Analyzing 20,000 MySpace Passwords
Rub3X writes "Author found 20 thousand MySpace passwords on a phishing site and did some tests on them. They were tested for strength, length and a number of other things. Also tested was the most popular password, and the most popular email service used when registering for MySpace."
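To make the measurements in the summary concrete, here is an added example (written for this page, not the article author's own scripts) that runs the same kinds of checks over a constructed list of "email:password" records: average length, most popular password, most popular email domain, and a 1-to-4 strength rating. The records are constructed and the rating scale is this example's own assumption, not the scale the article used.

```javascript
// Password-corpus analysis of the kind the summary describes, written as an
// added example for this page (not the original author's scripts). The
// records below are constructed, and the 1-4 strength scale here is this
// example's own assumption, not the scale used in the article.
"use strict";

// Constructed "email:password" records standing in for the leaked list.
const SAMPLE_RECORDS = [
  "alice@example.com:password1",
  "bob@mail.example.net:Tr0ub4dor&3",
  "carol@example.com:123456",
  "dave@example.org:password1",
  "erin@mail.example.net:qwerty",
  "frank@example.com:soccer2006",
  "grace@example.org:Wint3rIsC0ming!",
  "heidi@example.com:letmein",
];

// Split on the first ':' only; a password may itself contain ':'.
function parseRecords(lines) {
  return lines.map((line) => {
    const idx = line.indexOf(":");
    return { email: line.slice(0, idx), password: line.slice(idx + 1) };
  });
}

// Count how many of lower, upper, digit, other appear in the password.
function characterClasses(pw) {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].filter((re) => re.test(pw)).length;
}

// Assumed 1..4 scale: each step needs both a length floor and a class count.
function strengthRating(pw) {
  const classes = characterClasses(pw);
  if (pw.length < 6 || classes < 2) return 1;
  if (pw.length < 8 || classes < 3) return 2;
  if (pw.length < 10 || classes < 4) return 3;
  return 4;
}

// Tally occurrences; Map keeps insertion order, so ties resolve deterministically.
function tally(items) {
  const counts = new Map();
  for (const item of items) counts.set(item, (counts.get(item) || 0) + 1);
  return counts;
}

// Return [value, count] for the most frequent entry (first seen wins a tie).
function mostCommon(counts) {
  let best = null;
  for (const [value, count] of counts) {
    if (best === null || count > best[1]) best = [value, count];
  }
  return best;
}

// Run every measurement over the records and return them as one object.
function analyze(lines) {
  const records = parseRecords(lines);
  const passwords = records.map((r) => r.password);
  const domains = records.map((r) => r.email.slice(r.email.lastIndexOf("@") + 1).toLowerCase());
  const ratingCounts = { 1: 0, 2: 0, 3: 0, 4: 0 };
  for (const pw of passwords) ratingCounts[strengthRating(pw)]++;
  const totalLength = passwords.reduce((sum, pw) => sum + pw.length, 0);
  return {
    total: records.length,
    averageLength: totalLength / records.length,
    mostCommonPassword: mostCommon(tally(passwords)),
    mostCommonDomain: mostCommon(tally(domains)),
    ratingCounts,
  };
}

// Stand-alone run under node: print the summary for the constructed records.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyze(SAMPLE_RECORDS), null, 2));
}
```

On the constructed records the most common password is "password1" (twice) and the most common domain is "example.com"; with real phished data the same tallies are what drive the "most popular password" headline, which is also why the sampling-bias objection raised in the comments matters: the tallies describe the phished users, not the user base.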
Passwords from hacker site = biased. (Score:5, Interesting)
The same applies to phishing-originated passwords. Phishing is a result of bad practices on the user's side, and usually clicking attachments in spam, using an insecure browser and no antivirus goes together with using poor-quality passwords. The results WILL show worse quality of user passwords than real simply because the passwords originate from a subset of users who know less about security in general (and as a result, got hacked).
Email Password (Score:5, Interesting)
Re:Interesting analysis, but... (Score:4, Interesting)
While the data is interesting, it really can't be used to determine anything other than the fact that some users have lame passwords.
How to get a password (Score:2, Interesting)
2. Post news on Slashdot.
3. Users go to site, and SEARCH for their password. Hacker now has REAL passwords thanks to the searches.
strong passwords (Score:4, Interesting)
trustno1 (Score:2, Interesting)
Re:strong passwords (Score:4, Interesting)
Obvious password detector (Score:5, Interesting)
Twenty-two years on, here's my obvious password detector [animats.com]. This is C source code I wrote in 1984. This simple piece of code will prevent the use of passwords that are English words, by requiring that the password have at least two sequences of three letters not found in the dictionary. The "dictionary" is compressed down to a big table of hex constants; it's a 27x27x27 array of bool, with a 1 for each triplet found in the UNIX dictionary. So the code is simple, self-contained, and does no I/O.
Put this in your password-change program and dictionary attacks stop working.
The code is a bit dated; this is original K&R C, not ANSI C.
I should do a JavaScript version and give that out. The code is so small that it could easily be executed on user-side password pages.
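The comment above describes the design rather than showing the code, so here is an added JavaScript example of the same idea, written for this page: it is not the 1984 C code from animats.com. It builds the 27x27x27 boolean table from a word list and rejects any candidate that has fewer than two letter triplets absent from the table. The mapping of non-letters to slot 0 and the tiny word list are assumptions of this example; a real deployment would build the table once from the full UNIX dictionary and ship only the table, as the original does with its hex constants.

```javascript
// Trigram "obvious password" detector, written as an added example for this page.
// It follows the design described in the comment above (a 27x27x27 table of
// booleans, one entry per letter triplet seen in a dictionary) but is not the
// 1984 C code from animats.com. Index 0 stands for "not a letter"; that
// mapping and the small word list are assumptions of this example.
"use strict";

const N = 27;                                   // 26 letters plus one non-letter slot
const ALPHABET = "abcdefghijklmnopqrstuvwxyz";

// Map a character to 1..26 for letters (case-insensitive) and 0 otherwise.
function letterIndex(ch) {
  const i = ALPHABET.indexOf(ch.toLowerCase());
  return i < 0 ? 0 : i + 1;
}

// Flatten an (a, b, c) triplet into an offset in the N*N*N table.
function tableOffset(a, b, c) {
  return (a * N + b) * N + c;
}

// Build the table: table[offset] === 1 iff that triplet occurs in some word.
function buildTrigramTable(words) {
  const table = new Uint8Array(N * N * N);
  for (const word of words) {
    const w = word.toLowerCase();
    for (let i = 0; i + 3 <= w.length; i++) {
      table[tableOffset(letterIndex(w[i]), letterIndex(w[i + 1]), letterIndex(w[i + 2]))] = 1;
    }
  }
  return table;
}

// Count the candidate's overlapping triplets that never appear in the dictionary.
// Digits and punctuation map to slot 0, so "monkey2" contributes "ey2" as one
// unknown triplet while "mon", "onk", "nke", "key" are still dictionary hits.
function countUnknownTrigrams(table, password) {
  let unknown = 0;
  for (let i = 0; i + 3 <= password.length; i++) {
    const off = tableOffset(letterIndex(password[i]), letterIndex(password[i + 1]),
                            letterIndex(password[i + 2]));
    if (table[off] === 0) unknown++;
  }
  return unknown;
}

// The rule from the comment: reject unless at least two triplets are absent from
// the dictionary. Anything shorter than three characters has no triplets and is rejected too.
function isObviousPassword(table, password, minUnknown = 2) {
  return countUnknownTrigrams(table, password) < minUnknown;
}

// Constructed stand-in for the UNIX dictionary (a few words only).
const SAMPLE_WORDS = [
  "password", "secret", "monkey", "letmein", "trust", "dragon",
  "master", "hello", "welcome", "football", "apple", "orange",
];
const SAMPLE_TABLE = buildTrigramTable(SAMPLE_WORDS);

// Stand-alone run under node: report a few candidates against the sample table.
if (typeof require !== "undefined" && require.main === module) {
  for (const pw of ["password", "monkey2", "trustno1", "xq7zk!p"]) {
    console.log(pw, "unknown triplets:", countUnknownTrigrams(SAMPLE_TABLE, pw),
                "obvious:", isObviousPassword(SAMPLE_TABLE, pw));
  }
}
```

Two things the run makes visible: a dictionary word with a digit stuck on the end ("monkey2") still fails, because only one of its triplets is new, while a string such as "trustno1" passes, since the check only knows about words, not about which non-word strings people pick most often. That is the gap a corpus tally like the one in the article fills, so a deployed check would pair the trigram table with a short list of the most frequently chosen passwords.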
Re:Due Diligence (Score:3, Interesting)
One point deserves emphasis... (Score:5, Interesting)
He came up with a rating scheme from 1 to 4, where 4 is the "best" password. And he says "I consider strength two fine for a myspace account." Very good point: Not all websites need the same level of password strength.
My personal pet peeve is websites that probably only require a 2 or 3 (on his scale) but demand strength 99. For example, forum sites that reject passwords that my bank would consider good enough.
My plea to anyone reading this who develops websites: The strength of the password only has to match the importance of the information that it's protecting.
Thus endeth my rant.
Re:Interesting analysis, but... (Score:3, Interesting)
It's funny how often I have to give someone "the stare" when they ask "what's your password"... but truth is, I couldn't even rattle it off if I tried. I learn the mnemonic and the muscle memory of typing it, but I don't know it character by character.
I have to sit down for a sec and go over the mnemonic to remember the individual chars.
-Steve