Slashdot Mirror


Analysis of 32 Million Breached Passwords

An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non-alphanumerics in their #$#%'ing passwords.

14 of 499 comments

  1. Re:Password strength vs. how often you change it by mrcaseyj · Score: 4, Funny

    For places that require password changes I'd suggest taking a very long base password with a month appended and hashing it, then converting the hex hash into printable characters. Maybe something like this:
    echo -n "LongUnchangingBasePasswordSiteNameJan2009" | sha512sum | xxd -r -p | tr -cd '[:print:]'
    This has the advantage of being highly secure and easily memorable, but someone shoulder surfing your password wouldn't be able to figure out what your password is next month. People more familiar with Windows could suggest a command available on that system. Be careful to do this on a computer where the command will not be stored in a command history.

    I'm planning to go all lower case with my passwords though. I'll have to make my passwords 50% longer, but I think they'll be easier to type and almost as easy to remember as totally random ones. In fact my error rate with the totally random ones is an issue with shoulder surfing because I make mistakes and have to retype it so often, giving shoulder surfers repeated sightings, and because the numbers and symbols and shifts slow me down.
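The derivation mrcaseyj sketches above, written out as an added Python example (not code from the thread); it also goes beyond the one-liner with a fixed-length base64 variant and a policy check, because the printable-byte filter yields a different length every month. The base secret, site name and month labels are constructed sample values.

```python
import base64
import hashlib

# Constructed sample values (not real secrets): a long base secret, a site
# name and a month label that changes at every forced rotation.
BASE_SECRET = "LongUnchangingBasePassword"
SITE = "SiteName"


def derive_printable(base_secret: str, site: str, month: str) -> str:
    """Mirror the shell one-liner: SHA-512 of base+site+month, keeping only the
    digest bytes that are printable ASCII (0x20-0x7E, what `tr -cd '[:print:]'`
    keeps in the C locale). Length varies from month to month because each of
    the 64 digest bytes survives the filter with probability about 95/256."""
    digest = hashlib.sha512((base_secret + site + month).encode("utf-8")).digest()
    return bytes(b for b in digest if 0x20 <= b <= 0x7E).decode("ascii")


def derive_fixed(base_secret: str, site: str, month: str, length: int = 20) -> str:
    """Variant that avoids the variable-length problem: base64-encode the whole
    digest and truncate, so every rotation yields exactly `length` characters
    drawn from A-Z, a-z, 0-9, '+' and '/' (about 6 bits of entropy each)."""
    digest = hashlib.sha512((base_secret + site + month).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def meets_policy(password: str, min_len: int = 10) -> bool:
    """Typical corporate rule: minimum length plus at least one upper-case
    letter, one lower-case letter and one digit. A derived password is not
    guaranteed to satisfy this, so check it before adopting it for the month."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def rotation_report(base_secret: str, site: str, months: list) -> dict:
    """Summarise a run of rotations under both derivations."""
    printable = [derive_printable(base_secret, site, m) for m in months]
    fixed = [derive_fixed(base_secret, site, m) for m in months]
    return {
        "printable_min_len": min(len(p) for p in printable),
        "printable_max_len": max(len(p) for p in printable),
        "printable_all_distinct": len(set(printable)) == len(printable),
        "fixed_all_distinct": len(set(fixed)) == len(fixed),
        "fixed_policy_failures": sum(not meets_policy(p) for p in fixed),
    }


if __name__ == "__main__":
    months = [m + "2009" for m in ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                   "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")]
    for m in months[:3]:
        print(m, repr(derive_printable(BASE_SECRET, SITE, m)), derive_fixed(BASE_SECRET, SITE, m))
    print(rotation_report(BASE_SECRET, SITE, months))
```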

  2. Your account has been breached. by Anonymous Coward · Score: 1, Funny

    How else do you explain all these people posting as "Anonymous Coward"?

  3. Re:Have they released the list anywhere? by Anonymous Coward · Score: 1, Funny

    "love", "secret", "sex", not necessarily in that order. And don't forget "god". System operators love to use "god".

  4. 12345? by selven · Score: 2, Funny

    That sounds like a combination that an idiot would put on his luggage.

  5. Obligatory Spaceballs Reference by Pollux · Score: 5, Funny

    Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    -----

    President Skroob: What's the combination?
    Colonel Sandurz: 1 - 2 - 3 - 4 - 5.
    President Skroob: 1 - 2 - 3 - 4 - 5?
    Colonel Sandurz: Yes.
    President Skroob: That's amazing! I've got the same combination on my luggage!

  6. Re:Have they released the list anywhere? by QuantumRiff · Score: 5, Funny

    Post it here, I'll check it for you. Don't worry, Slashdot blanks your password.

    My password is *******

    See, blanked out!

    --

    What are we going to do tonight, Brain?

  7. Re:Password strength vs. how often you change it by Anonymous Coward · Score: 5, Funny

    .., followed by "1111" then "2222" then "3333" and so forth...

    Don't you mean so 4444th?

  8. Re:Password strength vs. how often you change it by Opportunist · Score: 5, Funny

    Hey, I used to use a password that could be found on my coworker's monitor, in plain view. I had the idea when they required me to come up with a secure, 10-digit-or-more password containing alphanumeric characters and his monitor's serial number fit the bill.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  9. Re:Why does password strength matter? by marcobat · Score: 3, Funny

    Someone in Russia can just hack into an FBI account using some IE or PDF hole, then send a false subpoena to gain access to my account. The subpoena will never be looked at twice or reviewed by anyone and my provider will promptly comply. There is no escape :-)

  10. Re:Password strength vs. how often you change it by pastafazou · Score: 3, Funny

    That's nothing. At my job, the passwords are randomly generated, so nobody has any passwords OR smart cards/PINs to steal. We have to use a password removal tool to reset the password to "12345" just so we can log on in the morning!

  11. Re:Have they released the list anywhere? by bcmm · Score: 4, Funny

    hunter2

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.

  12. Re:Have they released the list anywhere? by Anonymous Coward · Score: 3, Funny

    Wonderful, mine is also blanked out: hunter2 :)
    See?

    Obligatory bash.org reference: http://www.bash.org/?244321

  13. Re:Password strength vs. how often you change it by zorg50 · Score: 2, Funny

    Hopefully he doesn't decide to get a new monitor any time soon.

  14. Re:Password strength vs. how often you change it by Anonymous Coward · Score: 3, Funny

    Luxury! At my job, every morning we have to beat a confession out of a captive Yorkshireman, and hash that with each employee's ID number.