March 15, 2011

Department of “Say What?!?”
Posted by Jim Macdonald at 09:35 AM * 50 comments

Welcome to our Login Page

If you already have an online subscription to the Caledonian-Record, you can log in below.
RETURNING CUSTOMERS, PLEASE NOTE THE FOLLOWING SECURITY CHANGE:
YOUR USERNAME WILL NOW SERVE AS YOUR PASSWORD AND YOUR PASSWORD WILL NOW SERVE AS YOUR USERNAME.

No, really.
Comments on Department of "Say What?!?":
#1 ::: Mike Bakula ::: (view all by) ::: March 15, 2011, 10:05 AM:

Um, if they were handling passwords correctly, that wouldn't even be possible. I leave the implications to the cloud...

#2 ::: Steve C. ::: (view all by) ::: March 15, 2011, 10:09 AM:

I wonder how many of them will have the username of 123456.

#3 ::: paul ::: (view all by) ::: March 15, 2011, 10:24 AM:

If all their users were following perfect password hygiene and using privacy-considerate nyms for their user names, this wouldn't be a problem.

(May I use this space to complain about the NYT, which limits users to not only one machine but one browser instance at a time?)

#4 ::: Nangleator ::: (view all by) ::: March 15, 2011, 10:25 AM:

Underwear to be worn on the outside.

#5 ::: toni ::: (view all by) ::: March 15, 2011, 10:37 AM:

It's not even decent odds to place bets as to how soon the hackers are going to rip through that site. Masochists much?

#6 ::: James D. Macdonald ::: (view all by) ::: March 15, 2011, 10:42 AM:

Plus, anyone who's been paying attention now has the username/password pairs for any number of people. Particularly of the people they've had disagreements with in the discussion threads.

#7 ::: Doctor Science ::: (view all by) ::: March 15, 2011, 10:43 AM:

My daughter, walking by and looking over my shoulder, said "I assume they've been hacked" -- and I agree, and believe this is the hacker's ruse to get people's passwords for the purpose of collecting un/pw combos to try on other sites.

#8 ::: Serge ::: (view all by) ::: March 15, 2011, 10:53 AM:

This reminds me of the scene from "Superman Returns" when Lois Lane has gone AWOL (again) and her boyfriend tries to find what she was up to, but her computer is locked. He finally figures out what the password is.

'Superman'

I wonder if that's-so-obvious-nobody-will-think-of-it works in real life.

#9 ::: Tom Whitmore ::: (view all by) ::: March 15, 2011, 11:13 AM:

Rather than just wonder, I've sent an e-mail to their head of IT, easily findable through their "contact us" link (well, two levels down from that, but that's easy enough). I'll let you know if I hear back.

#10 ::: Steve C. ::: (view all by) ::: March 15, 2011, 11:14 AM:

From another site, here's a list of the 500 most common passwords.


#11 ::: John ::: (view all by) ::: March 15, 2011, 11:20 AM:

Another possibility...an early April 1 joke?

#12 ::: Mike Dixon ::: (view all by) ::: March 15, 2011, 11:40 AM:

Unless it's just an interface thing where the web designer got the input fields backwards on accident, this seems... implausible. For one, it's highly unlikely that everyone had a unique password before, and unique usernames are usually a requirement in any sort of account system...
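Comment #1's point (that a site handling passwords correctly could not announce such a swap), comment #2's 123456 joke and comment #12's observation about unique usernames all turn on how credentials should be stored. The following Python is an added illustration, not code from the post, the commenters or the newspaper: it keeps only a per-user random salt and a one-way PBKDF2-HMAC-SHA256 digest, enforces that usernames are unique while passwords need not be, and rejects a password that equals the username or sits on a common-password list. The list, the iteration count and the minimum length are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the "500 most common passwords" list mentioned in the
# thread; a real deployment would load a full list (assumption for this example).
COMMON_PASSWORDS = {"123456", "password", "password1", "teresa", "scooby", "swordfish"}

# Assumption: iteration count in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LENGTH = 12  # assumption: policy minimum used by this example


@dataclass(frozen=True)
class StoredCredential:
    """What the server keeps. Note there is no plaintext password field at all,
    so a 'username becomes password' swap has nothing to work from."""
    username: str
    salt: bytes       # random, unique per user
    digest: bytes     # PBKDF2-HMAC-SHA256(password, salt)
    iterations: int   # stored so it can be raised later without breaking old records


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def check_password_policy(username: str, password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if password.casefold() == username.casefold():
        return "password must not equal the username"
    if password.casefold() in COMMON_PASSWORDS:
        return "password is on the common-password list"
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password must be at least {MIN_PASSWORD_LENGTH} characters"
    return None


def register(store: Dict[str, StoredCredential], username: str, password: str) -> StoredCredential:
    """Create an account. Usernames are unique keys; nothing requires passwords to be unique."""
    if username in store:
        raise ValueError("username already taken")
    reason = check_password_policy(username, password)
    if reason is not None:
        raise ValueError(reason)
    salt = os.urandom(16)
    cred = StoredCredential(username, salt, _derive(password, salt, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS)
    store[username] = cred
    return cred


def verify(store: Dict[str, StoredCredential], username: str, password: str) -> bool:
    """Check a login attempt without ever recovering the stored password."""
    cred = store.get(username)
    if cred is None:
        # Do a derivation anyway so an unknown username is not revealed by response time.
        _derive(password, b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    return hmac.compare_digest(_derive(password, cred.salt, cred.iterations), cred.digest)


if __name__ == "__main__":
    accounts: Dict[str, StoredCredential] = {}
    register(accounts, "alice", "correct horse battery")
    print("login ok:", verify(accounts, "alice", "correct horse battery"))
    print("login ok:", verify(accounts, "alice", "123456"))
    print("policy:", check_password_policy("andrew", "andrew"))
```

Because the server holds only salt and digest, the only way to reproduce the announced swap would be to ask every user for their password again, which is exactly why the notice reads like either a data-handling failure or a phishing page.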

#13 ::: Lee ::: (view all by) ::: March 15, 2011, 12:40 PM:

Steve, #10: One thing I sort of expected to see on that list but didn't was ETAONRISH, or possibly ETAONSHRDLU. OTOH, I guess the people who would know enough to use either of those would also know enough to know why not to use them!

#14 ::: James D. Macdonald ::: (view all by) ::: March 15, 2011, 01:28 PM:

Steve C. at #10:

Did you notice that "teresa" is password #189?

Proof our Miss Teresa rules.

#15 ::: HelenS ::: (view all by) ::: March 15, 2011, 01:44 PM:

"teresa" can be typed quickly and easily with the left hand. Of course that means it's easy to watch someone type it and guess what it is, too ...

#16 ::: Serge ::: (view all by) ::: March 15, 2011, 01:44 PM:

#239 is 'scooby'.

#17 ::: Older ::: (view all by) ::: March 15, 2011, 02:29 PM:

Nangleator, #4 -- "Bananas" reference FTW!

#18 ::: Steve C. ::: (view all by) ::: March 15, 2011, 02:36 PM:

Lee @ 13 -

I imagine ETAOIN would be a lot more common if our keyboards were laid out like Linotype machines.

Remember that Fredric Brown short story about the demon in the Linotype machine?

Just glancing at the list, first names are common, as are sports cities, with a sprinkling of dirty words and number strings.

I know that a few places have gone to the trouble of having a dirty words filter on their password input. Spoilsports.

#19 ::: Lighthill ::: (view all by) ::: March 15, 2011, 03:34 PM:

Doctor Science @ #7:

My first thought was that an exceedingly lazy programmer must have messed up which field was which, and rather than fix the mistake, convinced management to tell everybody that the mistake was in fact a "SECURITY CHANGE."

But you're right; an attack would make sense too.

#20 ::: Clifton Royston ::: (view all by) ::: March 15, 2011, 03:44 PM:

Nangleator @ 4: That was my first thought too! Either that or underpants on the head.

Steve @ 2:
<Spartacus>
"Which of you is 123456?"
"I am 123456!" "I am 123456!" "I am 123456!"
</Spartacus>

#21 ::: Tom Whitmore ::: (view all by) ::: March 15, 2011, 03:49 PM:

Steve C @ 18 -- more appropriate, perhaps, of Brown's is "The Angelic Angleworm", in which the Heavenly Records are recorded on a linotype....

#22 ::: Lee ::: (view all by) ::: March 15, 2011, 04:23 PM:

Steve, #18: The Fredric Brown story was in fact what I was thinking of; perhaps you didn't notice?

#23 ::: abi ::: (view all by) ::: March 15, 2011, 04:40 PM:

OK, so someone managed to out-fail Etsy. I am impressed.

#24 ::: Tom Whitmore ::: (view all by) ::: March 15, 2011, 04:43 PM:

Ah, there are two different stories involved here -- one has a linotype that becomes self-conscious when it sets a philosophical text (and my mind is blanking on its title, I fear) -- much more about demons entering the linotype. "The Angelic Angleworm" is about typos in the Heavenly Record resulting in someone being able to get up there in order to correct them.

#25 ::: Steve C. ::: (view all by) ::: March 15, 2011, 05:07 PM:

Lee @ 22 - D'oh! I should have noticed; sometimes I don't come to full consciousness until Wednesday. :)

#26 ::: Erik Nelson ::: (view all by) ::: March 15, 2011, 05:54 PM:

It is a violation of the Sarbanes Oxley act to have a password that is the name of a fantasy character.

#27 ::: Bob with a pseudonym ::: (view all by) ::: March 15, 2011, 06:11 PM:

Erik@26: And how exactly does the law educate itself about which miscellaneous Unicode strings are names of fantasy characters and which are not? Some of my fantasies can get downright typographic.

#28 ::: password1 ::: (view all by) ::: March 15, 2011, 06:17 PM:

I don't see the problem here.

#29 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: March 15, 2011, 07:35 PM:

Offhand, I'm having trouble thinking of any standard IT operating procedure that isn't a violation of the Sarbanes-Oxley act.

#30 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: March 15, 2011, 07:37 PM:

John @ 11:

No, this is too nitwitted not to be real.

#31 ::: Andrew T ::: (view all by) ::: March 15, 2011, 07:59 PM:

Ha ha, joke's on them. My username and password are the same!

#32 ::: P J Evans ::: (view all by) ::: March 15, 2011, 09:24 PM:

#3:
I have an account at Ancestry.com, which remembers the browser, not the machine. And it won't allow you to have more than one (or two?) open at a time, even though they're on the same machine.

(But they do a lot of things that aren't as smart as their programmers think.)

#33 ::: Don Fitch ::: (view all by) ::: March 15, 2011, 09:53 PM:

Somehow, this smells like phishbait, to me, and I'm wondering if responses really go back to the newspaper.

#34 ::: Serge ::: (view all by) ::: March 15, 2011, 10:02 PM:

If my name were Marx, would it be foolish for my password to be 'swordfish'?

#35 ::: Rainflame ::: (view all by) ::: March 15, 2011, 11:31 PM:

Serge@34
If my name were Marx, would it be foolish for my password to be 'swordfish'?

Depends on whether your first name is Karl or Harpo?

#36 ::: David Goldfarb ::: (view all by) ::: March 15, 2011, 11:32 PM:

Tom@24: Wasn't the title "ETAOIN SHRDLU"?

#37 ::: David Harmon ::: (view all by) ::: March 15, 2011, 11:34 PM:

I'm with Doctor Science #7. It's only charitable. ;-)

#38 ::: janetl ::: (view all by) ::: March 16, 2011, 12:56 AM:

abi @ 23: OK, so someone managed to out-fail Etsy. I am impressed.

I hadn't heard about Etsy. My goodness. I took a look, and found that I had in fact bought some things* on Etsy, but as is my wont, I had left the Profile quite blank. I did find these gems under Your Account > Settings > Privacy:

Favorites
Who can see your favorites?
Everyone (public)
Only you (private)

Findability
Do you want others to be able to find you by your email address? Your email address will not be publicly displayed.
Yes
No

I found these both set to Yes. I assure you that I would never, ever have set those to Yes. Etsy must be opting everyone in on those. I'm tempted to use a Word of Power to describe them, but shall refrain to avoid making work for the moderators. Snarl.


*Chocolates and cross stitch designs. Such wantonness!

#39 ::: Lee ::: (view all by) ::: March 16, 2011, 01:10 AM:

David, Tom: Honestly, I'm starting to feel like I'm suffering from invisible woman syndrome here.

janetl, #38: Yes, Etsy has indeed made both of those misfeatures opt-out. That's part of what has people annoyed. The other reason is that they DIDN'T TELL ANYONE what they were doing -- they just did it, quietly, with only a brief announcement on the site forums. The forums are used primarily by sellers, not buyers, and especially not by buyers like you (or me) who have only bought a couple of things over the course of years.

I posted that link to a mailing list for Houston Etsy shop owners... and at least one of THEM hadn't heard about it. That tells you something.

#40 ::: Terry Karney ::: (view all by) ::: March 16, 2011, 03:00 AM:

Lee: I think Tom was trying to do what I thought of doing, which is correct the actual list, since as given it was incorrect (says the man who, at one time, ran a Linotype).

#41 ::: David (a different one) ::: (view all by) ::: March 16, 2011, 05:46 AM:

Lee - if you want to be properly invisible, you'll need an unmistakably female username. Or, I suppose, password.

#42 ::: David Harmon ::: (view all by) ::: March 16, 2011, 08:44 AM:

Salon gets to the point.

And while we're there, haven't we been here before? I could swear I saw stories to that effect years ago. (It's still utter idiocy, not to mention abusive.)

#43 ::: dcb ::: (view all by) ::: March 16, 2011, 09:58 AM:

The one I was surprised to see absent from the list (unless I missed it) was tanstaafl. Or is that too old?

#44 ::: Ken ::: (view all by) ::: March 16, 2011, 01:08 PM:

I also suspect a phisher. However, I have seen several business systems where the username and password are both your account number - you know, the one printed on every piece of correspondence mailed or e-mailed to you. They tell everyone to change it after logging in, but how many people do so?

#45 ::: Tom Whitmore ::: (view all by) ::: March 16, 2011, 01:19 PM:

Did someone hear Lee say something? (My previous comment was because I'd misread the response to yours, Lee; rather than continue the weirdness, I just stopped talking....)

And a further indication that this is a result of hacking -- my note to their computer person has been held up because the Caledonia Record website is not responding: "Technical details of temporary failure: The recipient server did not accept our requests to connect." I don't say this makes it certain, but it does add a bit of evidence.

#46 ::: Andrew Willett ::: (view all by) ::: March 16, 2011, 05:05 PM:

The C-R login page seems to have returned to normal. Either they've fixed things or the spammers have gotten sneaky.

#47 ::: Lee ::: (view all by) ::: March 16, 2011, 05:50 PM:

Tom, #45: 'sokay. I should have put a smiley on the end of my comment anyhow -- it was meant as a tweak, not a serious complaint. (And David @41, most of the commenters here do know that I'm female.)

Speaking of Etsy, they seem to have backed off. I ran a Google search on my Etsy username, and my purchases didn't come up; apparently I got the permissions reset before the spiders found my account.

#48 ::: Nix ::: (view all by) ::: March 16, 2011, 08:18 PM:

Oh, bad password policies are endemic. I just got through the incredibly tiresome registration process for a piece of proprietary financial transaction reporting software at work. This is just for the software itself, not for the account needed to use it, and only a test version. But the process involved one on-line registration (name, address, company name, three phone numbers, dog's hair colour, boss's name, name of company director), one ack to an email, another online registration process, a threefold countersigning and returning of a paper mail by director-level people, then another lengthy online registration process...

... all this to get an account on their site from which we can download the software. When it turned up, the account username was my (at-work) email address: the password was the name of the company making the proprietary financial transaction reporting software (so, by extension, the same for every user). There is no facility to change passwords.

All that bureaucracy, for *that*? I was tempted to walk round the corner (we're both in London's Docklands) and smack whoever thought of that password policy round the head.

#49 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: March 17, 2011, 12:58 AM:

Some years ago, when I first went to work at Nike, my first major bit of maintenance work was to figure out how to fix the username field on one of the B2B sites, where shoe stores could order from the factory. For some reason, the original designer had insisted on making usernames be email addresses; the software checked that the username had the form of an email address, and that it was stored in the email field in the database. Then they discovered that there often was more than one user at a store, and sometimes the users at a store all used the same email address (it was a store account, not an individual one). No one had thought of that before.

This is also a story about bad programming practices: the email/username field was hardcoded into the webpages, in, honest to Shiva, more than 500 different places.

#50 ::: Annalee ::: (view all by) ::: March 18, 2011, 01:31 PM:

Bruce @49: A-grepping through the code; a-grepping through the code! High-oh the Dev was so; we're grepping through the code!

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 by Patrick & Teresa Nielsen Hayden. All rights reserved.