Analyzing 20,000 MySpace Passwords
Rub3X writes "Author found 20 thousand MySpace passwords on a phishing site and did some tests on them. They were tested for strength, length and a number of other things. Also tested was the most popular password, and the most popular email service used when registering for myspace."
Interesting analysis, but... (Score:5, Insightful)
Personally, I try to fit the following in every eBay phishing page I see:
Field 1: "just who do you think you're kidding?"
Field 2: "better luck next time, dolt."
Flawed (Score:4, Insightful)
Now, I am changing my password to cookie321, no one will see that coming.
Who cares about myspace password strength? (Score:5, Insightful)
1) Online banking - Very complex (as complex as my banking site will allow, that is) / Important work related passwords
2) Unimportant work related passwords (Such as the log in to view the cacti graphs for example) / Public websites that require a password and I care a little bit about
3) Public websites I could give a rat's ass about having broken into. Myspace would be listed here. So would my slashdot account.
So my point is just because people use crappy passwords for myspace doesn't necessarily mean they don't have a clue......but being caught by phishers does.
Re:666 - myname (Score:5, Insightful)
Almost (Score:5, Insightful)
Re:666 - myname (Score:5, Insightful)
It depends on how smart the phisher is. If they take the password then redirect to the real MySpace account (to avoid arousing suspicions among even the gullible) where they can try again, there won't be many second-tries.
If I were of low enough moral character to phish, that'd be what I'd do, anyway.
Due Diligence (Score:3, Insightful)
This 'paper' doesn't give MySpace haters much ammo (Score:4, Insightful)
Re:Flawed (Score:5, Insightful)
He didn't 'choose' to study this... the data fell into his hands, and he offered analysis.
This is a great little 'news for nerds' thing. The author says he has this data, he's smart enough not to publish it (just the analysis), he gives some interesting results from raw analysis of the 'data'. Take the story for what it is: Sunday morning on Slashdot.
Re:Almost (Score:5, Insightful)
I'd imagine that's why fuckyou is up there so high. I sort of assume that's a message to the phisher rather than a real password.
Re:Flawed (Score:3, Insightful)
My point was (if you had read the article) that his claim that he was able to measure the strength of the passwords was flawed. There were passwords that myspace couldn't have accepted as valid passwords because they require at least one digit (so "fuckyou" couldn't have been a password).
The "known bad" data should have been dropped immediately.
Password Strength (Score:3, Insightful)
Cheers.
Re:Due Diligence (Score:3, Insightful)
Methinks most people would know enough to avoid publicly admitting to testing those l/p's.
Re:strong passwords (Score:3, Insightful)
More importantly, as you add more characters to the password you only add factors of 62 and you have just one factor of 36 and one of 10. So for an eight char password with at least one digit and one alternate case, you have at LEAST 62*62*62*62*62*62*36*10 possibilities.
Furthermore, attackers never start with a brute force attack except with trivially short passwords. They start with a dictionary attack. Hacker dictionaries contain not just the dictionary but millions of passwords that other people have used. Before they do a full on brute force attack, they do an all lower case brute force. They also try passwords with a beginning upper and ending in a number. Then chars with one number in between the chars. Combinations that include upper and lower and digits are about the last thing they try even if they resort to a full on brute force.
Since all passwords of just a few chars (maybe 8 or so) can be brute forced no matter what they contain, it would make no sense to require certain characters but not have a minimum password length. Just increase the minimum length by one and you've more than made up for any combinations lost to restrictions, while drastically reducing vulnerability to dictionary attacks.
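The keyspace arithmetic and guessing order from the comment above, as an added example that is not part of the original thread: `keyspace` counts exactly (by inclusion-exclusion) how many passwords a character-class rule leaves, and `guess_tier` labels a password by the pattern classes the comment lists, as a policy audit aid. The function names, the wordlist and the sample passwords are constructed assumptions.

```python
import re
from itertools import combinations

# 62-symbol alphabet used in the comment: a-z, A-Z, 0-9.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10}
ALPHABET = sum(CLASS_SIZES.values())

def keyspace(length, required=()):
    """Exact number of `length`-character passwords containing at least one
    character from every class in `required`, by inclusion-exclusion."""
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            left = ALPHABET - sum(CLASS_SIZES[c] for c in excluded)
            total += (-1) ** k * left ** length
    return total

# Pattern classes in the order the comment says they get tried.
TIERS = [
    ("all-lowercase", re.compile(r"[a-z]+")),
    ("capital-first-digit-last", re.compile(r"[A-Z][a-z]+[0-9]")),
    ("one-digit-between-letters", re.compile(r"[A-Za-z]+[0-9][A-Za-z]+")),
]

def guess_tier(password, wordlist):
    """Return the earliest tier that covers `password`; "other" only means
    none of these patterns matched, not that the password is strong."""
    if password.lower() in wordlist:
        return "dictionary"
    for name, pattern in TIERS:
        if pattern.fullmatch(password):
            return name
    return "other"

if __name__ == "__main__":
    free8, digit8, free9 = keyspace(8), keyspace(8, ("digit",)), keyspace(9)
    print(f"8 chars, no rule:        {free8:.3e}")
    print(f"8 chars, digit required: {digit8:.3e} ({1 - digit8 / free8:.1%} lost)")
    print(f"9 chars, no rule:        {free9:.3e} ({free9 // free8}x the 8-char space)")
    wordlist = {"sunshine", "password"}            # constructed sample wordlist
    for pw in ["sunshine", "qwpzmvkt", "Trouble7", "blue4sky", "xK9pQ2rL"]:  # constructed
        print(f"{pw:10} -> {guess_tier(pw, wordlist)}")
```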
Re:I've been noticing a trend of sorts (Score:3, Insightful)