Funny thing at work, I was handling some legacy users - we need to make sure that on the next login, if they have a weak password, they have to change it.
So the whole day I’m typing “123” as a password, 123 123 123 123 all good. So finally I’m done and now I’m testing it, and accidentally I type 1234 instead of just 123. Doesn’t really matter, either is “weak”, so I just click “Login”.
Then goes Chrome, “1234 is known as a weak password, found in breaches, you should change it”.
So TIL 123 is still good.
1234? That’s amazing! I have the same combination on my luggage!
123456? That’s amazing! I have the same combination on my luggage!
6969 ftw
If you’re looking to see how strong a password really is, check it here.
“The roman numerals in your password should multiply to 35.” Ah crap.
Today’s wordle answer killed me
The best move in algebraic chess notation killed me. Maybe some day I will beat this game dammit!
I gave up after the atomic numbers must add up to 200
It’s:
Arrow
Tip: Make it ‘Narrow’ so you also have an atomic symbol (Na)
Just get a V and a VII in there
Weird that it asks for your email before you can test your password
/s
NEAL.FUN*ThePasswordGame1 is a good password.
Nice try…trying to steal my passwords…
Where I work, the infra folks are way overworked. Getting them to do things is impossible given their existing todo list. And when you do get them to do something (by throwing managers at them) they half-ass it.
(I’m not blaming them. I blame the managers. It is frustrating though. Anyway.)
And as a result, there’s one system that I use frequently that they set up, but cut corners and never hooked it up to our single sign-on solution. And so in order to get into this system, everyone has to use a shared username/password. “readonly:readonly”. And every time I log in, my browser nags me about the known weak password.
So, is the account actually read-only?
I’m not sure I’ve ever tried to do any write operations. I’m honestly not even sure the service behind that login page offers any write operations. I might have to check sometime. I’m curious.
No, only the password is.
Everyone post your favorite strong password!
hunter2
I only see ******* ?
hunter2
it doesn’t look like *s to me
Correct house stapler battery
Horse*
Nono, that would be unsafe
I always go with password2 cuz everyone throws a fit about password1 being insecure.
hunter2
3bitswalkintoabarandoneflips
No upper case or special chars? Kinky!
How am I supposed to remember those?
On word boundaries? But that would be way too predictable!
At one point I realised I need to input some Czech-specific characters on a French AZERTY keyboard.
Yeah, I gave up.
What if you made all of the uppercase?
Bananabananabananaterracottabananaterracottaterracottapie
Vicinity of obscenity in your eyes
Longing. Rusted. Seventeen. Daybreak. Furnace. Nine. Benign. Homecoming. One. Freight car.
Correct.staple.horse.battery
Chuck Norris
You kid but Zxcvbn deems it an OK enough password (3/4):
https://www.youtube.com/watch?v=QpLx_2YiA7Q my personal favorites
asd
Spiderman1, favorite since I was 10
travesty1$urged3$Lofty$Suggest$2doric$altitude3$napping5$herman$1Discuss$alton2$tripe0$Energize$Lumber$yank2$console7
How does the system know that an already-established password is weak if not in plain text? Or are you saying you have a set of passwords, each of which has gone through the same cipher algorithm, and see if there are any matches?
On browser side implementations or extensions, they can see the input into the form field. As for plain text, generally sites will send the plaintext password over HTTPS when logging in, and it’s the server side which hashes/salts, and compares to the value in the DB. Sites can reject or inform users of bad passwords this way, generally when changing the password. Cloudflare does offer a product to do this for sites to add warnings to the user if the credentials were found in a breach. More information on that here: https://blog.cloudflare.com/privacy-preserving-compromised-credential-checking/
You would have the plaintext password at login time based on the users input. I’m guessing that’s why it happens at login time rather than proactively asking people to update their passwords.
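The login-time check described in the replies above, as an added example that is not part of the original thread or anyone's production code: the server verifies the submitted password against the salted hash, and only then compares the plaintext it was just handed against a weak-password list. The names `WEAK_PASSWORDS`, `make_user` and `login`, the PBKDF2 parameters and the sample list are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample list; a real deployment would load a breach corpus instead.
WEAK_PASSWORDS = {"123", "1234", "123456", "readonly", "password1"}


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: this is all the database ever stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(name: str, password: str) -> dict:
    # Hypothetical user record with a per-user random salt.
    salt = os.urandom(16)
    return {
        "name": name,
        "salt": salt,
        "hash": hash_password(password, salt),
        "must_change": False,
    }


def login(user: dict, submitted: str) -> str:
    candidate = hash_password(submitted, user["salt"])
    # Constant-time comparison against the stored hash.
    if not hmac.compare_digest(candidate, user["hash"]):
        return "denied"
    # The plaintext is only available here, during a successful login.
    # Checking after verification means failed guesses learn nothing
    # about whether the guess was on the weak list.
    if submitted in WEAK_PASSWORDS:
        user["must_change"] = True
        return "change_required"
    return "ok"


if __name__ == "__main__":
    legacy = make_user("legacy", "1234")
    other = make_user("other", "1234")
    # Same password, different salts: the stored hashes do not match,
    # so the stored values cannot be compared directly against one pre-hashed weak list.
    print(legacy["hash"] != other["hash"])
    print(login(legacy, "123"), login(legacy, "1234"), legacy["must_change"])
```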
I bet that 1234 is used more often because of the 4-character minimum, like PIN codes on debit cards. It’s 4 characters so it’s safe. 123, on the other hand, is not safe, because it is 3 characters. /s
My solar inverter admin interface has a certain 4-digit password. So I wanted to change it to secure it, and found out that it only allows 4-digit passwords. Luckily the access point can be set up with a higher entropy password though (it is constantly advertised and had a very “secure” 8-digit password by default, I think you can guess which one)
55378008?
So my luggage is still safe.
My guess would be that the password checking feature has a minimum character limit of 4 characters, to avoid false positives on things that aren’t actually passwords.