Slashdot Mirror
MySpace Users Have Stronger Passwords Than Employees
Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
So MySpace users are smart enough to pick somewhat secure passwords, but still dumb enough to fall for basic phishing attacks.
It doesn't matter how strong their password is if they are still giving it to whoever asks for it.
It's because the MySpace users have more to lose. They don't want someone defacing their website. Employees on the other hand probably don't care if someone logs into their computer.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I tend to think people come up with a really good password, then they have to come up with 12 others in a row after each expires and disallows reusing an old one.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
This shouldn't be groundbreaking news. Myspace accounts deal with personal part of people's lives and they don't want it interfered with. Which individuals have a vested interested in corporate security?
Only because someone made him use at least one numeral.
I am not a crackpot.
It easy to have Strong Passwords when you don't need to change them all the time and can't reuse parts of the old password in the new password.
The corporate drones have to deal with passwords that expire every 30/60/90 days, and once expired those passwords can never be reused. So creating a hard password and then remembering it is not so trivial. The myspace users can come up with one hard password and keep it forever.
> the great majority were at least alphanumeric
Why the great obsession with alphanumeric password? Is adklfjsldfjsdf harder to crack than adklf123dfjsdf? Doesn't the crackability depend on length of the password?
I figure there's two main reasons for this:
1) They're terrified of their peers breaking in and sabotaging their profiles. (I once got assaulted by a drunk girl I knew who thought I hacked her LiveJournal... which I didn't.)
2) They can't spell worth shit, due to netspeak, so typical dictionary approaches aren't going to work.
Also, you have to take into account the basic fact that younger people have grown up around computers, and understand the concept of passwords a bit better than your average middle-aged office worker.
Does it make you happy you're so strange?
Are myspace users really more security consious? Or are the typical demographics those people who tend to use oddball non-English words and text phrases that end up being "good passwords". yourmom69
Engineering is the art of compromise.
Yeah I agree. The time limits on passwords cause most people to just come up with something easier to remember. Why should I have to change my password every 30 days if it's something like Mxo2s0LLn234aAZSQ If I can't even get it right I'm sure no one else is going to guess it. There shouldn't be a need to change it.
Beer! It's what's for breakfast!
I understand the theory that it makes it tough on the crackers, of course, but that theory presumes that all other things are equal. I don't believe they are.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
You just cast what might be a secure passphrase into the set of characters [0-9a-f], greatly reducing the time needed to crack it.
You can't compare the passwords from two different phishing attacks. You only get the passwords from people who fall for the scam. If one scam is easier to detect than the other one, then one sample will contain passwords from dumber people than the other sample.
The quality of passwords has nothing to do with the type of people that where scammed, but with the difficulty of detecting the spam.
You've been modded 'funny' but you should really be 'insightful' because your comment is TRUE.
Maybe they're just tired of hearing it for the 45765th time on slashdot, therefore making it redundant.
Okay so reading this article tells me that of the corporate people who fell for a phishing attack less had good passwords than those on myspace who fell for a similar attack. So yes, you could draw the conclusion that myspace passwords are better. You're likely wrong though since it's nowhere near a random sample. What I see in this study is that the myspace people who made good passwords fell for the oldest trick in the book whereas in the corporate world only those who don't make good passwords fell for the attack.
So yes, you could say what the article title says, but that's hardly even close to accurate. What's more likely is that myspace users are LESS security conscious and that myspace requires numbers.
There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
Note that the only passwords looked at were phished ones, which introduces bias as more security savvy people would be less likely to fall for phishing (and probably more likely to use strong passwords). Of course the article then shows even not-so-security savvy people have good passwords.. but still there is bias whether or not it seems logical :P