You'll never guess what the most common passwords are. Oh, wait, yes you will
- Reference: 1762437605
- News link: https://www.theregister.co.uk/2025/11/06/most_common_passwords/
Tech advice website Comparitech on Thursday [1]published the 100 most common passwords based on a deep dive into more than two billion passwords leaked on breach forums in 2025.
The three mentioned above all finish in the top ten, along with assorted ascending digit runs (123456 and its longer variants).
Of course, no list of common passwords would be complete without such innovations as Aa123456, the sixth most common entry on the list, or the radically different Aa@123456, which came in at the 13th position. Keyboard walks along the top row, qwerty and its longer siblings, were also common entries. Spice them up with a few numbers, like 1q2w3e4r, and you have yourself another popular combination.
Funnily enough, gin - yes, just straight gin - was the 29th most popular entry, while the slightly more distinctive, but clearly still popular, India@123 ranked 53rd. In a nod to Gen-Z, minecraft (lowercase "m"), the title of the popular Microsoft voxel building sandbox game, rounded out the top 100, appearing 69,464 times in a list of two billion passwords.
What does all this mean? According to Comparitech, it's "a showcase of human laziness" when it comes to staying safe online.
A full quarter of the passwords on the list, the study found, consisted solely of numbers, which makes them trivial to guess: a digits-only password has just ten possibilities per character, so even an eight-digit one offers only 100 million combinations, a fraction of a second's work for an offline cracker. Thirty-eight percent specifically contained the string 123, and another two percent included the inverse, 321.
"Modern password cracking programs make short work of weak passwords," the site said in what's surely [6]not a shocker to El Reg readers. "Common passwords are easily guessed. Short passwords are easily brute-forced."
The longer the better - and mixing it up doesn't hurt, either
So what's a user, or administrator responsible for ensuring users have good passwords, to do?
First and foremost, consider [8]passkeys, which replace the password with a cryptographic credential unlocked by a device biometric or PIN, taking guessable secrets out of the picture entirely. If that's not possible, there's always a nice, long passphrase - depending on [9]who you ask, those are preferable to a password full of random numbers and letters since they're longer, easier to remember, and theoretically harder to crack.
And size does matter.
"No matter who you ask, the most important factor is length. Length is more important than complexity and randomness," Comparitech consumer privacy advocate Paul Bischoff told us in an email.
Of course, adding a random character into a long passphrase doesn't hurt either, Bischoff noted - so instead of "icantbelievewerestilltellingyouthis," try "icantbelivewerestilltellingy0uthis." One caveat: digit-for-letter swaps such as 0 for o are in every password cracker's rule set, so a single substitution buys a few extra bits at most. The length, and how hard the phrase itself is to guess, are what do the real work.
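To put numbers on the "length beats complexity" claim, here is an added worked example (not code from the article or from Comparitech) that scores a password under the two models a cracker actually uses: brute force over the character classes present, and dictionary enumeration of word lists with leet-substitution rules. The guess rates, the 10,000-word dictionary size and the sample passwords other than those quoted in the article are assumptions for the illustration.

```python
import math
import string

# Attacker-speed assumptions for this illustration (not figures from the
# article): an offline attack on a stolen hash file, where the guess rate is
# set by the hash function, since no login lockout applies.
FAST_HASH_RATE = 1e11   # assumed: unsalted MD5/NTLM/SHA-1 on a multi-GPU rig
SLOW_HASH_RATE = 1e4    # assumed: bcrypt/Argon2 at a sensible work factor

CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]
LEET_TARGETS = set("oieast")   # letters the usual 0/1/3/4/5/7 swaps replace


def brute_force_bits(password: str) -> float:
    """Work to enumerate every string of this length over the character
    classes actually present. This is the 'complexity' model composition
    rules optimise for; note it grows linearly with length but only
    logarithmically with alphabet size."""
    alphabet = sum(size for chars, size in CHARACTER_CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


def dictionary_bits(word_count: int, dictionary_size: int,
                    leet_positions: int = 0) -> float:
    """Work for a cracker who knows the secret is word_count words from a
    dictionary_size-word list, plus leet_positions letters that may or may
    not have been swapped for a digit. Each swappable position doubles the
    candidate set, which is exactly what a cracker's leet rule enumerates.
    Random word choice is assumed; a natural sentence has less entropy."""
    return word_count * math.log2(dictionary_size) + leet_positions


def blocklisted_bits(rank: int) -> float:
    """A password at position `rank` on a top-N list costs the attacker
    about log2(rank) guesses, whatever its length or character mix."""
    return math.log2(rank)


def leet_positions(phrase: str) -> int:
    """How many letters in the phrase a leet rule would try swapping."""
    return sum(1 for c in phrase if c in LEET_TARGETS)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: the whole space at the given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def report(label: str, bits: float) -> str:
    return (f"{label:<50} {bits:6.1f} bits  "
            f"fast hash: {years_to_exhaust(bits, FAST_HASH_RATE):10.3g} yr  "
            f"slow hash: {years_to_exhaust(bits, SLOW_HASH_RATE):10.3g} yr")


if __name__ == "__main__":
    phrase = "icantbelievewerestilltellingyouthis"
    print(report("Aa@123456 treated as a random 9-char string",
                 brute_force_bits("Aa@123456")))
    print(report("Aa@123456 at its actual rank (13) on the list",
                 blocklisted_bits(13)))
    print(report("8 random chars, all four classes ('Xk9#mQ2!')",
                 brute_force_bits("Xk9#mQ2!")))
    print(report(f"{len(phrase)} lowercase chars, brute force",
                 brute_force_bits(phrase)))
    print(report("8 random words from a 10,000-word list",
                 dictionary_bits(8, 10_000)))
    print(report("same, with leet swaps the attacker enumerates",
                 dictionary_bits(8, 10_000, leet_positions(phrase))))
    print(report("4 random words from a 2,048-word list (xkcd 936)",
                 dictionary_bits(4, 2048)))
```

The blocklist line is the one that matters most: Aa@123456 looks like a 59-bit secret to a brute-force model, but sits at rank 13 on the list, so it falls in under four bits of work. The passphrase rows show why length wins even against a dictionary-aware attacker, and why the leet swap adds only a handful of bits on top.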
[10]What the Plex? Streaming service suffers yet another password spill
[11]With millions upon millions of victims, scale of unstoppable info-stealer malware laid bare
[12]No, eight characters, some capital letters and numbers is not a good password policy
[13]Samsung admits Galaxy devices can leak passwords through clipboard wormhole
Using gibberish passwords and relying on a password manager is still better than qwerty123, of course, and Bischoff says that goes for browser-based password management, too. You're still taking matters into your own hands, of course, as Chrome updates [14]have been known to break Google Password Manager, and password manager apps aren't [15]100 percent secure either.
Whatever you do, don't let yourself be caught with a password on Comparitech's list, and if it's your responsibility to set password complexity rules, make sure you're setting good ones.
When enterprise environments don't enforce good password requirements, users are more likely to slack off on setting a solid one, Bischoff explained.
"The most secure passwords will be set by the users who have the strictest password requirements," the privacy advocate added. ®
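For the administrator who owns the complexity rules, here is an added example (not the article's or Comparitech's code) of what a modern policy check looks like: a length floor, a breach-derived blocklist checked after normalising away the tricks crackers already model (case, spaces, a trailing year-and-bang, leet swaps), and rejection of keyboard walks and digit runs, with no composition rules at all. The 15-character floor, the tiny inline blocklist and the sample candidates are assumptions for the illustration; a real deployment loads a full corpus such as Have I Been Pwned's Pwned Passwords.

```python
import re
import string
import unicodedata

# Policy assumptions for this example (not rules from the article): a NIST
# SP 800-63B style policy, i.e. a length floor and a breach-derived
# blocklist, with no composition rules and no forced rotation.
MIN_LENGTH = 15   # assumed floor for a password used without a second factor

# Constructed stand-in for a real blocklist: the entries the article quotes
# plus a few the comments mention.
RAW_BLOCKLIST = {
    "123456", "password", "qwerty", "aa123456", "aa@123456", "1q2w3e4r",
    "india@123", "gin", "minecraft", "hunter2", "correcthorsebatterystaple",
    "november2025!", "welcome", "letmein", "admin",
}

# Digit/symbol-for-letter swaps that every cracking rule set already tries.
LEET = str.maketrans("013457$@", "oieastsa")
# Runs along these rows are what 'qwerty', 'asdfgh', '1234' and 'abcd' are.
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
            string.ascii_lowercase]


def normalize(pw: str) -> str:
    """Collapse the cheap variations a cracker enumerates for free: case,
    whitespace, a trailing 'year plus bang', and leet swaps, so that
    'Welcome2024!' and 'India@123' hit 'welcome' and 'india' on the list."""
    s = re.sub(r"\s+", "", unicodedata.normalize("NFKC", pw).lower())
    stripped = re.sub(r"[\d\W_]+$", "", s)
    # An all-digit password strips to nothing; keep it as-is in that case.
    return stripped.translate(LEET) if stripped else s


BLOCKLIST = RAW_BLOCKLIST | {normalize(p) for p in RAW_BLOCKLIST}


def walk_residual(pw: str) -> str:
    """Delete every run of four or more characters that walks a keyboard
    row, the digits or the alphabet in either direction. Whatever is left
    is the part a pattern-aware cracker cannot shortcut. (zxcvbn does this
    properly with an adjacency graph; this is the row approximation.)"""
    s = pw.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            for length in range(len(seq), 3, -1):
                for start in range(len(seq) - length + 1):
                    s = s.replace(seq[start:start + length], "")
    return s


def check_password(pw: str, username: str = "") -> list:
    """Return the reasons to reject pw; an empty list means accept."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        problems.append("digits only")
    elif len(walk_residual(pw)) < 4:
        problems.append("keyboard walk or sequence")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if pw.lower() in BLOCKLIST or normalize(pw) in BLOCKLIST:
        problems.append("on the common-password blocklist")
    return problems


if __name__ == "__main__":
    samples = [("123456", ""), ("Aa@123456", ""), ("India@123", ""),
               ("Welcome2024!", ""), ("qwerty123", ""),
               ("correct horse battery staple", ""),
               ("jsmith is a lovely chap", "jsmith"),
               ("icantbelivewerestilltellingy0uthis", "")]
    for candidate, user in samples:
        verdict = check_password(candidate, user)
        print(f"{candidate!r:40} {'OK' if not verdict else '; '.join(verdict)}")
```

Two design points. The blocklist is matched on the normalised form as well as the raw one, so the monthly-rotation classics from the comments ("November2025!", "Welcome2024!") are caught as the word they really are. And there is no "must contain a symbol" rule: the long all-lowercase passphrase passes on length alone, which is the behaviour that stops users reaching for asdfgh123!.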
[1] https://www.comparitech.com/news/minecraft-qwerty-and-india123-among-2025s-most-common-passwords-report/
[6] https://www.theregister.com/2024/05/10/ncsc_entry_code/
[8] https://www.theregister.com/2024/12/18/microsoft_passkey_push/
[9] https://xkcd.com/936/
[10] https://www.theregister.com/2025/09/09/plex_breach/
[11] https://www.theregister.com/2025/02/26/hibp_adds_giant_infostealer_trove/
[12] https://www.theregister.com/2018/08/28/bad_passwords_never_go_out_of_fashion/
[13] https://www.theregister.com/2025/04/28/security_news_in_brief/
[14] https://www.theregister.com/2024/07/29/google_password_manager_outage/
[15] https://www.theregister.com/2022/12/23/lastpass_attack_update/
Re: How many systems allow unlimited login attempts?
Limiting login attempts doesn't help when someone has broken into a system and stolen a hashed password file. You can have as many goes as you like to match the hash, and then use the result to login.
Re: How many systems allow unlimited login attempts?
True, but 'broken into a system and stolen a hashed password file' is quite an unusual threat model: if they've broken into the system and exfiltrated something that sensitive, which is generally protected by default much better than people protect important user files, then they've already got enough access to the system that worrying about them pretending to be users is the least of your concerns.
Re: broken into a system and stolen a hashed password file.
I notice you avoided the point about implementing the ISO standard for authentication?
Re: How many systems allow unlimited login attempts?
My password is Hunter2.
As you can see, when I type Hunter2, you just see *******. That's because I use the latest in SHA-256 fast-hashing software built into a browser add-on that automatically detects when I type any password (including Hunter2) and turns it into *******
That's why I can type Hunter2 as many times as I like and you can't see it.
Hunter2
Hunter2
Hunter2
See?
I would use very long passphrases, if not for the fact that almost all systems demand numbers, mixed case and punctuation at the very least, and some of them have a max password length.
My preference is car number plates, once in lower case & once with the shift key down. It helps that a) I mostly work with full sized keyboards and b) am a raging petrolhead with a gift for remembering car registrations going back decades so don't need to use my current car. Also means I can leave myself a postit note with just "blue maxi" or "white 504 estate" on my monitor and it's still pretty secure.
I used to use a job ref (similar in complexity to a car reg plate) for the monthly password, then kept a piece of printout of it on my desk.
@ J P
Except not if you're reusing that password on multiple sites and just one of them gets breached.
That is the correcthorsebatterystaple response.
Mixed case is simple - the first letter will be a capital. Oh yeah, that adds zero entropy. In the same way as people adding !1 at the end is so predictable that it doesn't really add anything.
Password rules make for weaker passwords
Mixed case, numbers, symbols, but cannot contain some symbols and no spaces, and must change every month?
Fine: "November2025!" is good for this month.
When will people understand that allowing for a long passphrase with spaces and NOT FORCING CHANGES is the way to have good passwords?
Re: Password rules make for weaker passwords
I particularly like
What could possibly be wrong with this?!
In effect it is as strong as MyPassword#, but if you are going to force me to change password every month, not allow me a password manager on my corporate system and not allow me to write it down, then I have to have some strategy for remembering it, or I will frequently be resetting the password.
Re: Password rules make for weaker passwords
Bandname, album, year of release.
Make & model of vehicle & year of manufacture.
UK railway stations.
Special characters substituting regular letters; at renewal time I just change where I press the shift key, as it's all largely muscle memory.
TFL
I created an account on the Transport for London web site today. It only allows letters and digits in the password, no symbols, not even punctuation.
-A.
Most Popular Password : 123456
Seriously, how difficult is it to add an extra digit, such as 1234567?
People are so lazy nowadays.
Re: Most Popular Password : 123456
Come on, everywhere requires 8 characters and punctuation: 1234567!
Re: Most Popular Password : 123456
I thought the correct 8 character password was:
SnowWhiteandthe7Dwarves
Re: Most Popular Password : 123456
How did you get on my wifi?
Re: Most Popular Password : 123456
i2EA567
Still harping over forum passwords
Forum passwords, often enough with a "Register to read this thread!" requirement, where we the user don't want the account, wish we didn't have to create it at all, and when it *inevitably* leaks, others are harping over just-how-bad those passwords are. Glad they didn't leak my *real* passwords!
Let's face it. These password breaches mostly aren't for things that people care about. People being users or admins. Forums, single-use accounts, throw-aways, etc etc.
With the odd idiot who makes their work password 1234Five, but those are the exceptions.
Where's the breakdown of "Type system from which passwords were leaked" ? Or, "Systems having password hashing, password salting, and separate password storage from data storage"?
Re: Still harping over forum passwords
This is indeed very true. If I have to register to do something stupid and one-time, I usually enter a throwaway email and an idiotic password. And who cares if it gets leaked.
Re: Still harping over forum passwords
Good for a techy user.
What proportion of normal users would even think of this let alone implement it.
Wherever possible avoid giving the user the opportunity to screw up. They will, of course, still screw up, just less frequently.
Seems the Louvre's password was 'Louvre', except for their Thalys systems, which was 'Thalys'.
Well, that still needed a forklift truck to be broken...
So that's 2 factor authentication ?
An easy password but the keypad is out of reach
Forcing regular change is counterintuitive
There's a site I use for work, they force a password change every 60 days.
If that isn't bad enough, I only use the site once a term, so I have to change the password every single time I use the website, and I can't use any previous passwords.
I imagine most people just type something random into the password box, then use the forgotten password routine when they log in again 120 days later...
Re: Forcing regular change is counterintuitive
I left one company, with my current password set to
But then, I usually use Safari generated passwords for websites. One turned out to have been used in a breach. So I know one company that most definitely stored my password as clear text.
Re: Forcing regular change is counterintuitive
Or they used reversible encryption, alongside the encryption key. While they might have been idiots, they might simply have been stupid.
Password fatigue
every **** thing requires logins and complicated passwords and password managers do not really help because, if you don't have the password manager handy, you are out of luck.
I have mixed feelings for 2FA with OTP that require an internet connection with the phone.
Sometimes theoretical higher security turns into actual lower security. Force me to write a long passphrase and let me be; the requirement for symbols, numbers etc. is often the reason users pick asdfgh123! as a secure password.
Re: Password fatigue
So, I run my own password manager; it's a commercial one, and it's the free version. I also modified the tomcat configuration to require a client certificate. This means you can't actually connect to it, and I can reach it from anywhere.
a random character
"icantbelievewerestilltellingyouthis,"
"icantbelivewerestilltellingy0uthis,"
which of the two changes were you referring to?
Re: a random character
"icantbelieveitsnotbutter" - We were told that this password was discussed in the Australian parliament!
--------> Mine's the one covered in a suspiciously yellow, slippery substance!
Where are they getting the passwords from?
They say "Comparitech researchers aggregated more than 2 billion real account passwords leaked on data breach forums in 2025". Surely this means that large numbers of systems are still storing passwords in plain text rather than salted/peppered hashes? Is that not the news story, rather than "people are using weak passwords"?
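The comment above and the earlier one about stolen hash files make the same point from two sides: once the password table is in the attacker's hands, no lockout applies, and a fast hash is barely better than plaintext for anything on a common-password list. The following is an added example (not the article's, Comparitech's or any commenter's code) that builds a constructed dump of four users under three storage schemes and runs the same offline wordlist attack against each. The usernames, the fourth user's passphrase and the PBKDF2 round count are assumptions; the wordlist entries are the ones the article quotes.

```python
import hashlib
import os
import time

# Constructed wordlist: the entries the article quotes, in the form a cracker
# would load them from the Comparitech top 100.
WORDLIST = ["123456", "qwerty", "Aa123456", "Aa@123456", "1q2w3e4r",
            "gin", "India@123", "minecraft"]

# Constructed user table. The plaintexts exist only to build the fake dump;
# three are on the list, one is not.
USERS = [("alice", "123456"), ("bob", "India@123"), ("carol", "minecraft"),
         ("dave", "icantbelivewerestilltellingy0uthis")]


def fast_hash(password: str, salt: bytes) -> str:
    """A single SHA-256 round, as a naive site might store it. Cheap for the
    site and just as cheap for the attacker: billions per second on a GPU."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a work factor: each guess now costs `rounds`
    hash computations. bcrypt, scrypt or Argon2 are the production choices;
    PBKDF2 is used here because it ships in the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_dump(users, hasher, salted=True):
    """The stolen table: one (username, salt, hash) row per user."""
    dump = []
    for user, password in users:
        salt = os.urandom(16) if salted else b""
        dump.append((user, salt, hasher(password, salt)))
    return dump


def crack_unsalted(dump, wordlist, hasher):
    """Without a salt, hash each candidate once and look every user up in
    the table: the cost is len(wordlist) hashes however many users leaked."""
    table = {hasher(cand, b""): cand for cand in wordlist}
    recovered = {user: table[digest] for user, _, digest in dump
                 if digest in table}
    return recovered, len(wordlist)


def crack_salted(dump, wordlist, hasher):
    """With a per-user salt the work multiplies by the number of users, but
    nothing rate-limits it: every guess is a local hash, not a login."""
    recovered, guesses = {}, 0
    for user, salt, digest in dump:
        for cand in wordlist:
            guesses += 1
            if hasher(cand, salt) == digest:
                recovered[user] = cand
                break
    return recovered, guesses


def run_all():
    """Crack the same users under three storage schemes; returns the results
    keyed by scheme so the caller can inspect them."""
    results = {}
    schemes = [("sha256, unsalted", fast_hash, False),
               ("sha256, salted", fast_hash, True),
               ("pbkdf2 100k rounds, salted", slow_hash, True)]
    for name, hasher, salted in schemes:
        dump = make_dump(USERS, hasher, salted)
        crack = crack_salted if salted else crack_unsalted
        start = time.perf_counter()
        recovered, guesses = crack(dump, WORDLIST, hasher)
        results[name] = (recovered, guesses, time.perf_counter() - start)
    return results


if __name__ == "__main__":
    for name, (recovered, guesses, seconds) in run_all().items():
        print(f"{name:28} {guesses:3} guesses, {seconds * 1000:8.1f} ms, "
              f"recovered {sorted(recovered)}")
```

All three schemes give up alice, bob and carol; dave survives in every case because his passphrase is not on the list, not because of the hash. What changes is the attacker's bill: the salt forces one hash per user per candidate instead of one per candidate, and the work factor multiplies each of those by a hundred thousand. That is the difference between a leak of fast hashes being equivalent to plaintext for every password on the list and it being merely bad.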
India@123
India all out for 123 against England.
England@789
Re: India@123
England beating India? That never happens.
What about username?
Why can't more sites allow logins with non-email usernames? Yes, folks get frustrated by name collisions (I sure do), but my email address is far from secret. About the only place I get to make my username is at financial sites. And I make my usernames as obscure as allowed when given the chance.
I figure it can't hurt to use as many pieces of furniture as I can to block the door.
Re: What about username?
Seconded; even worse, I've got one where I ended up having to set up a second email address for myself just to log in to a support site.
We have an ERP system for one group company, no problem with my main email address for the support site.
We then implemented the same ERP at another group company but with the financials from the same provider. For no reason I could see they couldn't add the financials package onto my original support account so I had no choice but to set up a new one, and it has to be a live email address. It suited me slightly to keep things separate so easy enough to set up a group mailbox but I can see that in a larger environment it might have caused problems.
So now I have to log in to the support with the correct email address depending which company I'm dealing with at the time.
Re: What about username?
Even more annoying are the sites that require an email for the username ..... and then tell me that I have not entered a valid email address! The most annoying being my local council.
I have a domain in the .email TLD, and generate a unique email address for each site that I login to. That way if I start getting spammed I know who lost or handed out the email address.
But I occasionally run across sites that say that
123456
That's amazing. I've got the same combination on my luggage.
Re: 123456
Hail Skroob!
These are the most commonly leaked passwords, not the most common passwords.
A strong password that was used as often as 12345678 wouldn't make the list, because it is leaked less often.
Doesn't matter how strong the password is if the database it's stored in gets hacked.
TL;DR, you're wrong.
I like the sites that review your password and refuse to accept it because it is too simple; it wouldn't take much effort to add a database of the top 500 common passwords and blacklist them. I get peeved when a site won't let my password manager use a 16 character password that contains uppercase, lowercase, numerical and special characters and then I have to tell the password manager to dumb it down.
Yes, my password manager password is a lonnnggggg passphrase, but it's muscle memory now and I change it every so often.
"Correct horse battery staple" and variations don't appear in Comparitech's top 100 but they're common enough that they're best avoided.
One of my gripes is that a lot of sites encourage people to register so they can capture personal information and ultimately use it for advertising. Some news sites (present company excepted) are particularly bad for this. Being able to track demographics and page views down to an individual level might be nice to have for the ad tech industry but it can have consequences if it makes people use insecure passwords or could be stolen.
Avoid plain biometrics
In the Sci-Fi novel "One of us" the point is made that a plain biometric for a passcode is a very, very bad idea. The book plot starts with a small-time criminal suddenly discovering that his bank account is empty and he is effectively penniless. He asks a local fence for a loan, and instead receives a finger.
This is the severed finger of someone with no family and few friends, detached from its original (sadly deceased) owner and attached to a small life support device. Quick, untraceable money for as long as the owner's death remains undiscovered because in this book banks are stupid and allow pure biometric ID.
xkcd
According to this (and I have no idea if it's correct) we're all doing it wrong
https://xkcd.com/936/
Not bothered
I sometimes use 'drowssap' against the more tiresome websites.
How many systems allow unlimited login attempts?
Which would mitigate a lot of risk.
Come to that, how many systems are there that don't implement the ISO standard for authentication?