ask a phpbb question once. I think I used 1234 as my password.)

Finally, Myspace is Myspace, and has commonly-occurring gems like "poop" and "nigger1". Ah, high school kids...


I just use the same username and password for all sites I don't care about that much. That way if I ever come back again I can just log in easily, and the process of signing up is so familiar I could do it in my sleep.

No, the real issue is password questions. "What is your mother's maiden name?" "In what city were you born?" Those always seem like a security hole, so I choose a random question and just remember that the answer to all my security questions is "the landed gentry". That's fairly secure, right?


Yeah, I especially like the sites that ask you to make your own security question. Mine is always, "what is your password?"


That's what my XP hint did, and my password contains an accented character (áéíóú/ÁÉÍÓÚ) as I noticed password breakers tend not to use these characters by default, but a lot of programs and services accept them. To say just hitting 'Alt Gr' can prevent any password breaker, I thought it was a pretty good safety measure.


I hope that's not actually the answer you use...


"On Feb 21 2009 it was discovered that singles.org, a christian dating network, did not have any security at all."

Some of the other ones are puzzling. "trustno1" is from the X-Files, but does anyone know where "letmein" came from?


let-me-in


I got that, but is there something that made that a popular password? It seems like too much of a coincidence that so many people use it.


I don't think it's a reference to anything, simply that you're saying to the computer "let me in!"


I'm not sure, but I think it was a movie or something.


It's better to use 123456 at unimportant sites than re-using your e-trade password. Simple good sense.


I have recently started generating all my passwords using a Markov chain script I wrote in Python. They're much more secure and, since they sound very similar to English words, easier to remember than, say, &&364e7forty-two88()l.


I started writing words backwards (among other things). Not as secure but I don't hit myself when cookies expire.


I've been a fan of geometric shapes on the keyboard and number pad.


I knew a guy that didn't even know his password explicitly, all was just a pattern of finger movements stored in muscle memory.


"Don't forget God. System operators love to use God. It's that whole male ego thing."


Haha Hackers...and when you break into a computer system it goes all 3-D too right?


Or for stricter passwords: IamGod (6 characters), IamG0d (characters and numbers), or 1@m&0D (Probably not the best attempt, but you get my point).


Why aren't these sites storing salted hashes? Plain text passwords are bad news...


Where did you get that impression? Not from the linked-to article, from my reading of it.


If a site is storing hashed passwords with salts, you generally don't know what the user's password is and you can't unhash them to find out.


Right, and what does that have to do with this article about lists obtained by phishing and the like?


My mistake, I thought these passwords came straight from the databases.


Good thing that...heh...my password is totally...um...not on that list.....


Yup, I'm also lucky that poiuyt is not on that list.


Might be an interesting white-hat idea to have a service that gets into a social network and spiders out, collecting thousands of user names. Then attempt library login attempts. In the event they are successful, the service contacts the user and warns them that they have a weak password.

Unfortunately this is so similar to standard phishing attacks that I'm afraid the good would be offset by the bad of reinforcing the user behavior that it's ok to click through on 3rd party notices like this.


This is also likely illegal (as in: jail-time illegal). Talk to a lawyer before implementing anything like this.


Oh, those silly pious folks and their predictable passwords. Jesus may save, but he certainly doesn't protect very well.


Yeah, thanks to those bad passwords I can totally compromise 100s of accounts! Then I will... uh... oh wait, there is no value in doing that.

The best protection is not a good password. It's having something that's not worth stealing.


Out of interest does anyone attempt to warn their users when they attempt to use a common/easily guessed password?

At the moment all I do is insist on a minimum length but it doesn't seem as though it would be all that difficult to add checks for common passwords.


I like how some people go the extra length, using "12345678" instead of "123456".


Having a closer look at the list shows that password rules like "alpha + numericals" don't add much security in real world scenarios: in approx. 95% of cases people seem to add one or two digits at the end of a string.
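The two comments above (adding a common-password check at signup, and the observation that most users just append one or two digits) suggest a simple defensive check. This is an added example, not code from the thread or from any site it mentions; the password set is a constructed handful of entries the thread discusses, and the minimum length is an assumed value.

```python
import re

# Constructed sample: a few entries the thread talks about. A real deployment
# would load a full list (one password per line) from disk instead.
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "letmein", "qwerty",
    "trustno1", "jesus", "phpbb", "1234", "poiuyt",
}

# Undo the most common character substitutions so "p@ssw0rd" is compared as
# "password". Longer keys than values would be a bug: both strings are 6 chars.
LEET = str.maketrans("0143$@", "oiaesa")

# Matches the one-or-two trailing digits the thread says ~95% of people add.
TRAILING_DIGITS = re.compile(r"\d{1,2}$")


def candidates(password):
    """Return the forms of `password` worth checking against the list.

    Order matters: the raw lowercase form comes first so that an exact hit
    (e.g. "trustno1") is reported before a normalized one.
    """
    base = password.lower()
    seen = []
    for form in (base, TRAILING_DIGITS.sub("", base)):
        for variant in (form, form.translate(LEET)):
            if variant and variant not in seen:
                seen.append(variant)
    return seen


def weak_password_reason(password, min_length=8, common=COMMON_PASSWORDS):
    """Return a human-readable rejection reason, or None if the password passes.

    min_length=8 is an assumed policy value, not one from the thread.
    """
    if len(password) < min_length:
        return "too short"
    for cand in candidates(password):
        if cand in common:
            return f"too close to common password '{cand}'"
    return None


if __name__ == "__main__":
    for pw in ("password1", "P@ssw0rd12", "trustno1", "IamG0d",
               "correct horse battery staple"):
        print(f"{pw!r}: {weak_password_reason(pw) or 'ok'}")
```

Reporting the matched base word back to the user is what turns a bare rejection into a useful hint about why "password12" is not a real improvement over "password".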


I don't like password requirements - they restrict the number of possibilities, and for crackers who know the restrictions it makes life a lot easier for them.


Clearly the way to go is to append the number '3' to your password ;)


What the heck is "rotimi"?


Rotimi is a Nigerian given name. Perhaps it reflects a large number of Nigerian scammers?


I dunno, seems weird. 163k hits on google? Doesn't even seem like a particularly common Nigerian name. And there aren't many other given names on the list.


Until I read this, I always wondered why the keyboard was called QWERTY. As soon as I saw it on the list, I instantly realized the reason. I feel ignorant.


'volcom1'? (#39 on myspace)

Interesting.


You gotta be kidding . . .
