
What LulzSec Logins Reveal About Bookworms, and Passwords

timothy posted more than 3 years ago | from the keeping-them-straight-does-get-tricky dept.

Security 136

Barence writes "Today the hacking group LulzSec posted 62,000 hacked email usernames and passwords online. PC Pro's Darien Graham-Smith has analysed the passwords stolen — which are believed to have come from a website for writers — and found some interesting patterns. Aside from 'password' and obvious numerical patterns (i.e. '12345') the most common passwords share a literary theme: 'romance,' 'mystery,' 'shadow' and 'bookworm' are all commonly used passwords. 'Clearly, this is a back-of-an-envelope breakdown of a mixed mass of unverified data,' said Graham-Smith. 'But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.'"
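The breakdown described in the summary, as an added example (this is not the PC Pro script, and the dump below is constructed sample data in the same "email:password" shape, not the leaked list). The site name is an assumption, since the summary only says "a website for writers"; the theme words are the ones quoted above. It parses the lines, case-folds and counts the most common passwords, and buckets each one into the categories the article uses.

```python
from collections import Counter

# Constructed sample dump (not the leaked data); same "email:password" shape.
DUMP = """\
alice@example.com:password
bob@example.net:123456
carol@example.org:romance
dave@example.com:writerspace
erin@example.net:bookworm
frank@example.org:password
grace@example.com:mystery1
heidi@example.net:shadow
ivan@example.org:12345
judy@example.com:Romance
mallory@example.net:writerspace
oscar@example.org:Password1
garbage line without a separator
peggy@example.com:bookworm
"""

SITE_NAME = "writerspace"  # assumed; the summary only says "a website for writers"
THEME_WORDS = ("romance", "mystery", "shadow", "bookworm")  # words quoted in the summary


def parse_dump(text):
    """Return (user, password) pairs. Split on the first ':' only, since a
    password may itself contain ':'; skip lines that do not fit the format."""
    creds = []
    for line in text.splitlines():
        user, sep, password = line.partition(":")
        if not sep:
            continue  # unverified dumps carry junk lines; skip rather than crash
        creds.append((user.strip(), password))
    return creds


def top_passwords(creds, n=5):
    """Most common passwords, case-folded so 'Romance' and 'romance' count together."""
    return Counter(pw.lower() for _, pw in creds).most_common(n)


def classify(password):
    """Bucket one password the way the article's back-of-an-envelope breakdown does."""
    p = password.lower()
    if p.startswith("password"):
        return "password"
    if p.isdigit() and "1234" in p:
        return "numeric sequence"
    if SITE_NAME in p:
        return "site name"
    if any(word in p for word in THEME_WORDS):
        return "theme word"
    return "other"


def breakdown(creds):
    """Count of each bucket across the whole dump."""
    return Counter(classify(pw) for _, pw in creds)


if __name__ == "__main__":
    creds = parse_dump(DUMP)
    print(len(creds), "credentials parsed")
    for pw, count in top_passwords(creds):
        print(f"{count:3d}  {pw}")
    print(dict(breakdown(creds)))
```

On a real dump the interesting number is the "site name" and "theme word" share, which is what the article's claim rests on; on a dump that is actually a mix of sources (as a later comment on this page suspects) that share would be diluted.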


136 comments


Are you sure? (4, Insightful)

DanTheStone (1212500) | more than 3 years ago | (#36467578)

Perhaps these are their passwords for every site, and this site just over-represents people interested in books and writing. I certainly don't use custom passwords based on the type of site.

Re:Are you sure? (1)

RedACE7500 (904963) | more than 3 years ago | (#36467604)

You re-use the same password for multiple sites? Good to know. How would you like to register for a free account on my site?

Re:Are you sure? (1)

Stewie241 (1035724) | more than 3 years ago | (#36467626)

You must be on a netbook. You seem to have missed the last six words of his post.

Gay Girl Blogger from Syria? (2)

Jeremiah Cornelius (137) | more than 3 years ago | (#36467658)

Do we need to change "her" password? Right now it's "Lezcyclopedia".

Re:Gay Girl Blogger from Syria? (1)

tukang (1209392) | more than 3 years ago | (#36468136)

I hate to admit it but I laughed ... shame on you.

Re:Are you sure? (1)

citylivin (1250770) | more than 3 years ago | (#36467776)

What's wrong with the same throwaway password for multiple sites? Personally I usually make new usernames for different sites as well, but does it really matter if you didn't? The best someone could do is get your email address, which presumably you haven't used a "throwaway password" for. Or spam some forum account that by definition of it being "throwaway worthy" you do not care about?

Otherwise you would have hundreds of unique password and username combinations that you would obviously need to write down. I would argue that is less secure.

Re:Are you sure? (1)

bhcompy (1877290) | more than 3 years ago | (#36467968)

Exactly. Someone hacks my Slashdot password, maybe gets access to a few other worthless sites, nothing of value was lost. Someone posts impersonating me? Oh noes. Having a worthless password for worthless sites is not a problem. It doesn't make you any closer to having the login credentials for my bank, the online stores I use, and other sources that would have actual personal information.

Re:Are you sure? (1)

NatasRevol (731260) | more than 3 years ago | (#36468030)

Well, see pictures from the riots in Vancouver last night.

Now imagine someone impersonating you. And posting your info. So that the cops can arrest you. As is happening right now in Vancouver.

You may not be guilty, but that doesn't mean your life won't be hell for a while.

Re:Are you sure? (1)

bhcompy (1877290) | more than 3 years ago | (#36468106)

And they'll also see me at the baseball field coaching my son's little league team in front of 50 witnesses. And that I was at work 2 hours earlier and it takes more than 2 hours to get to Vancouver from my location. etc

I'm honestly not worried one iota about that type of scenario. Framing someone doesn't just happen on the internet. There are a million reasons why it rarely works, and the internet provides better tracking to prove your whereabouts than analog life.

Re:Are you sure? (1)

Hylandr (813770) | more than 3 years ago | (#36468294)

Because people that reuse their passwords do so for paypal, ebay, their bank etc.

And if you get arrested in America on any of these charges expect to sit in jail for a few years before the committee gets to you. If you get that lucky.

- Dan.
 

Re:Are you sure? (1)

bhcompy (1877290) | more than 3 years ago | (#36468584)

The first was already answered and the second is a bunch of bullshit for the majority of cases.

Re:Are you sure? (1)

hairyfeet (841228) | more than 3 years ago | (#36470492)

That is why I tell my customers to have a "bullshit" email address and password for sites they really don't give a crap about. Every damned site nowadays wants details to let you do anything, so I tell them to have a spam dump email (I personally use my Gmail as their excellent spam filters mean if someone actually sends me something worth reading to my spam dump I still see it) and a BS password they only use for crap sites.

Seriously who cares if they get the bullshit info, or spams some spam dump email address? Join the crowd, have fun. If someone manages to "hack" some forum I occasionally BS on when I'm bored? nothing of value was lost. Cooking up complex passwords to guard worthless crap is like putting laser tripwire alarm systems to guard my garbage can. You want my old packing material and empty milk jugs? Help thyself, try not to make a mess.

Re:Are you sure? (0)

Anonymous Coward | more than 3 years ago | (#36467978)

I have a throw away password that i use for multiple sites:
b 'OR''='
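Why that "password" is a joke with teeth, as an added example (not code from any site on this page; the users table and both lookup functions are constructed for illustration). A login query assembled by string formatting lets the password rewrite the WHERE clause; the parameterized version hands the same string to the driver as data and nothing happens.

```python
import sqlite3

# Constructed in-memory users table with one account and a known password.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
conn.commit()

INJECTED = "b 'OR''='"  # the "throwaway password" from the comment above


def login_vulnerable(name, password):
    """Builds SQL by string formatting, so the password becomes query text.
    With INJECTED the WHERE clause reads  name='alice' AND password='b ' OR ''=''
    and, because AND binds tighter than OR, it matches every row."""
    sql = f"SELECT name FROM users WHERE name='{name}' AND password='{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(name, password):
    """Placeholders pass the values to the driver as data; the quotes never
    reach the SQL parser, so the injected string is just a wrong password."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    print("vulnerable:    ", login_vulnerable("nobody", INJECTED))
    print("parameterized: ", login_parameterized("nobody", INJECTED))
```

Note that the username does not even have to exist for the vulnerable query to return a row, which is why this particular string has been a universal bypass for as long as people have concatenated SQL.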

Re:Are you sure? (1)

rap_dot_com (2081432) | more than 3 years ago | (#36467632)

I doubt those 30 people using the password "writerspace" for writerspace.com [writerspace.com] use the same password for facebook or their email.

And just because you don't use a custom password based on the type of site doesn't mean that others don't. I've heard of people who have a base key that they use for their passwords - say "Camaro" for simplicity's sake. Then, for slashdot their password may be "Camslasharo" and for facebook "Camfacebookaro" "Camgmailaro" etc.

Re:Are you sure? (1)

Dunbal (464142) | more than 3 years ago | (#36467962)

I doubt those 30 people using the password "writerspace" for writerspace.com [writerspace.com] use the same password for facebook or their email.

No you're right, they probably use "facebook" for facebook, and "hotmail" for hotmail. The whole point is that once you identify a user name that uses this type of weak password, you go from astronomical odds of being able to crack to a few dozen possibilities.

And just because you don't use a custom password based on the type of site doesn't mean that others don't. I've heard of people who have a base key that they use for their passwords - say "Camaro" for simplicity's sake. Then, for slashdot their password may be "Camslasharo" and for facebook "Camfacebookaro" "Camgmailaro" etc.

Doesn't matter. A "key generation algorithm" simple enough for a person to remember or work out logically is simple enough to guess at - at least far simpler than the number of combinations possible with a truly random password. The point is that if you have identified that person as an algorithm user it will only take a few attempts at brute-forcing the algorithm. What's more, once you've proven that they are consistent and follow a pattern across online services, you suddenly have access to all their online data.
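The point made above, as an added example (not from the thread): once two leaked (site, password) pairs reveal a site-derived template, the guesses for a third site collapse from the whole keyspace to a handful. The leak below is constructed on the "base word wrapped around the site name" shape from the earlier comment; the set of site-name rules is an assumption about how people abbreviate.

```python
# Constructed leak: one person's passwords from two breached sites, built on
# the base-word-plus-site-name shape from the comment ("Cam" + site + "aro").
LEAKED = {
    "slashdot": "Camslashdotaro",
    "facebook": "Camfacebookaro",
}

# How people commonly fold a site name into a password. One rule has to
# explain every leaked password for the template to count as found.
SITE_RULES = {
    "full": lambda site: site,
    "first3": lambda site: site[:3],
    "first5": lambda site: site[:5],
    "capitalized": lambda site: site.capitalize(),
}


def infer_template(leaked):
    """Return (prefix, rule, suffix) such that prefix + rule(site) + suffix
    reproduces every leaked password, or None if no single rule fits."""
    for rule, fn in SITE_RULES.items():
        parts = []
        for site, pw in leaked.items():
            token = fn(site)
            idx = pw.find(token)
            if idx < 0:
                break  # this rule does not explain this password
            parts.append((pw[:idx], pw[idx + len(token):]))
        else:
            prefixes = {p for p, _ in parts}
            suffixes = {s for _, s in parts}
            if len(prefixes) == 1 and len(suffixes) == 1:
                return prefixes.pop(), rule, suffixes.pop()
    return None


def candidates(template, target_site):
    """Guesses for a site that has not leaked: the template itself plus the
    tweaks people make when a policy forces a capital letter or a digit."""
    prefix, rule, suffix = template
    base = prefix + SITE_RULES[rule](target_site) + suffix
    return sorted({base, base.capitalize(), base + "1", base + "!", base + "1!"})


if __name__ == "__main__":
    template = infer_template(LEAKED)
    print("template:", template)
    print("guesses for gmail:", candidates(template, "gmail"))
```

Two leaked passwords are enough here; with a real account list you would run the same check per user and only bother with the ones where a template actually fits, since those are the accounts worth trying elsewhere.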

Re:Are you sure? (1)

rap_dot_com (2081432) | more than 3 years ago | (#36468240)

I never said that it was effective, I was just saying that it is a method that I am aware of that is a semi-common practice among people.

Re:Are you sure? (1)

slackzilly (2033012) | more than 3 years ago | (#36467646)

Me neither. If it is true, however, the majority of the passwords used here would be "slashdot", "newsfornerds", "linux", "micro$oftsuckz" or "applefanboi".

Re:Are you sure? (1)

_Sprocket_ (42527) | more than 3 years ago | (#36467754)

My password is "thatsmyluggagecombination". It's much better than the old standby "wordpassesyou".

Re:Are you sure? (1)

slackzilly (2033012) | more than 3 years ago | (#36467814)

Write that in leet speak and then replace all 4's with @
:)

Re:Are you sure? (4, Funny)

mwvdlee (775178) | more than 3 years ago | (#36467804)

My generic password is "iwillnevertellyou".
They'll never figure that one out, not even if they try to beat it out of me.

Re:Are you sure? (1)

artor3 (1344997) | more than 3 years ago | (#36467994)

I once changed a friend's BIOS password to 'idunno'. I tried telling him, but he just got increasingly aggravated.

Re:Are you sure? (1)

Coren22 (1625475) | more than 3 years ago | (#36468276)

Who's on first?

Re:Are you sure? (1)

enderjsv (1128541) | more than 3 years ago | (#36467702)

I thought about doing a mix. Like, I have a series of numbers, symbols and letters that I've memorized. It's a very secure password, and I like using it because I can remember it.

But of course, using the same password on every site isn't good practice, so I've made various little changes to the series. Only problem is, it gets hard to remember what series fits what site. So I thought of using the same series for every site, and then simply attaching the first and last alphanumeric character of the website address to the password. That way I'll have a secure password on every site that is easy to remember wherever I use it.

Re:Are you sure? (1)

Eponymous Coward (6097) | more than 3 years ago | (#36467836)

Why not just use LastPass or one of the bookmarklets that make a hash from a master password and the site url?

Re:Are you sure? (1)

enderjsv (1128541) | more than 3 years ago | (#36467980)

Because it's easier just to have the password in my head. Yup, I'm that lazy

Re:Are you sure? (0)

Anonymous Coward | more than 3 years ago | (#36468216)

Ultimate password even brute force attacks take forever to figure out.

Z-9_z-9_Z-9

Re:Are you sure? (1)

gnick (1211984) | more than 3 years ago | (#36468274)

So I thought of using the same series for every site, and then simply attaching the first and last alphanumeric character of the website address to the password. That way I'll have a secure password on every site that is easy to remember wherever I use it.

That's what I do, except to be more secure I use the first and last 3 alphanumerics from each site. Conveniently, several of my passwords are identical: "wwwpasswordcom".

check your passwords (3, Informative)

iamhassi (659463) | more than 3 years ago | (#36467744)

Here's a link to the passwords so you can check if your password is on there [pcpro.co.uk]

Just search the page for your password. Chrome does a great job of this because it starts highlighting matching passwords as you type it. I just checked my passwords, none of them are on this list.

Re:check your passwords (1)

budgenator (254554) | more than 3 years ago | (#36468408)

Cool, mine aren't on there. A long time ago I was webmaster of poiuyt.com; I was always amazed at the number of people who used a @poiuyt.com address as an email address with qwerty as the password on various sites around the web.

Re:Are you sure? (1)

SilentStaid (1474575) | more than 3 years ago | (#36467952)

Very true, though I must admit I'm a very staunch supporter of different passwords for different sites, and the easiest way that I've personally found to do that is to theme them accordingly. For example my WoW password is usually some variation of #W4rCrfT#112 or my credit card is something like $5M0ni35s$$!... it just makes it easier.

Hmmm ... (1)

WrongSizeGlass (838941) | more than 3 years ago | (#36467614)

So they discovered a shadowy bookworm romance mystery? I'm guessing one participant was a librarian?

Re:Hmmm ... (1)

Dunbal (464142) | more than 3 years ago | (#36467986)

I'm guessing one participant was a librarian?

If that was the case, then the password would be "Ook.". Sorry if you're not a Terry Pratchett fan, you just won't get this.

Plaintext (2)

ebs16 (1069862) | more than 3 years ago | (#36467636)

There should be laws created to impose massive fines for sites storing plaintext passwords. There's absolutely no excuse for this. I understand that you can't govern the entire internet, but I would be content with American laws governing American sites. It would be a nice start.

Re:Plaintext (1)

BStroms (1875462) | more than 3 years ago | (#36467758)

My site uses a simple substitution cipher. With the characters I allow for a password there's over 80! possible keys. I'm confident my users all use sufficiently random passwords that no one would be able to analyze the cipher based on the data they hacked.

Re:Plaintext (0)

Anonymous Coward | more than 3 years ago | (#36467766)

Instead of demanding the whole world change to protect your insecure web habits, how about you take the easy solution and just stop using the same password on different sites?

Re:Plaintext (0)

Anonymous Coward | more than 3 years ago | (#36467828)

Well, on web sites I could care less about compromise, I do re-use simple passwords. I'm not going to memorize hundreds of passwords when security really doesn't matter 95% of the time.

Re:Plaintext (1)

Dunbal (464142) | more than 3 years ago | (#36468010)

Until someone posts something very incriminating using your account on one of these sites and has the police knocking at your door. For the lulz, of course. Prove your innocence.

Re:Plaintext (1)

MrEricSir (398214) | more than 3 years ago | (#36467870)

Because that only solves half the problem?

Re:Plaintext (0)

Anonymous Coward | more than 3 years ago | (#36468188)

Hashing passwords on the sites is only a partial solution. The hackers could modify the Slashdot login code to log the username+password combo; if you log in before this is discovered, they get your password and can use it to get into your bank account or whatever. However, if you just use different passwords on different sites, hackers may get your Slashdot password but it's worthless to them. How is that "solving half the problem" compared to hashing?

Re:Plaintext (0)

Anonymous Coward | more than 3 years ago | (#36467976)

So you want to lock up everyone who has a /usr/dict/words file?

Please tell me that you don't vote or breed.

Re:Plaintext (1)

SheeEttin (899897) | more than 3 years ago | (#36468624)

There should be laws created to impose massive fines for sites storing plaintext passwords.

Be careful what you wish for--if that does happen, you should probably expect a whole lot of ROT13 implementations...

audit much ? (0)

Anonymous Coward | more than 3 years ago | (#36467648)

Guess admins should check these passwords against their server and then shake a stick at the users using them.

oh noez! (5, Interesting)

torgis (840592) | more than 3 years ago | (#36467650)

Easy-to-remember passwords for a site that doesn't matter at all? Color me shocked. When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info. That way if someone does acquire this info (and it has happened multiple times) I don't get burned. For important things like banking and gmail, I have 2-step authentication enabled and use a strong password on top of that. Different on every site of course.

But for stuff like writers forums, tech support sites, slashdot (haha!) and the like? I don't use and don't care to use a strong password because, well, what's the point? You don't hear about individuals on these sites being hacked because of the insecure passwords they use. No, you hear about the administrators of these sites having their sites hacked and their userlists and passwords stolen. What good does a strong password serve on a site like this when there are gaping security holes in the OS hosting the forums?

And why, for Xenu's sake, are people still storing passwords in plaintext??

Re:oh noez! (1, Funny)

networkBoy (774728) | more than 3 years ago | (#36467724)

And why, for Xenu's sake, are people still storing passwords in plaintext??

because their lazy.

Re:oh noez! (2)

networkBoy (774728) | more than 3 years ago | (#36467736)

damn.
they're...

I'll hand in my spelling/grammer pedant card now.

Re:oh noez! (0)

Anonymous Coward | more than 3 years ago | (#36467924)

And whatever card you lose for saying "Xenu" (or any other "god"-like word): That one too, please! ;)

Re:oh noez! (1)

artor3 (1344997) | more than 3 years ago | (#36468040)

"spelling/grammer"

I'll assume that was in jest :-P

Re:oh noez! (2)

kcitren (72383) | more than 3 years ago | (#36468142)

It wasn't a spelling error, he just got cut off. I'm sure he meant to say:

because their lazy asses can't be bothered to learn how to do things the right way.

http://en.wikipedia.org/wiki/Principle_of_charity/ [wikipedia.org]

Re:oh noez! (0)

Anonymous Coward | more than 3 years ago | (#36467800)

I called my ISP a few years back, because I'd forgotten an email account password. I asked the customer service person if she could reset the password for me.

She then TOLD me what my password was.

Is that scary?

Re:oh noez! (1)

Tolkien (664315) | more than 3 years ago | (#36468366)

Same happened with me in the 90s with AOL.

I'll just let that sink in, for laughs.



AOL.

Re:oh noez! (1)

SETIGuy (33768) | more than 3 years ago | (#36469976)

That's when it's time to change ISPs. Especially if you are paying them with a credit card.

Re:oh noez! (1)

DMUTPeregrine (612791) | more than 3 years ago | (#36467936)

I use "h=6.62606957e-34J*s" as a password in a few places that don't matter (work login at my old job that had to change every month mainly). It fits the most common security requirements (lower case letter, upper case letter, number, special character), is not terribly common (12345) and is easy to remember; after all, it's Planck's constant. I rotate through universal physical constants for passwords. Of course I don't use it for /., nor do I reuse this username elsewhere. Actually "important" things (e-mail, a few websites, etc) get real passwords stored in KeePass, with a 20-word diceware passpoem. 256 bits of entropy ought to be enough...

Re:oh noez! (1)

interkin3tic (1469267) | more than 3 years ago | (#36468892)

When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info.

Bonus points for unimportant sites that don't accept mailinator.com e-mail addresses or won't let you set a weak, easy to remember password.

Because, you know, if my "I can haz cheezeburger" account gets compromised, western civilization might end.

No reason not to use password manager (1)

rsborg (111459) | more than 3 years ago | (#36468924)

Password reuse is a major problem, regardless of site. There is very little excuse not to use tools like 1Password, LastPass or KeePassX.
I've gotten my technophobic parents and wife on the treadmill (all use 1password via a family license).

I've gotten them comfortable ditching their "known good password" on their other sites, learning the strong master password by heart, and got them comfortable enough to generate good-length (default 18 characters) passwords for any site that needs it.

The best part about a password manager is that you can share (Dropbox for now, perhaps iCloud tomorrow) your credential set (which are encrypted, of course) and now you don't get bugged about the Amazon password from your spouse, she just logs in and buys the stuff.

Caution (1)

Anonymous Coward | more than 3 years ago | (#36467674)

I'd always be wary about all these grand "revealings" about passwords from LulzSec.

How many usernames/passwords on an innocent blogging site like that are completely throwaway?

I know that on randomblog.com if I want to make an account on the spot, I'm certainly far more likely to use "asdf123" for a username and "randomblog" as a password than I am a 16 digit alphanumeric/symbol/mixed case password that I will forget in 5 minutes.

Who cares if your blogspot account gets hijacked? What are they going to do, write angry comments using your throwaway username?

Not wanting to write it down (2)

CLaRGe (2267700) | more than 3 years ago | (#36467684)

Many of these passwords are a consequence of a person not wanting to write down their passwords for fear of the written down password being found. Thus, instead of creating an effective, hard to guess (and hard to remember) password, many people simply come up with a password that is easy to remember, but that they hope is so random, or so obvious, that nobody would guess.

I teach my children, even the little ones, the old trick of coming up with an easy to remember sentence, picking the first letter of each word, and changing one or more characters to a number or symbol. They like the challenge, and create some reasonably tough passwords to guess.

Noticed similar pattern (1)

Relic of the Future (118669) | more than 3 years ago | (#36467704)

I saw a similar pattern several years ago when I was emailed a spreadsheet including forum passwords for a role-playing game company. (I was doing volunteer webwork for a regional part of their official fanclub.) The most popular password there (after "password" and "12345"), was "dragon" (even though it wasn't for D&D, although I'm sure many of their customers/fans were also D&D fans (I know I was.))

And for the record, yes, I told them stop emailing around spreadsheets that included everyone's passwords (this went out to a couple dozen volunteers every few months) but they did it for at least a few years, probably longer.

Passwords? (0)

metageek (466836) | more than 3 years ago | (#36467716)

Why are we still using passwords? They will go away, sooner or later.

the algorithmic approach to passwords (1)

circletimessquare (444983) | more than 3 years ago | (#36467720)

i've championed this before, and i don't know why it doesn't get more press

instead of the same username pword for every site, make your uname/ pword a derivative of the website name or theme, and your own personal salt

the rules could be as quirky and arcane as you want

for example:

username is the first 3 letters of the website, plus your birthyear, plus the cousin whose name sounds most like the website you're visiting

password is the street you grew up on, minus the last 3 characters and plus the last 3 characters of the website, plus the songtitle from the group you like whose letter starts with the third letter of the website name, rotated 3 characters... blah blah blah

or whatever

the point being, we can't remember all your usernames and passwords, but with a quirky enough personal algorithm combining

1. a characteristic of the website, and
2. some personal arcane trivia,

all you have to do is remember your personal algorithm

and then you can get into every site you've ever visited, not worry about trying to remember anything, and not really worry about being easily tracked or cracked. as long as your personal algorithm is indeed truly quirky and personal enough that even with knowledge of 3 of your username/ passwords from 3 different sites, a potential hacker/ cracker would be utterly mystified as to a pattern

i really don't know why this idea of remembering just one personal quirky algorithm isn't more widespread

Re:the algorithmic approach to passwords (0)

Anonymous Coward | more than 3 years ago | (#36467808)

My method is easier and produces better results:

I carry a card in my wallet with a grid of random characters. That's it.

Then, in my e-mail account, I e-mail myself a list of usernames, along with the coordinates of the start of the password, and the length of the password.

I perform a small transformation to the password before typing it in (ex: swap characters at position 2 and 5).

If my wallet is stolen, the thief only has a grid of random characters, and has no idea what it is for. Even if they know it's for passwords, they don't know the grid locations, the user names, or the small transformation.

It cost around $20 to print out a stack of these cards (business card size). I have them at all my computer desks, and in my wallet.

I plan on generating a new card every 4 years, and updating passwords using the same coordinates.

Re:the algorithmic approach to passwords (0)

Anonymous Coward | more than 3 years ago | (#36467948)

username is the first 3 letters of the website, plus your birthyear, plus the cousin whose name sounds most like the website you're visiting

so in what way does /. spell like circle and which cousin of yours likes sound times square?

sounds nice in theory, too complicated for most.

Re:the algorithmic approach to passwords (1)

circletimessquare (444983) | more than 3 years ago | (#36468236)

it's really not complicated. it is no more complicated than using the same username/ pword on every site: an algorithm is just a few small simple steps to remember

Re:the algorithmic approach to passwords (1)

AliasMarlowe (1042386) | more than 3 years ago | (#36468590)

Different username+password per site is good, but as you noticed, it's a drag to remember them all and some algorithmic method and shared knowledge are useful. My method for most sites is to use a handful of usernames, based on class of web site (different on slashdot to banking sites, for instance). Each of these sites then gets a password as a hash of a phrase known to me together with part of the site name. For example:
echo -n "Shivelights and shadowtackle in long lashes lace lance and pair + slasHdoT" | sha256
The resulting checksum contains the password I'll use for that site. I'll skip the first M characters of the checksum and use the following N characters. An exception is for noncritical sites which I might want to access from machines I don't control, for which I have a handful of memorized passwords of nontrivial complexity.
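The scheme in that comment, as an added example (not the commenter's own script). It assumes what the comment describes: SHA-256 over "secret phrase + site tag", hex output, skip M characters, take the next N. The phrase below is a stand-in, not anyone's real secret, and the base64 variant is an addition for sites that insist on upper case and digits, which a hex digest cannot satisfy.

```python
import base64
import hashlib

# Stand-in secret phrase (constructed; not anyone's real passphrase).
SECRET = "Shivelights and shadowtackle in long lashes lace lance and pair"


def _digest(site_tag, secret):
    # Same shape as the shell pipeline in the comment: phrase, " + ", site tag.
    return hashlib.sha256(f"{secret} + {site_tag}".encode("utf-8")).digest()


def derive(site_tag, secret=SECRET, skip=4, length=16):
    """Password for one site: hex of the digest, minus the first `skip`
    characters, then `length` characters. Deterministic, so nothing is stored;
    changing the tag's capitalization (slasHdoT vs slashdot) changes everything."""
    return _digest(site_tag, secret).hex()[skip:skip + length]


def derive_mixed(site_tag, secret=SECRET, skip=0, length=16):
    """Variant for sites whose policy demands upper case, lower case and digits:
    same digest, base64 instead of hex, so the alphabet is 64 symbols (6 bits
    per character) rather than 16 (4 bits per character)."""
    encoded = base64.b64encode(_digest(site_tag, secret)).decode("ascii")
    return encoded.rstrip("=")[skip:skip + length]


if __name__ == "__main__":
    for tag in ("slasHdoT", "slashdot", "bank"):
        print(f"{tag:10s} hex: {derive(tag)}  b64: {derive_mixed(tag)}")
```

Two things to keep in mind if you adopt this: the strength of every derived password is exactly the secrecy of the phrase (a 16-hex-character password is 64 bits, and the phrase is the only thing an attacker who knows the scheme needs), and there is no way to rotate one site's password after a breach other than changing the tag or the offsets for that site and remembering that you did.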

Re:the algorithmic approach to passwords (1)

circletimessquare (444983) | more than 3 years ago | (#36469108)

now that's hot

your average user isn't going to do sha256 hashes though

but, skipping that step, it's still a workable framework

Re:the algorithmic approach to passwords (2)

rsborg (111459) | more than 3 years ago | (#36469034)

i really don't know why this idea of remembering just one personal quirky algorithm isn't more widespread

The problem with algorithms is stupid artificial restrictions on credentials by some sites. For example, I can only choose numbers for my "PIN" on my 401k. Or my password must be all lowercase for my public utilities site, or contain no special characters at my bank, or some other hare-brained restriction.

Same with user names. Often your username must be your email address. Sometimes they don't allow the @ sign. Other times, it's not modifiable and random characters assigned to you (I have at least one brokerage site where this is the case).

I've tried the algorithm approach, and eventually all the numerous restrictions lead to a completely insecure result from your algorithm, or the algorithm is too complex to store in wetware, resulting in many "forgot my password" delays. Describing and documenting your algorithm is as silly as writing down your master password, so that's going to work.

Eventually you must keep track of them all and if you're doing so you should definitely encrypt/secure it. Thus the password manager. If you get a good one, typing in credentials will be automated based on site (this also removes phishing attacks) and it will exist on your smartphone/PDA and can be synced by Dropbox and/or memory stick.

Re:the algorithmic approach to passwords (1)

circletimessquare (444983) | more than 3 years ago | (#36469090)

this is a good criticism. you are correct. different policies and standards complicate the algorithm and are discouraging

"The Pentagon is about to roll out an expanded eff (0)

Anonymous Coward | more than 3 years ago | (#36467726)

(Reuters) - The Pentagon is about to roll out an expanded effort to safeguard its contractors from hackers and is building a virtual firing range in cyberspace to test new technologies, according to officials familiar with the plans, as a recent wave of cyber attacks boosts concerns about U.S. vulnerability to digital warfare. http://www.reuters.com/article/2011/06/16/us-usa-cybersecurity-idUSTRE75F4YG20110616

Let's see, government ready to spend billions (more) on "cyber"-security/Internet-surveillance, intelligence agencies and a ton of private companies set to benefit. LulzSec attacks of course part of justification.

Do you like (0)

Anonymous Coward | more than 3 years ago | (#36467746)

Fishsticks?

Well then you're a gay fish

It doesn't follow. (1)

Maltheus (248271) | more than 3 years ago | (#36467848)

Not sure I buy the premise. I went to a nerd college with few women. Back then, before they shadowed PW files, I came across a lot of passwords. The two most common variants I found contained the words 'soccer' or 'jennifer.' Once again, I went to a nerd college with few women.

Re:It doesn't follow. (0)

Dunbal (464142) | more than 3 years ago | (#36468066)

Judging by your spelling and grammar I would assume that either you are a Korean who studied engineering at MIT or something, or a piece of trailer trash that considers community college to be "nerd college".

Re:It doesn't follow. (0)

Anonymous Coward | more than 3 years ago | (#36468278)

Judging by your response or something, I would assume you are bitter about not going to college and having a chance with the young Jennifers, or are a bitter person that went to college and still didn't have a chance with the young Jennifers.

Re:It doesn't follow. (1)

kcitren (72383) | more than 3 years ago | (#36468176)

Few women at a nerd college. I'll bet you one of them was named Jennifer, and I'm sure she was very popular.

Re:It doesn't follow. (1)

idontgno (624372) | more than 3 years ago | (#36468338)

Her phone number was 876-5309. She was veeeeery popular, back in the day. [songfacts.com]

Re:It doesn't follow. (1)

WindBourne (631190) | more than 3 years ago | (#36469424)

Well, she still might be. Of course, she would likely be a MILF, so just google for porn MILF Jenny.

Re:It doesn't follow. (0)

Anonymous Coward | more than 3 years ago | (#36470336)

you got the number wrong lol

But of course. (4, Funny)

Black Parrot (19622) | more than 3 years ago | (#36467902)

But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.

The three most popular Slashdot passwords are 'troll', 'slacker', and 'clown'.

Re:But of course. (0)

Anonymous Coward | more than 3 years ago | (#36469144)

The fourth one being 'msastroturfer'

Some of the emails are fakes (2)

daveywest (937112) | more than 3 years ago | (#36467934)

I work for an ISP that is represented in the list of emails and passwords. We determined all the addresses from domains we control are not, nor have they ever been, used on our system. I'm not saying they are all fakes, but all the addresses I'm able to verify are not legit.

they'll never get mine. (1)

nblender (741424) | more than 3 years ago | (#36467996)

Mine is all '*'s ...

Mmm, salt. (1)

Tarlus (1000874) | more than 3 years ago | (#36468070)

Seriously. Hashing. Does nobody practice this for user account databases?

Re:Mmm, salt. (1)

SETIGuy (33768) | more than 3 years ago | (#36470218)

Anyone writing code that stores passwords using plaintext or reversible hashes should probably take up a career in quilting.

As should anyone writing code that can't handle every printable ASCII character in a password. Better yet, passwords should allow any string of bytes. Any programmer who limits passwords to alphanumeric is probably writing SQL injection vectors.
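Salted, iterated hashing of passwords that may be any byte string, as the two comments above call for, shown as an added example (not code from the thread); the record layout and work factor are assumptions of this example.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread: salted, iterated hashing for an
# account database. The record layout and the work factor are assumptions.
ITERATIONS = 200_000   # PBKDF2 rounds; raise over time as hardware gets faster
SALT_BYTES = 16        # fresh random salt per user, stored next to the hash


def hash_password(password: bytes, salt=None) -> str:
    """Return a storable record: pbkdf2_sha256$rounds$salt_hex$hash_hex.

    The password is an arbitrary byte string. Quotes, backslashes, NUL and
    non-ASCII bytes are all acceptable because nothing here ever interprets
    the password as SQL, HTML or a shell command; it is only hashed.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: bytes, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, hash_hex = record.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(rounds)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_distinct_records(password: bytes) -> bool:
    """Two users sharing a password must not share a record (per-user salt)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample: a password an alphanumeric-only filter would reject.
    pw = b"O'Brien\"; DROP TABLE users; -- \x00\xff"
    rec = hash_password(pw)
    print(rec)
    print(verify_password(pw, rec), verify_password(b"password", rec))
```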

Ahem (1)

Tolkien (664315) | more than 3 years ago | (#36468128)

Re:Ahem (1)

Hatta (162192) | more than 3 years ago | (#36468206)

Why would you believe the WHOIS data?

Re:Ahem (1)

Tolkien (664315) | more than 3 years ago | (#36468282)

Good point, but also, why not?

Re:Ahem (1)

Anonymous Coward | more than 3 years ago | (#36468644)

Adrian Lamo was the guy who turned in Bradley Manning. If you were a wikileaks supporting entity, looking for a random name to blame ...

Re:Ahem (0)

Anonymous Coward | more than 3 years ago | (#36468726)

Or, alternatively, if you are an attention-whore, register the domain name for a hack/DDOS group to get people to talk about you.

Re:Ahem (0)

Anonymous Coward | more than 3 years ago | (#36469296)

Because as is pointed out within the first couple of comments on your link it might be meant as a "fuck you" to Adrian Lamo which seems reasonable. Plus the idea that Adrian Lamo is Lulzsec is sort of stupid since he's already been in trouble with the Feds before so doing stupid shit like Lulzsec has been doing would be an excellent way for Mr. Lamo to spend the rest of his days in Federal lockup.

Re:Ahem (0)

Anonymous Coward | more than 3 years ago | (#36470004)

alternatively, Nakomis == LulzSec[i]; http://pastebin.com/5NJXfbVw [pastebin.com]

makes sense (0)

Anonymous Coward | more than 3 years ago | (#36468302)

my password for slashdot is "nerdporn"

FUCK lulzsec (-1)

Anonymous Coward | more than 3 years ago | (#36468762)

F U C K lulzsec

Re:FUCK lulzsec (-1)

Anonymous Coward | more than 3 years ago | (#36469632)

U MAD?

Yawn! (1)

Anonymous Coward | more than 3 years ago | (#36469128)

I am really starting to doubt these stories. Generating usernames and passwords is something that can be done with even a quick script - it is not hard to generate real words using a known dictionary source.

Selection bias, anyone? (1)

bkpark (1253468) | more than 3 years ago | (#36469166)

We can't know for sure since they aren't divulging their source, but some of the services listed are too sophisticated (esp. Gmail, even if you don't believe in the competency of those who run Hotmail) even to store passwords in cleartext anywhere.

If I had to guess at how they obtained these passwords, they did it by actual hacking of the accounts (or somehow got a hold of the password hashes to run faster attacks on), and in that case, the accounts with weak passwords are the low-hanging fruits; of course the list will contain many, many weak passwords subject to various dictionary attacks.

This doesn't explain everything, since looking through the password list, I do see a few that actually look randomly-generated, such as "Zt8bNOI655" (maybe they used keylogger trojans in addition to other methods), but unless use of dictionary attack of any form can be ruled out, statistically, this list is worse than worthless—it's downright misleading, unless the only claim made is that there still exist users who use weak passwords.

Re:Selection bias, anyone? (1)

CSMastermind (847625) | more than 3 years ago | (#36469236)

They got the passwords by getting into an unknown website's database (obviously smart money is on writerspace.com). The email breakdown at the top of the article corresponds to the email that was associated with the accounts. None of the email services (hotmail or gmail) were actually compromised. Knowing Lulzsec's past work they probably got access via a simple SQL injection.

Did anybody here finish the article? (1)

CSMastermind (847625) | more than 3 years ago | (#36469198)

Any /. theories on ajcuivd289 ? I'm stumped, unless one dude has a lot of dupe accounts.

The passwords are likely vision based (2)

WindBourne (631190) | more than 3 years ago | (#36469408)

Ever sit and watch average ppl create new passwords at their desk? They do not look into the air to think about it. Instead, they look at what is around them. I do not watch somebody enter the passwords, but I have noticed the subject's head. I believe that they are looking at the books, artwork, etc. that is just around them.

Want to break into their stuff? Simply take a look around the desk and see what is important to them. Simple as that.

most of the emails are from Brazil (1)

tortovroddle (1969948) | more than 3 years ago | (#36469658)

The original list posted by LulzSec is divided into two parts. The first half has an assortment of emails from many domains. The second half contains emails of Brazilians, most of them from hotmail and yahoo (many have .br at the end, or use Brazilian names and words). Probably they compromised some Windows Live server? Looks like many of them are MSN logins...

Perfect Paper Passwords (2)

reboot246 (623534) | more than 3 years ago | (#36469790)

The best system I've seen is the one Steve Gibson has on his website.

https://www.grc.com/ppp.htm

Guessable passwords. (2)

SETIGuy (33768) | more than 3 years ago | (#36470166)

People use guessable passwords because they want to use passwords that they can remember. And people that use passwords they can remember do reuse passwords. Any password I can remember probably isn't very secure. Any password used at more than one site definitely isn't secure.

It's past time that all browsers included a standard password generator with user definable salt set at first invocation, and master password prompting. Web standards should at a minimum specify support for all printable ASCII characters in passwords. If a bank isn't competent enough to hire a programmer that can write code to handle a quote in a password, you probably shouldn't be banking there.

Until then there's still PasswordMaker for which you have to salt each account separately if you do not want the default unsalted hash. And there's still the annoyance of "alphanumeric only with at least one uppercase and one number" web sites.
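The master-password-plus-user-salt generator the comment above asks for, as an added example (not the thread's code and not PasswordMaker's own algorithm): one distinct password per site, derived deterministically, with a mode for the alphanumeric-only sites it complains about. Rounds, alphabet and output length are assumptions of this example.

```python
import hashlib
import string

# Added example, not the thread's code and not PasswordMaker's own algorithm:
# derive one distinct password per site from a master password and a
# user-chosen salt. Rounds, alphabet and output length are assumptions.
ITERATIONS = 100_000
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def derive_site_password(master: bytes, user_salt: bytes, site: str,
                         length: int = 16, alnum_only: bool = False) -> str:
    """Deterministic per-site password; the master secret never leaves the client.

    The site name is bound into the KDF salt, so a leak of one site's password
    reveals nothing usable at another. alnum_only serves sites that reject
    symbols; both modes guarantee at least one uppercase letter and one digit.
    """
    assert length >= 2, "need room for both a digit and an uppercase letter"
    alphabet = string.ascii_letters + string.digits + ("" if alnum_only else SYMBOLS)
    salt = user_salt + b"\x00" + site.lower().encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master, salt, ITERATIONS, dklen=48)
    n = int.from_bytes(raw, "big")   # 384 bits of material, consumed by divmod
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    # Policy fix-up, still deterministic: positions and symbols come from the
    # leftover bits, and the two fixes never target the same position.
    digit_pos = None
    if not any(c.isdigit() for c in chars):
        n, digit_pos = divmod(n, length)
        n, idx = divmod(n, 10)
        chars[digit_pos] = string.digits[idx]
    if not any(c.isupper() for c in chars):
        n, upper_pos = divmod(n, length)
        if upper_pos == digit_pos:
            upper_pos = (upper_pos + 1) % length
        n, idx = divmod(n, 26)
        chars[upper_pos] = string.ascii_uppercase[idx]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs; the site names are only labels for the KDF.
    master, salt = b"correct horse battery staple", b"my-own-salt-2011"
    for site in ("writerspace.com", "slashdot.org"):
        print(site, derive_site_password(master, salt, site))
```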
