Slashdot Mirror


MySpace Users Have Stronger Passwords Than Employees

Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."

4 of 263 comments

  1. Re:why alphanumeric? by TranscendentalAnarch · · Score: 3, Informative

    It depends on length and the character set.  Many cracking programs, brute force cracks, will iterate through all possible combinations of a character set up to a certain length.  This lets the program find simpler passwords faster.

    With just alphabetic characters and a 6-character length, you have about 26^6, or about 308 million, possibilities.

    With alphanumeric characters and a 6-character length, you have about 36^6, or about 2.1 billion, possibilities.

    Extending to common non-alphanumeric characters (using shift+#) adds another 10: 46^6, or 9.4 billion, possibilities.

    By comparison, changing the length of the previous examples:

    Alpha: 26^7 = 8 billion
    Alphanumeric: 36^7 = 78 billion
    Extended with non-alphanumeric: 435 billion

    So "crackability," as you dub it, is influenced heavily by the length of the password, but it is also greatly influenced by the character set used.

    As for whether "adklfjsldfjsdf" is harder to crack than "adklf123dfjsdf":

    "adklfjsldfjsdf" is 15 in length and alpha characters only (26^15)
    "adklf123dfjsdf" is 15 in length and alphanumeric (36^15)

    1,677,259,342,285,725,925,376 is less than 221,073,919,720,733,357,899,776

    So the alphanumeric one is definitely more secure.

  2. Re:Okay... by h2g2bob · · Score: 5, Informative

    Or maybe it's just the fact that Myspace requires new users to have a number in the password!

  3. Re:Okay... by andreamer · · Score: 5, Informative

    From a link in the article:

    "The attacker had registered a MySpace account named login_home_index_html, meaning that the MySpace page hosting the fake login, looked like a legitimate place where users would sign on to the service."

    So it was just a user page but it DID have myspace.com in the URL. The URL was:

    http://www.myspace.com/login_home_index_html

  4. Re:MOD PARENT INSIGHTFUL by drinkypoo · · Score: 3, Informative

    Not really. Most cracking software knows that a letter k might be k, K, |<, et cetera. It makes things take a little longer but most check for such substitutions by default now.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"