Slashdot Mirror
MySpace Users Have Stronger Passwords Than Employees
Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
So MySpace users are smart enough to pick somewhat secure passwords, but still dumb enough to fall for basic phishing attacks.
It doesn't matter how strong their password is if they are still giving it to whoever asks for it.
This may not mean that "passwords are getting better." It may just prove once again that people care more about their personal things than other people's stuff.
"Love, Sexxxx, and...GOD. So, would her royal highness care to change her password?"
Living With a Nerd
...found that the average password was 6.4 characters long. What kind of newfangled keyboard do you need to type one of those in?!why? forty-two.
I use this password ;#E4][££2&9a for everything..
Oops?
a 14 year old cares far more about their social life than most adults care about their jobs.
It's because the MySpace users have more to lose. They don't want someone defacing their website. Employees on the other hand probably don't care if someone logs into their computer.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
This shouldn't be groundbreaking news. Myspace accounts deal with personal part of people's lives and they don't want it interfered with. Which individuals have a vested interested in corporate security?
It easy to have Strong Passwords when you don't need to change them all the time and can't reuse parts of the old password in the new password.
The corporate drones have to deal with passwords that expire every 30/60/90 days, and once expired those passwords can never be reused. So creating a hard password and then remembering it is not so trivial. The myspace users can come up with one hard password and keep it forever.
Draw your own conclusions, but I think there might be something to this.
(and yes I did RTFA+LFA, do I lose my subscription?)
I am billdar, and I approve this message.
I figure there's two main reasons for this:
1) They're terrified of their peers breaking in and sabotaging their profiles. (I once got assaulted by a drunk girl I knew who thought I hacked her LiveJournal... which I didn't.)
2) They can't spell worth shit, due to netspeak, so typical dictionary approaches aren't going to work.
Also, you have to take into account the basic fact that younger people have grown up around computers, and understand the concept of passwords a bit better than your average middle-aged office worker.
Does it make you happy you're so strange?
Are myspace users really more security consious? Or are the typical demographics those people who tend to use oddball non-English words and text phrases that end up being "good passwords". yourmom69
Engineering is the art of compromise.
MySpace passwords would fail more often if a l33t dictionary was used instead. Do kids even know words from a plain old dictionary?
Maybe the users just used their usernames as passwords - that would probably be the best way to generate a random sequence of characters.
I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.
I'm not. MySpace users have good passwords because MySpace requires them to, not because they're savvy. "Your password must contain at least one number and one punctuation mark," etc.
It depends on length and the character set. Many cracking programs, brute force cracks, will iterate through all possible combinations of a character set up to a certain length. This lets the program find simpler passwords faster.
With just alphabetic characters and a 6 character length you have about 26^6 or about 308 million possibilities
With alphanumeric characters and a 6 character length you have about 36^6 or about 2.1 billion possibilities
Extending to common non-alphanumeric characters (using shift+#) adds another 10, 46^6 or 9.4 billion possibilities
By comparison, changing the length of the previous examples:
Alpha: 26^7 = 8 billion
Alphanumeric: 36^7 = 78 billion
Extended with non-alphanumeric: 435 billion
So "crackability" as you dub it, is influenced heavily by the length of the password, but it is also greatly influenced by the character set used.
As for whether "adklfjsldfjsdf" is harder to crack than "adklf123dfjsdf".
"adklfjsldfjsdf" is 15 in length and alpha characters only (26^15)
"adklf123dfjsdf" is 15 in length and alphanumeric (36^15)
1,677,259,342,285,725,925,376 is less than 221,073,919,720,733,357,899,776
So the alphanumeric one is definitely more secure.
You can't compare the passwords from two different phishing attacks. You only get the passwords from people who fall for the scam. If one scam is easier to detect than the other one, then one sample will contain passwords from dumber people than the other sample.
The quality of passwords has nothing to do with the type of people that where scammed, but with the difficulty of detecting the spam.
Computer security is something that kids are learning at younger ages these days. Case in point: My 6-year-old daughter plays a flash game called clubpenguin.com, which is basically a MUD where you're a penguin and you go around playing video games, socializing with other penguins, taking care of your pet, etc. Yesterday at school, her friend asked her for her login info, and she gave it to her. Yesterday evening, my daughter finished her homework, tried to log on, and got a message saying she'd been banned for 24 hours for cussing, and the time when her penguin was cussing was a time when she hadn't been on the computer. No big deal, but at age 6, she's now had a concrete experience that shows her how it's not a good idea to give your password to someone else, even someone you think you can trust.
Find free books.
Not really. Most cracking software knows that a letter k might be k, K, |<, et cetera. It makes things take a little longer but most check for such substitutions by default now.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I never worry about passwords. I would not worry if someone else knew my password for slashdot. What would they do with it? The only thing they could do it make comments in my name. Even with my bank accounts the only thing they can do it to see how much money I have and transfer money between two of my accounts. If someone wanted to be super mean they could transfer all my checking account money into my savings account and thus cause any checks I write to bounce. They still would not get any personal gain from it. If passwords are such a problem let me suggest a hardware fix. Let there be two passwords. A local password that the user would remember and a password that would be sent out. There would be a table on either the hard drive or a usb flash memory card for the lookup of the secondary password. Since no one would have to memorize or even know the secondary password it could be a 100 randomly generated characters and could be changed every time the user access the account. If one uses the usb flash memory than one could take it with them for use on another computer and by removing it from the computer prevent any other user on that computer from accessing their account. If it is that big a problem than a fix like that would have been used a long time ago.