Gen Z Officially Worse At Passwords Than 80-Year-Olds (theregister.com)

A NordPass analysis found that Gen Z is actually worse at password security than older generations, with "12345" topping their list while "123456" dominates among everyone else. The Register reports: And while there were a few more "skibidis" among the Zoomer dataset compared to those who came before them, the trends were largely similar. Variants on the "123456" were among the most common for all age groups, with that exact string proving to be the most common among all users -- the sixth time in seven years it holds the undesirable crown.

Some of the more adventurous would stretch to "1234567," while budding cryptologists shored up their accounts by adding an 8 or even a 9 to the mix. However, according to Security.org's password security checker, a computer could crack any of these instantly. Most attackers would not even need to expend the resources required to reveal the password, given how commonly used they are. They could just spray a list of known passwords at an authentication API and secure a quick win.
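The spray the summary describes, and why it is cheap, is easy to see in code. The simulation below is an added example and is not code from The Register, NordPass or Security.org; the 30-account population, the denylist excerpt, the attacker's source address and the limits (5 failures per account, 20 per source, 10-minute window) are all constructed for illustration. It sends one common password to every account before moving to the next, which is exactly the pattern that never trips a per-account lockout, then shows what a per-source failure budget and a registration-time denylist each change.

```python
"""Password spraying against a small login API, and the controls that stop it:
a common-password denylist at registration, per-account lockout, and a
per-source failure budget.

Constructed example: users, passwords, limits and attacker behaviour are
invented for illustration and come from neither the NordPass data nor the
Register article.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed excerpt of a denylist; real ones hold tens of thousands of entries.
COMMON_PASSWORDS = {"123456", "12345", "1234567", "12345678", "123456789",
                    "password", "p@ssw0rd", "qwerty", "skibidi"}


def password_allowed(pw: str) -> bool:
    """Minimum length plus a case-insensitive denylist check."""
    return len(pw) >= 8 and pw.lower() not in COMMON_PASSWORDS


class AuthService:
    """In-memory login endpoint: salted PBKDF2 storage plus failure counters."""

    def __init__(self, enforce_denylist=True, per_account_limit=5,
                 per_source_limit=None, window=600):
        self.enforce_denylist = enforce_denylist
        self.per_account_limit = per_account_limit
        self.per_source_limit = per_source_limit   # None: no per-source budget
        self.window = window                       # seconds of failure memory
        self.users = {}                            # user -> (salt, hash)
        self.account_failures = defaultdict(list)
        self.source_failures = defaultdict(list)
        self.locked_until = {}

    @staticmethod
    def _hash(pw, salt):
        # Low iteration count keeps the simulation fast; raise it in production.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 1000)

    def register(self, user, pw):
        if self.enforce_denylist and not password_allowed(pw):
            raise ValueError("password rejected by denylist")
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(pw, salt))

    def _recent(self, stamps, now):
        stamps[:] = [t for t in stamps if t > now - self.window]
        return len(stamps)

    def login(self, user, pw, source, now):
        """Returns one of: ok, fail, locked, blocked_source."""
        # A spray sends one password to many accounts, so no account reaches the
        # per-account limit; only the per-source budget sees the whole campaign.
        if (self.per_source_limit is not None and
                self._recent(self.source_failures[source], now) >= self.per_source_limit):
            return "blocked_source"
        if self.locked_until.get(user, 0) > now:
            return "locked"
        rec = self.users.get(user)
        # Unknown users take the wrong-password path to avoid enumeration.
        ok = rec is not None and hmac.compare_digest(self._hash(pw, rec[0]), rec[1])
        if ok:
            return "ok"
        self.account_failures[user].append(now)
        self.source_failures[source].append(now)
        if self._recent(self.account_failures[user], now) >= self.per_account_limit:
            self.locked_until[user] = now + self.window
        return "fail"


# Constructed population: 30 accounts, 8 of which chose a top-10 password.
WEAK_CHOICES = {3: "123456", 10: "123456", 17: "123456", 24: "123456",
                5: "12345", 12: "12345", 8: "password", 19: "password"}
SPRAY_LIST = ["123456", "12345", "password"]


def build_population(svc):
    for i in range(30):
        user = f"user{i:02d}"
        try:
            svc.register(user, WEAK_CHOICES.get(i, f"Ls8!{user}-strong"))
        except ValueError:  # denylist forced a different choice
            svc.register(user, f"Ls8!{user}-strong")


def spray(svc, source="198.51.100.7"):
    """One password across every account, then the next, one attempt per second."""
    outcome, compromised, now = defaultdict(int), [], 0
    for pw in SPRAY_LIST:
        for i in range(30):
            now += 1
            result = svc.login(f"user{i:02d}", pw, source, now)
            outcome[result] += 1
            if result == "ok":
                compromised.append(f"user{i:02d}")
    outcome["compromised"] = compromised
    return dict(outcome)


def simulate(enforce_denylist, per_source_limit):
    svc = AuthService(enforce_denylist=enforce_denylist,
                      per_source_limit=per_source_limit)
    build_population(svc)
    return spray(svc)


if __name__ == "__main__":
    print("lockout only:          ", simulate(False, None))
    print("lockout + source budget:", simulate(False, 20))
    print("denylist + source budget:", simulate(True, 20))
```

With per-account lockout alone the attacker takes all 8 weak accounts in 90 requests and no account is ever locked, because each one sees only three failures. Adding the per-source budget stops the campaign after 20 failures, but three accounts had already fallen to the very first password. Only the denylist at registration leaves the attacker with nothing, which is why current guidance pairs rate limiting with a breached-password check rather than relying on either alone.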

  • by LindleyF ( 9395567 ) on Tuesday November 18, 2025 @09:04PM (#65803791)
    I've got the same combination on my luggage!
  • by cusco ( 717999 ) on Tuesday November 18, 2025 @09:18PM (#65803815)

    I remember a story on Slashdot from around the turn of the century, an audit of servers at the Pentagon found that the most common Admin password was Password, the second-most common was P@ssw0rd.

    At my first real IT job in 1996, if you knew the birthdate of the children of 4/5 of the users you knew their password. I wasn't allowed to insist on a change in the user training.

    • by AmiMoJo ( 196126 )

      I don't think it's just that people are bad at passwords, it's that they don't care. If their account gets compromised, it will probably hurt the service provider more than it will hurt them.

      Gen Z are particularly sensitive to this, because they have noticed that most of the advice they get is bunk. If they are told to protect something like a password, they are more likely to evaluate if it actually matters to them to protect it, rather than just blindly following the advice.

      That said it's a little surpris

    • Because obviously having a numeric password for Windows login, which has far less entropy than an alphanumeric + punctuation one, will obviously improve security, won't it?

      [crickets]

      • by flink ( 18449 )

        PINs are only for logging into the terminal; they aren't valid for network logins. You set a numeric PIN for your home PC because it is relatively physically secure. For a laptop you use a fingerprint or FaceID. You are also free to tell Windows you want to use an alphanumeric "PIN", at which point it is just a password.

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Tuesday November 18, 2025 @09:32PM (#65803827)
    Comment removed based on user account deletion
    • by ClueHammer ( 6261830 ) on Tuesday November 18, 2025 @09:50PM (#65803849)
      I strongly disagree with the idea that some accounts “don’t need security.” Attackers don’t care whether an account seems unimportant; they target anything weak because everything is automated. A compromised “low-value” account can still be used to send spam, spread malware, impersonate you, or post junk that gets you banned. The real danger is password reuse: once an attacker gets a password from a trivial site, they immediately try it on your email, cloud accounts, banking, shopping, everything. That’s how most real-world compromises happen. Even an account you don’t care about still reveals useful data like email addresses, usernames, and login patterns, which attackers use for profiling and pivoting. And if someone abuses your account, you’re the one stuck cleaning up the mess. Using unique passwords and a manager takes seconds; cleaning up identity or account compromise takes days. Security isn’t about whether you think the account matters — it’s about removing the weak link that attackers will exploit.
      • Comment removed based on user account deletion
      • or post junk that gets you banned

        The point is that a user may not give a shit. If someone breaks into my Slashdot account and takes it over or gets it banned I wouldn't care. It's just not important. Impersonating my pseudonym is also not critical to me. Pretending I am a random nickname online doesn't impact me.

        On the flipside personally linked and identifiable information is an issue. Not all accounts are the same, and yes I reuse my Slashdot password for a lot of accounts I don't give a shit about, but you won't get into my bank with it

        • by Rei ( 128717 )

          1. I got asked once if I played World of Warcraft since they saw a guy with the name "thegarbz" playing. I said no. By the way, I know exactly who that person is because he impersonated me as a joke. I found that flattering and funny, but it has no impact on my life beyond that.

          Reminds me of my first email account ;) One of my professors said we all had to register for an email account (this was in the mid-90s) so we could submit our homework to him, so I registered his name at hotmail.com to mess with him

      • Well, from my perspective, Nvidia's GeForce Experience application did not require security. It downloaded drivers and game presets, but required a login. This made no sense to me whatsoever, leading to great annoyance and numerous complaints. Their eventual explanation came down to it being a CYA because the software did have to tell their service what GPU and games you had in order to know what to download. I still can't figure out how that information could be meaningfully abused.

        I'm not sure if the

      • There are some types of accounts that are very low importance and risk:
        - My slashdot account
        - Free accounts that allow me to view articles that require an account to view
        - A webcam account
        - A single-use account required to complete a job application
        - My home wifi guest network (you have to be physically present to access it)

        Some of these could be arguable, but my point is, there do exist accounts that are of such low importance that the password really doesn't matter.

    • by gweihir ( 88907 )

      While this is not completely correct, it is also not completely wrong. The thing is that password guessing attacks are generally high effort attacks because they have to be customized. Far easier to wait until Microsoft (or Google or Apple) mess up and then get in with a generic attack. At least Microsoft does it often enough. Or use mass-phishing for another no-password-required attack that works reasonably well in practice.

    • Also I would add that most accounts don't need a password.

      Any account that has a "reset by email" option doesn't need a password. It's precisely as secure as your email account so they may as well send a one time token link to authenticate.

      • by flink ( 18449 )

        I hate sites that do this. Passwordless with an email token to log in seems to be the trend for a lot of smaller ecommerce sites. It is so much more of a hassle to check my email, then check my spam folder where the token probably landed, rather than just fill in the password from my password manager.

  • They could just spray a list of known passwords at an authentication API and secure a quick win.

    This is why anyone with half a brain rate limits failed password attempts and then locks the account after too many failures. If your code allows an attacker to just hammer the authentication API, you suck as a programmer and should feel bad.

    • What are you on about? As far as I know, iPhones auto-disable the device after 10 attempts by default.

      Besides, you're talking about password attempts like you've only just done Cybersecurity 101 at uni. What you said is common knowledge/practice. Stop getting so excited about it, Captain Obvious.

      • I realize not reading the article is something of a /. tradition, but I've literally quoted part of the summary where they're pretending that nothing is done to mitigate brute-force attacks (which, as you rightfully pointed out, has been recognized as a threat for as long as there has been an infosec industry).

        I wouldn't be wearing my captain obvious hat if the article hasn't pretended that brute force attacks are some kind of scary new threat, of which there is absolutely no defense besides making your passwo

        • You jest, but I would personally rather give a drop of my blood every day than keep thinking of and remembering passwords that fit the requirements.
        • An uppercase letter
          A lowercase letter
          A special character
          ...
          Cannot reuse a previously used password

          Speaking of which, I wish login prompts always listed the required password rules. It would be a huge help for me.

    • by jenningsthecat ( 1525947 ) on Tuesday November 18, 2025 @10:22PM (#65803883)

      If your code allows an attacker to just hammer the authentication API, you suck as a programmer and should feel bad.

      If your code allows an attacker to just hammer the authentication API, you suck as a programmer and should be fired. FTFY. ;-)

      I'm not even a programmer, but if I was tasked with working on authentication I'd make finding a way to limit failed attempts a high priority.

      • If you are a programmer and you are given clear instructions on what is expected, then yes. If you are a programmer and you are not given clear instructions, then no. However if you are technical lead/architect then you really should be responsible for it.

        OTOH if you are a programmer and you raise these concerns then you are on your way to become a technical lead/architect.

        In my systems I insist we keep a database table of various common passwords (tens of thousands of these) and we do not allow people us

        • by Anonymous Coward

          we do not allow people using them as well.

          Do you warn them first or just go straight to unemployment?

        • I worked for a company that used Nfront to enforce password requirements. It just used a plaintext dictionary file with every 4-digit number and every 4-character word; no password including them was allowed. Might be more expensive than how you're doing it, but it's probably a lot easier to manage and enforce. Might be worth looking at tools like that to make your life easier.
    • You just start on a different account. I don't need your account, just someone's. If they lock my IP jump to a different one.

      The solution is to never allow a human to generate a password. The computer generates it and informs the user.

  • Which passwords. (Score:5, Insightful)

    by gurps_npc ( 621217 ) on Tuesday November 18, 2025 @09:35PM (#65803831) Homepage

    There is a difference between your Bank account password and your Slashdot password. I am perfectly willing to use 123456 as my slashdot password. I don't, but I am willing to use it. But my bank accounts now use two factor authentication.

    Frankly, there are a ton of services that ask for a password for the benefit of the SERVICE, not for you. They want their metadata on you to be clean, rather than caring about your privacy.

    If the study did not ask what the passwords were for, then the study proved nothing.

    • by Anonymous Coward

      I am perfectly willing to use 123456 as my slashdot password. I don't, but I am willing to use it.

      Go on then. Change it now.
      You won't will you...
      I wonder why...

    • by redelm ( 54142 )

      The most probable answer is: passwds stored in plaintext on the few systems they were able to get /etc/passwd. Only horribly insecure systems. Do you imagine they deSALTd /etc/passwd? Asking people or otherwise surveying will produce unquantifiable error as respondents should lie.

    • The government web-site is trying to push everyone to not-portable pass-keys. The bank web-site demands I enable 2FA by purchasing a physical dongle: For some reason, they won't support authenticator applets. They recently installed password rules though.
    • Indeed. There always has to be a compromise between a real but small chance of your account getting broken into and a much larger possibility that you'll simply forget your password. Yes you can reset the password via your email but that needs a password too. And yes, there are password managers but they are not much good if you're accessing a service from different devices and possibly different OSes.

      Like many have said, nowadays nearly every site you interact with asks to create an account with a password

    • There is a difference between your Bank account password and your Slashdot password. I am perfectly willing to use 123456 as my slashdot password. I don't, but I am willing to use it. But my bank accounts now use two factor authentication.

      Frankly, there are a ton of services that ask for a password for the benefit of the SERVICE, not for you. They want their metadata on you to be clean, rather than caring about your privacy.

      If the study did not ask what the passwords were for, then the study proved nothing.

      I have a simple word/number password I use for slashdot and websites. Security extensions have told me the password showed up on the darkweb and I need to change it, I really don't care enough.

    • Ha! Now I'm going to post a reply to your message...AS YOU!

  • Why would you care? (Score:5, Interesting)

    by ThumpBzztZoom ( 6976422 ) on Tuesday November 18, 2025 @09:44PM (#65803841)

    This is proof that too many sites and apps require passwords, not necessarily that they don't understand security. Some don't, obviously, but if it's something I don't care about that I'm not storing a credit card number on, I really don't care if it gets hacked. Stores that I know I'm buying one thing from once, message boards that require a login to download some technical data, and other sites that have insignificant consequences for me if someone impersonates me, none of these deserve better.

    My bank account password is secure, and it's not saved anywhere but my head. Email, social media, stores I frequently use, they get good passwords. Not worth worrying about the rest.

  • Methodology? (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Tuesday November 18, 2025 @10:11PM (#65803873)

    Clicking through a few levels, it appears this is based on an analysis of stolen password dumps. It does not say whether they took steps to limit their analysis just to passwords grabbed in bulk as part of data breaches - so, if brute-forced passwords make up a meaningful percentage of the total, it's possible their overall counts are biased and inflated.

    • You're postulating a scenario where each password was dumped individually after discovery. A large portion of password dumps are actually the result of massive data breaches; this includes cases such as unprotected passwords, or unseeded / non-hashed ones. In many cases these databases have nothing to do with brute forcing or not biasing the results.

      People are actually stupid.

  • by erice ( 13380 ) on Tuesday November 18, 2025 @11:50PM (#65803939) Homepage
    I'm surprised they found so many "12345" passwords. Not because it is a dumb password. It doesn't surprise me at all that people would try to use a password like that. It surprises me that, in an age when even useless logins require eight characters including mixed case, a number, and a special, that there were enough systems to allow all numeric five character passwords for "12345" to be popular.
    • I think those are just the ones they cracked so far. I'm quite sure once they crack all, correcthorsebatterystaple will float on top of everything else eventually.
    • Yeah. On what the hell did those passwords get created? No website built in the last 20 years and no application released in the same timeframe.

      And that's when it hit me. I have seen passwords like 12345 very recently. I've seen user:pass combos like 12345678:87654321. I've seen admin:password, admin:12345, 12345:12345. As default logins on devices. Cameras, printers, APs, routers, etc., etc.

      Which would mean the entire premise of the article is wrong. They're just finding default passwords in du

  • Stop mandating password requirements for things I don't care about, with rules so obscure I will never want to remember them. Support passkeys instead.
  • They don't know that the ultimate secret password is 0451. Nobody will ever guess that.

  • That's the password of my luggage. Better change it now.

  • >"12345" topping their list while "123456" dominates among everyone else.

    Not a SINGLE system I use, and I use a LOT of systems, would allow such a stupid password. Granted, there are also tons of systems that go extreme in the other direction with requiring FAR too complex (which is also incredibly stupid). And the stupidest of all is password aging.

    A reasonable password, coupled with rate limiting and lockouts, is very secure. It will not be broken by brute force on the "outside" of properly-configur

    • I was thinking the same thing until I remembered that I have recently entered 12345 as a password. It was the default on some crap device. It's the default on a lot of crap devices. I don't think they're capturing actual user accounts in this study, I think they're finding defaults.
  • ... anything than any 80 year old. Lazy as hell and not willing to accept the need to make an effort.

    • I look around me in this world and making an effort seems to accomplish very little, to be fair. I work around 60 hours a week and do all kinds of extra stuff such as automating the things I am supposed to be doing so they take hours less. I look around me and after years of putting these things in my performance reviews I make no more than people around me that do the minimum. You only seem to get extra credit for anything if you were born into the right family, and then it doesn't matter if you are goo
  • I think the more interaction you have with the internet, the more passwords you collect. I just checked my phone: I have something like greater than 200 passwords, and I am not Gen Z, so I cannot imagine how many one of them might have.
  • If your hardware, firmware, software, router and ISP are compromised out of the box with taps, telemetry and the like, plus the website you are connected to gets hacked every five minutes, why bother?

  • ...they will be the most outraged when their bank accounts are plundered.

  • Foil the hax0rs!

  • Sounds like evolution at work to me. Also Google stores your password in plain text. Maybe there are bigger fish to fry than techno ignorant illiterati.
  • My 90 year old grandparents take passwords seriously, they have them written on a paper notebook in an obfuscated fashion (like fake contacts or appointments). They learned as adults that their credit card PIN code is important and think the same of passwords, also their online presence is very limited, so they have few of them.

    Nowadays, it is as if everything requires an account even when it shouldn't require one, and most accounts involve passwords. I have 350 of them in my password manager! They are an a

  • Sites often require me to create a login to use them, once, for some trivial thing.

    That annoys me.

    So I use a made-up ( or failing that, a one-time ) email address and the simplest password they let me get away with.

    Any survey of passwords should exclude those passwords where there is no bad outcome if they are discovered.
  • This information is useless without knowing what the passwords were chosen to protect.

    Let's face it: the password to my netflix account is not very important to me. If it's hacked I suffer a minor inconvenience at worst. What would be inconvenient for me would be if netflix forced me to do 2FA or some other complicated thing in order to use their service. That inconvenience would drive me toward cancellation.

    The password to my bank account IS very important to me. I picked a much better one there. And of co

  • 80 year olds didn't grow up with computers, and a lot of them never adapted. We know this, easy answer. Gen Z also did not really "grow up with computers" in the way most of us here did: they grew up using content consumption devices like phones. Gen Z by and large don't even know how a filesystem works because of this. It's worse for them than the 80s year olds because at least the old people remember the thing a file system is based on and know how drawers and folders work.

    So it's really not a surp
  • They are at the age where they realize everything they have is from debt owed to someone else. Any money they do make is worth less each day. Their beloved internet is falling into shit. The advertisements never stop. It's not even their own money. Why bother putting effort into a good password since whatever it protects is either not their money or another data collection fiasco. Or a forum of trolls and scammers.
  • The sub-heading is "They can probably set up a printer faster..."

    Has the author ever asked a Gen Z to set up a printer? Because in my experience, no ... many of them cannot. Even just *using* a printer is arcane dark magic...

  • There's an "official" arbiter of which generation uses the worst passwords? Who knew!
