Analyzing 20,000 MySpace Passwords

Rub3X writes "Author found 20 thousand MySpace passwords on a phishing site and did some tests on them. They were tested for strength, length and a number of other things. Also tested was the most popular password, and the most popular email service used when registering for myspace."
  • by Vo0k ( 760020 ) on Sunday September 17, 2006 @09:25AM (#16124393) Journal
    Say, 10% of the passwords on a site were obtained using a dictionary attack. Then perform analysis on these passwords. Concluding, based on a statistically significant number of passwords (10%, >10000), that almost 100% of the passwords on the site are vulnerable to dictionary attack is simply wrong - the sample was biased.
    The same applies to phishing-originated passwords. Phishing is a result of bad practices on the user side, and usually clicking attachments in spam, using an insecure browser and no antivirus is connected with using poor quality passwords. The results WILL show worse quality of user passwords than real simply because the passwords originate from a subset of users who know less about security in general (and as a result, got hacked.)
  • Email Password (Score:5, Interesting)

    by lobsterGun ( 415085 ) on Sunday September 17, 2006 @09:34AM (#16124420)
    It would be interesting to see how many of the names in that list use the same password for MySpace account as they do in their email account.
  • by Daytona955i ( 448665 ) <{moc.oohay} {ta} {42yugnnylf}> on Sunday September 17, 2006 @09:57AM (#16124496)
    Also, people who have stronger passwords would probably recognize it as a phishing site, so the data is pretty much worthless. Also, how many people went to the phishing site? It's probably a small percentage of users.

    While the data is interesting, it really can't be used to determine anything other than the fact that some users have lame passwords.
  • by Anonymous Coward on Sunday September 17, 2006 @11:25AM (#16124779)
    1. Put up a site that claims to have tens of thousands of passwords up.
    2. Post news on Slashdot.
    3. Users go to site, and SEARCH for their password. Hacker now has REAL passwords thanks to the searches.

  • strong passwords (Score:4, Interesting)

    by DigitalLifeForm ( 952353 ) on Sunday September 17, 2006 @11:40AM (#16124823)
    There was an MIT study claiming that the strength of passwords was affected by length alone. Because of brute force cracking, the longer the password, the longer it took to break. Consider the three character password where I allowed only numbers, and upper and lower case letters. Each position in the password would have 10 + 26 + 26 = 62 possibilities. A three letter password would have 62 * 62 * 62 combinations. Now, if I required "strength" by requiring the use of a letter, and both upper and lower case, I now have only 10 * 26 * 26 combinations. Requiring "strength" always reduces the set of possible combinations for the password.
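The search-space arithmetic in the comment above, carried through as an added example (not from the comment or the MIT study it mentions): the space of free strings over digits and letters versus the space left once a composition rule demands at least one character of each class. Inclusion-exclusion counts every arrangement that satisfies the rule rather than one fixed position per class, and the comparison also shows what one extra character with no rule at all is worth.

```python
from itertools import combinations
from math import log2

# Character classes from the comment above: digits, upper- and lower-case letters.
CLASSES = {"digit": 10, "upper": 26, "lower": 26}


def keyspace_free(length, classes=CLASSES):
    """Strings of `length` drawn freely from the union of all classes (62^n here)."""
    return sum(classes.values()) ** length


def keyspace_required(length, required, classes=CLASSES):
    """Strings of `length` over the same alphabet that contain at least one
    character from every class named in `required`.

    Inclusion-exclusion over the required classes: start from all strings,
    subtract those missing one required class, add back those missing two,
    and so on. Every arrangement that satisfies the rule is counted."""
    alphabet = sum(classes.values())
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def compare(length, required=("digit", "upper", "lower")):
    """Search space under the composition rule at `length`, against simply
    requiring one more character with no rule, expressed as bits of
    brute-force work."""
    free = keyspace_free(length)
    rule = keyspace_required(length, required)
    longer = keyspace_free(length + 1)
    return {
        "free": free,
        "with_rule": rule,
        "one_char_longer_no_rule": longer,
        "bits_lost_to_rule": round(log2(free) - log2(rule), 2),
        "bits_gained_by_extra_char": round(log2(longer) - log2(rule), 2),
    }


if __name__ == "__main__":
    for n in (3, 8):
        print(n, compare(n))
```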
  • trustno1 (Score:2, Interesting)

    by illectro ( 697914 ) on Sunday September 17, 2006 @11:57AM (#16124888)
    Recently, while auditing user accounts, this password turned up as one of the top 10 most common passwords - if you don't know, it's Fox Mulder's password in the X-Files. Passwords used in movies and TV are surprisingly common, 'joshua' is pretty common, and quite a few people use 'CPE1704TKS', proving that just because people remember detailed trivia from hacking movies they don't know what makes a good password.
  • Re:strong passwords (Score:4, Interesting)

    by nobodynoone ( 940116 ) on Sunday September 17, 2006 @11:58AM (#16124891)
    Yes, but in the instance of brute force, it is all about PERCEIVED strength, in which case the brute force attack must include numbers as well as letters, increasing possible combinations from the attack side to 36*36*36. So while the ACTUAL combinations may drop, the POSSIBLE combinations increase.
  • by Animats ( 122034 ) on Sunday September 17, 2006 @12:30PM (#16125007) Homepage

    Twenty-two years on, here's my obvious password detector [animats.com]. This is C source code I wrote in 1984. This simple piece of code will prevent the use of passwords that are English words, by requiring that the password have at least two sequences of three letters not found in the dictionary. The "dictionary" is compressed down to a big table of hex constants; it's a 27x27x27 array of bool, with a 1 for each triplet found in the UNIX dictionary. So the code is simple, self-contained, and does no I/O.

    Put this in your password-change program and dictionary attacks stop working.

    The code is a bit dated; this is original K&R C, not ANSI C.

    I should do a Javascript version and give that out. The code is so small that it could easily be executed on user-side password pages.
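The triplet check described in the comment above, reimplemented here as an added example in Python; this is not the 1984 C code from animats.com, and the wordlist is a constructed stand-in for the UNIX dictionary. The 27th symbol is assumed to stand for any non-letter, so a window containing one can never match a dictionary word and counts as unknown.

```python
import string

# Constructed toy wordlist standing in for the UNIX dictionary the comment
# describes; a real deployment would load /usr/share/dict/words or similar.
WORDS = ["password", "welcome", "monkey", "dragon", "letter",
         "summer", "sunshine", "football", "princess", "master"]

LETTERS = set(string.ascii_lowercase)
NON_LETTER = "_"   # assumed role of the 27th index: any non-letter character


def build_trigram_table(words):
    """Collect every three-letter window found in the wordlist.

    The original keeps a 27x27x27 array of bools indexed by letter; a set of
    strings is the same lookup without the bit packing."""
    table = set()
    for word in words:
        word = word.lower()
        for i in range(len(word) - 2):
            tri = word[i:i + 3]
            if all(ch in LETTERS for ch in tri):
                table.add(tri)
    return table


def normalize(ch):
    """Letters fold to lowercase; anything else becomes the non-letter symbol."""
    ch = ch.lower()
    return ch if ch in LETTERS else NON_LETTER


def count_unknown_trigrams(password, table):
    """Number of three-character windows of the password that never occur in
    the dictionary. A window holding a non-letter cannot match any word, so
    it is always unknown; appending a single digit therefore adds only one."""
    norm = "".join(normalize(ch) for ch in password)
    windows = [norm[i:i + 3] for i in range(len(norm) - 2)]
    return sum(1 for w in windows if w not in table)


def is_obvious(password, table, min_unknown=2):
    """The comment's rule: the password passes only if at least `min_unknown`
    windows are absent from the dictionary; otherwise it reads like words."""
    return count_unknown_trigrams(password, table) < min_unknown


TABLE = build_trigram_table(WORDS)

if __name__ == "__main__":
    for candidate in ["password", "Dragon1", "k9vqz4pr!"]:
        print(candidate, "obvious" if is_obvious(candidate, TABLE) else "ok")
```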

  • Re:Due Diligence (Score:3, Interesting)

    by jandrese ( 485 ) <kensama@vt.edu> on Sunday September 17, 2006 @03:07PM (#16125624) Homepage Journal
    Honestly, most of these phishing operations that I've seen are really lowbrow affairs. Proper engineering isn't exactly a common feature. Most of the time they don't care if 50% of the passwords (or more) don't work; all they need are a few hits to get what they need.
  • by dghcasp ( 459766 ) on Sunday September 17, 2006 @06:30PM (#16126512)

    He came up with a rating scheme from 1 to 4, where 4 is the "best" password. And he says "I consider strength two fine for a myspace account." Very good point: Not all websites need the same level of password strength.

    My personal pet peeve is websites that probably only require a 2 or 3 (on his scale) but demand strength 99. For example, forum sites that reject passwords that my bank would consider good enough.

    Your password was rejected because it was only seven characters long, does not contain enough characters that are neither letters nor numbers, and contains a substring that was found in a dictionary of Croatian words. Plus, you used that password three years ago when we forced you to change it with our 30-day password aging policy.

    My plea to anyone reading this who develops websites: The strength of the password only has to match the importance of the information that it's protecting.

    Thus endeth my rant.

  • by TheCarp ( 96830 ) * <sjc@NospAM.carpanet.net> on Sunday September 17, 2006 @07:55PM (#16126981) Homepage
    Nope, I actually use a mnemonic system to help me remember them.

    It's funny how often I have to give someone "the stare" when they ask "what's your password"... but the truth is, I couldn't even rattle it off if I tried. I learn the mnemonic and the muscle memory of typing it, but I don't know it character by character.

    I have to sit down for a sec and go over the mnemonic to remember the individual chars.

    -Steve
