News: 0180131403


Gen Z Officially Worse At Passwords Than 80-Year-Olds (theregister.com)

(Tuesday November 18, 2025 @10:30PM (BeauHD) from the would-you-look-at-that dept.)


A NordPass analysis found that Gen Z is actually [1]worse at password security than older generations, with "12345" topping their list while "123456" dominates among everyone else. The Register reports:

> And while there were a few more "skibidis" among the Zoomer dataset compared to those who came before them, the trends were largely similar. Variants on the "123456" were among the most common for all age groups, with that exact string proving to be the most common among all users -- the sixth time in seven years it holds the undesirable crown.

>

> Some of the more adventurous would stretch to "1234567," while budding cryptologists shored up their accounts by adding an 8 or even a 9 to the mix. However, according to [2]Security.org's password security checker, a computer could crack any of these instantly. Most attackers would not even need to expend the resources required to reveal the password, given how commonly used they are. They could just spray a list of known passwords at an authentication API and secure a quick win.



[1] https://www.theregister.com/2025/11/18/zoomer_passwords/

[2] http://security.org/



That's amazing (Score:2)

by LindleyF ( 9395567 )

I've got the same combination on my luggage!

Re: That's amazing (Score:2)

by devslash0 ( 4203435 )

That's the point, I think. All Gen Z have to hide is their emotional baggage.

Re: (Score:2)

by mcfatboy93 ( 1363705 )

There are likely single digit people in Gen-Z who get that reference, unless their parents are massive nerds.

Re: That's amazing (Score:2)

by LindleyF ( 9395567 )

I'm disappointed in /. today.

Re:Password Managers and OS's need to check these (Score:4, Interesting)

by PsychoSlashDot ( 207849 )

> And insult the user constantly calling them an idiot in every way imaginable, Loudly, and intrusively every time they use it!

I don't think I'd mind if important sites went:

Requirements are a minimum of ten characters containing two of blah blah categories of characters, AND IT CAN'T BE STUPID.

Then checked against a list of the top couple thousand well-known passwords and just said "no".

But maybe there's a good reason to not do that. Dunno. Designing security isn't my job.
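The check described in the comment above (ten characters minimum, two character categories, then a common-password list), sketched as an added example that is not part of the original post. The blocklist entries, the leetspeak table, and all function names are constructed for illustration; a real list would hold a few thousand entries.

```python
import unicodedata

# Constructed sample blocklist (assumption): stands in for a list of the
# top few thousand well-known passwords.
BLOCKLIST = {"password", "123456", "qwerty", "skibidi", "letmein", "iloveyou"}
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})
MIN_LENGTH, MIN_CATEGORIES = 10, 2
ASC, DESC = "01234567890123456789", "98765432109876543210"


def categories(pw):
    """Count character categories present: lower, upper, digit, other."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def normalize(pw):
    """Fold case and Unicode compatibility forms so 'PASSWORD' == 'password'."""
    return unicodedata.normalize("NFKC", pw).casefold()


def is_sequence(s):
    """True for pure digit runs such as 12345 or 987654."""
    return len(s) >= 4 and s.isdigit() and (s in ASC or s in DESC)


def candidates(base):
    """Variants to test: as typed, with trailing digits/punctuation removed,
    and with common character substitutions undone."""
    stripped = base.rstrip("0123456789!.?")
    return {base, stripped, base.translate(LEET), stripped.translate(LEET)}


def check_password(pw):
    """Return rejection reasons; an empty list means the password is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if categories(pw) < MIN_CATEGORIES:
        reasons.append("too few character categories")
    base = normalize(pw)
    if is_sequence(base) or candidates(base) & BLOCKLIST:
        reasons.append("too common")
    return reasons
```

Note that "P@ssw0rd2025!" and "Skibidi12345" pass the length and category rules and are rejected only by the list lookup on their normalized forms.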

Are we back in the '90s? (Score:3)

by cusco ( 717999 )

I remember a story on Slashdot from around the turn of the century, an audit of servers at the Pentagon found that the most common Admin password was Password, the second-most common was P@ssw0rd.

At my first real IT job in 1996 if you knew the birthdate of the children of 4/5 of the users you knew their password. I wasn't allowed to insist on a change in the user training.

No need for security (Score:3)

by RossCWilliams ( 5513152 )

I suspect many/most/all of us have accounts that have no need for security. There is no reason someone would try to use the account and no consequences for us if they do.

Re: (Score:3)

by ClueHammer ( 6261830 )

I strongly disagree with the idea that some accounts “don’t need security.” Attackers don’t care whether an account seems unimportant; they target anything weak because everything is automated. A compromised “low-value” account can still be used to send spam, spread malware, impersonate you, or post junk that gets you banned. The real danger is password reuse: once an attacker gets a password from a trivial site, they immediately try it on your email, cloud accounts, bank

iPhone Unavailable - try again in 1 minute (Score:2)

by Powercntrl ( 458442 )

> They could just spray a list of known passwords at an authentication API and secure a quick win.

This is why anyone with half a brain rate limits failed password attempts and then locks the account after too many failures. If your code allows an attacker to just hammer the authentication API, you suck as a programmer and should feel bad.
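A sketch of the rate limiting and lockout this comment refers to, as an added example that is not part of the original post. It keeps sliding-window failure counters per account and per source address, because a spray of one guess per account never reaches a per-account threshold. The class, the limits, and the replayed traffic are all constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counters keyed by account and by source address."""

    def __init__(self, per_account=5, per_source=10, window=900):
        self.limits = {"account": per_account, "source": per_source}
        self.window = window                  # seconds
        self.failures = defaultdict(deque)    # (kind, key) -> failure timestamps

    def _count(self, kind, key, now):
        q = self.failures[(kind, key)]
        while q and q[0] <= now - self.window:
            q.popleft()                       # drop failures older than the window
        return len(q)

    def allowed(self, account, source, now):
        """Call before verifying the password; blocked attempts are never verified."""
        return (self._count("account", account, now) < self.limits["account"]
                and self._count("source", source, now) < self.limits["source"])

    def record_failure(self, account, source, now):
        self.failures[("account", account)].append(now)
        self.failures[("source", source)].append(now)

    def record_success(self, account):
        # Only the account counter resets; the source counter keeps its history.
        self.failures.pop(("account", account), None)


def replay(events, throttle):
    """Replay (time, account, source, ok) events; return how many were verified."""
    verified = 0
    for now, account, source, ok in events:
        if not throttle.allowed(account, source, now):
            continue
        verified += 1
        if ok:
            throttle.record_success(account)
        else:
            throttle.record_failure(account, source, now)
    return verified


# Constructed traffic from one documentation-range address, one attempt per second.
HAMMER = [(t, "alice", "198.51.100.7", False) for t in range(40)]    # one account
SPRAY = [(t, f"user{t}", "198.51.100.7", False) for t in range(40)]  # one guess each
```

With the default limits, the single-account run is cut off after 5 attempts and the spray after 10; with the per-source limit effectively disabled, all 40 spray attempts reach password verification.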

Re: iPhone Unavailable - try again in 1 minute (Score:2)

by devslash0 ( 4203435 )

What are you on about? As far as I know, iPhones auto disable the device after 10 attempts by default.

Besides, you're talking about password attempts like you've only just done Cybersecurity 101 at uni. What you said is common knowledge/practice. Stop getting so excited about it, Captain Obvious.

Re: (Score:3)

by Powercntrl ( 458442 )

I realize not reading the article is something of a /. tradition, but I've literally quoted part of the summary where they're pretending that nothing is done to mitigate brute-force attacks (which as you rightfully pointed out, has been recognized as a threat for as long as there has been an infosec industry).

I wouldn't be wearing my captain obvious hat if the article hasn't pretended that brute force attacks are some kind of scary new threat, of which there is absolutely no defense besides making your passwo

Re:iPhone Unavailable - try again in 1 minute (Score:4, Insightful)

by jenningsthecat ( 1525947 )

> If your code allows an attacker to just hammer the authentication API, you suck as a programmer and should feel bad.

If your code allows an attacker to just hammer the authentication API, you suck as a programmer and should be fired. FTFY. ;-)

I'm not even a programmer, but if I was tasked with working on authentication I'd make finding a way to limit failed attempts a high priority.

Re: (Score:1)

by roman_mir ( 125474 )

If you are a programmer and you are given clear instructions on what is expected, then yes. If you are a programmer and you are not given clear instructions, then no. However if you are technical lead/architect then you really should be responsible for it.

OTOH if you are a programmer and you raise these concerns then you are on your way to become a technical lead/architect.

In my systems I insist we keep a database table of various common passwords (tens of thousands of these) and we do not allow people us

Which passwords. (Score:5, Insightful)

by gurps_npc ( 621217 )

There is a difference between your Bank account password and your Slashdot password. I am perfectly willing to use 123456 as my slashdot password. I don't, but I am willing to use it. But my bank accounts now use two factor authentication.

Frankly, there are a ton of services that ask for a password for the benefit of the SERVICE, not for you. They want their metadata on you to be clean, rather than caring about your privacy.

If the study did not ask what the passwords were for, then the study proved nothing.

Re: (Score:1)

by Anonymous Coward

> I am perfectly willing to use 123456 as my slashdot password. I don't, but I am willing to use it.

Go on then. Change it now.

You won't will you...

I wonder why...

Re: (Score:2)

by gurps_npc ( 621217 )

I won't because I do not give a crap if someone hacks my Slashdot account.

Re: (Score:2)

by redelm ( 54142 )

The most probable answer is: passwds stored in plaintext on the few systems they were able to get /etc/passwd. Only horribly insecure systems. Do you imagine they deSALTd /etc/passwd? Asking people or otherwise surveying will produce unquantifiable error as respondents should lie.

Re: (Score:2)

by Retired Chemist ( 5039029 )

You are assuming that these people use password managers and do not use 123456 for its password.

Re: (Score:1)

by jason4jas ( 10468937 )

Obviously 1234567 is a terrible password for a password manager. You have to add different types of characters like mine: Hunter2!

Why would you care? (Score:5, Interesting)

by ThumpBzztZoom ( 6976422 )

This is proof that too many sites and apps require passwords, not necessarily that they don't understand security. Some don't, obviously, but if it's something I don't care about that I'm not storing a credit card number on, I really don't care if it gets hacked. Stores that I know I'm buying one thing from once, message boards that require a login to download some technical data, and other sites that have insignificant consequences for me if someone impersonates me, none of these deserve better.

My bank account password is secure, and it's not saved anywhere but my head. Email, social media, stores I frequently use, they get good passwords. Not worth worrying about the rest.

Methodology? (Score:5, Insightful)

by 93 Escort Wagon ( 326346 )

Clicking through a few levels, it appears this is based on an analysis of stolen password dumps. It does not say whether they took steps to limit their analysis just to passwords grabbed in bulk as part of data breaches - so, if brute-forced passwords make up a meaningful percentage of the total, it's possible their overall counts are biased and inflated.

Where are five character passwords allowed? (Score:2)

by erice ( 13380 )

I'm surprised they found so many "12345" passwords. Not because it is a dumb password. It doesn't surprise me at all that people would try to use a password like that. It surprises me that, in an age when even useless logins require eight characters including mixed case, a number, and a special, that there were enough systems to allow all numeric five character passwords for "12345" to be popular.

Password requirements (Score:2)

by bradgoodman ( 964302 )

Stop mandating password requirements for things I don't care about with rules so obscure I will never want to remember them. Support passkeys instead.

hah! idiots! (Score:2)

by cas2000 ( 148703 )

They don't know that the ultimate secret password is 0451. Nobody will ever guess that.

Skibidi12345 (Score:1)

by Tablizer ( 95088 )

in!
