MySpace Users Have Stronger Passwords Than Employees
Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
He probably used HTML codes.
You can also hold Alt while you type numbers on your keypad, like alt(128) = Ç.
Note: most password forms won't allow anything non-alphanumeric; even Slashdot didn't allow alt(127).
Just pick how many digits/letters you want from either the beginning or the end, and pick a passphrase which you can correctly and exactly remember.
It depends on length and the character set. Many cracking programs, brute force cracks, will iterate through all possible combinations of a character set up to a certain length. This lets the program find simpler passwords faster.
With just alphabetic characters and a 6-character length you have about 26^6, or about 308 million possibilities.
With alphanumeric characters and a 6-character length you have about 36^6, or about 2.1 billion possibilities.
Extending to common non-alphanumeric characters (using shift+#) adds another 10: 46^6, or 9.4 billion possibilities.
By comparison, changing the length of the previous examples:
Alpha: 26^7 = 8 billion
Alphanumeric: 36^7 = 78 billion
Extended with non-alphanumeric: 435 billion
So "crackability", as you dub it, is influenced heavily by the length of the password, but it is also greatly influenced by the character set used.
As for whether "adklfjsldfjsdf" is harder to crack than "adklf123dfjsdf":
"adklfjsldfjsdf" is 15 in length and alpha characters only (26^15)
"adklf123dfjsdf" is 15 in length and alphanumeric (36^15)
1,677,259,342,285,725,925,376 is less than 221,073,919,720,733,357,899,776
So the alphanumeric one is definitely more secure.
Dead on.
The passwords I use at work are pretty pathetic.
The first reason is that I have to be able to remember them, which is difficult when they have to change every 6 weeks; the second reason is that only people within the company have access to the network anyway.
In order to get in from outside, I need another (strong, permanent, set by me) password and a 6-digit Tamagotchi code which changes every 60 seconds. If I did not have to change my work password so frequently, it would be a lot stronger.
Mielipiteet omiani - Opinions personal, facts suspect.
Or maybe it's just the fact that MySpace requires new users to have a number in the password!
From a link in the article:
"The attacker had registered a MySpace account named login_home_index_html, meaning that the MySpace page hosting the fake login, looked like a legitimate place where users would sign on to the service."
So it was just a user page but it DID have myspace.com in the URL. The URL was:
http://www.myspace.com/login_home_index_html
The only reason MySpace users have stronger passwords is because they're required to. Try signing up to MySpace with a weak password (i.e. without numeric characters) and see what I mean. I signed up for MySpace for a throwaway account with an easy-to-remember password, but couldn't.
Not really. Most cracking software knows that a letter k might be k, K, |<, et cetera. It makes things take a little longer but most check for such substitutions by default now.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
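Added example, not part of any comment in this thread: a defender-side password audit that combines the charset/length arithmetic from the keyspace comment with the substitution point made just above. The wordlist, substitution table and function names are assumptions made for illustration; class sizes follow the thread (26 letters, 10 digits, 10 shift+number symbols), with upper case counted as its own 26.

```python
import string

# Constructed sample wordlist; a real audit would load a full dictionary.
WORDLIST = {"password", "monkey", "dragon", "letmein"}
# Assumed single-character substitution table (illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
SUFFIX = string.digits + string.punctuation

def charset_size(pw):
    """Symbols per position a brute-forcer needs to cover this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26  # case tracked separately (assumption beyond the thread)
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 10  # treated as the thread's shift+number class (underestimate)
    return size

def search_space(pw):
    """Candidates tried when iterating every length from 1 up to len(pw)."""
    k = charset_size(pw)
    return sum(k ** n for n in range(1, len(pw) + 1))

def base_words(pw):
    """Forms to look up: lowercase, trailing digits/symbols cut, substitutions undone."""
    low = pw.lower()
    forms = {low, low.rstrip(SUFFIX)}
    return forms | {f.replace("|<", "k").translate(LEET) for f in forms}

def audit(pw):
    """Report whether pw reduces to a dictionary word, plus its brute-force cost."""
    return {"dictionary_based": bool(base_words(pw) & WORDLIST),
            "charset": charset_size(pw),
            "search_space": search_space(pw)}

if __name__ == "__main__":
    for pw in ("abcdef", "password1", "mon|<ey", "P4ssw0rd", "adklf123dfjsdf"):
        print(pw, audit(pw))
```

A password flagged `dictionary_based` should be rejected regardless of its `search_space`, since a dictionary pass reaches it long before exhaustive iteration would.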
Might have something to do with the fact that MySpace allows users to sign in via HTTP. I see hundreds of MySpace passwords going through corporate perimeters, and way too many of them match their corporate logins when tested. Yes, the fact that people sign into MySpace from work is its own separate issue. Just goes to show that you need more than just passwords: time-synced pseudo-random number generators for everyone :)
No sir, I don't like it.