Analyzing 20,000 MySpace Passwords
Rub3X writes "Author found 20 thousand MySpace passwords on a phishing site and did some tests on them. They were tested for strength, length and a number of other things. Also tested was the most popular password, and the most popular email service used when registering for myspace."
Slashdotted before we even begin. CPU quota exceeded.
"How fine you look when dressed in rage."
Site reports the account has exceeded its CPU quota. Hmmm ... Already ?
So I can filter it out? Reading these stories about it makes me feel dirty.
Site seems dead for now, but the Coral Cache got the text at least.
Your hair look like poop, Bob! - Wanker.
spent some of that time analyzing the strength of his hosting plan
Most common passwords used:
13 - cookie123
12 - iloveyou
12 - password
11 - abc123
11 - fuckyou
11 - miss4you
Why don't sheep shrink when it rains?
It's a fairly interesting (if not too detailed) analysis. A commenter makes a critical observation, though: these were passwords entered at the phishing site, not MySpace. As such, some people can easily recognize it's not the original site and add such gems as "fuckyou".
Personally, I try to fit the following in every eBay phishing page I see:
Field 1: "just who do you think you're kidding?"
Field 2: "better luck next time, dolt."
Who is to say these people didn't just use bogus passwords?
-Chubbz
Charming man. I wish I had a daughter so I could forbid her to marry one. -Arthur Dent
Say 10% of the passwords on a site were obtained using a dictionary attack. Then perform an analysis on these passwords. Concluding, based on a statistically significant number of passwords (10%, >10000), that almost 100% of the passwords on the site are vulnerable to a dictionary attack is simply wrong - the sample was biased.
The same goes for phishing-originated passwords. Phishing is a result of bad practices on the user's side, and usually clicking attachments in spam, using an insecure browser and no antivirus goes together with using poor quality passwords. The results WILL show worse quality of user passwords than in reality, simply because the passwords originate from a subset of users who know less about security in general (and as a result, got hacked).
Anagram("United States of America") == "Dine out, taste a Mac, fries"
The analysis is flawed as a general indicator of MySpace passwords because it is only a subset of people who would actually fall for phishing attacks. Of course such people will have horrible password habits.
Now, I am changing my password to cookie321, no one will see that coming.
It would be interesting to see how many of the names in that list use the same password for MySpace account as they do in their email account.
http://www.networkmirror.com/pMNGiaubQFpIgJLX/cyber-knowledge.net/blog/2006/09/16/analyzing-20000-myspace-passwords/index.html
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
http://www.mirrordot.org/stories/65dbc3fb38c8508beda018cb179a7607/index.html
I have a few "sets" of passwords that I use. Basically it goes like this:
;)
1) Online banking - Very complex ( as complex as my banking site will allow that is ) / Important work related passwords
2) Unimportant work related passwords (Such as the log in to view the cacti graphs for example) / Public websites that require a password and I care a little bit about
3) Public websites I could give a rat's ass about having broken into. Myspace would be listed here. So would my slashdot account.
So my point is just because people use crappy passwords for myspace doesn't necessarily mean they don't have a clue......but being caught by phishers does.
======== In the future, everything will be artificial. ========
Sorry, you have to have a six digit UID to know what phishing means.
"Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher" - or by people pretending to be MySpace users when targeted by a phisher - or by people giving a bogus password when targeted by a phisher.
Ben Hocking
Need a professional organizer?
And when you gaze long enough into the code, the code will also gaze into you.
Due diligence would have him write a script to check which user/pass combinations were valid, and then analyze only those.
meh
I think you should take the same advice. I just stole your account and now I'm posting as you Mr. Coward.....HAHAHAHA!
I wonder why "password19" is significantly more popular than password2, password3, ... password18, password20 etc?
While "abc123" is more popular than "abc19" ?
There are publicly-available tools to prevent weak passwords from being used in the first place. OpenBSD has something, and I've compiled the library below and used it to protect ancient Oracle 7 accounts on HP-UX 10.20.
There are a lot of people who don't know or don't care..... If you open a website with a registration form asking for an e-mail and a new password, thousands of people will give you their e-mail and they will pick the same password for your website as their e-mail password. :)
MySpace users actually have passwords? Well, I'm more impressed than I was.
Justin - Don't be afraid of my blog, it won't bite.
BTW: No more Tom Cruise/Katie Holmes/Baby!
MORE: Scientology bashing && Clinton Jokes!
The only thing new in this world is the history that you don't know.[Harry Truman]
I almost sense a disappointment that MySpace users didn't come out looking stupider. Give the MySpace users a break! Their computer illiteracy is made painfully clear, but imagine if Slashdot had a comparable way to highlight its posters' social illiteracy. Perhaps there would be MySpacers writing on message boards about how stupid all Slashdot users were for their poor fashion sense. Yes, that would be stupid, but comparably as stupid as the blind, generalizing hate for MySpace users that is prevalent here.
1. Put up a site that claims to have tens of thousands of passwords up.
2. Post news on Slashdot.
3. Users go to site, and SEARCH for their password. Hacker now has REAL passwords thanks to the searches.
This password case notwithstanding, myspace generally sucks. Grupus has a much better way of making people socialise. Either form private groups there or public groups which only members can edit.
the world is spherical
There was an MIT study claiming that the strength of passwords was affected by length alone. Because of brute force cracking, the longer the password, the longer it took to break. Consider the three character password where I allowed only numbers, and upper and lower case letters. Each position in the password would have 10 + 26 + 26 = 62 possibilities. A three letter password would have 62 * 62 * 62 combinations. Now, if I required "strength" by requiring the use of a letter, and both upper and lower case, I now have only 10 * 26 * 26 combinations. Requiring "strength" always reduces the set of possible combinations for the password.
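The arithmetic in the comment above can be checked directly. The following Python is an added example, not code from the thread: it counts the strings of a given length over an alphabet, and the number of those that satisfy a composition rule requiring at least one character from each of several classes (via inclusion-exclusion, so that the required characters may appear in any order), then confirms the length-3 figure by plain enumeration. The digit/lower/upper classes are the ones the comment assumes.

```python
"""Counting password search spaces with and without composition rules.

Added example for the thread's length-versus-composition argument.
"""
from itertools import combinations, product
import string

# Character classes assumed in the comment: digits, lower case, upper case.
CLASSES = {
    "digit": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def constrained_keyspace(classes: dict, length: int) -> int:
    """Strings of `length` over the union of `classes` that contain at least
    one character from every class, counted by inclusion-exclusion:
    total, minus strings missing one class, plus strings missing two, ..."""
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for omitted in combinations(names, k):
            remaining = set().union(*(classes[n] for n in names if n not in omitted))
            total += (-1) ** k * len(remaining) ** length
    return total


def brute_force_count(classes: dict, length: int) -> int:
    """Enumerate every string and count those that satisfy the rule.
    Only practical for tiny lengths; used here to validate the formula."""
    alphabet = sorted(set().union(*classes.values()))
    count = 0
    for chars in product(alphabet, repeat=length):
        present = set(chars)
        if all(present & cls for cls in classes.values()):
            count += 1
    return count


if __name__ == "__main__":
    # Length 3 over a-zA-Z0-9: every arrangement versus "one of each class".
    print("62^3 =", keyspace(62, 3))                      # 238328
    print("one of each class =", constrained_keyspace(CLASSES, 3))  # 40560
    # The thread's other comparison: 20 lower-case letters vs 5 mixed-case.
    print("26^20 > 52^5:", keyspace(26, 20) > keyspace(52, 5))
```

Run as a script it prints the two counts; the composition rule leaves 40,560 of the 238,328 three-character strings, so the rule does shrink the space an attacker has to search, and the 20-character lower-case space dwarfs the 5-character mixed-case one.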
I think the analysis is just one-sided, as all the passwords are coming from a phishing site. Thus coming from people who are not really internet savvy and that's why most of them have ridiculous passwords!!
At the bottom of his article it has an ad for:
'Need a cheap host that can survive the Digg effect?'
That links to his webhost... Guess it doesn't survive it very well, eh?
LMFAO! I guess I'm the only one who thinks that's funny, props man.
It's not -1 Flamebait! It's +5 Funny. You just didn't get the joke...
Recently while auditing user accounts this password turned up as one of the top 10 most common passwords - if you don't know, it's Fox Mulder's password in the X-Files. Passwords used in movies and TV are surprisingly common, 'joshua' is pretty common, and quite a few people use 'CPE1704TKS' proving that just because people remember detailed trivia from hacking movies they don't know what makes a good password.
Ok, a number of you have pointed out that this list is not representative of Myspace users because it came from a phishing site.
You make the assumption that there is another class of myspace user that is smart (at least smart enough to recognize it as a phishing site or to avoid being phished at all).
From the massive amounts of stupid crap I've seen so far on myspace, I would say that you're making a pretty big assumption.
There should be a moderation category "Dumbest Comment EVER"
How many members of a given ethnic minority does it take to change a lightbulb?
N: 1 to change the lightbulb, and N-1 to engage in stereotypical ethnic behavior!
Twenty-two years on, here's my obvious password detector. This is C source code I wrote in 1984. This simple piece of code will prevent the use of passwords that are English words, by requiring that the password have at least two sequences of three letters not found in the dictionary. The "dictionary" is compressed down to a big table of hex constants; it's a 27x27x27 array of bool, with a 1 for each triplet found in the UNIX dictionary. So the code is simple, self-contained, and does no I/O.
Put this in your password-change program and dictionary attacks stop working.
The code is a bit dated; this is original K&R C, not ANSI C.
I should do a Javascript version and give that out. The code is so small that it could easily be executed on user-side password pages.
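The trigram idea described above, reconstructed as an added Python example (this is not the 1984 C code, and the word list is a small constructed stand-in for the UNIX dictionary). A table of every three-symbol window over a 27-symbol alphabet (26 letters plus one slot for any non-letter) is built from the word list, and a candidate is accepted only if at least two of its windows are absent from the table.

```python
"""Dictionary-shape password check via letter trigrams.

Added example, not the original 1984 code. SAMPLE_WORDS is a constructed
stand-in for the UNIX words file; in practice the table would be built
once from the full dictionary and shipped as a constant.
"""

SAMPLE_WORDS = [
    "password", "cookie", "love", "monkey", "dragon", "master", "sunshine",
    "princess", "football", "shadow", "letmein", "welcome", "baseball",
    "superman", "michael", "jennifer", "summer", "flower", "secret",
    "computer", "internet", "freedom", "whatever", "abc",
]

NON_LETTER = "."  # the 27th symbol: any digit, punctuation or space


def normalize(text: str) -> str:
    """Map to the 27-symbol alphabet: lower-case letters, else NON_LETTER."""
    return "".join(c.lower() if c.isalpha() else NON_LETTER for c in text)


def build_trigram_table(words) -> frozenset:
    """Every three-symbol window that occurs in the word list.

    This is the 27x27x27 boolean array of the original, stored as a set of
    strings instead of a packed bit table."""
    table = set()
    for word in words:
        w = normalize(word)
        for i in range(len(w) - 2):
            table.add(w[i:i + 3])
    return frozenset(table)


def novel_trigrams(password: str, table: frozenset) -> list:
    """Windows of the candidate that never occur in the dictionary."""
    p = normalize(password)
    return [p[i:i + 3] for i in range(len(p) - 2) if p[i:i + 3] not in table]


def is_acceptable(password: str, table: frozenset, required: int = 2) -> bool:
    """Accept only if at least `required` windows are not dictionary-like."""
    return len(novel_trigrams(password, table)) >= required


TABLE = build_trigram_table(SAMPLE_WORDS)

if __name__ == "__main__":
    for candidate in ["password", "sunshine", "kq7vzx9", "cookie123"]:
        print(f"{candidate!r:14} novel={novel_trigrams(candidate, TABLE)} "
              f"ok={is_acceptable(candidate, TABLE)}")
```

The check does exactly what the comment claims and no more: a bare dictionary word never passes, but a word with two or more trailing digits does, because the windows that straddle the digits are novel ("cookie123" is accepted here even though it tops the thread's frequency list). Treat it as one filter alongside a minimum length and a literal check against a list of known common passwords.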
Does it really matter how secure a password is if the user is susceptible to phishing?
So what if the analysis shows that 99% of MySpace passwords are "very secure" - all of the passwords in question were obtained through phishing so the accounts have been compromised regardless!
It's like forcing people to change their passwords so often that they resort to writing them on post-it notes on their monitor. Security is more than just the strength of your password.
When I'm bored, I look through my spam folder, and put fake data on the phishing websites. Is there any kind of program that automatically does it? Remember Blue Frog? What if there was a program that did the same for phishing websites.
this is not redundant... if you're reading /. oldest first and threaded, you'll come across the same post as this, made 16 minutes AFTER this one... which is currently modded funny.... smarten the fuck up mods.
Go ahead and try, you can log in with any case variation of your password. I suppose they're just storing them in plain text and doing a case insensitive comparison when you login.
It still amazes me how few people can use coral cdn to pull up a slashdotted page http://cyber-knowledge.net.nyud.net:8080/blog/2006/09/16/analyzing-20000-myspace-passwords/ is the copy of the page before it was slashdotted
It seems pretty obvious to me, the "fuckyou" password people KNEW about the phishing attempt, and that's why they typed in "fuckyou"
If I ever encounter anything like that, that looks a little phishy, you always test the waters by sending a fake "fuckyou" password through and seeing what happens..
but yours is eight...
"My password for the site has no number in it."
Most interesting to me is that despite most of the passwords being decent it makes not a lick of difference in these people being phished. Once again, being sharp and understanding of the big picture is more important than following any isolated rule about security. Good luck getting that out to the masses, though :)
Cheers.
i remember when somebody on the ytmnd irc channel passed out a list of 45 thousand myspace accounts+passwords
The author is saying that a 20 character all lower-case password is no better than a 5 character password that has both upper and lower case characters. That is just plain wrong.
What other significant fallacies are there in the article?
He has "found" 20,000 passwords and wanted to help the people to choose better ones?
I envy him.
I wanted to be a guy like him.
He's my idol.
I use the same password for all 25 of my MySpace accounts whether it is one of my teen male accounts, my horny 18 year female accounts, or one of my faux celebrity pages, so don't be surprised if "teenlover" scores high on password frequency...
Really? Does password strength on a myspace account actually matter? Do we even know how Myspace stores passwords, and if it uses a hash?
What I'm trying to say is, there are 4 ways to get somebody's password. 1: Physically (whether they wrote it down or torture), 2: guessing, 3: phishing, or 4: cracking. 1 and 3 don't matter how complex your password is, and 2 is impossible if your password is even relatively complex. So let's examine 4, cracking the hash. Of course, they would need to obtain the hash, so they would have to crack/break into the Myspace servers. Of course, when they're there, they would be idiots if they only stole one password, as it would be a waste of time/money/pseudo criminal behavior. So, crackers steal say, 8 billion myspace accounts (roughly 1/2 of the myspace community). What happens? We get a digg/slashdot story telling us of this, you go change your password, and everyone's happy. Oh, and cracking thousands of 6 character lower case/numeric passwords would still take a fucking eternity.
I moved back home to a small country after living abroad for a few years. One of the first things I did was to fix my Internet bank (I had one which I had never used). So I went to the bank to fix the password and the banker asked me to tell her the password so she could fill in a form. At this point my alarm went off but she told me this was the only way and I could always change it after I logged in so I played along. So I started telling her some default password (note: this is not my password - nice try) Me: "Capital 'A' ..."
Banker: "You should probably know that the passwords aren't case sensitive."
Me (thinking): "What? Note to self... complain! Until then use special characters!"
Me: "All right then... 'a' '/'"
Banker: "Sorry we can't use special characters."
I became so angry. Now I won't tell you which bank it is (don't want you hacking into my account). But I complained and now they provide a service which sends a five digit number to my mobile phone but I am still angry with the bank (which ironically is now the best security provided by a bank in my country).
My point is: It's not always with the users, it may be with the designers where the problem lies!
Is *******. That way I can always see what I'm typing.
I may be flamed for this, but I'm noticing more and more of the articles here were first posted on Digg by several days. This article is a popular one over there.
It's a girl!
He came up with a rating scheme from 1 to 4, where 4 is the "best" password. And he says "I consider strength two fine for a myspace account." Very good point: Not all websites need the same level of password strength.
My personal pet peeve is websites that probably only require a 2 or 3 (on his scale) but demand strength 99. For example, forum sites that reject passwords that my bank would consider good enough.
My plea to anyone reading this who develops websites: The strength of the password only has to match the importance of the information that it's protecting.
Thus endeth my rant.
Perhaps there would be MySpacers writing on message boards about how stupid all Slashdot users were for their poor fashion sense.
not dressing emo != poor fashion sense
Stop Computers/Cars Analogies on S
Seven characters is not 'decent.' I don't know how MySpace stores their passwords, but I can brute force a raw MD5 hash 7 chars a-zA-Z0-9 in less than five days on my single, three year old desktop. If they're using a salt, and, ideally, anything with better complexity than MD5, then that would be obscenely more difficult. Of course, this is in the instance of an offline attack, but, funnily enough, the article writer didn't even seem to consider an offline attack. However, no matter what the length of these passwords may be, they are largely based upon dictionary words, and that would make any cracking attempt (rainbow table, normal dictionary, hashed or not hashed) significantly easier. While I use a weaker password for my MySpace account (because I hardly value it), for sites of any amount of importance, I use a minimum of 9 chars a-zA-Z0-9. Password complexity does not entail the use of odd characters; length is what makes a password threatening to an attacker - again, though, that also boils down to whether you're using a salt, and what the complexity of the hash function is. Assuming you use a salted hash that's worth its.. salt.., such as bcrypt, then a-zA-Z0-9 / 9 chars is a behemoth of a password (for most). Setting up a small cluster at my home, I could, theoretically (based on my MDCrack numbers), crack an 8 char a-zA-Z0-9 in just under half of a year. Nine characters makes this astronomically more difficult (okay, 62 times more--but it's astronomically significant in comparison to actual CPU hours spent). It must be understood, though, that this level of password complexity is *probably not good enough* for your bank or anything of an insubordinate amount of significance to you.
Consider that, scaling upward to 131072 based on the specifications of my own comparison desktop (and this isn't a very accurate assessment, but we'll assume that the margin of error is insignificant in the face of money thrown at the problem), BlueGene/L could crack my 9 char a-zA-Z0-9 password in less than four hours. Given that supercomputers are increasing in capability at a pretty impressive rate, it could be said that passwords are probably just an outdated authentication mechanism, but, since password complexity can't keep up with computing power, then (if passwords are necessary) a hash function with variable complexity should be considered (see bcrypt, again). This solves the part of the problem pertaining to offline attacks, and, while online attacks are usually impractical, it would be easier still to crack such a password online--with the assumption that the administrators of the web application are completely retarded (and, in the event of MySpace, I don't doubt that is probable). But, again, there seems to be a very common misconception about how much 'length' translates into strength. I'm sorry, but the 8 char rule is simply ancient. Nine characters won't suffice. I regularly use 15-20 character passwords, and, contrary to what most people say, I have absolutely no problems remembering them. Maybe I just have a knack for remembering things like that (I've been using computers and the obscure passwords that seem to go along with them for ages), but I don't think it's much of a stretch to require an ordinary 'luser' to conjure up the memory capacity for such an astonishingly large password. Passphrases could even be considered as an alternative. So, in the end, your MySpace account probably isn't that important, but, nevertheless, anyone who wants to get into it can. You should consider larger passwords or pass phrases for your bank. You should encourage (educate?) them to enact proper security measures, and dissuade them from using such asinine password policies as the ones most banks do (mine, for one). My bank actually requires a minimum of 8 chars for the username, coupled with a minimum of 6 chars for the password, and a maximum of 8, or something similarly absurd. That doesn't even make any sense. It's harder to crack my username than it is my password. I guess, then, it wouldn't hurt to consider mentally rev
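Two storage designs discussed in this thread, side by side, as an added Python example (not code from the thread or from MySpace). The weak one is what an earlier commenter inferred from being able to log in with any case variation: a plaintext record compared case-insensitively, which both hands the password to anyone who reads the database and folds the 52 letters down to 26 for a guesser. The hardened one follows the comment above: a fresh random salt per record and a hash whose cost is a tunable parameter. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here, and the iteration count is an assumed value.

```python
"""Weak versus salted, slow-hashed password storage.

Added example, not code from the thread. hashlib.pbkdf2_hmac is used in
place of bcrypt; ITERATIONS is an assumed work factor.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware speeds up


# ---- weak scheme: plaintext record, case-folded comparison ----
def weak_store(password: str) -> str:
    """Keeps the password as typed; a database read reveals it outright."""
    return password


def weak_verify(stored: str, attempt: str) -> bool:
    """Case-insensitive compare: 'Secret1' and 'sECRET1' both log in."""
    return stored.lower() == attempt.lower()


def case_folded_keyspace(length: int):
    """Search space for a-zA-Z0-9 of this length before and after the
    case-insensitive compare merges upper and lower case (62 -> 36 symbols)."""
    return 62 ** length, 36 ** length


# ---- hardened scheme: per-record salt, tunable iteration count ----
def hardened_store(password: str, iterations: int = ITERATIONS) -> dict:
    """Returns the record to persist: salt, cost and derived key, all needed
    to verify later. The salt is fresh per record, so two users with the
    same password get different hashes and a precomputed table is useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def hardened_verify(record: dict, attempt: str) -> bool:
    """Re-derives the key with the stored salt and cost; the cost lives in
    the record, so old entries keep working after ITERATIONS is raised."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    print("weak, wrong case accepted:", weak_verify(weak_store("Secret1"), "sECRET1"))
    rec = hardened_store("Secret1")
    print("hardened, exact:", hardened_verify(rec, "Secret1"))
    print("hardened, wrong case:", hardened_verify(rec, "sECRET1"))
    print("7-char space before/after case folding:", case_folded_keyspace(7))
```

Storing the iteration count with each record is what makes the "variable complexity" in the comment practical: the cost can be raised for new records without invalidating old ones, and a record with a stale cost can be rehashed the next time its owner logs in.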
Maybe the author did find the 20,000 passwords, I am guessing most are not MySpace passwords. Myspace requires a number or non-alpha character in the password, but the article lists many that are all alpha.
these folks were stupid enough to give login, passwords to a phishing site.
not exactly rocket scientists
That's the comment id.
Didn't this blogger commit a computer crime (at least in the US) by downloading the password file?
Spent some time putting some ads on the site.
-Michael, AKA Frankie.
But, what about the cross section of people who get spam telling them to enter their MySpace username/password? Per TFA, the author does not have a MySpace account. (Nor do I, but I don't know if I've gotten this spam or not.)
For safety, use the brute force technique, which is to use characters like &,$,%,@,*,+ etc.
'So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!'
Never ever use an English word as a password... it has very low strength; even if you include numbers with it, it still does not increase the strength.. use random characters as your password... even though they are hard to memorize..
Mainly because so many people pick "common" passwords. If the phrase or word is long enough, the subs should be harmless, especially if lower and upper case are alternated. In general, the longer the password, the better it is. There's also a tip that we should insert any symbol into our password..
Try taking a look @ http://tehpost.blogspot.com/2006/09/myspace-phishing-scam.html/
p/s: Make sure you truly logout after logon to myspace..peace..