MySpace Users Have Stronger Passwords Than Employees
Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user passwords to an earlier data set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
So MySpace users are smart enough to pick somewhat secure passwords, but still dumb enough to fall for basic phishing attacks.
It doesn't matter how strong their password is if they are still giving it to whoever asks for it.
This may not mean that "passwords are getting better." It may just prove once again that people care more about their personal things than other people's stuff.
That's the kind of password an idiot would have on his electronic luggage!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
"Love, Sexxxx, and...GOD. So, would her royal highness care to change her password?"
Living With a Nerd
...found that the average password was 6.4 characters long.
What kind of newfangled keyboard do you need to type one of those in?!
why? forty-two.
I use this password ;#E4][££2&9a for everything..
Oops?
a 14 year old cares far more about their social life than most adults care about their jobs.
It's because the MySpace users have more to lose. They don't want someone defacing their website. Employees on the other hand probably don't care if someone logs into their computer.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
This shouldn't be groundbreaking news. Myspace accounts deal with the personal part of people's lives and they don't want it interfered with. Which individuals have a vested interest in corporate security?
There are no
Oh wait, I guess they were cracked...
It's easy to have strong passwords when you don't need to change them all the time and can't reuse parts of the old password in the new password.
The corporate drones have to deal with passwords that expire every 30/60/90 days, and once expired those passwords can never be reused. So creating a hard password and then remembering it is not so trivial. The myspace users can come up with one hard password and keep it forever.
People have now demonstrated that we are more willing to change our language and ideas of "spelling", rather than remember obscure passwords. That's what "7337 5p34X" is all about. It's a way of permuting spelling into the larger, ambiguous character set to represent personal phonetics. It makes dictionary attacks much harder. If 2 7337 words are used, the password is probably nearly as tedious to crack as a truly random one.
--
make install -not war
...with my 6.4 character password.
I thought even if they cracked the first 6 characters they'd never guess the last 0.4. I guess I was wrong.
How do you get .4 characters? What's 2/5 of 8 bits? 16/5?
That's so kewel. NO one will guess that.
Draw your own conclusions, but I think there might be something to this.
(and yes I did RTFA+LFA, do I lose my subscription?)
I am billdar, and I approve this message.
> the great majority were at least alphanumeric
Why the great obsession with alphanumeric passwords? Is adklfjsldfjsdf harder to crack than adklf123dfjsdf? Doesn't the crackability depend on the length of the password?
Amazing! That's the same password I have on my luggage!
I figure there's two main reasons for this:
1) They're terrified of their peers breaking in and sabotaging their profiles. (I once got assaulted by a drunk girl I knew who thought I hacked her LiveJournal... which I didn't.)
2) They can't spell worth shit, due to netspeak, so typical dictionary approaches aren't going to work.
Also, you have to take into account the basic fact that younger people have grown up around computers, and understand the concept of passwords a bit better than your average middle-aged office worker.
Does it make you happy you're so strange?
Our corporate users are forced to come up with "complex" passwords (well, more complex than some people) because our auditors demanded it - minimum 7 characters, must have mixed case and numeric digits, and I put an easter egg in the code if you try to change your password to anything with the word 'password' in it :-)
The auditors haven't found the egg yet in the last few years, but they're back again in January....
You're assuming that
a) If someone hacked into your company via your PC, you would be held accountable
b) MySpace users have jobs, or are even old enough to do so
Both of those assumptions are incorrect 99% of the time.
Are myspace users really more security conscious? Or are the typical demographics those people who tend to use oddball non-English words and text phrases that end up being "good passwords"? yourmom69
Engineering is the art of compromise.
None of my passwords mean anything.
All of my passwords are usually numeric patterns (done on the numpad) that form some shape or random pattern that I've come up with. They're not my birthday, my time of birth, SS#, phone number, etc, nothing that actually has any concrete meaning to it. Some are alphanumeric if both are required, but they still lack any concrete meaning.
It's a lot harder for someone to guess a password that just looks like a bunch of random numbers with no real meaning, especially when they ARE just a bunch of random numbers with no real meaning.
This is my signature. There are many like it but this one is mine.
So what it's saying is that people who actually want to use a computer and internet are better at creating passwords than people who mostly see computers as something that cuts into profit? Color me shocked. Nothing really new here...passwords are easy to crack, yup. I don't know what the deal is with monkeys. Come on, everyone likes monkeys. Well, except the evil monkeys.
MySpace passwords would fail more often if a l33t dictionary was used instead. Do kids even know words from a plain old dictionary?
A good cryptic username is the best defence anyhow! Passwords, who needs 'em!!
How do you get a 6.4 character long password??
Maybe the users just used their usernames as passwords - that would probably be the best way to generate a random sequence of characters.
I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.
I'm not. MySpace users have good passwords because MySpace requires them to, not because they're savvy. "Your password must contain at least one number and one punctuation mark," etc.
Have you seen MySpace posts? I bet half their passwords are "OMGH0ttieL0lz".
prick Guess it didn't work
Just pick how many digits/letters you want from either the beginning or the end, and pick a passphrase which you can correctly and exactly remember.
Did it work?
Of course dictionary attacks won't work - have you seen the spelling on MySpace?!? It's not that they are trying to be more secure, it's that the users can't spell well enough to get a dictionary match.
Getoffamylawn!
Alex, I'll take keybindings not used by Emacs for $400....
Think about the password suggestions. Longer than 7 character, mixed case, numbers and special characters. Then think about the average MySpacer.
"OMFGLoL1337kiss@$$!!"
It didn't used to be that way on Myspace, but now if you change your password or sign up for a new account, Myspace will force you to use at least an alphanumeric password. So maybe this should be a comparison of corporate IT vs. Myspace IT??
The future isn't here until I can type "car keys" into Google and have it say "You left them in your pants last night."
It sounds like he should've run his dictionary cracker through a l33tsp3@k algorithm or two. He might have gotten far more positive results.
This AC finds the likelihood that the majority of the passwords were genuinely alphanumeric (random) to be highly suspect.
I understand the theory that it makes it tough on the crackers, of course, but that theory presumes that all other things are equal. I don't believe they are.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Our departmental password is Claire1.
When corporate policy stipulates a change, we change it to Claire2, Claire3 etc.
To make sure we remember which Claire we are on, it is written on a sticky note prominently stuck to the access computer.
Regards,
your friendly anonymous employee at a company administrating a couple of tens of billions.
MySpace is voluntary and people are more invested in keeping their content there safe. Work "makes you" use a password, so you slough it off.
Change from 'password1' to 'Password1' - this is now mixed case alphanumeric > 8 chars. How much more secure can you get than that?
I know, I know, I shouldn't have said anything... now there will be a sudden rush to slashdot's 'change password' page since I just exposed half the passwords here.
Am trying it:
-> Phishing -
What does that look like?
HEY!!!!!
Mielipiteet omiani - Opinions personal, facts suspect.
You just cast what might be a secure passphrase into the set of characters [0-9a-f], greatly reducing the time needed to crack it.
Someone cracking a list of alphanumeric passwords where it is known that there is no requirement that the users include at least one numeric digit will (or at least should) assume that most users will be too lazy to include at least one numeric digit. Since this assumption will be true in the majority of cases, they've just reduced the time that it takes them to use either brute force or a dictionary attack in most cases. Requiring all users to use at least one numeric digit means that the hacker will always fail if this assumption is made. Requiring at least one digit /or/ punctuation symbol is even better.
That's cause they're all kiddie fiddlers!
I couldn't agree more with the fact that people who use myspace are absolutely petrified of their site being defaced, whereas your average corporate rat couldn't care less about the security of their computer...
Apparently you are all unaware that myspace actually enforces password strength.
They will not allow you to set your password to password; it must be alphanumeric, or contain special characters.
(is patheticism a word? nevermind...)
When I started at my current place of employment, I was asked to set up a password to get into our company VPN. The rules seemed pretty straightforward, and since I try to be conscientious about good passwords, I didn't think twice about the clause in the policy that said "Your password must be 8 characters in length."
It turns out, they meant it. As in, exactly eight characters. Not nine, not seven. Ten is right out.
For added amusement: one of my company's lines of business is IT security consulting. Ha.
I love when the editors just copy and paste without even reading what they're posting. Which part of that sentence was a
You can't compare the passwords from two different phishing attacks. You only get the passwords from people who fall for the scam. If one scam is easier to detect than the other one, then one sample will contain passwords from dumber people than the other sample.
The quality of passwords has nothing to do with the type of people that were scammed, but with the difficulty of detecting the spam.
I had a modpoint left, but it expired. Seriously, l33t sp33k makes for excellent passwords... weird spelling, dropping vowels, and replacing letters with numbers, along with the either stuff j00 d0 wh3n j00 r ub3r1337 makes for passwords that can withstand a dictionary attack, are stronger against brute force because you have digits in random places (and not just at the end), and more...
My corporate environment is close to implosion from the unending requirements for yet more passwords. You need a password to power up your machine, a password to start Windows, a password for Lotus Notes, a VPN dialer password, an intranet password for web apps, timecard apps, expenses, etc, an IM password (generally the intranet password), a password for HR apps, a password for benefits information. And we check for all of them and they expire but not at the same time and various password delivery subsystems employ different rules with different strengths. So it's almost impossible to keep it all straight without your own database. Once you find a new password that meets a given criterion you really just want to reset all of them to the same password - even though they are on different systems. So you wind up either with a lot of different passwords or exactly the same one. Or some messed up place in between.
I don't suspect MyAss users have more than two passwords to worry about - IM and MyAss. So they can afford to get creative. I don't, if I screw it up it's huge pain in the ass to get a reset.
A lot of companies have systems that don't allow users to change passwords. They're assigned by someone else.
Often, the person assigning them ends up using some easily deciphered pattern out of boredom (or lack of training), like lastname123, or even uses the same password for every person (gobears!).
It's trivial in these cases for inside attacks to occur, at least. And if an external attacker finds a couple of passwords to a system, he can often guess the pattern, also.
No way their passwords are more than something like their pets name or their gay boyfriend's name. I call shenanigans!
This isn't a really great random sampling; it's skewed slightly by the fact that it's about myspace users dumb enough to fall for a phishing attack only.
Cool article though!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
The only reason MySpace users have stronger passwords is because they're required to. Try signing up to MySpace with a weak password (i.e. without numeric characters) and see what I mean. I signed up for MySpace for a throwaway account with an easy-to-remember password, but couldn't.
maybe they do, a little.
The most common password is now Password1. Uppercase, lowercase and numeric... Who just uses alpha/numeric nowadays??
Computer security is something that kids are learning at younger ages these days. Case in point: My 6-year-old daughter plays a flash game called clubpenguin.com, which is basically a MUD where you're a penguin and you go around playing video games, socializing with other penguins, taking care of your pet, etc. Yesterday at school, her friend asked her for her login info, and she gave it to her. Yesterday evening, my daughter finished her homework, tried to log on, and got a message saying she'd been banned for 24 hours for cussing, and the time when her penguin was cussing was a time when she hadn't been on the computer. No big deal, but at age 6, she's now had a concrete experience that shows her how it's not a good idea to give your password to someone else, even someone you think you can trust.
Is the author asserting that:
(a) myspace users have better passwords than "corporate drones".
(b) in general, users' passwords have gotten better over the past 10 years.
If you answered (a), you may not be able to read, but you can submit to slashdot.
CowboyNealInAThong
Did it work?!? (posted anonymously for obvious reasons)
Which is also an easier command line to remember?
Life has many choices. Eternity has two. What's yours?
the top password was probably p455w0rd
Corporate environs should use passphrases. It's easy to hack a poor password, or forget one that incorporates letters and numbers. It's near impossible to hack through a dictionary attack, and they are easier to remember (often because the phrase is personal in nature). Windows supports passphrases already too. Go ahead and hack "Imaseasicksailoronashipofnoise", doubt you'll be able.
Yes, it's a blatant plug, but if you're trying to show users a way to come up with a complex, yet memorable password, http://www.makemeapassword.com/ can walk them through a short algorithm. The passwords are reasonably complex, but follow a few rules that hopefully people can remember. "Ycagwyw,1983,%" is a bit harder to brute force than "password2". :)
So in this case, a company with password-expiration resulting in somewhat crappy easy-to-remember passwords will be immune when their employees fall for an outside phishing scam that would have revealed brilliant passwords that never change.
Of course, if you use expiration AND you don't apply crackability criteria to your passwords then you're just asking for pain.
I feel it has more to do with a (possibly false) feeling of security when you're behind corporate doors. You're on the corporate network which probably has a firewall, virus protection, official administrators, security experts and similar. However misplaced, I think workers are generally more likely to trust other employees rather than the whole Internet.
Being on the corporate net they assume they don't need to protect themselves from Internet attacks. Which is generally true; typically their computers are not accessible from outside the corporate network. Combine that with trusting their fellow worker peers and you get weaker passwords than someone protecting their site from every person on the planet.
The ratio of people to cake is too big
The MySpace user's password protects their own information.
The corporate user's password protects some corporation's information.
And, most passwords protect nothing worth protecting, such as my access to the NY Times.
Talk about misrepresenting what Bruce said! He was comparing password use over time (1989 to today) not comparing MySpace to corporate users.
and found that the average password was 6.4 characters long."
Mine is 6.7 characters long, so there.
Please stop stalking me, bro.
It's because
1. They don't need 6 different passwords and logins
2. and they don't have to change it every 45 days.
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
"...the four most commonly used passwords are 'Love', 'Sex', 'Secret', and... 'God'. So would Her Holiness mind changing her password?"
N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
I don't understand why hard to guess passwords are all that important.
It seems that limiting the number of log-in attempts which fail, or creating an increasing time between failed log-in attempts would totally remove the ability to brute force past a password.
Let's say that I only have an alphanumeric password that's 4 characters long, but uses all 10 digits, and lower and upper case letters. That's (10+26+26)^4 possible combinations, which is over 14.7 million possibilities, unless I botched my math. If you allow 3 login attempts without any delay between them, then start adding in a delay between allowed attempts as more failures come up, you could make brute forcing a password pretty much impossible while keeping them short enough to remember. Just a 10 second delay between attempts would take over 2 years to exhaust the search space. If you cut off the user at 50 failures in a row and made them confirm their identity to unlock their account, you'd be safe, no?
I had secure passwords until I had to change them so much.
Now they are not that secure and written on sticky pads.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Corporate worker password: IHATEMYJOB
10 letters all caps
Myspace user password: BritNaYSpeArSiStheBestSengErClasSoF2010RooLES
Longer password, mix of alphanumeric and case.
Okay so reading this article tells me that of the corporate people who fell for a phishing attack less had good passwords than those on myspace who fell for a similar attack. So yes, you could draw the conclusion that myspace passwords are better. You're likely wrong though since it's nowhere near a random sample. What I see in this study is that the myspace people who made good passwords fell for the oldest trick in the book whereas in the corporate world only those who don't make good passwords fell for the attack.
So yes, you could say what the article title says, but that's hardly even close to accurate. What's more likely is that myspace users are LESS security conscious and that myspace requires numbers.
There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
found that the average password was 6.4 characters long
6.4 character-long passwords are extremely secure!
Every password-cracking scheme that I've seen goes right from 6 character strings to 7 character strings.
I have two questions that I have been too lazy to work out, so hopefully slashdot can help me.
1) Is it better to add an additional letter, or swap a letter for a number (I always felt adding a letter would yield more combinations)
2) How much does forcing (rather than allowing) numbers *lower* your security (in that the hacker knows that you must have at least one letter and one number in your password making the number of possibilities smaller)
Anyway... if someone wants to reward me for being lazy, thanks in advance.
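Worked out here as an added example (not code from any post in the thread): the keyspace arithmetic behind the 4-character/10-second lockout estimate in the earlier post and the two questions just asked, comparing appending a letter against swapping a letter for a digit, and measuring how much a mandatory digit shrinks a 62-symbol keyspace. Function and constant names are my own.

```python
"""Keyspace arithmetic for the password-policy questions raised in the thread."""
import math

LOWER = 26          # a-z
MIXED = 52          # a-z plus A-Z
DIGITS = 10         # 0-9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size):
    """Number of strings when every position may hold any of alphabet_size symbols."""
    return alphabet_size ** length


def keyspace_at_least_one_digit(length, letters=MIXED, digits=DIGITS):
    """Strings over letters+digits that contain at least one digit.

    Complement counting: all strings minus the strings made only of letters.
    """
    return (letters + digits) ** length - letters ** length


def keyspace_letter_and_digit(length, letters=MIXED, digits=DIGITS):
    """Strings with at least one letter AND at least one digit.

    Inclusion-exclusion: the set containing neither is empty, so nothing is added back.
    """
    total = (letters + digits) ** length
    return total - letters ** length - digits ** length


def bits(n):
    """Keyspace size expressed as bits against an exhaustive search."""
    return math.log2(n)


def add_letter_vs_swap_for_digit(length):
    """Question 1: for a lowercase password of `length`, is it better to append one
    more lowercase letter, or to turn one letter into a digit (so the attacker must
    search lowercase+digits at the same length)?
    Returns (factor_add, factor_swap) relative to the original 26**length."""
    base = keyspace(length, LOWER)
    factor_add = keyspace(length + 1, LOWER) / base
    factor_swap = keyspace(length, LOWER + DIGITS) / base
    return factor_add, factor_swap


def fraction_kept_by_forcing_digit(length):
    """Question 2: how much of the full 62-symbol keyspace survives once the policy
    tells the attacker every password contains at least one digit?"""
    return keyspace_at_least_one_digit(length) / keyspace(length, MIXED + DIGITS)


def online_brute_force_years(length, alphabet_size, delay_seconds, worst_case=True):
    """Wall-clock years to walk the keyspace online at one attempt per delay_seconds
    (the 4-character / 10-second scenario). worst_case=False gives the expected
    time, i.e. half the space."""
    attempts = keyspace(length, alphabet_size)
    if not worst_case:
        attempts /= 2
    return attempts * delay_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in (6, 8, 11):
        add, swap = add_letter_vs_swap_for_digit(n)
        print(f"len {n}: append a letter x{add:.1f}, swap a letter for a digit x{swap:.1f}")
    print(f"forced digit keeps {fraction_kept_by_forcing_digit(8):.1%} of 62^8 "
          f"({bits(keyspace_at_least_one_digit(8)):.2f} bits vs {bits(62 ** 8):.2f})")
    print(f"62^4 = {keyspace(4, 62):,}; worst-case years at 10 s per attempt: "
          f"{online_brute_force_years(4, 62, 10):.2f}")
```

Appending a letter always multiplies the space by 26, while the swap multiplies it by (36/26)^n, so the swap only wins for passwords of 11 or more characters; a mandatory digit costs well under one bit at length 8.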
Wait, what's a dictionary?
The theory is that if I set up a security regime that locks a user out after X consecutive failed login attempts, then the cracker has to try X-1 times, then wait for the user to log in correctly without fail. If the user fat-fingers the password and gets locked out, and has to get an admin to unlock their account, they'll get a new temporary password and be forced to change it again.
Better make that X-2 times just to be safe. So X is 5, you get 3 chances per day to guess a password, if the user logs in once a day. And you better not try to log in while that user is on vacation or out sick for a few days. If I make users change their passwords every 3 months, you'll have at most 195 chances to guess the password before it isn't the password anymore.
LIS, that's the theory. In practice, what I do at work is use a 'base' password that includes at least one each of punctuation symbols, capital and lower-case letters, and a numeric portion that increments every time the IT department makes me change the password. Since their system only prevents me from reusing the entire password, I can get away with this, and all I have to write down is the number that changes every few months. Since you don't know if the numeric part is at the beginning, the end, or somewhere in the middle, knowing just that much won't help you, even if you do find where I have it written down.
But the GPP was right that a regime that is so tight that it prevents me from reusing any portion of a prior password would be really bad, especially because to do that they'd either have to store all my old passwords in the clear, or hashes of small enough portions as to make the entire password database particularly vulnerable to the kind of attack you describe above.
The correct tag for this article is obviously "god"...
It's not exactly rocket surgery.
Note that the only passwords looked at were phished ones, which introduces bias as more security savvy people would be less likely to fall for phishing (and probably more likely to use strong passwords). Of course the article then shows even not-so-security savvy people have good passwords.. but still there is bias whether or not it seems logical :P
The only difference is, you'd use a password to encrypt a private key on the local machine (or flash card, or USB drive, or whatever), but no key would have to be sent over the wire -- thus, even if someone cracked the SSL, or if you fell for a phishing attack, they'd never get anything useful out of you.
I wonder about that. I've come to the conclusion that nobody cares enough, because not enough damage is being caused to justify a perceived cost of implementing a more secure system. You know, kind of how Microsoft doesn't see enough profit in designing the kind of system the end-users want, because they really get their money from Big Business?
Note that I said "perceived" cost. Even if the average amount lost per person using an insecure system is losing 25 cents, try telling that to the one person who just lost their life savings. Try telling them they were the only one hit, and they just made it look like everyone lost a quarter, instead of them losing a quarter of a million dollars. See if it makes them feel any better.
And I don't think the actual cost is that bad.
Don't thank God, thank a doctor!
...welcome our venerable brute-force-attacking social-engineer-overlords.
OK, so this post is definitely vulnerable to being modded 'unfunny'.
... that most of the MySpace users (kids, students, etc.) are tomorrow's corporate drones and the corporate drones of today are on their way out.
Looks like we'll see some improvement in password strength in corporate environments over the next couple of years.
It's pretty common to replace certain characters by numbers these days: A - 4, E - 3, I - 1, O - 0, S - 5. So I guess a lot of MySpace users might be using the password "p455w0rd" these days instead of "password"...
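As an added example (not code from anyone in the thread), a password-policy check that undoes the substitutions listed above before looking the result up in a word list, so that "p455w0rd" and "Claire2" are rejected alongside "password" while a long passphrase passes. The word list is a constructed toy, and the '@' and '$' entries are my assumption, not part of the post.

```python
"""Password-policy check that sees through digit-for-letter substitutions
(A-4, E-3, I-1, O-0, S-5) and trailing counters before consulting a word list."""
import itertools
import re

# Reverse of the substitution table from the post. '1' is ambiguous (i or l) and
# expands to both. '@' and '$' are an added assumption, not from the post.
UNLEET = {
    "4": "a", "3": "e", "1": "il", "0": "o", "5": "s",
    "@": "a", "$": "s",
}

# Constructed toy word list standing in for a real dictionary file.
WORDLIST = {"password", "love", "sex", "secret", "god", "claire", "monkey", "hottie"}

TRAILING_DIGITS = re.compile(r"\d+$")


def unleet_candidates(password, limit=256):
    """Yield every plain-letter reading of `password` (lower-cased) by undoing the
    substitutions; `limit` bounds the expansion for inputs with many ambiguous '1's."""
    options = [UNLEET.get(ch, ch) for ch in password.lower()]
    for count, combo in enumerate(itertools.product(*options)):
        if count >= limit:
            return
        yield "".join(combo)


def dictionary_word_behind(password):
    """Return the word-list entry the password reduces to, or None.

    Tries the password as typed and with a trailing digit run removed
    ('password1', 'Claire2'), de-leeting each reading of both.
    """
    stems = {password, TRAILING_DIGITS.sub("", password)}
    for stem in stems:
        for candidate in unleet_candidates(stem):
            if candidate in WORDLIST:
                return candidate
    return None


def check_password(password, min_len=8):
    """Policy decision: (accepted, reason). Rejects short passwords and any
    leet-disguised or counter-suffixed word-list entry."""
    if len(password) < min_len:
        return False, "too short"
    word = dictionary_word_behind(password)
    if word:
        return False, f"variant of dictionary word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password1", "p455w0rd", "Claire2", "g0d", "Imaseasicksailoronashipofnoise"):
        print(f"{pw!r:36} -> {check_password(pw)}")
```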
Corporate employees are usually not intrinsically motivated and may be underpaid, demotivated, or lazy. Usually they are forced to go to work and they leave their brains at the gate. This holds true for managers, too. MySpace users, on the other hand, enjoy what they are doing and are very motivated to do it well. I am not surprised, therefore, that MySpacers have stronger passwords than cubicle drones.
You'd probably be better off with a random string generator and a keychain. Here's a simple generator:
    #include <stdlib.h>
    #include <stdio.h>

    /* Emit 24 printable ASCII characters (codes 33..126) from the libc PRNG.
     * srandomdev() is a BSD/macOS extension that seeds random() from the OS
     * entropy source; glibc does not provide it. random() % 94 also carries a
     * small modulo bias, so for real password generation prefer the platform
     * CSPRNG (e.g. arc4random_uniform() where available). */
    int main(void)
    {
        unsigned short i;
        srandomdev();
        for (i = 0; i < 24; i++) {
            putchar(random() % 94 + 33);
        }
        putchar('\n');
        return 0;
    }
The bits on the bus go on and off... on and off... on and off...