Analyzing 20,000 MySpace Passwords

Rub3X writes "Author found 20 thousand MySpace passwords on a phishing site and did some tests on them. They were tested for strength, length and a number of other things. Also tested was the most popular password, and the most popular email service used when registering for myspace."
  • by SilentChris ( 452960 ) on Sunday September 17, 2006 @09:23AM (#16124382) Homepage
    It's a fairly interesting (if not too detailed) analysis. A commenter makes a critical observation, though: these were passwords entered at the phishing site, not MySpace. As such, some people can easily recognize it's not the original site and add such gems as "fuckyou".

    Personally, I try to fit the following in every eBay phishing page I see:

    Field 1: "just who do you think you're kidding?"
    Field 2: "better luck next time, dolt."
  • Flawed (Score:4, Insightful)

    by schabot ( 941087 ) on Sunday September 17, 2006 @09:25AM (#16124394) Homepage
    The analysis is flawed as a general indicator of MySpace passwords because it is only a subset of people who would actually fall for phishing attacks. Of course such people will have horrible password habits.

    Now, I am changing my password to cookie321, no one will see that coming.
  • by smkndrkn ( 3654 ) on Sunday September 17, 2006 @09:47AM (#16124462)
    I have a few "sets" of passwords that I use. Basically it goes like this:

    1) Online banking - Very complex ( as complex as my banking site will allow that is ) / Important work related passwords
    2) Unimportant work related passwords (Such as the login to view the cacti graphs for example) / Public websites that require a password and I care a little bit about
    3) Public websites I couldn't give a rat's ass about having broken into. Myspace would be listed here. So would my slashdot account.

    So my point is just because people use crappy passwords for myspace doesn't necessarily mean they don't have a clue......but being caught by phishers does. ;)
  • Re:666 - myname (Score:5, Insightful)

    by rednip ( 186217 ) * on Sunday September 17, 2006 @09:48AM (#16124467) Journal
    Most common passwords used:
    Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher.
  • Almost (Score:5, Insightful)

    by benhocking ( 724439 ) on Sunday September 17, 2006 @10:12AM (#16124546) Homepage Journal
    "Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher" - or by people pretending to be MySpace users when targeted by a phisher - or by people giving a bogus password when targeted by a phisher.
  • Re:666 - myname (Score:5, Insightful)

    by Tanktalus ( 794810 ) on Sunday September 17, 2006 @10:24AM (#16124586) Journal

    It depends on how smart the phisher is. If they take the password then redirect to the real MySpace account (to avoid arousing suspicions among even the gullible) where they can try again, there won't be many second-tries.

    If I were of low enough moral character to phish, that'd be what I'd do, anyway.

  • Due Diligence (Score:3, Insightful)

    by bigattichouse ( 527527 ) on Sunday September 17, 2006 @10:28AM (#16124595) Homepage
    Due diligence would have him write a script to check which user/pass combinations were valid, and then analyze only those.
  • by erikwestlund ( 1003368 ) on Sunday September 17, 2006 @11:12AM (#16124735) Homepage
    I almost sense a disappointment that MySpace users didn't come out looking stupider. Give the MySpace users a break! Their computer illiteracy is made painfully clear, but imagine if Slashdot had a comparable way to highlight its posters' social illiteracy. Perhaps there would be MySpacers writing on message boards about how stupid all Slashdot users were for their poor fashion sense. Yes, that would be stupid, but comparably as stupid as the blind, generalizing hate for MySpace users that is prevalent here.
  • Re:Flawed (Score:5, Insightful)

    by Zapman ( 2662 ) on Sunday September 17, 2006 @11:31AM (#16124794)
    This is what it is. It's an analysis of passwords, obtained by a script kiddie's phishing site. The author makes no claims to 'analysing the strength of every myspace password' or some such. All the information you need to analyze his results is right there.

    He didn't 'choose' to study this... the data fell into his hands, and he offered analysis.

    This is a great little 'news for nerds' thing. The author says he has this data, he's smart enough not to publish it (just the analysis), he gives some interesting results from raw analysis of the 'data'. Take the story for what it is: Sunday morning on Slashdot.
  • Re:Almost (Score:5, Insightful)

    by flooey ( 695860 ) on Sunday September 17, 2006 @11:46AM (#16124841)
    "Really, it should read: the most commonly used passwords, by MySpace users who were targeted by and fell for a phisher" - or by people pretending to be MySpace users when targeted by a phisher - or by people giving a bogus password when targeted by a phisher.

    I'd imagine that's why fuckyou is up there so high. I sort of assume that's a message to the phisher rather than a real password.
  • Re:Flawed (Score:3, Insightful)

    by tomhudson ( 43916 ) on Sunday September 17, 2006 @12:08PM (#16124928) Journal

    My point was (if you had read the article) that his claim that he was able to measure the strength of the passwords was flawed. There were passwords that myspace couldn't have accepted as valid passwords because they require at least one digit (so "fuckyou" couldn't have been a password).

    The "known bad" data should have been dropped immediately.

  • Password Strength (Score:3, Insightful)

    by localman ( 111171 ) on Sunday September 17, 2006 @02:05PM (#16125360) Homepage
    Most interesting to me is that despite most of the passwords being decent it makes not a lick of difference in these people being phished. Once again, being sharp and understanding of the big picture is more important than following any isolated rule about security. Good luck getting that out to the masses, though :)

    Cheers.
  • Re:Due Diligence (Score:3, Insightful)

    by TubeSteak ( 669689 ) on Sunday September 17, 2006 @03:10PM (#16125634) Journal
    Due diligence would have him write a script to check which user/pass combinations were valid
    I think we would call that "unauthorized access"

    Methinks most people would know enough to avoid publicly admitting to testing those l/p's.
  • by mrcaseyj ( 902945 ) on Sunday September 17, 2006 @04:14PM (#16125908)
    The probability calculation is flawed. Although restricting the choices of passwords reduces the number of possibilities it doesn't reduce them all that much. A three character password with an upper, a lower, and a digit, isn't 10*26*26 possibilities. The first char can be any of 62. The next char can be any of at least 36 but could be any of 52 if the first char was a digit. The last char could be any of at least 10. Thus the correct calculation is at LEAST 62*36*10 but is actually more.


    More importantly, as you add more characters to the password you only add factors of 62 and you have just one factor of 36 and one of 10. So for an eight char password with at least one digit and one alternate case, you have at LEAST 62*62*62*62*62*62*36*10 possibilities.


    Furthermore, attackers never start with a brute force attack except with trivially short passwords. They start with a dictionary attack. Hacker dictionaries contain not just the dictionary but millions of passwords that other people have used. Before they do a full on brute force attack, they do an all lower case brute force. They also try passwords with a beginning upper and ending in a number. Then chars with one number in between the chars. Combinations that include upper and lower and digits are about the last thing they try even if they resort to a full on brute force.


    Since all passwords of just a few chars (maybe 8 or so) can be brute forced no matter what they contain, it would make no sense to require certain characters but not have a minimum password length. Just increase the minimum length by one and you've more than made up for any combinations lost to restrictions, while drastically reducing vulnerability to dictionary attacks.

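The keyspace argument in the comment above, worked through as an added example (not code from the thread or the analysed article): an inclusion-exclusion count of passwords that must contain at least one upper-case letter, one lower-case letter and one digit, compared against the naive 10*26*26 figure, the commenter's 62*...*36*10 lower bound, and the unrestricted keyspace one character longer. The three class sizes (26, 26, 10) are an assumption standing in for the MySpace composition rule the thread describes.

```python
"""Keyspace of composition-constrained passwords (added example).

Assumed character classes: 26 upper, 26 lower, 10 digits, so the full
alphabet has 62 symbols. The rule modelled is 'at least one of each class'.
"""
from itertools import combinations

UPPER, LOWER, DIGIT = 26, 26, 10
CLASSES = (UPPER, LOWER, DIGIT)
ALPHABET = sum(CLASSES)  # 62


def required_class_keyspace(length, classes=CLASSES):
    """Exact number of strings of `length` over the union of `classes`
    containing at least one character from every class.

    Inclusion-exclusion over the set of classes that are missing:
    total strings, minus strings that avoid one class, plus strings that
    avoid two classes, and so on. Returns 0 when length < len(classes).
    """
    total = 0
    n = len(classes)
    for k in range(n + 1):
        for missing in combinations(range(n), k):
            remaining = sum(c for i, c in enumerate(classes) if i not in missing)
            total += (-1) ** k * remaining ** length
    return total


def comment_lower_bound(length):
    """The commenter's bound: every position has 62 choices except one that
    must still supply the other case (>= 36) and one that must supply a
    digit (>= 10). Valid for length >= 2."""
    return ALPHABET ** (length - 2) * 36 * 10


def length_vs_composition(length):
    """Compare the exact constrained keyspace at `length` with the
    unrestricted keyspace at `length + 1` (the comment's 'just add one
    character' argument). Returns (constrained, unrestricted_plus_one)."""
    return required_class_keyspace(length), ALPHABET ** (length + 1)


if __name__ == "__main__":
    naive = 10 * 26 * 26  # the flawed count the comment criticises
    print("3 chars: naive", naive, "bound", comment_lower_bound(3),
          "exact", required_class_keyspace(3))
    print("8 chars: bound", comment_lower_bound(8),
          "exact", required_class_keyspace(8))
    print("8 constrained vs 9 unrestricted:", length_vs_composition(8))
```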
  • by AriaStar ( 964558 ) on Sunday September 17, 2006 @08:20PM (#16127130) Journal
    I read both sites because I like the different articles on each. But lately many of the same articles are on both. I suspect people are seeing articles there and submitting them here. I'd like to see variety again.
