What LulzSec Logins Reveal About Bookworms, and Passwords
Barence writes "Today the hacking group LulzSec posted 62,000 hacked email usernames and passwords online. PC Pro's Darien Graham-Smith has analysed the passwords stolen — which are believed to have come from a website for writers — and found some interesting patterns. Aside from 'password' and obvious numerical patterns (i.e. '12345') the most common passwords share a literary theme: 'romance,' 'mystery,' 'shadow' and 'bookworm' are all commonly used passwords. 'Clearly, this is a back-of-an-envelope breakdown of a mixed mass of unverified data,' said Graham-Smith. 'But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.'"
Perhaps these are their passwords for every site, and this site just over-represents people interested in books and writing. I certainly don't use custom passwords based on the type of site.
There should be laws created to impose massive fines for sites storing plaintext passwords. There's absolutely no excuse for this. I understand that you can't govern the entire internet, but I would be content with American laws governing American sites. It would be a nice start.
Easy-to-remember passwords for a site that doesn't matter at all? Color me shocked. When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info. That way if someone does acquire this info (and it has happened multiple times) I don't get burned. For important things like banking and gmail, I have 2-step authentication enabled and use a strong password on top of that. Different on every site of course.
But for stuff like writers forums, tech support sites, slashdot (haha!) and the like? I don't use and don't care to use a strong password because, well, what's the point? You don't hear about individuals on these sites being hacked because of the insecure passwords they use. No, you hear about the administrators of these sites having their sites hacked and their userlists and passwords stolen. What good does a strong password serve on a site like this when there are gaping security holes in the OS hosting the forums?
And why, for Xenu's sake, are people still storing passwords in plaintext??
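The complaint above is that the leaked site kept passwords recoverable. As an added illustration (not code from the site or from any poster), here is the difference between a plaintext table and one that stores only a per-user random salt plus a PBKDF2 hash; the user record and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed record in the style of the leaked dump: email -> plaintext password.
PLAINTEXT_DB = {"alice@example.com": "bookworm"}

# Assumption: PBKDF2-HMAC-SHA256 with a fixed work factor; tune for your hardware.
ITERATIONS = 200_000


def store_password(db, email, password):
    """Store only a random 16-byte salt and the PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[email] = {"salt": salt.hex(), "hash": digest.hex(), "iter": ITERATIONS}


def verify_password(db, email, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = db.get(email)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(rec["salt"]), rec["iter"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


def leaked_record_reveals_password(record, password):
    """What a dump of this record gives away: True if the password is in it verbatim."""
    return password in str(record)
```

With the hashed table, a dump still allows offline guessing of weak themed passwords like 'bookworm', which is why the work factor and the password strength both matter; it just no longer hands them over directly.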
Do we need to change "her" password? Right now it's "Lezcyclopedia".
"Flyin' in just a sweet place,
Never been known to fail..."
Many of these passwords are a consequence of a person not wanting to write down their passwords for fear of the written down password being found. Thus, instead of creating an effective, hard to guess (and hard to remember) password, many people simply come up with a password that is easy to remember, but that they hope is so random, or so obvious, that nobody would guess.
I teach my children, even the little ones, the old trick of coming up with an easy to remember sentence, picking the first letter of each word, and changing one or more characters to a number or symbol. They like the challenge, and create some reasonably tough passwords to guess.
http://10CentMail.com - the Amazon SES app.
Here's a link to the passwords so you can check if your password is on there
Just search the page for your password. Chrome does a great job of this because it starts highlighting matching passwords as you type it. I just checked my passwords, none of them are on this list.
my karma will be here long after I'm gone
But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.
The three most popular Slashdot passwords are 'troll', 'slacker', and 'clown'.
Sheesh, evil *and* a jerk. -- Jade
I work for an ISP that is represented in the list of emails and passwords. We determined all the addresses from domains we control are not, nor have they ever been used, on our system. I'm not saying they are all fakes, but all the addresses I'm able to verify are not legit.
I really don't know why this idea of remembering just one personal quirky algorithm isn't more widespread
The problem with algorithms is stupid artificial restrictions on credentials by some sites. For example, I can only choose numbers for my "PIN" on my 401k. Or my password must be all lowercase for my public utilities site, or contain no special characters at my bank, or some other hare-brained restriction.
Same with user names. Often your username must be your email address. Sometimes they don't allow the @ sign. Other times, it's not modifiable and is just random characters assigned to you (I have at least one brokerage site where this is the case).
I've tried the algorithm approach, and eventually all the numerous restrictions lead to a completely insecure result from your algorithm, or the algorithm is too complex to store in wetware, resulting in many "forgot my password" delays. Describing and documenting your algorithm is as silly as writing down your master password, so that's going to work.
Eventually you must keep track of them all and if you're doing so you should definitely encrypt/secure it. Thus the password manager. If you get a good one, typing in credentials will be automated based on site (this also removes phishing attacks) and it will exist on your smartphone/PDA and can be synced by Dropbox and/or memory stick.
Make sure everyone's vote counts: Verified Voting
Ever sit and watch average ppl create new passwords at their desk? They do not look into the air to think about it. Instead, they look at what is around them. I do not watch somebody enter the passwords, but I have noticed the subject's head. I believe that they are looking at the books, artwork, etc that is just around them.
Want to break into their stuff? Simply take a look around the desk and see what is important to them. Simple as that.
I prefer the "u" in honour as it seems to be missing these days.
The best system I've seen is the one Steve Gibson has on his website.
https://www.grc.com/ppp.htm
People use guessable passwords because they want to use passwords that they can remember. And people that use passwords they can remember do reuse passwords. Any password I can remember probably isn't very secure. Any password used at more than one site definitely isn't secure.
It's past time that all browsers included a standard password generator with user definable salt set at first invocation, and master password prompting. Web standards should at a minimum specify support for all printable ASCII characters in passwords. If a bank isn't competent enough to hire a programmer that can write code to handle a quote in a password, you probably shouldn't be banking there.
Until then there's still PasswordMaker, for which you have to salt each account separately if you do not want the default unsalted hash. And there's still the annoyance of "alphanumeric only with at least one uppercase and one number" web sites.
Support SETI@home
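The "one quirky algorithm" idea from the earlier comment and the salted, master-password generator described in the last one amount to the same thing: derive each site's password from a master secret, a user-chosen salt and the site name. The added example below (my own illustration, not PasswordMaker's algorithm or any browser's) does that with PBKDF2-HMAC-SHA256 and also handles the "alphanumeric only with at least one uppercase and one number" restriction deterministically; the master password and salt are constructed placeholders.

```python
import hashlib
import string

# Constructed placeholders; a real user would choose their own master secret and salt.
MASTER = "correct horse battery staple"
USER_SALT = "my-personal-quirk"

ALPHANUM = string.ascii_letters + string.digits
FULL = ALPHANUM + string.punctuation


def derive(master, user_salt, site, length=16, alphanumeric_only=False):
    """Deterministic per-site password: same inputs always give the same output,
    and changing the site name gives an unrelated one, so sites cannot be linked."""
    charset = ALPHANUM if alphanumeric_only else FULL
    # Site name goes into the salt so the expensive PBKDF2 step binds master to site.
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode(), (user_salt + "|" + site).encode(), 100_000, dklen=128
    )
    # Rejection sampling: skip bytes that would bias the modulo mapping.
    limit = 256 - (256 % len(charset))
    pw = "".join(charset[b % len(charset)] for b in key if b < limit)[:length]
    # Meet the common "at least one uppercase and one digit" policy without
    # adding randomness: replacement characters also come from the derived key.
    if not any(c.isupper() for c in pw):
        pw = string.ascii_uppercase[key[-1] % 26] + pw[1:]
    if not any(c.isdigit() for c in pw):
        pw = pw[:-1] + string.digits[key[-2] % 10]
    return pw


def meets_policy(pw, alphanumeric_only):
    """Check the restriction the comment complains about: charset, uppercase, digit."""
    allowed = ALPHANUM if alphanumeric_only else FULL
    return (all(c in allowed for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))
```

The weak point the comments already identify remains: the master secret is the single thing to protect, and a site that truncates or silently rewrites passwords will still break the scheme.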