Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Brief Sony Password Analysis

Posted by CmdrTaco on from the change-it-now-people dept.

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."

11 of 276 comments (clear)

  1. Re:Is Sony now in the banking business? by j00r0m4nc3r · · Score: 3, Insightful

    I guess credit card data is not important to protect

  2. not surprising by Anonymous Coward · · Score: 2, Insightful

    it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

  3. lowercase by Njovich · · Score: 5, Insightful

    '82% of passwords are lowercase alphanumeric of 9 characters or less.'

    So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

    1. Re:lowercase by Rich0 · · Score: 3, Insightful

      In a way I agree with you, but lets just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then give 52^n combinations.

      The parent's point was that this isn't actually correct. That is only true if ANY or ALL of those characters could be upper case. Well, they could be, but most likely they aren't. Instead it is probably the case that all but one are lower case. So, the number of possibilities isn't 52^n, but rather n*26^n. That is barely larger than 26^n.

      Require 8 characters, of which at least one is upper case and one is a number? Ok, users will go with the minimums on both, so you start with 6 lowercase and 1 uppercase letters, which is 7*26^7. Then you throw in a digit. That could go in 8 positions, and could be any of 10 characters, so multiply that number by 80. If you just check a "1" in the last character position then you don't increase the number of combinations at all and you'll probably nail 80% of the passwords anyway.

      If I lose my car keys then a true brute force search would have to cover the entire volume of c * the elapsed time since I last saw them. However, I wouldn't start by searching the moons of Jupiter - the kitchen counter is far more likely to yield dividends.

  4. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 5, Insightful

    This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.

    It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.

  5. Password Requirements Are Inconsistent by Anonymous Coward · · Score: 4, Insightful

    The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.

    1. Re:Password Requirements Are Inconsistent by tompaulco · · Score: 3, Insightful

      Mod parent up. Nevermind different sites, we have different password requirements on different systems WITHIN MY OWN COMPANY. Our expense reporting system, bug tracking system, OS login, and intranet login all have different and incompatible password requirements, and some of these also expire, requiring you think of a NEW one that fits the format. So within my own company I have to remember 5 different passwords (plus the other system passwords, some of which I also need to know to perform my job). Then externally, I probably have 30 to 40 sites that I have accounts on that I use on a regular basis. Some of these not only have crazy password requirements, but some have non-choosable usernames, like a number or a name that they assign you. Sometimes they assign you a password as well and won't let you change it.
      So it comes down to sticky notes, or a trusted source to keep all your passwords. I have chosen the latter. I have a password file that I keep on my own domain. However, even that is not foolproof, because I don't host the sever myself, so somebody at the host, or somebody that compromised the host could get in and look at that file (I have permissions set to keep the casual viewer out, but these people would obviously have admin permission). I still have security through obscurity, as they would have to recognize the file for what it was, while wading through thousands of uninteresting files, and then figure out what user and password goes with what site, which is somewhat cryptic, but recognizable by me.
      As an aside, why does talking about my file which is hosted on a unix based system make me want to use vi editor keys when typing into slashdot?

      --
      If you are not allowed to question your government then the government has answered your question.
  6. Re:As someone who probably fell into some of those by Aladrin · · Score: 5, Insightful

    For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  7. Bad passwords are not always the user's fault. by mcmonkey · · Score: 4, Insightful

    The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.

    With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

    So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.

    Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

    1. Re:Bad passwords are not always the user's fault. by KMitchell · · Score: 5, Insightful

      Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

      Nothing inherently wrong with writing down passwords. You move from "something you know" to something you have, As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.

  8. Strong Password Necessity? by dmatos · · Score: 3, Insightful

    Here's how I look at it:

    My PSN account is used purely for entertainment. It is not linked to a credit card. I have made one PSN purchase on my credit card. My credit card company offers fraud protection.

    Why should I have a 26-character long UTF-8 password that I'm never going to remember? It's about as useful as having a strong password on the hotmail account I use to sign up to websites. Huge pain in the ass, negligible benefit.

    My banking site, my PayPal account, my Canada Revenue Agency account - these are the places that I bother to use strong passwords. Elsewhere, I don't care that much.

    --

    It may look like I'm doing nothing, but I'm actively waiting for my problems to go away.
    --Scott Adams