75% Use Same Password For Social Media & Email

wiredmikey writes "Over 250,000 user names, email addresses, and passwords used for social networking sites can easily be found online. A study of the data collected showed that 75 percent of social networking username and password samples collected online were identical to those used for email accounts. The password data was gathered from blogs, torrents, online collaboration services and other sources. It was found that 43 percent of the data was leaked from online collaboration tools while 21 percent of data was leaked from blog postings. Meanwhile, torrents and users of other social hubs were responsible for leaking 10 percent and 18 percent of user data respectively...."

Passwords

[geek]

As long as passwords remain the central method of authentication, this will continue.

Re:Passwords

My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

Re:Passwords

[Captain+Splendid]

Shame this isn't ten years ago. You coulda got some VC funding for that idea.

Re:Passwords

[Abstrackt]

My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

What if they are gay? ;)

Your comment reminds me of the best password policy I've ever heard: offensive gibberish. If someone's password is suitably embarrassing odds are quite good that they won't share it with anyone.

Re:Passwords

[jDeepbeep]

So... being gay is both offensive and embarrassing?

Re:Passwords

[Beardo+the+Bearded]

hunter2

Re:Passwords

[hviniciusg]

See, i only see *******, i love this slashdot security mechanism. you could not see the guy password :D

"Leaked"?

[Pojut]

So wait...how exactly did they get hold of passwords?

Re:"Leaked"?

[KnightBlade]

While I was studying Info. Sec. at my univ, my professor at the time told the class about this research they had about passwords. They were going around gathering statistics by asking random people questions about their passwords- length, number of special characters, if they used the same passwords, the number of times they changed them and so on. He said what amazed him was that one in every 5-6 people would just tell them their password and ask is that good enough?

Re:"Leaked"?

[BergZ]

It's pretty amazing just how much of the world is based on trust isn't it?

Re:"Leaked"?

[ConceptJunkie]

It's pretty amazing just how much of the world is based on trust isn't it?

And it's equally tragic that it can't.

I don't think it's so much that people automatically trust each other, although that's certainly the case sometimes, it's more like it never occurs to too many people, unfortunately, that what they divulge could cause problems in the wrong hands.

For many years now, when someone asks me for information, my first thought is not to give the information, but to consider why I don't want to give it to that person. And I don't consider myself particularly paranoid with respect to what I share.

It gets tiring after awhile. Modern life in the 21st century requires a level of vigilance regarding information that probably never existed outside of the military, national security apparatus, law enforcement or some elements of business before a couple decades ago.

"Loose lips sink ships" was a common saying during World War II, but nowadays everyone must practice that level of vigilance over their own information all the time merely to be safe from criminals.

Re:"Leaked"?

[Securityemo]

Link to full description of the experiment: http://www.malwarecity.com/blog/the-limits-of-privacy-is-this-your-password-865.html

Re:"Leaked"?

[aGuyNamedJoe]

It's pretty amazing just how much of the world is based on trust isn't it?

Especially since, at least in the US, we seem to have been making crime stories the prime entertainment for decades, and there's a lot of money made from fear mongering.

Re:"Leaked"?

[fishbowl]

>"Loose lips sink ships" was a common saying during World War II

And today we know *way* too much, in way too much detail, about the location and movement of troops, their morale, reports of their actions, etc.

Re:"Leaked"?

[e065c8515d206cb0e190]

I think the whole driving/road system is based on trust and it works quite well. It's potentially a very dangerous environment where the penalties for being reckless are not as bad as the potential damage you can cause. And yet it somehow works.

Btw I have to agree with one of the posts above, having your password be very offensive usually prevents you from sharing it at all. I do have such a password somewhere, and was horrified when a friend of mine cracked it.

Re:"Leaked"?

[plover]

It's not so much about trusting a person. Although that's an exploitable component for social engineers, social engineering is fairly rare, and it doesn't scale well. It's really about the machines in which we place that trust, and how those machines can be hacked. That's the easy part to scale up.

Hackers (specifically criminal types) operate on statistics. They don't care so much "which" websites they break open, they care about breaking into "some" sites and harvesting what can be found there. They also harvest the easy stuff: cleartext passwords, cleartext account numbers, etc. They won't run a deep password cracker on a million accounts, but they might run a simple /usr/dict/words kind of scan.

Of course once you've broken a thousand passwords on socialsite.com, you can try correlating those to majorbank.com and amazon.com and all the other potential sources of money. Again, you don't care if 900 out of a thousand fail, because you can still effectively steal from the 100 that remain.

Re:"Leaked"?

[socz]

And today we know *way* too much, in way too much detail, ...

That sounds like an argument for why porn should NOT be put on bluray and in HD!

Re:"Leaked"?

[natehoy]

I suspect it has more to to with the progression of concepts.

Weapons: I had a rock, then I had a sling, then I had a bow-and-arrow, now I have a gun. I'm still hitting a target with a projectile. I take an action, something moves in roughly direction I tell it to, person or thing on other side hopefully develops a hole or wound where I intended. The method of projection and controls have changed, but the concept is the same (ready, aim, fire, yay! hit, shit! miss, target dead, target wounded, target VERY PISSED OFF).

Transportation: I had feet, then I had shoes, then I had a horse, then I had a bicycle, then I had a car. Again, still moving about, going 2 kilometers and turning left just takes less time but is the same concept. I take an action, something moves in roughly direction I tell it to, I hopefully get where I wanted to go. The controls have changed (legs->reins->handlebar->steering wheel) but the concepts aren't different (go, stop, turn left, turn right, etc).

Computers. I "power up" my "PC" and "monitor" and wait for my "desktop" in "Windows" to appear so I can "drag" a "cursor" then "double-click" on an "icon" on my "monitor" with a "mouse" to "open a window" so I can use a "program" called a "word processor" to write a "document" that is "saved" on a "subfolder" on an "external storage device" called "E:\" so I can "eject" the device before I pull it from my "USB port" on the USB "hub" that is plugged into my "case" and give it to a friend who can't read it because he uses "Office" on a "Mac" and my computer runs "Windows" so I needed to save it using a different "format" but I want to make sure not to "format" the "external storage device" to change the "format" but to "reopen" it and save it with a different "extension" and "file type".

That sentence made perfect sense, right? Of course it did. To you. But that's a shitload of novel concepts that someone who hasn't spent at least a few months in front of a computer to absorb in one sitting, yes? And that's all to write one document and save it. Nothing complex at all.

Few of these concepts have a pre-computer meaning, and when they do the analogies are distant and vague. The keyboard is analogous to a typewriter, but lacks the immediacy of space or the tactile "I push a letter, hear a bang, letter is on the paper in front of me".

It's not only that computers are new, but that they are completely new. We're not going from handwritten paper to books. We're going from immediacy to abstraction, and doing different things, and trying to express what those things are with poor analogies to similar things we've done before.

Look at most humans in a court of law. Look at many people when confronted with an engine that needs to be rebuilt, or even oil that needs to be changed. Watchmaking? Woodworking? Carving? Rolling a Kayak? Aviation? Knitting? Skiing? There are a lot of things that look really complex until you take the time to understand them, then you understand that they ARE really complex but not in the ways you imagined, and that "the bits I thought were complex are simple, but the bits I thought didn't exist are fucking complex" feeling will cause your brain to occasionally slide to "OFF".

It's called "being overwhelmed with too much new information all at once, with no way for Ye Olde Monkey Brain to categorize it into the neat little categories it's been using for the last x years."

In the case of computers, particularly if it's something you have no personal interest in but are told by someone else you need to master it.

Use Password Hasher

[mbuimbui]

Use firefox extension's password hasher (http://wijjo.com/PasswordHasher). Then you only need to remember one password but can use it for a variety of sites. If any one site's passwords get leaked, you dont have to go around an update your password for all other sites.

Re:Use Password Hasher

And if you ever need to sign in from a computer that doesn't have firefox, and that extension, installed.....you are stuck.

Re:Use Password Hasher

[tool462]

In Tinfoil Hat Land, if you don't have FF installed, then it's likely not a computer you control*, and if it's a computer you don't control, then should you really be entering your password**?

* It must be a machine at work, friend or family member's house, public terminal like a coffee shop, public library, etc.
** If it's not your computer, you don't know who that computer has "been with". There could be key-loggers, cookie-trackers, syphilis. Who knows!?

Re:Use Password Hasher

[BJ_Covert_Action]

So I guess Chrome, Opera, Iron, Seamonkey, and dozens of other web browsers are completely insecure?

I know IE6 is a nightmare. I don't really pay attention to IE7 or IE8 because I don't use them. I know Chrome involves some privacy issues, and I suppose there is something that has to do with selective script management. From what I hear, however, Opera and Iron are supposed to be pretty damn secure. Also, SeaMonkey is supposed to be pretty decent. I can't talk about Safari because, like IE, I really don't care about it at all.

Of course, you prefixed your post with "In Tinfoil Hat Land..." so I suppose you were being somewhat sarcastic. But I am curious, do you really think FF is the only secure browser out there?

Re:Use Password Hasher

[defaria]

Not necessarily. In a word - LastPass.

Same password

[stewbacca]

I'd use the same password for everything if they all had the same basic requirements.

Re:Same password

[SQLGuru]

I use a set of passwords for varying levels of trust.

Highly secure passwords (usually site specific and follow good password rules) for banking, email, computer accounts, etc.
Medium secure passwords (usually follow good password rules but passwords may be used for more than one site) for trusted shopping sites (i.e. Amazon, etc.)
Medium-Low secure passwords (may not follow good password rules but still reasonably secure against dictionary attacks) for social media and for one-off shopping sites.
Low secure passwords (probably only stops low-motivated hackers, passwords re-used at multiple sites) for throw-away registrations and communities that have very little tie to my personal information

It's really more for convenience than security, but in areas where I need the security, I'll put up with the hassle.

Problem is lack of importance

[sarbonn]

The problem is that a lot of people don't perceive email or social networking sites to be all that important, yet EVERYONE wants you to create a password for practically everything you do. I don't need a password to sign onto a site to look at stereo equipment, yet they force you to create one on some of those sites. On gaming sites where all I do is talk about games, I don't need 50,000 passwords for the different ones cause I don't care if someone steals my password there.

I don't care that I don't have all that much concern for facebook's password. If someone takes my account, it would be unfortunate, but is it really the end of the world?

Places where it might cause me economic misfortunate, well, those I care about, but everyone out there thinks that their site is so important for passwords.

Some places, it's important. Others, not so much.

Re:Problem is lack of importance

[jim_v2000]

That's why I use three different passwords. One is for sites I don't care about...like registering for a forum that I only need once. The second is for things that I'd like to be more secure, like forums I visit often, Facebook, my person blog, etc. The third is for critical things like email, online banking, shopping sites like Newegg and Amazon, etc.

Yup, Probably true

[IndustrialComplex]

I'll give a bit of a hint here, I do the same thing, just with a slight variation:

Mostly-Trusted media sites get the same password (obviously vastly different user names)
Slashdot, Fark, Broadband Reports, etc

Then I have my pseudo-trusted sites with their own password group:
Demonoid, imageshack, probably others.

Non-trusted sites get a random junk password each access = reset password
ie: low accountability not tied to a company name with 2-3 visits/year

My email gets its own password of 10+ characters

Work gets its own password of whatever the hell rules they implement this week. Tech support has to deal with LOTS of reset requests since I don't write it down, but they have a different password for every freaking service and every freaking service has a different password lifetime setting.

So aside from work, I really only have 3 passwords or so, but it helps break up the damage should one be compromised. Compartmentalized is probably the best description.

Re:Yup, Probably true

[Captain+Splendid]

See, this is why math is your friend. All I have to remember is a formula. I apply that formula to whatever it is I'm signing into, which produces a different (and alphanumeric) password for every instance. Complex, unique passwords without having to write anything down anywhere.

Re:Yup, Probably true

[c-reus]

so if someone were to figure out that formula, he'd have access to every account you have created?

Re:Yup, Probably true

[happyslayer]

Same basic process, though different criteria for me:

• Junk sites (one-time login for news, quick downloads, register-to-see, tech mailing lists) get the same low-end password. If I can't foresee any information that I care about going to that site, then it gets a basic throwaway. (I also misspell registration details so i have an idea if advertisers are getting that info).
• Slashdot, forums, etc: Also low-grade. Sorry, but if someone gets their rocks off posting crap as me, I can live with it. I've got enough First Life points to keep me busy.
• Personal email: Since I don't trust the email systems that are in the hands of others, I don't put anything on there I care about. (If someone wants to know that I'm asking my prof how to fix some code, more power to them--it'll bore them to tears.) Hence, it gets a medium-grade password.
• Online stores: Medium grade for one-time purchases, high-grade for repeat business.
• Own email system, bank, etc: High grade password, randomized (at least to the rest of the world) that it passes the basic dictionary-attack. For example, I somehow remember old phone numbers and bank accounts from 20 years ago (none of which are in use); add a couple of 1337-speak letters and you're in business.

Like the parent, it's really a matter of compartmentalization and damage control. If you don't own the system, it's not completely trustworthy. If it's your system, it's only modestly trustworthy. If you're doing something criminal/embarassing/stupid, it's better to leave all notes at the bottom of the Marianas trench.

Paranoia

[deathtopaulw]

This password security paranoia drives me crazy. If someone wants your shit, they're going to get it. I'll tell you all right now, I have maybe 3 online handles that pop up everywhere. I use the same basic password for each (adding a 1 to the end on occasion where it's OMG REQUIRED). I'm sure if someone started googling me, they'd find out a lot. I wouldn't even be surprised if they could manage to dig up something years ago where I may have said something to someone and just given my password because they're a friend, or whatever. It's probably there, and it's probably there for you too. Failing that all they'd have to do is find all the places I exist, and try to find the least secure one/impersonate me/whatever.

I've lived this blasphemous insecure lifestyle on the internet for decades now, and have never once had an account compromised. Whether this is because I'm a worthless peon or because password security is bullshit is yet to be determined.

Moral of the story: be insignificant to the point that you're considered below the bad guys. Failing that, stop fucking worrying.

Password Hashing (pwdhash)

[bradgoodman]

Password hashing let's you enter the same password for several sites, but changes it (i.e. hashes it) along with the domain name of different web sites - which means you are actually using a different password for every site

Furthermore, since the passwords are seemingly random characters (not words, or anything sensable) - they are generally quite strong.

"pwdhash" is the foremost system for doing this - there are several browser extensions and other tools for automating it

See: http://cynix.org/tools/superpwdhash

As it turns out....

[Abstrackt]

Apparently 75% of the passwords tested were hunter2.

I have often wondered that...

[damn_registrars]

I wondered how many people would see a registration form that requires an email address and a password, and interpret that to be asking them for their email password. Considering how many people fall for really atrociously bad phishing scams it wouldn't surprise me that a lot of people would give away their email passwords on registration forms either...

Dilbert

[KnightBlade]

When it comes to passwords, this dilbert comic comes to mind- http://dilbert.com/strips/comic/2007-01-17/

The danger of too many password requirements

[Kepesk]

Hah, my worst enemy is a system where a password has to have:
- at least two uppercase letters
- at least two lowercase letters
- at least two numbers
- at least two symbols
- at least 12 characters
- no characters that repeat
- nothing that's in your personal records
- nothing from the dictionary that's over three characters
- nothing from a FOREIGN dictionary that's over three characters
- at least three characters different from your last 10 passwords

No joke, I used a system for years that had those exact password requirements. Worse yet, I had to SUPPORT this system. Sometimes it would take a half hour for me to help someone figure out a new password.

There is a danger in creating a password system with two many requirements, because I know very few people who used that system who didn't have their password on a sticky note on their monitor.

Re:The danger of too many password requirements

Aa1!Bb2@Cc3#

Next passwords:
a1!Bb2@Cc3#A
1!Bb2@Cc3#Aa
!Bb2@Cc3#Aa1
etc.

Or
Bb2@Cc3#Dd4$
Cc3#Dd4$Ee5%
Dd4$Ee5%Ff6^
etc.

Re:The danger of too many password requirements

Yes, that was sort of the whole point. The stricter you make the password requirements the more likely people are to find a completely insecure way to defeat them.

Re:The danger of too many password requirements

[Abstrackt]

I like Bruce Schneier's take on this problem:

"Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."

Re:The danger of too many password requirements

[John+Hasler]

There is a danger in creating a password system with two many requirements, because I know very few people who used that system who didn't have their password on a sticky note on their monitor.

Whereas they should have it in a little address book that they keep with their cash and credit cards. I mean that seriously. Use strong passwords, use a different password for every account, and write them down. Yes. I said that. Write them down. There is no other way to get ordinary people to use multiple strong passwords.

It gets even worse... even different passwords

[rsborg]

... don't necessarily help.

Facebook's founder knows the importance of social media:

Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

So in this case, the victims didn't even have the same password, but accidentally used the email password for Facebook. Combined with a malicious site (which Facebook was for them) this can lead to leaked passwords.

The best solution to this is to use a password manager like 1password, roboform or KeepassX. I find 1password useful because it matches my password with the domain, preventing inadvertent entries. It's also a boon if you are developing with dozens of test and staging sites which change passwords often.

Well lets just...

[Rivalz]

Password protect our bios
Then our Hard drive
Then our Operating System
Then our router
Then our ISP
Then our Email
Then our website
Then our credit / bank cards (pins and codes)

I'm all for it but the thing that bugs me is why cant we write a paragraph for our passwords or at the very least a full sentence.
usually 8-64 characters is the min max range for a acceptable password. But what If I want my password to be the gettysburg address. Or maybe just the lyrics to a song. Why cant we have insanely complex passwords if we want? So until my password can be pi to the 100th digit dont come complaining to me when my passwords are the same for everything.

Re:Well lets just...

[Nadaka]

4#&7YagoR4fathers...

firefox has that hash function

[circletimessquare]

but there's no reason why you can't have your own hash function in your head

take a root password, say "penguin"

say you are creating a password for slashdot

so your password for slashdot is "penguinslashdot"

but for gmail its "penguingmail"

this is an extremely simplistic algorithm. i'm just using it as an example to show you: remember a PASSWORD GENERATING ALGORITHM, not a password. then you have a unique password for every site, but you don't have to remember 500 different passwords

a REAL algorithm could be something like "the first letter of my root password plus the third letter of the website name's ascii character value plus 3 divided by my home phone number as a kid plus the second letter of my root password plus... etc"

or whatever

the actual password used for each site can be quite variable and the algorithm can still be hard to guess even with a hacker who knows three or four such passwords

the point is: you don't need to remember a password, you need to remember a password creating ALGORITHM, in your head, that only you know, which is infinitely more secure, but no harder to remember

You wonder? I know it happens.

[N0Man74]

I've been involved with tech support, and have been asked for help from family and friends. Many non-computer savvy people see these registrations and think that they are *supposed* to use their email address password there. When people (including my mother) have asked me for help to setup for random online accounts where they give their Yahoo email address (for example), they frequently ask, "so I should put my yahoo password in here?"

Even if they realize it's a second password, they will often use the same one anyway, which is often something as simple as their own first name in all lowercase. I told one family member that this was a very bad idea, and that good passwords are a combination of letters and numbers, so she began adding 123 to the end of her passwords...

These people don't realize how some accounts *can* be abused. Sure, many of us take security for things like social media sites less seriously, but don't forget that having an insecure Facebook account opens the door for someone getting access to your account and bombarding everyone you know with things like porn spam, phishing schemes, links to infect people with malware, people posing as you to commit fraud (such as posing as you to ask people for financial assistance for some personal emergency), or social sabotage.

Passwords are a mess, in general. Only a small minority exercise proper password security practices, there are too many sites that require passwords, and even those that of us that want to practice good password security (and realize the importance of it) are burdened with the mess of having 30 different logins and passwords for different sites.

Counterbalance

[SuperKendall]

What if they are gay? ;)

That's why his usernames are all something along the lines of "IAM_NOT_GAY"

It's a sort of psychosexual firewall. Only someone who can embrace being gay and not gay at once may pass.

Or Pat.

Re:Counterbalance

[WillDraven]

So, as a bisexual I am uniquely suited to compromise this persons account.

Its about convenience

[digitallife]

Many people are going on about how they use a password manager or a hasher or some such which supposedly solves this problem of remebering passwords, but all they've really done is substitute one inconvenience for another. The reason people use one password everywhere is *convenience*. They do not want to remember a bunch of different passwords, or worse, forget them! Sure a password manager prevents that when you are at your computer, but now it's almost impossible to login unless you have your computer in front of you, which could be extremely inconvenient under certain circumstances, for example if you need to access an email while visiting family for dinner and didn't bring your laptop, or if you lose your computer.

People who use one password for everything are not going to stop unless a more convenient option arises, which is unlikely to occur. I guess the people who steal passwords will always have a job!