Slashdot Mirror


What LulzSec Logins Reveal About Bookworms, and Passwords

Barence writes "Today the hacking group LulzSec posted 62,000 hacked email usernames and passwords online. PC Pro's Darien Graham-Smith has analysed the passwords stolen — which are believed to have come from a website for writers — and found some interesting patterns. Aside from 'password' and obvious numerical patterns (i.e. '12345') the most common passwords share a literary theme: 'romance,' 'mystery,' 'shadow' and 'bookworm' are all commonly used passwords. 'Clearly, this is a back-of-an-envelope breakdown of a mixed mass of unverified data,' said Graham-Smith. 'But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.'"

136 comments

  1. Are you sure? by DanTheStone · · Score: 4, Insightful

    Perhaps these are their passwords for every site, and this site just over-represents people interested in books and writing. I certainly don't use custom passwords based on the type of site.

    1. Re:Are you sure? by RedACE7500 · · Score: 1

      You re-use the same password for multiple sites? Good to know. How would you like to register for a free account on my site?

    2. Re:Are you sure? by Stewie241 · · Score: 1

      You must be on a netbook. You seem to have missed the last six words of his post.

    3. Re:Are you sure? by rap_dot_com · · Score: 1

      I doubt those 30 people using the password "writerspace" for writerspace.com use the same password for facebook or their email.

      And just because you don't use a custom password based on the type of site doesn't mean that others don't. I've heard of people who have a base key that they use for their passwords - say "Camaro" for simplicity's sake. Then, for slashdot their password may be "Camslasharo" and for facebook "Camfacebookaro" "Camgmailaro" etc.

    4. Re:Are you sure? by slackzilly · · Score: 1

      Me neither. If it is true, however, the majority of the passwords used here would be "slashdot", "newsfornerds", "linux", "micro$oftsuckz" or "applefanboi".

      --
      - "If one man can create that much hate, you can only imagine how much love we as a togetherness can create."
    5. Re:Are you sure? by enderjsv · · Score: 1

      I thought about doing a mix. Like, I have a series of numbers, symbols and letters that I've memorized. It's a very secure password, and I like using it because I can remember it.

      But of course, using the same password on every site isn't good practice, so I've made various little changes to the series. Only problem is, it gets hard to remember what series fits what site. So I thought of using the same series for every site, and then simply attaching the first and last alphanumeric character of the website address to the password. That way I'll have a secure password on every site that is easy to remember wherever I use it.

    6. Re:Are you sure? by _Sprocket_ · · Score: 1

      My password is "thatsmyluggagecombination". It's much better than the old standby "wordpassesyou".

    7. Re:Are you sure? by citylivin · · Score: 1

      What's wrong with the same throwaway password for multiple sites? Personally I usually make new usernames for different sites as well, but does it really matter if you didn't? The best someone could do is get your email address, which, assumingly, you haven't used a "throw away password" for. Or spam some forum account that, by definition of it being "throw away worthy", you do not care about?

      Otherwise you would have hundreds of unique password and username combinations that you would obviously need to write down. I would argue that is less secure.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    8. Re:Are you sure? by mwvdlee · · Score: 4, Funny

      My generic password is "iwillnevertellyou".
      They'll never figure that one out, not even if they try to beat it out of me.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    9. Re:Are you sure? by slackzilly · · Score: 1

      Write that in leet speak and then replace all 4's with @
      :)

      --
      - "If one man can create that much hate, you can only imagine how much love we as a togetherness can create."
    10. Re:Are you sure? by Eponymous+Coward · · Score: 1

      Why not just use LastPass or one of the bookmarklets that make a hash from a master password and the site url?

    11. Re:Are you sure? by SilentStaid · · Score: 1

      Very true, though I must admit I'm a very staunch supporter of different passwords for different sites, and the easiest way that I've personally found to do that is to theme them accordingly. For example my WoW password is usually some variation of #W4rCrfT#112 or my credit card is something like $5M0ni35s$$!... it just makes it easier.

    12. Re:Are you sure? by Dunbal · · Score: 1

      I doubt those 30 people using the password "writerspace" for writerspace.com use the same password for facebook or their email.

      No you're right, they probably use "facebook" for facebook, and "hotmail" for hotmail. The whole point is that once you identify a user name that uses this type of weak password, you go from astronomical odds of being able to crack to a few dozen possibilities.

      And just because you don't use a custom password based on the type of site doesn't mean that others don't. I've heard of people who have a base key that they use for their passwords - say "Camaro" for simplicity's sake. Then, for slashdot their password may be "Camslasharo" and for facebook "Camfacebookaro" "Camgmailaro" etc.

      Doesn't matter. A "key generation algorithm" simple enough for a person to remember or work out logically is simple enough to guess at - at least far simpler than the number of combinations possible with a truly random password. The point is that if you have identified that person as an algorithm user it will only take a few attempts at brute-forcing the algorithm. What's more, once you've proven that they are consistent and follow a pattern across online services, you suddenly have access to all their online data.

      --
      Seven puppies were harmed during the making of this post.
    13. Re:Are you sure? by bhcompy · · Score: 1

      Exactly. Someone hacks my Slashdot password, maybe gets access to a few other worthless sites, nothing of value was lost. Someone posts impersonating me? Oh noes. Having a worthless password for worthless sites is not a problem. It doesn't make you any closer to having the login credentials for my bank, the online stores I use, and other sources that would have actual personal information.

    14. Re:Are you sure? by Anonymous Coward · · Score: 0

      I have a throw away password that i use for multiple sites:
      b 'OR''='

    15. Re:Are you sure? by enderjsv · · Score: 1

      Because it's easier just to have the password in my head. Yup, I'm that lazy

    16. Re:Are you sure? by artor3 · · Score: 1

      I once changed a friend's BIOS password to 'idunno'. I tried telling him, but he just got increasingly aggravated.

    17. Re:Are you sure? by NatasRevol · · Score: 1

      Well, see pictures from the riots in Vancouver last night.

      Now imagine someone impersonating you. And posting your info. So that the cops can arrest you. As is happening right now in Vancouver.

      You may not be guilty, but that doesn't mean your life won't be hell for a while.

      --
      There are two types of people in the world: Those who crave closure
    18. Re:Are you sure? by bhcompy · · Score: 1

      And they'll also see me at the baseball field coaching my son's little league team in front of 50 witnesses. And that I was at work 2 hours earlier and it takes more than 2 hours to get to Vancouver from my location. etc

      I'm honestly not worried one iota about that type of scenario. Framing someone doesn't just happen on the internet. There are a million reasons why it rarely works, and the internet provides better tracking to prove your whereabouts than analog life.

    19. Re:Are you sure? by Anonymous Coward · · Score: 0

      Ultimate password even brute force attacks take forever to figure out.

      Z-9_z-9_Z-9

    20. Re:Are you sure? by rap_dot_com · · Score: 1

      I never said that it was effective, I was just saying that it is a method that I am aware of that is a semi-common practice among people.

    21. Re:Are you sure? by gnick · · Score: 1

      So I thought of using the same series for every site, and then simply attaching the first and last alphanumeric character of the website address to the password. That way I'll have a secure password on every site that is easy to remember wherever I use it.

      That's what I do, except to be more secure I use the first and last 3 alphanumerics from each site. Conveniently, several of my passwords are identical: "wwwpasswordcom".

      --
      He's getting rather old, but he's a good mouse.
    22. Re:Are you sure? by Coren22 · · Score: 1

      Who's on first?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    23. Re:Are you sure? by Hylandr · · Score: 1

      Because people that reuse their passwords do so for paypal, ebay, their bank etc.

      And if you get arrested in America on any of these charges expect to sit in jail for a few years before the committee gets to you. If you get that lucky.

      - Dan.
       

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    24. Re:Are you sure? by bhcompy · · Score: 1

      The first was already answered and the second is a bunch of bullshit for the majority of cases.

    25. Re:Are you sure? by Hylandr · · Score: 1
      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    26. Re:Are you sure? by hairyfeet · · Score: 1

      That is why I tell my customers to have a "bullshit" email address and password for sites they really don't give a crap about. Every damned site nowadays wants details to let you do anything, so I tell them to have a spam dump email (I personally use my Gmail as their excellent spam filters mean if someone actually sends me something worth reading to my spam dump I still see it) and a BS password they only use for crap sites.

      Seriously, who cares if they get the bullshit info, or spam some spam dump email address? Join the crowd, have fun. If someone manages to "hack" some forum I occasionally BS on when I'm bored? Nothing of value was lost. Cooking up complex passwords to guard worthless crap is like putting laser tripwire alarm systems up to guard my garbage can. You want my old packing material and empty milk jugs? Help thyself, try not to make a mess.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    27. Re:Are you sure? by hairyfeet · · Score: 1

      You'll probably laugh at what i tell my customers when they need a really tough password for important sites: flip over your keyboard or look behind your monitor. The serial numbers on plenty of everyday devices around your house make for some pretty tough passwords that aren't tied to anything personally about you like in TFA, and these devices will be with them for years if not forever.

      I personally like the serial numbers on my musical equipment since I never get rid of my basses and if I ever forget it's as easy as popping open the case. Makes for an easy source of large passwords with letters/numbers/upper/lower without being something obvious. I'd personally rather they do that than what sadly I've found way too many people use, which is their SS number.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    28. Re:Are you sure? by Anonymous Coward · · Score: 0

      I like my system. I have a somewhat unique word that is about 8 characters long. I mix that with the domain name of the site I am visiting in the format of an email address (which we all seem to be able to remember).

      So for example: breadloaf@slashdot.com

      A 22 character password that is easy to remember and is reusable with variations.

      Or breadloaf@newyorktimes.com (26) or breadloaf@propublica.org (24)

      In passwords size matters :)

    29. Re:Are you sure? by chaos.squirrel · · Score: 1

      I like my system. I have a somewhat unique word that is about 8 characters long. I mix that with the domain name of the site I am visiting in the format of an email address (which we all seem to be able to remember).

      The only problem with this is that it is still mostly useless if someone gets one of your passwords.

      For example if newyorktimes.com gets hacked and the login info is published, then it's not a massive intellectual effort to figure out the scheme that you are using and applying it to any other sites that you may be on.

      In passwords size matters :)

      Only if you're just brute forcing.
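      The point Dunbal and chaos.squirrel make above, that a site-derived password "algorithm" is recovered from a single leaked credential, is easy to demonstrate. The following is an added example written for this page, not code from any poster: it takes one constructed (site, password) pair per user, looks for the ways a personal scheme usually embeds the site (whole domain, the site name, first-and-last or first-three/last-three letters, all assumptions of this example), and produces the one password to try at another site. Sample credentials are constructed, not from the LulzSec dump.

```python
"""Added example: reconstructing a per-site password scheme from a single
leaked credential, then predicting the same user's password elsewhere.
Sample credentials are constructed, not real data."""


def _name(domain):
    # second-level label: "newyorktimes.com" -> "newyorktimes"
    return domain.split(".")[0]


# Ways a "personal algorithm" typically embeds the site. Hypothetical rule set;
# an attacker would keep a longer list learned from earlier dumps.
TOKEN_RULES = {
    "domain":      lambda d: d,
    "name":        _name,
    "first3last3": lambda d: _name(d)[:3] + _name(d)[-3:],
    "firstlast":   lambda d: _name(d)[0] + _name(d)[-1],
}


def infer_scheme(site, password):
    """Locate the site-derived substring inside one leaked password.

    Returns (rule_name, prefix, suffix), or None when the password does not
    visibly embed the site. Longer tokens are tried first so "domain" wins
    over "name"; two-character tokens only count at the start or end of the
    password, to avoid spurious matches."""
    pw = password.lower()
    rules = sorted(TOKEN_RULES.items(), key=lambda kv: -len(kv[1](site)))
    for rule, fn in rules:
        tok = fn(site).lower()
        if tok not in pw:
            continue
        i = pw.index(tok)
        at_edge = pw.startswith(tok) or pw.endswith(tok)
        if len(tok) < 3 and not at_edge:
            continue
        return rule, password[:i], password[i + len(tok):]
    return None


def predict(scheme, new_site):
    """Apply a recovered scheme to another site."""
    rule, prefix, suffix = scheme
    return prefix + TOKEN_RULES[rule](new_site) + suffix


# Constructed leak: one (user, site, password) triple per user.
SAMPLE_LEAK = [
    ("alice", "newyorktimes.com", "breadloaf@newyorktimes.com"),  # the "e-mail address" scheme
    ("bob",   "facebook.com",     "Camfacebookaro"),              # base word split around the site
    ("carol", "writerspace.com",  "Tq7#Lm!we"),                   # secret + first/last letter of site
    ("dave",  "writerspace.com",  "correcthorse"),                # no site material: nothing to infer
]


def guesses_for(leak, target_site):
    """For every leaked user whose scheme is recoverable, the single candidate
    to try at target_site: the "few attempts" instead of brute force."""
    out = {}
    for user, site, pw in leak:
        scheme = infer_scheme(site, pw)
        if scheme:
            out[user] = predict(scheme, target_site)
    return out


if __name__ == "__main__":
    for user, guess in guesses_for(SAMPLE_LEAK, "slashdot.org").items():
        print(f"{user}: try {guess!r}")
```

      Three of the four constructed users yield exactly one candidate for slashdot.org; only the user with no site material in the password gets nothing, which is the whole argument for unrelated passwords per site.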

    30. Re:Are you sure? by Anonymous Coward · · Score: 0

      > Someone posts impersonating me? Oh noes.

      Right. Especially when "YOU" mentioned things like blowing up stuff or sniping away the Prez when he comes to YOUR town in 6 weeks....

      I have a feeling, you won't worry about your Little League stuff while the USSS questions you about the posts "YOU" made.

    31. Re:Are you sure? by rohan972 · · Score: 1

      My local video store started requiring a password to rent movies. I tell them "Idontwantapasswordtorentmovies".

    32. Re:Are you sure? by NatasRevol · · Score: 1

      You should be worried. The wheels of justice move slowly. Who knows when the cops will get those pictures of you at the game/work/else where?

      Now imagine that the pictures are of your son - aged 15. You're not always sure where he is. It's not documented. But someone posted a pic of him saying he was in Vancouver, participating in the riot.

      Again, he may not be guilty, but that doesn't mean his and your lives won't be miserable for a while.

      --
      There are two types of people in the world: Those who crave closure
    33. Re:Are you sure? by Anonymous Coward · · Score: 0

      What does a yellow light mean?

    34. Re:Are you sure? by CapnStank · · Score: 1

      I think this is a *whoosh* moment.... but I can't quite tell.

    35. Re:Are you sure? by Anonymous Coward · · Score: 0

      You bring up a good point. But I have a question that I hope someone with more of a clue can help me out with. Tonight I fell to the FUD. I changed all my passwords. (I can't remember every site that I've ever signed up to, so I started with the big ones, and as I log into other services I'll change them too.) While thumbing through my RSS feeds, I came across a link to Google's Authenticator. While I love the idea, I don't always have my phone with me... so no dice. However, the article I was reading talked about 1password.com. Then you pointed out LastPass. I hear about keyring for Apple. My issue is... if I have the password stored locally on the machine... what about logging in from a friend's machine? To keep my passwords mobile, the keyring(?) would need to be in the cloud. Wouldn't that be the best starter location for a hacker? I mean one hit results in thousands of users, each with a list of hosts/user/pass?

      What protects those users? How are those not MORE vulnerable than the one password I use, with a domain name based tweak? I'm literally clueless... and while I'm sure there are a bunch of you out there laughing at my ignorance... if you'll pass me a link or two to help me understand better, I would VERY much appreciate it.

    36. Re:Are you sure? by txmcse · · Score: 1

      I'm not sure what you are asking. Can someone help me help this poor chap?

    37. Re:Are you sure? by Anonymous Coward · · Score: 0

      I was trying to log in to a clients PC once and had tried a number of passwords without luck. Out of frustration I wrote "justfuckingletmein"... and it worked. The shock took a minute or two to wear off.

    38. Re:Are you sure? by Eponymous+Coward · · Score: 1

      Because the passwords stored in the cloud are encrypted, they aren't in the clear. A service like LastPass cannot send you your plaintext password. All they have is the encrypted version. If they are hacked, all the hacker will get is a bunch of random looking data.

      The downside is that if you lose your master password, you are screwed.

      The upside is that the passwords that LastPass generates are very strong. Much stronger than what people typically use (like "pa55word"). And because you don't have to remember the password, there's no reason to reuse one password among sites.

      This interview with one of the LastPass guys lays it out fairly well:
      http://www.techrepublic.com/blog/security/lastpass-is-it-the-password-manager-for-you/3291
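      The design Eponymous+Coward describes, where the service holds only ciphertext and cannot produce a plaintext password, comes down to key derivation on the client. The block below is an added example written for this page, not LastPass's code or anything from the linked interview: the client derives the vault key from the master password and e-mail, sends the server only a further-derived login token, and uploads an encrypted blob. The iteration count, the hypothetical server class and the HMAC-SHA256 counter-mode cipher (a stand-in for AES-GCM so the example runs on the standard library) are this example's own choices.

```python
"""Added example (not LastPass code): the client/server split that lets a
cloud password manager hold only ciphertext. The server never sees the master
password or the vault key; it stores a hashed login token and an opaque blob."""
import hashlib
import hmac
import json
import os

KDF_ROUNDS = 100_000  # assumption; production managers use this order or a memory-hard KDF


def vault_key(master_password: str, email: str) -> bytes:
    """Client side only. The e-mail acts as salt, so two users with the same
    master password get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ROUNDS)


def login_token(vkey: bytes, master_password: str) -> bytes:
    """What the client sends to authenticate: one more PBKDF2 round over the
    vault key. Getting vkey back from it means inverting PBKDF2, so a server
    compromise does not hand over the decryption key."""
    return hashlib.pbkdf2_hmac("sha256", vkey, master_password.encode(), 1)


def _subkeys(vkey):
    # separate keys for encryption and authentication
    return (hmac.new(vkey, b"enc", "sha256").digest(),
            hmac.new(vkey, b"mac", "sha256").digest())


def _keystream(ek, nonce, n):
    blocks = (hmac.new(ek, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(vkey: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. HMAC-SHA256 in counter mode stands in for AES-GCM so
    this runs on the standard library; use a real AEAD in production."""
    ek, mk = _subkeys(vkey)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(vkey: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(vkey)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, "sha256").digest()):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


class VaultServer:
    """Hypothetical server: it only ever handles login tokens and ciphertext."""

    def __init__(self):
        self.users = {}

    def register(self, email, token, blob):
        # Hash the token again with a server-side salt, so a stolen database
        # cannot simply be replayed as a login.
        salt = os.urandom(16)
        self.users[email] = (salt, hashlib.pbkdf2_hmac("sha256", token, salt, KDF_ROUNDS), blob)

    def fetch(self, email, token):
        salt, stored, blob = self.users[email]
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", token, salt, KDF_ROUNDS)):
            raise PermissionError("bad master password")
        return blob


def client_register(server, email, master, vault: dict):
    vk = vault_key(master, email)
    server.register(email, login_token(vk, master), seal(vk, json.dumps(vault).encode()))


def client_fetch(server, email, master) -> dict:
    vk = vault_key(master, email)
    return json.loads(unseal(vk, server.fetch(email, login_token(vk, master))))


if __name__ == "__main__":
    srv = VaultServer()
    client_register(srv, "alice@example.org", "correct horse battery staple",
                    {"slashdot.org": "Wq3!tG9zLp2#mVbX"})
    print(client_fetch(srv, "alice@example.org", "correct horse battery staple"))
```

      The two failure modes in the thread are both visible here: the "if you lose your master password, you are screwed" downside is exactly that nothing on the server can rebuild the vault key, and the "one hit, thousands of users" worry reduces to offline guessing of each master password against a slow KDF, which is why the master password must be the one strong secret the user remembers.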

  2. Hmmm ... by WrongSizeGlass · · Score: 1

    So they discovered a shadowy bookworm romance mystery? I'm guessing one participant was a librarian?

    1. Re:Hmmm ... by Dunbal · · Score: 1

      I'm guessing one participant was a librarian?

      If that was the case, then the password would be "Ook.". Sorry if you're not a Terry Pratchett fan, you just won't get this.

      --
      Seven puppies were harmed during the making of this post.
  3. Plaintext by ebs16 · · Score: 2

    There should be laws created to impose massive fines for sites storing plaintext passwords. There's absolutely no excuse for this. I understand that you can't govern the entire internet, but I would be content with American laws governing American sites. It would be a nice start.

    1. Re:Plaintext by BStroms · · Score: 1

      My site uses a simple substitution cipher. With the characters I allow for a password there's over 80! possible keys. I'm confident my users all use sufficiently random passwords that no one would be able to analyze the cipher based on the data they hacked.

    2. Re:Plaintext by Anonymous Coward · · Score: 0

      Instead of demanding the whole world change to protect your insecure web habits, how about you take the easy solution and just stop using the same password on different sites?

    3. Re:Plaintext by Anonymous Coward · · Score: 0

      Well, on web sites I could care less about compromise, I do re-use simple passwords. I'm not going to memorize hundreds of passwords when security really doesn't matter 95% of the time.

    4. Re:Plaintext by MrEricSir · · Score: 1

      Because that only solves half the problem?

      --
      There's no -1 for "I don't get it."
    5. Re:Plaintext by Anonymous Coward · · Score: 0

      So you want to lock up everyone who has a /usr/dict/words file?

      Please tell me that you don't vote or breed.

    6. Re:Plaintext by Dunbal · · Score: 1

      Until someone posts something very incriminating using your account on one of these sites and has the police knocking at your door. For the lulz, of course. Prove your innocence.

      --
      Seven puppies were harmed during the making of this post.
    7. Re:Plaintext by Anonymous Coward · · Score: 0

      Hashing passwords on the sites is only a partial solution. The hackers could modify the Slashdot login code to log the username+password combo; if you log in before this is discovered, they get your password and can use it to get into your bank account or whatever. However, if you just use different passwords on different sites, hackers may get your Slashdot password but it's worthless to them. How is that "solving half the problem" compared to hashing?

    8. Re:Plaintext by SheeEttin · · Score: 1

      There should be laws created to impose massive fines for sites storing plaintext passwords.

      Be careful what you wish for--if that does happen, you should probably expect a whole lot of ROT13 implementations...

    9. Re:Plaintext by Anonymous Coward · · Score: 0

      Why go through the trouble of devising a cipher, when you could have a cryptographically secure solution in under a minute?

    10. Re:Plaintext by Anonymous Coward · · Score: 0

      You're being way too paranoid. First, I never use my real name, birth date, location etc for sites I couldn't give a crap about. Second, most sites log IP addresses for legal purposes. If someone is posting incriminating things about me through my IP address, I have a whole lot more to worry about than an insecure password at some Podunk web site.

    11. Re:Plaintext by Anonymous Coward · · Score: 0

      And I bet there are enough people using common passwords to work out the cipher through statistical analysis. You want to post your list of passwords and see if anyone can crack it? If you're not that confident then maybe you should try something more secure, like a salted one-way hash.

  4. audit much ? by Anonymous Coward · · Score: 0

    Guess admins should check these passwords against their server and then shake a stick at the users using them.
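      Two things in the Plaintext thread above and in this post are worth seeing in code: BStroms's "80! keys" substitution cipher is broken by exactly the statistical attack the Anonymous Coward describes, because the most common passwords in any dump are already known from earlier dumps; and the "audit much?" check of stored credentials against a leaked list is a routine job once passwords are stored as salted one-way hashes. The block below is an added example written for this page, not code from any poster: it builds a random substitution key, shows a crib attack recovering most of the inverse key from the two most frequent entries, then stores and audits passwords with salted PBKDF2-HMAC-SHA256. All passwords are constructed sample data; the round count is this example's choice.

```python
"""Added example (not from the thread): a substitution cipher over a password
table versus a salted one-way hash, plus the "audit much?" check of stored
hashes against a leaked list. Every password below is constructed sample data."""
import hashlib
import hmac
import os
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_lowercase + string.digits
ROUNDS = 50_000  # kept low so the example runs quickly; production values are higher or use a memory-hard KDF


def make_key():
    """A random monoalphabetic key: one of the 36! permutations of ALPHABET."""
    perm = list(ALPHABET)
    secrets.SystemRandom().shuffle(perm)
    return dict(zip(ALPHABET, perm))


def substitute(pw, key):
    return "".join(key.get(c, c) for c in pw)


def break_substitution(ciphertexts, cribs):
    """Known-plaintext attack. The most frequent ciphertext in a dump is the
    most common password from every other dump, and so on down the list; each
    crib that fits fixes len(crib) letters of the inverse key. Returns the
    partial inverse key (ciphertext char -> plaintext char)."""
    inv = {}
    for (ct, _), pt in zip(Counter(ciphertexts).most_common(len(cribs)), cribs):
        if len(ct) == len(pt):
            inv.update(zip(ct, pt))
    return inv


def partial_decrypt(ct, inv):
    return "".join(inv.get(c, "?") for c in ct)


# What a password column looks like in a dump: the two top cribs dominate.
SAMPLE_PASSWORDS = (["password"] * 30 + ["123456"] * 22 + ["romance"] * 9
                    + ["writerspace"] * 8 + ["mystery"] * 7 + ["bookworm"] * 5
                    + ["xk8gq2pl", "tq7lm9we"])


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256: same password, different salt, unrelated digest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)


def verify(pw, salt, digest):
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS))


def audit_against_leak(user_table, leaked_passwords):
    """Find users whose stored (salt, digest) matches a leaked password. With a
    per-user salt there is no shortcut: every user costs one KDF run per
    candidate, which is the same property that slows an attacker down."""
    hits = []
    for user, (salt, digest) in user_table.items():
        for pw in leaked_passwords:
            if verify(pw, salt, digest):
                hits.append((user, pw))
                break
    return hits


if __name__ == "__main__":
    key = make_key()
    table = [substitute(p, key) for p in SAMPLE_PASSWORDS]
    inv = break_substitution(table, ["password", "123456"])
    for ct in sorted(set(table), key=table.count, reverse=True)[:6]:
        print(ct, "->", partial_decrypt(ct, inv))
```

      With only "password" and "123456" as cribs, thirteen of the 36 symbols are recovered and every other entry is partly readable; the cipher also preserves length and makes password reuse between users visible as identical ciphertext. The salted hash leaks neither.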

  5. oh noez! by torgis · · Score: 5, Interesting

    Easy-to-remember passwords for a site that doesn't matter at all? Color me shocked. When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info. That way if someone does acquire this info (and it has happened multiple times) I don't get burned. For important things like banking and gmail, I have 2-step authentication enabled and use a strong password on top of that. Different on every site of course.

    But for stuff like writers forums, tech support sites, slashdot (haha!) and the like? I don't use and don't care to use a strong password because, well, what's the point? You don't hear about individuals on these sites being hacked because of the insecure passwords they use. No, you hear about the administrators of these sites having their sites hacked and their userlists and passwords stolen. What good does a strong password serve on a site like this when there are gaping security holes in the OS hosting the forums?

    And why, for Xenu's sake, are people still storing passwords in plaintext??

    1. Re:oh noez! by networkBoy · · Score: 1, Funny

      And why, for Xenu's sake, are people still storing passwords in plaintext??

      because their lazy.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:oh noez! by networkBoy · · Score: 2

      damn.
      they're...

      I'll hand in my spelling/grammer pedant card now.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:oh noez! by Anonymous Coward · · Score: 0

      I called my ISP a few years back, because I'd forgotten an email account password. I asked the customer service person if she could reset the password for me.

      She then TOLD me what my password was.

      Is that scary?

    4. Re:oh noez! by Anonymous Coward · · Score: 0

      And whatever card you lose for saying "Xenu" (or any other "god"-like word): That one too, please! ;)

    5. Re:oh noez! by DMUTPeregrine · · Score: 1

      I use "h=6.62606957e-34J*s" as a password in a few places that don't matter (work login at my old job that had to change every month, mainly). It fits the most common security requirements (lower case letter, upper case letter, number, special character), is not terribly common (12345) and is easy to remember; after all, it's Planck's constant. I rotate through universal physical constants for passwords. Of course I don't use it for /., nor do I reuse this username elsewhere. Actually "important" things (e-mail, a few websites, etc) get real passwords stored in KeePass, with a 20-word diceware passpoem. 256 bits of entropy ought to be enough...

      --
      Not a sentence!
    6. Re:oh noez! by artor3 · · Score: 1

      "spelling/grammer"

      I'll assume that was in jest :-P

    7. Re:oh noez! by kcitren · · Score: 2
      It wasn't a spelling error, he just got cut off. I'm sure he meant to say:

      because their lazy asses can't be bothered to learn how to do things the right way.

      http://en.wikipedia.org/wiki/Principle_of_charity/

    8. Re:oh noez! by Tolkien · · Score: 1

      Same happened with me in the 90s with AOL.

      I'll just let that sink in, for laughs.



      AOL.

    9. Re:oh noez! by interkin3tic · · Score: 1

      When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info.

      Bonus points for unimportant sites that don't accept mailinator.com e-mail addresses or won't let you set a weak, easy to remember password.

      Because, you know, if my "I can haz cheezeburger" account gets compromised, western civilization might end.

    10. Re:oh noez! by SETIGuy · · Score: 1

      That's when it's time to change ISPs. Especially if you are paying them with a credit card.

    11. Re:oh noez! by gad_zuki! · · Score: 1

      Actually, the article is a little sensationalist. I just looked at the password file. About 2/3rds of the passwords are decent. Long, not 100% obvious, mix of numbers & characters, etc. I was expecting more of an 80/20 ratio of crap vs decent and I was really surprised. Also kudos to the guy who uses "707294en14.SmMeG"

      That said, I see a pattern of lots of numerical 6 and 7 digit passwords. They don't look like phone or postal codes. I'm guessing that their password reset tool picked 6 or 7 random numbers and people never changed them. Still better than 'password' or 'princess.'
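      The "back-of-an-envelope breakdown" in the summary and gad_zuki!'s eyeballing of the file (share of decent passwords, the run of 6 and 7 digit numbers, the themed words) are the same exercise: count categories and frequencies over the password column. The block below is an added example written for this page, not the PC Pro analysis, and it runs over a constructed sample dump rather than the LulzSec data. The "user:password" line format, the category rules, the site name and the word lists are this example's own assumptions.

```python
"""Added example (not the PC Pro analysis): a category and frequency breakdown
of a password dump, run over constructed sample data."""
import re
from collections import Counter

SITE = "writerspace"
THEME_WORDS = {"romance", "mystery", "shadow", "bookworm", "writer", "novel", "poet"}
COMMON = {"password", "qwerty", "letmein", "welcome", "abc123"}

# Constructed dump, not real data.
SAMPLE_DUMP = """\
u01@example.com:password
u02@example.com:password
u03@example.com:123456
u04@example.com:romance
u05@example.com:mystery
u06@example.com:writerspace
u07@example.com:writerspace
u08@example.com:bookworm
u09@example.com:4821937
u10@example.com:775120
u11@example.com:shadow
u12@example.com:kQ9#vL2mXp
u13@example.com:Tr0ub4dor&3
u14@example.com:correcthorse
u15@example.com:romance
u16@example.com:12345
u17@example.com:Gp7!wz2Lq
u18@example.com:sunshine1
u19@example.com:password
u20@example.com:0912443
"""


def parse_dump(text):
    """user:password lines; split on the first colon so passwords may contain ':'."""
    records = []
    for line in text.splitlines():
        if ":" in line:
            user, pw = line.split(":", 1)
            records.append((user.strip(), pw))
    return records


def classify(pw, site=SITE):
    """One label per password. Order matters: a site-name password is reported
    as such even when it is also a dictionary word."""
    low = pw.lower()
    if pw.isdigit():
        return "all digits, 6-7 long" if 6 <= len(pw) <= 7 else "all digits"
    if site in low:
        return "contains site name"
    if low in THEME_WORDS or low in COMMON:
        return "dictionary/theme word"
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) >= 8 and classes >= 3:
        return "8+ chars, 3+ character classes"
    return "other"


def breakdown(text, top_n=3):
    """Returns (category counts, most common passwords, share of themed words)."""
    records = parse_dump(text)
    pws = [pw for _, pw in records]
    by_class = Counter(classify(pw) for pw in pws)
    themed = sum(pw.lower() in THEME_WORDS for pw in pws)
    return by_class, Counter(pws).most_common(top_n), themed / len(pws)


if __name__ == "__main__":
    by_class, top, themed = breakdown(SAMPLE_DUMP)
    for label, n in by_class.most_common():
        print(f"{n:3d}  {label}")
    print("top:", top, f"themed: {themed:.0%}")
```

      The all-digit 6-7 bucket is the one to look at before drawing conclusions about users: if it is large and the values are not phone numbers or postcodes, a reset tool handing out random digits (as gad_zuki! guesses) is a more likely explanation than people choosing them.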

    12. Re:oh noez! by dadioflex · · Score: 1

      When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info. That way if someone does acquire this info (and it has happened multiple times) I don't get burned.

      And use guerrillamail.com to get a temporary email if you need to hit a verification link.

    13. Re:oh noez! by Anonymous Coward · · Score: 0

      It wasn't a spelling error, he just got cut off. I'm sure he meant to say:

      HE was replying to himself, thanks for playing.

      http://en.wikipedia.org/wiki/Principle_of_charity

      You know you're an asshole, right? Unless you did this on purpose, then I'll at least give you troll cred for creativity.

    14. Re:oh noez! by Anonymous Coward · · Score: 0

      People are still building sites on the assumption they won't ever get hacked. It's tempting to think that if someone breaks into your server, then all bets are off, and your site will be totally trashed, so just cross your fingers and hope it never happens.

      But you can still minimize the damage by establishing layers of security. and one of those layers is NOT storing plain-text passwords, but instead encrypting the password as soon as it arrives from the user. The site then almost never uses, and certainly never stores the plaintext.

      The down-side may be that you can't tell a user what their password is, or send it to them in an email. I say this is a good thing.

      And it's also bad site design to allow plaintext passwords: most of those in the excerpt could be found by a dictionary lookup or simple brute-forcing, and equally could have been rejected by a simple password filter during user registration.

    15. Re:oh noez! by gsslay · · Score: 1

      And why, for Xenu's sake, are people still storing passwords in plaintext??

      Because, as you've already established, for this website they don't matter.

  6. Gay Girl Blogger from Syria? by Jeremiah+Cornelius · · Score: 2

    Do we need to change "her" password? Right now it's "Lezcyclopedia".

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Gay Girl Blogger from Syria? by tukang · · Score: 1

      I hate to admit it but I laughed ... shame on you.

  7. Caution by Anonymous Coward · · Score: 1

    I'd always be wary about all these grand "revealings" about passwords from LulzSec.

    How many usernames/passwords on an innocent blogging site like that are completely throwaway?

      I know that on randomblog.com if I want to make an account on the spot, I'm certainly far more likely to use "asdf123" for a username and "randomblog" as a password than I am a 16 digit alphanumeric/symbol/mixed case password that I will forget in 5 minutes.

    Who cares if your blogspot account gets hijacked? What are they going to do, write angry comments using your throwaway username?

  8. Not wanting to write it down by CLaRGe · · Score: 2

    Many of these passwords are a consequence of a person not wanting to write down their passwords for fear of the written down password being found. Thus, instead of creating an effective, hard to guess (and hard to remember) password, many people simply come up with a password that is easy to remember, but that they hope is so random, or so obvious, that nobody would guess.

    I teach my children, even the little ones, the old trick of coming up with an easy to remember sentence, picking the first letter of each word, and changing one or more characters to a number or symbol. They like the challenge, and create some reasonably tough passwords to guess.

    --
    http://10CentMail.com - the Amazon SES app.
    1. Re:Not wanting to write it down by Anonymous Coward · · Score: 0

      I go one step further with this: first I come up with an easy to remember sentence, then I creatively misspell it (to prevent someone overhearing me accidentally mutter it aloud from being able to deduce initialisms from it), then I take the first letter of each word, replace some of these with numbers that bear no relation to the letter they replace, and replace some letters with "mental blanks", in which I think the word as I enter the password, but don't press a key for it.

      So I start with something easy to remember: "Passwords are so stupid! We always write them down!"

      Creatively misspell it (the key here is to not overdo it, because that's very predictable too): "Passwords are so stupid! We always rite them down."

      Convert to initialisms: "PassWartd"

      Substitute in unassociated digits: "PassW0rtd"

      Substitute in mental blanks: "PassW0rd"

      And the result is a password that is so random, no-one would ever possibly guess it!

  9. Noticed similar pattern by Relic+of+the+Future · · Score: 1
    I saw a similar pattern several years ago when I was emailed a spreadsheet including forum passwords for a role-playing game company. (I was doing volunteer webwork for a regional part of their official fanclub.) The most popular password there (after "password" and "12345"), was "dragon" (even though it wasn't for D&D, although I'm sure many of their customers/fans were also D&D fans (I know I was.))

    And for the record, yes, I told them stop emailing around spreadsheets that included everyone's passwords (this went out to a couple dozen volunteers every few months) but they did it for at least a few years, probably longer.

    --
    Those who fail to understand communication protocols, are doomed to repeat them over port 80.
  10. Passwords? by metageek · · Score: 0

    Why are we still using passwords? They will go away, sooner or later.

    --
    metageek
  11. the algorithmic approach to passwords by circletimessquare · · Score: 1

    i've championed this before, and i don't know why it doesn't get more press

    instead of the same username pword for every site, make your uname/ pword a derivative of the website name or theme, and your own personal salt

    the rules could be as quirky and arcane as you want

    for example:

    username is the first 3 letters of the website, plus your birthyear, plus the cousin whose name sounds most like the website you're visiting

    password is the street you grew up on, minus the last 3 characters and plus the last 3 characters of the website, plus the songtitle from the group you like whose letter starts with the third letter of the website name, rotated 3 characters... blah blah blah

    or whatever

    the point being, you can't remember all your usernames and passwords, but with a quirky enough personal algorithm combining

    1. a characteristic of the website, and
    2. some personal arcane trivia,

    all you have to do is remember your personal algorithm

    and then you can get into every site you've ever visited, not worry about trying to remember anything, and not really worry about being easily tracked or cracked. as long as your personal algorithm is indeed truly quirky and personal enough that even with knowledge of 3 of your username/ passwords from 3 different sites, a potential hacker/ cracker would be utterly mystified as to a pattern

    i really don't know why this idea of remembering just one personal quirky algorithm isn't more widespread

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:the algorithmic approach to passwords by Anonymous Coward · · Score: 0

      My method is easier and produces better results:

      I carry a card in my wallet with a grid of random characters. That's it.

      Then, in my e-mail account, I e-mail myself a list of usernames, along with the coordinates of the start of the password, and the length of the password.

      I perform a small transformation to the password before typing it in (ex: swap characters at position 2 and 5).

      If my wallet is stolen, the thief only has a grid of random characters, and has no idea what it is for. Even if they know it's for passwords, they don't know the grid locations, the user names, or the small transformation.

      It cost around $20 to print out a stack of these cards (business card size). I have them at all my computer desks, and in my wallet.

      I plan on generating a new card every 4 years, and updating passwords using the same coordinates.

    2. Re:the algorithmic approach to passwords by Anonymous Coward · · Score: 0

      username is the first 3 letters of the website, plus your birthyear, plus the cousin whose name sounds most like the website you're visiting

      so in what way does /. spell like circle and which cousin of yours likes sound times square?

      sounds nice in theory, too complicated for most.

    3. Re:the algorithmic approach to passwords by circletimessquare · · Score: 1

      it's really not complicated. it is no more complicated than using the same username/ pword on every site: an algorithm is just a few small simple steps to remember

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    4. Re:the algorithmic approach to passwords by AliasMarlowe · · Score: 1

      Different username+password per site is good, but as you noticed, it's a drag to remember them all and some algorithmic method and shared knowledge are useful. My method for most sites is to use a handful of usernames, based on class of web site (different on slashdot to banking sites, for instance). Each of these sites then gets a password as a hash of a phrase known to me together with part of the site name. For example:
      echo -n "Shivelights and shadowtackle in long lashes lace lance and pair + slasHdoT" | sha256
      The resulting checksum contains the password I'll use for that site. I'll skip the first M characters of the checksum and use the following N characters. An exception is for noncritical sites which I might want to access from machines I don't control, for which I have a handful of memorized passwords of nontrivial complexity.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
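
An added illustration in Python of the derivation described above (not AliasMarlowe's own code): SHA-256 over the phrase joined to a site tag, then a private offset M and length N select the password. The policy check is an assumption that models the kind of site restriction rsborg raises a few replies down; since a hex digest is lowercase letters and digits only, a "must contain an uppercase letter" rule rejects every password this scheme produces.

```python
import hashlib

# Constructed sample phrase, taken from the comment above; in practice the
# phrase, M and N are the user's private parameters.
SECRET_PHRASE = "Shivelights and shadowtackle in long lashes lace lance and pair"
HEX_ALPHABET = set("0123456789abcdef")


def derive_site_password(phrase: str, site_tag: str, skip: int, length: int) -> str:
    """SHA-256 of 'phrase + site_tag' as a 64-character hex string; skip the
    first `skip` characters (M) and return the next `length` (N)."""
    digest = hashlib.sha256(f"{phrase} + {site_tag}".encode("utf-8")).hexdigest()
    if skip < 0 or length <= 0 or skip + length > len(digest):
        raise ValueError("skip/length do not fit inside a 64-character hex digest")
    return digest[skip:skip + length]


def meets_policy(password: str, *, min_len: int = 8, max_len: int = 64,
                 need_upper: bool = False, allowed=None) -> bool:
    """Assumed model of an arbitrary site policy: length bounds, an optional
    uppercase requirement, and an optional permitted alphabet (None = any)."""
    if not (min_len <= len(password) <= max_len):
        return False
    if need_upper and not any(c.isupper() for c in password):
        return False
    if allowed is not None and any(c not in allowed for c in password):
        return False
    return True


if __name__ == "__main__":
    # Same phrase and parameters, two different site tags -> two unrelated passwords.
    for tag in ("slasHdoT", "myBank"):
        pw = derive_site_password(SECRET_PHRASE, tag, 7, 12)
        print(tag, pw,
              "hex-only site:", meets_policy(pw, allowed=HEX_ALPHABET),
              "needs-uppercase site:", meets_policy(pw, need_upper=True))
```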
    5. Re:the algorithmic approach to passwords by rsborg · · Score: 2

      i really don't know why this idea of remembering just one personal quirky algorithm isn't more widespread

      The problem with algorithms is stupid artificial restrictions on credentials by some sites. For example, I can only choose numbers for my "PIN" on my 401k. Or my password must be all lowercase for my public utilities site, or contain no special characters at my bank, or some other hare-brained restriction.

      Same with user names. Often your username must be your email address. Sometimes they don't allow the @ sign. Other times, it's not modifiable and random characters assigned to you (I have at least one brokerage site where this is the case).

      I've tried the algorithm approach, and eventually all the numerous restrictions lead to a completely insecure result from your algorithm, or the algorithm is too complex to store in wetware, resulting in many "forgot my password" delays. Describing and documenting your algorithm is as silly as writing down your master password, so that's going to work.

      Eventually you must keep track of them all and if you're doing so you should definitely encrypt/secure it. Thus the password manager. If you get a good one, typing in credentials will be automated based on site (this also removes phishing attacks) and it will exist on your smartphone/PDA and can be synced by Dropbox and/or memory stick.

      --
      Make sure everyone's vote counts: Verified Voting
    6. Re:the algorithmic approach to passwords by circletimessquare · · Score: 1

      this is a good criticism. you are correct. different policies and standards complicate the algorithm and are discouraging

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    7. Re:the algorithmic approach to passwords by circletimessquare · · Score: 1

      now that's hot

      your average user isn't going to do sha256 hashes though

      but, skipping that step, it's still a workable framework

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  12. "The Pentagon is about to roll out an expanded eff by Anonymous Coward · · Score: 0

    (Reuters) - The Pentagon is about to roll out an expanded effort to safeguard its contractors from hackers and is building a virtual firing range in cyberspace to test new technologies, according to officials familiar with the plans, as a recent wave of cyber attacks boosts concerns about U.S. vulnerability to digital warfare. http://www.reuters.com/article/2011/06/16/us-usa-cybersecurity-idUSTRE75F4YG20110616

    Let's see, government ready to spend billions (more) on "cyber"-security/Internet-surveillance, intelligence agencies and a ton of private companies set to benefit. LulzSec attacks of course part of justification.

  13. check your passwords by iamhassi · · Score: 3, Informative

    Here's a link to the passwords so you can check if your password is on there

    Just search the page for your password. Chrome does a great job of this because it starts highlighting matching passwords as you type it. I just checked my passwords, none of them are on this list.

    --
    my karma will be here long after I'm gone
    1. Re:check your passwords by budgenator · · Score: 1

      Cool, mine aren't on there. A long time ago I was webmaster of poiuyt.com, and I was always amazed at the number of people who used a @poiuyt.com as an email address with qwerty as the password on various sites around the web.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    2. Re:check your passwords by Ihmhi · · Score: 1

      hunter2 isn't on the list, but hunter22 is. Clearly our friend realized he was hacked and upgraded his password strength.

  14. Do you like by Anonymous Coward · · Score: 0

    Fishsticks?

    Well then you're a gay fish

  15. It doesn't follow. by Maltheus · · Score: 1

    Not sure I buy the premise. I went to a nerd college with few women. Back then, before they shadowed PW files, I came across a lot of passwords. The two most common variants I found contained the words 'soccer' or 'jennifer.' Once again, I went to a nerd college with few women.

    1. Re:It doesn't follow. by Dunbal · · Score: 0

      Judging by your spelling and grammar I would assume that either you are a Korean who studied engineering at MIT or something, or a piece of trailer trash that considers community college to be "nerd college".

      --
      Seven puppies were harmed during the making of this post.
    2. Re:It doesn't follow. by kcitren · · Score: 1

      Few women at a nerd college. I'll bet you one of them was named Jennifer, and I'm sure she was very popular.

    3. Re:It doesn't follow. by Anonymous Coward · · Score: 0

      Judging by your response or something, I would assume you are bitter about not going to college and having a chance with the young Jennifers, or are a bitter person that went to college and still didn't have a chance with the young Jennifers.

    4. Re:It doesn't follow. by idontgno · · Score: 1

      Her phone number was 876-5309. She was veeeeery popular, back in the day.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    5. Re:It doesn't follow. by WindBourne · · Score: 1

      Well, she still might be. Of course, she would likely be a MILF, so just google for porn MILF Jenny.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    6. Re:It doesn't follow. by Anonymous Coward · · Score: 0

      you got the number wrong lol

    7. Re:It doesn't follow. by Anonymous Coward · · Score: 0

      Damn, that's why nobody actually got hold of her... the 6 and 7 were transposed in the song!

  16. But of course. by Black Parrot · · Score: 4, Funny

    But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.

    The three most popular Slashdot passwords are 'troll', 'slacker', and 'clown'.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:But of course. by Anonymous Coward · · Score: 0

      The fourth one being 'msastroturfer'

  17. Some of the emails are fakes by daveywest · · Score: 2

    I work for an ISP that is represented in the list of emails and passwords. We determined all the addresses from domains we control are not, nor have they ever been used, on our system. I'm not saying they are all fakes, but all the addresses I'm able to verify are not legit.

    1. Re:Some of the emails are fakes by Anonymous Coward · · Score: 0

      I'm guessing the email addresses and passwords leaked are from 3rd party sites where the user is asked to supply their username as an email address and then a password to go with that. I'm sure there's a good number of people who use the same password to access these 3rd party sites as they do to access their email. If the email addresses themselves have never existed, that could be people submitting false addresses as usernames.

  18. they'll never get mine. by nblender · · Score: 1

    Mine is all '*'s ...

    1. Re:they'll never get mine. by Jumpin' Jon · · Score: 1

      Ironically, there is a password in the file that's "******", on line 795 if my text editor is working correctly. I appreciate you're joking, but it seems gengar@retrohappypeople.com beat you to it!

  19. Mmm, salt. by Tarlus · · Score: 1

    Seriously. Hashing. Does nobody practice this for user account databases?

    --
    /* No Comment */
    1. Re:Mmm, salt. by SETIGuy · · Score: 1

      Anyone writing code that stores passwords using plaintext or reversible hashes should probably take up a career in quilting.

      As should anyone writing code that can't handle every printable ASCII character in a password. Better yet, passwords should allow any string of bytes. Any programmer who limits passwords to alphanumeric is probably writing SQL injection vectors.
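
An added example (not code from the thread) of the storage side these two comments describe: each password kept as a salted, iterated hash, with verification accepting any byte string, quotes and NUL included. PBKDF2-HMAC-SHA256 from Python's standard library and the round count are assumptions standing in for whatever a real site would use; the unsalted function is there only to show what a salt fixes.

```python
import hashlib
import hmac
import os

# Assumed work factor; tune per deployment.
PBKDF2_ROUNDS = 200_000


def unsalted_sha256(password: bytes) -> str:
    """The scheme the 'Mmm, salt' comment objects to: no salt, so every user
    with the same password gets the same hash.  Kept only for comparison."""
    return hashlib.sha256(password).hexdigest()


def shared_password_groups(table: dict) -> list:
    """Given {username: unsalted_hex}, return the groups of users who share a
    hash: exactly what an unsalted dump leaks without cracking anything."""
    by_hash = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def make_record(password: bytes) -> dict:
    """Store a password as (salt, iterated hash).  The input is raw bytes and
    is never filtered, so quotes, NUL and non-ASCII all work."""
    if not isinstance(password, bytes):
        raise TypeError("pass raw bytes; do not strip or restrict characters")
    salt = os.urandom(16)  # fresh per record, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return {"alg": "pbkdf2_sha256", "rounds": PBKDF2_ROUNDS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(password: bytes, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if record.get("alg") != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password,
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: three users, two of whom picked the list's top password.
    users = {"alice": b"123456", "bob": b"123456", "carol": b"bookworm"}
    print(shared_password_groups({u: unsalted_sha256(p) for u, p in users.items()}))
    records = {u: make_record(p) for u, p in users.items()}
    print(records["alice"]["hash"] != records["bob"]["hash"])  # True: salted
    print(verify(b"123456", records["alice"]), verify(b"bookworm", records["alice"]))
```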

  20. Ahem by Tolkien · · Score: 1
    1. Re:Ahem by Hatta · · Score: 1

      Why would you believe the WHOIS data?

      --
      Give me Classic Slashdot or give me death!
    2. Re:Ahem by Tolkien · · Score: 1

      Good point, but also, why not?

    3. Re:Ahem by Anonymous Coward · · Score: 1

      Adrian Lamo was the guy who turned in Bradley Manning. If you were a wikileaks supporting entity, looking for a random name to blame ...

    4. Re:Ahem by Anonymous Coward · · Score: 0

      Or, alternatively, if you are an attention-whore, register the domain name for a hack/DDOS group to get people to talk about you.

    5. Re:Ahem by Anonymous Coward · · Score: 0

      Because as is pointed out within the first couple of comments on your link it might be meant as a "fuck you" to Adrian Lamo which seems reasonable. Plus the idea that Adrian Lamo is Lulzsec is sort of stupid since he's already been in trouble with the Feds before so doing stupid shit like Lulzsec has been doing would be an excellent way for Mr. Lamo to spend the rest of his days in Federal lockup.

    6. Re:Ahem by Anonymous Coward · · Score: 0

      alternatively, Nakomis == LulzSec[i]; http://pastebin.com/5NJXfbVw

    7. Re:Ahem by Anonymous Coward · · Score: 0

      Good point, but also, why not?

      Because there is not a good reason to.

      gullible
      Adjective: Easily persuaded to believe something; credulous.

    8. Re:Ahem by Tolkien · · Score: 1

      Hah. That would indeed be pretty cool.

  21. makes sense by Anonymous Coward · · Score: 0

    my password for slashdot is "nerdporn"

  22. No reason not to use password manager by rsborg · · Score: 1

    Password reuse is a major problem, regardless of site. There is very little excuse not to use tools like 1Password, LastPass or KeePassX.
    I've gotten my technophobic parents and wife on the treadmill (all use 1password via a family license).

    I've gotten them comfortable ditching their "known good password" on their other sites, learning the strong master password by heart, and got them comfortable enough to generate a good-length (default 18 characters) password for any site that needs it.

    The best part about a password manager is that you can share (Dropbox for now, perhaps iCloud tomorrow) your credential set (which are encrypted, of course) and now you don't get bugged about the Amazon password from your spouse, she just logs in and buys the stuff.

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:No reason not to use password manager by Anonymous Coward · · Score: 0

      So I now need to have this application on every device I use to connect to the internet? I need to log in to it and copy and paste credentials to do something silly for five minutes? And, I really trust the security at Dropbox to protect all my passwords? There is no reason to secure most of the crap on the internet. Use unique, strong security for financial and other critical accounts. For everything else, who cares?

    2. Re:No reason not to use password manager by tehcyder · · Score: 1

      There is very little excuse not to use tools like 1Password, LastPass or KeePassX.

      How about "if it's not your bank account who gives a flying fuck about security and strong passwords" as an excuse?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  23. Yawn! by Anonymous Coward · · Score: 1

    I am really starting to doubt these stories. Generating usernames and passwords is something that can be done with even a quick script - it is not hard to generate real words using a known dictionary source.

  24. Selection bias, anyone? by bkpark · · Score: 1

    We can't know for sure since they aren't divulging their source, but some of the services listed are too sophisticated (esp. Gmail, even if you don't believe in competency of those who run Hotmail) even to store passwords in cleartext anywhere.

    If I had to guess at how they obtained these passwords, they did it by actual hacking of the accounts (or somehow got a hold of the password hashes to run faster attacks on), and in that case, the accounts with weak passwords are the low-hanging fruits; of course the list will contain many, many weak passwords subject to various dictionary attacks.

    This doesn't explain everything, since looking through the password list, I do see a few that actually look randomly-generated, such as "Zt8bNOI655" (maybe they used keylogger trojans in addition to other methods), but unless use of dictionary attack of any form can be ruled out, statistically, this list is worse than worthless—it's downright misleading, unless the only claim made is that there still exist users who use weak passwords.

    1. Re:Selection bias, anyone? by CSMastermind · · Score: 1

      They got the passwords by getting into an unknown website's database (obviously smart money is on writerspace.com). The email breakdown at the top of the article corresponds to the email that was associated with the accounts. None of the email services (hotmail or gmail) were actually compromised. Knowing Lulzsec's past work they probably got access via a simple SQL injection.

  25. Did anybody here finish the article? by CSMastermind · · Score: 1

    Any /. theories on ajcuivd289 ? I'm stumped, unless one dude has a lot of dupe accounts.

  26. The passwords are likely vision based by WindBourne · · Score: 2

    Ever sit and watch average ppl create new passwords at their desk? They do not look into the air to think about it. Instead, they look at what is around them. I do not watch somebody enter the passwords, but I have noticed the subject's head. I believe that they are looking at the books, artwork, etc that is just around them.

    Want to break into their stuff? Simply take a look around the desk and see what is important to them. Simple as that.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:The passwords are likely vision based by DigitaLunatiC · · Score: 1

      This happens all the time in film, but I've never seen it happen in real life. I know a few people who use passwords that have some sort of personally important bit of information nested in it, but having known the passwords of various friends and family members throughout my life the creation methods have never been related to what's around their desks.

    2. Re:The passwords are likely vision based by WindBourne · · Score: 1

      Oh, I am amazed at how many ppl have passwords of stuff on their desk. Personally, I have an algorithm and use that. It works great. Prior to GPUs, I would have given mine very little chance of being cracked. At this point, that is gone.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  27. most of the emails are from Brazil by tortovroddle · · Score: 1

    The original list posted by LulzSec is divided into two parts. The first half has an assortment of emails from many domains. The second half contains emails of Brazilians, most of them from hotmail and yahoo (many have .br at the end, or use Brazilian names and words). Probably they compromised some Windows Live server? Looks like many of them are MSN logins...

  28. Perfect Paper Passwords by reboot246 · · Score: 2

    The best system I've seen is the one Steve Gibson has on his website.

    https://www.grc.com/ppp.htm

  29. Guessable passwords. by SETIGuy · · Score: 2

    People use guessable passwords because they want to use passwords that they can remember. And people that use passwords they can remember do reuse passwords. Any password I can remember probably isn't very secure. Any password used at more than one site definitely isn't secure.

    It's past time that all browsers included a standard password generator with user definable salt set at first invocation, and master password prompting. Web standards should at a minimum specify support for all printable ASCII characters in passwords. If a bank isn't competent enough to hire a programmer that can write code to handle a quote in a password, you probably shouldn't be banking there.

    Until then there's still PasswordMaker, for which you have to salt each account separately if you do not want the default unsalted hash. And there's still the annoyance of "alphanumeric only with at least one uppercase and one number" web sites.

  30. I don't think the Data is that relevant by Teknikal69 · · Score: 1

    If the names and passwords come from someone cracking them on a big scale I think it says more about the pass list it used than what people are actually using as passwords. For example, if I ran a tiny password list with just a few like letmein love dolphin 12345 password peace god sex etc. I'd no doubt crack a lot of accounts, but the number of people using those exact passwords could be pretty small. Doesn't mean I couldn't assemble a huge amount of cracked accounts, but the password data wouldn't reflect the true picture.

    Hope that makes sense.

  31. I thought so too until... by LongearedBat · · Score: 1

    That was my 1st guess too. However, here's a list of the top 45 most common passwords for that site. I've bolded the obvious literature-related passwords. Others may be as well, such as people's names that might be references to characters. You may be right, of course, but literature-related passwords do seem overrepresented.

    0.9231% "123456"
    0.3157% "123456789"
    0.2142% "password"
    0.1417% "romance"
    0.1095% "102030"
    0.1079% "mystery"
    0.0998% "123"
    0.0998% "ajcuivd289"
    0.0998% "shadow"
    0.0998% "tigger"
    0.0869% "bookworm"
    0.0869% "dragon"
    0.0853% "sunshine"
    0.0837% "12345"
    0.0837% "reader"
    0.0805% "purple"
    0.0773% "maggie"
    0.0757% "reading"
    0.0708% "1234"
    0.0563% "angels"
    0.0547% "peanut"
    0.0547% "vampire"
    0.0531% "booklover"
    0.0515% "12345678"
    0.0515% "charlie"
    0.0515% "ginger"
    0.0515% "michael"
    0.0515% "pepper"
    0.0515% "unicorn"
    0.0499% "princess"
    0.0483% "writerspace"
    0.0467% "101010"
    0.0467% "242424"
    0.0467% "1234567"
    0.0467% "cookie"
    0.0467% "writer"
    0.0451% "buster"
    0.0451% "hannah"
    0.0434% "bailey"
    0.0434% "matthew"
    0.0418% "123123"
    0.0418% "library"
    0.0402% "butterfly"
    0.0402% "callie"
    0.0402% "flower"

  32. passwd file by Anonymous Coward · · Score: 0

    Anyone has a working link to the file ?

  33. It reveals by kikito · · Score: 1

    that LulzSec are worms.

  34. AjcuiVd289 by Anonymous Coward · · Score: 0

    Intrigued by the odd "AjcuiVd289" password, I googled it, and some hits down were these kinds of pages containing login information.

    http://www.firstsg.com/articles/AdminUser.asp?MemberTblOrder=Sorter_RegisteredOn&MemberTblDir=ASC

    The pages belong to "First Security Group", which, according to them, "Founded in 2004, First Security Group has established itself as one of the leading security services providers in the UAE with activities spanning professional security, training through to state-of-the-art technology."

    The passwords work just fine. Enjoy.