Slashdot: News for Nerds

Analysis of 32 Million Breached Passwords

CmdrTaco posted more than 4 years ago | from the trust-no-1 dept.

Security 499

An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

499 comments

My password (0)

Anonymous Coward | more than 4 years ago | (#30845054)

Is password. So damn obvious, nobody would think to try it =)

Re:My password (0)

Anonymous Coward | more than 4 years ago | (#30845216)

This comment was also posted the last 5 times this "unique" glimpse was given into what kind of passwords people use. Whoever wrote the description must be 6 years old for them to think this is actually unique.

Re: *password* (1)

conureman (748753) | more than 4 years ago | (#30845284)

IIRC it was in the text of TFA last time.

Re:My password (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30845452)

Here are two more "unique" glimpses into what kinds of passwords people use.
http://www.schneier.com/blog/archives/2009/02/another_passwor.html [schneier.com]

Oh look another "unique" look at what passwords people use
http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php [jimmyr.com]

This site gets dumber and dumber every day. The Onion insults my intelligence far less often.

Your account has been breached. (1, Funny)

Anonymous Coward | more than 4 years ago | (#30845292)

How else do you explain all these people posting as "Anonymous Coward"?

Password strength vs. how often you change it (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30845068)

My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.

Re:Password strength vs. how often you change it (1)

celardore (844933) | more than 4 years ago | (#30845116)

Agreed. We use an old accounting system called JDE, which has a caseless, mandatory 8 digit password - no more, no less. It forces a change every 2 months. You could pretty much calculate anybody's password by taking their surname, and their length of employment. So Joe Bloggs who worked for the company 3 years would likely be bloggs18, for example.

They would be better off allowing us to keep one $EcúR3 password for the duration of employment really.

Re:Password strength vs. how often you change it (4, Funny)

mrcaseyj (902945) | more than 4 years ago | (#30845272)

For places that require password changes I'd suggest to take a very long base password with a month appended and hash it, then convert the hex hash into printable characters. Maybe something like this:
echo -n "LongUnchangingBasePasswordSiteNameJan2009" | sha512sum | xxd -r -p | tr -cd '[:print:]'
This has the advantage of being highly secure and easily memorable, but someone shoulder surfing your password wouldn't be able to figure out what your password is next month. People more familiar with Windows could suggest a command available on that system. Be careful to do this on a computer where the command will not be stored in a command history.

I'm planning to go all lower case with my passwords though. I'll have to make my passwords 50% longer, but I think they'll be easier to type and almost as easy to remember as totally random ones. In fact my error rate with the totally random ones is an issue with shoulder surfing because I make mistakes and have to retype it so often, giving shoulder surfers repeated sightings, and because the numbers and symbols and shifts slow me down.
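The hash-then-filter scheme in the comment above, written out as an added example (not the commenter's code, not from the page): it keys HMAC-SHA512 with the unchanging base secret (a swapped-in choice; the comment pipes plain SHA-512) and maps digest bytes onto a fixed 94-symbol alphabet by rejection sampling, so the result always has the requested length, whereas `tr -cd '[:print:]'` keeps whichever bytes happen to be printable and yields a different length each month. The base secret, site name and period labels are constructed sample values.

```python
import hashlib
import hmac
import string

# 94 printable ASCII symbols, space excluded so the result survives copy/paste trimming.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Bytes below this bound (188 = 2 * 94) map onto ALPHABET without modulo bias.
_ACCEPT = (256 // len(ALPHABET)) * len(ALPHABET)


def derive_password(base_secret: str, site: str, period: str, length: int = 20) -> str:
    """Deterministically derive one fixed-length printable password per (site, period).

    HMAC-SHA512 is keyed with the base secret; the message names the site, the
    rotation period and a block counter, so each site/month pair gets an
    unrelated value, and further digest blocks are pulled whenever rejection
    sampling has discarded too many bytes to fill `length` symbols.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    key = base_secret.encode("utf-8")
    out = []
    counter = 0
    while len(out) < length:
        msg = f"{site}|{period}|{counter}".encode("utf-8")
        digest = hmac.new(key, msg, hashlib.sha512).digest()
        for b in digest:
            if b < _ACCEPT:  # reject 188..255 so every symbol is equally likely
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    base = "LongUnchangingBasePassword"
    for month in ("2010-01", "2010-02"):
        print(month, derive_password(base, "example-site", month))
```

The shoulder-surfing property the comment wants follows from HMAC: seeing January's output gives no way to compute February's without the base secret, and the two outputs are unrelated strings of the same length.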

Re:Password strength vs. how often you change it (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30845390)

At my work we are all required to logon with Smart Card and PIN. Nobody has these "passwords" of which people speak. Shoulder surfers don't have my Smart Card, so lots of luck if they think getting my PIN was very important.

Re:Password strength vs. how often you change it (5, Insightful)

Ploum (632141) | more than 4 years ago | (#30845488)

That's highly annoying. Even more so if this is a web proxy password and, each month, you have to change the proxy password for every f*** application that connects to the web (that Windows OS is really really bad).

I took another approach:

1) Informing the computer dept that it's a very bad idea. Here are some links:
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/ [purdue.edu]
http://ploum.frimouvy.org/images/dilbert.png [frimouvy.org]
http://ploum.frimouvy.org/?177-le-gilet-de-sauvetage-et-le-tgv [frimouvy.org] (in french)

2) Of course, they won't change. So consider: what will you lose if your password is corrupted? Nothing personal. Only stuff from the company that didn't want to hear you. Should you have a more complicated life because they are too dumb?

3) If the answer is no, simply change your password to yearmonth. That makes it: january2010. Easy to remember and it will change all the time.

4) Share the tip with your colleagues. Anyway, they should have access to my files; you are working together, aren't you? Guess what? Most thought it's a good idea and do the same.

Result: easier work for everybody.
Security? You tried to improve it, you were not listened to. That's their problem now.

PS: of course, be careful to analyse what you are sharing and what the risks are. I will never do that for my personal stuff.

PPS: even better solution. Try to think about systems that cannot change their password, like the backup system. Usually, that login/password has access to everything in the company, doesn't change and is really easy to find if you know where to look (and is, 99% of the time, something like "permanent_pass" or "autologin"). That makes your life even easier.

Re:Password strength vs. how often you change it (1)

KlaymenDK (713149) | more than 4 years ago | (#30845416)

They would be better off allowing us to keep one $EcúR3 password for the duration of employment really.

Not really, no. If someone gets hold of your password, that person is able to access your systems potentially without you detecting it until you change your password.

The quality of the password doesn't matter, and that's why even digital signatures have a given life span. It's more a matter of damage control than anything else. The side-effect that this tends to lower the overall password quality points more to the user employing a poor password construction strategy.

Of course, if the attacker changes your password or makes other obvious changes, then that's a different game. I'm talking about the surreptitious scenario.

Re:Password strength vs. how often you change it (4, Informative)

Rockoon (1252108) | more than 4 years ago | (#30845136)

My company (over 10,000 employees, not in the computer industry) does the same thing, but the really annoying part..

..it must be EXACTLY 2 letters, followed by EXACTLY 4 digits.

So even allowing for upper case (which I am not sure that it differentiates), the total password space is only 2704000000.

The size of this space can conveniently fit into a 32-bit value, which is probably what they are doing: storing passwords in an integer field.

Did I mention that they pay our IT department $11/hour?

Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...

Re:Password strength vs. how often you change it (1)

Spazztastic (814296) | more than 4 years ago | (#30845460)

Did I mention that they pay our IT department $11/hour?

Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...

Shit, I thought I had it bad with pay.

We moved to a required 8 digits and 3 of the 4: Upper case, lower case, symbol, number. Resets every 30 days. What has happened with me? My strong 20 digit password has been trimmed down to the bare minimum because I will have to change it in 30 days anyway. Completely defeats the purpose.

Re:Password strength vs. how often you change it (5, Funny)

Anonymous Coward | more than 4 years ago | (#30845590)

.., followed by "1111" then "2222" then "3333" and so forth...

Don't you mean so 4444th.

Re:Password strength vs. how often you change it (1)

R0UTE (807673) | more than 4 years ago | (#30845286)

And guess how people end up remembering these passwords. Post-it notes within the vicinity of the PC seem to be a favourite.

Enforcing people to change passwords regularly seems to have many drawbacks. I really don't understand the point.

Re:Password strength vs. Validation Rules (5, Insightful)

wwwillem (253720) | more than 4 years ago | (#30845560)

It is not just the mandatory password changes that increase the mess. It is also that each and every site has different validation rules. If I could use one-and-only strong password for many sites, then I could remember that. However, some sites _require_ special characters, while others _forbid_ them, etc, etc. So each time you end up inventing something on the spot, and then two months down the road you've forgotten it.

I guess that I've 50 passwords to remember, so if I can't do that with just a few (I don't use the same password for my online banking as for my slashdot login :-) then it quickly becomes Post-it time again. Or worse, that little file on the PC desktop with a list of userid/passwd combos.

Too often is bad too. (5, Insightful)

suso (153703) | more than 4 years ago | (#30845288)

I dealt with a bank once that expected its customers to change their passwords every 2 weeks. So obviously what happened is every time a customer needed to check their bank account, probably once a month, they were locked out. Now this isn't necessarily the problem here. The problem is that with people having to call in every time to reset their password, it becomes such a norm that it probably drastically increases the potential for social engineering.

Re:Password strength vs. how often you change it (5, Insightful)

WuphonsReach (684551) | more than 4 years ago | (#30845394)

My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.

It's a leftover idea from a bygone decade.

The primary advantage of a required monthly or bi-monthly change is that if a password is compromised, it's only useful for about 1/2 of the expiration period. So it's a way of reducing risk in the case of accidental or nefarious disclosure.

But the big downside is that it requires users to be constantly learning new passwords every month or so. And unless these passwords are automatically assigned, users WILL pick weaker and weaker passwords over time or passwords that fit into an easily remembered sequence. So you really end up back where you started.

Forced password renewal is a valid strategy in a small number of cases. Such as a system which protects billions of dollars in assets or is super super critical to the business. But in those cases, there should be 2-factor authentication in play anyway and the passwords probably only need to be changed every 3-6 months and should be randomly assigned.

For end users? Limit their permissions, force complex passwords, but don't require them to change frequently (*maybe* once every 2 years). Tell them to go ahead and write the passwords down and store them in their wallet next to their credit cards. Which is at least a huge step up from putting it under the keyboard or stuck to the monitor.

Longer passwords are also easier to remember if they are used frequently (at least daily). But for some users, it may take as long as 2-3 weeks for them to remember it without looking.

Re:Password strength vs. how often you change it (1)

Hurricane78 (562437) | more than 4 years ago | (#30845442)

That’s why I chose “visual pattern” passwords. I draw symbols on the keyboard, e.g. while holding Mod3. (NEO layout [neo-layout.org] . Hover the mouse above “Ebene 3”.)
Like a N. Which results in “#\.../|{[” or “#u...1_a~e]4” (where ... is one character […], that Slashdot does not accept.)

(This is an example. The real type of pattern I use is something different. ;)

Re:Password strength vs. how often you change it (1)

zx75 (304335) | more than 4 years ago | (#30845566)

I need to change my company password every month, but the password strength for my company account remains strong.

My password strength for a website forum where I never need to change it however, is usually weak.

The password strength I use is highly correlated with the sensitivity of the information it allows access to and the importance of the systems.

I would fall into the 96% of people who don't use non-alphanumerics for "Rockyou.com"

Have they released the list anywhere? (3, Interesting)

damn_registrars (1103043) | more than 4 years ago | (#30845074)

I think it would be interesting to search the passwords I use against the list. I like to think that my passwords are pretty good, but it would be interesting to see how similar they are to the passwords that were obtained and used in the study.

Why such a search isn't advisable (1)

tepples (727027) | more than 4 years ago | (#30845144)

I think it would be interesting to search the passwords I use against the list. [...] This year we confirmed that indeed you can buy everything in New York City.

But can you buy a log of searches?

Re:Have they released the list anywhere? (0)

Anonymous Coward | more than 4 years ago | (#30845208)

You could try typing them into Google or Bing...

Re:Have they released the list anywhere? (1, Funny)

Anonymous Coward | more than 4 years ago | (#30845306)

"love", "secret", "sex", not necessarily in that order. And don't forget "god". System operators love to use "god".

Re:Have they released the list anywhere? (1)

g0bshiTe (596213) | more than 4 years ago | (#30845322)

Why not just hash out your password, and try to crack it with John The Ripper or something similar?

That would give you a good indication of how good it is.

Re:Have they released the list anywhere? (5, Funny)

QuantumRiff (120817) | more than 4 years ago | (#30845492)

Post it here, I'll check it for you.. Don't worry, Slashdot blanks your password.

My password is *******

See, blanked out!

The Top 10 (4, Informative)

goldaryn (834427) | more than 4 years ago | (#30845078)

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

By a massive coincidence, these happen to be the passwords for their respective /. userids!

Re:The Top 10 (0)

Anonymous Coward | more than 4 years ago | (#30845226)

Not anymore they're not!

Re:The Top 10 (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30845268)

Is there a reason to have a really strong password on "rockyou.com"?

Maybe since it integrates with facebook and the like?

I'm really annoyed when all I want to do is listen to some online music (i.e. Pandora, etc.) and the web site gets pissy because I choose pandora as my password.

Why should I care?

Re:The Top 10 (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#30845280)

Whatever happened to love, secret, sex, and God?

Re:The Top 10 (1)

R.Mo_Robert (737913) | more than 4 years ago | (#30845282)

Dear mods: funny? No, this is fact--read the article. (I was surprised too.)

Re:The Top 10 (0)

Anonymous Coward | more than 4 years ago | (#30845332)

Yes, it's factual, but I think the 'funny' mods are for the comment he added at the end.

Re:The Top 10 (0)

Anonymous Coward | more than 4 years ago | (#30845334)

The report mentions this:

If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts.

Interesting but how does this really apply to any other instance of password cracking? You would not know the top 5000 passwords ahead of time in anything other than this specific RockYou instance? I guess some of the general trends apply though, I'm sure more hotmail users use hotmail as their password than would use RockYou. Where is the list of usernames that you are running against this list of top 5000 known passwords? I guess my point is, if you already have a list of passwords and usernames that are in use, comparing cracking statistics for dictionary attacks and the additional password complexity of using special characters and non dictionary words does not apply. Just run the known passwords against the known usernames.

Obligatory Spaceballs Reference (5, Funny)

Pollux (102520) | more than 4 years ago | (#30845404)

Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

-----

President Skroob: What's the combination?
Colonel Sandurz: 1 - 2 - 3 - 4 - 5.
President Skroob: 1 - 2 - 3 - 4 - 5?
Colonel Sandurz: Yes.
President Skroob: That's amazing! I've got the same combination on my luggage!

Re:The Top 10 (1)

BlueBoxSW.com (745855) | more than 4 years ago | (#30845544)

Really? "Password" as password? I'm so disappointed.

Why does password strength matter? (5, Insightful)

geekmux (1040042) | more than 4 years ago | (#30845094)

...Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

Er, does it REALLY matter anymore the strength of your password with the FBI using post-it notes as a search warrant? I mean I hate to say that, but seriously.

On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.

Re:Why does password strength matter? (4, Insightful)

AndersOSU (873247) | more than 4 years ago | (#30845170)

Well it doesn't matter (and it never did) if you're selecting passwords so the FBI can't read your secret diary.

If, on the other hand, you're concerned about someone in Russia gaining access to your credit card it still matters.

Re:Why does password strength matter? (1)

xgadflyx (828530) | more than 4 years ago | (#30845172)

I have to agree. It's especially frustrating when FEDERAL sites don't allow the use of complex (~!@#$%^&*-+) passwords. "Eight characters with at least one capital and one numeric" just doesn't sit well with me.

Re:Why does password strength matter? (1)

HappyHead (11389) | more than 4 years ago | (#30845256)

The eight-character limit is due to them using the standard Unix crypt() function, which Unix passwords were traditionally encrypted with - it's a one-way encryption, so brute force is generally the only way to recover the passwords, and at the time the computations needed to guarantee cracking a password would take too long to make it worthwhile.

Of course, modern computing systems can run through all of the possible passwords in an 8-character password pretty quickly, so it's a good thing modern systems are switching over to md5 for password encryption.

The big problem I see is that a lot of sites on the internet (where most of the cracking is probably happening) won't allow non-alphanumeric characters, and refuse to allow you to use that password if you try to include them - that automatically cuts off multiple possible digits, and reduces the maximum password strength on their site by a massive degree. My own university is sadly one of these offenders - anything that isn't a letter or number gets your password disqualified, and yet they also complain when your password is "too simple"...

can't use md5 (1)

jasonhamilton (673330) | more than 4 years ago | (#30845398)

md5 in my company (very large multinational corp) is a big no-no. We can't use it. SHA1 is what everything had to be hashed with.

Re:Why does password strength matter? (0)

Anonymous Coward | more than 4 years ago | (#30845450)

The eight-character limit is due to them using the standard Unix crypt() function, which Unix passwords were traditionally encrypted with - it's a one-way encryption, so brute force is generally the only way to recover the passwords, and at the time the computations needed to guarantee cracking a password would take too long to make it worthwhile.

Of course, modern computing systems can run through all of the possible passwords in an 8-character password pretty quickly, so it's a good thing modern systems are switching over to md5 for password encryption.

The big problem I see is that a lot of sites on the internet (where most of the cracking is probably happening) won't allow non-alphanumeric characters, and refuse to allow you to use that password if you try to include them - that automatically cuts off multiple possible digits, and reduces the maximum password strength on their site by a massive degree. My own university is sadly one of these offenders - anything that isn't a letter or number gets your password disqualified, and yet they also complain when your password is "too simple"...

Good thing and md5 in the same sentence? MD5 was cracked a long time ago; it has no salt; it is useless.
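The point of the last sentence, shown as an added example (not from any commenter or from the page): an unsalted MD5 store gives every user who chose "123456" the same digest, so one precomputed table answers all of them at once, while a salted, iterated scheme gives each user a distinct value and forces per-account work. The salted scheme used here is PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count and the `algo$iterations$salt$digest` storage format are choices made for this example, not anything the thread prescribes.

```python
import hashlib
import hmac
import os

# Iteration count chosen for this example; tune it to the deployment's login latency budget.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The weak scheme under discussion: no salt, so equal passwords hash equally."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash; a fresh 16-byte random salt is drawn when none is given.

    Stored as algo$iterations$salt_hex$digest_hex so the parameters travel with
    the record and the iteration count can be raised later without breaking
    existing entries.
    """
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed record: wrong field count, bad hex or bad integer
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample: two accounts that both picked the list's #1 password.
    alice, bob = "123456", "123456"
    print("md5 digests equal   :", md5_unsalted(alice) == md5_unsalted(bob))  # True
    a, b = hash_password(alice), hash_password(bob)
    print("pbkdf2 records equal:", a == b)  # False: different salts
    print("verify correct/wrong:", verify_password("123456", a), verify_password("1234567", a))
```

The two MD5 digests being identical is exactly what makes a leaked unsalted table cheap to crack: the attacker hashes each candidate once and matches it against every account, so the cost of the 0.9%-in-one-guess figure from the report is paid once for the whole dump rather than once per user.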

Re:Why does password strength matter? (0)

antifoidulus (807088) | more than 4 years ago | (#30845458)

That's usually a very good indication that the site uses Windows to store your information and thus should be avoided. Windows is the only major OS that is still so primitive that it still has trouble handling special characters, real operating systems moved beyond that years ago.

Re:Why does password strength matter? (2, Insightful)

Omegium (576650) | more than 4 years ago | (#30845174)

Do you really think that the FBI is your greatest enemy online?
IT IS NOT.
It is nice to think that you are enemy of the state nr 1 and that everybody cares about your secrets, but that's not the case. You should worry about phishers and other criminals, not about law enforcement. And they don't use search warrants. They need to crack passwords.

Re:Why does password strength matter? (1)

The FBI (1717712) | more than 4 years ago | (#30845462)

Do you really think that the FBI is your greatest enemy online?

IT IS NOT.

It is nice to think that you are enemy of the state nr 1 and that everybody cares about your secrets, but that's not the case. You should worry about phishers and other criminals, not about law enforcement.

I concur, you are absolutely right, Sir.

Re:Why does password strength matter? (0)

Anonymous Coward | more than 4 years ago | (#30845194)

I completely agree with this. What really ticks me off is dealing with financial institutions which refuse to allow special, non-numeric characters. The reason so few people's passwords include special characters is because so many people like to reuse 2-4 password sets. If you get 3 tries, and you have 3 password sets, you're really pushing the likelihood of using last month's iteration.

Re:Why does password strength matter? (1)

martyros (588782) | more than 4 years ago | (#30845234)

On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.

Tell me about it. I got a good idea from a slashdot comment about a way to easily have secure, diverse passwords for my websites: use a password generator to make a grid of passwords, and devise a mapping from the website name onto the grid. Print the grid on a business-card size sheet. Put a photocopy in your wallet, and the original somewhere you will absolutely not lose it. (I put mine with my passport folder.) Instant, close-to-unique, strong passwords for each site without memorization, ready on-demand.

But the federal tax payment system, of all people, won't allow some of the characters. Oh, they require some characters, like $ or %. But forbid others, like ) and ;. (Afraid of an SQL injection attack, perhaps?) *sigh*

Re:Why does password strength matter? (0)

Anonymous Coward | more than 4 years ago | (#30845244)

trying to use a strong password and their system doesn't allow it

We are not representative of "normal" users.

Here is what an average teh noob thinks about strong passwords [youtube.com]

Re:Why does password strength matter? (1)

jittles (1613415) | more than 4 years ago | (#30845250)

On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.

I'm afraid of using a good password at some sites because I fear they store passwords in cleartext. No point in wasting a good password on that!

Re:Why does password strength matter? (1)

2obvious4u (871996) | more than 4 years ago | (#30845266)

What's even worse is when that website is your bank.

Re:Why does password strength matter? (1)

Known Nutter (988758) | more than 4 years ago | (#30845546)

*cough* Chase *cough*

Re:Why does password strength matter? (1)

Kozz (7764) | more than 4 years ago | (#30845348)

I have to change my password at work every 90 days. The result is that I'm creating passwords that don't have non-alphanumerics, but are usually phrases of two or more words together, like "anappleaday" or "lookatmenow" or "changingpwsucks". Am I more or less secure than people forced to use non-alphanumerics who create passwords like "judy1" or "maroon5"? I think so...

Re:Why does password strength matter? (0)

Anonymous Coward | more than 4 years ago | (#30845354)

Er, does it REALLY matter anymore the strength of your password with the FBI using post-it notes as a search warrant?

I don't live in America, you insensitive clod!

Re:Why does password strength matter? (1)

Hijacked Public (999535) | more than 4 years ago | (#30845368)

Or, what should also piss you off, is you using a strong password and the web site storing it clear text on a vulnerable SQL server.

Re:Why does password strength matter? (1)

Hurricane78 (562437) | more than 4 years ago | (#30845478)

Well, in a properly designed system all private data is encrypted with that password, and only when you enter it, and it is cached in the current session, can that data be decrypted.
Of course, how many properly designed systems are there out there. I heard in the US, not even banks do this properly. (Except maybe if you consider WoW a bank. ;)

Protip: Data that is shown to everyone on Facebook, is never encrypted. ;)

Limited in Password size and chars (1)

realsilly (186931) | more than 4 years ago | (#30845098)

I can't tell you how frustrating it is to try to keep information secure on various web sites or with companies that still use antiquated password styles. 6-8 chars or numbers only? Really? Still? After all the identity theft you'd think companies would at least step up their need to have users have strong passwords. But nope, places like Earthlink still use limited password capability.

Re:Limited in Password size and chars (4, Insightful)

Scutter (18425) | more than 4 years ago | (#30845130)

The report makes it painfully obvious that passwords are an ineffective way to secure information because too many people find strong passwords cumbersome. Maybe we need to come up with something better.

Re:Limited in Password size and chars (0)

BigSlowTarget (325940) | more than 4 years ago | (#30845212)

This, definitely. Does anyone actually think users remember all of their twenty or so ideally special character, varying length hopefully different passwords used at infrequent but varying intervals? Obviously they would be written down somewhere and that place is probably not secure.

We've got to get people to change to better solutions en masse and with a single standard.

Re:Limited in Password size and chars (1)

Skater (41976) | more than 4 years ago | (#30845482)

I just counted: at work I have 27 passwords on my list. Maybe 4 of those are for defunct systems, but everything else I use at least occasionally. Just about all of them have to be changed every three months, to a new 13-character string. There's no way I could remember all of them. And these are all different from my "personal" passwords for things like root/admin, websites, banks, etc. I requested software to manage passwords, but of course it was ignored. I'm pretty sure everyone has a list somewhere, because they don't want to spend all day on the phone getting passwords reset. We definitely need a better solution. I'm starting to think fingerprint readers on our computers WOULD be a good idea, except that I know our security office: they'd require the fingerprint AND a password.

Re:Limited in Password size and chars (1)

jellomizer (103300) | more than 4 years ago | (#30845360)

Every attempt at doing so creates a serious privacy problem, adds an extra level of security problem, or is so complicated that it is difficult to deploy on a large scale.

Re:Limited in Password size and chars (0)

Anonymous Coward | more than 4 years ago | (#30845470)

The report makes it painfully obvious that passwords are an ineffective way to secure information because too many people find strong passwords cumbersome. Maybe we need to come up with something better.

no please don't make it be a question for a passphrase with an example, we all know that the examples will come out top in the next accidental list of passwords revealed...that would take the belief in mass intelligence away completely and make all our lives more meaningless and horrible.

Re:Limited in Password size and chars (0)

Anonymous Coward | more than 4 years ago | (#30845200)

You mean like Verified by Visa? 6-10 chars and no special chars. ARGH!

PKI authentication solves password hell (1)

gnieboer (1272482) | more than 4 years ago | (#30845534)

One of the best things the government IT folks have done is the use of the PKI infrastructure. Must have a physical token (smart card) and then an unchanging PIN to access the physical token. The private key never leaves the card itself. And all internal sites are mandated to use that authentication, so no more password hell.
Yes, the cards expire every couple years, but it's about worn out by then anyways.

Most of them are zip codes anyway (1)

140Mandak262Jamuna (970587) | more than 4 years ago | (#30845106)

At least in Alaska, ZIP codes seem to be the most popular choice, according to a survey of one known case.

special characters (0)

Anonymous Coward | more than 4 years ago | (#30845108)

Adding a special character increases the base. Adding a character - i.e. increasing the length of your password - increases the exponent. Either method helps provide strong passwords. Shoulder surfing special characters is easier, because they are a reach from the home keys, and most pause to hit them.
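Putting numbers on the base-versus-exponent point above, and on the two-letters-then-four-digits policy described in the Rockoon comment earlier in the thread; this is an added example, not from either commenter. A policy is expressed as the alphabet size allowed at each position, which is what fixed-format rules amount to; the 94-symbol count assumes printable ASCII without the space.

```python
import math
from typing import Sequence

# Printable ASCII character classes, space excluded.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
ALNUM = LOWER + UPPER + DIGITS   # 62
FULL = ALNUM + SYMBOLS           # 94


def keyspace(classes_per_position: Sequence[int]) -> int:
    """Distinct passwords a policy allows, given the alphabet size at each position.

    A free-form policy is the same size repeated: keyspace([FULL] * 8) == 94**8.
    """
    return math.prod(classes_per_position)


def bits(n: int) -> float:
    """Search-space size expressed in bits (log2 of the number of candidates)."""
    return math.log2(n)


def equivalent_length(from_base: int, from_len: int, to_base: int) -> int:
    """Shortest length over `to_base` symbols whose keyspace is at least from_base**from_len.

    Answers the question in the thread: how much longer must an all-lowercase
    password be to match one drawn from the full printable set?
    """
    return math.ceil(from_len * math.log2(from_base) / math.log2(to_base))


def fits_in_bits(n: int, width: int) -> bool:
    """True when every one of n candidates could be indexed by a width-bit integer."""
    return n < 2 ** width


if __name__ == "__main__":
    # The "EXACTLY 2 letters followed by EXACTLY 4 digits" policy, both readings of case.
    for label, letters in (("caseless", LOWER), ("case-sensitive", LOWER + UPPER)):
        n = keyspace([letters] * 2 + [DIGITS] * 4)
        print(f"{label:15s} {n:>14,d} candidates  {bits(n):5.1f} bits  32-bit: {fits_in_bits(n, 32)}")
    # Base vs exponent: widen the alphabet, or lengthen the password.
    for name, alpha, length in (("lower x8", LOWER, 8), ("full x8", FULL, 8), ("lower x12", LOWER, 12)):
        n = keyspace([alpha] * length)
        print(f"{name:10s} {bits(n):5.1f} bits")
    print("lowercase length matching 8 full-set characters:", equivalent_length(FULL, 8, LOWER))
```

Each extra position multiplies the candidate count by the alphabet size, while adding a class only changes that multiplier; at eight characters, going from 26 to 94 symbols adds about 15 bits, and twelve lowercase characters already exceed eight drawn from the full set.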

actual list of passwords? (4, Informative)

naz404 (1282810) | more than 4 years ago | (#30845120)

Does anyone have the list of passwords itself?

It would be fun to perform one's own statistical analysis of the list :)
Here's the top 20 most common passwords used according to the report:
Rank  Password    # of Users
   1  123456          290731
   2  12345            79078
   3  123456789        76790
   4  Password         61958
   5  iloveyou         51622
   6  princess         35231
   7  rockyou          22588
   8  1234567          21726
   9  12345678         20553
  10  abc123           17542
  11  Nicole           17168
  12  Daniel           16409
  13  babygirl         16094
  14  monkey           15294
  15  Jessica          15162
  16  Lovely           14950
  17  michael          14898
  18  Ashley           14329
  19  654321           13984
  20  Qwerty           13856

Nicole... :-) (1)

alobar72 (974422) | more than 4 years ago | (#30845164)

Funny - this girl seems to be quite popular *cough* :-) Does anyone have a picture?

Re:Nicole... :-) (1)

Spazztastic (814296) | more than 4 years ago | (#30845502)

Funny - this girl seems to be quite popular *cough* :-)
Does anyone have a picture?

That's my sister you insensitive clod!

Re:actual list of passwords? (1)

khchung (462899) | more than 4 years ago | (#30845186)

Amazing! All small letters "password" is not in the top 20?!

obligatory (0)

Anonymous Coward | more than 4 years ago | (#30845122)

hunter2

Re:obligatory (0)

Anonymous Coward | more than 4 years ago | (#30845302)

Given the sample set, is it a surprise? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30845126)

I vary the strength of my passwords based on the importance of them being secure.

More secure passwords are typically harder to remember. My financial related passwords are much more secure than my Facebook password because I really don't give a damn if someone breaks into my facebook account.

Re:Given the sample set, is it a surprise? (4, Interesting)

Blade (1720) | more than 4 years ago | (#30845206)

Until they break into your facebook account and use that to socially engineer access to something else and escalate their way into something beyond that. Or they access your facebook account and start taking guesses at the answers to the security questions you're forced to use (what school did you go to, what was your first pet called, etc., etc.)

There are so many links between so much of what we do online that you would do well to treat it all as worth securing equally.

Look at the user base for RockYou... (2, Insightful)

adosch (1397357) | more than 4 years ago | (#30845166)

RockYou is a MySpace photo/video sharing site (from what I could gather from googling, never used it myself) and it's certainly no excuse that people implement bone-head password choices such as the 10 shame shame list FTFA. However, I didn't really see the article address or even consider that their target users on the RockYou site aren't generally as security conscious as the geek, wanna-be security folks on /. are. I'm glad the analysis and study was done, but I'm really not surprised. If people are picking '123456' as the #1 password, as much as we have a PEBKAC [wikipedia.org] situation on our hands, fault RockYou for not implementing some sort of semi-secure password standard.

Re:Look at the user base for RockYou... (1)

Anonymusing (1450747) | more than 4 years ago | (#30845258)

From the source report [imperva.com] (PDF, 387kb), we also read this: "Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability."

So RockYou was rather security unconscious from the beginning. Cleartext instead of hashed? C'mon.

Keep in mind, this is RockYou.com (4, Insightful)

tunabomber (259585) | more than 4 years ago | (#30845182)

Is it even worth the effort of coming up with a secure password for that site? If I had for some reason found it necessary to register with such a vapid site I would have just re-used one of my low-security passwords (which many other sites have access to). It isn't too surprising that nobody cares whether someone else is using their account to steal their noisy, eye-burning flash videos. What is far worse is if people are re-using passwords from much more important sites. In this case, it doesn't matter if your password is a random string of letters, numbers and special characters.

Re:Keep in mind, this is RockYou.com (1)

tunabomber (259585) | more than 4 years ago | (#30845238)

To clarify here, I only reuse passwords for accounts which could not be used for anything too nefarious if they were hacked. My logins for more important sites (like /.) have unique passwords.

Re:Keep in mind, this is RockYou.com (0)

Anonymous Coward | more than 4 years ago | (#30845528)

Exactly. I do have a habit of reusing the same relatively weak passwords for web accounts of low importance, but that does not mean that I use the same passwords on my computers, routers, bank accounts, etc. Some web accounts are for single use only, and others cannot be used for anything nefarious as you point out: why care about the password?

Why Is That Interesting? (4, Informative)

Dun Malg (230075) | more than 4 years ago | (#30845192)

Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

Why is it any surprise that people tend to approach passwords as a pass-WORD? It has to be something they can remember, and remembering a string of characters they can't pronounce is far more difficult than remembering (say) their favorite basketball team and the year they graduated high school.

Alphanumeric (0)

Anonymous Coward | more than 4 years ago | (#30845210)

As a developer I grew up with the US layout, which is by far the best for coding. But in most countries nowadays you really have to look hard to find such a keyboard. Not to mention configuring the damn layout on a random OS on a random machine. Everyone around me uses some strange layout on which I couldn't find non-alphanumeric characters. And there are even worse places where even simple digits are hard to enter, e.g. Belgium.

but... (0, Troll)

polle404 (727386) | more than 4 years ago | (#30845218)

Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

but... there's no non Alpha-numericals in 'CowboyNeal'?

Not really surprising (2, Insightful)

jmauro (32523) | more than 4 years ago | (#30845224)

Since most sites have a bunch of silly restrictions (no special characters, no more than 8, etc), most systems, if they don't enforce strength, randomness, etc, will degrade down to the lowest level where the password will work on all the systems.

Security should not depend on strong passwords (2, Interesting)

AbbeyRoad (198852) | more than 4 years ago | (#30845228)

The article says that in 20 years users have not gotten better at creating good passwords.

Logically then the solution is NOT to get users to take "password security seriously". This is like trying to stop VD by convincing teens to abstain from sex - it's in the never-going-to-happen category.

The solution is to mitigate the damage of a brute force attack - when bots make password guess attempts, you need counter-"bots" to detect patterns of access and then block IPs, warn users, or disable accounts. This is a form of intrusion detection.

This is not to mention that for most web accounts, a break in doesn't matter - what damage can the hacker really do? Like post things-you-didn't-say and trash your reputation on www.social-site-for-people-who-spend-to-much-time-online.com? Heck, that's major dude.

Just a wild guess here, but let's ask: Are there web site owners who think the logins they host are way more important to their customers than they actually are?

Hmmm

-paul

Re:Security should not depend on strong passwords (1)

FlyingBishop (1293238) | more than 4 years ago | (#30845594)

Security is hard. There's no way to secure something if users don't take steps to secure their logins.

Strong passwords strike a tricky balance, and people are perfectly capable of keeping passwords strong. They simply choose not to.

Doing counter-bruteforce work takes a lot of time and resources, and it has a dubious gain, since no one has found a way to do it with 100% effectiveness. Things always slip through the cracks. The best you can do is provide people a doable means of keeping their data secure. The rest is up to them.

Made-up words (1)

Pojut (1027544) | more than 4 years ago | (#30845254)

My passwords tend to be words that I make up on the spot, with a couple of numbers thrown into the mix. They don't seem too difficult on the surface...but then again it is a word that I make up, some of which don't even have vowels lol. I have a series of seven different ones that I use.

It's worked quite well for me over the years :-)

Lock-out after a certain number of attempts? (1)

mdm-adph (1030332) | more than 4 years ago | (#30845262)

Does one really need to worry about "brute force" attacks if it's a system that enforces a lock-out of a user account after a set number of incorrect passwords (say, 5 in 10 minutes or so)?
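The lock-out policy asked about here (5 wrong passwords in 10 minutes), plus the per-address pattern detection AbbeyRoad's "counter-bots" comment above calls for, worked through as an added example; this is not code from any commenter. The class and function names, the 10-minute lock duration and the sample login events are constructed assumptions.

```python
# Added example (no commenter's code): the lock-out policy above plus a
# per-source-address view, the "counter-bot" pattern detection from the
# earlier comment. Names, lock duration and sample events are constructed.
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # 10 minutes, as in the comment
MAX_FAILURES = 5       # 5 wrong passwords in the window
LOCK_SECONDS = 600     # assumed: how long the account stays locked


class LoginGuard:
    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES,
                 lock=LOCK_SECONDS):
        self.window, self.max_failures, self.lock = window, max_failures, lock
        self._fail_by_user = defaultdict(deque)  # user -> failure timestamps
        self._fail_by_ip = defaultdict(deque)    # ip -> failure timestamps
        self._locked_until = {}                  # user -> unlock time

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:   # drop expired failures
            dq.popleft()

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return True
        self._locked_until.pop(user, None)
        return False

    def record_failure(self, user, ip, now):
        """Record a failed attempt; returns True if this one locks the account."""
        for dq in (self._fail_by_user[user], self._fail_by_ip[ip]):
            self._prune(dq, now)
            dq.append(now)
        if len(self._fail_by_user[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lock
            self._fail_by_user[user].clear()
            return True
        return False

    def ip_is_suspicious(self, ip, now):
        """One address failing max_failures times in the window, across any accounts."""
        dq = self._fail_by_ip[ip]
        self._prune(dq, now)
        return len(dq) >= self.max_failures


def replay(events, guard=None):
    """events: (unix_time, user, ip, password_correct).
    Returns (users that were locked, addresses flagged as suspicious)."""
    guard = guard or LoginGuard()
    locked, suspicious = set(), set()
    for t, user, ip, ok in sorted(events):
        if guard.is_locked(user, t):
            locked.add(user)          # rejected without checking the password
        elif not ok and guard.record_failure(user, ip, t):
            locked.add(user)
        if guard.ip_is_suspicious(ip, t):
            suspicious.add(ip)
    return locked, suspicious


# Constructed sample: alice mistypes once; one address tries 5 passwords on
# bob within 4 minutes (locking him), then moves on to other accounts.
SAMPLE_EVENTS = [
    (0, "alice", "10.0.0.5", False), (30, "alice", "10.0.0.5", True),
    (100, "bob", "203.0.113.9", False), (160, "bob", "203.0.113.9", False),
    (220, "bob", "203.0.113.9", False), (280, "bob", "203.0.113.9", False),
    (340, "bob", "203.0.113.9", False),   # fifth failure: bob is locked
    (400, "carol", "203.0.113.9", False), (401, "dave", "203.0.113.9", False),
    (900, "bob", "203.0.113.9", True),    # right password, still locked
]
```

Running `replay(SAMPLE_EVENTS)` locks only bob, but flags 203.0.113.9, which the per-account lock-out on its own never notices once the bot moves to carol and dave.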

Impenetrable (1)

G2GAlone (1600001) | more than 4 years ago | (#30845276)

Surely no one uses God, Sex, Money, or Love as their password! I use my birthday or sometimes my mother's maiden name... no one will ever guess that, right? =X

Why surprising? (5, Insightful)

argStyopa (232550) | more than 4 years ago | (#30845278)

"Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords."

Not surprising at all, because the rules for what you CAN use as passwords are so inconsistent. Some places REQUIRE non alphanumerics, but have a limited choice of what you can use. Some don't accept ANY non alphanumerics, some will accept them but again it's different from site to site.

I don't know about you, but I've probably got 100 different passwords rattling around in my brain. I'd guess most people are like me in that they see passwords as a necessary evil but otherwise a giant pain in the ass, and so accept the slight increase in security risk by using a system that changes predictably (at least for me) from site to site. So I'm not going to use a base-password or base-concept that includes any characters that might be disallowed on some other site.

Silly password requirements (1)

Kupfernigk (1190345) | more than 4 years ago | (#30845340)

One thing that bugs me is the people who think that requiring at least one capital and one non-alphanumeric makes the password a lot stronger. Using lower case alphanumeric gives a range of 36 symbols at each point. Adding the new constraint increases this to around 70, given the limited set of non-alpha likely to be used. It doesn't take a genius to work out that, for instance, an 8-character plain lower case alphanumeric has more possible values than a 6-character mixed password. And I can easily generate a highly insecure password with the stricter requirement which will still be memorable for me and perhaps guessable - e.g. Fred-41

As a simple example, a test installation of SQL Server 2008 refused to accept an sa password which was highly secure - 11 random lower case alphanumerics - but was quite happy with Micro$0ft. Childish I know, but I wanted to check if they had implemented an algorithm to detect "obvious" password variants.

Perhaps someone is still using MD5 hashes for passwords. Or not using any hashes at all.
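Kupfernigk's point, worked through as an added example that is not the commenter's code: the composition rule accepts Micro$0ft and Fred-41 and rejects an 11-character random lowercase alphanumeric string, while a search-space estimate that first undoes case, decoration and digit-for-letter swaps ranks them the other way round. The class sizes (8 "likely" symbols, so that the mixed alphabet is the 70 symbols the comment assumes), the tiny wordlist, the 4-bits-per-decoration-character figure and the sample passwords are assumptions.

```python
# Added example (not the commenter's code): the composition rule the comment
# objects to, beside two search-space estimates. Class sizes, the small
# wordlist and the test passwords are constructed; 8 "likely" symbols makes
# the mixed alphabet the 70 symbols the comment assumes.
import math

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 8}
WORDLIST = {"microsoft", "password", "fred", "qwerty", "iloveyou", "princess"}
LEET = str.maketrans("$01345@", "soleasa")   # common digit/symbol-for-letter swaps


def meets_composition_rule(pw, min_len=6):
    """At least one capital and one non-alphanumeric: the rule in the comment."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(not c.isalnum() for c in pw))


def search_space_bits(alphabet_size, length):
    """log2(alphabet_size ** length): the comment's 36^8 versus 70^6 comparison."""
    return length * math.log2(alphabet_size)


def classes_used(pw):
    used = set()
    for c in pw:
        if c.islower(): used.add("lower")
        elif c.isupper(): used.add("upper")
        elif c.isdigit(): used.add("digit")
        else: used.add("symbol")
    return used


def naive_bits(pw):
    """What the composition rule implicitly credits: every position drawn
    uniformly from the union of the character classes present."""
    alphabet = sum(CLASS_SIZES[k] for k in classes_used(pw))
    return search_space_bits(alphabet, len(pw))


def word_cores(pw):
    """Letters left after undoing case, decoration and leet swaps."""
    low = pw.lower()
    plain = "".join(c for c in low if c.isalpha())
    leet = "".join(c for c in low.translate(LEET) if c.isalpha())
    return {plain, leet}


def effective_bits(pw):
    """A dictionary word with decoration is a wordlist pick plus a few bits
    per decoration character, whatever classes it mixes (assumed 4 bits each);
    anything else is credited its naive search space."""
    cores = [w for w in word_cores(pw) if w in WORDLIST]
    if cores:
        decoration = len(pw) - max(len(w) for w in cores)
        return math.log2(len(WORDLIST)) + 4 * decoration
    return naive_bits(pw)


def assess(pw):
    return {"passes_rule": meets_composition_rule(pw),
            "naive_bits": round(naive_bits(pw), 1),
            "effective_bits": round(effective_bits(pw), 1)}
```

`assess("Micro$0ft")` passes the rule with about 55 naive bits but under 3 effective bits, while `assess("r7k2p9qx4mz")` fails the rule with about 57 bits either way.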

Layered security (0)

Anonymous Coward | more than 4 years ago | (#30845342)

I have three different "layers" of security. I have my "throwaway" password that gets used for sites I just don't care about. I have my "kind of important" password that gets used for sites that I kind of do care about. And I have regularly changed, per-site passwords for anything that involves my identity, personal information or money--paypal, facebook, etc. And, frankly, the throwaway password ain't much. Posted anonymously for the obvious reason--I'd hate for everyone to be trying to hack my Slashdot account now.

12345? (2, Funny)

selven (1556643) | more than 4 years ago | (#30845350)

That sounds like a combination that an idiot would put on his luggage.

Password strength is relative (1)

ugen (93902) | more than 4 years ago | (#30845392)

Strength of a chosen password is a function of information it protects. I am sure most users follow this rule even without specifically identifying it.
In this sense, services like Rockyou are at the very bottom - the only reason users select a password for such a service is because it requires them to. I would bet that if it let users have an option of not having a password at all - they would gladly do so.

While I don't have a sample to prove this, it would be interesting to compare these to passwords selected for a major email provider (gmail, yahoo) and an online banking service. I would bet that (even without any specific controls and limits on characters used) these would be quite a bit more complicated, proportionately. I.e. somewhat more difficult to guess for the email, depending on how important the particular mailbox is to its owner, and quite complex for a bank account.

In any case, this selection of users is hardly a random sample and drawing any general conclusions based on it would be premature to say the least.

repost from my comment on nyt: (2, Insightful)

circletimessquare (444983) | more than 4 years ago | (#30845402)

intelligent password management:

pick something you will always remember say "frankie45"

lets say the website you are visiting is facebook.com

so your password there will be "frankie45face"

and your password at twitter.com would be "frankie45twit"

in other words, you want to use what's called an algorithm

make your ALGORITHM unique, not your password. so maybe your algorithm would be "'twenty23' plus the second through fifth letters in the website's name plus my daughter's birthday" or whatever

the point is: having one password across all websites is a vulnerability, and having simple passwords is a vulnerability. so instead, don't remember a password, remember an ALGORITHM that you can use to recreate your password for any site on the fly

by the way, i got this idea from a slashdot thread, and it was an eureka moment for me, and i went about resetting all my passwords

i forget the thread or the user id of whoever made the comment, but it was a password related subject matter and i think it was in the last 6 months or so

whoever you are, and i hope you read this: thank you!

Same problem as 20 years ago (1)

petes_PoV (912422) | more than 4 years ago | (#30845406)

The study makes reference to another analysis done on Unix systems 20 years ago and concludes nothing (much) has changed.
All this tells us is that the exhortations to choose more secure passwords reach a certain level and then have no more effect. The implication is that ways of educating users have not improved in the past 20 years.

Let's not blame the users - they are only doing what they're told. The problem is that we (i.e. IT people) are not telling them the right things in a way that they are willing to accept. That's the problem, not laziness, incompetence or ignorance - motivation. The users ARE motivated to choose passwords, but not to go to the inconvenience of choosing complex ones.

In every other area of computer use, the trend has been to making things simpler to use. Maybe it's time this process was applied to passwords. Of course it's possible we don't really want better security - we just want someone to blame for lapses.

Re:Same problem as 20 years ago (3, Insightful)

CaroKann (795685) | more than 4 years ago | (#30845550)

The article concludes that after 20 years of dealing with this problem, "It’s time for everyone to take password security seriously". That is the wrong conclusion. If things have not improved after 20 years, then they are not going to improve ever.

The password concept needs to be replaced with a better concept. I think the password idea has been proven to be a bad concept due to human nature.

Not Important Website = Not Important Passwords (1)

TheNinjaroach (878876) | more than 4 years ago | (#30845412)

I don't know about everyone else, but I don't use my work credentials or my root password when I visit sites that look like rockyou.com. They just aren't important enough for me to use secure passwords. Five letters and a digit is more than enough for me to use on most forums, Myspace, and other unimportant sites -- all of whom I don't trust to actually store my passwords in a secure manner. So I am refraining from commenting on the horrible state of passwords when it concerns a horrible state of a website, because I don't think I'm the only one who acts this way.

One had to dig deep for this gem... (3, Insightful)

pongo000 (97357) | more than 4 years ago | (#30845484)

I don't know if anyone bothered to read the full report [imperva.com] , but I found this recommendation tucked in at the end of the report:
ast character in the password. (pg. 3)

Allow and encourage passphrases instead of passwords. (pg. 5)

And I say amen, amen to that. I've done quite a bit of personal research in this area, and have found passphrase systems to be far superior in terms of security and ease of use/recall over random combinations of characters. For years I've used the list provided at Diceware [diceware.com] to generate my passphrases, and I have no problem still recalling little-used 5- or 6-phrase passphrases years later.

The idea that random sequences of characters is somehow superior to a passphrase of equal entropy is a myth borne of ignorance and a resistance to change. So long as companies that know better keep forcing their minions to adhere to a strict range of letter/number combinations, we'll continue to be saddled with the problem presented by the Rockyou.com crack.

Intentionally weak passwords? (1)

MattBurke (58682) | more than 4 years ago | (#30845542)

I don't know about anyone else, but I have accounts on so many sites it would be impossible to use strong passwords without reuse. I really don't see the harm in using the same weak passwords if I don't care if my account on the site's compromised.

I have a number of site-specific strong passwords I use on sites I care about, and a further handful of very strong passwords I use for accounts that have the ability to charge my credit cards. My unix passwords are completely different too, and I run sshd needing key auth. If I have anything worth protecting (personal information more than an email address, an identity within a community, etc) on a website, I'll use a better password, but if I just want to comment on someone's blog or see what a site's about, I don't care - I certainly wouldn't shed a tear if one of my weak passwords were compromised! Boo hoo, someone's pretending to be Asdf Asdf from Qwer (postcode AA1 1AA) over at www.dontcare.com/phpbb/ and www.whogivesarats.as/blog/ and sending me spam on email addresses I'll just blacklist...

I would bet money that if you look at the password complexity of users of a busy registration-required forum both before and after you discount people with less than 5 posts, there'd be a substantial difference. Likewise, it'd be interesting to see the strength distribution of the subset of these "32 million" accounts on rockyou.com that belonged to people that actually used them or had valid personal information attached. Otherwise I think it's a pretty worthless study

Stop calling it "passWORD" (1)

R2.0 (532027) | more than 4 years ago | (#30845556)

People only use letters and numbers because when they think "word" it implies some meaning or coherence. We all understand what letters and numbers stand for or "mean". Non-alphanumerics? Hell, we can't even decide what to call "#" - is it "hash" or "pound?"
Is "." "dot" or "point?" For that matter, I still associate "$" with "string" in Fortran.

Start calling them security codes, pass codes, mystery keys, whatever.

The definition of insanity (1)

ZorbaTHut (126196) | more than 4 years ago | (#30845558)

is doing the same thing over and over while expecting different results.

I quote the end of this paper:

"The problem has changed very little over the past 20 years," explained Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. "It's time for everyone to take password security seriously; it's an important first step in data security."

He's correct, of course. The problem hasn't changed. That's because the vast majority of people don't care. We've been telling people to use good passwords for 20 years, and it hasn't worked. People don't use good passwords, people have never used good passwords, people never will use good passwords.

Maybe it's time to come up with a solution that may actually work, instead of pushing the same old obviously-failed solution yet again?

Password Utils (1)

Lummoxx (736834) | more than 4 years ago | (#30845568)

I know it's been said around here before, but...

Dropbox + Keepass.  It's been working great for me.