UK 'Admin' and '12345' banned from being used as passwords in UK crackdown on cyber attacks - LMAO


'Admin' and '12345' banned from being used as passwords in UK crackdown on cyber attacks

From today, new laws in the UK aim to make it tougher for cyber attacks to succeed and increase consumer confidence in the security of the products they use and buy.

Common and easily guessed passwords like "admin" or "12345" are being banned in the UK as part of world-first laws to protect against cyber attacks.

As well as default passwords, if a user suggests a common password they will be prompted to change it on creation of a new account.

It comes as a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with 2,684 attempts to guess weak passwords on five devices, according to an investigation by Which?

Password managing website NordPass found the most commonly used passwords in the UK last year were 123456 and, believe it or not, password.

The new measures come into force in the UK on Monday, making it the first country in the world to introduce the laws.

They are part of the Product Security and Telecommunications Infrastructure (PSTI) regime - designed to improve the UK's resilience from cyber attacks and ensure malign interference does not impact the wider UK and global economy.

Under the law, manufacturers of all internet-connected devices - from mobile phones, smart doorbells and even high-tech fridges - will be required to implement minimum security standards.

They will also have to publish contact details so bugs and issues can be reported and resolved and tell consumers the minimum time they can expect to receive important security updates.

UK'S 10 MOST COMMONLY USED PASSWORDS IN 2023

  • 123456
  • password
  • qwerty
  • liverpool
  • 123456789
  • arsenal
  • 12345678
  • 12345
  • abc123
  • chelsea

"As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater," science and technology minister Viscount Camrose said.

"From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals... We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world."

According to recent figures, 99% of UK adults own at least one smart device and UK households own an average of nine connected devices.
 
> It basically forces you to write them down on a piece of paper, which is hardly secure,
It's the password paradox. As a password becomes more secure, so do the odds that the user will simply write it in a post it note and stick it to the monitor, thereby rendering the password completely useless. So as it gets more secure, it gets less secure.

We have this in our office. One of the machines has a password that consists of an insane maelstrom of numbers, letters, symbols, capital and lowercase, etc. As a result, IT printed us out a handy cheat sheet that has the password on it because they knew nobody would remember it. So they make a password that no human could remember, then immediately defeat it by printing it out. It's baffling behavior.
 
> I had it out with my IT dept at work the other day because we have 5 separate passwords and I could just no longer remember all the iterations I'd used and needed everything reset.
Memorize random sequences of letters, numbers, and other characters each morning and then recite them by day's end. Start out with two and then move onto greater and greater combinations. After half a year you won't be bothered by any password no matter how long.
 
The real question is, how do they know about all these passwords? System admins aren't supposed to see your passwords, they're supposed to store a hash and have a button to reset it if needed. Password manager software shouldn't keep it in cleartext, it should store it encrypted and only show the cleartext when the user requests it. How does the central company, NordPass, know all these passwords of its customers?

This article should have been impossible to write. The fact that all of this is known is a major security issue in itself.
 
I think they're comparing hashes. While you can't get the original password from a hash, you can feed a list of suspected common passwords into the hash algo (assuming it's not salted with extra random info) and compare the hashes you get to the stored ones.

They'll just use "aadmin" and "#12345".
And unless the researchers are trying every close variation of every common password, they would have no idea if similar versions are being used widely, because the hash of even a nearly identical password would look unrecognizably different.
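The two points above in working code, added here as an illustration and not taken from the thread or any quoted source: screening a new password against the article's top-ten list (the "prompted to change it" rule), why the hash-comparison survey only works on unsalted hashes and only for exact strings (so "#12345" goes unrecognised), and what per-user salted hashing changes. The blocklist contents, sample passwords and PBKDF2 parameters are my own choices.

```python
import hashlib
import hmac
import os

# Constructed blocklist: the ten entries the article lists for 2023.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "liverpool", "123456789",
    "arsenal", "12345678", "12345", "abc123", "chelsea",
}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the salted scheme


def is_blocklisted(candidate: str) -> bool:
    """Verifier-side check at account creation; case-insensitive exact match."""
    return candidate.lower() in COMMON_PASSWORDS


def unsalted_hash(password: str) -> str:
    """Plain SHA-256, the storage scheme the hash-comparison survey relies on."""
    return hashlib.sha256(password.encode()).hexdigest()


def match_unsalted(stored_hashes: set[str]) -> dict[str, str]:
    """Map each stored unsalted hash back to the blocklist entry that produced it.
    Only exact strings match: a variant like '#12345' hashes to something unrelated."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {h: table[h] for h in stored_hashes if h in table}


def store_salted(password: str) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-user salt: the same password gives a
    different digest for every user, so a precomputed table of common hashes is useless."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(calc, digest)


if __name__ == "__main__":
    # Constructed sample of three stored unsalted hashes.
    stored = {unsalted_hash(p) for p in ("123456", "#12345", "correct horse battery")}
    print(match_unsalted(stored))  # only the hash of "123456" is recognised
    salt, digest = store_salted("123456")
    print(verify_salted("123456", salt, digest), verify_salted("12345", salt, digest))
```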
 
Just use a password manager. There are many local ones that don't require you to use a third party """service""".
And definitely use one of those, not some piece of shit service like LastPass. They were a great service, but they were bought by some other company that didn't even salt their stored hashes, and ALL of it got leaked.
 
This is just a shittily written article from Sky. The important bit is in the subheading From today, new laws in the UK aim to make it tougher for cyber attacks to succeed and increase consumer confidence in the security of the products they use and buy but they ignore that in the rest of the article. What this law says is that if you buy any device that comes with internet connection, be that a TV, fridge, baby monitor, security camera, or the like, then the manufacturer can't just churn out millions of the same items all with a simple default password and a small footnote in the manual advising you to change it. No-one cares if your KF password is 123456, or if you re-use the same password here, on mumsnet and on pornhub.
 
> They'll just use "aadmin" and "#12345".

Been trying to get Plant Operators to use decent passwords for years, and have had some success (13 characters up from 4) but they will use the laziest passwords possible.
The simple solution for me is phrases separated by numbers:

Britain02Sucks94Sweaty55Cock1488
You only need to remember the numbers because the phrase is easy.
 
Agreed, and this is what I preach, though I recommend phrases from books, movies or TV.

"i shit all over myself because im the best in the sector" is unironically an ironclad password.
I do something similar, I just translate some easy to remember phrases into leetspeak.
 
> be expected to have them all be different and change them every 90 days
NIST guidance has been not to force password changes unless there's a known leak for almost a decade now, anyone still doing so is a retard and should be told so as often as possible.
5.1.1.2 Memorized Secret Verifiers

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

A better law would be to force companies to allow passwords of a decent length, like 32-64 characters (even 16 would be good; I know some banks that limit you to 8), and to force them to stop using SMS for two factor. They could also drop the hammer on places that store credentials unencrypted or cell phone companies that allow improperly verified SIM swaps, but that might actually be helpful and not whatever this is.
 
You know...when I see shit like this I am less confused about why we are where we find ourselves.

People are fucking stupid.
 
at least my kiwifarms password can still be kiwifarms

Passwords are getting ridiculous though. They keep lengthening the required characters, demanding more numbers and characters, denying you passwords for arbitrary reasons ("Sorry, this does not meet the requirements but we won't tell you why!"). And more and more are now two factor.

I understand security, but no human can remember 16 individual passwords with 8-12 characters, a number, capitals, lowercase, and a special character and on top of it be expected to have them all be different and change them every 90 days. It basically forces you to write them down on a piece of paper, which is hardly secure, or demands you use some sort of password service. I had it out with my IT dept at work the other day because we have 5 separate passwords and I could just no longer remember all the iterations I'd used and needed everything reset.

I have one hotel points app where every single time I log on it's two factor but only email is an option. Just to look at my points or book a room I have to click the app, put in a password, open my email app, and click a link. It's really annoying.

And try to explain that to an IT person who lives this and thinks it's great and normal.
Sadly cybersecurity really is needed. There's people literally everywhere looking for vulnerabilities in your security; all it would take is one website to get hacked (which happens A LOT, all websites are vulnerable to attacks in some way) and you reusing one password for all your shit to get stolen. This is why password managers exist, it really isn't that complicated & annoying.
The days of 2005 where you could have the password faggot on your email and not get hacked is way over
 
This deepens my belief that most victims of 'cyberattacks' are just retarded easy targets.
Pretty much. There are entire lists of easy to guess passwords floating around anyone can download and run on a brute force application.

Null mentioned a while back that the best passwords are quotes you can easily remember because depending on their length, it can take a brute force attack hundreds of years to crack. Another way is to set a lockout policy on your computer that locks your shit down after so many failed attempts.
 
> This deepens my belief that most victims of 'cyberattacks' are just retarded easy targets.
Reusing passwords is really common, databases can be leaked privately before you even have a chance to change your stuff, even just password rules are really common, so many people just add an exclamation mark or do small changes which could theoretically be enough to make your password not easily "guessable" but a program could easily find that shit. Even though this can be easily prevented it's not, and I bet there's a good 99% chance you've reused passwords before.
 
> It's the password paradox. As a password becomes more secure, so do the odds that the user will simply write it in a post it note and stick it to the monitor, thereby rendering the password completely useless. So as it gets more secure, it gets less secure.
>
> We have this in our office. One of the machines has a password that consists of an insane maelstrom of numbers, letters, symbols, capital and lowercase, etc. As a result, IT printed us out a handy cheat sheet that has the password on it because they knew nobody would remember it. So they make a password that no human could remember, then immediately defeat it by printing it out. It's baffling behavior.
But the nefarious outside "hackers" can't crack it, so management is happy and feeling safe. Never mind that most hacking is just social manipulation to get info.

> Null mentioned a while back that the best passwords are quotes you can easily remember because depending on their length, it can take a brute force attack hundreds of years to crack. Another way is to set a lockout policy on your computer that locks your shit down after so many failed attempts.
I had a university professor whose password was some variation of "fucktechsupport" because they would force everyone to change passwords every 6 months or so.

Me personally, I find that Battletech mechs make good passwords. For example Awsome-8Q hits all the popular mandatory requirements for a password: uppercase, lowercase, number, special character, and longer than 8 characters. Mix it in with an extra key word or numbers that are important to you and you have a solid, easy to remember password.
 