UK 'Admin' and '12345' banned from being used as passwords in UK crackdown on cyber attacks - LMAO


'Admin' and '12345' banned from being used as passwords in UK crackdown on cyber attacks

From today, new laws in the UK aim to make it tougher for cyber attacks to succeed and increase consumer confidence in the security of the products they use and buy.

Common and easily guessed passwords like "admin" or "12345" are being banned in the UK as part of world-first laws to protect against cyber attacks.

As well as default passwords, if a user suggests a common password they will be prompted to change it on creation of a new account.

It comes as a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with 2,684 attempts to guess weak passwords on five devices, according to an investigation by Which?

Password managing website NordPass found the most commonly used passwords in the UK last year were 123456 and, believe it or not, password.

The new measures come into force in the UK on Monday, making it the first country in the world to introduce the laws.

They are part of the Product Security and Telecommunications Infrastructure (PSTI) regime - designed to improve the UK's resilience from cyber attacks and ensure malign interference does not impact the wider UK and global economy.

Under the law, manufacturers of all internet-connected devices - from mobile phones, smart doorbells and even high-tech fridges - will be required to implement minimum security standards.

They will also have to publish contact details so bugs and issues can be reported and resolved and tell consumers the minimum time they can expect to receive important security updates.

UK'S 10 MOST COMMONLY USED PASSWORDS IN 2023

  • 123456
  • password
  • qwerty
  • liverpool
  • 123456789
  • arsenal
  • 12345678
  • 12345
  • abc123
  • chelsea

"As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater," science and technology minister Viscount Camrose said.

"From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals... We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world."

According to recent figures, 99% of UK adults own at least one smart device and UK households own an average of nine connected devices.
 
In the IT field, it has been said "You cannot make a fool-proof system, God just makes better fools."

Laziness and naivety are the #1 cause of getting hacked/doxxed in the first place. An unironic good solution to this would be to have a class in public schooling that teaches you the dangers of the Internet and tech in general, but that is something corpos do not want because it would create more people who'd use adblock and in turn make them support anonymity online.

Passwords are getting ridiculous though. They keep lengthening the required characters, demanding more numbers and characters, denying you passwords for arbitrary reasons ("Sorry, this does not meet the requirements but we won't tell you why!"). And more and more are now two factor.

I understand security, but no human can remember 16 individual passwords with 8-12 characters, a number, capitals, lowercase, and a special character and on top of it be expected to have them all be different and change them every 90 days. It basically forces you to write them down on a piece of paper, which is hardly secure, or demands you use some sort of password service. I had it out with my IT dept at work the other day because we have 5 separate passwords and I could just no longer remember all the iterations I'd used and needed everything reset.

I have one hotel points app where every single time I log on it's two factor but only email is an option. Just to look at my points or book a room I have to click the app, put in a password, open my email app, and click a link. It's really annoying.

And try to explain that to an IT person who lives this and thinks it's great and normal.
And that's because IT people are versed in L33T5p3ak. Whereas your normie never makes the connection whatsoever to do the same with passwords. Also, part of the reason why companies beef up their online security for customer services is to reduce liabilities for themselves.

Agreed though that it's annoying as Hell and you will need to jot down your password eventually. Personally I use Photoshop for my password saving needs in case some hidden program decides to scrub my texts for useable information.
 
I do a lot of "mash letters, remove the easy ones to screw up caps/lowercase, caps a few, add ] or ^ or something easily spotted and number" for my real passwords and just have a big text file with them
at work we have some stuff that uses admin/admin but they're instances where you have to be in the physical building to use them, so there's bigger problems if some rando has broken in and is up to something
 
This is great news! It means I have job security, you can't breed out this sort of retardation. As long as there are humans, I will have a job.
 
I think they're comparing hashes. While you can't get the original password from a hash, you can feed a list of suspected common password into the hash algo (assuming it's not salted with extra random info) and compare the hashes you get to the stored ones.
This would work but we use bcrypt a lot of the time now which is encryption not a hash, and even if using a hash it should be either salted or peppered which ought to prevent easy comparison. Either at scale for salts or at all for peppers.

But we have a user in this thread named @my password is in bcrypt so I'm surprised I'm the first to say this.

It sounds like the headline is misleading though and this is about preventing companies from using a standard password on mass-sold devices.

EDIT: An anecdote and slight PL. I was at a conference where someone was illustrating how easy it was to find vulnerable accounts in a leaked database by searching for md5s of popular passwords. I told him: "Run a hash of 'CorrectHorseBatteryStaple'." He gave me a WTF look and I said "do it!" and repeated exactly the phrase. Lo and behold, and of no news to cynics anywhere, there were lots. Showing there is no dumber person than the one who thinks they're smart.
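The hash-comparison point above, as an added example that is not part of any post in this thread: a signup denylist built from the top-10 list quoted in the article, an unsalted MD5 store beside a per-user-salted PBKDF2 store (a stdlib stand-in for the bcrypt mentioned here), and the audit a defender can run over a legacy unsalted store to find accounts that need a reset. The usernames and passwords are constructed sample data, and the 13-character minimum is the figure one poster reports reaching.

```python
import hashlib
import os
from collections import Counter

# Constructed denylist: the top-10 list quoted in the thread plus the two
# defaults the article names ("admin", "12345").
COMMON_PASSWORDS = {"123456", "password", "qwerty", "liverpool", "123456789",
                    "arsenal", "12345678", "12345", "abc123", "chelsea", "admin"}
MIN_LENGTH = 13  # "long is strong" policy; assumed figure taken from the thread


def normalise(password: str) -> str:
    """Lower-case and drop non-alphanumerics so 'Liverpool' or '#12345' still match."""
    return "".join(ch for ch in password.lower() if ch.isalnum())


def is_banned(password: str) -> bool:
    """True if the password should be refused at account creation."""
    return normalise(password) in COMMON_PASSWORDS or len(password) < MIN_LENGTH


def unsalted_store(users: dict) -> dict:
    """Legacy-style store: one bare MD5 per password, the pattern the thread criticises."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users: dict) -> dict:
    """Per-user random salt plus a slow KDF (PBKDF2 as a stand-in for bcrypt).
    Equal passwords produce different records, so nothing can be matched in bulk."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, 200_000)
        out[u] = f"{salt.hex()}${digest.hex()}"
    return out


def shared_record_users(store: dict) -> int:
    """Accounts whose stored record is identical to another account's (0 when salted)."""
    counts = Counter(store.values())
    return sum(1 for rec in store.values() if counts[rec] > 1)


def audit_unsalted(store: dict) -> set:
    """Defender's audit of a legacy store: accounts whose MD5 equals a denylisted password.
    Note it only catches exact matches, unlike the normalised signup check."""
    lookup = {hashlib.md5(p.encode()).hexdigest() for p in COMMON_PASSWORDS}
    return {u for u, d in store.items() if d in lookup}


# Constructed sample accounts (not real data).
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "Liverpool",
                "dave": "TreeBlueDogJumpFoal"}
```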
 
bcrypt can be reversed, it's just a lot more resource-intensive and slower than trying to reverse a simpler algorithm with more issues like MD5; the salt's a part of the actual hash for bcrypt. Hashing passwords usually doesn't do TOO much to prevent passwords from being leaked though, most bcrypt databases have 20-40% of passwords successfully cracked where MD5 usually has 90+%, and this is for people running entire databases through hashcat, not people targeting 1 specific password.

I just think up random shit like TreeBlueDogJumpFoal which would take, literally, trillions of years for a computer to crack (https://www.security.org/how-secure-is-my-password/) . That and two factor authentication I think is secure enough for anything that isn't a national security issue.
Trillions of years for a computer to crack if it doesn't accidentally generate the correct password first try, or the next try, or the next try.
 
Literally 1984. I'll make the company's financial portfolio password whatever I WANT, KAREN!
 
Just use a password manager. There are many local ones that don't require you to use a third party """service""".
Spoken like an IT guy. How about I don't want to jump through another hoop?

They'll just use "aadmin" and "#12345".

Been trying to get Plant Operators to use decent passwords for years, and have had some success (13 characters up from 4) but they will use the laziest passwords possible.
No offense, but I hate you.

There's this battle between IT guys who look down on us dumb proles for not caring about security, which is their job, and us normies who don't live and breathe tech every day. It's like an arms race to create more and more convoluted rules.

I've even tried using phrases with a number, but you still have to change them every few months and suddenly you mix it up and whoops. I also found a bunch of the phrases I used, despite being a sentence with numbers and special characters, were denied as "Too Easily Guessable" by one particular system. I do think a lot of systems forbid offensive words and phrases.

And there's probably realistically like 50 things in my day to day I need pins and passwords for.

In a few years they probably will just mandate password managers, but you'll still need several because "This system or company doesn't recognize X Manager as secure enough." And then the password managers start getting hacked...
 
There's this battle between IT guys who look down on us dumb proles for not caring about security,
I take your point. I'll also take this opportunity to point out I too hate IT people, and I'm OT. Not IT. I'm fighting a constant battle with commercial IT creeping into industrial spaces, aided none by the staggering faggotry known as the Department of Homeland Security that think all IT ills can be solved by throwing things in the cloud.

Having said that, I can't allow operators of critical municipal infrastructure to use a 4 digit pin to secure control of laboratory-grade sodium hypochlorite dosing controls. I can not. I will not.

As a halfway meeting point, I do not enforce retarded special/upper case/number rules for the various customer sites I oversee. The general policy is "long is strong".
 
"nigger nigger nigger pussy fuck you eat my shit you suck 0 dicks live it with." is much harder for an automated system to crack than "21941A)@($&^!(%U(.".
 
I do legit wonder if throwing gamer words in will be part of the future of defeating AI attacks since they'll be lobotomized to be PC
 
I don't think password cracking software will be lobotomized ever. Quotes from Shakespeare will not occur to an average script kiddie and are easy to remember for you. To be extra-secure, write your password on a piece of paper like Eccles and teach it to your grandma who is a reliable password recovery system in case you lose it or your paper.
 
If I were conspiracy minded, which I'm usually not, I would make one up about how passwords becoming more common, required and onerous are a plot by the government to soften us up for a government sanctioned online ID system. Because even if there is no conspiracy pushing us that way on purpose, it's happening naturally.
This is literally what the "4th Industrial Revolution" and cashless society is all meant for btw. Tony Blair and his institute does consulting for governance and development in shithole countries where they hook them up to Western services, finance and infrastructure to add them to the dragnet his backers use to spy on everyone.
"Governments and the private sector should act now to take advantage of this critical and exciting window of opportunity to bring about the One Shot vision and accelerate digital health more widely. Below, we set out key actions that leaders can take to sustain and advance investments they have already made in digital health during the pandemic. Some of these recommendations are specific to digital health for adult vaccinations and injectables, and others are applicable to digital health in general. (For ease of reference, we have marked with an asterisk those recommendations that are not specific to adult vaccinations and injectables). That said, we recommend undertaking all these actions with a focus on adult vaccinations, injectables and associated health-system capabilities, specifically because of the significant levels of investment in this area over the past three years and the ongoing political momentum to roll out these types of products.
 

Escalation is a concern though. If we mandate super strong security everywhere then criminals will become motivated to crack it. It’s better to have low hanging fruit they can feast on while the smart people keep their shit locked up with a reasonably priced key.

It’s like how having an alarm on your car in the 90s made it safe from theft. Now every common thief knows how to disable them.
 