Slashdot Mirror

← Back to Stories (view on slashdot.org)

Analyzing 20,000 MySpace Passwords

Posted by ryuzaki0 on from the thats-kinda-scary dept.

Rub3X writes "Author found 20 thousand MySpace passwords on a phishing site and did some tests on them. They were tested for strength, length and a number of other things. Also tested was the most popular password, and the most popular email service used when registering for myspace."

59 of 177 comments (clear)

  1. Author should have... by 10sball · · Score: 5, Funny

    spent some of that time analyzing the strength of his hosting plan

    --
    [place .sig here]
  2. 666 - myname by vrta · · Score: 5, Informative

    Most common passwords used:
    13 - cookie123
    12 - iloveyou
    12 - password
    11 - abc123
    11 - fuckyou
    11 - miss4you

    --
    Why don't sheep shrink when it rains?
    1. Re:666 - myname by BadAnalogyGuy · · Score: 3, Funny

      That's amazing! I've got the same password on my luggage!

    2. Re:666 - myname by rednip · · Score: 5, Insightful
      Most common passwords used:
      Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher.
      --
      The force that blew the Big Bang continues to accelerate.
    3. Re:666 - myname by Deltaspectre · · Score: 2, Funny

      Pf, that can't be right, everyone knows the most common passwords are:

      God
      Sex
      Love
      and Secret

      --
      My UID is prime... is yours?
    4. Re:666 - myname by Tanktalus · · Score: 4, Insightful

      It depends on how smart the phisher is. If they take the password then redirect to the real MySpace account (to avoid arousing suspicions among even the gullable) where they can try again, there won't be many second-tries.

      If I were of low enough moral character to phish, that'd be what I'd do, anyway.

    5. Re:666 - myname by Anne_Nonymous · · Score: 2, Funny

      Interesting. It's only three steps from "I love you to" "Fuck you". That sounds about right.

    6. Re:666 - myname by hkgroove · · Score: 2, Funny

      "iloveyou"

      Damn! Tiger Tanaka has now been compromised! Must alert MI6.

    7. Re:666 - myname by Anonymous Coward · · Score: 4, Funny

      Would that be 'catch and release'?

  3. Re:Already Unreachable by Anonymous Coward · · Score: 3, Informative

    Mirrordot http://www.mirrordot.org/stories/65dbc3fb38c8508be da018cb179a7607/index.html

  4. Interesting analysis, but... by SilentChris · · Score: 4, Insightful

    It's a fairly interesting (if not too detailed) analysis. A commenter makes a critical observation, though: these were passwords entered at the phishing site, not MySpace. As such, some people can easily recognize it's not the original site and add such gems as "fuckyou".

    Personally, I try to fit the following in every eBay phishing page I see:

    Field 1: "just who do you think you're kidding?"
    Field 2: "better luck next time, dolt."

    1. Re:Interesting analysis, but... by Daytona955i · · Score: 3, Interesting

      Also people who have stronger password probably would recognize it as a phishing site so the data is pretty much worthless. Also how many people went to the phising site, it's probably a small percentage of users.

      While the data is interesting, it really can't be used to determine anything other than the fact that some users have lame passwords.

    2. Re:Interesting analysis, but... by zlogic · · Score: 2, Funny

      Hehe...
      When I'm asked to enter a credit card number, I usually enter my real one. It only works in Russia, there's no money on it (and the only reason I got it was because it was free) but the bastards may be charged with CC fraud. Hell, I think there are more carders in Russia than legitimate CC owners :-)

    3. Re:Interesting analysis, but... by TheCarp · · Score: 2, Interesting

      Nope, I actually use a mnemonic system to hel me remeber them

      Its funny how often I have to give someone "the stare" when they ask "whats your password"... but truth is, I couldn't even rattle it off if I tried. I learn the mnemonic and the muscle memory of typing it, but I don't know it character by character.

      I have to sit down for a sec and go over the mnemonic to remeber the individual chars.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
  5. Passwords from hacker site = biased. by Vo0k · · Score: 5, Interesting

    Say, 10% of passwords contained on a site was obtained using a dictionary attack. Then perform analysis on these password. Conclusion that basing on statistically significant number of passwords (10%, >10000) almost 100% of passwords on the site are vulnerable to dictionary attack is simply wrong - the sample was biased.
    Similar about phishing-originated passwords. Phishing is a result of bad practices on user side, and usually clicking attachments in spam, using insecure browser and no antivirus is connected with using poor quality passwords. The results WILL show worse quality of user passwords than real simply because the passwords originate from subset of users who know less of security in general (and as result, got hacked.)

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
    1. Re:Passwords from hacker site = biased. by hashinclude · · Score: 3, Funny

      Given the number of people on MySpace who can spell properly, I would say quite a large proportion ;)

      --
      US is now divided as the "Red" and "blue" states. Red States = communist countries. Coincidence? I think not
  6. Flawed by schabot · · Score: 4, Insightful

    The analysis is flawed as a general indicator of MySpace passwords because it is only a subset of people who would actually fall for phishing attacks. Of course such people will have horrible password habits

    Now, I am changing my password to cookie321, no one will see that coming.

    1. Re:Flawed by tomhudson · · Score: 2, Informative

      "Now, I am changing my password to cookie321, no one will see that coming."

      No, no - you have to change it to "wookie321". The glove won't fit, and Endor something or other ...

      Seriously, who even cares about the passwords to myspace. The "numeric strength" so-called "analysis" was screwed up. Since myspace requires a number in the password, a lot of people put their name and a digit or two after it as their account password. They also sometimes screw up their email address info, which is how you can end up suddenly "p0wning" someone else's myspace account (and how the #@%^$ am I supposed to contact them and tell them - "Hey, you have a typo in your email address - I'm getting all these stupid "'I heart cats' would like to be added as one of your friends" messages ...

      Yes, its a valid account. but since they changed their email info (must be one letter off from mine or something) they have no way of changing it back ... and I don't know what their email address is.

    2. Re:Flawed by NexFlamma · · Score: 2, Funny

      Agreed. One would have to assume that there would be a high likelyhood that people who would fall for a phishing attack would be the same kinds of people who are uneducated about internet security, hence, strong password usage.

      Not only that, but in selecting Myspace to study strength of passwords, you're going to come to the conclusion that everyone on the planet is a moron. It would be like judging the intelligence of the average person by giving IQ tests during American Idol.

    3. Re:Flawed by Zapman · · Score: 5, Insightful

      This is what it is. It's an analysis of passwords, obtained by a script kiddie's phishing site. The author makes no claims to 'analysing the strength of every myspace password' or some such. All the information you need to analyze his results are right there.

      He didn't 'choose' to study this... the data fell into his hands, and he offered analysis.

      This is a great little 'news for nerds' thing. The author says he has this data, he's smart enough not to publish it (just the analysis), he gives some interesting results from raw analysis of the 'data'. Take the story for what it is: Sunday morning on Slashdot.

      --
      Zapman
    4. Re:Flawed by tomhudson · · Score: 2, Insightful

      My point was (if you had read the article) that his claim that he was able to measure the strength of the passwords was flawed. There were passwords that myspace couldn't have accepted as valid passwords because they require at least one digit (so "fuckyou" couldn't have been a password).

      The "known bad" data should have been dropped immediately.

  7. Re:Slashdotted. by Anonymous Coward · · Score: 5, Funny

    It works fine for me. Post your Slashdot password and someone will login and check that your account isn't broken.

    Thanks,

    Slashdot Admin

  8. Re:Slashdotted. by Stephan202 · · Score: 3, Informative

    I made a copy, with images: http://student.science.uva.nl/~sschroev/junk/myspa ce.html
    (If the server does not manage I will remove the page)

  9. Email Passwrod by lobsterGun · · Score: 4, Interesting

    It would be interesting to see how many of the names in that list use the same password for MySpace account as they do in their email account.

  10. Re:Slashdotted. by kripkenstein · · Score: 4, Funny

    Slashdotted [...] CPU quota exceeded.

    Indeed. Yet, just by reading the summary, I can tell it would have been a juicy article:

    They were tested for strength, length and a number of other things.

    Circumference? Growth ratio?

  11. Re:Site Slashdotted by GotenXiao · · Score: 5, Funny
    Oh, the irony. Bottom of the page:
    Need a cheap host that can survive the Digg effect?

    Links back to that guy's host XD
    --
    Goten Xiao
  12. mirror by winkydink · · Score: 2, Informative

    http://www.networkmirror.com/pMNGiaubQFpIgJLX/cybe r-knowledge.net/blog/2006/09/16/analyzing-20000-my space-passwords/index.html

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  13. MirrorDot shows the graphs... by wo1verin3 · · Score: 3, Informative

    http://www.mirrordot.org/stories/65dbc3fb38c8508be da018cb179a7607/index.html

  14. Who cares about myspace password strength? by smkndrkn · · Score: 4, Insightful

    I have a few "sets" of passwords that I use. Basically it goes like this:

    1) Online banking - Very complex ( as complex as my banking site will allow that is ) / Important work related passwords
    2) Unimportant work related passwords (Such as the log in to view the cacti graphs for example) / Public websites that require a password and I care a little bit about
    3) Public websites I could give a rats ass about having broken into. Myspace would be listed here. So would my slashdot account.

    So my point is just because people use crappy passwords for myspace doesn't nesasarily mean they don't have a clue......but being caught by phishers does. ;)

    --
    ======== In the future, everything will be artificial. ========
  15. Re:Slashdotted. by tomhudson · · Score: 5, Funny

    How did you get the combination of my luggage?

  16. Almost by benhocking · · Score: 4, Insightful

    "Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher" - or by people pretending to be MySpace users when targeted by a phisher - or by people giving a bogus password when targeted by a phisher.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:Almost by flooey · · Score: 5, Insightful

      "Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher" - or by people pretending to be MySpace users when targeted by a phisher - or by people giving a bogus password when targeted by a phisher.

      I'd imagine that's why fuckyou is up there so high. I sort of assume that's a message to the phisher rather than a real password.

  17. strong passwords? by nephridium · · Score: 4, Informative
    Most common passwords used:

    13 - cookie123
    12 - iloveyou
    12 - password
    11 - abc123
    11 - fuckyou
    11 - miss4you
    9 - password19
    9 - clumsy
    8 - sassy
    8 - summer06
    8 - pablobob
    8 - boobie
    8 - fuckyou1
    8 - iloveyou1
    8 - tink69
    8 - password1
    7 - gospel
    7 - terrete
    7 - monster7
    7 - marlboro1
    7 - bitch1
    7 - flower
    7 - space

    Summary:

    While the passwords weren't the best, they weren't exactly terrible. [...]
    According to TFA it seems most passwords used on myspace are made up of dictionary words (mostly lower case) and a numeric suffix (usually <4 digits). Imho such a password does look horrible, especially after seeing how important some of the myspace pages seem to be for certain people.
    --


    And when you gaze long enough into the code, the code will also gaze into you.
  18. Due Diligence by bigattichouse · · Score: 2, Insightful

    Due diligence would have him write a script to check which user/pass combinations were valid, and then analyze only those.

    --
    meh
    1. Re:Due Diligence by jandrese · · Score: 2, Interesting

      Honestly, most of these pishing operations that I've seen are real lowbrow affairs. Proper engineering isn't exactly a common feature. Most of the time they don't care if 50% of the passwords (or more) don't work, all they need are a few hits to get what they need.

      --

      I read the internet for the articles.
    2. Re:Due Diligence by TubeSteak · · Score: 2, Insightful
      Due diligence would have him write a script to check which user/pass combinations were valid
      I think we would call that "unauthorized access"

      Methinks most people would know enough to avoid publicly admitting to testing those l/p's.
      --
      [Fuck Beta]
      o0t!
    3. Re:Due Diligence by Firehed · · Score: 2, Funny

      Well, yeah, if you're phishing for bank account info. What the hell is to be gained by hijacking MySpace accounts?

      --
      How are sites slashdotted when nobody reads TFAs?
    4. Re:Due Diligence by kevlarman · · Score: 2, Funny

      you can offer to remove all the annoying backgrounds, music, movies, and spyware from the profiles of the stolen accounts, and threaten to put up even more of them if they don't pay up. it might work even better than stealing bank accounts

      --
      A mouse is a device used to point to the xterm you want to type in
  19. Re:Slashdotted. by Anonymous Coward · · Score: 2, Funny

    username: CmdrTaco
    password: DiggFTW

    TIA!

  20. Look! I stole your identity by Anonymous Coward · · Score: 3, Funny
    best change your policy on your slashdot account now, or expect to see bogus postings in your name!! ;-)


    I think you should take the same advise. I just stole your account and now I'm posting as you Mr. Coward.....HAHAHAHA!
  21. Re:Site Slashdotted by Anonymous Coward · · Score: 5, Funny
    Need a cheap host that can survive the Digg effect?

    Yes.. the Digg effect, not the slashdot effect ;)
  22. This 'paper' doesn't give MySpace haters much ammo by erikwestlund · · Score: 4, Insightful

    I almost sense a disappointment that MySpace users didn't come out looking stupider. Give the MySpace users a break! Their computer illiteracy is made painfully clear, but imagine if Slashdot had a comparable way to highlight its posters social illiteracy. Perhaps there would be MySpacers writing on message boards about how stupid all Slashdot users were for their poor fashion sense. Yes, that would be stupid, but comparably as stupid as the blind, generalizing hate for MySpace users that is prevalent here.

  23. How to get a password by Anonymous Coward · · Score: 2, Interesting

    1. Put up a site that claims to have tens of thousands of passwords up.
    2. Post news on Slashdot.
    3. Users go to site, and SEARCH for their password. Hacker now has REAL passwords thanks to the searches.

    1. Re:How to get a password by maxwell+demon · · Score: 2, Funny
      Add a form to your web site:
      See if your password was broken, too. Just enter your login data here for searching.
      Login: _____________
      Password: _____________
      [Submit]

      --
      The Tao of math: The numbers you can count are not the real numbers.
  24. strong passwords by DigitalLifeForm · · Score: 4, Interesting

    There was an MIT study claiming that the strength of passwords was affected by length alone. Because of brute force cracking, the longer the password, the longer it took to break. Consider the three character password where I allowed only numbers, and upper and lower case letters. Each position in the password would have 10 + 26 + 26 = 62 possibilities. A three letter password would have 62 * 62 * 62 combinations. Now, if I required "strength" by requiring the use of a letter, and both upper and lower case, I now have only 10 * 26 * 26 combinations. Requiring "strength" always reduces the set of possible combinations for the password.

    1. Re:strong passwords by nobodynoone · · Score: 4, Interesting

      Yes, but in the instance of bruteforce, it is all about PERCIEVED strength, in which case the bruteforce attack must include numbers as well as letters, increasing possible combinations from the attack side to 36*36*36. So while the ACTUAL combinations may drop, the POSSIBLE combinations increase.

    2. Re:strong passwords by mrcaseyj · · Score: 2, Insightful
      The probability calculation is flawed. Although restricting the choices of passwords reduces the number of possibilities it doesn't reduce them all that much. A three character password with an upper, a lower, and a digit, isn't 10*26*26 possibilities. The first char can be any of 62. The next char can be any of at least 36 but could be any of 52 if the first char was a digit. The last char could be any of at least 10. Thus the correct calculation is at LEAST 62*36*10 but is actually more.


      More importantly, as you add more characters to the password you only add factors of 62 and you have just one factor of 36 and one of 10. So for an eight char password with at least one digit and one alternate case, you have at LEAST 62*62*62*62*62*62*36*10 possibilities.


      Furthermore, attakers never start with a brute force attack except with trivially short passwords. They start with a dictionary attack. Hacker dictionaries contain not just the dictionary but millions of passwords that other people have used. Before they do a full on brute force attack, they do an all lower case brute force. They also try passwords with a beginning upper and ending in a number. Then chars with one number in between the chars. Combinations that include upper and lower and digits are about the last thing they try even if they resort to a full on brute force.


      Since all passwords of just a few chars (maybe 8 or so) can be brute forced no matter what they contain, it would make no sense to require certain characters but not have a minimum password length. Just increase the minimum length by one and you've more than made up for any combinations lost to restrictions, while drastically reducing vulnerability to dictionary attacks.

  25. Ironically enough... by not-admin · · Score: 5, Funny

    At the bottom of his article it has an add for:
    'Need a cheap host that can survive the Digg effect?'

    That links to his webhost... Guess it doesn't survive it very well, eh?

    1. Re:Ironically enough... by WilliamSChips · · Score: 3, Funny

      It didn't survive the Slashdot effect. It only claims to survive the Digg effect.

      --
      Please, for the good of Humanity, vote Obama.
  26. trustno1 by illectro · · Score: 2, Interesting

    Recently while auditing user accounts this password turned up as one of the top 10 most common passwords - if you don't know, it's Fox Mulder's password in the X-Files. Passwords used in movies and tv are surprisingly common, 'joshua' is pretty common, and quite a few people use 'CPE1704TKS' proving that just because people remember detailed trivia from hacking movies they don't know what makes a good password.

  27. Re:Slashdotted. by Mateo_LeFou · · Score: 3, Funny

    My password is: "admin". Thanks for looking into this. (Username is also "admin")

    --
    My turnips listen for the soft cry of your love
  28. Re:Slashdotted. by sekunder · · Score: 2, Funny

    don't forget endurance (:

    --
    -sekunder
  29. Obvious password detector by Animats · · Score: 4, Interesting

    Twenty-two years on, here's my obvous password detector. This is C source code I wrote in 1984. This simple piece of code will prevent the use of passwords that are English words, by requiring that the password have at least two sequences of three letters not found in the dictionary. The "dictionary" is compressed down to a big table of hex constants; it's a 27x27x27 array of bool, with a 1 for each triplet found in the UNIX dictionary. So the code is simple, self-contained, and does no I/O.

    Put this in your password-change program and dictionary attacks stop working.

    The code is a bit dated; this is original K&R C, not ANSI C.

    I should do a Javascript version and give that out. The code is so small that it could easily be executed on user-side password pages.

  30. Password Strength by localman · · Score: 2, Insightful

    Most interesting to me is that despite most of the passwords being decent it makes not a lick of difference in these people being phished. Once again, being sharp and understanding of the big picture is more important than following any isolated rule about security. Good luck getting that out to the masses, though :)

    Cheers.

  31. Re:I have to agree... by devilspgd · · Score: 2, Informative

    It wouldn't do a ton of good since your average phisher has access to a ton of zombies they can verify a password list without triggering any IP:failedlookup ratio and banning themselves from the site.

    --
    Give a man a fish, he'll eat for a day, but teach a man to phish...
  32. My password.... by CrazyTalk · · Score: 2, Funny

    Is *******. That way I can always see what I'm typing.

  33. One point deserves emphasis... by dghcasp · · Score: 4, Interesting

    He came up with a rating scheme from 1 to 4, where 4 is the "best" password. And he says "I consider strength two fine for a myspace account." Very good point: Not all websites need the same level of password strength.

    My personal pet peeve is websites that probably only require a 2 or 3 (on his scale) but demand strength 99. For example, forum sites that reject passwords that my bank would consider good enough.

    Your password was rejected because it was only seven characters long, does not contain enough characters that are neither letters or numbers, and contains a substring that was found in a dictionary of Croation words. Plus, you used that password three years ago when we forced you to change it with our 30-day password aging policy.

    My plea to anyone reading this who develops websites: The strength of the password only has to match the importance of the information that it's protecting.

    Thus endeth my rant.

  34. Re:I've been notiving a trend of sorts by AriaStar · · Score: 2, Insightful

    I read both sites because I like the different articles on each. But lately many of the same articles are on both. I suspect people are seeing articles there and submitting them here. I'd like to see variety again.

    --
    It's a girl!
  35. Re:Slashdotted. by Cro+Magnon · · Score: 2, Funny

    My password is ********

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.