Slashdot Mirror

← Back to Stories (view on slashdot.org)

75% Use Same Password For Social Media & Email

Posted by CmdrTaco on from the my-password-is-trustno1 dept.

wiredmikey writes "Over 250,000 user names, email addresses, and passwords used for social networking sites can easily be found online. A study of the data collected showed that 75 percent of social networking username and password samples collected online were identical to those used for email accounts. The password data was gathered from blogs, torrents, online collaboration services and other sources. It was found that 43 percent of the data was leaked from online collaboration tools while 21 percent of data was leaked from blog postings. Meanwhile, torrents and users of other social hubs were responsible for leaking 10 percent and 18 percent of user data respectively...."

19 of 278 comments (clear)

  1. Passwords by geek · · Score: 4, Insightful

    As long as passwords remain the central method of authentication, this will continue.

    1. Re:Passwords by Anonymous Coward · · Score: 5, Funny

      My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

    2. Re:Passwords by Captain+Splendid · · Score: 5, Funny

      Shame this isn't ten years ago. You coulda got some VC funding for that idea.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    3. Re:Passwords by Abstrackt · · Score: 4, Insightful

      My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

      What if they are gay? ;)

      Your comment reminds me of the best password policy I've ever heard: offensive gibberish. If someone's password is suitably embarrassing odds are quite good that they won't share it with anyone.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    4. Re:Passwords by Beardo+the+Bearded · · Score: 4, Funny

      hunter2

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  2. "Leaked"? by Pojut · · Score: 4, Interesting

    So wait...how exactly did they get hold of passwords?

    --
    Living With a Nerd
    1. Re:"Leaked"? by KnightBlade · · Score: 5, Interesting

      While I was studying Info. Sec. at my univ, my professor at the time told the class about this research they had about passwords. They were going around gathering statistics by asking random people questions about their passwords- length, number of special characters, if they used the same passwords, the number of times they changed them and so on. He said what amazed him was that one in every 5-6 people would just tell them their password and ask is that good enough?

    2. Re:"Leaked"? by ConceptJunkie · · Score: 5, Insightful

      It's pretty amazing just how much of the world is based on trust isn't it?

      And it's equally tragic that it can't.

      I don't think it's so much that people automatically trust each other, although that's certainly the case sometimes, it's more like it never occurs to too many people, unfortunately, that what they divulge could cause problems in the wrong hands.

      For many years now, when someone asks me for information, my first thought is not to give the information, but to consider why I don't want to give it to that person. And I don't consider myself particularly paranoid with respect to what I share.

      It gets tiring after awhile. Modern life in the 21st century requires a level of vigilance regarding information that probably never existed outside of the military, national security apparatus, law enforcement or some elements of business before a couple decades ago.

      "Loose lips sink ships" was a common saying during World War II, but nowadays everyone must practice that level of vigilance over their own information all the time merely to be safe from criminals.

      --
      You are in a maze of twisty little passages, all alike.
    3. Re:"Leaked"? by plover · · Score: 4, Informative

      It's not so much about trusting a person. Although that's an exploitable component for social engineers, social engineering is fairly rare, and it doesn't scale well. It's really about the machines in which we place that trust, and how those machines can be hacked. That's the easy part to scale up.

      Hackers (specifically criminal types) operate on statistics. They don't care so much "which" websites they break open, they care about breaking into "some" sites and harvesting what can be found there. They also harvest the easy stuff: cleartext passwords, cleartext account numbers, etc. They won't run a deep password cracker on a million accounts, but they might run a simple /usr/dict/words kind of scan.

      Of course once you've broken a thousand passwords on socialsite.com, you can try correlating those to majorbank.com and amazon.com and all the other potential sources of money. Again, you don't care if 900 out of a thousand fail, because you can still effectively steal from the 100 that remain.

      --
      John
  3. Use Password Hasher by mbuimbui · · Score: 5, Informative

    Use firefox extension's password hasher (http://wijjo.com/PasswordHasher). Then you only need to remember one password but can use it for a variety of sites. If any one site's passwords get leaked, you dont have to go around an update your password for all other sites.

    1. Re:Use Password Hasher by Anonymous Coward · · Score: 5, Insightful

      And if you ever need to sign in from a computer that doesn't have firefox, and that extension, installed.....you are stuck.

  4. Password Hashing (pwdhash) by bradgoodman · · Score: 4, Informative
    Password hashing let's you enter the same password for several sites, but changes it (i.e. hashes it) along with the domain name of different web sites - which means you are actually using a different password for every site

    Furthermore, since the passwords are seemingly random characters (not words, or anything sensable) - they are generally quite strong.

    "pwdhash" is the foremost system for doing this - there are several browser extensions and other tools for automating it

    See: http://cynix.org/tools/superpwdhash

  5. As it turns out.... by Abstrackt · · Score: 4, Funny

    Apparently 75% of the passwords tested were hunter2.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  6. Dilbert by KnightBlade · · Score: 5, Funny

    When it comes to passwords, this dilbert comic comes to mind- http://dilbert.com/strips/comic/2007-01-17/

  7. The danger of too many password requirements by Kepesk · · Score: 5, Insightful

    Hah, my worst enemy is a system where a password has to have:
    - at least two uppercase letters
    - at least two lowercase letters
    - at least two numbers
    - at least two symbols
    - at least 12 characters
    - no characters that repeat
    - nothing that's in your personal records
    - nothing from the dictionary that's over three characters
    - nothing from a FOREIGN dictionary that's over three characters
    - at least three characters different from your last 10 passwords

    No joke, I used a system for years that had those exact password requirements. Worse yet, I had to SUPPORT this system. Sometimes it would take a half hour for me to help someone figure out a new password.

    There is a danger in creating a password system with two many requirements, because I know very few people who used that system who didn't have their password on a sticky note on their monitor.

    --
    Help me fix my brother's injured butt!
  8. It gets even worse... even different passwords by rsborg · · Score: 5, Interesting
    ... don't necessarily help.

    Facebook's founder knows the importance of social media:

    Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

    So in this case, the victims didn't even have the same password, but accidentally used the email password for Facebook. Combined with a malicious site (which Facebook was for them) this can lead to leaked passwords.

    The best solution to this is to use a password manager like 1password, roboform or KeepassX. I find 1password useful because it matches my password with the domain, preventing inadvertent entries. It's also a boon if you are developing with dozens of test and staging sites which change passwords often.

    --
    Make sure everyone's vote counts: Verified Voting
  9. Re:Problem is lack of importance by jim_v2000 · · Score: 4, Insightful

    That's why I use three different passwords. One is for sites I don't care about...like registering for a forum that I only need once. The second is for things that I'd like to be more secure, like forums I visit often, Facebook, my person blog, etc. The third is for critical things like email, online banking, shopping sites like Newegg and Amazon, etc.

    --
    Don't take life so seriously. No one makes it out alive.
  10. Counterbalance by SuperKendall · · Score: 4, Funny

    What if they are gay? ;)

    That's why his usernames are all something along the lines of "IAM_NOT_GAY"

    It's a sort of psychosexual firewall. Only someone who can embrace being gay and not gay at once may pass.

    Or Pat.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:Same password by SQLGuru · · Score: 4, Insightful

    I use a set of passwords for varying levels of trust.

    Highly secure passwords (usually site specific and follow good password rules) for banking, email, computer accounts, etc.
    Medium secure passwords (usually follow good password rules but passwords may be used for more than one site) for trusted shopping sites (i.e. Amazon, etc.)
    Medium-Low secure passwords (may not follow good password rules but still reasonably secure against dictionary attacks) for social media and for one-off shopping sites.
    Low secure passwords (probably only stops low-motivated hackers, passwords re-used at multiple sites) for throw-away registrations and communities that have very little tie to my personal information

    It's really more for convenience than security, but in areas where I need the security, I'll put up with the hassle.