Slashdot Mirror


Massive Phishing Campaign Hits Multiple Email Services

nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."

183 comments

  1. Wow! by Anonymous Coward · · Score: 5, Funny

    An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.'

    That's amazing. I've got the same combination on my luggage.

    1. Re:Wow! by Yvan256 · · Score: 1, Insightful

      You destroyed the joke thread by starting at the end.

      You should have started with "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

    2. Re:Wow! by Anonymous Coward · · Score: 3, Insightful

      lol

      But seriously, what kind of chickenshit mail server policy even allows that password in the first place?

      OH... hotmail.. enough said...

    3. Re:Wow! by Anonymous Coward · · Score: 2, Funny

      Saved by 123456!

      Take that haxor!

    4. Re:Wow! by conureman · · Score: 1

      There not being a whole lot to lose (or any porn that would get me in trouble ;), if my shit gets compromised, I use the same password on everything. (eight letter word, YMMV) Of course, I'm not afraid to format the HDD and re-install the OS when my foolishness catches up with me, and I DO protect my router, as well. The only thing I worry about is if my node became a SPAMBot, but I check my traffic periodically to avoid that. (Ain't happened yet, but I've had to fix my friend's boxes a few times). I do have one account that's protected by nine letters and a numeral, but that would be easy to guess as well if one knew my attitude toward complying with security policy. OTOH 12345 is a tad egregious as a password, even by my lax standards.

      --
      The cost of that cleanup, of course, will be borne by taxpayers, not industry.
    5. Re:Wow! by tomhudson · · Score: 1
      My question is "why are they storing email passwords in plaintext"?

      Of course, they're probably not, just comparing the hash values of "$usr_pw" and "12345", but that is also the most common password on voice email boxes.

      One guy up here was convicted - TWICE - for "hacking" into police detectives' voicemail by just randomly dialing extensions, and entering "12345". You'd think after the first conviction, the cops would, you know, CHANGE THEIR FRIGGING PASSWORDS. Even 38258 (FUCK U) would have been better.

      On a side note, try dialing numbers like 1-800-FUCK-OFF. Last time we checked (party, late at night) they were assigned.

    6. Re:Wow! by zelator29 · · Score: 1

      Hmm I wonder if people used 3039, which is 12345 in hexadecimal...

    7. Re:Wow! by Mister+Whirly · · Score: 1

      No, real geeks use 11000000111001 (12345 in binary for you non-geeks)

      There are 10 types of people in this world - people who use this lame joke, and people who don't.

      --
      "But this one goes to 11!"
    8. Re:Wow! by Anonymous Coward · · Score: 0

      The analysis sounds fishy to me, they say the shortest password is a single character. I don't know an e-mail provider that accepts less than 6 characters.

    9. Re:Wow! by jpmorgan · · Score: 3, Insightful

      I'm sure most /.ers actually filled that part in mentally when they read the summary.

    10. Re:Wow! by netsharc · · Score: 1

      The passwords are in plain text because the script kiddies phished them, and that's the list that got leaked.

      --
      What time is it/will be over there? Check with my iPhone app!
    11. Re:Wow! by Havokmon · · Score: 2, Funny

      So he top posted. How appropriate.

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    12. Re:Wow! by Stavr0 · · Score: 1

      No, I use 74565

    13. Re:Wow! by shentino · · Score: 1

      What I don't like is being forced to jump through hoops to remember a password.

      Recently gmail disallowed passwords shorter than 8 characters, and as a result I had to memorize some funky 14-digit number

    14. Re:Wow! by shentino · · Score: 1

      So the empty string wouldn't be valid?

    15. Re:Wow! by clone53421 · · Score: 1

      gmail disallowed passwords shorter than 8 characters
      and as a result I had to memorize some funky 14-digit number

      I fail to see the line of reasoning that prevented you from choosing an 8-character password.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    16. Re:Wow! by clone53421 · · Score: 4, Informative

      From the blog of the guy who actually did the research, I'm deducing that those probably weren't valid passwords.

      An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin.

      ...Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials.

        * The list initially contained 10,028 entries.
        * After I've cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
        * There are 8931 (90%) unique passwords in the list.
        * The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
        * The shortest password was 1 char long : )

      In other words, the phishing scheme didn't bother to verify that the passwords were any good. Heck, it didn't even verify that a password was entered (he did say he cleared out all the username/no password entries). Not surprisingly, it also didn't make sure the password was of the proper length to be valid (this would have kicked out all the empty string passwords anyway).

      tl;dr: dumb people clicked the phishing link and entered their passwords. Smart people clicked the link and entered garbage. Garbage = bad data, which is what he ended up finding. (Seriously... I'm sure there are other people here who would knowingly go to the phishing page and deliberately enter garbage just to screw with the dicks who are trying to scam accounts.)

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
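The cleanup clone53421 quotes above (drop entries with no password, count unique passwords, find the longest and shortest, see what a length policy would have rejected) as an added example that is not from the post or the original blog; the "user:password" layout of the dump, the sample lines and the minimum length of 6 are all assumptions.

```python
from collections import Counter

# Constructed sample in "user:password" form (not the real leaked list); the page
# does not show the dump's actual format, so this layout is an assumption.
SAMPLE_DUMP = """\
alice@hotmail.example:lafaroleratropezoooooooooooooo
bob@hotmail.example:12345
carol@hotmail.example:
dave@hotmail.example:)
erin@hotmail.example:12345
frank@hotmail.example:iiL4wi7p
grace@hotmail.example:123456
heidi@hotmail.example:qwerty:)
ivan@hotmail.example
"""

# Assumed minimum password length the real service enforces (a commenter in this
# thread says no provider accepts fewer than 6 characters).
MIN_LEN = 6


def parse_dump(text):
    """Yield (user, password) for each well-formed line; lines without a
    separator are skipped as unparseable."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, pw = line.split(":", 1)  # a password may itself contain ':'
        yield user, pw


def analyse_dump(text, min_len=MIN_LEN):
    """Summarise a credential dump the way the quoted analysis did, plus a count
    of entries the service's own length policy would never have accepted."""
    entries = list(parse_dump(text))
    with_pw = [(u, p) for u, p in entries if p]  # drop "no password" entries
    pws = [p for _, p in with_pw]
    if not pws:
        return {"parsed": len(entries), "with_password": 0}
    counts = Counter(pws)
    top, top_n = counts.most_common(1)[0]
    return {
        "parsed": len(entries),
        "with_password": len(with_pw),
        "unique": len(counts),
        "longest": max(pws, key=len),
        "shortest": min(pws, key=len),
        "most_common": top,
        "most_common_count": top_n,
        # Entries shorter than the policy minimum are evidence that the kit
        # never validated what it captured against the real login page.
        "below_min_len": sum(1 for p in pws if len(p) < min_len),
    }
```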
    17. Re:Wow! by Anonymous Coward · · Score: 0

      There is a friend of mine who shall remain nameless. On Steam you will often get phishing attempts. When I come across one, I forward the link to him. He has a bit of server space and the free-time and inclination to write scripts that load up their forms with tons and tons of junk data. It's basically his hobby.

    18. Re:Wow! by cinderblock · · Score: 1

      Seriously... I'm sure there are other people here who would knowingly go to the phishing page and deliberately enter garbage just to screw with the dicks who are trying to scam accounts.

      I do this.

      The biggest annoyance with entering bad data is actually Firefox . It makes me click through the phishing warnings before posting my bogus info.

      I also usually leave them a message in the bogus data.

      PS. How did you guys guess my password!? "lafaroleratropezoooooooooooooo" was picked because I couldn't even remember it!

    19. Re:Wow! by blackest_k · · Score: 1

      problem here is when your account gets hacked your contacts list gets emailed and your contacts get phished. I had two emails the other week supposed to be sent from a friend's account to see if I was blocked on msn by them. first thing it wanted was my hotmail account and password.

      I'm not stupid enough to fall for that but I know people (obviously) who are and might trust an email which appears to come from someone they trust.

    20. Re:Wow! by bloodhawk · · Score: 1

      seriously do people even bother to check their facts anymore. Hotmail doesn't allow the password 12345 as it doesn't even meet their basic length requirement. Seriously what has happened here is people that realise it is a phishing site are putting in garbage details and the people running the site are too stupid to even bother to clean the garbage out of their data.

    21. Re:Wow! by eihab · · Score: 1

      On a side note, try dialing numbers like 1-800-F**K-OFF. Last time we checked (party, late at night) they were assigned.

      It could have been any of the following (or more):

      1800-dual-Ned
      1800-dual-med
      1800-dual-nee
      1800-dual-odd
      1800-dual-ode
      1800-dual-off

      Courtesy of http://www.phonespell.org/

      --
      If you can't mod them join them.
    22. Re:Wow! by conureman · · Score: 1

      Not that I'm completely antisocial, but I do not and never have had a contacts list. The only email I receive is from my son's school, and I never click on any unsolicited e-mail. I don't frequent commercial websites either, except for news, and if they give me unwanted popunders they get blocked at the router. I mainly surf on USDA and Forest Service sites, and some Canadian and British Columbia government sites. I seldom encounter problems. I actually average about three SPAM E-mails per month, so it's not a lot of work anyway. If I did fall for any attack, fdisk is an old, familiar friend.

      --
      The cost of that cleanup, of course, will be borne by taxpayers, not industry.
    23. Re:Wow! by Anonymous Coward · · Score: 0

      bullshit. the passwords would have been in plain text because the h4x0rz would have simply recorded the plain text which they were able to log in with. derr. eg try password "iamanidiot" . oh it didn't work. try next password, "idiot123". successfully logged in . record username and password "idiot123"

      It sounds like there was no phishing just brute forcing of accounts with stupid-fuckwit passwords.

      The people who use passwords like 12345 deserve this. maybe it will finally teach them the lesson that their smarter family members and friends have been trying to get through their thick skulls for years.

    24. Re:Wow! by thejynxed · · Score: 1

      Wow....your internet life must be extremely boring :)

      If I want to hear Forest Service stuff, I just ask the girl in the next apartment over, who works for the Forest Service.

      Other than that....USDA? For the love of all that is holy, I hope it is work related.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    25. Re:Wow! by dogeatery · · Score: 1

      He also has 500 cable channels. All blocked out, except for the driftwood channel, which he believes is educational

    26. Re:Wow! by conureman · · Score: 1

      I grew up in Livermore, California, and developed a deep appreciation for life-giving shade. I am trying to learn what it takes to create a viable environment for life, in the face of urban obstacles &c. The hippies are calling it "sustainability", I'm just trying to set up an environment for my grandchildren, and the salmon that depend on my little hectare of Canadian watershed. No, it isn't work related, I am a tree geek.

      --
      The cost of that cleanup, of course, will be borne by taxpayers, not industry.
    27. Re:Wow! by conureman · · Score: 1

      There is a friend of mine who shall remain nameless. About ten years ago, he would trace each SPAM that arrived in his mail server, and contact the ISP admin to report the abuse, and demand action to curb it. Ah, the good old days...

      --
      The cost of that cleanup, of course, will be borne by taxpayers, not industry.
    28. Re:Wow! by blackest_k · · Score: 1

      I'm a little puzzled, I think we are perhaps divided by a common language. My contacts list is a list of known email contacts with names and associated email addresses stored within my email program. I remember my friends' and family's names, not their email addresses, so when I want to email them I use their name and the software offers the email address associated with them.

      If there are two or more people you email I would consider that a list, perhaps a short one of contacts.
      I think you must be pretty rare as someone who uses the Internet and doesn't ever use email to communicate with friends or family.

      I think you might have thought I meant a list of people I mass mail junk to, no I don't do that. However I hope you can see that the list of peoples email addresses stored on my email account could be used as a destination for phishing spam. This would perhaps be taken at face value coming from a trusted source.

    29. Re:Wow! by conureman · · Score: 1

      I read once of a virus using the contacts list to propagate to new victims. Since then, I have not allowed any names to be stored there. I keep email addresses in my wallet, with my phone numbers for my cordless phone. I also don't let my computer save my password, simple as it is.

      --
      The cost of that cleanup, of course, will be borne by taxpayers, not industry.
  2. HA! My password is 123456 by objekt · · Score: 4, Funny

    With an extra digit for security! ;-)

    --
    -- Boycott Shell
    1. Re:HA! My password is 123456 by crunch_ca · · Score: 2, Interesting
      From the FA, the longest password hacked was: "lafaroleratropezoooooooooooooo" (30 characters).

      This was a phishing attack. The strength of the password didn't matter.

      The article talks about analysis of password data and doesn't really point out anything we didn't know already.

    2. Re:HA! My password is 123456 by ballpoint · · Score: 4, Funny

      Mine is 123455. I have appended a checksum digit to make sure I don't enter a wrong password by mistake.

      --
      Flourescent (adj): smelling like ground wheat.
    3. Re:HA! My password is 123456 by blackfrancis75 · · Score: 1

      so, our passwords should really be just a long string of 'z' characters, because in the case of a brute-force attack, all-z's would be the last combination tried, and therefore give the authorities the maximum amount of time to catch them before they can complete!

  3. 12345? by Zortrium · · Score: 2, Funny

    That's the kind of thing an idiot would have on his luggage!

    1. Re:12345? by FJGreer · · Score: 2, Funny

      But that's what's on my luggage!

      --
      Behold! Uh, what was I going to say?
    2. Re:12345? by Anonymous Coward · · Score: 0

      Like it matters. The only people who've ever broken into my luggage were US customs, and they just cut the lock to get in. Damn annoying too: I had to re-iron 2 shirts!

  4. Strong password by war4peace · · Score: 3, Funny

    See, that's why they got their accounts hacked. I use 67890 on all my accounts so I'm sure they'll never get hacked :)

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  5. much hype on this story by ei4anb · · Score: 1
    for which definition of many?

    $ grep gmail pwd.txt | wc -l
    25

    1. Re:much hype on this story by Anonymous Coward · · Score: 0

      Did you try this as well?

      $ grep googlemail pwd.txt | wc -l

    2. Re:much hype on this story by frenchbedroom · · Score: 1

      Faster to type:

      $ grep -c gmail pwd.txt
      25

    3. Re:much hype on this story by Xtifr · · Score: 1

      Yes, but overly specific to grep. "|wc -l" works with all sorts of commands, so it's often easier to stick with the most general solution, rather than trying to learn which specific commands have unnecessary, redundant features, unless performance is actually an issue. I often start with grep, and then realize that I've got to reduce the noise and mis-hits by extracting the fields I need with sed or some other tool, which is why I rarely bother to even remember that grep even has a "-c" option.

  6. I have a real programmer's password by Biff+Stu · · Score: 4, Funny

    012345

    1. Re:I have a real programmer's password by Anonymous Coward · · Score: 0

      11000000111001

    2. Re:I have a real programmer's password by Anonymous Coward · · Score: 0

      3,I4lSgZG53S8g79EZ38AbZb4E38

    3. Re:I have a real programmer's password by 93+Escort+Wagon · · Score: 2, Funny

      012345

      That's why Microsoft thought "12345" was a reasonably secure password - they figured most hacking and phishing attacks would be coming from Linux or BSD boxes, so those people would never think of starting to count with a "1".

      --
      #DeleteChrome
    4. Re:I have a real programmer's password by DarthVain · · Score: 1

      Don't you mean: 11000000111001 or 3039

    5. Re:I have a real programmer's password by Anonymous Coward · · Score: 0

      012345

      Nah, mine is 0x3039

    6. Re:I have a real programmer's password by baKanale · · Score: 1

      I can't read that. If you type in your password, it will show to us as stars. But when I type my password it shows to you as *******. Neat, huh?

    7. Re:I have a real programmer's password by noidentity · · Score: 1

      And I have a real C programmer's password:

      012345&*M%HJOJNVFGPLkoPWHJrcp,k0cY$PO JO9 P[-97 YTJJY93528 [SIGSEGV detected]

    8. Re:I have a real programmer's password by Anonymous Coward · · Score: 0

      I used to use '12345' but I have since applied ROT13 encryption to said password.

    9. Re:I have a real programmer's password by MentlFlos · · Score: 1

      3,I4lSgZG53S8g79EZ38AbZb4E38

      mmmmm, pi[e]

    10. Re:I have a real programmer's password by Bai+jie · · Score: 1

      Wow! So I can type 12345 and you don't see anything but stars? Cool!

    11. Re:I have a real programmer's password by Anonymous Coward · · Score: 0

      Wow! So I can type ***** and you don't see anything but stars? Cool!

      Yup, stars. Cool, huh?

    12. Re:I have a real programmer's password by Anonymous Coward · · Score: 0

      Mine is 11000000111001

  7. I don't know.... by Random2 · · Score: 4, Funny

    This all sounds a bit....phishy to me.

    --
    "Our goal each year should be to increase the number of goals we set for ourselves!"
    1. Re:I don't know.... by Anonymous Coward · · Score: 0

      YEEAAAAAH!

  8. Re:Heh by Anonymous Coward · · Score: 0

    It's actually spelled "knew."

  9. Where are the details? by Kadin2048 · · Score: 5, Insightful

    All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

    Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Where are the details? by royallthefourth · · Score: 1

      That's all very interesting stuff, but even more importantly: how do I know if I've been affected?

    2. Re:Where are the details? by John+Hasler · · Score: 3, Funny

      > ...how do I know if I've been affected?

      Are you a fool? If not you are ok.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:Where are the details? by Anonymous Coward · · Score: 0

      Are you a fool?

      Oh boy, he's totally screwed then....

    4. Re:Where are the details? by royallthefourth · · Score: 3, Insightful

      > ...how do I know if I've been affected?

      Are you a fool? If not you are ok.

      If the source is something like DNS poisoning, then it's not that simple. I already know my ISP to be a bunch of fools, but I have little choice in that matter.

    5. Re:Where are the details? by MeBot · · Score: 2, Insightful

      Your advice is not helpful. What percentage of fools think they are fools?

    6. Re:Where are the details? by Jeng · · Score: 2, Informative

      It was an email saying that one's inbox was too full and to reply with username and password to have the limit increased.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    7. Re:Where are the details? by jim_v2000 · · Score: 4, Funny

      Ah, but only a great fool would fall for such an attack, and I am no great fool, so clearly I cannot click the link. But you must know that I am no great fool and thus I cannot not click the link....

      --
      Don't take life so seriously. No one makes it out alive.
    8. Re:Where are the details? by CrossChris · · Score: 5, Informative

      How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link?

      It's trivially easy - remember, the affected fools were Windows "users". There was a huge spam campaign that sent mails that appeared to a casual glance, to come from Hotmail. The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used. When they logged in to the spurious website, they were thanked for their prompt action, and then advised to log out and restart their browser "for security", and then to log in to Hotmail again (which, of course, would work normally).

      There's one born every minute.....

    9. Re:Where are the details? by Anonymous Coward · · Score: 0

      I don't consider myself a fool, and I'm quite wary of phishing attacks. However, one of my gmail accounts was flagged for a password change a couple of days ago.

      They just said 'suspicious activity' and didn't really tell me details.

      I would assume it wasn't as simple as a 'Send us your login information so we can see if you won a million dollars' things.

    10. Re:Where are the details? by maxwells_deamon · · Score: 1

      From one article which was poorly written I think the plan was this:

      1) From broken email account send to known email connections a note asking to visit cool shopping site
      2) Victim goes to site and keylogger is installed
      3) Sniff userid/password
      4) Go to step 1

      Not much actual phishing here but the article was poorly written and there were hints that they did not really know what was going on, they were just looking at list of broken accounts.

    11. Re:Where are the details? by Magrovsky · · Score: 1

      http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/

      According to security researcher Bogdan Calin, it seems like the passwords were gathered using a phishing kit, targeting the Latino community

      Only 64 out of the 9843 valid passwords leaked were "12345", which indicates that it wasn't a brute force attack on stupid people. Still, the majority of the passwords leaked were weak (lower case or numeral only).

    12. Re:Where are the details? by swanzilla · · Score: 1

      Your advice is not helpful. What percentage of fools think they are fools?

      Approximately 12345 out of 123456.

    13. Re:Where are the details? by John+Hasler · · Score: 1

      The articles make it pretty clear that the sources are phishing attacks. In any case, though, the victim has to have used the same password for a Webmail account and a valuable one such as a bank account in order to be at risk of significant loss. In other words, be a fool.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    14. Re:Where are the details? by Anonymous Coward · · Score: 0

      Are you a fool? If not you are ok.

      Fools always answer that with "No." People who aren't fools tend to answer with "Maybe."

      But well done -- you've just encapsulated why programmers often do a bad job of developing interfaces.

    15. Re:Where are the details? by vanyel · · Score: 4, Interesting

      Saturday, the small ISP I work for had about 1000 users targeted with phishing emails. It's becoming a nearly weekly occurrence, though that was the largest so far. I've had to set up scripts to scan the logs to see who got the messages, send them warning messages, then scan the logs again to see who replied and reset their passwords. In one case, we had a spammer using a responder's account to try to send spam within 2 hours of the response. Squirrelmail is the most common vector, with smtp auth not uncommon. I've had to impose strict rate limit controls on squirrelmail to keep from getting blacklisted all the time; I've got monitors to page me when smtp auth rates get too high, but the false positive rate is too high to impose hard limits at the moment, though we're heading in that direction.

      BTW, it's not a good idea to respond to phishers with "F! off" etc: more than one responder doing that has found their address used shortly thereafter in the From of the next round of spam...

    16. Re:Where are the details? by Havokmon · · Score: 1

      All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

      Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

      I run an email service, and regularly get emails like this:

      From: Support@MyService
      Subject: Service Upgrade

      Please send your password so we can migrate your account to our new servers..

      Every time it happens I block the sender and recipient addresses, and grep the logs to verify nobody fell for it. If I'm quick enough, it doesn't matter, but people have fallen for it before I see the fake email.

      Rick

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    17. Re:Where are the details? by Dragee · · Score: 1

      Incorrect. How many banks (and other online services) reset their account passwords by sending a link to your primary email account? 0wn the email, 0wn the person (all too often).

      --
      dragée (n): a sugarcoated nut
    18. Re:Where are the details? by John+Hasler · · Score: 1

      > How many banks (and other online services) reset their account passwords by
      > sending a link to your primary email account?

      Only a fool relies on free webmail for important things such as communicating with banks, and only a fool does business over the Net with banks so incompetent as to email such links.

      > 0wn the email, 0wn the person (all too often).

      Which is why free webmail is not suitable for anything important.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    19. Re:Where are the details? by Dan541 · · Score: 1

      Only 8.1% ?

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    20. Re:Where are the details? by Kakao · · Score: 1

      Set OpenDNS as your DNS server

      --
      2011. The year Gnome decided Linux will never be on the desktop.
    21. Re:Where are the details? by bloodhawk · · Score: 1

      Well I am with 2 separate banks and 3 stock trading organisations and NONE of them would ever get a password reset by email (how do I know? cause I have had to go through the pain of getting them reset as a precaution after I was robbed). They ALL required you to phone them and verify identity before they would send you a letter by snail mail with the details. If you are with a bank that sends out such financially critical information via email I suggest you dump them like the smelly turd they are.

    22. Re:Where are the details? by Anonymous Coward · · Score: 0

      Truly your intellect is dizzying

    23. Re:Where are the details? by jc42 · · Score: 1

      The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used.

      Yeah, and I've been getting phishing messages like that for several years now, at all of my email accounts. So why is it suddenly a big story? Did the MSM reporters just now discover this kind of attack? Or maybe there has been a huge increase in the incidence recently? Or maybe someone at /. just learned about what's been going on for years? I haven't noticed any major increase, though I might not because the filters on my accounts are all reasonably good at spotting them and tossing them out.

      So why is this a news story? Is it just because some "important" users of hotmail got bitten by it?

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  10. Remind me by Dareth · · Score: 4, Funny

    "Remind me to change the password on my luggage!"

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  11. Re:Heh by Anonymous Coward · · Score: 0

    *too

  12. Preaching to the church by HNS-I · · Score: 1, Insightful

    I know I'm preaching to the church but a good way to make a password is to make up a sentence and take each first letter, convert some to capitals and numbers and you will never ever forget it.

    It is like a walk in the park. iilawitp iiLawitp iiL4wi7p voila!

    1. Re:Preaching to the church by TheRaven64 · · Score: 4, Interesting
      For your example, you might consider using a park that has some significance to you and capitalise the proper nouns, and numbers that actually make sense, to get something that is easier to remember. For example:

      'Ten minutes to Central Park, and eat pretzels' becomes 10mtCP,&ep, which is trivial to remember for you (well, it is if you live ten minutes from Central Park and like pretzels). Keeping the punctuation in doesn't make it any harder to remember but adds another non-alphanumeric character. And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember, turns into a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.

      --
      I am TheRaven on Soylent News
    2. Re:Preaching to the church by clone53421 · · Score: 4, Informative

      And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember,

      Real grammar nazis also know that it wasn't a sentence.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    3. Re:Preaching to the church by Romancer · · Score: 1

      This is all well and good until you happen upon a website, network, or system that hasn't thought to allow all special characters in the password field. This is the other side of password theory that admins don't get. If you want really secure passwords, don't limit what they can be made of. Some don't allow or keep uppercase, some don't allow non-alphanumeric characters. So your password must be slightly different than you would make by default and therefore remember on the first try after a while not using it.

      This is sometimes in the software they use and not even a setting. There have been many examples but I think that one of the best was a website that had a hyphen in the name but did not allow hyphens in the url of an account "website" field when setting it up. They didn't think that anybody would have it, but they themselves did.

      No standards are so good that they are not to be followed by those with them in place.

      --


      ) Human Kind Vs Human Creation
      ) It'd be interesting to see how many humans would survive to serve us.
    4. Re:Preaching to the church by Jaguar777 · · Score: 1

      If this becomes standard practice I predict the new common password will be "The quick brown fox jumps over the lazy dog".

      --
      Maybe you should educate the morons of tomorrow so they'll stop believing the leaders of tomorrow. - Dogbert
    5. Re:Preaching to the church by Anonymous Coward · · Score: 2, Funny

      Real grammar nazis also know that it wasn't a sentence.

      I love you. Will you marry an anonymous coward?

    6. Re:Preaching to the church by clone53421 · · Score: 2, Funny

      Your Relationship with Anonymous Coward (666)
      Sorry, this is not an option.

      Doesn't look like it. Sorry.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    7. Re:Preaching to the church by TheRaven64 · · Score: 2, Interesting

      With the Psion Series 3, you could enter characters by their ASCII code (no unicode, this was 1993) by holding down a modifier. I thought this would be great for a password; no one would ever guess that they had to hold down a modifier while entering some digits in the middle of the password. It turned out that the password entry box in the settings pane did, indeed, allow this kind of thing. Unfortunately, the first time I locked the device afterwards, I discovered that the password entry box for unlocking did not. That said, I haven't come across anything for a long time that didn't allow upper and lower case and numeric fields (although some discarded the case information). A few don't allow non-alphanumerics, but it's easy to just omit them from the passwords for those sites.

      --
      I am TheRaven on Soylent News
    8. Re:Preaching to the church by ender- · · Score: 1

      For some of my passwords I do something similar. I take a line from a song I like and use the first letters of that to create a password. Like one old one I used to use was from a Collin Raye song:

      "What if Jesus comes back like that?"

      Which became: "WiJcblt?"

      Pick a song you like or will remember, and it's almost impossible to forget your password. /Yes I like that song //and yet I'm agnostic ///go figure

    9. Re:Preaching to the church by Anonymous Coward · · Score: 0

      On the Apple II (yes, I'm old...) you could hold down the control key while typing the alphabet. This would enter the ASCII codes 1-26, corresponding to each letter. This was legal in filenames, so you could easily protect a file by calling it GO[CTRL-D]AWAY, for example. There were ways that you could get the hidden letters displayed, but it wasn't exactly common knowledge.

      The only downside was that CTRL-G = ASCII 7 = beep! so if you used that letter the noise when you displayed a directory would give a hint. Of course, some people used this for the annoyance factor, too.

    10. Re:Preaching to the church by neurovish · · Score: 1

      I know I'm preaching to the church but a good way to make a password is to make up a sentence and take each first letter, convert some to capitals and numbers and you will never ever forget it.

      It is like a walk in the park. iilawitp iiLawitp iiL4wi7p voila!

      ...or you could just use "It is like a walk in the park." and have something that couldn't be brute-forced in a few hours.

    11. Re:Preaching to the church by Anonymous Coward · · Score: 0

      Or just use the sentence or phrase. It's a lot easier, and even more secure.

      No password generator is going to guess:

      "At every turn"
      "Don't be afraid"
      "It's one in a million"

      On the other hand, given enough time, a password generator will guess iiL4wi7p (maybe not as likely at 8 characters long, but the idea is still true as we move further into the future).

      The dumbest thing is when sites restrict character usage within their password requirements. It is stupid to limit characters, and only aids in making passwords simpler to crack (smaller range of passwords possible) and harder for people accustomed to using those characters (spaces, in my case) to come up with good passwords.

    12. Re:Preaching to the church by BassMan449 · · Score: 1

      Why bother doing that and just use the sentence. One of my favorite suggestions that I heard was to use a line from a song that you like. If you use something that is 4-6 words long there is no way it will be guessed. It's also easier to remember because your brain can process actual English easier than it can type gibberish.
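
The first-letter method from the parent post, and the argument in the replies about whether the short mnemonic or the whole sentence is the stronger secret, as an added example (editor's code, not from any post in this thread). It derives the mnemonic, applies the "capitals and numbers" step, and puts numbers on the two attacker models the replies are comparing. The digit substitutions, the 20,000-word vocabulary and the 10^10 guesses/second offline rate are assumptions chosen to be representative of a fast unsalted hash on cracking hardware:

```python
import math
import string

# Letter-to-digit substitutions for the "convert some to numbers" step.
# An assumption for illustration, not a standard.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def mnemonic(sentence: str, keep_punct: bool = True) -> str:
    """First character of every word as written, so proper nouns keep their
    capital; punctuation that ends a word is kept when keep_punct is set."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        if keep_punct and len(word) > 1 and word[-1] in ",.!?;:":
            out.append(word[-1])
    return "".join(out)


def mangle(pw: str, upper_at=(), digit_at=()) -> str:
    """The 'capitals and numbers' step, applied at the given 0-based positions."""
    chars = list(pw)
    for i in upper_at:
        chars[i] = chars[i].upper()
    for i in digit_at:
        chars[i] = LEET.get(chars[i].lower(), chars[i])
    return "".join(chars)


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def bruteforce_bits(pw: str) -> float:
    """Bits to search when the attacker knows only length and character set,
    which is the 'brute force' the posts above have in mind."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(sentence: str, vocab: int = 20_000) -> float:
    """Bits for a plain sentence under the more realistic attacker who guesses
    word by word from a common-word list of size vocab (an assumed figure).
    A famous or quoted sentence is far weaker than this: it is one entry in a
    phrase list, not a product of independent word choices."""
    return len(sentence.split()) * math.log2(vocab)


def hours_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Hours for an offline attacker at the assumed rate (a fast, unsalted
    hash on GPU hardware) to try every candidate in a space of 2**bits."""
    return 2 ** bits / guesses_per_second / 3600


if __name__ == "__main__":
    sentence = "It is like a walk in the park."
    short = mangle(mnemonic(sentence, keep_punct=False).lower(),
                   upper_at=(2,), digit_at=(3, 6))
    for label, bits in [(short, bruteforce_bits(short)),
                        (sentence, passphrase_bits(sentence))]:
        print("%-32s %6.1f bits  %.2e hours" % (label, bits, hours_to_exhaust(bits)))
```

Under these assumptions the eight-character mnemonic `iiL4wi7p` lives in a 62^8 space, about 47.6 bits, which the assumed rig exhausts in roughly six hours; the full sentence scores over 100 bits even when the attacker is guessing whole dictionary words rather than characters. The caveat in `passphrase_bits` matters: a line everyone knows (the "quick brown fox" case raised above) is effectively a single dictionary entry, and crackers do keep lists of first-letter mnemonics of famous phrases.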

    13. Re:Preaching to the church by Alok · · Score: 1

      What happens if you move away from Central Park? ;)

    14. Re:Preaching to the church by TheRaven64 · · Score: 1

      Then you change your password, obviously...

      --
      I am TheRaven on Soylent News
    15. Re:Preaching to the church by maxume · · Score: 1

      The #1 reason is that many systems will reject it for being too long...

      --
      Nerd rage is the funniest rage.
    16. Re:Preaching to the church by Bill+Dog · · Score: 1

      What sucks is when the web sites don't know that they don't allow for example punctuation characters in passwords. So then they let you create an account that you can't log into!

      --
      Attention zealots and haters: 00100 00100
    17. Re:Preaching to the church by dr_blurb · · Score: 1

      For some of my passwords I do something similar. I take a line from a song I like and use the first letters of that to create a password.

      Same here. I pick an easy to remember phrase, and add some digits and a symbol for good measure. FYI, I wrote up some notes on Google gmail security recommendations.

    18. Re:Preaching to the church by GofG · · Score: 1

      I generally have found a much safer method of picking a password. My current password, for instance, is: arthurcclark'); DROP TABLE Users;-- After using that particular password, no one will ever gain unauthorised access to any account on that particular website. I highly recommend it.

      --
      GFA/M/S d-- s: a--- C++++ UBL++$ P+ L+++ !E- W++ N+ !o K- w--- !O !M !V PS++ PE Y+ PGP+ t+++ 5- X+ R tv@ b++ DI++++ D+ G
    19. Re:Preaching to the church by Drakkenmensch · · Score: 1

      This short sentence, which anyone can remember, turns in to a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.

      I'm personally a fan of made-up words that have absolutely zero significance to anyone but me.

    20. Re:Preaching to the church by Bai+jie · · Score: 1

      What also sucks is when systems don't allow you to begin and/or end a password with a numeral. I hate restrictive password policies that make lame assumptions about the security of my password based on the fact that the first/last character is a number.

    21. Re:Preaching to the church by Quirkz · · Score: 1

      PhpBB bulletin boards, for the loss on this one. Took me an hour the first time to realize that the admin account I'd created was throwing out a special character in the middle of the password and keeping the rest.
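
The failure mode the last several posts describe (a site that silently strips or rejects characters on one path and not the other, so the account is created with a password that never works) reproduced in code, beside the version that does not have the trap. This is an added example written for this page, not code from phpBB or any site mentioned above; the class names, the iteration count and the length limits are assumptions:

```python
import hashlib
import hmac
import os
import re
import unicodedata

# PBKDF2-HMAC-SHA256 iterations, kept low so the example runs quickly;
# use a much larger count (or a memory-hard KDF) in a real deployment.
ITERATIONS = 50_000


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class BrokenUserStore:
    """The trap the posts describe: sign-up quietly strips anything outside
    [A-Za-z0-9], log-in does not, so the account is created and the password
    the user chose never works (while a mangled version of it does)."""

    def __init__(self):
        self.users = {}

    def register(self, name: str, password: str) -> None:
        cleaned = re.sub(r"[^A-Za-z0-9]", "", password)  # silent, no error shown
        salt = os.urandom(16)
        self.users[name] = (salt, derive(cleaned, salt))

    def login(self, name: str, password: str) -> bool:
        salt, stored = self.users[name]
        return hmac.compare_digest(derive(password, salt), stored)


class FixedUserStore:
    """Same interface without the trap: any Unicode text is accepted (spaces,
    punctuation, a leading or trailing digit), the only rule is a length range
    (the cap bounds hashing cost), and the single canonicalisation step runs
    identically on both paths so what is stored is what is checked."""

    MIN_LEN, MAX_LEN = 8, 128

    def __init__(self):
        self.users = {}
        # Dummy record so an unknown user still costs one KDF run and does not
        # answer faster than a real one (no user-enumeration timing oracle).
        salt = os.urandom(16)
        self._dummy = (salt, derive(os.urandom(16).hex(), salt))

    @classmethod
    def canon(cls, password: str) -> str:
        pw = unicodedata.normalize("NFKC", password)  # same on both paths
        if not cls.MIN_LEN <= len(pw) <= cls.MAX_LEN:
            raise ValueError("password must be %d to %d characters"
                             % (cls.MIN_LEN, cls.MAX_LEN))
        return pw

    def register(self, name: str, password: str) -> None:
        pw = self.canon(password)  # rejects loudly; never alters content
        salt = os.urandom(16)
        self.users[name] = (salt, derive(pw, salt))

    def login(self, name: str, password: str) -> bool:
        try:
            pw = self.canon(password)
        except ValueError:
            return False
        salt, stored = self.users.get(name, self._dummy)
        return hmac.compare_digest(derive(pw, salt), stored) and name in self.users
```

The practitioner check is the pair of assertions in the test: with the broken store, `rOf1m@0z` (the password from the Ban-them subthread) fails and `rOf1m0z` succeeds, which is exactly the "can't log into the account you just created" symptom. The fixed store either takes the password verbatim or refuses it with an error at sign-up; it never transforms it and then lets the user walk away.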

  13. Ban them. by Magrovsky · · Score: 4, Insightful

    People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

    1. Re:Ban them. by Killer+Orca · · Score: 3, Funny

      People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

      Hey I play with my purple internet buddy each time I go on the computer and have never hurt myself or anyone else!

    2. Re:Ban them. by ibsteve2u · · Score: 5, Funny

      People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves.

      Didn't they use to call that "AOL"?

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
    3. Re:Ban them. by Cocoronixx · · Score: 1

      .... Meant to mod this 'Insightful', mouse decided it was 'Redundant'. Cool how slashdot 2.0 has a (mandatory) preview for messages, but not for moderation.

      --
      "Obscenity is the crutch of the inarticulate motherfucker." - cloak42
    4. Re:Ban them. by rocketPack · · Score: 2, Insightful

      Something tells me that the majority of these accounts were probably never really used. They are probably throw-away emails, created to get that "One day free pass" to various porn sites, or as general spam-traps.

      I think it ought to be policy that derelict accounts, ESPECIALLY those which have weak passwords, be 'locked' after a period of inactivity. Reactivation could be accomplished with, say, a series of difficult CAPTCHAs so the account is always able to be 'revived' but not hijacked like this.

      It just seems irresponsible to have such a lack of control over these kinds of things...

    5. Re:Ban them. by Anonymous Coward · · Score: 0

      Maybe you just need an idiot-proof mouse (HINT: advertising your clumsiness is a really big clue). We certainly can't expect slashcode to be idiot-proof, since it's actually written by idiots. :P

    6. Re:Ban them. by fprintf · · Score: 1

      If your buddy turns purple, you're doing it wrong.

      --
      This post brought to you by your friendly neighborhood MBA.
    7. Re:Ban them. by Anonymous Coward · · Score: 0

      You know what ph1shing even means?

      If these are throwaway accounts (for which all the sane people use dedicated services like slopsbox these days), then why the hell are those users taking ph1shbait? Besides, generally the people who can be ph1shed aren't clever enough to use throwaway accounts to block spam. I guess your pr0n example makes sense, but still leaves wtf they would be reading the ph1shbait if they already tossed the account.

    8. Re:Ban them. by StDoodle · · Score: 1

      Alternatively, maybe the webmail providers should set more strict rules for the passwords.

      I'm not a fan of this idea, simply because just about every site I've seen that decides to enforce 'password security' also decides to do stupid crap like disallowing special characters. They won't allow a password such as 'rOf1m@0z' in favor of what they consider 'secure,' such as 'passWord123' -- blargh!

    9. Re:Ban them. by Jeng · · Score: 1

      Which then forces you to make a password specific for that login, which of course will not be remembered.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    10. Re:Ban them. by CCFreak2K · · Score: 1

      As AC put it earlier (and got a 0 for it), phishing means everyone listed actually used their e-mail accounts at the time. What you're thinking of is if the databases of these services were somehow cracked...which is not the case.

      --
      "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
    11. Re:Ban them. by austin987 · · Score: 1

      I'll defend my right to lolcats to the death!

    12. Re:Ban them. by ignavus · · Score: 2, Insightful

      But the problem wasn't their passwords. The problem was that they clicked on a bad link, went to a dangerous site, and typed in their password.

      Their password could have been the most ueber-elite 32 unicode-character password containing symbols from 5 different writing systems. It wouldn't have mattered.

      Give a technological idiot a perfect password, and they will hand it over to the first social engineering attack they meet.

      --
      I am anarch of all I survey.
  14. a scary thing of manipulating URL? by k6mfw · · Score: 1

    I get these phishy emails all the time but I look at the actual URL and see it is not actually coming from the service or agency. One time I saw it vectored to a site which I did a whois lookup of the domain name and it listed the name, address, and phone number of someone in southern Calif (not China). However, the scary thing is what happens if these people figure a way to "scoop" or "fraud" (whatever) the URL displayed on bottom of my browser window and in the address bar? But on identity theft they say most of it was done with basic skills like going through someone's trash or bank employees (72% of banks report employees committed fraud).

    --
    mfwright@batnet.com
    1. Re:a scary thing of manipulating URL? by Anonymous Coward · · Score: 0

      I've adopted the personal policy that I never click on a URL in an email. Go to the site manually if it's something worth viewing.

    2. Re:a scary thing of manipulating URL? by defaria · · Score: 1

      I get these phishy emails all the time but I look at the actual URL and see it is not actually coming from the service or agency. One time I saw it vectored to a site which I did a whois lookup of the domain name and it listed the name, address, and phone number of someone in southern Calif (not China).

      At which point you should have called them and informed them of the illegal activity. And if they didn't respond with a "Thanks for reporting this and we'll get right on it" but instead hung up then follow up with a call to the FBI. That's how you stop such behavior!

      However, the scary thing is what happens if these people figure a way to "scoop" or "fraud" (whatever) the URL displayed on bottom of my browser window and in the address bar?

      That's why you "Use the source Luke". Look at the actual source of the message and see in plain text there (well HTML with tags but it's all ASCII and usually not that hard to figure out) what the exact actual URL is. And if you have a mailer that is incapable of showing you the actual source then I suggest to you that you need a better mailer!

      But on identity theft they say most of it was done with basic skills like going through someone's trash or bank employees (72% of banks report employees committed fraud).

      Exactly, which is why most of the hype about this is just that hype. However when you are dealing with large numbers there will be a percentage of people who really are that stupid. It's why we have spam and why we have phishing in the first place...

    3. Re:a scary thing of manipulating URL? by clone53421 · · Score: 1

      However, the scary thing is what happens if these people figure a way to "scoop" or "fraud" (whatever) the URL displayed on bottom of my browser window and in the address bar?

      Only if your e-mail reader enables Javascript in HTML e-mails... and if so, GET A DIFFERENT ONE.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
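
The "look at the actual URL" advice in the last few posts, turned into a check that can run over the message source rather than relying on what the status bar shows: for every anchor whose visible text looks like a URL or domain, compare the host it claims with the host the href really resolves to. Added example, not from any post above; the sample message is constructed in the shape of the "verify your account" mail described elsewhere in the thread, and the domain comparison is a deliberate simplification (it strips a leading `www.` but does no public-suffix lookup):

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that itself looks like a URL or bare domain; if an anchor's
# text makes such a claim, the href had better agree with it.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host the browser would really connect to. User-info tricks
    such as http://mail.live.com@evil.example/ resolve to the part after the
    '@'. A leading www. is dropped so www.live.com and live.com compare equal."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html: str):
    """Return (visible text, href, reason) for anchors whose displayed host
    differs from the host the href actually goes to."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not URL_LIKE.match(text):
            continue  # "click here" style text makes no claim we can check
        shown, actual = host_of(text), host_of(href)
        if shown == actual or actual.endswith("." + shown):
            continue  # same site, or a genuine subdomain of the shown site
        if actual.startswith(shown + "."):
            reason = "shown host used as a subdomain of %s" % actual
        else:
            reason = "text shows %s but link goes to %s" % (shown, actual)
        findings.append((text, href, reason))
    return findings


# Constructed sample in the shape of the mail described in the thread;
# the hosts are documentation/example values, not real phishing sites.
SAMPLE_MAIL = """
<p>Your Windows Live account needs verification within 48 hours.</p>
<a href="http://mail.live.com.account-check.example/verify">http://mail.live.com/verify</a><br>
<a href="http://mail.live.com@203.0.113.5/login">https://mail.live.com/login</a><br>
<a href="https://www.live.com/help">live.com/help</a><br>
<a href="http://mail.live.com/">click here</a>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_MAIL):
        print("SUSPICIOUS:", reason, "| text:", text, "| href:", href)
```

Two of the four anchors are flagged: the brand name used as the leftmost label of an unrelated domain, and the `user@host` form where everything before the `@` is decoration. Anchors whose text is just "click here" are not checked, because there is nothing to compare against; those are the ones for which the "never click, type the address yourself" policy from the replies is the only defence.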
  15. Re:Heh by clone53421 · · Score: 1

    You caught "knew" but missed "too" and "it's really fucking stupid to post your e-mail address in the clear".

    In other words, whoosh.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  16. Re:Am I affected by flandar · · Score: 1

    If your password is even remotely similar to those listed, you should change it.

  17. Top 20 Passwords by osomoore · · Score: 1, Informative

    Top 20 most common passwords:
    123456 - 64
    123456789 - 18
    alejandra - 11
    111111 - 10
    alberto - 9
    tequiero - 9
    alejandro - 9
    12345678 - 9
    1234567 - 8
    estrella - 7
    iloveyou - 7
    daniel - 7
    000000 - 7
    roberto - 7
    654321 - 6
    bonita - 6
    sebastian - 6
    beatriz - 6
    mariposa - 5
    america - 5

    From 2 links deep (http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/)

    1. Re:Top 20 Passwords by Teun · · Score: 2, Interesting

      Which tells me there is an unusual number of Latino users among the 10K.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:Top 20 Passwords by clone53421 · · Score: 1

      Baloney. Everyone knows the most commonly used password is "password1".

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    3. Re:Top 20 Passwords by jonbryce · · Score: 1

      You should use something like P@55W0rd. Then nobody will guess it.

    4. Re:Top 20 Passwords by LordAndrewSama · · Score: 1

      your post just made me think a scary thought.
      to get these statistics, either:
      A) hotmail saves your passwords in cleartext at some point, OR
      B) people tell anyone who asks their passwords because it's a 'survey'.

      I may be missing something obvious, but I don't think it should be possible to get these sorts of statistics about passwords.
      Next thought, hopefully they send just an anonymous copy of the password to a random database in no way connected with the running of hotmail and in no way linking passwords to accounts, so maybe it is possible.

      This may be covered in TFA or TFS but I'm tired and went straight to the comments looking for the funny.

    5. Re:Top 20 Passwords by SleazyRidr · · Score: 1

      C) Numerous people gave their passwords to a phishing scam and the results from said scam were leaked.

    6. Re:Top 20 Passwords by am+2k · · Score: 1

      D) They only had the hash values and used a dictionary attack on them. That's kinda the point why those passwords are weak after all.

    7. Re:Top 20 Passwords by El_Oscuro · · Score: 1

      That only works if the hash isn't salted. I hope Microsoft isn't dumb enough to use unsalted hashes. If you use the userid or even better, some non-public part of the account as the salt, it is impossible. Of course, if you use a password like "password" or the combination to some idiot's luggage like "12345", then one really doesn't need the hash, now do they?

      --
      "Be grateful for what you have. You may never know when you may lose it."
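
The dictionary attack from the "D)" reply, run against the two storage schemes the last two posts compare. This is an added example (editor's code, not something from the thread or from any provider's implementation); the hashes, salts and accounts are constructed, and SHA-1 stands in for "some fast hash". What it demonstrates is the part worth checking: a per-user salt kills the shared precomputed table, so the cracker must redo the wordlist once per account, but every weak password on the list still falls, just later:

```python
import hashlib
import os

# Candidate list built from the kind of entries the leaked top-20 above shows;
# a real cracker uses millions of words plus mangling rules.
WORDLIST = ["123456", "123456789", "alejandra", "111111", "alberto",
            "tequiero", "iloveyou", "password", "password1", "qwerty"]


def h_unsalted(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


def h_salted(pw: str, salt: bytes) -> str:
    return hashlib.sha1(salt + pw.encode()).hexdigest()


def crack_unsalted(hashes: dict, wordlist) -> tuple:
    """hashes: {user: hexdigest}. One table serves every account, so the
    work is len(wordlist) regardless of how many users there are."""
    table = {h_unsalted(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records: dict, wordlist) -> tuple:
    """records: {user: (salt, hexdigest)}. The table cannot be shared, so the
    wordlist is hashed again for each account: the same weak passwords still
    fall, it just costs up to len(records) times more work."""
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            work += 1
            if h_salted(w, salt) == digest:
                cracked[user] = w
                break
    return cracked, work


def build_samples(passwords: dict):
    """Constructed databases for the same users under both storage schemes."""
    unsalted_db = {u: h_unsalted(p) for u, p in passwords.items()}
    salted_db = {}
    for u, p in passwords.items():
        salt = os.urandom(16)
        salted_db[u] = (salt, h_salted(p, salt))
    return unsalted_db, salted_db


# Constructed accounts: two with passwords from the leaked list, one with a
# first-letter mnemonic that is not in any wordlist used here.
SAMPLE_USERS = {"ana": "alejandra", "bob": "123456", "cy": "TmtCP,&ep"}

if __name__ == "__main__":
    u_db, s_db = build_samples(SAMPLE_USERS)
    for label, result in [("unsalted", crack_unsalted(u_db, WORDLIST)),
                          ("salted", crack_salted(s_db, WORDLIST))]:
        cracked, work = result
        print("%-8s cracked=%s hashes computed=%d" % (label, sorted(cracked), work))
```

Both runs recover the same two accounts; only the hash count differs. Salting is the right thing to do, but it is not what protects a user with `123456`; that needs a slow key derivation function on the server side and, on the user's side, a password that is not on the list at all.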
  18. Unencrypted passwords? by jhumkey · · Score: 1

    So Unix is 40 years old, and knew at birth what Microsoft still hasn't figured out. It's a bad idea to store unencrypted passwords. Got it.

    --
    No, I don't remember your name. But the memory mapped screen on a TRS80 from 1977 is from 15360 to 16383 if that helps.
    1. Re:Unencrypted passwords? by 4D6963 · · Score: 2, Informative

      Huh??? I thought that was collected by phishing? Yeah, sorry for getting in the way of your ritual MS bashing, but it's something that can affect any service since it's essentially social engineering. Kind of.

      --
      You just got troll'd!
    2. Re:Unencrypted passwords? by operagost · · Score: 1

      It's phishing. The passwords weren't stored encrypted; they were collected directly via the fake server. Also, please correct me if necessary, but wasn't the original passwd "encryption" just some kind of weak hash?

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    3. Re:Unencrypted passwords? by SnarfQuest · · Score: 1

      Remember, its "I before E, except after C"

      there are a lot of really smart people who can't remember this rule. Einstein really had a problem with it.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    4. Re:Unencrypted passwords? by Anonymous Coward · · Score: 0

      Got it.

      The only thing you "got" is laughed at. What an idiot.

    5. Re:Unencrypted passwords? by Anonymous Coward · · Score: 0

      Remember, its "I before E, except after C"

      there are a lot of really smart people who can't remember this rule. Einstein really had a problem with it.

      I didn't realize Einstein's name was English and subject to English spelling rules.

    6. Re:Unencrypted passwords? by Anonymous Coward · · Score: 0

      By modern standards, yes, it was not very good.

      Stronger than WfW was using >20 years later, though.

      Still, the real difference of modern UNIX passwords isn't the newer hashes, but the shadow passwords, where encrypted passwords aren't stored in a world-readable file, so grabbing the whole file and cracking offline is no longer possible without root. (And if they've got root, they don't need the passwords that bad. Still could be useful if the users may be using the same passwords elsewhere, of course, but you should be much more concerned about the attacker owning your box _now_ than possibly guessing your users' webmail passwords in the future.)

    7. Re:Unencrypted passwords? by SleazyRidr · · Score: 1

      Yeah, my neighbor can't get her head around it either. It's pretty weird.

    8. Re:Unencrypted passwords? by clone53421 · · Score: 1

      As AC said, Einstein's name isn't English. It's German, and in German you can have either IE or EI, but either one always sounds like the long vowel sound of the 2nd letter. Thus "Einstein" has a long I sound for both EI sounds (whereas in "Sie", you have the long E sound).

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  19. Social Engineering by Anonymous Coward · · Score: 0

    What's the fuss here? This sort of social engineering has been going on for a long time whether it is a mail server or ebay. I'm not saying the facts are not true ... but I'd bet this has been going on for years.

  20. Stronger password by wsanders · · Score: 1

    As a hypothetical, since length is really what matters, I wonder how long it would take before something like

    01234567890123 or even 0123456789

    would get guessed?

    My experience is that short passwords (less than 7 chars) are the ones that get guessed, even if they are "good" ones that have a mix of letters, number, and punctuation.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
    1. Re:Stronger password by jonbryce · · Score: 1

      If Microsoft use NTLM hashes on their server, then even 14 characters won't be good enough.

  21. Fake URLs, DNS spoofing shouldn't matter by wsanders · · Score: 1

    The point to get across is that no (reputable) service or agency will ever, ever send you an email asking you to fill in and email back ANYTHING anymore.

    If I were to ever get a legitimate email from my bank or credit card asking for personal information, I would call them and ask them WTF they were doing.

    My estimate is that your average stupid phishing victim is just as likely to reply with their personal information regardless of whether the email is obviously fake.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
    1. Re:Fake URLs, DNS spoofing shouldn't matter by Talennor · · Score: 1

      My bank, utility providers, and lots more send me emails with information related to my account in them. They pretend to be more secure by not specifically mentioning the account or asking for my password.

      However, they usually provide a link to their website in the email! On the other end of that link they DO ask for your password. I never click that link no matter how legitimate it looks. You should use your own bookmarks to type the URL to their homepage yourself.

      --

      //TODO: signature
    2. Re:Fake URLs, DNS spoofing shouldn't matter by the_womble · · Score: 1

      My wife once got an email from the bank about a credit card fraud, with a number to phone them on.

      I told her to phone the number we had and ask to be transferred to the fraud department.

  22. What I don't get... by mrbene · · Score: 1

    Is why it's a "leak" if phishing was the method used to acquire the list. Or why it's still referred to as a "bug". Some sort of bug in the Human OS, right near the gullibility logic loop?

    1. Re:What I don't get... by gujo-odori · · Score: 1

      Completely agree about the gullibility logic loop, but I consider it a (design) bug that such weak passwords are allowed. The fact that it's a free email account shouldn't mean you're allowed to set your password to *anything* you want. If anything, the fact that it's free is a better argument that the users should have to accept setting stronger passwords as a condition. If G/Y/M are worried about driving customers to the competition because the passwords are too hard, it shouldn't be that difficult to come to an agreement amongst themselves to all set the same password standards and implement them at the same time.

      And if those 10,000 people should choose to not have an account at any of G/Y/M, it's G/Y/M plus the rest of the Internet that wins.

    2. Re:What I don't get... by John+Hasler · · Score: 2, Funny

      > The fact that it's a free email account shouldn't mean you're allowed to set
      > your password to *anything* you want.

      And one of the things you should not be able to set it to is anything anyone else has already used. In other words, on these systems passwords should be unique.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:What I don't get... by SnowZero · · Score: 1

      Completely agree about the gullibility logic loop, but I consider it a (design) bug that such weak passwords are allowed.

      If the data is obtained via phishing, it doesn't matter how strong the passwords are.

      The fact that it's a free email account shouldn't mean you're allowed to set your password to *anything* you want. If anything, the fact that it's free is a better argument that the users should have to accept setting stronger passwords as a condition.

      We don't have evidence that the short passwords are actually valid ones for the email services; the file was just a dump of what people entered into the phishing site. Some entries surely are valid, but some will just be deliberate garbage or accidental; my guess is that ")" falls into the latter category.

  23. It's a Phisher, Not a Bug by Rary · · Score: 1

    ...many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail.

    Phishing is not a "bug". A bug would mean this was some Microsoft developer's fault. There is nothing a developer can do to prevent someone from conning someone else into giving up their password.

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    1. Re:It's a Phisher, Not a Bug by jonbryce · · Score: 1

      Their spam filter could do a better job of catching emails that purportedly come from Microsoft but didn't go from their servers.

  24. Re:Heh by trapnest · · Score: 0

    "it's really fucking stupid to post your e-mail address in the clear".

    janusofzeal@gmail.com

  25. PC Pro Got It Wrong (Slightly) by Rary · · Score: 1

    The PC Pro article linked to in the summary misquoted its own source. It claims that "12345" is the most common password, however the source it links to actually shows "123456" as the most common password. "12345" doesn't even make the list.

    There really aren't that many users using those "common" passwords. Only 82 users use the top two passwords, which make up only 0.8% of all the passwords in the list. Only 1.56% of the accounts used a top-10 password.

    The rest of the information at the Acunetix link is quite interesting, though. The evaluation determines that only 6% of all the passwords used a combination of alpha, numeric, and other characters.

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein
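
The tallies quoted in this post and in the "Top 20 Passwords" list further up (most common entries, share of the list held by the top N, and the percentage using a mix of letters, digits and other characters), as an added example run over a small constructed plaintext dump of the kind a phishing drop box would hold. This is editor's code, not the Acunetix analysis or its data, and the sample entries are made up here; the last function shows the same data used the other way round, as a sign-up blocklist:

```python
from collections import Counter


def top_passwords(dump, n=20):
    """Most common entries and their counts, the shape of the table above."""
    return Counter(dump).most_common(n)


def classify(pw: str) -> str:
    """Label by which character classes appear: 'alpha', 'digit', 'other'
    or combinations joined with '+'; the empty string gets 'empty'."""
    classes = set()
    for c in pw:
        if c.isalpha():
            classes.add("alpha")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return "+".join(sorted(classes)) if classes else "empty"


def composition(dump) -> dict:
    """Percentage of entries per class combination."""
    counts = Counter(classify(p) for p in dump)
    return {k: round(100.0 * v / len(dump), 2) for k, v in counts.items()}


def share_of_top(dump, n) -> float:
    """Percent of all entries accounted for by the n most common passwords."""
    return round(100.0 * sum(c for _, c in top_passwords(dump, n)) / len(dump), 2)


def length_histogram(dump) -> dict:
    """Entry count per password length; shows the garbage (0- and 1-char
    entries) that a phishing form, unlike a real sign-up page, never filters."""
    return dict(sorted(Counter(len(p) for p in dump).items()))


def is_blocked(candidate: str, dump, n=1000) -> bool:
    """Sign-up side use of the same data: refuse anything in the top n of a
    known dump, the 'stricter rules' several posts ask providers for."""
    return candidate in {p for p, _ in top_passwords(dump, n)}


# Constructed 20-entry dump, deliberately including two junk entries ("" and
# ")") of the kind the thread suspects were typed into the phishing page.
SAMPLE_DUMP = (["123456"] * 6 + ["123456789"] * 2 + ["alejandra"] * 2 +
               ["iloveyou", "tequiero", "qwerty", "password1", "abc123",
                "P@55W0rd", "rOf1m@0z", "WiJcblt?", "", ")"])

if __name__ == "__main__":
    for pw, count in top_passwords(SAMPLE_DUMP, 5):
        print("%-12r %d" % (pw, count))
    print("top-2 share: %.1f%%" % share_of_top(SAMPLE_DUMP, 2))
    print("composition:", composition(SAMPLE_DUMP))
    print("lengths:", length_histogram(SAMPLE_DUMP))
```

Nothing here needs anything but the plaintext list, which is the point made two subthreads up: these statistics are possible precisely because a phishing page receives passwords in the clear, not because the provider stored them that way.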

    1. Re:PC Pro Got It Wrong (Slightly) by clone53421 · · Score: 1

      I wonder how many of the phished credentials were users with a clue entering bogus credentials just to fuck with whoever was trying to scam accounts. It doesn't appear that the phishing page tried to verify that the passwords were valid (much less correct).

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  26. 31415 by bzzfzz · · Score: 5, Funny
    News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

    Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.

    1. Re:31415 by neurovish · · Score: 1

      News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

      Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.

      The slashdot crowd is supposed to be very US centric though...we would never "whinge" about anything.

    2. Re:31415 by LanMan04 · · Score: 1

      Don't forget 0xdeadbeef!

      --
      With the first link, the chain is forged.
    3. Re:31415 by EkriirkE · · Score: 1

      That's 0xbadf00d

      --
      from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
    4. Re:31415 by Karellen · · Score: 1

      There's a version of /. that only contains the interesting stories and actually follows the RFCs?!? How do I sign up without changing my passphrase to something less than 40 characters?

      --
      Why doesn't the gene pool have a life guard?
  27. No appreciation for the classics... by neurovish · · Score: 1

    Where are "sex", "secret", and "god"? Even love only makes a cameo at #17 in "iloveyou"

    1. Re:No appreciation for the classics... by Ksevio · · Score: 1

      Probably stopped by minimum password lengths.

    2. Re:No appreciation for the classics... by SleazyRidr · · Score: 1

      That's why I had to change my password to ilovesecretsexwithgod.

    3. Re:No appreciation for the classics... by carp3_noct3m · · Score: 1

      Someone's Hacking the Gibson! ---Ok my buddies are gonna hang me for that one...

      --
      "It's ok, I'm completely secure as long as my iron is off"
  28. No asdf, qwerty, 1qaz? by Anonymous Coward · · Score: 0

    Apparently keyboard pattern passwords hold up better.

  29. Let's over-react, shall we? by Mesa+MIke · · Score: 1

    Perhaps this is the reason that sometime during lunch, my employer (A well known NNSA National Laboratory in New Mexico) blocked access to all things Google, including Gmail, Blogspot, and the Google search engine itself?

  30. Re:Heh by clone53421 · · Score: 1

    I know gmail has amazing spam filters, but even I wouldn't tempt fate like that.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  31. Google Services phishing link by Xelios · · Score: 1

    This might be related, seems you can generate emails that appear to come from Google's own mail servers by altering a regular old URL. From there it's a short step to include a phishing site in the body of the email asking the user to verify his account details, or whatever. Maybe other webmail services have similar links.

    I saw the Hotmail version of this phishing mail yesterday, it looks like it comes from an @live.ca address and asks the receiver to verify his account details at a link included in the email. The link is disguised to look like a valid mail.live.com link, but of course it goes to a phishing site instead.

    --
    Murphey's fighting Occam, and we're in the stands.
  32. Re:Heh by tanguyr · · Score: 1

    I know gmail has amazing spam filters, but even I wouldn't tempt fate like that.

    I've had Slashdot display my email address in clear text in every comment I've made here for years now. I've never received any mail to tanguyr+slashdot@gmail.com (Gmail lets you add a "+whatever" to your email), and I very rarely get a spam message in my inbox. These days, with so much email being spam, I don't think that being coy about your email address is really a valid strategy anymore. You've got to give it out to use it, and who knows what the heck the people you give it out to are doing with it?

    --
    #!/usr/bin/english
  33. Re:Heh by Anonymous Coward · · Score: 0

    Correct spelling? From GNU-tards who could communicate better with a real-life Klingon than they could with a fellow human? No wonder Gmail got hacked; if you want software that works you have to actually PAY someone for it! Just goes to show that access to the source code gives hackers the ability to find holes and exploit them.

  34. No, _I_ have a real programmer's password by Anonymous Coward · · Score: 0

    012345

    010101

  35. they deserve it by Anonymous Coward · · Score: 0

    The people who use passwords like 12345 deserve this. maybe it will finally teach them the lesson(s) that their smarter family members and friends have been trying to get through their thick skulls for years.

  36. Re:RTFA by conureman · · Score: 1

    According to TFA, these were collected by phishing. OTOH 12345 could be "brute forced" by mere human guesswork. Sheesh. My eight-letter password could be brute-forced by machine in very short order, but it's all relative.

    --
    The cost of that cleanup, of course, will be borne by taxpayers, not industry.
  38. Re:Heh by trapnest · · Score: 0

    Indeed.