Analysis of 32 Million Breached Passwords
An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
Is password. So damn obvious, nobody would think to try it =)
My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.
I think it would be interesting to search the passwords I use against the list. I like to think that my passwords are pretty good, but it would be interesting to see how similar they are to the passwords that were obtained and used in the study.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
By a massive coincidence, these happen to be the passwords for their respective /. userids!
...Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
Er, does it REALLY matter anymore the strength of your password with the FBI using post-it notes as a search warrant? I mean I hate to say that, but seriously.
On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.
I can't tell you how frustrating it is to try to keep information secure on various web sites or with companies that still use antiquated password styles. 6-8 chars or numbers only? Really? Still? After all the identity theft you'd think companies would at least step up their need to have users have strong passwords. But nope, places like Earthlink still use limited password capability.
Life takes interesting turns, but the most interest is when you're off the beaten path.
At least in Alaska, ZIP codes seem to be the most popular choice, according to a survey of one known case.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Adding a special character increases the base. Adding a character - i.e. increasing the length of your password - increases the exponent. Either method helps provide strong passwords. Shoulder surfing special characters is easier, because they are a reach from the home keys, and most pause to hit them.
Does anyone have the list of passwords itself?
:)
It would be fun to perform one's own statistical analysis of the list
Here's the top 20 most common passwords used according to the report:
Rank Password # of Users
1 123456 290731
2 12345 79078
3 123456789 76790
4 Password 61958
5 iloveyou 51622
6 princess 35231
7 rockyou 22588
8 1234567 21726
9 12345678 20553
10 abc123 17542
11 Nicole 17168
12 Daniel 16409
13 babygirl 16094
14 monkey 15294
15 Jessica 15162
16 Lovely 14950
17 michael 14898
18 Ashley 14329
19 654321 13984
20 Qwerty 13856
http://www.object404.com
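Added example, not part of any comment in this thread or of the Imperva report: the kind of statistical pass over a leaked list that the comment above asks for, run on a small constructed sample list (the names and counts are made up and stand in for the real data). It reports the most common values, the share of the corpus using each character class (the "less than 4% used non-alphanumerics" statistic), the length histogram, and how many accounts a registration-time deny-list of the top N values would have rejected.

```python
import re
from collections import Counter

# Constructed stand-in for a leaked password list (not real RockYou data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "12345", "Password", "iloveyou", "princess",
    "rockyou", "abc123", "Nicole", "monkey", "Qwerty", "p@ssw0rd!", "duck1234",
    "123456", "12345", "Tr0ub4dor&3", "babygirl", "654321", "hunter2",
]

NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def top_n(passwords, n=10):
    """Most common values with their counts, most frequent first."""
    return Counter(passwords).most_common(n)


def character_classes(pw):
    """Which character classes a single password draws on."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": NON_ALNUM.search(pw) is not None,
    }


def class_shares(passwords):
    """Fraction of the corpus using each class; 'digits_only' is the all-numeric share."""
    total = len(passwords)
    hits = Counter()
    for pw in passwords:
        for cls, used in character_classes(pw).items():
            if used:
                hits[cls] += 1
        if pw.isdigit():
            hits["digits_only"] += 1
    keys = ("lower", "upper", "digit", "special", "digits_only")
    return {k: hits[k] / total for k in keys}


def length_distribution(passwords):
    """Histogram of password lengths, keyed by length."""
    return dict(sorted(Counter(len(pw) for pw in passwords).items()))


def denylist_coverage(passwords, n):
    """Share of accounts that a deny-list of the n most common values would
    have rejected at registration time."""
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(n))
    return covered / len(passwords)


if __name__ == "__main__":
    print("top 5:", top_n(SAMPLE_PASSWORDS, 5))
    print("class shares:", class_shares(SAMPLE_PASSWORDS))
    print("lengths:", length_distribution(SAMPLE_PASSWORDS))
    print("deny-list of top 2 covers:", denylist_coverage(SAMPLE_PASSWORDS, 2))
```

Pointed at a real dump, `denylist_coverage` is the number that justifies blocking the most common values at signup: even a very short list rejects a disproportionate share of accounts.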
hunter2
I vary the strength of my passwords based on the importance of them being secure.
More secure passwords are typically harder to remember. My financial related passwords are much more secure than my Facebook password because I really don't give a damn if someone breaks into my facebook account.
I think it would be interesting to search the passwords I use against the list. [...] This year we confirmed that indeed you can buy everything in New York City.
But can you buy a log of searches?
funny - this girl seems to be quite popular *cough* :-)
Anyone has a picture ?
RockYou is a MySpace photo/video sharing site (from what I could gather from googling, never used it myself) and it's certainly no excuse that people implement bone-head password choices such as the 10 shame shame list FTFA. However, I didn't really see the article address or even consider that their target users on the RockYou site aren't generally as security conscious as the geek, wanna-be security folks on /. are. I'm glad the analysis and study was done, but I'm really not surprised. If people are picking '123456' as the #1 password, as much as we have a PEBKAC situation on our hands, fault RockYou for not implementing some sort of semi-secure password standard.
Is it even worth the effort of coming up with a secure password for that site? If I had for some reason found it necessary to register with such a vapid site I would have just re-used one of my low-security passwords (which many other sites have access to). It isn't too surprising that nobody cares whether someone else is using their account to steal their noisy, eye-burning flash videos. What is far worse is if people are re-using passwords from much more important sites. In this case, it doesn't matter if your password is a random string of letters, numbers and special characters.
pi = 3.141592653589793helpimtrappedinauniversefactory7
Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
Why is it any surprise that people tend to approach passwords as a pass-WORD? It has to be something they can remember, and remembering a string of characters they can't pronounce is far more difficult than remembering (say) their favorite basketball team and the year they graduated high school.
If a job's not worth doing, it's not worth doing right.
As a developer I grew up with the US layout, which is by far the best for coding. But in most countries nowadays you really have to look hard to find such a keyboard, not to mention configuring the damn layout on a random OS on a random machine. Everyone around me uses some strange layout I couldn't find non-alphanumeric characters on. And there are even worse places where even simple digits are hard to enter, e.g. Belgium.
Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
but... there's no non Alpha-numericals in 'CowboyNeal'?
~men are from earth. women are from earth. deal with it.~
Since most sites have a bunch of silly restrictions (no special characters, no more than 8, etc.), most systems, if they don't enforce strength, randomness, etc., will degrade down to the lowest level where the password will work on all the systems.
The article says that in 20 years users have not gotten better at creating good passwords.
Logically then the solution is NOT to get users to take "password security seriously". This is like trying to stop VD by convincing teens to abstain from sex - it's in the never-going-to-happen category.
The solution is to mitigate the damage of a brute force attack - when bots make password guess attempts, you need counter-"bots" to detect patterns of access and then block IPs, warn users, or disable accounts. This is a form of intrusion detection.
This is not to mention that for most web accounts, a break in doesn't matter - what damage can the hacker really do? Like post things-you-didn't-say and trash your reputation on www.social-site-for-people-who-spend-to-much-time-online.com? Heck, that's major dude.
Just a wild guess here, but let's ask: Are there web site owners who think the logins they host are way more important to their customers than they actually are?
Hmmm
-paul
My passwords tend to be words that I make up on the spot, with a couple of numbers thrown into the mix. They don't seem too difficult on the surface...but then again it is a word that I make up, some of which don't even have vowels lol. I have a series of seven different ones that I use.
It's worked quite well for me over the years :-)
Living With a Nerd
Does one really need to worry about "brute force" attacks if it's a system that enforces a lock-out of a user account after a set number of incorrect passwords (say, 5 in 10 minutes or so)?
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
Surely no one uses God, Sex, Money, or Love as their password! I use my birthday or sometimes my mother's maiden name... no one will ever guess that, right? =X
"Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords."
Not surprising at all, because the rules for what you CAN use as passwords are so inconsistent. Some places REQUIRE non alphanumerics, but have a limited choice of what you can use. Some don't accept ANY non alphanumerics, some will accept them but again it's different from site to site.
I don't know about you, but I've probably got 100 different passwords rattling around in my brain. I'd guess most people are like me in that they see passwords as a necessary evil but otherwise a giant pain in the ass, and so accept the slight increase in security risk by using a system that changes predictably (at least for me) from site to site. So I'm not going to use a base-password or base-concept that includes any characters that might be disallowed on some other site.
-Styopa
IIRC it was in the text of TFA last time.
The cost of that cleanup, of course, will be borne by taxpayers, not industry.
I dealt with a bank once that expected its customers to change their passwords every 2 weeks. So obviously what happened is every time a customer needed to check their bank account, probably once a month, they were locked out. Now this isn't necessarily the problem here. The problem is that with people having to call in every time to reset their password, it becomes such a norm that it probably drastically increases the potential for social engineering.
How else do you explain all these people posting as "Anonymous Coward"?
As a simple example, a test install of SQL Server 2008 refused to accept an sa password which was highly secure - 11 random lower case alphanumerics - but was quite happy with Micro$0ft. Childish I know, but I wanted to check if they had implemented an algorithm to detect "obvious" password variants.
Perhaps someone is still using MD5 hashes for passwords. Or not using any hashes at all.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I have three different "layers" of security. I have my "throwaway" password that gets used for sites I just don't care about. I have my "kind of important" password that gets used for sites that I kind of do care about. And I have regularly changed, per-site passwords for anything that involves my identity, personal information or money--paypal, facebook, etc. And, frankly, the throwaway password ain't much. Posted anonymously for the obvious reason--I'd hate for everyone to be trying to hack my Slashdot account now.
That sounds like a combination that an idiot would put on his luggage.
Strength of a chosen password is a function of information it protects. I am sure most users follow this rule even without specifically identifying it.
In this sense, services like Rockyou are at the very bottom - the only reason users select a password for such a service is because it requires them to. I would bet that if it let users have an option of not having a password at all - they would gladly do so.
While I don't have a sample to prove this, it would be interesting to compare these to passwords selected for a major email provider (gmail, yahoo) and an online banking service. I would bet that (even without any specific controls and limits on characters used) these would be quite a bit more complicated, proportionately. I.e. somewhat more difficult to guess for the email, depending on how important the particular mailbox is to its owner, and quite complex for a bank account.
In any case, this selection of users is hardly a random sample and drawing any general conclusions based on it would be premature to say the least.
md5 in my company (very large multinational corp) is a big no-no. We can't use it. SHA1 is what everything had to be hashed with.
SearchIRC - Now with live chat directory!
by the way, i got this idea from a slashdot thread, and it was an eureka moment for me, and i went about resetting all my passwords
i forget the thread or the user id of whoever made the comment, but it was a password related subject matter and i think it was in the last 6 months or so
whoever you are, and i hope you read this: thank you!
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
-----
President Skroob: What's the combination?
Colonel Sandurz: 1 - 2 - 3 - 4 - 5.
President Skroob: 1 - 2 - 3 - 4 - 5?
Colonel Sandurz: Yes.
President Skroob: That's amazing! I've got the same combination on my luggage!
All this tells us is that the exhortations to choose more secure passwords reach a certain level and then have no more effect. The implication is that ways of educating users have not improved in the past 20 years.
Let's not blame the users -they are only doing what they're told. The problem is that we (i.e. IT people) are not telling them the right things in a way that they are willing to accept. That's the problem, not laziness, incompetence or ignorance - motivation. The users ARE motivated to choose passwords, but not to go to the inconvenience of choosing complex ones.
In every other area of computer use, the trend has been to making things simpler to use. Maybe it's time this process was applied to passwords. Of course it's possible we don't really want better security - we just want someone to blame for lapses.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I don't know about everyone else, but I don't use my work credentials or my root password when I visit sites that look like rockyou.com. They just aren't important enough for me to use secure passwords. Five letters and a digit is more than enough for me to use on most forums, Myspace, and other unimportant sites -- all of whom I don't trust to actually store my passwords in a secure manner. So I am refraining from commenting on the horrible state of passwords when it concerns a horrible state of a website, because I don't think I'm the only one who acts this way.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
I don't know if anyone bothered to read the full report, but I found this recommendation tucked in at the end of the report:
ast character in the password. (pg. 3)
Allow and encourage passphrases instead of passwords. (pg. 5)
And I say amen, amen to that. I've done quite a bit of personal research in this area, and have found passphrase systems to be far superior in terms of security and ease of use/recall over random combinations of characters. For years I've used the list provided at Diceware to generate my passphrases, and I have no problem still recalling little-used 5- or 6-phrase passphrases years later.
The idea that random sequences of characters is somehow superior to a passphrase of equal entropy is a myth borne of ignorance and a resistance to change. So long as companies that know better keep forcing their minions to adhere to a strict range of letter/number combinations, we'll continue to be saddled with the problem presented by the Rockyou.com crack.
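Added example, not from this comment or from the Diceware project: a Diceware-style generator that maps dice rolls to list entries through the OS random source, plus the arithmetic behind "a passphrase of equal entropy". The 36-entry word list keyed by two dice is constructed for illustration only; a real Diceware list has 7776 (6^5) entries keyed by five rolls, and the entropy functions are evaluated for that real size. The function names are my own.

```python
import math
import secrets

# Constructed 36-entry list keyed by two dice rolls, for illustration only.
# Real Diceware lists have 7776 = 6**5 entries keyed by five rolls.
DICE = 2
SAMPLE_WORDLIST = [
    "acorn", "badge", "cabin", "dance", "eagle", "fable",
    "gamma", "habit", "icing", "jolly", "kayak", "lemon",
    "mango", "noble", "oasis", "panda", "quilt", "raven",
    "salsa", "tango", "ultra", "vivid", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "delta",
    "ember", "flint", "grove", "hazel", "ivory", "jewel",
]
assert len(SAMPLE_WORDLIST) == 6 ** DICE


def roll_dice(n):
    """n fair dice rolls drawn from the OS CSPRNG, as digits 1..6."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def dice_to_index(rolls):
    """Read a dice sequence as a base-6 number: [1,1] -> 0, [6,6] -> 35,
    [6,6,6,6,6] -> 7775. Each sequence selects exactly one list entry."""
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def passphrase(words, wordlist, dice):
    """Pick `words` entries independently; separators carry no entropy."""
    chosen = [wordlist[dice_to_index(roll_dice(dice))] for _ in range(words)]
    return " ".join(chosen)


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` alternatives."""
    return count * math.log2(choices)


def chars_for_equal_entropy(words, wordlist_size, alphabet_size):
    """Length of a uniformly random string over `alphabet_size` symbols that
    carries at least as much entropy as a `words`-word passphrase."""
    return math.ceil(entropy_bits(wordlist_size, words) / math.log2(alphabet_size))


if __name__ == "__main__":
    print(passphrase(6, SAMPLE_WORDLIST, DICE))
    print("6 Diceware words:", round(entropy_bits(7776, 6), 1), "bits")
    print("equal to", chars_for_equal_entropy(6, 7776, 95), "random printable ASCII chars")
```

Six words from the real list give about 77.5 bits, the same as twelve characters drawn uniformly from all 95 printable ASCII symbols, and the words are the part a person can actually recall. The security rests entirely on the picks being uniform and secret, which is why the rolls come from `secrets` and not from the user's own word choice.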
One of the best things the government IT folks have done is the use of the PKI infrastructure. Must have a physical token (smart card) and then an unchanging PIN to access the physical token. The private key never leaves the card itself. And all internal sites are mandated to use that authentication, so no more password hell.
Yes, the cards expire every couple years, but it's about worn out by then anyways.
I don't know about anyone else, but I have accounts on so many sites it would be impossible to use strong passwords without reuse. I really don't see the harm in using the same weak passwords if I don't care if my account on the site's compromised.
I have a number of site-specific strong passwords I use on sites I care about, and a further handful of very strong passwords I use for accounts that have the ability to charge my credit cards. My unix passwords are completely different too, and I run sshd needing key auth. If I have anything worth protecting (personal information more than an email address, an identity within a community, etc) on a website, I'll use a better password, but if I just want to comment on someone's blog or see what a site's about, I don't care - I certainly wouldn't shed a tear if one of my weak passwords were compromised! Boo hoo, someone's pretending to be Asdf Asdf from Qwer (postcode AA1 1AA) over at www.dontcare.com/phpbb/ and www.whogivesarats.as/blog/ and sending me spam on email addresses I'll just blacklist...
I would bet money that if you look at the password complexity of users of a busy registration-required forum both before and after you discount people with less than 5 posts, there'd be a substantial difference. Likewise, it'd be interesting to see the strength distribution of the subset of these "32 million" accounts on rockyou.com that belonged to people that actually used them or had valid personal information attached. Otherwise I think it's a pretty worthless study
People only use letters and numbers because when they think "word" it implies some meaning or coherence. We all understand what letters and numbers stand for or "mean". Non-alphanumerics? Hell, we can't even decide what to call "#" - is it "hash" or "pound?"
Is "." "dot" or "point?" For that matter, I still associate "$" with "string" in Fortran.
Start calling them security codes, pass codes, mystery keys, whatever.
"As God is my witness, I thought turkeys could fly." A. Carlson
is doing the same thing over and over while expecting different results.
I quote the end of this paper:
He's correct, of course. The problem hasn't changed. That's because the vast majority of people don't care. We've been telling people to use good passwords for 20 years, and it hasn't worked. People don't use good passwords, people have never used good passwords, people never will use good passwords.
Maybe it's time to come up with a solution that may actually work, instead of pushing the same old obviously-failed solution yet again?
Breaking Into the Industry - A development log about starting a game studio.
It is not just the mandatory password changes that increase the mess. It is also that each and every site has different validation rules. If I could use one-and-only strong password for many sites, then I could remember that. However, some sites _require_ special characters, while others _forbid_ it, etc, etc. So each time you end up inventing something on the spot, and then two months down the road you've forgotten it.
I guess that I've 50 passwords to remember, so if I can't do that with just a few (I don't use the same password for my online banking as for my slashdot login :-) then it quickly becomes Post-it time again. Or worse, that little file on the PC desktop with a list of userid/passwd combos.
Browsers shouldn't have a back button!! It's all about going forward...
I know it's been said around here before, but...
Dropbox + Keepass. It's been working great for me.
I am a viral sig. Please copy me and help me spread. Thank you.
I have a couple questions for some more security minded folks here on slashdot, about the 'conclusions' of the analysis in the linked article. . .
* "The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as 'brute force attacks.'"
Is this really true? Here's why I ask - most websites (though unfortunately not all), seem to lock your account if you don't get the right password in 3-5 attempts. Then, it may stay locked for 15 minutes, or 24 hours, or until you go through a process of some sort to verify the account (such as an automated email to the address on record, with a link you have to click in the email).
If the website takes such measures, doesn't that shut down brute force attacks pretty fast, even with fairly simple passwords? If the website is doing that, and it shuts down brute force attacks, doesn't that mean that even a somewhat weak password can provide 'good enough' protection?
* While I'm sure that adding special symbols does make the password harder to brute force, isn't even an alpha-num password pretty strong if it's about 10-12 characters long and mixes both upper and lower as well as some numbers? Personally, if I was guiding someone about a password, and I know they have a hard time remembering complex passwords, I would urge them to a longer password instead of a more complex one, because the length makes the complexity grow exponentially, right?
* Sort of touching on the parent's point - appropriateness. We can't remember lots of complex long passwords, so I would think that we should get people to concentrate on remembering complex passwords for the things that most need them - particularly things which can be attacked 'offline'? By 'offline', I'm thinking of something like, say, an encrypted file (like a zip file or TrueCrypt volume file), and online passwords which protect truly important stuff like access to your network account at work, your bank account, Tax-site password, etc.
Of course, there are always 'password safe' type applications, but I've never really liked the idea of a password safe, simply because I don't necessarily have access to it whenever I need a password. Take, for example, going to a library, FedexKinkos, or college computer lab, and needing to access a password protected site. Even if you *do* have your password safe file, on a USB key (for example; or maybe you can download your 'safe' from a site online), you may not be able to run the password safe software to decrypt it. Even if you *can* run the password safe file from the USB key, on the public computer, do you really trust that public computer to decrypt all your passwords? I just don't like the concept of password safes, for these reasons.
I looked into KeePass once upon a time, but I ended up avoiding it, simply because I've not figured out a way to get around what seems like a fundamental problem to me. . .
What do you do if you need to use a public computer? A lot of times, computers at places like libraries, college computer labs, etc won't allow you to run any programs which weren't installed by an Admin. If you rely on something like KeePass, don't you run the risk that you won't be able to access one of your passwords when you need to? Also, with KeePass, you run some possibility that once you decrypt the password database, some sort of spyware on the computer might hoover up all your passwords?
I mean, granted, if the computer is compromised, it could snatch your password anyhow when you enter it into the browser to login to a site, but at least in that case, the spyware only steals the password for 1 site, instead of every password you have?
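Added example, not part of any comment here: the "counter-bots" proposed earlier in the thread and the lockout rule asked about in this post ("say, 5 in 10 minutes"), written as a sliding-window monitor over constructed sample log lines. The log format, the thresholds and the action names are assumptions for this example. It keeps two counters on purpose: per-account failures (the lockout most sites implement) and per-source-IP failures, because one source trying a single common value against many accounts never trips a per-account counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2010-01-21T10:00:01 FAIL user=alice ip=203.0.113.5
2010-01-21T10:00:02 FAIL user=bob ip=203.0.113.5
2010-01-21T10:00:03 FAIL user=carol ip=203.0.113.5
2010-01-21T10:00:04 FAIL user=dave ip=203.0.113.5
2010-01-21T10:00:05 FAIL user=erin ip=203.0.113.5
2010-01-21T10:00:10 FAIL user=alice ip=198.51.100.7
2010-01-21T10:00:20 OK user=alice ip=198.51.100.7
2010-01-21T10:01:00 FAIL user=frank ip=192.0.2.9
2010-01-21T10:01:05 FAIL user=frank ip=192.0.2.9
2010-01-21T10:01:10 FAIL user=frank ip=192.0.2.9
2010-01-21T10:01:15 FAIL user=frank ip=192.0.2.9
2010-01-21T10:01:20 FAIL user=frank ip=192.0.2.9
2010-01-21T10:31:00 FAIL user=frank ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


class FailedLoginMonitor:
    """Sliding-window counters of failed logins per account and per source IP.
    Defaults follow the 'about 5 in 10 minutes' rule of thumb from the thread."""

    def __init__(self, threshold=5, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.by_account = defaultdict(deque)
        self.by_ip = defaultdict(deque)

    def _record(self, table, key, ts):
        """Append a failure timestamp and drop those outside the window."""
        q = table[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def observe(self, ts, outcome, user, ip):
        """Feed one event; return the actions it triggers (usually none)."""
        actions = []
        if outcome == "OK":
            self.by_account[user].clear()  # a real login resets the account counter
            return actions
        # Fire exactly once, when the count first reaches the threshold.
        if self._record(self.by_account, user, ts) == self.threshold:
            actions.append(("lock_account", user, ts.isoformat()))
        if self._record(self.by_ip, ip, ts) == self.threshold:
            actions.append(("block_ip", ip, ts.isoformat()))
        return actions


def scan_log(text, threshold=5, window=timedelta(minutes=10)):
    """Run the monitor over log text and collect every triggered action in order."""
    monitor = FailedLoginMonitor(threshold, window)
    actions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format
        ts_str, outcome, user, ip = m.groups()
        actions.extend(monitor.observe(datetime.fromisoformat(ts_str), outcome, user, ip))
    return actions


if __name__ == "__main__":
    for action in scan_log(SAMPLE_LOG):
        print(action)
```

On the sample, 203.0.113.5 gets blocked at its fifth failure although no single account saw more than two; frank's account locks at its fifth failure; and frank's attempt half an hour later counts as a fresh first failure because the older ones have aged out of the window. In production the IP rule needs care with shared NAT addresses, which is why the usual response to it is a delay or a CAPTCHA rather than a hard block.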
Or worse, that little file on the PC desktop with a list of userid/passwd combos.
Just use a password store utility instead of a text file. They encrypt a file that stores the passwords.
I have two password styles.
On frivolous sites, like Slashdot or game fan site, I use a dead simple password along the lines of "ilikedogs1" or "iamfrank". Why? Because nothing of interest to me is on those sites. Nothing anyone finds there gives anyone financial or other leverage.
On sites where I need to secure I use complex passwords not related to me or the entity I am using. Keep it simple where it really doesn't matter and password security becomes less of a burden. Still I like the one time keys provided by devices similar to what Blizzard uses for WOW access (authenticators)
* Winners compare their achievements to their goals, losers compare theirs to that of others.
I understand why you don't want to use dictionary words for passwords, too easy to brute-force. Though how likely is it that servers these days would sit still while a single account fails login ten thousand times? I know once the hacker is in, he can then run the hash file against the dictionary and back into the passwords of other accounts. But wouldn't even a dictionary word with a number or two after it be fine? duck1234 should be just as secure as duck!@#$, right?
I'm running through the ways you can get hacked and what a secure password would mean.
1. Guessing by a person sitting at your computer, brute force hacker from outside, running the dictionary against the hash -- strong is good.
2. Your PC gets rooted, your keystrokes are captured -- strength doesn't matter a bit, you typed it in for the hacker and he won't even have to touch the keyboard when his scripts hit your account and drain it.
3. Data breach and your password is stolen -- Why was it stored in plaintext? Regardless, they have it and can copy and paste if they use it.
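Added example (mine, not from any comment in the thread) for three questions raised in this discussion: whether adding a character beats adding a symbol, whether a 10-12 character mixed-case alphanumeric password is strong, and whether "duck1234" is as good as "duck!@#$". It computes keyspace sizes in bits for uniformly random strings, and separately for the "dictionary word plus short suffix" shape, where the guesser is assumed to know the shape. The vocabulary and alphabet sizes are assumptions stated in the code.

```python
import math
import string

LOWER = len(string.ascii_lowercase)                 # 26
ALNUM = len(string.ascii_letters + string.digits)   # 62, mixed case plus digits
PRINTABLE = 95                                      # printable ASCII, space to tilde


def random_bits(alphabet_size, length):
    """Entropy of a string chosen uniformly from alphabet_size ** length.
    Raising the alphabet raises the base; raising the length raises the exponent."""
    return length * math.log2(alphabet_size)


def structured_bits(vocabulary, suffix_alphabet, suffix_len, capitalised=False):
    """Entropy of a 'word + suffix' password when the guesser knows the shape:
    one of `vocabulary` words, then `suffix_len` symbols from `suffix_alphabet`
    choices. Capitalising the first letter is at most one more bit."""
    bits = math.log2(vocabulary) + suffix_len * math.log2(suffix_alphabet)
    return bits + (1 if capitalised else 0)


def equivalent_lowercase_length(bits):
    """How many uniformly random lowercase letters carry the same entropy."""
    return math.ceil(bits / math.log2(LOWER))


def comparison():
    """Cases from the thread, as (label, bits)."""
    return [
        ("8 random lowercase", random_bits(LOWER, 8)),
        ("8 random printable (bigger base)", random_bits(PRINTABLE, 8)),
        ("12 random lowercase (bigger exponent)", random_bits(LOWER, 12)),
        ("12 random mixed-case alphanumeric", random_bits(ALNUM, 12)),
        # Assumed: a 100,000-word guessing dictionary and a 4-digit suffix.
        ("word + 4 digits, e.g. duck1234", structured_bits(100_000, 10, 4)),
        # "!@#$" is shift-1234: a guesser that tries shifted digit runs sees
        # the same 10 choices per position, so the shape is worth the same.
        ("word + 4 shifted digits, e.g. duck!@#$", structured_bits(100_000, 10, 4)),
    ]


if __name__ == "__main__":
    for label, bits in comparison():
        print(f"{label:42s} {bits:5.1f} bits  (~{equivalent_lowercase_length(bits)} random letters)")
```

Four extra lowercase letters (12 vs 8) outweigh switching all eight positions to the full printable set, which is the "length grows the exponent" point. A 12-character mixed-case alphanumeric string at about 71 bits is strong on its own. And both "duck" passwords come out near 30 bits under the shape-aware model, the same as roughly seven random letters: the digits-versus-symbols choice changes nothing when the word in front is guessable and the suffix is a keyboard run.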
The consensus on security now was that draconian policies on the part of IT without any seeming rhyme or reason to the employee will simply foster non-compliance and animosity towards IT.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
For example I use the same password on most forums online. It is short, alpha numeric and so on. Why? Because I really don't give a fuck. They are forums. Oh no, you hacked my forum account, whatever will I do? However it is not the same password as my e-mail, that is longer, and has special characters. My bank password is longer still, used only for my bank, and also requires the use of a physical identification token to get in.
The amount of effort I put in to a password is directly related to what that password protects. For a large amount of stuff on the internet it is one of a couple simple passwords that are reused all over. Reason is that what it protects is just not important. There is no reason to spend time coming up with and memorizing a unique, hard, password for Youtube or something. If it gets found out, oh well, I'll go change it on other sites I use enough to care about. If one of those happens to get owned in the interim, oh well, I'll make a new account.
However something like my bank account, or my admin account at work, yes, those passwords are strong, and they are never reused anywhere. They protect something that matters, so security is taken seriously.
something like "if the website's name begins with the letter m or lower, use the weekday my son was born, if above m, the weekday my daughter was born. plus the last 3 letters of the website name backwards rotated plus 2"
if a hacker gets access to one database they have no idea what your algorithm is
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
so that you don't need to be sitting in front of your own Linux command line to remember your passwords. I use a base of two nonsense pairs (things like AkB and jzQ) and then use positions 4 and 5 in the password as a code for the type of site and "rank" in terms of frequency of use, for example (these aren't mine but you get the idea):
! (shift-1) = social networking
@ (shift-2) = banking
# (shift-3) = utilities / bill payments
1 = site in this category I use most
2 = second most used site
3 = third most used site
and so on. So the base for something like Facebook using a system like this might be A@B!1jzQ, for Twitter maybe AkB!2jzQ, and for my primary bank account AkB@1jzQ (invariant components AkB and jzQ, with @ [for banking] and 1 [for most used] sandwiched in between them).
Then, I postfix the password with the number of the instance of the password.
A = first use
B = first mandated change
C = second mandated change
D = third mandated change
and so on. So after the third change, my primary banking password at a bank might be:
AkB@1jzQD
After they ask me to change it again, it will increment to:
AkB@1jzQE
and so on.
This way, there is always a base of predictability to my passwords (usually enough to get it within three tries) and the variable information is context-based in a way that is only meaningful to me and no two sites will ever share the same password.
The only place this falls down is when sites mandate their own password structure (max or min length, etc.) but it usually works (includes uppercase, lowercase, symbols, and numbers, which is enough to make most of them happy) and the few sites that don't allow such passwords are far enough between to stand out in my memory, meaning that I don't forget the specially-formed exceptions that I created for those sites.
A system like this won't work for everyone, but for most people with a reasonable IQ, it's good enough, once you can get them to buy into the need for password security and for them to design their own system.
STOP . AMERICA . NOW
We use a smartcard/PIN combination to access our systems . . . but some still require at least an 8 digit alphanumeric password. Admins must use at least a 16 digit password, and we must change them every 90 days. I really hope we're able to switch to 100% two-factor authentication soon . . . and that it works.
No "swordfish", huh?
The article states the passwords were obtained through an SQL injection attack. They were stored as plaintext in the database. Having a strong password would have done nothing to prevent this problem. Passwords need to be encrypted during transport and when stored.
you just need a good algorithm
then someone has to hack two databases or more, zero in on the password for the same username, and calculate your algorithm
this is assuming the same username is the same person across websites, and that the hacker has the time or inclination out of millions of passwords to devote the analysis
furthermore, if your algorithm is something like
"if the website's name begins with the letter m or lower, use the weekday my son was born, if above m, the weekday my daughter was born. plus the last 3 letters of the website name backwards rotated plus 2"
then there is still not enough unique information from 2 or maybe even 3 hacks to successfully derive your algorithm
plus, i just thought up this algorithm on the spot. i'm certain there are plenty of clever algorithms out there that you can use to generate your password from the website name on the fly that no hacker could isolate. something like "the second letter of each website name corresponds to someone you know in college. use their room number. then take the last letter of the website, get the ascii value of that, divide by 2, and write the last name of the relative who was born on that day of the month"
the kinds of algorithms you use can be endless, and beyond the time or effort or even possibility (depending up the algorithm) of any hacker deriving it. the last algorithm i just wrote is still kind of hard: your algorithm assumes you are memorizing 26 college names and 13 birthdays. so maybe you only take the last digit of the ascii value of the 4th letter of the website name or whatever, so you only need to memorize 10 birthdays, or whatever: you just need a good algorithm
the point is: a well chosen algorithm can be foolproof from a hacking perspective in terms of generating a complex password, and foolproof in terms of having a unique password for thousands of sites. and all you have to remember is a good creative algorithm only you know
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
KeePass is an excellent utility, available for Windows, Linux, and other platforms. It's simple, quick to use, and configured correctly, you will only have to learn one password: the one to unlock the encryption file.
Causing Chaos Everywhere,
Nik J.
The strange world of a loner, in a populous city, drowning in society
Oh but I use a password to open my word document that contains all my passwords. That's pretty secure. /s
It seems that a lot of industry security is a waste for most users, esp those that require password resets every X number of days or months. There is nothing on my pc that anyone, competitors included, would care about. Even if they had access to the numerous systems I use internally.
I remember a Dilbert cartoon about this once (fitting as he came from the same company) where he asked that if he tried, could he ever find anyone that cared about the "proprietary" marking on documents.
And keep the encrypted password store on a USB drive, not a computer's hard disk.
Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
Most interesting to me was that the chart showing use of case, numbers and special characters is titled "Password Length Distribution"
At every large site that I know of that has tried to implement passphrases, the end result is that the user has to memorize two secrets - the passphrase that works on most systems, and another password for all the legacy systems that don't support long passwords. So users still need a password, but use it less often so it is harder to remember. Heck I still see shit around that has an 8 character password limit.
I worked for a company that ran a birth/death/marriage certificate site. People were having problems logging in, so we kept a log of passwords that did not result in a successful login.
We found that one of the most commonly typed passwords that was denied was "case-sensitive".
Needless to say, we soon took off the "Your password is case-sensitive" text from the login page.
America, Home of the Brave.
A strong passwd is only a small part of the entire security system. It is important to address _all_ parts. One of the most important is to make the cost of guessing passwords high.
A non-shadow /etc/passwd has extremely low guessing costs, just a few CPU cycles. An ATM that eats cards after 3 wrong guesses has an extremely high guessing cost. Account lockouts, timed or manual are somewhere in-between.
The important point is these guessing costs are largely under the control of the admins and not subject to variable user compliance or resentful coercion.
It really bothers me when service people try to blame me for some inefficiency when they are not doing all they can. I'm not supposed to do their job, or even make it easy. They're there to make mine easy.
I wonder how applicable this is for "real" passwords -- the kind of password you'd use to secure your on-line bank account or your personal email, for example? It's generally a good idea not to use the same password you use for your on-line bank account when creating a shopping cart account for every Tom, Dick, and Harry.com website that you happen to buy tchotchkes from. I wonder how many of these passwords are weak because of people just really not caring so much about their account on rockyou.com rather than being clueless about creating strong passwords...
I once worked for a company where the server passwords were the names of Inca gods. Just try and remember "Apocatequil" and "Guachmines."
And either require the user to remember - you guessed it - yet another password, or they keep the decrypt key on the hard drive where anyone can find it.
"But at least the user only has to remember one password, instead of many."
That is an improvement, but god willing they'll also be making good backups and won't suffer catastrophic data loss, else they've lost all their passwords.
I know it's taboo to write passwords on post-its. At an office I'd agree that post-its and the undersides of staplers are the worst places ever to keep passwords. But why is it so bad at home? If someone breaks into your home, wouldn't you try to change as many passwords as you can remember just to be safe anyways?
Many years ago, I worked on a secret DoD project in a room with a cypher lock, which only had digits to choose from. The password was 1234. One day, we came in after a weekend, and discovered that the wall next to the door was missing. When we dutifully reported the problem to security, we learned that contractors had been in over the weekend doing some work that entailed removing the wall, and they didn't replace it when they were done. I suspect that either the construction contract didn't require the replacement of the wall, or the contract was a fixed bid, and they 'ran out of money', like the robocops chasing THX1138.
---
Google returns over 50M results on a search for political short stories. Why is my blog first?
I personally have an alphanumeric password string with the aforementioned coding system that I convert some characters into leet for my password, retaining the alphanumeric as a fallback. The central problem that I now encounter is when several sites fail to accept passwords that are too short or that are too long.
I don't generate a new password for every site, although I have thought about moving to pattern-based passwords for different sites along the lines of taking a password and integrating the first two letters in a non-obvious way. Something like 12s34l56 for slashdot and 12a34m56 for amazon (with a real password...not 123456). Don't do it an obvious way...no passslashdot7, passebay7, passamazon7 as it would make it immediately obvious to anyone looking at your password what your google password would then be.
Since I don't do that...I instead use password tranches until I actually make the switch. I've got some crap password that some of my friends even know--easy to type, easy to crack--that gets used for things like the screen lock on my desktop and what are essentially public shares on my home network. As things move up in importance, they get better passwords.
On a side note, whenever a bank or something gives you a login where you have to choose a picture and a phrase to be displayed at login, does anyone else pick something like a picture of a daisy and the most gratuitously awful phrase you can think of? No phisher is ever going to try to fake that and I secretly wonder if the customer service people can see it when I talk to them on the phone.
Bottles.
However, some sites _require_ special characters, while others _forbid_ it, etc, etc.
Indeed. Oddly enough, my WoW account allows for a stronger password than my bank account.
I use passwords from a long-dead language that very few people know, so they are almost as good as a random password, but easy for me to remember.
Many computer keyboards and laptops (even a good enough webcam) can use biometrics to grant access.
The laptops we have here at work all have fingerprint scanners, eliminating the need to remember the password. A webcam can take a picture of the user (not a retinal scan, just a regular picture of the face, though to protect against someone using a photo, a panoramic shot is usually used and the user turns head in left/right directions to snap the sides of head too) and compare that against a database.
Where I work, our signature on paper, and electronic, is very important, so I usually have to type in a password 20 times a day. Having a long and awkward one is great, but I rarely need to type it as I can scan my fingerprint.
Websites should start offering this feature too, though there would be issues regarding who you would trust your one, universal, password with. A PasswordPal (Paypal) service should be created so that you can trust your password with one secure, insured and trustworthy group, and the other sites would operate with some sort of single sign-on. So if you log in to your computer then that IP becomes you wherever you go.
I hope that functionality such as this gets incorporated into the new version of the internet that is in the works.
Some of us want to type our passwords on different language keyboards. #$#% are amongst the first to move (y's and z's are bad too).
something like "rotate the names of the days of the week, plus the last name of the person who lives in the apartment number of the numerical value of the day of the week we are on"
or "the last name of the person in the next cubicle, moving east and north from the southwest corner of my floor plus a numerical value on a scale of 1 to 4 of how much i dislike that person"
or whatever
even if you forget which particular day of the week you are on, or what cubicle you are up to, you still have a pretty good idea of approximately where you left off, so you try a few passwords plus or minus where you think you are in your sequence/ cycle if you can't login. you should get it in 3-4 tries
the number and kinds of algorithms are endless, only your creativity is a hurdle. and it really is easier to remember than dozens of passwords, and just as effective as a unique complicated password for each site/ sequence of changing passwords
you can even remember 3-4 different wacky algorithms. say a weak algorithm for your social networking sites (where a weak algorithm still generates unique, strong passwords for dozens of sites), and some really far out algorithm you rotate for your bank website
Which of the following is a better password: "v6@!Tt3#" or "The name of my dog is Spot." ? 8 chars vs. 27 chars. The *length* of the password is more important than the complexity of the password. And users are more likely to remember (and not write down) a pass phrase.
I use 3-4 base passwords that change over time (as I reset passwords I phase in new keywords and remove old ones). To those I add the required symbols, numbers or capital letters that each site requires to get in. Anyone unfamiliar with a site's password option, even if they know my keyword, will struggle with the exact letter/number/symbol combo I used for that particular site. And like the parent I also don't use the same pass for facebook as for my bank. Banking gets one theme, social networking gets another, games get another... I even have a default, less-secure password I use when I need to register for, say, a news site that I want to leave a single comment on, because I'm unlikely to make frequent visits, but if I do come back and attempt to log in I'll remember it.
I'm sure it's not the most secure method, but I rarely log in where someone could shoulder-surf and I don't share passwords, and thus far those basic precautions have served me well. I change my passwords when I feel it is necessary, and dislike forced changes (our school network forced a change every 6 months; I alternated between two basic passwords every time, because the first time I deviated from that I forgot and it took a full 24 hours to re-set through their system).
I often wonder how much stronger passwords could be if the word "password" wasn't used to describe them and wasn't what users thought of when coming up with login credentials. You can solve many weak password issues if you train your users that they are creating a "passphrase" NOT a "password". A way to do this (that's easy for users):
1) Think of a phrase that you can memorise but is unique to you (ie: not common or easily guessable). Bonus if guessing that phrase would require intimate knowledge about you.
2) Take the first letter of each word (bonus points if you take second, or third, etc.)
3) Replace some of the letters with numbers/capitals/symbols (ie: cipher it)
So, for example:
1) "I do two sets of six pushups when I workout"
2) idtsospwiw
3) id2$o6pwiW
It will take entering it several times to develop the coordination until entering this becomes natural, so practising it on the keyboard is a good idea. But "id2$o6pwiW" is MUCH more secure than "workout123" and it is something that can be easily memorised since they're really just memorising "I do two sets of six pushups when I workout" (which is something they already know) plus the minor tweaking of the characters they are entering.
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
Many years ago, the Amdahl UTS admins sent out an email to all developers, stating "We've changed the admin password for the development machines, and we can't tell you what the new password is because it's a secret." I rushed to try logging in as admin, and sure enough, their new password was "Asecret"!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I have a credit card with Chase: they don't even allow non alpha-numeric characters in their passwords. What possible reason could they have for limiting characters to letters and numbers?
As long as you keep it encrypted with a sufficiently strong key, is it really any different from using "one-and-only strong password for many sites"?
"I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
If you see an access point running WEP (yes, they are still this retarded) the key is all numbers in the obvious sequence.
Most of the time, I don't care about the supposed security.
You have to create an account for some random forum to read a comment? You'll never probably log in again? Even if you go there once in a while, do I really care if someone discovers what my password is?
Do I have a secure and unique password for my bank account? Sure.
My Facebook account? Yes.
My Slashdot account? Maybe.
My somerandomforumthatmademeregistertoseeapic.com? "password". Or "Password", "password1", "Password1!", if the admin is paranoid.
Is it secure? No.
Who cares?
Utilities (such as the Password Hasher addon for Firefox) neatly sidestep the "catastrophic data loss" problem by using a hashing function to combine the single strong master password with the site's domain name (or other key you choose) to create a different, strong password for every account.
Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD
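The per-site derivation described in the post above, as an added example that is not the Password Hasher add-on's own code: it keys HMAC-SHA256 with the master password over the lower-cased domain (an assumed scheme) and encodes the digest so the result satisfies a typical lower/upper/digit/special policy, with an alphanumeric-only mode for sites that forbid symbols.

```python
"""Derive a different password for each site from one master secret.

Added example in the spirit of the Password Hasher add-on named above; it is
not the add-on's own algorithm. Assumed scheme: HMAC-SHA256 keyed with the
master password over the lower-cased domain, encoded so the result meets a
typical "lower, upper, digit, special" policy without storing anything.
"""
import hashlib
import hmac
import string

ALNUM = string.ascii_letters + string.digits
SPECIALS = "!@#$%^&*"


def site_password(master: str, domain: str, length: int = 16,
                  allow_special: bool = True) -> str:
    """Return a deterministic per-site password of `length` characters.

    `length` is limited to 4..24 so that the 32-byte digest has spare bytes
    for the class fix-ups below. Sites that forbid symbols (several posters
    mention banks) get allow_special=False and a purely alphanumeric result.
    """
    if not 4 <= length <= 24:
        raise ValueError("length must be between 4 and 24")
    digest = hmac.new(master.encode("utf-8"),
                      domain.strip().lower().encode("utf-8"),
                      hashlib.sha256).digest()
    # Bytes 0..length-1 become characters. 256 is not a multiple of 62, so
    # this modulo map has a slight bias; acceptable for a demo, but note it.
    chars = [ALNUM[b % len(ALNUM)] for b in digest[:length]]

    # Guarantee one character from each required class. Positions come from
    # the tail of the digest so they vary per site instead of always being
    # the first few characters; fix-up characters come from digest bytes
    # not already consumed above.
    required = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if allow_special:
        required.append(SPECIALS)
    positions: list[int] = []
    for tail_byte in digest[::-1][:len(required)]:
        pos = tail_byte % length
        while pos in positions:          # keep the chosen positions distinct
            pos = (pos + 1) % length
        positions.append(pos)
    fixup_bytes = digest[length:length + len(required)]
    for pos, charset, b in zip(positions, required, fixup_bytes):
        chars[pos] = charset[b % len(charset)]
    return "".join(chars)


def meets_policy(password: str, require_special: bool = True) -> bool:
    """Check the policy the derivation promises to satisfy."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)
    return has_lower and has_upper and has_digit and (has_special or not require_special)


if __name__ == "__main__":
    # Constructed master secret for the demo; a real one stays in your head.
    for site in ("example.com", "Example.COM", "example.org"):
        print(site, site_password("correct horse battery", site))
    print(site_password("correct horse battery", "bank.example", allow_special=False))
```

Because nothing is stored, the master secret is the only thing to back up, which is the "catastrophic data loss" point the post makes; changing it changes every derived password at once.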
Your point about the importance of the password seems not to be analyzed much in rockyou.com data. Has anyone gone to rockyou.com to see what it is? If I was a member of that site, my password would be my weak easy throwaway because the site isn't that important. If it was banking, or the password for my encrypted data backups, that's a completely different matter. But junk sites don't require much more than junk passwords.
What changed under Obama? Nothing Good
My favourite algorithm for passwords is the classic first letter of each word in a phrase. My standard example is "Tbontb,Titq!". It looks like garbage if anybody watches over your shoulder while you type it, but you think "To be or not to be, That is the question!". You remember it. They don't.
No, I have never used this as a password on any system.
...laura
that is the one i always try first....
I thought 'god' was the most common password. Stupid Angelina Jolie...
There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
I've been playing around with the password file, and there are some gross errors in the report.
First, their top 20 list has many passwords with capital letters, where none actually exist in the 'real' top 20. Also, their numbers are off. I am guessing they used a case-insensitive match, which for most passwords will not work. The 'real' top 20, with case respected, is:
290729 123456
79076 12345
76789 123456789
59462 password
49952 iloveyou
33291 princess
21725 1234567
20901 rockyou
20553 12345678
16648 abc123
16227 nicole
15308 daniel
15163 babygirl
14726 monkey
14331 lovely
14103 jessica
13984 654321
13981 michael
13488 ashley
13456 qwerty
You can download my list of all common passwords used by more than 1000 people at http://www.secure-computing.net/files/count_gt_1k.txt (1KB file) which maintains case. A file without the counts is at http://www.secure-computing.net/files/gt_1k.txt for use with john, etc.
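The re-count the poster describes, as an added example (not the poster's own scripts): it tallies a plaintext dump both case-sensitively and case-folded to show how folding inflates counts and reorders the top N, reports the per-class fractions behind the "under 4% use non-alphanumerics" figure, and emits a case-preserved wordlist above a count threshold. The dump is constructed sample data, not the RockYou file.

```python
"""Re-count a plaintext password dump with and without case folding.

Added example for this thread (not the poster's scripts): it shows how a
case-insensitive match inflates the counts and can change the top-N order.
The dump below is constructed sample data, not the RockYou file; a real run
would read one password per line from the leaked text file.
"""
from collections import Counter

# Constructed sample, one plaintext password per line (not real breach data).
SAMPLE_DUMP = """\
123456
123456
Password
password
password
PASSWORD
iloveyou
Iloveyou
qwerty
p@ssw0rd!
Tbontb,Titq!
123456
"""


def load_passwords(text: str) -> list[str]:
    """Split a dump into passwords, keeping case and internal spaces.

    Only genuinely empty lines are dropped; a password made of spaces is
    kept, since the dump is taken verbatim.
    """
    return [line for line in text.splitlines() if line != ""]


def top_n(passwords: list[str], n: int = 20,
          case_sensitive: bool = True) -> list[tuple[str, int]]:
    """Return the n most frequent passwords as (password, count).

    With case_sensitive=False, 'Password' and 'password' are merged under the
    lower-cased spelling, which is the effect the poster suspects in the
    vendor report.
    """
    key = (lambda p: p) if case_sensitive else str.lower
    counts = Counter(key(p) for p in passwords)
    # Sort by descending count, then alphabetically so ties are reproducible.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def char_class_fractions(passwords: list[str]) -> dict[str, float]:
    """Fraction of passwords containing each character class.

    'special' is anything that is not a letter or digit; the thread's
    summary quotes that figure as under 4% for the real dump.
    """
    tests = {
        "lower": lambda p: any(c.islower() for c in p),
        "upper": lambda p: any(c.isupper() for c in p),
        "digit": lambda p: any(c.isdigit() for c in p),
        "special": lambda p: any(not c.isalnum() for c in p),
    }
    total = len(passwords)
    if total == 0:
        return {name: 0.0 for name in tests}
    return {name: sum(1 for p in passwords if test(p)) / total
            for name, test in tests.items()}


def wordlist_above(passwords: list[str], threshold: int) -> list[str]:
    """Case-preserved passwords used by more than `threshold` accounts,
    most common first, like the count-free file offered in the post."""
    return [p for p, c in top_n(passwords, n=len(passwords)) if c > threshold]


if __name__ == "__main__":
    pws = load_passwords(SAMPLE_DUMP)
    for label, cs in (("case-sensitive", True), ("case-folded", False)):
        print(label)
        for pw, count in top_n(pws, n=5, case_sensitive=cs):
            print(f"{count:>8} {pw}")
    print(char_class_fractions(pws))
    print(wordlist_above(pws, 1))
```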
PC Magazine had a utility called "Password Prompter" that offered this feature; it also has a random password generator, a place to store notes and several other fields. They also included the C++ source. A quick Google search finds it. It doesn't have to be installed, just run it from the folder.
I haven't been interested enough to check the security of it -- it's inside a VM which is only open when I'm at work so I'm not too worried about it. If you don't like that one there are probably hundreds or thousands more, or build your own.
What's wrong with:
gpg -d mypassfile.txt.asc
and
gpg -seao mypassfile.txt.asc -rme -ume mypassfile.txt; shred -uvz mypassfile.txt
provided you don't have ~/.gnupg on an SSD or flashdisk?
I'm not trying to be snarky here. I'm really curious why you'd go to the extra trouble of using something -else-
I use "low security" passwords at multiple sites. /. where in the grand scheme of things it doesn't matter if I'm compromised.
I have 4, to satisfy the most common requirements of pwd utilities. I use these at sites like
Then I have unique passwords for all financial sites like amazon.
Finally I have hard passwords. I only can remember one, and it is to a TC volume on a USB key. I keep the key with me (and have several backups). This is for domain pwds, bank pwds, google account, etc. where there would be real harm possible.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
I managed to obtain a copy of the list, and have been doing some analysis on my blog http://reusablesec.blogspot.com/ with more to come. You can find a list of the top 100 passwords from the RockYou disclosure here: http://reusablesec.blogspot.com/2009/12/rockyou-32-million-password-list-top.html I've also been analyzing more lists such as the 10k Hotmail list that was released a couple of months ago. As for the recommendations that Imperva made, I think they are too tough on the users. Let's be honest, someone could have had a 28 character passphrase and it wouldn't have helped them since Rockyou stored all the passwords in plain text. For most people, online password cracking isn't the main problem. Phishing/keystroke loggers are much more prevalent, (due to their low cost to attackers). What this shows though is you really need to have different classes of passwords. You don't have to remember a different password for every site, (which is almost impossible without using some keyvault program), but you should use a different password for your webmail/bank accounts compared to all of the other sites.
I think Shulman is missing his own point.
"The problem has changed very little over the past 20 years, explained Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. It's time for everyone to take password security seriously; it's an important first step in data security."
So 20 years later we still have all of the exact same problems? The lesson here is _not_ that "it's time for _everyone_ to take pw security seriously". The lesson is that the basic mechanics of passwords don't work. I'm sure they tried to take pw security seriously 20 years ago. The average user doesn't understand the math behind making a complex password. Password requirements add to the confusion: one pw changes every 3 months, another 4, some must use mixed case, others 2 numbers and a special character, and don't write it down, etc., then throw in some password fields that cannot use special characters, my bank pw cannot start with a number, can't reuse a pw for 12 uses, and the result is simplified, easier-to-remember passwords. Same as the last but add a '1' at the end, increment to '2' in 3 months.
Old Dakota wisdom says that if you are riding a dead horse, get off. Shulman seems to think that if we just get serious and dig in our heels we can suddenly get the dead horse to trot. Meanwhile management will ignore Shulman and instead decide to double the horsepower-- by buying another dead horse.
---
If I told you how I make my passwords, I'd have to kill you.
Oh Crap, I'm an optimist.....
Former zipcodes and telephone numbers. Pretty easy to remember 15 digits this way. Some systems won't accept all digits.
Words in obscure languages. They mean something to me, but not to standard dictionary attacks.
I do tech support, the best PW idea I ever heard was from a customer who used ALT key and numeric keypad to get non keyboard characters in his PW.
Pass phrases: Stronger. More easily remembered. Just stop using the word "password" altogether. It gives people the wrong idea.
I have asked this a couple times before, but I still have not been able to find a good answer.
What happens with passwords in other languages, and more specifically forcing the use of UTF-8 double bit characters? What about using passwords in multiple languages?
Most brute force password cracking at least uses a dictionary to get at the low-hanging fruit, so why not increase the size of the dictionary? What are there, like a million words or something like that in the English language (guess) vs. millions in Chinese?
It would seem just branching out to Spanish, German, or whatever combinations would greatly decrease the success of brute force attacks.
Living in Chile
However, some sites _require_ special characters, while others _forbid_ it, etc, etc.
Indeed. Oddly enough, my WoW account allows for a stronger password than my bank account.
I no longer play WoW, but I still have an authenticator hanging above my monitor. Wish my bank supported tokens.
Do you Gentoo!?
One of my passwords is 8 characters, all alphanumeric, but completely random (no mnemonic, no word). There's no dictionary to give it to you. Brute force on ~2e14 (26+26+10=62, 62^8) possible passwords? Be my guest.
Even if there were no repeats (and the attacker *knew* there were no repeats), that's still 62!/54! possibilities, ~1e14. If the attacker could guess a *million* every second, that's like three years to search exhaustively (so, given a uniform distribution, the expected time is about a year and a half).
There is a very simple way to prevent 100% of brute force attacks. Permanent/temporary lockout after 3 failed attempts. It's a lot harder to make 100 million guesses when you can only make 3 per day.
"remember only this algorithm except for site xyz and site abc" is still a lot easier than "for 46 different sites, here is what i have remember uniquely for each one..."
As long as you keep it encrypted with a sufficiently strong key, is it really any different from using "one-and-only strong password for many sites"?
Yes.
When using one-strong-password for many sites you can't verify the security measures used to protect that password at any given site. They could be storing your password in plain text for all you know. Once one is compromised and linked to your personal information, that could potentially be used by an attacker to access other sites you use.
By using a keyring where only you have access to its password and how it's being treated (ie. not on some remote website), you avoid that problem.
This doesn't tell us anything about how people use passwords in important situations. I use crap passwords for crap sites like rockyou.com. For any site I actually care about (banks, gmail) I use really good passwords (well, as good as they will let me use, some banks still don't allow non-alphanumeric characters). So all this study really tells us is what password people use when they don't give a crap.
That's why I set my driver's license address to a PO Box. It was actually my hemi-geek wife who convinced me to do it; she had been doing it for ages.
When people ask, I say, "Why, yes, I do live in a tiny Post Office box."
I suspect, though, that many jurisdictions will not allow you to have a PO Box as the address on the driver's license.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
I agree about using KeePass. The data file is encrypted, it works on Windows, Linux, OSX (you have to install X) and they are working on a version for the iPhone and some other smart phones. I have been moving to strong passwords on any and all sites I use knowing that I have them all available in KeePass. A really great program.
Nothing remains as constant as change.
If your password looks like this sentence, then you should be okay even if you do not include the punctuation.
^^-- do not use this example as your password.
The key to good alpha-only passwords is they have to be long and hard to guess.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I don't play WoW, but my most recent account that forbids special characters is, surprise, a bank account. :-P
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
I suspect, though, that many jurisdictions will not allow you to have a PO Box as the address on the driver's license.
If they did before, they probably stopped some time in the last decade.
It is not just the mandatory password changes that increase the mess. It is also that each and every site has different validation rules.
Yes, and some get incredibly arcane and frankly, idiotic. A few years back, I needed to get the password reset on a school email account. I don't know why my old password wouldn't work, and the tech couldn't explain it to me. I went in to reset it manually.
I started entering in one of my rather long (15+ character) passwords that I often use, along with non-alphanumeric characters. (I have variations for generating alphanumerics when I need them for websites, etc.)
But it didn't complain about the non-alphanumerics or the length. It complained that I had some string of three letters in a row that was a "word," and thus was vulnerable to a dictionary attack. Okay, so I tried another long password that I knew didn't have a three-letter actual "word" in it. Again, it complained about this three-letter "word," even though it isn't actually a word... it's simply a three-character string.
While I agree that having a long string of alphabetic characters in the midst of a short password is insecure, it surely doesn't matter within a 15+ character password that includes a bunch of numbers, capitals and lowercase, and non-alphanumerics.
Yet the system wouldn't accept any of my passwords or their variants, even though any password-strength meter would say that they are extremely secure.
So eventually I entered an 8-character alphanumeric password composed of only lowercase letters and numbers that I knew I could remember on the spot, and it said okay, because I didn't have three letters in a row.
Later that evening, I changed my password to something better. But when I looked at the online guide to selecting a password for this institution, ALL of the passwords it gave as examples wouldn't actually be accepted by the system.
And this is at one of the best universities in the US....
If this is the case, isn't that sort of similar to the "Chuck Norris" password that Facebook used, only less secure?
wifi is not secure people.
So... Like many people with half a brain I set different passwords for different things. For my on-line banking I have a solid proper password you *can't* guess or brute-force. For myspace, random sites, occasional web-mail I use different easy to remember passwords because I care less about being compromised and more about being memorable. Unless your baseline assumption is that people use the same passwords for meaningless services as for critical services, this kind of analysis is very hard to draw conclusions from. Now, if this had been an analysis of the same number of passwords from an on-line banking service I'd be *much* more interested...
The problem is compounded by the fact that many sites will force you to use fairly short passwords. Yes, !qAyXsW2 is immune to a naive dictionary attack but so is please turn on your magic beam*. The latter has the advantage of being easy to remember but won't work on many sites with policies that restrict passwords to eight to eleven characters because apparently they don't want to pay for the extra storage space they'll need to store the hash of a longer password.
* Why yes, I do have Mr. Sandman stuck in my head right now.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
What do you do if you are at a friend's house and need to check your bank statement?
Do you do your banking at friends house regularly? If you do, having a weak password is the least of your worry ...
I use GPass on ubuntu ( http://projects.netlab.jp/gpass/ ) - I love the way its simple password generator works. Plus its only 1 file I have to keep synced between different computers ...
Less than 4% of my passwords protect anything I care about. Most are to protect sites from spam users or to elicit demographic data from me. They don't protect me. It is no loss to me if someone uses my registration to their system.
Even my ATM card pin, a very uncommon 4 digit number, is of no real need of protection. I've had my accounts hacked in some of the big security leaks and the bank absorbs the loss.
Correctly, that should read "fewer" than 4%. But grammar aside, that's unbelievable. I guess 96% of people just don't care whether they have a secure login or not. My most secure password belongs to my World of Warcraft account. Oh shoot, I'd better go change it. >.>
Not possible here because it's a legal document and such documents require a real address.
Before you ask, yes, in my country you have to register with the government when you're moving and deposit your new permanent address, not doing it violates the law. It didn't occur to me that this is kinda invasive 'til a friend in the US asked how I could live in such a fascist country...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I carry a portable version of KeePass on a USB drive. Of course, I keep the KeePass database encrypted.
Studying users' passwords isn't new, but it might be argued that your password (no matter how strong) is totally useless if a server can just hand it out with 31,000,999 others at the same time to anyone who asks.
I find it easiest to remember a keyboard pattern. Something like every third character on a row of the keyboard. So your password could be something like:
cn,3^9dDHLeyo]
When you need a new password, just shift your pattern over a key.
Barely, remotely similar, yes, but not at all less secure. To begin with, that was a master password into other people's stuff, whereas in this case I have full control over my own password management. And I don't know if they come right out and say it in the instructions, but the idea is that you don't use the name of a celebrity and/or recent internet meme as your "strong master password".
It's no less secure than using OpenID or similar to access many different sites.