MySpace Users Have Stronger Passwords Than Employees
Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
So MySpace users are smart enough to pick somewhat secure passwords, but still dumb enough to fall for basic phishing attacks.
It doesn't matter how strong their password is if they are still giving it to whoever asks for it.
This may not mean that "passwords are getting better." It may just prove once again that people care more about their personal things than other people's stuff.
That's the kind of password an idiot would have on his electronic luggage!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
"Love, Sexxxx, and...GOD. So, would her royal highness care to change her password?"
Living With a Nerd
...found that the average password was 6.4 characters long. What kind of newfangled keyboard do you need to type one of those in?!
why? forty-two.
I use this password ;#E4][££2&9a for everything..
Oops?
a 14 year old cares far more about their social life than most adults care about their jobs.
It's because the MySpace users have more to lose. They don't want someone defacing their website. Employees on the other hand probably don't care if someone logs into their computer.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
This shouldn't be groundbreaking news. Myspace accounts deal with the personal part of people's lives and they don't want it interfered with. Which individuals have a vested interest in corporate security?
It's easy to have strong passwords when you don't need to change them all the time and can't reuse parts of the old password in the new password.
The corporate drones have to deal with passwords that expire every 30/60/90 days, and once expired those passwords can never be reused. So creating a hard password and then remembering it is not so trivial. The myspace users can come up with one hard password and keep it forever.
People have now demonstrated that we are more willing to change our language and ideas of "spelling", rather than remember obscure passwords. That's what "7337 5p34X" is all about. It's a way of permuting spelling into the larger, ambiguous character set to represent personal phonetics. It makes dictionary attacks much harder. If 2 7337 words are used, the password is probably nearly as tedious to crack as a truly random one.
--
make install -not war
How do you get .4 characters? What's 2/5 of 8 bits? 16/5?
That's so kewel. NO one will guess that.
Draw your own conclusions, but I think there might be something to this.
(and yes I did RTFA+LFA, do I lose my subscription?)
I am billdar, and I approve this message.
Amazing! That's the same password I have on my luggage!
Slashdot Burying Stories About Slashdot Media Owned
I figure there's two main reasons for this:
1) They're terrified of their peers breaking in and sabotaging their profiles. (I once got assaulted by a drunk girl I knew who thought I hacked her LiveJournal... which I didn't.)
2) They can't spell worth shit, due to netspeak, so typical dictionary approaches aren't going to work.
Also, you have to take into account the basic fact that younger people have grown up around computers, and understand the concept of passwords a bit better than your average middle-aged office worker.
Does it make you happy you're so strange?
Our corporate users are forced to come up with "complex" passwords (well, more complex than some people) because our auditors demanded it - minimum 7 characters, must have mixed case and numeric digits, and I put an easter egg in the code if you try to change your password to anything with the word 'password' in it :-)
The auditors haven't found the egg yet in the last few years, but they're back again in January....
You're assuming that
a) If someone hacked into your company via your PC, you would be held accountable
b) MySpace users have jobs, or are even old enough to do so
Both of those assumptions are incorrect 99% of the time.
Are myspace users really more security conscious? Or are the typical demographics those people who tend to use oddball non-English words and text phrases that end up being "good passwords". yourmom69
Engineering is the art of compromise.
None of my passwords mean anything.
All of my passwords are usually numeric patterns (done on the numpad) that form some shape or random pattern that I've come up with. They're not my birthday, my time of birth, SS#, phone number, etc, nothing that actually has any concrete meaning to it. Some are alphanumeric if both are required, but they still lack any concrete meaning.
It's a lot harder for someone to guess a password that just looks like a bunch of random numbers with no real meaning, especially when they ARE just a bunch of random numbers with no real meaning.
This is my signature. There are many like it but this one is mine.
So what it's saying is that people who actually want to use a computer and internet are better at creating passwords than people who mostly see computers as something that cuts into profit? Color me shocked. Nothing really new here...passwords are easy to crack, yup. I don't know what the deal is with monkeys. Come on, everyone likes monkeys. Well, except the evil monkeys.
MySpace passwords would fail more often if a l33t dictionary was used instead. Do kids even know words from a plain old dictionary?
A good cryptic username is the best defence anyhow! Passwords, who needs 'em!!
well it depends on the length of the password times the number of possibilities per character
so alphanumeric is harder than straight alpha
and alphanumeric + special characters is harder than just alphanumeric
Maybe the users just used their usernames as passwords - that would probably be the best way to generate a random sequence of characters.
I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.
I'm not. MySpace users have good passwords because MySpace requires them to, not because they're savvy. "Your password must contain at least one number and one punctuation mark," etc.
Have you seen MySpace posts? I bet half their passwords are "OMGH0ttieL0lz".
prick Guess it didn't work
Warning: Corny karma killing post above.
Just pick how many digits/letters you want from either the beginning or the end, and pick a passphrase which you can correctly and exactly remember.
Of course dictionary attacks won't work - have you seen the spelling on MySpace?!? It's not that they are trying to be more secure, it's that the users can't spell well enough to get a dictionary match.
Getoffamylawn!
Alex, I'll take keybindings not used by Emacs for $400....
Think about the password suggestions. Longer than 7 characters, mixed case, numbers and special characters. Then think about the average MySpacer.
"OMFGLoL1337kiss@$$!!"
with windows stickykeys!!!
It didn't use to be that way on Myspace, but now if you change your password or sign up for a new account, Myspace will force you to use at least an alphanumeric password. So maybe this should be a comparison of corporate IT vs. Myspace IT??
The future isn't here until I can type "car keys" into Google and have it say "You left them in your pants last night."
It depends on length and the character set. Many cracking programs, brute force cracks, will iterate through all possible combinations of a character set up to a certain length. This lets the program find simpler passwords faster.
With just alphabetic characters and a 6 character length you have about 26^6 or about 308 million possibilities
With alphanumeric characters and a 6 character length you have about 36^6 or about 2.1 billion possibilities
Extending to common non-alphanumeric characters (using shift+#) adds another 10, 46^6 or 9.4 billion possibilities
By comparison, changing the length of the previous examples:
Alpha: 26^7 = 8 billion
Alphanumeric: 36^7 = 78 billion
Extended with non-alphanumeric: 435 billion
So "crackability" as you dub it, is influenced heavily by the length of the password, but it is also greatly influenced by the character set used.
As for whether "adklfjsldfjsdf" is harder to crack than "adklf123dfjsdf".
"adklfjsldfjsdf" is 15 in length and alpha characters only (26^15)
"adklf123dfjsdf" is 15 in length and alphanumeric (36^15)
1,677,259,342,285,725,925,376 is less than 221,073,919,720,733,357,899,776
So the alphanumeric one is definitely more secure.
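An added example, not part of the comment above: a small Python calculator that reproduces the keyspace figures posted above (26^6, 36^6, 46^6, the length-7 variants and the two 15-character strings) and adds the two quantities a practitioner usually wants next, the bits of entropy and the worst-case time to exhaust the space at an assumed guess rate. The guess rate and the ten shifted number-row symbols in the "extended" set are this example's assumptions, not figures from the post.

```python
import math
import string

# Character-set sizes chosen to match the comment above; the ten symbols in
# the "extended" set (shift + number row) are this example's assumption.
CHARSETS = {
    "alpha": len(string.ascii_lowercase),                                    # 26
    "alphanumeric": len(string.ascii_lowercase + string.digits),             # 36
    "extended": len(string.ascii_lowercase + string.digits + "!@#$%^&*()"),  # 46
    "mixed-case alphanumeric": len(string.ascii_letters + string.digits),    # 62
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size: int, max_length: int) -> int:
    """Candidates a length-ordered brute-force search tries before it has
    finished every length up to `max_length` (lengths 1..max_length)."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: the bits of entropy of a uniformly random password."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate. The rate
    is an assumed input; real offline speed depends on the hash in use."""
    return keyspace(charset_size, length) / guesses_per_second / (365 * 24 * 3600)


def strength_table(lengths=(6, 7, 8, 12, 15), guesses_per_second=1e9):
    """Rows of (charset name, length, keyspace, bits, years) for a quick comparison."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n), entropy_bits(size, n),
                         years_to_exhaust(size, n, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # Assumed rate: one billion guesses per second (a fast hash on one GPU).
    for name, n, space, bits, years in strength_table():
        print(f"{name:24s} len {n:2d}  {space:>28,d}  {bits:5.1f} bits  {years:12.3g} years")
```

Run it and compare rows: at an assumed 10^9 guesses per second the 6-character alpha space (about 308 million) is gone in under a second, while each extra character multiplies the time by the charset size, which is why length dominates charset once the password is more than a few characters long.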
I understand the theory that it makes it tough on the crackers, of course, but that theory presumes that all other things are equal. I don't believe they are.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Change from 'password1' to 'Password1' - this is now mixed case alphanumeric > 8 chars. How much more secure can you get than that?
I know, I know, I shouldn't have said anything... now there will be a sudden rush to slashdot's 'change password' page since I just exposed half the passwords here.
so alphanumeric is harder than straight alpha
and alphanumeric + special characters is harder than just alphanumeric
Only if they know (or assume) that there are no numeric||special characters in your password.
Am trying it:
-> Phishing -
What does that look like?
HEY!!!!!
Mielipiteet omiani - Opinions personal, facts suspect.
You just cast what might be a secure passphrase into the set of characters [0-9a-f], greatly reducing the time needed to crack it.
Someone cracking a list of alphanumeric passwords where it is known that there is no requirement that the users include at least one numeric digit will (or at least should) assume that most users will be too lazy to include at least one numeric digit. Since this assumption will be true in the majority of cases, they've just reduced the time that it takes them to use either brute force or a dictionary attack in most cases. Requiring all users to use at least one numeric digit means that the hacker will always fail if this assumption is made. Requiring at least one digit /or/ punctuation symbol is even better.
i couldn't agree more with the fact that people who use myspace are absolutely petrified of their site being defaced, whereas your average corporate rat couldn't care less about the security of their computer...
apparently you are all unaware that myspace actually enforces password strength.
they will not allow you to set your password to password, it must be alpha numeric, or contain special characters.
(is patheticism a word? nevermind...)
When I started at my current place of employment, I was asked to set up a password to get into our company VPN. The rules seemed pretty straightforward, and since I try to be conscientious about good passwords, I didn't think twice about the clause in the policy that said "Your password must be 8 characters in length."
It turns out, they meant it. As in, exactly eight characters. Not nine, not seven. Ten is right out.
For added amusement: one of my company's lines of business is IT security consulting. Ha.
I love when the editors just copy and paste without even reading what they're posting. Which part of that sentence was a
You can't compare the passwords from two different phishing attacks. You only get the passwords from people who fall for the scam. If one scam is easier to detect than the other one, then one sample will contain passwords from dumber people than the other sample.
The quality of passwords has nothing to do with the type of people that were scammed, but with the difficulty of detecting the spam.
It's because generally the routines will try alphas first
a
aa
ab
ac
ad
a.
az
a0
a1
a.
a9
abcd8
But you are right I think.
I wonder if anyone has done an analysis of the password crackers available and see which actual character flows there are (do any use random testing making "999999" just as statistically quick to crack as "aaaaaa"
liqbase
I had a modpoint left, but it expired. Seriously, l33t sp33k makes for excellent passwords... weird spelling, dropping vowels, and replacing letters with numbers, along with the either stuff j00 d0 wh3n j00 r ub3r1337 makes for passwords that can withstand a dictionary attack, are stronger against brute force because you have digits in random places (and not just at the end), and more...
My corporate environment is close to implosion from the unending requirements for yet more passwords. You need a password to power up your machine, a password to start Windows, a password for Lotus Notes, a VPN dialer password, an intranet password for web apps, timecard apps, expenses, etc, an IM password (generally the intranet password), a password for HR apps, a password for benefits information. And we check for all of them and they expire but not at the same time and various password delivery subsystems employ different rules with different strengths. So it's almost impossible to keep it all straight without your own database. Once you find a new password that meets a given criterion you really just want to reset all of them to the same password - even though they are on different systems. So you wind up either with a lot of different passwords or exactly the same one. Or some messed up place in between.
I don't suspect MyAss users have more than two passwords to worry about - IM and MyAss. So they can afford to get creative. I don't, if I screw it up it's huge pain in the ass to get a reset.
A lot of companies have systems that don't allow users to change passwords. They're assigned by someone else.
Often, the person assigning them ends up using some easily deciphered pattern out of boredom (or lack of training), like lastname123, or even uses the same password for every person (gobears!).
It's trivial in these cases for inside attacks to occur, at least. And if an external attacker finds a couple of passwords to a system, he can often guess the pattern, also.
You *kind of* have a point. However, consider the possibility that the hacker doesn't *know* that the password is easier to attack because he/she is using a brute force attacker and doesn't know that the password is all alphabetic or alphanumeric. The only thing the hacker knows if doing a blind cracking of the password is the password field's limits. If the password field uses alphanumeric, then if he conducts a search using only alphabetical characters and comes up with no results after the 18,000 hours that it takes to run, don't you think he'd be more inclined to use alphanumeric as a character set to attack with to begin with?
You can look at a password and tell it's less secure, but that requires knowledge of the password. Unless it's a dictionary word, how would the hacker know the difference between you choosing alphanumeric or choosing alphabetic characters only? He wouldn't.
Judges and senates have been bought for gold; Esteem and love were never to be sold.
This isn't a really great random sampling; it's skewed slightly by the fact that it's about myspace users dumb enough to fall for a phishing attack only.
Cool article though!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
If you use both upper and lower case, you have 52 characters, and adding number still only adds 10 more.
So it is significantly more important to use mixed case than to use alphanumerical passwords.
The only reason MySpace users have stronger passwords is because they're required to. Try signing up to MySpace with a weak password (i.e. without numeric characters) and see what I mean. I signed up for MySpace for a throwaway account with an easy-to-remember password, but couldn't.
where i come from, we have this thing called capital letters.
we use them in passwords, but nowhere else.
Computer security is something that kids are learning at younger ages these days. Case in point: My 6-year-old daughter plays a flash game called clubpenguin.com, which is basically a MUD where you're a penguin and you go around playing video games, socializing with other penguins, taking care of your pet, etc. Yesterday at school, her friend asked her for her login info, and she gave it to her. Yesterday evening, my daughter finished her homework, tried to log on, and got a message saying she'd been banned for 24 hours for cussing, and the time when her penguin was cussing was a time when she hadn't been on the computer. No big deal, but at age 6, she's now had a concrete experience that shows her how it's not a good idea to give your password to someone else, even someone you think you can trust.
Find free books.
What do you think?
Okay, I'll make it easy.
Two possibilities: one password is chosen from all the letters of the alphabet, and is one character long. Another password is chosen from just the letters a, b, and c.. but is TWO letters long (twice as long).
Which is easier to guess?
Answer: The two character password has 3^2 = 9 possibilities: aa, ab, ac, ba, bb, bc, ca, cb, cc.
The one character password has 26 possibilities.
Now you should know whether or not password length or alphabet size dominate brute-force password cracking.
Do daemons dream of electric sleep()?
Which is also an easier command line to remember?
Life has many choices. Eternity has two. What's yours?
the top password was probably p455w0rd
Corporate environs should use passphrases. It's easy to hack a poor password, or forget one that incorporates letters and numbers. It's near impossible to hack through a dictionary attack, and they are easier to remember (often because the phrase is personal in nature). Windows supports passphrases already too. Go ahead and hack "Imaseasicksailoronashipofnoise", doubt you'll be able.
Yes, it's a blatant plug, but if you're trying to show users a way to come up with a complex, yet memorable password, http://www.makemeapassword.com/ can walk them through a short algorithm. The passwords are reasonably complex, but follow a few rules that hopefully people can remember. "Ycagwyw,1983,%" is a bit more hard to brute force attack than "password2". :)
creation science book
So in this case, a company with password-expiration resulting in somewhat crappy easy-to-remember passwords will be immune when their employees fall for an outside phishing scam that would have revealed brilliant passwords that never change.
Of course, if you use expiration AND you don't apply crackability criteria to your passwords then you're just asking for pain.
There are no .4 length characters!
;-)
Which is exactly why my password is so hard to guess.
The truth shall set you free!
I feel it has more to do with a (possibly false) feeling of security when you're behind corporate doors. You're on the corporate network which probably has a firewall, virus protection, official administrators, security experts and similar. However misplaced, I think workers are generally more likely to trust other employees rather than the whole Internet.
Being on the corporate net they assume they don't need to protect themselves from Internet attacks. Which is generally true, typically their computers are not accessible from outside the corporate network. Combine that with trusting their fellow worker peers and you get weaker passwords than someone protecting their site from every person on the planet.
The ratio of people to cake is too big
The MySpace user's password protects their own information.
The corporate user's password protects some corporation's information.
And, most passwords protect nothing worth protecting, such as my access to the NY Times.
Talk about misrepresenting what Bruce said! He was comparing password use over time (1989 to today) not comparing MySpace to corporate users.
My Blog
and found that the average password was 6.4 characters long."
Mine is 6.7 characters long, so there.
Please stop stalking me, bro.
It's because
1. They don't need 6 different passwords and logins
2. and they don't have to change it every 45 days.
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
"...the four most commonly used passwords are 'Love', 'Sex', 'Secret', and... 'God'. So would Her Holiness mind changing her password?"
N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
I had secure passwords until I had to change them so much.
Now they are not that secure and written on sticky pads.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Corporate worker password: IHATEMYJOB
10 letters all caps
Myspace user password: BritNaYSpeArSiStheBestSengErClasSoF2010RooLES
Longest password, mix of alphanumeric and case.
Okay so reading this article tells me that of the corporate people who fell for a phishing attack less had good passwords than those on myspace who fell for a similar attack. So yes, you could draw the conclusion that myspace passwords are better. You're likely wrong though since it's nowhere near a random sample. What I see in this study is that the myspace people who made good passwords fell for the oldest trick in the book whereas in the corporate world only those who don't make good passwords fell for the attack.
So yes, you could say what the article title says, but that's hardly even close to accurate. What's more likely is that myspace users are LESS security conscious and that myspace requires numbers.
There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
found that the average password was 6.4 characters long
6.4 character-long passwords are extremely secure!
Every password-cracking scheme that I've seen goes right from 6 character strings to 7 character strings.
I have two questions that I have been too lazy to work out, so hopefully slashdot can help me.
1) Is it better to add an additional letter, or swap a letter for a number (I always felt adding a letter would yield more combinations)
2) How much does forcing (rather than allowing) numbers *lower* your security (in that the hacker knows that you must have at least one letter and one number in your password making the number of possibilities smaller)
Anyway... if someone wants to reward me for being lazy, thanks in advance.
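An added example (mine, not the poster's) that works both questions numerically: it counts how many n-character strings over letters plus digits contain at least one of each class, using inclusion-exclusion, so you can see what a mandatory-digit rule costs in entropy and what it denies an attacker who runs an all-letter pass first. The class sizes (26 lowercase letters, 10 digits) and the lengths tried are this example's assumptions.

```python
import math
from itertools import combinations

LETTERS, DIGITS = 26, 10   # assumed classes: lowercase letters and decimal digits


def keyspace(alphabet_size: int, length: int) -> int:
    """All strings of exactly `length` characters over an alphabet of that size."""
    return alphabet_size ** length


def keyspace_with_required_classes(class_sizes, length: int) -> int:
    """Strings of `length` characters over the union of disjoint character classes
    that contain at least one character from EVERY class. Inclusion-exclusion:
    start from all strings, subtract those missing one class, add back those
    missing two classes, and so on."""
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def bits_lost_to_rule(class_sizes, length: int) -> float:
    """Entropy forfeited by forcing every class to appear, relative to allowing
    any mix of the same characters (question 2)."""
    free = keyspace(sum(class_sizes), length)
    forced = keyspace_with_required_classes(class_sizes, length)
    return math.log2(free / forced)


def letters_only_share(length: int) -> float:
    """Share of the letters+digits space an attacker covers with the cheap
    letters-only first pass; a forced-digit rule makes that pass always miss."""
    return keyspace(LETTERS, length) / keyspace(LETTERS + DIGITS, length)


def add_letter_vs_swap_digit(length: int) -> dict:
    """Question 1: compare growing the password by one letter against keeping the
    length and letting digits in (which forces the attacker to widen the set)."""
    return {
        "letters_only": keyspace(LETTERS, length),
        "one_more_letter": keyspace(LETTERS, length + 1),
        "same_length_with_digits": keyspace(LETTERS + DIGITS, length),
    }


if __name__ == "__main__":
    for n in (6, 8, 10):
        r = add_letter_vs_swap_digit(n)
        print(f"len {n}: +1 letter -> {r['one_more_letter']:,}; "
              f"allow digits -> {r['same_length_with_digits']:,}")
        print(f"  forced at least one letter and one digit: "
              f"{keyspace_with_required_classes((LETTERS, DIGITS), n):,} "
              f"({bits_lost_to_rule((LETTERS, DIGITS), n):.2f} bits lost, "
              f"letters-only pass covers {letters_only_share(n):.1%})")
```

For 8 characters the numbers come out as: one more letter (26^9) beats widening to digits at the same length (36^8), and requiring at least one letter and one digit removes only about 0.11 bits from the 36^8 space, while guaranteeing that the letters-only pass, which covers about 7% of that space, finds nothing.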
Right, but if alphanumeric and stronger passwords weren't so common, then they could more regularly assume alpha and be right more often. Increasing the required character set is always a good thing, even though it doesn't solve the problem of users choosing weak passwords. An enforced strong password policy along with some training on how to create passwords that are easy to remember is a good approach. Untrained users always cringe when they have to come up with a new password that can't contain parts of the old password, must be 8 characters or more, and have maybe three types of characters... but once they get used to the idea that they can put it all together in a way that doesn't make it too hard to come up with a new password and remember it, they usually lighten up.
A big threat, IMO, is users giving their passwords out. Not only is this dangerous for the duration of the current password, but it can also reveal the technique the user is using to create passwords. This happens a lot in the corporate environment... one employee tells a partner in their department their password before they go off on vacation so that the partner can access something they'll need, and nobody bothered to tell IT that this other person was in need of more access (temporarily or permanently). I make it a point to tell people, repeatedly, to never tell their password to anyone, not even me or executive management, for any reason. And boy do they ever want to tell me, especially when I have to make them stick around and log in multiple times while I work on their machine because Windows is a pain in the ass and runas is a half-assed workaround.
It doesn't take long to put together a spreadsheet to illustrate the tradeoffs. But if you'd like to get one ready-made, I'll email you one if you ask at the disposable email address 2024o2a02@sneakemail.notcxnotorgbutcom. It has color-coded strength results and parametrizable assumptions about the speed of the cracking software and the size of the cracker's botnet.
Wait, what's a dictionary?
The theory is that if I set up a security regime that locks a user out after X consecutive failed login attempts, then the cracker has to try X-1 times, then wait for the user to log in correctly without fail. If the user fat-fingers the password and gets locked out, and has to get an admin to unlock their account, they'll get a new temporary password and be forced to change it again.
Better make that X-2 times just to be safe. So X is 5, you get 3 chances per day to guess a password, if the user logs in once a day. And you better not try to log in while that user is on vacation or out sick for a few days. If I make users change their passwords every 3 months, you'll have at most 195 chances to guess the password before it isn't the password anymore.
LIS, that's the theory. In practice, what I do at work is use a 'base' password that includes at least one each of punctuation symbols, capital and lower-case letters, and a numeric portion that increments every time the IT department makes me change the password. Since their system only prevents me from reusing the entire password, I can get away with this, and all I have to write down is the number that changes every few months. Since you don't know if the numeric part is at the beginning, the end, or somewhere in the middle, knowing just that much won't help you, even if you do find where I have it written down.
But the GPP was right that a regime that is so tight that it prevents me from reusing any portion of a prior password would be really bad, especially because to do that they'd either have to store all my old passwords in the clear, or hashes of small enough portions as to make the entire password database particularly vulnerable to the kind of attack you describe above.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
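To make the last point concrete, here is an added example (not the poster's own code, and not a description of any particular company's system): a password-history check that stores only salted PBKDF2 hashes of whole previous passwords. It rejects an exact repeat but, as the comment says, cannot see that "Base!Word7" and "Base!Word8" share a base, because the hashes carry nothing about substrings; a partial-reuse rule would need the old passwords in recoverable form. The sample passwords, window size and iteration count are this example's assumptions.

```python
import hashlib
import os
from collections import deque


class PasswordHistory:
    """Per-user history of previous passwords, kept only as salted PBKDF2-HMAC
    hashes. A new password is refused if it exactly matches any remembered one.
    Because each entry is a hash of the whole password under its own salt, the
    store reveals nothing about parts of old passwords, so 'base word + counter'
    variants pass, and a partial-reuse rule would need cleartext to enforce."""

    def __init__(self, remember: int = 5, iterations: int = 100_000):
        self.remember = remember                 # how many old passwords to keep
        self.iterations = iterations             # PBKDF2 work factor (assumed value)
        self._entries = deque(maxlen=remember)   # oldest (salt, digest) drops off first

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def was_used(self, candidate: str) -> bool:
        """True if the candidate equals one of the remembered passwords."""
        return any(self._hash(candidate, salt) == digest for salt, digest in self._entries)

    def set_password(self, new_password: str) -> bool:
        """Record the new password; return False (and change nothing) on exact reuse."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, self._hash(new_password, salt)))
        return True


def demo_counter_trick():
    """Constructed walk-through: exact repeats are caught, the incrementing
    variant is not, and a password falls out of the window after `remember` changes."""
    history = PasswordHistory(remember=3)
    return [
        history.set_password("Base!Word7"),    # first use: accepted
        history.set_password("Base!Word7"),    # exact repeat: refused
        history.set_password("Base!Word8"),    # counter bumped: accepted, looks fresh to the store
        history.set_password("Base!Word9"),
        history.set_password("Base!Word10"),   # three remembered now; Word7 has aged out
        history.set_password("Base!Word7"),    # old password accepted again
    ]


if __name__ == "__main__":
    print(demo_counter_trick())  # [True, False, True, True, True, True]
```

The design keeps the history store no more sensitive than the main credential store (same salted, iterated hash), which is the trade-off the comment describes: a stricter partial-reuse rule could only be enforced by weakening that property.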
There are no .4 length characters!
Oh, you're so going to love it when you discover Unicode.
The correct tag for this article is obviously "god"...
It's not exactly rocket surgery.
Note that the only passwords looked at were phished ones, which introduces bias as more security savvy people would be less likely to fall for phishing (and probably more likely to use strong passwords). Of course the article then shows even not-so-security savvy people have good passwords.. but still there is bias whether or not it seems logical :P
The only difference is, you'd use a password to encrypt a private key on the local machine (or flash card, or USB drive, or whatever), but no key would have to be sent over the wire -- thus, even if someone cracked the SSL, or if you fell for a phishing attack, they'd never get anything useful out of you.
I wonder about that. I've come to the conclusion that nobody cares enough, because not enough damage is being caused to justify a perceived cost of implementing a more secure system. You know, kind of how Microsoft doesn't see enough profit in designing the kind of system the end-users want, because they really get their money from Big Business?
Note that I said "perceived" cost. Even if the average amount lost per person using an insecure system is losing 25 cents, try telling that to the one person who just lost their life savings. Try telling them they were the only one hit, and they just made it look like everyone lost a quarter, instead of them losing a quarter of a million dollars. See if it makes them feel any better.
And I don't think the actual cost is that bad.
Don't thank God, thank a doctor!
...welcome our venerable brute-force-attacking social-engineer-overlords.
OK, so this post is definitely vulnerable to being modded 'unfunny'.
... that most of the MySpace users (kids, students, etc.) are tomorrow's corporate drones and the corporate drones of today are on their way out.
Looks like we'll see some improvement in password strength in corporate environments over the next couple of years.
Corporate employees are usually not intrinsically motivated and may be underpaid, demotivated, or lazy. Usually they are forced to go to work and they leave their brains at the gate. This holds true for managers, too. MySpace users, on the other hand, enjoy what they are doing and are very motivated to do it well. I am not surprised, therefore, that MySpacers have stronger passwords than cubicle drones.
This is only true in the weird case where the alphabet size is an exact multiple of the machine byte size.
I know of few users using all 256 characters in their passwords.
And few computers using words shorter than eight bits long.
Do daemons dream of electric sleep()?
You'd probably be better off with a random string generator and a keychain. Here's a simple generator:
#include <stdlib.h>
#include <stdio.h>

/* Prints 24 random printable ASCII characters ('!'..'~', codes 33-126).
 * srandomdev() seeds from the kernel entropy pool on BSD/macOS (absent from
 * glibc; Linux callers should draw bytes from getrandom(2) instead). */
int main(void)
{
    /* random() returns 0..2^31-1; that range is not a multiple of 94, so a
     * bare "% 94" favours the low characters. Discard values in the short
     * final block so every character is equally likely. */
    const long limit = 0x7fffffffL - (0x7fffffffL % 94);
    unsigned short i;
    long r;
    srandomdev();
    for (i = 0; i < 24; i++) {
        do {
            r = random();
        } while (r >= limit);
        putchar((int)(r % 94 + 33));
    }
    putchar('\n');
    return 0;
}
The bits on the bus go on and off... on and off... on and off...