Slashdot Mirror


A Brief Sony Password Analysis

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."

42 of 276 comments

  1. Re:Is Sony now in the banking business? by j00r0m4nc3r · · Score: 3, Insightful

    I guess credit card data is not important to protect

  2. not surprising by Anonymous Coward · · Score: 2, Insightful

    it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

    1. Re:not surprising by WuphonsReach · · Score: 2

      And if you write the pwd down, it will be lost/stolen anyway...

      Do you also leave your wallet, credit-cards or money laying around so that they get lost/stolen all the time?

      Writing the password down is fine, as long as it gets stored in a safe place (safe deposit box, home safe, sealed envelope, even tucked in a wallet). The weakness is not that the password is written down, it's that it is not kept secure against the eyes of others. Like putting it on a sticky note attached to the monitor/keyboard.

      --
      Wolde you bothe eate your cake, and have your cake?
  3. As someone who probably fell into some of those by vawwyakr · · Score: 5, Interesting

    My Sony account only held the minimal information and some of that not correct. The PW I used was my public throw away password that I only use on sites that require me to register when I just need it to use a basic service and not enter anything not already public knowledge. So I'm not going to burn a good PW or spend my time trying to memorize a new one to use for something I really wouldn't care if they cracked and couldn't use the same PW on a site for which I care about it being cracked.

    1. Re:As someone who probably fell into some of those by Aladrin · · Score: 5, Insightful

      For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:As someone who probably fell into some of those by KidPix · · Score: 2

      Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

    3. Re:As someone who probably fell into some of those by aliquis · · Score: 2

      Personally I don't see the horror in "99% of passwords don't contain a single non-alphanumeric character."

      Since then is an 8 character password with non-alphanumerics better than a, say, 50 character password with only alphanumerics?

      Which one is easier to remember:

      &/fhy47F

      or:

      "omg leet slashdot password try to crack this one stupid"

      and which one is safer?

      Also with no password reminder and all these shitty sites which require you to register for no obvious reason or which require it for a reason which matters, who's got time for unique passwords?

      Guess one could make one:

      thisismypassword and then just use it as simple as thisismypasswordSlashdot, at least that would make it unique.

      Or maybe use different e-mail addresses for various seriousness of the account, so then you can have thisismypassword for all but if it's only for junkaccount@gmail.com then people won't crack your forumposts@gmail.com or emailaccount@gmail.com even though they had the same password.

      Anyway I think "rules" for passwords are stupid. There are much better and easier ways to improve safety. Sure 50 characters with an occasional & sign is even better.

    4. Re:As someone who probably fell into some of those by hedwards · · Score: 2

      If you add even a single non-alphanumeric key it means that in order to brute force the password, they don't get to stick with the 26 lower case letters, 26 uppercase letters and 10 digits, they also have to deal with the , ; . ! ? @ and probably even more. And they don't know that's the case until they try every combination of alphanumeric characters that is possible within the given length.

  4. Best password practices by mangu · · Score: 2

    I don't think very long passwords are necessary.

    My own practices:

    No dictionary words, only a string of random letters
    No change, memorize and keep the same password forever

    I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

    1. Re:Best password practices by Anonymous Coward · · Score: 2, Interesting

      I do somewhat of the same. My letters aren't random though. I typically have a phrase that I remember such as:

      jack went to the store to buy some rice.

      That would become jwttstbsr

      Then append a number n (in this example we'll say n = 3)

      Every nth letter in the original sequence becomes uppercase.

      So then we get jwTtsTbsR3

      Finally, append a single letter suffix designating what it's for. C for computer passwords, F for financial, S for social networking, E for email, W for general websites, etc.

      I tend to change which password I'm using every now and then and this lets me keep track of it without having to write anything down (which I'd inevitably have to do for a COMPLETELY random sequence).

    2. Re:Best password practices by Danny+Rathjens · · Score: 2

      I don't know why people think that "leet-ifying" a word makes it a better password. Leetspeak modifications of dictionary words are one of the first variations that password cracking software tries after straight dictionary words.

    3. Re:Best password practices by binkzz · · Score: 2

      I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

      Hey! Would you like to sign up to my site? http://dodgysite.com/ . It has tons of cool stuff. Hope to see you there soon!

      --
      'For we walk by faith, not by sight.' II Corinthians 5:7
  5. Re:Is Sony now in the banking business? by somersault · · Score: 2

    Bah! I don't waste good passwords on trivial things like money!

    --
    which is totally what she said
  6. lowercase by Njovich · · Score: 5, Insightful

    '82% of passwords are lowercase alphanumeric of 9 characters or less.'

    So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

    1. Re:lowercase by chemicaldave · · Score: 2

      The point is that it's easier to guess a password when you know it only has 36 possible characters, as opposed to 62.

    2. Re:lowercase by Kjella · · Score: 2

      Apple23
      aPple23
      apPle23
      appLe23
      applE23

      = about 5 times as difficult. The point is that people don't use combinations like ApPLe23, capitalizing one letter because you must isn't exactly a huge gain. Particularly since most people will capitalize the first, since it's easiest. I do stick to alphanumeric passwords though, everything else always generates so much crap with character sets, keyboard layout etc.

      --
      Live today, because you never know what tomorrow brings
    3. Re:lowercase by Rich0 · · Score: 3, Insightful

      In a way I agree with you, but let's just look at the numbers. A password n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then gives 52^n combinations.

      The parent's point was that this isn't actually correct. That is only true if ANY or ALL of those characters could be upper case. Well, they could be, but most likely they aren't. Instead it is probably the case that all but one are lower case. So, the number of possibilities isn't 52^n, but rather n*26^n. That is barely larger than 26^n.

      Require 8 characters, of which at least one is upper case and one is a number? Ok, users will go with the minimums on both, so you start with 6 lowercase and 1 uppercase letters, which is 7*26^7. Then you throw in a digit. That could go in 8 positions, and could be any of 10 characters, so multiply that number by 80. If you just check a "1" in the last character position then you don't increase the number of combinations at all and you'll probably nail 80% of the passwords anyway.

      If I lose my car keys then a true brute force search would have to cover the entire volume of c * the elapsed time since I last saw them. However, I wouldn't start by searching the moons of Jupiter - the kitchen counter is far more likely to yield dividends.

    4. Re:lowercase by Rich0 · · Score: 2

      Your calculations are way off as you don't know in advance where the one capital letter will be, so you are still stuck with all possibilities.

      If the password is n characters long, then the capital letter could be in one of n positions. So, the number of possibilities is n*26^n. Basically you take each 8-char lowercase password and then you capitalize each of the 8 letters in turn.

      Or you could look at it this way - you have n-1 chars lowercase, which is 26^(n-1). Then you have 26 possible uppercase chars in any of n positions, or 26*n. So, you get 26*n*26^(n-1), which is just another way of saying n*26^n.

      As far as your arguments about making the passwords harder to brute force go, clearly that is just good sense. That doesn't change how the time to brute force scales with n, but just the base time per try, and salting also prevents you from being able to divide the time per password by the number of passwords in the database.
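
The keyspace arithmetic from the two Rich0 comments above, worked through as an added example that is not code from the thread. It assumes a 26-letter English alphabet and 10 decimal digits, and the "policy minimum" functions model the comment's assumption that users supply exactly one uppercase letter and one digit and nothing more.

```python
# Added example: keyspace sizes discussed in the "lowercase" comments.
# Assumes a 26-letter alphabet and 10 decimal digits (not code from the thread).

LOWER = 26   # lowercase letters
UPPER = 26   # uppercase letters
DIGITS = 10  # decimal digits


def all_lower(n: int) -> int:
    """n lowercase letters, every combination: 26^n."""
    return LOWER ** n


def naive_mixed_case(n: int) -> int:
    """The textbook view: every position may be upper or lower: 52^n."""
    return (LOWER + UPPER) ** n


def exactly_one_upper(n: int) -> int:
    """Exactly one uppercase letter somewhere in n letters: n * 26^n."""
    return n * LOWER ** n


def exactly_one_upper_alt(n: int) -> int:
    """The comment's second derivation: 26^(n-1) lowercase strings times
    26 uppercase choices times n positions. Same number as above."""
    return UPPER * n * LOWER ** (n - 1)


def policy_minimum(n: int) -> int:
    """'At least one uppercase and one digit', met with exactly one of each.

    The digit takes one of n positions, the uppercase letter one of the
    n-1 remaining, the rest are lowercase: n * 10 * (n-1) * 26^(n-1).
    For n = 8 this equals the comment's 7 * 26^7 * 80.
    """
    letters = n - 1
    return n * DIGITS * letters * LOWER ** letters


def policy_minimum_trailing_one(n: int) -> int:
    """Same policy, but the guesser assumes the digit is a trailing '1'.

    The digit factor disappears entirely: (n-1) * 26^(n-1).
    """
    letters = n - 1
    return letters * LOWER ** letters


def full_alnum(n: int) -> int:
    """Every position drawn from all 62 alphanumerics: 62^n."""
    return (LOWER + UPPER + DIGITS) ** n


def keyspace_table(n: int) -> dict:
    """All of the above for one length, for side-by-side comparison."""
    return {
        "26^n (all lowercase)": all_lower(n),
        "52^n (naive mixed case)": naive_mixed_case(n),
        "n*26^n (exactly one uppercase)": exactly_one_upper(n),
        "62^n (all alphanumerics)": full_alnum(n),
        "policy minimum, 1 upper + 1 digit": policy_minimum(n),
        "policy minimum, digit is trailing 1": policy_minimum_trailing_one(n),
    }


if __name__ == "__main__":
    # Table for the 8-character case the comment uses.
    for label, size in keyspace_table(8).items():
        print(f"{label:<38} {size:>20,}")
```

For n = 8 the one-uppercase count is exactly 8 times the all-lowercase count, which is the "barely larger than 26^n" point; the trailing-1 assumption shrinks the policy-minimum space by a factor of 80.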

  7. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 5, Insightful

    This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.

    It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.

  8. Password Requirements Are Inconsistent by Anonymous Coward · · Score: 4, Insightful

    The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.

    1. Re:Password Requirements Are Inconsistent by tompaulco · · Score: 3, Insightful

      Mod parent up. Never mind different sites, we have different password requirements on different systems WITHIN MY OWN COMPANY. Our expense reporting system, bug tracking system, OS login, and intranet login all have different and incompatible password requirements, and some of these also expire, requiring you to think of a NEW one that fits the format. So within my own company I have to remember 5 different passwords (plus the other system passwords, some of which I also need to know to perform my job). Then externally, I probably have 30 to 40 sites that I have accounts on that I use on a regular basis. Some of these not only have crazy password requirements, but some have non-choosable usernames, like a number or a name that they assign you. Sometimes they assign you a password as well and won't let you change it.
      So it comes down to sticky notes, or a trusted source to keep all your passwords. I have chosen the latter. I have a password file that I keep on my own domain. However, even that is not foolproof, because I don't host the server myself, so somebody at the host, or somebody that compromised the host could get in and look at that file (I have permissions set to keep the casual viewer out, but these people would obviously have admin permission). I still have security through obscurity, as they would have to recognize the file for what it was, while wading through thousands of uninteresting files, and then figure out what user and password goes with what site, which is somewhat cryptic, but recognizable by me.
      As an aside, why does talking about my file which is hosted on a unix based system make me want to use vi editor keys when typing into slashdot?

      --
      If you are not allowed to question your government then the government has answered your question.
  9. My Best Practices by gregarican · · Score: 3, Interesting

    For my passwords I use the keys one-up-and-to-the-right of the "dictionary style" password I have. For example, for password this would come out as -wee305r, making it harder to brute force. Of course if the passwords are all stored plain text by some incompetents what's the point?!

  10. My password is by Anonymous Coward · · Score: 5, Funny

    '); DROP TABLE Password;

    1. Re:My password is by snookerhog · · Score: 4, Funny

      Bobby, is that you?

  11. What's the point .. by Idimmu+Xul · · Score: 2

    of having 100 alphanumeric+special character long passwords when websites just give up the password lists with the magical words 'sql injection'?

    Unique passwords at least ensure that once a website you frequent is compromised you don't get further screwed over...

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
  12. hunter2 by chemicaldave · · Score: 2

    There must have been a few dozen.

  13. Bad passwords are not always the user's fault. by mcmonkey · · Score: 4, Insightful

    The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.

    With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

    So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.

    Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

    1. Re:Bad passwords are not always the user's fault. by KMitchell · · Score: 5, Insightful

      Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

      Nothing inherently wrong with writing down passwords. You move from "something you know" to something you have, As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.

    2. Re:Bad passwords are not always the user's fault. by Mr_Plattz · · Score: 2

      Agreed!

      I've recently invested time and changed *all* my online passwords. Everything stored inside KeePass with random very strong passwords. Even comparing with the 'core' sites such as Facebook, Twitter, Ebay, Paypal, Gmail --- *ALL* of them have different requirements which I think is unacceptable. Some enforce 14 chars but don't accept alpha-characters while others cap at 20. One big kudos is Facebook was the best and accepted 256 random characters.

      So yes, *we* need to agree on the minimum standard that all passwords can be. I will propose 20 chars, allowing all upper/lowercase alpha-numerics and non-alphanumeric.

      Yes I appreciate security isn't just as simple as allowing 256 random chars, but as the above posters suggested, *WE* (customers) should at least be able to expect a certain level of standards.

    3. Re:Bad passwords are not always the user's fault. by gman003 · · Score: 2, Informative

      I have three different passwords I use for everything. The weakest (8 characters, 2 non-alphanumeric and one uppercase, but I sometimes have to strip the & and @ on things that don't allow it) is used on things where I really don't give a shit if someone hacks it. Want to upload stuff to Imageshack in my name? Who cares? Want to hack my Dropbox? I only use it as free file hosting - everything on it is supposed to be publically-viewed, and I have local copies of all the data. Want my Gawker account? Knock yourself out - I don't even try posting anything there, everyone's too retarded. Hell, some sites email it back to me in plain text.

      The next password (9 characters, 2 non-alpha, one uppercase, non-dictionary word (unless someone added Esperanto to their password dictionary)) is used for things I actually care about. Steam. Slashdot. User-level logins. Email. Stuff I would be able to recover, but which would seriously inconvenience me. If I hear that one of the systems I use it on has been compromised, or even "maybe" compromised, I change them all. I do have this one written down in a few places, but always under lock and key.

      The highest (20 characters, 3 non-alphanumeric, 4 numbers and 6 uppercase, with nothing at all that would appear in any dictionary) is used on things I need actual security on. Root accounts. Bank accounts (or at least I would, if my bank wasn't retarded). And the only place I have this recorded is in one location, which contains only the instructions I used to generate it, which requires knowledge of hexadecimal, early science-fiction, and the arrangement of my keyboard. I consider this one uncrackable - I would be confident setting it as the launch code to a nuclear missile. If I remember, last I checked it would take several years to crack the password - anyone who cracks it will probably have spent more on electricity for their computer than they'd get out of my bank account.

      PS: I know about password management programs. Don't trust them, and I have to use public terminals too often to have passwords I can't remember. I've considered using the postfix system (ie. $kurg^is42 would become $kurg^is42_fb on facebook, $kurg^is42_sd on /., etc), but haven't gotten around to actually doing it yet. Probably should.

      PPS: That's not my actual password. And several of my descriptions were deliberately false, just to maintain security.

    4. Re:Bad passwords are not always the user's fault. by CastrTroy · · Score: 2

      Kind of funny, since they are only using a hash, why not just allow any length of password. The hash will always be the same length, regardless of the length of the password. You could even allow users to upload a file as their password, in order to allow for non-typeable byte values in order to increase entropy. If you stored the files for each website on a TrueCrypt partition that automatically dismounted after a timeout, it would probably be about as secure as using KeePass, and the actual password would be very strong.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  14. Re:Is Sony now in the banking business? by JustOK · · Score: 2

    That's the same as I have for my luggage.

    --
    rewriting history since 2109
  15. Re:And 100%... by Yvan256 · · Score: 2

    Of course they're not salted. They're checking their sodium intake!

  16. Re:Other Common Mistakes by Yvan256 · · Score: 2

    And, most shockingly, over 99% of passwords are not dead locked, leaving them susceptible to infiltration via sonic technology.

    Stop screwing around.

  17. Re:Huh? by Jim+Hall · · Score: 2

    67% of accounts on both Sony and Gawker use the same password.

    Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinality of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

    IIRC, Gawker had their username/password database stolen a year or so ago? I read the "67%" as: for accounts on both Gawker and Sony, where the email address matched up, 67% of the passwords were also the same.

    That is, 2/3 of the people who had accounts on both Gawker and Sony were using the same password, not a different one.
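
The five statistics from the story summary, recomputed over a small constructed data set as an added example (not Troy Hunt's code or data). The cross-site figure is computed the way comment 17 reads the 67%: among accounts whose e-mail address appears in both dumps, the share that use the same password on both sites; matching on e-mail is an assumption about the methodology, and the "common password" list is a tiny stand-in for a real wordlist.

```python
# Added example: recomputing the summary's password statistics on constructed
# sample data. Not the original analysis; the wordlist and accounts are made up.
import string

ALNUM = set(string.ascii_letters + string.digits)
LOWER_ALNUM = set(string.ascii_lowercase + string.digits)

# Constructed stand-in for a real common-password dictionary.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein",
                              "abc123", "monkey", "iloveyou"})

# Constructed sample accounts (e-mail -> plaintext password), one dict per site.
SONY = {
    "a@example.com": "password",
    "b@example.com": "123456",
    "c@example.com": "qwerty",
    "d@example.com": "Tr0ub4dor&3",
    "e@example.com": "sunshine9",
    "f@example.com": "ps3rocks",
    "g@example.com": "jwTtsTbsR3",
    "h@example.com": "kitty",
    "i@example.com": "Summer2010",
    "j@example.com": "m0nkey",
}
GAWKER = {
    "A@example.com": "password",     # same password; e-mail differs only in case
    "b@example.com": "123456",
    "c@example.com": "qwerty1",
    "d@example.com": "Tr0ub4dor&3",
    "h@example.com": "kitty2",
    "z@example.com": "unrelated",    # no matching Sony account
}


def is_common(pw: str) -> bool:
    return pw.lower() in COMMON_PASSWORDS


def is_short(pw: str) -> bool:
    return len(pw) <= 7


def is_lower_alnum_le9(pw: str) -> bool:
    return len(pw) <= 9 and all(c in LOWER_ALNUM for c in pw)


def has_no_special(pw: str) -> bool:
    return all(c in ALNUM for c in pw)


def pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def normalize(accounts: dict) -> dict:
    """Key by lowercased, stripped e-mail so 'A@x' and 'a@x' are one account."""
    return {email.strip().lower(): pw for email, pw in accounts.items()}


def reuse_rate(site_a: dict, site_b: dict) -> tuple:
    """(percentage of overlapping accounts with identical passwords, overlap size)."""
    a, b = normalize(site_a), normalize(site_b)
    shared = a.keys() & b.keys()
    same = sum(1 for email in shared if a[email] == b[email])
    return pct(same, len(shared)), len(shared)


def summarize(site: dict, other: dict) -> dict:
    """The five summary statistics for `site`, reuse measured against `other`."""
    pws = list(site.values())
    n = len(pws)
    reused, _ = reuse_rate(site, other)
    return {
        "common": pct(sum(map(is_common, pws)), n),
        "short": pct(sum(map(is_short, pws)), n),
        "reused": reused,
        "lower_alnum_le9": pct(sum(map(is_lower_alnum_le9, pws)), n),
        "no_special": pct(sum(map(has_no_special, pws)), n),
    }


if __name__ == "__main__":
    for name, value in summarize(SONY, GAWKER).items():
        print(f"{name:<16} {value:5.1f}%")
```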

  18. Strong Password Necessity? by dmatos · · Score: 3, Insightful

    Here's how I look at it:

    My PSN account is used purely for entertainment. It is not linked to a credit card. I have made one PSN purchase on my credit card. My credit card company offers fraud protection.

    Why should I have a 26-character long UTF-8 password that I'm never going to remember? It's about as useful as having a strong password on the hotmail account I use to sign up to websites. Huge pain in the ass, negligible benefit.

    My banking site, my PayPal account, my Canada Revenue Agency account - these are the places that I bother to use strong passwords. Elsewhere, I don't care that much.

    --
    It may look like I'm doing nothing, but I'm actively waiting for my problems to go away.
    --Scott Adams
  19. Re:Is Sony now in the banking business? by Lumpy · · Score: 2

    Only a fool gives their credit card to everything.

    My Xbox Live account is a simple password, and I'm not dumb enough to give them my credit card. I use their prepaid cards to keep their fingers out of my finances.

    --
    Do not look at laser with remaining good eye.
  20. Here's the Thing by wbav · · Score: 2

    Sit down and think of the number of sites/services/etc. that you access each week.

    Pretend for a second your browser doesn't remember a single one of them.

    I came up with 34 different sites. 34 different systems with their own rules, regulations and security questions. Some sites only allow alphanumeric, some require the alphabet to be limited to what shows up on a touch tone phone. Others require passwords to change every 30 days with no repeats for the last 5 passwords.

    At 9 characters apiece, that would be a string of 306 characters. Hell, I'm lucky if I remember my wife's birthday and our anniversary. And those are much more important to me than my slashdot password.

    My point is, the current system is BS. Too many sites require logins so they can advertise to you. I don't want your ads, they go directly into the trash. I'd advocate for a single ID across these systems, but the issue is if that's violated everything goes to hell just as fast as if you had the same password for each site. So what to do? Reuse a password that is reasonably secure and risk it across multiple sites? Or do I follow perfect security and ensure no one can get in, including me?

    And don't get me started on security questions. If I can't remember the damn password, what hope do I have to remember the question I used?

    --
    =================
    Unix is very user friendly, it's just picky about who its friends are.
  21. Re:Is Sony now in the banking business? by Anubis+IV · · Score: 2

    Exactly. I use 1Password to generate and store all of my passwords, and apparently I fell into the 1% that used a non-alphanumeric character in their password. Mine was a 16-character password that mixed caps, numbers, and symbols, and it was unique to PSN, so I've had pretty decent peace of mind when it comes to my password.

    Unfortunately, I lacked the forethought to not keep my credit card information on file with them. :/

  22. Re:Is *$#~! allowed? by BrokenHalo · · Score: 2

    It doesn't help when some sites don't even allow non-alphanumeric passwords.

    Indeed, and by far the worst culprits I have found for such asinine limitations are banks. I have come across many that impose arbitrarily small password lengths and refuse all non-alphanumeric characters.

  23. Re:Is *$#~! allowed? by Captain+Centropyge · · Score: 2

    Exactly! You'd think a bank would want the most-secure passwords a user can come up with. Why would you ever disallow special characters? And, unlike the other poster who replied, these aren't French banks. They're local American banks. I don't get it...

    --
    Bite my shiny metal ass!
  24. Re:Is Sony now in the banking business? by hedwards · · Score: 2

    I've found using non-alphanumeric characters in password fields to be problematic. The main reason being that a lot of sites won't let you use them and that it gets to be a real pain in the ass to fill them in at times. On top of which a lot of companies fail miserably at validating the password fields when they're being entered initially.

    In other words, if companies weren't so incompetent when it comes to passwords then we could insist that users enter stronger passwords; as it stands now, if you go for really strong passwords, you're just asking for trouble.