5 common password mistakes you should avoid

Password recycling or using easy-to-guess passwords are just two common mistakes you may be making when protecting your digital accounts

Typing in a password to access one of the tens or hundreds of services that we use has become such an everyday part of our lives that we rarely give it a second thought. Quite often we try to keep our passwords simple and easy to remember so we can move quickly past logging in and get on with what matters. That is just one of the many mistakes we make when it comes to something that we rely on to secure a part of our digital identity.

Since today is World Password Day, there is no better occasion than now to look at the five most common mistakes that you may be making when it comes to passwords.

Password recycling

One of the most common and prevalent mistakes is password recycling. The problem often starts with the creation of the password itself. More often than not, people create passwords that are easy to remember, which usually means that they are short and simple, although now most services have requirements for a minimum length and the types of characters that must be included.

Once we have memorized the password and then sign up for another service, and another, and another, we don’t want to have to remember another one, and another one, and another one, so we reuse the password we have already committed to memory. According to a Google survey, 52% of respondents reuse the same password for multiple accounts, while a surprising 13% use the same password for all their accounts. Substituting letters for numbers or lower case for upper case and vice versa is also considered password recycling, although some might consider it to be a slight improvement.

The gravest problem with password recycling is that it opens you up to credential stuffing. That is an account takeover attack that leverages bots to hammer sites with login attempts using stolen access credentials from data breaches at other sites until they stumble upon the right combination of new site and “old” credentials. As you can see, diversifying your passwords is in your best interest.

Creating simple passwords

As we have already mentioned, a lot of the problems begin when the passwords are created. Simple ones tend to lead the pack. You may have seen the movie Wrongfully Accused, where Leslie Nielsen attempts to hack a computer by guessing the login credentials, which simply turn out to be Login and Password.

If you think that in real life people are more careful about their choice of passwords, sadly you would be wrong. An annually compiled list shows that when it comes to passwords, people make questionable choices, with 12345 and password ranking in the top five most popular passwords.

Aside from simple patterns and obvious words, a frequent mistake you may be making when creating passwords is incorporating details from your personal life that can be easily guessed or found. Six in ten US adults have incorporated a name (theirs, their spouse’s, children’s or pet’s name) or a birthday into their passwords.

Switching to a strong passphrase is preferable to using a password. Two-factor authentication (2FA) should also be activated wherever possible, since it adds an extra layer of security against various types of attacks aimed at revealing your login credentials.

Storing passwords in plain text

Another oft-occurring mistake is writing down our passwords. This takes two forms: jotting them down on paper or sticky notes, or saving them in spreadsheets or text documents on our computers or smartphones. In the case of the former: unless the bad actor wants to add breaking and entering onto their record, there is no way to access it.


That’s not to say that you should write them down or have them just lying about; if you actually do (but don’t!), they should be more like hints that help you remember, and should be stored in a place safe from prying eyes. In the case of storing them on your devices, you have a series of challenges to contend with. If attackers break into your device and rummage through it, they will have access, with little to no effort, to a whole trove of sensitive data, including the passwords you stored in plain text.

Alternatively, if your device gets compromised by malware that copies your data and sends them to a remote server, a bad actor can access all of your accounts before you have a chance to notice. Or, in some cases, they can just go through your device with a fine-toothed comb to see if they can find any exploitable data on it, including the file with the passwords. It suffices to say that storing passwords in plain text on any connected device is a bad idea.

Sharing passwords

“Sharing is caring” does apply to a lot of areas in life, but passwords are an exception. Yet some would beg to differ, like the 43% of US respondents who admitted to sharing their passwords in the past with someone else. Those included passwords to streaming services, email accounts, social media accounts, and even online shopping accounts. Over half of them said they shared their password with their significant others. While sharing a password to a streaming service account is a widespread phenomenon, it is less dangerous than the rest of the mentioned choices.

Once you share your password with someone else, the security of your account plummets dangerously, since you’ve lost your tight grip on it. You cannot be sure how it will be handled and if the person you trusted with it won’t share it with someone else. A lot rides on how you shared the password: did you type it in for them into your account and save it? Or did you perhaps send it to them by email or through an instant messaging app in plain text form? In the case of the latter, you are at the mercy of their discretion and you have to hope that their devices are secure, since we have discussed the implications of saving a password in plain text form in the previous section.

Another important thing to remember is that if you shared your password for any communication platforms you use, the people you shared it with can wreak havoc on your relationships, be it business or personal, since they can now log in under your identity. If you shared your credentials for any of your online shopping platforms and your payment methods are saved, then the party you shared with can easily rack up a bill on your credit card, which you may live to regret. Even if the person you’re sharing your credentials with is your spouse, keeping all of your eggs in one basket is ill-advised.

Changing passwords periodically (without giving it much thought)

Some organizations force their users to change their passwords every two or three months “for security reasons”. But contrary to popular belief, changing your password regularly – without evidence of a password breach – doesn’t automatically make your account more secure or harder to hack.

Carnegie Mellon computer science Professor Lorrie Cranor says that research shows that when people are forced to change their passwords frequently, they do not put a lot of thought into it. In addition, researchers at the University of North Carolina (UNC) found that users would lean towards creating passwords that followed predictable patterns that they call “transformations”. Professor Cranor lists some examples: “such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).” She went on to add that she heard of examples where users would include the month and on some occasions the year of the password change as an easy fix to remember these frequent changes.

This makes it quite easy for attackers to do their job since, as the UNC researchers have shown, once they know one password, they can guess the next one with little effort. It is also worth noting that once cybercriminals gain access to your device, they can install a keylogger that will allow them to keep track of your passwords whenever you change them. Of course, if you have a reputable endpoint security solution installed on your device, there’s a far greater chance that the keylogger will be detected and defanged.

Summary

Creating a password that works for you may seem like a daunting task, but there are multiple ways to go about making it easier for yourself. As we’ve mentioned before, creating a passphrase is preferable to a simple password, and adding an extra layer of security by activating 2FA where available should be second nature. If you find remembering all of the unique passwords you’ve come up with tedious, then a password manager could be the answer to your needs: that way you’ll have to remember just one password, but make sure it is one that follows the good advice we’ve given you above.



Amer Owaida


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Microsoft: 99.9 percent of hacked accounts didn’t use MFA

Only 11 percent of all enterprise accounts have multi-factor authentication enabled

More than 99.9 percent of Microsoft enterprise accounts that get invaded by attackers didn’t use multi-factor authentication (MFA). This stark, though not entirely surprising, finding comes from a presentation that Alex Weinert, the tech giant’s Director of Identity Security, delivered at the RSA 2020 security conference in San Francisco in late February. Overall, only 11 percent of Microsoft enterprise accounts had MFA enabled.

According to Microsoft, an average of 0.5 percent of all accounts is breached every month; in January of this year, this was equivalent to more than 1.2 million accounts. “If you have an organization of 10,000 users, 50 of them are going to be compromised this month,” said Weinert.

The break-ins were facilitated by two factors. First, applications using old email protocols that don’t support MFA, such as SMTP, IMAP and POP, were left without it. The second factor involved people’s poor password hygiene, specifically their penchant for extremely simple passwords and for reusing their passwords across multiple accounts, both company and private.


Around 480,000 compromised accounts, which represents some 40 percent of the total, fell victim to password spraying. Using this automated method, attackers test some of the most commonly used passwords to see if they work for breaking into large numbers of other accounts.

And work they do, with Weinert noting that password spraying attacks opened the door to 1 percent of the accounts against which they were deployed in January. On average, attackers would try around 15 passwords.

Roughly the same number of accounts fell victim to password replay attacks, also known as breach replay attacks. In these cases, ne’er-do-wells leverage lists of credentials spilled in data incidents and try out the same login combinations at other services.

Almost all password spraying and password replay attacks took aim at common legacy authentication protocols – 99.7 percent and 97 percent, respectively. The probability of a compromise surged to 7.2 percent if SMTP was enabled, to 4.3 percent for IMAP, and to 1.6 percent for POP.
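The spraying and replay attacks described above, and the credential stuffing described in the first article, share a signature a defender can see in sign-in logs: one source touching many accounts with only one or two attempts each, most of it arriving over the legacy protocols. The following is an added example, not Microsoft’s code; the log line format, the field names and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# The protocols the article names as unable to carry MFA.
LEGACY_PROTOCOLS = {"SMTP", "IMAP", "POP"}

# Assumed log format for this example; real identity providers emit their own schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) proto=(?P<proto>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source touching six accounts once each over IMAP (the fan-out
# shape of a spray or breach-replay run, ending in one success), one legitimate user
# mistyping twice on the web UI, and a single stray SMTP failure.
SAMPLE_LOG = """\
2020-01-14T03:12:07Z src=203.0.113.10 user=alice@example.com proto=IMAP result=FAIL
2020-01-14T03:12:08Z src=203.0.113.10 user=bob@example.com proto=IMAP result=FAIL
2020-01-14T03:12:09Z src=203.0.113.10 user=carol@example.com proto=IMAP result=FAIL
2020-01-14T03:12:10Z src=203.0.113.10 user=dave@example.com proto=IMAP result=FAIL
2020-01-14T03:12:11Z src=203.0.113.10 user=erin@example.com proto=IMAP result=OK
2020-01-14T03:12:12Z src=203.0.113.10 user=frank@example.com proto=IMAP result=FAIL
2020-01-14T08:01:00Z src=198.51.100.7 user=alice@example.com proto=WEB result=FAIL
2020-01-14T08:01:20Z src=198.51.100.7 user=alice@example.com proto=WEB result=FAIL
2020-01-14T08:01:45Z src=198.51.100.7 user=alice@example.com proto=WEB result=OK
2020-01-14T09:30:00Z src=192.0.2.44 user=bob@example.com proto=SMTP result=FAIL
"""


def parse(log_text: str) -> list:
    """Parse lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def fan_out_sources(events, min_users: int = 5, max_attempts_per_user: float = 2.0) -> dict:
    """Sources that tried many distinct accounts with few attempts each. A spray (few
    passwords, many accounts) and a breach replay (one leaked pair per account) both
    look like this, whereas a user who forgot a password hits one account many times."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_src[e["src"]][e["user"]] += 1
    flagged = {}
    for src, users in per_src.items():
        attempts = sum(users.values())
        if len(users) >= min_users and attempts / len(users) <= max_attempts_per_user:
            flagged[src] = {"accounts": len(users), "attempts": attempts}
    return flagged


def legacy_share(events) -> float:
    """Fraction of failed sign-ins that arrived over SMTP/IMAP/POP."""
    fails = [e for e in events if e["result"] == "FAIL"]
    if not fails:
        return 0.0
    return sum(e["proto"] in LEGACY_PROTOCOLS for e in fails) / len(fails)


def likely_compromised(events, flagged) -> list:
    """Accounts where a flagged source eventually got an OK: triage these first."""
    return sorted({e["user"] for e in events if e["src"] in flagged and e["result"] == "OK"})


def report(log_text: str = SAMPLE_LOG) -> dict:
    events = parse(log_text)
    flagged = fan_out_sources(events)
    return {
        "flagged_sources": flagged,
        "legacy_fail_share": legacy_share(events),
        "likely_compromised": likely_compromised(events, flagged),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```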

What are the easiest fixes? You guessed it – choosing strong and unique passphrases, enabling MFA (also commonly known as two-factor authentication), and disabling legacy protocols. According to Microsoft, the latter measure slashes the likelihood of an account takeover by two thirds.



Tomáš Foltýn



Security flaws found in popular password managers

Not all they’re cracked up to be? Several password vaults contain vulnerabilities, both new and previously disclosed but never patched, a study says

Several popular password managers contain security vulnerabilities that could be exploited to breach the walls that are supposed to keep your passwords safe, according to researchers from the University of York.

After considering a pool of 19 password managers, the academics chose to test LastPass, Dashlane, Keeper, 1Password, and RoboForm based on their popularity and features. They uncovered a total of four new vulnerabilities, including a flaw in both the 1Password and LastPass Android applications that made them susceptible to phishing attacks. The vulnerability is caused by their use of weak matching criteria for identifying which of the stored credentials should be suggested for autofill.

“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” said Dr. Siamak Shahandashti from the Department of Computer Science at the University of York. He went on to add that, in order to remedy the situation, the password vaults should add stricter matching criteria that aren’t based just on “an app’s purported package name”.

The researchers also discovered that the Android applications of both RoboForm and Dashlane are susceptible to PIN brute force attacks. This flaw allows endless attempts at entering the master PIN that may ultimately unlock the password vaults.

“Through extrapolation of manual testing, it is estimated that even a manual random guessing attack is on average expected to find a randomly selected PIN in 2.5 hours,” the researchers explained, adding that factoring in additional variables can significantly reduce the time it takes to break the PIN.
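The finding above is about the absence of any limit on master PIN attempts. The following is an added example, not any vendor’s code, of the gate a vault can put in front of the PIN check: each failure doubles the wait before the next attempt is even evaluated, and after a fixed number of failures the PIN is disabled until the master password is used. The delay schedule, the failure cap and the PBKDF2 work factor are assumptions; the clock is injectable so the behaviour can be demonstrated without sleeping.

```python
import hashlib
import hmac
import os
import time


class FakeClock:
    """Deterministic stand-in for time.monotonic() so throttling can be shown without sleeping."""

    def __init__(self, start: float = 1_000.0):
        self.t = float(start)

    def advance(self, seconds: float) -> None:
        self.t += seconds

    def __call__(self) -> float:
        return self.t


class PinGate:
    """PIN check that removes the 'endless attempts' property: each failure doubles the wait
    before the next attempt is evaluated, and after MAX_FAILURES the PIN is disabled until
    the caller re-authenticates with the master password and calls reset()."""

    MAX_FAILURES = 5
    BASE_DELAY = 2.0        # seconds after the first failure; then 4, 8, 16 (assumed values)
    ITERATIONS = 100_000    # PBKDF2 work factor (assumed value)

    def __init__(self, pin: str, clock=time.monotonic):
        self.clock = clock
        self.salt = os.urandom(16)
        self.digest = self._derive(pin)
        self.failures = 0
        self.locked_until = 0.0

    def _derive(self, pin: str) -> bytes:
        # Never store the PIN itself; a slow salted derivation also raises the cost per guess.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.ITERATIONS)

    def attempt(self, pin: str) -> str:
        """Returns 'unlocked', 'wrong', 'throttled' or 'pin_disabled'."""
        if self.failures >= self.MAX_FAILURES:
            return "pin_disabled"
        now = self.clock()
        if now < self.locked_until:
            return "throttled"      # not evaluated at all, so a guess during the wait is wasted
        if hmac.compare_digest(self._derive(pin), self.digest):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            return "pin_disabled"
        self.locked_until = now + self.BASE_DELAY * 2 ** (self.failures - 1)
        return "wrong"

    def reset(self) -> None:
        """Call only after a successful master-password unlock."""
        self.failures = 0
        self.locked_until = 0.0


def guess_success_probability(digits: int = 4, attempts: int = PinGate.MAX_FAILURES) -> float:
    """Chance that random guessing succeeds before the PIN is disabled. Without a cap the
    number of attempts is unbounded and this tends to 1, which is the reported finding."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    clock = FakeClock()
    gate = PinGate("4821", clock)
    for guess in ["0000", "0001", "0002", "0003", "0004", "4821"]:
        print(f"t={clock():7.1f} guess={guess}: {gate.attempt(guess)}")
        clock.advance(1)
    print("success probability with cap:", guess_success_probability(4))
```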

The tools’ respective vendors were duly notified about the newly discovered vulnerabilities. “Some were fixed immediately while others were deemed low priority,” said Michael Carr, the lead author of the study.

In addition, the password managers also underwent rigorous testing against six previously disclosed vulnerabilities to see if the security holes had been plugged. The test showed that all except one of the password managers were susceptible to URL mismatch, and all of them were vulnerable to Ignoring Subdomains and HTTP(S) Autofill exploits. Dashlane fared the worst, as it was vulnerable to five out of the six vulnerabilities disclosed earlier.
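The three previously disclosed weaknesses named above (URL mismatch, Ignoring Subdomains, HTTP(S) Autofill) and the package-name-only app matching all come down to how loosely a vault decides which saved credential belongs to the page or app in front of it. The following is an added example, not any vendor’s implementation, showing the loose rule beside a strict one for both web origins and Android apps; the credential records, the two-label domain approximation and the certificate digests are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WebCredential:
    origin: str       # scheme://host[:port] recorded when the password was saved
    username: str


@dataclass(frozen=True)
class AppCredential:
    package: str        # Android package name the password was saved for
    signer_sha256: str  # hex digest of the app's signing certificate, recorded at save time
    username: str


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation; real code would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def weak_url_match(cred: WebCredential, page_url: str) -> bool:
    """The loose rule: compare registrable domains only, so scheme, port and subdomain are
    ignored. Any *.example.com host, even over plain HTTP, is offered the credential
    saved for https://accounts.example.com."""
    saved_host = urlsplit(cred.origin).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    return registrable_domain(saved_host) == registrable_domain(page_host)


def _effective_port(parts):
    if parts.port is not None:
        return parts.port
    return {"https": 443, "http": 80}.get(parts.scheme)


def strict_url_match(cred: WebCredential, page_url: str) -> bool:
    """The strict rule: scheme, full host and effective port must equal the saved origin.
    A credential saved over HTTPS is therefore never offered on an HTTP page."""
    saved, page = urlsplit(cred.origin), urlsplit(page_url)
    return (saved.scheme == page.scheme
            and saved.hostname is not None
            and saved.hostname == page.hostname
            and _effective_port(saved) == _effective_port(page))


def weak_app_match(cred: AppCredential, package: str, signer_sha256: str) -> bool:
    """The flaw described for the Android apps: trust the package name the app reports."""
    return cred.package == package


def strict_app_match(cred: AppCredential, package: str, signer_sha256: str) -> bool:
    """Also require the signing certificate digest; a look-alike app can copy a package
    name but cannot reproduce the legitimate developer's signature."""
    return cred.package == package and cred.signer_sha256.lower() == signer_sha256.lower()


def autofill_candidates(creds, page_url: str, matcher=strict_url_match) -> list:
    """Credentials the vault would offer on page_url under the given matching rule."""
    return [c for c in creds if matcher(c, page_url)]


# Constructed sample data: one saved web login, one saved app login, two fake digests.
BANK = WebCredential("https://accounts.example.com", "alice")
GENUINE_SIGNER = "aa" * 32    # constructed placeholder, not a real certificate digest
IMPOSTOR_SIGNER = "bb" * 32   # constructed placeholder for a look-alike app's signer
BANK_APP = AppCredential("com.example.bank", GENUINE_SIGNER, "alice")

if __name__ == "__main__":
    for url in ["https://accounts.example.com/login", "http://static.example.com/",
                "https://accounts.example.com:8443/", "https://accounts.example.com.evil.test/"]:
        print(f"{url:45} weak={weak_url_match(BANK, url)!s:5} strict={strict_url_match(BANK, url)}")
    print("impostor app, weak :", weak_app_match(BANK_APP, "com.example.bank", IMPOSTOR_SIGNER))
    print("impostor app, strict:", strict_app_match(BANK_APP, "com.example.bank", IMPOSTOR_SIGNER))
```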

Although the team admitted that “rigorous security models and canonical security tests for password managers” are needed, they still recommend their use to businesses and individuals alike, as they continue to be a more secure and usable option than resorting to password recycling or trying to memorize them all.

Food for thought, since people continue to make questionable choices when choosing passwords to protect their data, as can be evidenced by the fact that “12345” and similarly easy-to-hack passwords remain popular choices for many netizens.



Amer Owaida



Half a million Zoom accounts for sale on the dark web

Even accounts belonging to banks and educational institutions were found on lists plastered across various hacker forums

More than 500,000 Zoom accounts are now up for grabs on hacker forums hosted on the dark web. Some are going for less than a US cent apiece while others are given away for free.

In a statement provided to BleepingComputer, cyber-intelligence company Cybel said that it noticed free Zoom accounts being offered on hacker forums around April 1st as a way for hackers to increase their notoriety. The accounts were posted on text sharing sites where ne’er-do-wells offer lists of email address and password combinations.

Cybel reached out to one of the forums and was able to purchase a large number of accounts so it could warn its clients of potential breaches. The company was able to obtain about 530,000 accounts for about US$0.002 each, with accounts containing victims’ email addresses, passwords, personal meeting URLs and their HostKeys. Accounts belonging to financial institutions, banks, colleges and others were also found in the list.

Since the COVID-19 pandemic has forced many companies to switch to remote working, Zoom and other videoconferencing services have enjoyed a surge in popularity, with its users becoming a favorite target for ne’er-do-wells.

The accounts that are currently either on sale or being given away on hacker forums don’t seem to have been obtained from a cybersecurity attack or any kind of breach of Zoom’s infrastructure. Instead, the credentials are believed to come from credential-stuffing attacks.

During these attacks, bad actors usually use bots to hammer sites with automated login attempts, leveraging credentials from past data breaches. Once the bot hits the right combination, its operators have access to the account. They can use this either to wreak havoc in the form of Zoom-bombing pranks or compile them into a list with other stolen credentials and sell them off on forums.

BleepingComputer went on to verify the veracity of the stolen data by selecting random email addresses and contacting their owners. One of the contacted people said that the posted password was an old one, which provides some credibility to the theory that some of the login details were obtained from old security incidents.

How to stay safe

One way to lower the chances of becoming a victim of a credential-stuffing attack is to refrain from recycling passwords across different services.

“Hackers use very simple tools to re-use passwords that are stolen in separate data breaches – an attack known as ‘password stuffing’. They are then able to quickly attempt to access all accounts with the same email address as the user name,” says ESET security specialist Jake Moore.

Zoom has been thrust into the limelight recently due to privacy and security challenges, as it had difficulties coping with the influx of new users. If you are a Zoom user, you might also want to check out our article on how to secure your Zoom account so you are protected from any malicious activities or pranks in the future.



Amer Owaida



Chrome now warns you if your password has been stolen

The browser’s latest version also aims to up the ante in phishing protection

Google has added a new feature to its Chrome web browser that will alert users if their login credentials have been compromised in a security breach, according to the company’s announcement.

This may sound familiar, and with good reason. The functionality builds on Chrome’s Password Checkup browser extension, which was rolled out in February of this year and has since been downloaded a little over a million times. In October, Google integrated the feature into Google Accounts, giving users an easy way of checking whether their saved passwords may have been leaked or stolen, as well as determining whether their login credentials are weak or reused across multiple accounts.

Now, however, the company is making it even easier to find out if your username/password combinations may have been exposed. The feature – which is part of the release of Chrome 79 to the stable channel for Windows, Mac, Linux, Android, and iOS – has been made available for everyone who’s logged into Chrome.

In a separate blog post, Google gave assurances that the usernames and passwords are hashed and encrypted and that nobody, including the company itself, is able to derive the username or password from the encrypted copy.

As an aside, if you don’t use Chrome, there are other ways to find out if your login details have been exposed in a known security incident. Our recent article sums up some of the most common options.


Phish me not

Recognizing an online phishing attack isn’t always easy, and Google has sought to help people stay safe from this pervasive con. Earlier this year, for example, the company rolled out a quiz that, drawing on real-life techniques deployed by scammers, tested users’ phish-spotting prowess.

Coming back to the present, on top of the integrated leaked-password checker, Chrome’s latest update includes real-time phishing protection. This security enhancement also builds on an existing functionality, as the browser has for some time displayed warnings to people when they attempted to navigate to sites known to pilfer logins.

The feature, which can be controlled in the ‘Settings’ tab under ‘Sync and Google services’, relies on Google’s service known as Safe Browsing, which contains a database of unsafe web resources that updates every 30 minutes. According to the company, however, many phishing sites slipped through the time window. Google says that the expansion of its phishing protection and real-time scanning on desktop has been shown to create alerts for an extra 30 percent of phishing sites.

Beyond that, the latest Chrome update also fixes 51 vulnerabilities, including two rated as ‘critical’.



Tomáš Foltýn


Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random email addresses that last 10 minutes. The service is also known by names such as temporary mail, disposable mail, throwaway email, one-time mail or anonymous email address. All emails received by Tempmail servers are displayed automatically in your online browser inbox.

The worst passwords of 2019: Did yours make the list? – 10 minute mail

These passwords may win the popularity contest but lose flat out in security

Year after year, analyses show that millions of people make, to put it mildly, questionable choices when it comes to the passwords they use to protect their accounts. And fresh statistics for the year that is drawing to a close confirm that bad habits do die hard and many people willingly put themselves in the firing line of account-takeover attacks.

Drawing on an analysis of a total of 500 million passwords that were leaked in various data breaches in 2019, NordPass found that ‘12345’, ‘123456’ and ‘123456789’ reigned supreme in order of frequency. Between them, these numerical strings were used to ‘secure’ a total of 6.3 million accounts. It doesn’t get much more optimistic further down the list, however, as these three choices were followed by ‘test1’ and, the one and only, ‘password’.

Somewhat predictably, the chart is overall replete with many usual suspects among the most common passwords – think ‘asdf’, ‘qwerty’, ‘iloveyou’ and various other stalwart choices. Other supremely hackable passwords – including simple numerical strings, common names, and rows of keys – also abound. Much the same picture is painted annually by SplashData’s lists of the most-used passwords, such as last year, the year before that, and so on.

The entire list of the 200 most popular passwords is available in NordPass’ blog post, but here’s at least the top 25. Let that sink in.

Rank Password
1 12345
2 123456
3 123456789
4 test1
5 password
6 12345678
7 zinch
8 g_czechout
9 asdf
10 qwerty
11 1234567890
12 1234567
13 Aa123456.
14 iloveyou
15 1234
16 abc123
17 111111
18 123123
19 dubsmash
20 test
21 princess
22 qwertyuiop
23 sunshine
24 BvtTest123
25 11111

Eerily familiar?

If you recognize any of the above as your own, then fixing your passwords is almost certainly one of the things that deserve a place on your laundry list of New Year’s resolutions. For starters, fixing here means not having the exact same idea as millions of other people when you’re signing up to a service and are asked to create your password.

One way to go about this is to opt for a passphrase, which, if done right, is generally a tougher nut to crack as well as easier to remember. The latter is especially useful if you don’t use password management software, which, somewhat unsurprisingly, has been shown to benefit both password strength and uniqueness. Yes, that passphrase should, of course, be unique for each of your online accounts, as recycling your passwords across various services is tantamount to asking for trouble.
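A defensive use of the list above, as an added example that is not part of the article: a sign-up-time check that rejects the top 25 even when disguised with character swaps or a trailing year, and otherwise asks for a passphrase. The 16-character threshold is an assumed policy value, not one the article gives.

```python
import re

# The top 25 from the NordPass list quoted above (denylist seed).
TOP_25 = [
    "12345", "123456", "123456789", "test1", "password", "12345678", "zinch",
    "g_czechout", "asdf", "qwerty", "1234567890", "1234567", "Aa123456.",
    "iloveyou", "1234", "abc123", "111111", "123123", "dubsmash", "test",
    "princess", "qwertyuiop", "sunshine", "BvtTest123", "11111",
]

# Common character-for-letter swaps; undoing them catches "p@ssw0rd"-style recycling.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Assumed policy threshold (not from the article): a passphrase of at least 16 characters.
MIN_PASSPHRASE_LEN = 16


def strip_symbols(s: str) -> str:
    """Lowercase and drop anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


DENYLIST = {strip_symbols(p) for p in TOP_25}


def variants(password: str) -> set:
    """Forms of the password that are all compared against the denylist:
    as typed, with leet swaps undone, and each with trailing digits removed
    (so 'ILoveYou2019' still matches 'iloveyou')."""
    base = {strip_symbols(password), strip_symbols(password.lower().translate(LEET))}
    return base | {re.sub(r"\d+$", "", v) for v in base}


def assess(password: str) -> list:
    """Return the reasons the password should be rejected (empty list = acceptable)."""
    reasons = []
    if DENYLIST & variants(password):
        reasons.append("matches a top-25 most common password (possibly disguised)")
    if len(password) < MIN_PASSPHRASE_LEN:
        reasons.append(f"shorter than {MIN_PASSPHRASE_LEN} characters; use a passphrase")
    return reasons


def is_acceptable(password: str) -> bool:
    return not assess(password)
```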

You may also want to watch out for password leaks. There are a number of services these days where you can check if your login credentials may have been caught up in a known breach. Some of them even offer you the option to sign up for alerts if your login information is compromised in a breach.

In fact, as ours is an era where login data are compromised by the millions, why settle for one line of defense if you can have two? At the risk of repeating ourselves, two-factor authentication is a highly valuable way to add an additional layer of security to online accounts on top of your password.



Tomáš Foltýn



38,000 people forced to pick up email passwords in person – 10 minute mail

Malware and legal requirements force academics and students to join a near-endless line in order to pick up their passwords

Usually, if you forget your password or need to change it for other reasons, getting a new one is a straightforward process that involves a few clicks. Now imagine you would have to prove your identity and retrieve your password in person. Don’t rush to laugh this off as a bizarre fantasy, as thousands of students and faculty members at the Justus Liebig University Giessen in Germany were unlikely to be laughing when they learned that they would have to do just that.

According to the institution’s statement, 38,000 students and academics now have to stand in line, ID card in hand, so that they can receive new passwords to their university email accounts. The distribution of new passwords was prompted by a malware incident detected last week, with the university’s network being offline since December 8th. As for the unorthodox way of issuing new passwords in person, the staff are citing the legal requirements of the German National Research and Education Network (DFN).

Arguably, in a way the university can be lauded for its incident response. Since the incident was noticed, the servers and machines were taken offline. USB flash drives loaded with security software were handed out to faculty members, institutes and departments to carry out scans of all machines connected to the university’s network. The devices that passed the first wave of checks were labeled with green stickers.

A second wave of scans then followed, and included, to use the university’s own words, a “specialized scan for the new virus type”. A total of 1,200 USBs were prepared for the second wave, which has been underway since December 18th. Computers that passed both scans are immediately cleared for use. Students were assured that their private machines were free of any risks since they use a separate university network from the one that was compromised.

Nevertheless, the university’s IT Service center decided to assign new passwords to everyone since they suspected that the malware hit their e-mail servers as well. The whole process was designed to be as precise and orderly as possible, and the students and faculty were separated into groups based on their date of birth and can pick up their passwords during allotted timeslots.

Prospective students were affected as well, since the website through which they could apply is currently offline. This means that they will have to apply through more “analog” ways, such as submitting applications in person or sending them by traditional mail.



Amer Owaida

