Analyzing 20,000 MySpace Passwords

Rub3X writes "Author found 20 thousand MySpace passwords on a phishing site and did some tests on them. They were tested for strength, length and a number of other things. Also tested was the most popular password, and the most popular email service used when registering for myspace."

Slashdotted.

[Ashe+Tyrael]

Slashdotted before we even being. CPU quota exceeded.

Re:Slashdotted.

It works fine for me. Post your Slashdot password and someone will login and check that your account isn't broken.

Thanks,

Slashdot Admin

Re:Slashdotted.

[Stephan202]

I made a copy, with images: http://student.science.uva.nl/~sschroev/junk/myspa ce.html
(If the server does not manage I will remove the page)

Re:Slashdotted.

[kripkenstein]

Slashdotted [...] CPU quota exceeded.

Indeed. Yet, just by reading the summary, I can tell it would have been a juicy article:

They were tested for strength, length and a number of other things.

Circumference? Growth ratio?

Re:Slashdotted.

[tomhudson]

How did you get the combination of my luggage?

Re:Slashdotted.

username: CmdrTaco
password: DiggFTW

TIA!

Re:Slashdotted.

[Mateo_LeFou]

My password is: "admin". Thanks for looking into this. (Username is also "admin")

Re:Slashdotted.

[sekunder]

don't forget endurance (:

Re:Slashdotted.

[CodemasterMM]

Amazing! We have the same combination of 1-2-3-4!

Re:Slashdotted.

[Cro+Magnon]

My password is ********

Site Slashdotted

[OverlordQ]

Site seems dead for know, but the Coral Cache got the text atleast.

Re:Site Slashdotted

[GotenXiao]

Oh, the irony. Bottom of the page:

Need a cheap host that can survive the Digg effect?

Links back to that guy's host XD

Re:Site Slashdotted

Need a cheap host that can survive the Digg effect?

Yes.. the Digg effect, not the slashdot effect ;)

Re:Site Slashdotted

[jZnat]

I guess that proves that being slashdotted is far worse than the digg effect. We have way more users! :D

Author should have...

[10sball]

spent some of that time analyzing the strength of his hosting plan

666 - myname

[vrta]

Most common passwords used:
13 - cookie123
12 - iloveyou
12 - password
11 - abc123
11 - fuckyou
11 - miss4you

Re:666 - myname

[BadAnalogyGuy]

That's amazing! I've got the same password on my luggage!

Re:666 - myname

[rednip]

Most common passwords used:

Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher.

Re:666 - myname

[Deltaspectre]

Pf, that can't be right, everyone knows the most common passwords are:

God
Sex
Love
and Secret

Re:666 - myname

[timeOday]

I have to wonder how many of those top passwords were just the same person repeatedly trying without success to get into a fake site?

Re:666 - myname

[Tanktalus]

It depends on how smart the phisher is. If they take the password then redirect to the real MySpace account (to avoid arousing suspicions among even the gullable) where they can try again, there won't be many second-tries.

If I were of low enough moral character to phish, that'd be what I'd do, anyway.

Re:666 - myname

[Anne_Nonymous]

Interesting. It's only three steps from "I love you to" "Fuck you". That sounds about right.

Re:666 - myname

[jZnat]

You could phish for research purposes...

Re:666 - myname

[sumdumass]

Maybe it was actualy one person trying to cyber squat on 20 thousand myspace names in hopes that one day they would be worth something. he has a bot that auto answers email about them and logs into the site to give them a tour of thier prospective cyber home.

Re:666 - myname

[hkgroove]

"iloveyou"

Damn! Tiger Tanaka has now been compromised! Must alert MI6.

Re:666 - myname

Would that be 'catch and release'?

Re:666 - myname

[ePhil_One]

While I doubt MySpace is using such a service, as a former employee of a firm that did a lot of anti-phising work, we used to identify phishing emails and send the URL's to other companies that specialized in flooding the site with bogus addresses while attempting to tie the site up and DOS just that port/virtual server. So its entirely possible the data being analized is largely bogus. Given that one of the most popular passwords was "fuckyou", I suspect there's at least a vigilante effect going on here...

Re:666 - myname

[NiroZ]

And also, this scam could be targeting certain email domains over others, which means that the email graph is worthless.

Re:666 - myname

[syousef]

1 - Ponies!

Re:666 - myname

[074322]

Never ever use english word as a password...it has very low strength even you include numbers with it, it still not increase the strength.. use random characters with as your password...eventhough hard to memorize..

Re:666 - myname

[TT074307]

I agree with you. Most of the users are using very common password. Their passwords are very easily cracked by crackers sometimes because of their weak password. User's must be aware and careful with the crackers. The users should bear few things in their mind before they create a password. First - The user must make sure that the password doesn't mean anything in any language and cannot be found in any dictionary. Second - The user also should NEVER use blank password. Most of people are using this password because they think it is very safe. Actually it is not. Crackers just can crack this password within few minutes. Crackers are very smart then we thought after all. Third - The user should not use NO NAME as their password. This pasword is already in the diary of a cracker. SO do not ever try to use no name as password. Fourth - Please keep your passwords as secret as possible. Passwords should not be revealed to anyone. There are so many people out there with malicious intention. We never know how bad they can behave. Do not trust anyone. Do not give out your passwords. Fifth - Users should not use vulnerable passwords. Use different type of keys from your keyboard such as $, *, and %. Using these kind of signs together random numbers and alphabets will confuse and frustrate the cracker. Please do create and use a strong password for security. If all the people aware of the tips above, maybe cracker's malicios act will be stopped. I hope the tips above will be useful for the users.

Re:666 - myname

[sii074306]

How come my password be the one of the most common password used founded by you 'abc123'

Re:Already Unreachable

Mirrordot http://www.mirrordot.org/stories/65dbc3fb38c8508be da018cb179a7607/index.html

Interesting analysis, but...

[SilentChris]

It's a fairly interesting (if not too detailed) analysis. A commenter makes a critical observation, though: these were passwords entered at the phishing site, not MySpace. As such, some people can easily recognize it's not the original site and add such gems as "fuckyou".

Personally, I try to fit the following in every eBay phishing page I see:

Field 1: "just who do you think you're kidding?"
Field 2: "better luck next time, dolt."

Re:Interesting analysis, but...

[Daytona955i]

Also people who have stronger password probably would recognize it as a phishing site so the data is pretty much worthless. Also how many people went to the phising site, it's probably a small percentage of users.

While the data is interesting, it really can't be used to determine anything other than the fact that some users have lame passwords.

Re:Interesting analysis, but...

[zlogic]

Hehe...
When I'm asked to enter a credit card number, I usually enter my real one. It only works in Russia, there's no money on it (and the only reason I got it was because it was free) but the bastards may be charged with CC fraud. Hell, I think there are more carders in Russia than legitimate CC owners :-)

Re:Interesting analysis, but...

[setirw]

Also people who have stronger password probably would recognize it as a phishing site so the data is pretty much worthless.

Which excludes 1% of MySpace users, a negligible figure. The data is pretty accurate.

Re:Interesting analysis, but...

[edschurr]

True, although I actually used a long variant of fuckyou for my Windows admin password (I figure Windows is screwed against local attacks and I had its services down and firewalls up).

Re:Interesting analysis, but...

[TheCarp]

ha! true. Or at least people who know how to use a strong password.

Personally, the passowrd that I us for free websites like slashdot and myspace (actually, I am not on myspace anymore, I closed the account because it was worthless at best and didn't like the idea of having my social netowork available publically)
is weak as shit.

Seriously, my unix boxes get strong passwords. My work accounts get strong passwords. Websites? Get a dictionary word that I picked at random 10 years ago. If i particularly think I want a stronger one on a site, then its a permutation of a dictionary word that I picked 8 years ago with a number at the end.

If its a box I care about, it often looks more like line noise (for those who have actually seen line noise)

-Steve

Re:Interesting analysis, but...

[jZnat]

So you generate a random number, encrypt that using your own throwaway key-pair (or one-time pad), and use the base64 output as your password? Actually, that'd be a good idea...

Re:Interesting analysis, but...

[TheCarp]

Nope, I actually use a mnemonic system to hel me remeber them

Its funny how often I have to give someone "the stare" when they ask "whats your password"... but truth is, I couldn't even rattle it off if I tried. I learn the mnemonic and the muscle memory of typing it, but I don't know it character by character.

I have to sit down for a sec and go over the mnemonic to remeber the individual chars.

-Steve

Passwords from hacker site = biased.

[Vo0k]

Say, 10% of passwords contained on a site was obtained using a dictionary attack. Then perform analysis on these password. Conclusion that basing on statistically significant number of passwords (10%, >10000) almost 100% of passwords on the site are vulnerable to dictionary attack is simply wrong - the sample was biased.
Similar about phishing-originated passwords. Phishing is a result of bad practices on user side, and usually clicking attachments in spam, using insecure browser and no antivirus is connected with using poor quality passwords. The results WILL show worse quality of user passwords than real simply because the passwords originate from subset of users who know less of security in general (and as result, got hacked.)

Re:Passwords from hacker site = biased.

[pangu]

This is Myspace we're talking about. How many of their users can come up with a password that's not in the dictionary?

Re:Passwords from hacker site = biased.

[enharmonix]

This is Myspace we're talking about. How many of their users know what a dictionary is?

Re:Passwords from hacker site = biased.

[hashinclude]

Given the number of people on MySpace who can spell properly, I would say quite a large proportion ;)

Re:Passwords from hacker site = biased.

[krunk4ever]

then this study can show the correlation between dumb users and strong passwords. as one might expect, the correlation's rather negative.

Re:Passwords from hacker site = biased.

[GrievousMistake]

Results 1 - 10 of about 365 from myspace.com for propely.
Results 1 - 10 of about 72 from myspace.com for poperly.
Results 1 - 10 of about 44 from myspace.com for proprely.
Results 1 - 10 of about 22 from myspace.com for propelry. ... Heh.

Re:Passwords from hacker site = biased.

[amir074323]

Just out of curiosity how many people here have actually been hacked?? I see all the emphasis on security and passwords but what do we have that a hacker would really want to spend the time trying to figure out a 14 character password?? I could see maybe a bank, business, etc, but the normal person on MYSPACE?? Seems like a big waste of good hacking time to me!!!

Flawed

[schabot]

The analysis is flawed as a general indicator of MySpace passwords because it is only a subset of people who would actually fall for phishing attacks. Of course such people will have horrible password habits

Now, I am changing my password to cookie321, no one will see that coming.

Re:Flawed

[setirw]

Then again, how many MySpace users wouldn't fall for a phishing scheme? :)

It's probably pretty accurate.

Re:Flawed

[tomhudson]

"Now, I am changing my password to cookie321, no one will see that coming."

No, no - you have to change it to "wookie321". The glove won't fit, and Endor something or other ...

Seriously, who even cares about the passwords to myspace. The "numeric strength" so-called "analysis" was screwed up. Since myspace requires a number in the password, a lot of people put their name and a digit or two after it as their account password. They also sometimes screw up their email address info, which is how you can end up suddenly "p0wning" someone else's myspace account (and how the #@%^$ am I supposed to contact them and tell them - "Hey, you have a typo in your email address - I'm getting all these stupid "'I heart cats' would like to be added as one of your friends" messages ...

Yes, its a valid account. but since they changed their email info (must be one letter off from mine or something) they have no way of changing it back ... and I don't know what their email address is.

Re:Flawed

[NexFlamma]

Agreed. One would have to assume that there would be a high likelyhood that people who would fall for a phishing attack would be the same kinds of people who are uneducated about internet security, hence, strong password usage.

Not only that, but in selecting Myspace to study strength of passwords, you're going to come to the conclusion that everyone on the planet is a moron. It would be like judging the intelligence of the average person by giving IQ tests during American Idol.

Re:Flawed

[Tony+Hoyle]

The IQ of the average person is 100, by definition..

The scary thought is that 50% of the population are more stupid than that (and 100 is no rocket scientist - I find I notice the stupidity below the mid 120's.. it makes it hard to have a decent conversation when the other side is a monosyllabic moron..).

Re:Flawed

[senatorpjt]

Then again, why would anyone bother using a strong password on MySpace? I generally use the same weak, easy to remember password on EVERY website. I don't want to remember 10,000 passwords for every site that requires registration. Sure, I use strong, unique passwords for bank accounts and whatnot, but I'm not really concerned about someone stealing my MySpace password and changing my profile.

Re:Flawed

[GC]

Whether "50% of the population are more stupid than that" depends on whether average is defined as median or mean. It's probably close, but then you also need to define what "population" means.

Re:Flawed

[Zapman]

This is what it is. It's an analysis of passwords, obtained by a script kiddie's phishing site. The author makes no claims to 'analysing the strength of every myspace password' or some such. All the information you need to analyze his results are right there.

He didn't 'choose' to study this... the data fell into his hands, and he offered analysis.

This is a great little 'news for nerds' thing. The author says he has this data, he's smart enough not to publish it (just the analysis), he gives some interesting results from raw analysis of the 'data'. Take the story for what it is: Sunday morning on Slashdot.

Re:Flawed

[tomhudson]

My point was (if you had read the article) that his claim that he was able to measure the strength of the passwords was flawed. There were passwords that myspace couldn't have accepted as valid passwords because they require at least one digit (so "fuckyou" couldn't have been a password).

The "known bad" data should have been dropped immediately.

Re:Flawed

[phoenix.bam!]

And then what? Twiddle his thumb? Commission a new phishing scam? It was something to do for this guy which is interesting.

  Myspace only recently started to require stronger passwords. My password for the site has no number in it.

Re:Flawed

[dubonbacon]

and how the #@%^$ am I supposed to contact them and tell them - "Hey, you have a typo in your email address - I'm getting all these stupid "'I heart cats' would like to be added as one of your friends" messages ..
Change their password. delete the account. They had it for only a couple of days anyway if you get their "welcome to myspace" email. They'll just create another one.

Re:Flawed

[tomhudson]

No - this account has been around for quite some time. They just changed their email address, and somehow mixed up some letters, and it ended up going to one of my accounts. For now, I'm just ignoring it. What else is there to do, really. Its just someone's myspace account, and hopefully they've created another one, and the old one will die from being ignored.

If I were the nosy type, I might have snooped through the account and find some personal detail or other that would let me identify the person, but that doesn't feel right.

Re:Flawed

[speculatrix]

They also sometimes screw up their email address info

I have my own domain in .co.uk for which there are some very similar domains in .gov.uk, .ac.uk, and various similar spellings in .co.uk.

I get very fed up with mis-directed emails, and it's quite obvious that many websites don't do any kind of validation before signing people up to mailing lists. The best/worst one recently was from Amazon, and I would have been able to order things using the credit card that someone saved in their account details!!

The best thing to do, if possible, is set their email address to "root@localhost", or "support@" or "postmaster@" if that doesn't work. I used to get pleasure in changing their name to "Complete Loser", so if their username still worked they'd quickly realise someone else had their username/pass... but I got bored of that...

Re:Flawed

[john83]

You also need to remember that having a relatively low IQ doesn't make someone a moron. IQ tests aren't the be all and end all of intelligence. I've a fairly high IQ before anyone thinks I'm saying this out of self-interest!

Email Passwrod

[lobsterGun]

It would be interesting to see how many of the names in that list use the same password for MySpace account as they do in their email account.

mirror

[winkydink]

http://www.networkmirror.com/pMNGiaubQFpIgJLX/cybe r-knowledge.net/blog/2006/09/16/analyzing-20000-my space-passwords/index.html

MirrorDot shows the graphs...

[wo1verin3]

http://www.mirrordot.org/stories/65dbc3fb38c8508be da018cb179a7607/index.html

Who cares about myspace password strength?

[smkndrkn]

I have a few "sets" of passwords that I use. Basically it goes like this:

1) Online banking - Very complex ( as complex as my banking site will allow that is ) / Important work related passwords
2) Unimportant work related passwords (Such as the log in to view the cacti graphs for example) / Public websites that require a password and I care a little bit about
3) Public websites I could give a rats ass about having broken into. Myspace would be listed here. So would my slashdot account.

So my point is just because people use crappy passwords for myspace doesn't nesasarily mean they don't have a clue......but being caught by phishers does. ;)

Re:Who cares about myspace password strength?

[senatorpjt]

Why would it matter? If your karma is Excellent, you probably haven't pissed off anyone to make them want to ruin your karma or reputation. If your karma already sucks, what difference does it make?

Re:Who cares about myspace password strength?

[klenwell]

Warning: website plug (but relevant to the point here)

I use a similar tiered strategy but would still get an uneasy feeling whenever I used a predictable or common password. So now for "public websites I could give a rats ass about having broken into," I use mushpup, which is just a modified SHA-1 hashing function, but allows you to get a secure password wherever you have web access and recover it easily next time you need it.

mushpup suggests a password strategy similar to the parent post:

http://mushpup.org/wiki/wikka.php?wakka=Passwords

(Also, if you fell for a phishing attack on one site, all of your other online accounts wouldn't instantly be compromised.)

Re:How did that happen

[Nimloth]

Sorry, you have to have a six digit UID to know what phishing means.

Almost

[benhocking]

"Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher" - or by people pretending to be MySpace users when targeted by a phisher - or by people giving a bogus password when targeted by a phisher.

Re:Almost

[flooey]

"Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher" - or by people pretending to be MySpace users when targeted by a phisher - or by people giving a bogus password when targeted by a phisher.

I'd imagine that's why fuckyou is up there so high. I sort of assume that's a message to the phisher rather than a real password.

Re:Almost

[tsq]

I don't know; fuck_you was my stock password for forums/throwaway accounts for quite a while.

Re:Almost

[Shiny+One]

I'm gonna go out on a limb here and say that the cross section of MySpace users that would fall for a phishing scam would be a fairly accurate representative sample of all MySpace users.

Re:Almost

[LHorstman]

I have two friends that used fuckyou as a password for everything. For places requiring 8-12 characters the choice was almost always fuckyoubitch or fuckyouass. They came up with these ingenious passwords independently. Why these? I think it's just easy for them to remember as they are the most popular words in their vocabularies.

Re:Almost

[jonadab]

> I'd imagine that's why fuckyou is up there so high. I sort of assume
> that's a message to the phisher rather than a real password.

Actually, it's a _very_ common password (right up there with "asdfgh" and "mickey") on systems that expire the user's password and require it to be changed periodically. (I have no idea whether the service in question does that, though.) Also "stupid", for the same reason.

strong passwords?

[nephridium]

Most common passwords used:

13 - cookie123
12 - iloveyou
12 - password
11 - abc123
11 - fuckyou
11 - miss4you
9 - password19
9 - clumsy
8 - sassy
8 - summer06
8 - pablobob
8 - boobie
8 - fuckyou1
8 - iloveyou1
8 - tink69
8 - password1
7 - gospel
7 - terrete
7 - monster7
7 - marlboro1
7 - bitch1
7 - flower
7 - space

Summary:

While the passwords weren't the best, they weren't exactly terrible. [...]

According to TFA it seems most passwords used on myspace are made up of dictionary words (mostly lower case) and a numeric suffix (usually <4 digits). Imho such a password does look horrible, especially after seeing how important some of the myspace pages seem to be for certain people.

Due Diligence

[bigattichouse]

Due diligence would have him write a script to check which user/pass combinations were valid, and then analyze only those.

Re:Due Diligence

[jandrese]

Honestly, most of these pishing operations that I've seen are real lowbrow affairs. Proper engineering isn't exactly a common feature. Most of the time they don't care if 50% of the passwords (or more) don't work, all they need are a few hits to get what they need.

Re:Due Diligence

[TubeSteak]

Due diligence would have him write a script to check which user/pass combinations were valid

I think we would call that "unauthorized access"

Methinks most people would know enough to avoid publicly admitting to testing those l/p's.

Re:Due Diligence

[MadMidnightBomber]

Due diligence would have him write a script to check which user/pass combinations were valid, and then analyze only those.

That could be construed as unauthorised access to a computer system in most jurisdictions. I can understand why they didn't try it.

Re:Due Diligence

[Firehed]

Well, yeah, if you're phishing for bank account info. What the hell is to be gained by hijacking MySpace accounts?

Re:Due Diligence

[kevlarman]

you can offer to remove all the annoying backgrounds, music, movies, and spyware from the profiles of the stolen accounts, and threaten to put up even more of them if they don't pay up. it might work even better than stealing bank accounts

Look! I stole your identity

best change your policy on your slashdot account now, or expect to see bogus postings in your name!! ;-)

I think you should take the same advise. I just stole your account and now I'm posting as you Mr. Coward.....HAHAHAHA!

There really is no excuse for this.

[emil]

There are publicly-available tools to prevent weak passwords from being used in the first place. OpenBSD has something, and I've compiled the library below and used it to protect ancient Oracle 7 accounts on HP-UX 10.20.

$ rpm -qi cracklib
Name : cracklib Relocations: (not relocatable)
Version : 2.7 Vendor: CentOS
Release : 29 Build Date: Mon 21 Feb 2005 01:54:42 PM CST
Install Date: Mon 12 Dec 2005 06:18:57 PM CST Build Host: build2.hughesjr.centos.org
Group : System Environment/Libraries Source RPM: cracklib-2.7-29.src.rpmSize : 46398 License: Artistic
Signature : DSA/SHA1, Sat 26 Feb 2005 02:32:53 PM CST, Key ID a53d0bab443e1821Packager : Johnny Hughes <johnny@centos.org>
URL : http://www.crypticide.org/users/alecm/
Summary : A password-checking library.
Description :
CrackLib tests passwords to determine whether they match certain
security-oriented characteristics, with the purpose of stopping users
from choosing passwords that are easy to guess. CrackLib performs
several tests on passwords: it tries to generate words from a username
and gecos entry and checks those words against the password; it checks
for simplistic patterns in passwords; and it checks for the password
in a dictionary.

CrackLib is actually a library containing a particular C function
which is used to check the password, as well as other C
functions. CrackLib is not a replacement for a passwd program; it must
be used in conjunction with an existing passwd program.

Install the cracklib package if you need a program to check users'
passwords to see if they are at least minimally secure. If you install
CrackLib, you will also want to install the cracklib-dicts package.

Re:There really is no excuse for this.

[jZnat]

And you can use it with PHP to boot.

Easy

[Snipergrunge]

There are a lot of people who don't know or don't care..... If you open a website with registration with asking e-mail and new password. Thousands of people will give you their e-mail and they will pick the same password for your website as their e-mail password. :)

This 'paper' doesn't give MySpace haters much ammo

[erikwestlund]

I almost sense a disappointment that MySpace users didn't come out looking stupider. Give the MySpace users a break! Their computer illiteracy is made painfully clear, but imagine if Slashdot had a comparable way to highlight its posters social illiteracy. Perhaps there would be MySpacers writing on message boards about how stupid all Slashdot users were for their poor fashion sense. Yes, that would be stupid, but comparably as stupid as the blind, generalizing hate for MySpace users that is prevalent here.

How to get a password

1. Put up a site that claims to have tens of thousands of passwords up.
2. Post news on Slashdot.
3. Users go to site, and SEARCH for their password. Hacker now has REAL passwords thanks to the searches.

Re:How to get a password

[HatchedEggs]

How would they actually go about pairing a password to a login then?

Re:How to get a password

[teslar]

I'd be interested in seeing how you would log the searches done using the browser search function as opposed to a hypothetical search box on the website?

Re:How to get a password

[maxwell+demon]

Add a form to your web site:

See if your password was broken, too. Just enter your login data here for searching.
Login: _____________
Password: _____________
[Submit]

strong passwords

[DigitalLifeForm]

There was an MIT study claiming that the strength of passwords was affected by length alone. Because of brute force cracking, the longer the password, the longer it took to break. Consider the three character password where I allowed only numbers, and upper and lower case letters. Each position in the password would have 10 + 26 + 26 = 62 possibilities. A three letter password would have 62 * 62 * 62 combinations. Now, if I required "strength" by requiring the use of a letter, and both upper and lower case, I now have only 10 * 26 * 26 combinations. Requiring "strength" always reduces the set of possible combinations for the password.

Re:strong passwords

[nobodynoone]

Yes, but in the instance of bruteforce, it is all about PERCIEVED strength, in which case the bruteforce attack must include numbers as well as letters, increasing possible combinations from the attack side to 36*36*36. So while the ACTUAL combinations may drop, the POSSIBLE combinations increase.

Re:strong passwords

[vidarh]

The worst case (from a hackers point of view) time to crack a password is reduced if passwords are forced to be "good", assuming the attacker knows the rules (or an approximation) that the users are required to follow.

However the reason "strong" passwords are generally still better is that a large portion of users pick bad passwords if they are not reminded or forced to pick good ones. That leads to a situation where the space of likely passwords is still dramatically smaller than the total space of possible passwords, and adding rules to a password cracker to try a set of common rules first (such as permutations of dictionary words) before resorting to brute force checking all remaining combinations is straightforward.

Re:strong passwords

[mrcaseyj]

The probability calculation is flawed. Although restricting the choices of passwords reduces the number of possibilities it doesn't reduce them all that much. A three character password with an upper, a lower, and a digit, isn't 10*26*26 possibilities. The first char can be any of 62. The next char can be any of at least 36 but could be any of 52 if the first char was a digit. The last char could be any of at least 10. Thus the correct calculation is at LEAST 62*36*10 but is actually more.

More importantly, as you add more characters to the password you only add factors of 62 and you have just one factor of 36 and one of 10. So for an eight char password with at least one digit and one alternate case, you have at LEAST 62*62*62*62*62*62*36*10 possibilities.

Furthermore, attakers never start with a brute force attack except with trivially short passwords. They start with a dictionary attack. Hacker dictionaries contain not just the dictionary but millions of passwords that other people have used. Before they do a full on brute force attack, they do an all lower case brute force. They also try passwords with a beginning upper and ending in a number. Then chars with one number in between the chars. Combinations that include upper and lower and digits are about the last thing they try even if they resort to a full on brute force.

Since all passwords of just a few chars (maybe 8 or so) can be brute forced no matter what they contain, it would make no sense to require certain characters but not have a minimum password length. Just increase the minimum length by one and you've more than made up for any combinations lost to restrictions, while drastically reducing vulnerability to dictionary attacks.

Ironically enough...

[not-admin]

At the bottom of his article it has an add for:
'Need a cheap host that can survive the Digg effect?'

That links to his webhost... Guess it doesn't survive it very well, eh?

Re:Ironically enough...

[WilliamSChips]

It didn't survive the Slashdot effect. It only claims to survive the Digg effect.

Re:Ironically enough...

[Korin43]

Seems fine to me.. of course, it's been a couple hours, but if the server was on fire it wouldn't be back this soon..

trustno1

[illectro]

Recently while auditing user accounts this password turned up as one of the top 10 most common passwords - if you don't know, it's Fox Mulder's password in the X-Files. Passwords used in movies and tv are surprisingly common, 'joshua' is pretty common, and quite a few people use 'CPE1704TKS' proving that just because people remember detailed trivia from hacking movies they don't know what makes a good password.

Obvious password detector

[Animats]

Twenty-two years on, here's my obvous password detector. This is C source code I wrote in 1984. This simple piece of code will prevent the use of passwords that are English words, by requiring that the password have at least two sequences of three letters not found in the dictionary. The "dictionary" is compressed down to a big table of hex constants; it's a 27x27x27 array of bool, with a 1 for each triplet found in the UNIX dictionary. So the code is simple, self-contained, and does no I/O.

Put this in your password-change program and dictionary attacks stop working.

The code is a bit dated; this is original K&R C, not ANSI C.

I should do a Javascript version and give that out. The code is so small that it could easily be executed on user-side password pages.

Re:Obvious password detector

[God+of+Lemmings]

Right, but it prevents passphrases, which are easier to remember and reproduce accurately. Not to mention they can be fashioned to be much much stronger.

Any good detectors that support both out there?

I have to agree...

[RootWind]

When I'm bored, I look through my spam folder, and put fake data on the phishing websites. Is there any kind of program that automatically does it? Remember Blue Frog? What if there was a program that did the same for phishing websites.

Re:I have to agree...

[devilspgd]

It wouldn't do a ton of good since your average phisher has access to a ton of zombies they can verify a password list without triggering any IP:failedlookup ratio and banning themselves from the site.

Re:this password case not withstanding..

[gbickford]

IMHO grupus.com sucks.

Some knew about the phising

[DeadboltX]

It seems pretty obvious to me, the "fuckyou" password people KNEW about the phishing attempt, and thats why they typed in "fuckyou"

If I ever encounter anything like that, that looks a little phishy, you always test the waters by sending a fake "fuckyou" password through and seeing what happens..

Re:How did that happen

[ibjhb]

but yours is eight...

Password Strength

[localman]

Most interesting to me is that despite most of the passwords being decent it makes not a lick of difference in these people being phished. Once again, being sharp and understanding of the big picture is more important than following any isolated rule about security. Good luck getting that out to the masses, though :)

Cheers.

LOL good times

[kungfujesus]

i remember when somebody on the ytmnd irc channel passed out a list of 45 thousand myspace accounts+passwords

How good is the analysis?

[QuietLagoon]

When the author makes statements like, Character length means little if your passwords dont have upper and lower case letters.?

The author is saying that a 20 character all lower-case password is no better than a 5 character password that has both upper and lower case characters. That is just plain wrong.

What other significant fallacies are there in the article?

Re:How good is the analysis?

[iron-kurton]

Consider the most common password length, 7, according to the author.

Mixed case combinations: 52 ^ 7 = 1,028,071,702,528
Lower case combinations: 26 ^ 7 = 8,031,810,176

You would need 8.45 characters (rounded up to 9) to get the similar or better security with just lowercase than with upper and lower case. Of course, this is a logarithmic ratio, so it would grow the more characters you throw in the mix.

This, coupled with the fact that MySpace only allows up to 10 characters, I would say that while your criticism is valid in theory, his statement is correct in practice.

Re:How good is the analysis?

[QuietLagoon]

The author trieds to come across as an authority on security. He should have been more specific, and not leave his opinion open to such a wide interpretation.

My statement is not only valid in theory, it is also valid based upon the erronous information the author asserted.

What a great guy!

[asrail]

He have "found" 20,000 passwords and wanted to help the people to choose better ones?

I envy him.
I wanted to be a guy like him.

He's my idol.

One forgotten factor...

[haggie]

I use the same password for all 25 of my MySpace accounts whether it is one of my teen male accounts, my horny 18 year female accounts, or one of my faux celebrity pages, so don't be surprised if "teenlover" scores high on password frequency...

Does it matter?

[Fullhazard]

Really? Does password strength on a myspace account actually matter? Do we even know how Myspace stores passwords, and if it uses a hash?
        What i'm trying to say is, there are 4 ways to get somebody's password. 1: Physically (wether they wrote it down or torture), 2: guessing, 3: phishing, or 4: cracking. 1 and 3 don't matter how complex your password is, and 2 is impossible if your password is even reletivly complex. So let's examine 4, cracking the hash. Of course, they would need to obtain the hash, so they would have to crack/break into the Myspace servers. Of course, when they're there, they would be idiots if they only stole one password, as it would be a waste of time/money/psuedo criminal behavior. So, crackers steal say, 8 billion myspace accounts (roughly 1/2 of the myspace community). What happens? We get a digg/slashdot story telling us of this, you go change your password, and everyone's happy. Oh, and cracking thousands of 6 character lower case/numeric passwords would still take a fucking eternity.

...on the topic of passwords

[tryggvi]

I moved back home to a small country after living abroad for a few years. One of the first things I did was to fix my Internet bank (I had one which I had never used). So I went to the bank to fix the password and the banker asked me to give tell her the password so she could fill in a form. At this point my alarm went off but she told me this was the only way and I could always change it after I logged in so I played along. So I started telling her some default password (note: this is not my password - nice try) Me: "Capital 'A' ..." Banker: "You should probably know that the passwords aren't case sensitive." Me (thinking): What? Note to self... complain! until then use special characters!" Me: "All right then... 'a' '/'" "Banker: Sorry we can't use special characters." I became so angry. Now I won't tell you which bank it is (don't want you hacking into my account). But I complained and now they provide a service which sends a five digit number to my mobile phone but I am still angry with the bank (which ironically is now the best security provided by a bank in my country). My point is: It's not always with the users, it may be with the designers where the problem lies!

My password....

[CrazyTalk]

Is *******. That way I can always see what I'm typing.

One point deserves emphasis...

[dghcasp]

He came up with a rating scheme from 1 to 4, where 4 is the "best" password. And he says "I consider strength two fine for a myspace account." Very good point: Not all websites need the same level of password strength.

My personal pet peeve is websites that probably only require a 2 or 3 (on his scale) but demand strength 99. For example, forum sites that reject passwords that my bank would consider good enough.

Your password was rejected because it was only seven characters long, does not contain enough characters that are neither letters or numbers, and contains a substring that was found in a dictionary of Croation words. Plus, you used that password three years ago when we forced you to change it with our 30-day password aging policy.

My plea to anyone reading this who develops websites: The strength of the password only has to match the importance of the information that it's protecting.

Thus endeth my rant.

Re:One point deserves emphasis...

[cprior]

Yes, and I'd love to see the primary key on the email adress dropped, too! I mean, if trolls want a 2nd account, they'll invite themselves on gmail. On the other hand, if several usernames could share an email addy, the admin of the page could easily identify his users with a tad of shizophrenia...

Re:One point deserves emphasis...

[onefiddle]

Unless of course the user had only one password for all logins. In that case he better have a good one.

Re:I've been notiving a trend of sorts

[cloricus]

Slashdot and Digg are in a competition now? To be completely blunt I would consider them to be catering to completely different audiences who are interested in two different fields of computing where the only demographic that crosses over are the causal users. Slashdot has the more computer savvy groups and Digg has the gamer and script kiddie groups. Timing for articles can be considered a problem on /. for example a massive tsunami that killed over half a million in thirty minutes on boxing day two years ago took weeks to get a minor mention whereas Steve Erwin's death was up before most Australians knew about it. Then again it is the price we pay for having an editor based system and in one hand we can yell at them for prioritising the news and in the other we can yell at them for posting crap. Or we can ignore both hands as long as it is generally good and let them be.
 
My two cents.

Re:This 'paper' doesn't give MySpace haters much a

[kv9]

Perhaps there would be MySpacers writing on message boards about how stupid all Slashdot users were for their poor fashion sense.

not dressing emo != poor fashion sense

Re:I've been notiving a trend of sorts

[AriaStar]

I read both sites because I like the different articles on each. But lately many of the same articles are on both. I suspect people are seeing articles there and submitting them here. I'd like to see variety again.

Bad Data?

[edibobb]

Maybe the author did find the 20,000 passwords, I am guessing most are not MySpace passwords. Myspace requires a number or non-alpha character in the password, but the article lists many that are all alpha.

Searching the shortbus for the next Einstein

[f0dder]

these folks were stupid enough to give login, passwords to a phishing site.
not exactly rocket scientists

Re:How did that happen

[lachlan76]

That's the comment id.

illegal aquisition of password information

[bad-badtz-maru]

Didn't this blogger commit a computer crime (at least in the US) by downloading the password file?

Author should have...

[breakitdown]

Spent some time putting some ads on the site.

Won't dispute that

[benhocking]

But, what about the cross section of people who get spam telling them to enter their MySpace username/password? Per TFA, the author does not have a MySpace account. (Nor do I, but I don't know if I've gotten this spam or not.)

Re:I've been notiving a trend of sorts

[Dephex+Twin]

In my experience, usually if either site gets an article before the other, it will be at Digg first. However, I am always glad when an interesting article I read at Digg shows up later on Slashdot, because that means I know I will get some great comments and interesting threads.

password

[pk075843]

for safety used brute force techinque
which is use character like &,$,%,@,*,+ and etc..

12345...

[hey0you0guy]

'So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!'

Re:myname

[074322]

Never ever use english word as a password... it has very low strength even you include numbers with it, it still not increase the strength.. use random characters as your password... eventhough hard to memorize..

common password..what the hell they're thinking?

[amir074323]

Mainly because so many people pick "common" passwords. If the phrase or word is long enough, the subs should be harmless, especially if lower and upper case are alternated. In general, the longer the password, the better it is. There's also a tip that we should insert any symbol into our password..

Myspace phishing scam..

[amir074323]

try take a look @ http://tehpost.blogspot.com/2006/09/myspace-phishi ng-scam.html/ p/s: Make sure you truly logout after logon to myspace..peace..