MySpace Users Have Stronger Passwords Than Employees

Zonk posted more than 7 years ago | from the hardly-surprising dept.

Security 263

Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."

263 comments

Okay... (5, Insightful)

eln (21727) | more than 7 years ago | (#17243498)

So MySpace users are smart enough to pick somewhat secure passwords, but still dumb enough to fall for basic phishing attacks.

It doesn't matter how strong their password is if they are still giving it to whoever asks for it.

Re:Okay... (2, Interesting)

biocute (936687) | more than 7 years ago | (#17243598)

Or maybe strong-passworded MySpace users feel they're more technically superior thus easily fallen to good phishing technique, while their weak-passworded counterparts feel more needs to be careful.

Or maybe nothing really happened, it's just a fake analysis.

Re:Okay... (5, Funny)

Brewskibrew (945086) | more than 7 years ago | (#17244066)

Hello, this is http://slashdot.org./ [slashdot.org.] We're undergoing a routine security check and your account has been flagged as it is being accessed by computers in other countries. Please click "reply" to this post and enter your userid, password, shoe size, and iq so that your account can be unlocked. Failure to do so indicates that you are a non-compliant individual and appropriate steps will be taken.

Re:Okay... (1)

chroot_james (833654) | more than 7 years ago | (#17243694)

I keep my password on a post-it. On the same post-it I have a reminder to make sure I see "http://www.myspace.com/..." when I log in.

Re:Okay... (5, Informative)

andreamer (937648) | more than 7 years ago | (#17244448)

From a link in the article:

"The attacker had registered a MySpace account named login_home_index_html, meaning that the MySpace page hosting the fake login, looked like a legitimate place where users would sign on to the service."

So it was just a user page but it DID have myspace.com in the URL. The URL was:

http://www.myspace.com/login_home_index_html [myspace.com]

Duh! (3, Insightful)

EmbeddedJanitor (597831) | more than 7 years ago | (#17243772)

Those corporate users that were dumb enough to fall for phishing had bad passwords. No surprises there. People prone to fishing are probably less security conscious.

Are myspace users really more security conscious? Or are the typical demographics those people who tend to use oddball non-English words and text phrases that end up being "good passwords". yourmom69

Re:Duh! (3, Insightful)

daeg (828071) | more than 7 years ago | (#17243826)

Just shows that MySpace users value their virtual presence more than corporate users value their jobs.

Re:Okay... (4, Funny)

Anonymous Coward | more than 7 years ago | (#17243782)

Wow. We MySpace usrz hav BetA security. hu wouldve thunk it. It's not lIk Im doin NEthing dfrnt. Im not lIk tinkN security 24-7.

MOD PARENT INSIGHTFUL (2, Interesting)

chaosite (930734) | more than 7 years ago | (#17244444)

I had a modpoint left, but it expired. Seriously, l33t sp33k makes for excellent passwords... weird spelling, dropping vowels, and replacing letters with numbers, along with the either stuff j00 d0 wh3n j00 r ub3r1337 makes for passwords that can withstand a dictionary attack, are stronger against brute force because you have digits in random places (and not just at the end), and more...

Re:Okay... (1)

Kotukunui (410332) | more than 7 years ago | (#17243922)

> It doesn't matter how strong their password is if they are still giving it to whoever asks for it.

I assume that the supposedly popular password choice of fuckyou is a sign that a lot of people being phished actually realised they were being targeted and told the phishers what they thought of them.

Re:Okay... (5, Informative)

h2g2bob (948006) | more than 7 years ago | (#17244410)

Or maybe it's just the fact that Myspace requires new users to have a number in the password!

The Lesson? (5, Interesting)

lunartik (94926) | more than 7 years ago | (#17243502)

This may not mean that "passwords are getting better." It may just prove once again that people care more about their personal things than other people's stuff.

Re:The Lesson? (4, Insightful)

Cat_Byte (621676) | more than 7 years ago | (#17243538)

I tend to think people come up with a really good password, then they have to come up with 12 others in a row after each expires and disallows reusing an old one.

Re:The Lesson? (5, Insightful)

lpcustom (579886) | more than 7 years ago | (#17243800)

Yeah I agree. The time limits on passwords cause most people to just come up with something easier to remember. Why should I have to change my password every 30 days if it's something like Mxo2s0LLn234aAZSQ If I can't even get it right I'm sure no one else is going to guess it. There shouldn't be a need to change it.

Re:The Lesson? (2, Interesting)

Hijacked Public (999535) | more than 7 years ago | (#17244060)

A company I used to work for rolled out a scheme on their mostly Windows network where everyone's password expired every 30 days. The time period was based on the idea that in the time required to crack a sniffed password (think l0phtcrack) the user may have changed it, or at least reduced the window of opportunity for it to be used. It wasn't really an attempt to prevent social engineering, or guessing.

Of course l0phtcrack would sniff and crack weak passwords in a matter of minutes, so I'm not sure how 30 days was arrived at, but I guess the idea was that something is better than nothing.

Re:The Lesson? (1)

swimin (828756) | more than 7 years ago | (#17244352)

I know people who work at companies like this, and their passwords invariably end up in the form password1206. If I had arrived at the password password1106 and it stopped working, I could most definitely guess the next one in the series.

Re:The Lesson? (2, Informative)

Vlad_the_Inhaler (32958) | more than 7 years ago | (#17244118)

Dead on.
The passwords I use at work are pretty pathetic.

The first reason is that I have to be able to remember them which is difficult when they have to change every 6 weeks, the second reason is that only people within the company have access to the network anyway.

In order to get in from outside, I need another (strong, permanent, set by me) password and a 6-digit Tamagotchi code which changes every 60 seconds. If I did not have to change my work password so frequently, it would be a lot stronger.

enforced patheticism (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17244366)

(is patheticism a word? nevermind...)

When I started at my current place of employment, I was asked to set up a password to get into our company VPN. The rules seemed pretty straightforward, and since I try to be conscientious about good passwords, I didn't think twice about the clause in the policy that said "Your password must be 8 characters in length."

It turns out, they meant it. As in, exactly eight characters. Not nine, not seven. Ten is right out.

For added amusement: one of my company's lines of business is IT security consulting. Ha.

Re:The Lesson? (1)

Truman Starr (949802) | more than 7 years ago | (#17243728)

Also, Myspace passwords don't expire (do they!?). At work, I have to have an alphanumeric+ password, at least 15 characters long. It expires every 90 days and cannot be the same as any of the last 7 passwords.

IMHO, this is a ridiculously draconian security policy (but then again it IS the US Government). I normally have a MUCH stronger set of shorter passwords (8-10 chars) that I use for most things. However, because of the perceived risks in this situation, I can't use my normal passwords (at least not more than once). And since my password rotates so often, it is difficult to memorize every 3 months. Hence the weakest point in my chain is that all of mine are stored in a password vault program.

Re:The Lesson? (1)

Curien (267780) | more than 7 years ago | (#17243836)

Funny. Folks in my branch of the US Federal government all log in with a smart card and 7-digit PIN.

Password1? (2, Funny)

spun (1352) | more than 7 years ago | (#17243504)

That's the kind of password an idiot would have on his electronic luggage!

Re:Password1? (2, Insightful)

Rob the Bold (788862) | more than 7 years ago | (#17243568)

> That's the kind of password an idiot would have on his electronic luggage!

Only because someone made him use at least one numeral.

Re:Password1? (1)

MorderVonAllem (931645) | more than 7 years ago | (#17243776)

I guess whoever it was that modded you redundant doesn't quite get the movie reference

Re:Password1? (2, Funny)

0kComputer (872064) | more than 7 years ago | (#17244312)

/obligatory That's the same combination I have on my luggage!

The three most commonly used passwords are... (4, Funny)

Pojut (1027544) | more than 7 years ago | (#17243510)

"Love, Sexxxx, and...GOD. So, would her royal highness care to change her password?"

Re:The three most commonly used passwords are... (1)

Jesterboy (106813) | more than 7 years ago | (#17243838)

Mod parent up for on topic Hackers quote. ^_^

Security through obscurity? (4, Funny)

GoodbyeBlueSky1 (176887) | more than 7 years ago | (#17243524)

> ...found that the average password was 6.4 characters long.

What kind of newfangled keyboard do you need to type one of those in?!

Re:Security through obscurity? (0)

Anonymous Coward | more than 7 years ago | (#17243620)

Er, average, not median. Or was that a joke?

Re:Security through obscurity? (1)

GoodbyeBlueSky1 (176887) | more than 7 years ago | (#17243738)

Yes I'm well aware. It was mostly a joke with a little bit of commentary on how in this case only an integer average should have been used, since the length of a password can't possibly include a fraction.

Re:Security through obscurity? (5, Funny)

kaizenfury7 (322351) | more than 7 years ago | (#17244084)

You need to use an average keyboard because an average keyboard has 101.4 keys.

Re:Security through obscurity? (1)

berashith (222128) | more than 7 years ago | (#17244338)

so everyone is using the same .4 key in their passwords. seems to make it easier to guess that way. unless of course there are several .1 keys laying around.

nobody can guess mine (4, Funny)

zakeria (1031430) | more than 7 years ago | (#17243530)

I use this password ;#E4][££2&9a for everything.. Oops?

Re:nobody can guess mine (1)

Professor_UNIX (867045) | more than 7 years ago | (#17243644)

> I use this password ;#E4][££2&9a for everything.. Oops?

Damn, that is pretty secure. How the hell do you make those two little squiggly symbol things between the "[" and "2"? I wonder if I can make my password have that ASCII smiley face in it.

Re:nobody can guess mine (2, Informative)

MindStalker (22827) | more than 7 years ago | (#17243762)

he probably used html codes.
You can also hold alt while you type numbers on your keypad. like alt(128) = Ç

Note: most password forms won't allow anything non alphanumeric even slashdot didn't allow alt(127)

Re:nobody can guess mine (1)

Vlad_the_Inhaler (32958) | more than 7 years ago | (#17244186)

British keyboard.
I suppose it keeps US and Russian script kiddies out. Maybe I should use something like HääkürDöödß (oops, one of those characters gets eaten by /. does that mean it is secure?).

Re:nobody can guess mine (1)

poticlin (1034042) | more than 7 years ago | (#17244252)

> How the hell do you make those two little squiggly symbol things between the "[" and "2"?

It's the English pound Symbol...For the ignorant clod -> UK Money Symbol.

Re:nobody can guess mine (1)

Fordiman (689627) | more than 7 years ago | (#17244450)

[Alt]+0163 == £
[Alt]+1 == ☺
[Alt]+2 == ☻

Re:nobody can guess mine (5, Funny)

kaizenfury7 (322351) | more than 7 years ago | (#17243896)

Don't worry... all we saw was:

> I use this password ************ for everything.. Oops?

Slashcode is pretty advanced like that... it has filters that automatically hide your personal information in case you accidentally post it. Try posting your ATM PIN or social security code and see how advanced those filters are.

Re:nobody can guess mine (5, Funny)

Tired_Blood (582679) | more than 7 years ago | (#17244122)

> Don't worry... all we saw was:
>
> > I use this password ************ for everything.. Oops?
>
> Slashcode is pretty advanced like that... it has filters that automatically hide your personal information in case you accidentally post it. Try posting your ATM PIN or social security code and see how advanced those filters are.


"you can go hunter2 my hunter2-ing hunter2"

*Cough* [bash.org]

i'm not surprised (5, Funny)

JeanBaptiste (537955) | more than 7 years ago | (#17243532)

a 14 year old cares far more about their social life than most adults care about their jobs.

More to lose (4, Insightful)

CastrTroy (595695) | more than 7 years ago | (#17243534)

It's because the MySpace users have more to lose. They don't want someone defacing their website. Employees on the other hand probably don't care if someone logs into their computer.

Re:More to lose (1)

Sheepeep (994464) | more than 7 years ago | (#17243614)

I would argue that my job is more to lose than a MySpace account, personally.

Wrong Assumptions (1)

brunes69 (86786) | more than 7 years ago | (#17243748)

You're assuming that

      a) If someone hacked into your company via your PC, you would be held accountable
      b) MySpace users have jobs, or are even old enough to do so

Both of those assumptions are incorrect 99% of the time.

Re:Wrong Assumptions (1)

Sheepeep (994464) | more than 7 years ago | (#17243888)

Perhaps, but in my nation of a two-CCTV-cameras-on-every-corner-everyone-knows-your-mothers-maiden-name culture, it's not too invalid an assumption to adopt. There was an incident here where someone left their password on a sticky note (Classic, eh?) and the wrong person just happened to get hold of it...Long story short, I haven't seen him since. Sure, it doesn't happen everywhere, but since it's happened right here, it's an assumption I'm willing to make. ;)

Re:More to lose (1)

Vexorian (959249) | more than 7 years ago | (#17244104)

It could be the opposite as well. If they forget their mySpace passwords they can use email validation to get it back, what exactly happens to you if you forget your job's?

Which do you care more about? (3, Insightful)

liak12345 (967676) | more than 7 years ago | (#17243548)

This shouldn't be groundbreaking news. Myspace accounts deal with the personal part of people's lives and they don't want it interfered with. Which individuals have a vested interest in corporate security?

fractions (0)

Anonymous Coward | more than 7 years ago | (#17243558)

"...and found that the average password was 6.4 characters long."

There are no .4 length characters!

Oh wait, I guess they were cracked...

Stronger Passwords (5, Insightful)

Joe The Dragon (967727) | more than 7 years ago | (#17243572)

It's easy to have Strong Passwords when you don't need to change them all the time and can't reuse parts of the old password in the new password.

Password Rotation Insanity (2, Insightful)

The Monster (227884) | more than 7 years ago | (#17244120)

I have never understood how making people change their passwords so often that they have to write them down like the school secretary in War Games, or use weak passwords that are easy to remember.

I understand the theory that it makes it tough on the crackers, of course, but that theory presumes that all other things are equal. I don't believe they are.

Passwords Expire (4, Insightful)

Mr_Blank (172031) | more than 7 years ago | (#17243576)

The corporate drones have to deal with passwords that expire every 30/60/90 days, and once expired those passwords can never be reused. So creating a hard password and then remembering it is not so trivial. The myspace users can come up with one hard password and keep it forever.

Re:Passwords Expire (4, Insightful)

Otter (3800) | more than 7 years ago | (#17243698)

That's one of the two points I was going to make; the other being that a comparison to corporate passwords from 1989 is only slightly more informative than one to passwords from 1889.

Re:Passwords Expire (1)

Billosaur (927319) | more than 7 years ago | (#17243948)

> The myspace users can come up with one hard password and keep it forever.

And better yet, share it with their friends...

Pr0gr355 (1)

Doc Ruby (173196) | more than 7 years ago | (#17243578)

People have now demonstrated that we are more willing to change our language and ideas of "spelling", rather than remember obscure passwords. That's what "7337 5p34X" is all about. It's a way of permuting spelling into the larger, ambiguous character set to represent personal phonetics. It makes dictionary attacks much harder. If 2 7337 words are used, the password is probably nearly as tedious to crack as a truly random one.

Re:Pr0gr355 (0)

Anonymous Coward | more than 7 years ago | (#17243962)

> That's what "7337 5p34X" is all about.

What is this "Teet speak" you mention?

Re:Pr0gr355 (1)

Doc Ruby (173196) | more than 7 years ago | (#17244106)

Haha, you can't crack my code.

Re:Pr0gr355 (0)

Anonymous Coward | more than 7 years ago | (#17244208)

Using the same character to encode multiple letters is a dubious scheme at best. If you were trying to encode 'leet', you would have been better off with the string '1337', since the 7 bears a closer resemblance to a T than it does an L, or even the lower case l. The use of the number 1 allows for a clearer differentiation between the two. Of course, you'd then run into the same kind of problem distinguishing between lower case L and either case I, although, a | pipe symbol could be introduced to clear things up. Be creative.

Shit! I thought I was safe... (0)

Anonymous Coward | more than 7 years ago | (#17243602)

...with my 6.4 character password.

I thought even if they cracked the first 6 characters they'd never guess the last 0.4. I guess I was wrong.

You're ignoring the obvious (1, Funny)

neimon (713907) | more than 7 years ago | (#17243612)

How do you get .4 characters? What's 2/5 of 8 bits? 16/5? That's so kewel. NO one will guess that.

Awesome statistic (3, Interesting)

billdar (595311) | more than 7 years ago | (#17243616)

The best quote is from the article linked within the article:

"I was surprised about how many Christian-sounding -- for example, "Ilovejesus" -- log-on names were associated with the worst cuss words."

Draw your own conclusions, but I think there might be something to this.

(and yes I did RTFA+LFA, do I lose my subscription?)

Re:Awesome statistic (0, Flamebait)

smooth wombat (796938) | more than 7 years ago | (#17243704)

Even better, my brother's wife's mother works for a small AM radio station. She's in charge of figuring out who owes the station what for advertising.

She recently said that the most deadbeat non-payers are christian advertisers. Sometimes she has to practically fight with them to get them to pay.

Draw your own conclusions.

Re:Awesome statistic (1)

i.r.id10t (595143) | more than 7 years ago | (#17243734)

Had the same problems with some php programming I did for a local church... needless to say, I didn't offer to host them on my server...

why alphanumeric? (0, Insightful)

Anonymous Coward | more than 7 years ago | (#17243660)

> the great majority were at least alphanumeric

Why the great obsession with alphanumeric password? Is adklfjsldfjsdf harder to crack than adklf123dfjsdf? Doesn't the crackability depend on length of the password?

Re:why alphanumeric? (1)

JeanBaptiste (537955) | more than 7 years ago | (#17243892)

well it depends on the length of the password times the number of possibilities per character

so alphanumeric is harder than straight alpha
and alphanumeric + special characters is harder than just alphanumeric

Re:why alphanumeric? (0)

Anonymous Coward | more than 7 years ago | (#17244158)

I agree with your math. This is true with when comparing a security system that allows passwords with alphanumeric characters to a system that only allows alphabetical characters. However, given a system that allows alphanumeric characters, what is the point of requiring digits in a password? Why not just insist on a minimum number of characters? As long as this minimum number will take more than a year of computer time to crack.

because assuming people are lazy usually works (1)

brokeninside (34168) | more than 7 years ago | (#17244350)

Someone cracking a list of alphanumeric passwords where it is known that there is no requirement that the users include at least one numeric digit will (or at least should) assume that most users will be too lazy to include at least one numeric digit. Since this assumption will be true in the majority of cases, they've just reduced the time that it takes them to use either brute force or a dictionary attack in most cases. Requiring all users to use at least one numeric digit means that the hacker will always fail if this assumption is made. Requiring at least one digit /or/ punctuation symbol is even better.

Re:why alphanumeric? (1)

LiquidCoooled (634315) | more than 7 years ago | (#17244442)

It's because generally the routines will try alphas first

a
aa
ab
ac
ad
a.
az
a0
a1
a.
a9
abcd8

But you are right I think.

I wonder if anyone has done an analysis of the password crackers available and see which actual character flows there are (do any use random testing making "999999" just as statistically quick to crack as "aaaaaa")?

Re:why alphanumeric? (1)

SgtPepperKSU (905229) | more than 7 years ago | (#17244268)

> well it depends on the length of the password times the number of possibilities per character
>
> so alphanumeric is harder than straight alpha
> and alphanumeric + special characters is harder than just alphanumeric

Only if they know (or assume) that there are no numeric||special characters in your password.

Re:why alphanumeric? (3, Informative)

TranscendentalAnarch (1005937) | more than 7 years ago | (#17244088)

It depends on length and the character set.  Many cracking programs, brute force cracks, will iterate through all possible combinations of a character set up to a certain length.  This lets the program find simpler passwords faster.

With just alphabetic characters and a 6 character length you have about 26^6 or about 308 million possibilities

With alphanumeric characters and a 6 character length you have about 36^6 or about 2.1 billion possibilities

Extending to common non-alphanumeric characters (using shift+#) adds another 10, 46^6 or 9.4 billion possibilities

By comparison, changing the length of the previous examples:

Alpha: 26^7 = 8 billion
Alphanumeric: 36^7 = 78 billion
Extended with non-alphanumeric: 435 billion

So "crackability" as you dub it, is influenced heavily by the length of the password, but it is also greatly influenced by the character set used.

As for whether "adklfjsldfjsdf" is harder to crack than "adklf123dfjsdf".

"adklfjsldfjsdf" is 15 in length and alpha characters only (26^15)
"adklf123dfjsdf" is 15 in length and alphanumeric (36^15)

1,677,259,342,285,725,925,376 is less than 221,073,919,720,733,357,899,776

So the alphanumeric one is definitely more secure.

password1??? (1, Funny)

Rob T Firefly (844560) | more than 7 years ago | (#17243688)

Amazing! That's the same password I have on my luggage!

fear and netspeak (4, Insightful)

Kenshin (43036) | more than 7 years ago | (#17243702)

I figure there's two main reasons for this:

1) They're terrified of their peers breaking in and sabotaging their profiles. (I once got assaulted by a drunk girl I knew who thought I hacked her LiveJournal... which I didn't.)

2) They can't spell worth shit, due to netspeak, so typical dictionary approaches aren't going to work.

Also, you have to take into account the basic fact that younger people have grown up around computers, and understand the concept of passwords a bit better than your average middle-aged office worker.

It's fun writing in-house software (1)

Mr Muppet (139986) | more than 7 years ago | (#17243718)

Our corporate users are forced to come up with "complex" passwords (well, more complex than some people) because our auditors demanded it - minimum 7 characters, must have mixed case and numeric digits, and I put an easter egg in the code if you try to change your password to anything with the word 'password' in it :-)

The auditors haven't found the egg yet in the last few years, but they're back again in January....

My password ideas (1)

Non-CleverNickName (1027234) | more than 7 years ago | (#17243814)

None of my passwords mean anything.

All of my passwords are usually numeric patterns (done on the numpad) that form some shape or random pattern that I've come up with. They're not my birthday, my time of birth, SS#, phone number, etc, nothing that actually has any concrete meaning to it. Some are alphanumeric if both are required, but they still lack any concrete meaning.

It's a lot harder for someone to guess a password that just looks like a bunch of random numbers with no real meaning, especially when they ARE just a bunch of random numbers with no real meaning.

evil monkey in my closet (1)

coldsleep (1037374) | more than 7 years ago | (#17243822)

So what it's saying is that people who actually want to use a computer and internet are better at creating passwords than people who mostly see computers as something that cuts into profit? Color me shocked. Nothing really new here...passwords are easy to crack, yup. I don't know what the deal is with monkeys. Come on, everyone likes monkeys. Well, except the evil monkeys.

This is all wrong... (4, Funny)

creimer (824291) | more than 7 years ago | (#17243834)

MySpace passwords would fail more often if a l33t dictionary was used instead. Do kids even know words from a plain old dictionary?

usernames (1)

zakeria (1031430) | more than 7 years ago | (#17243882)

A good cryptic username is the best defence anyhow! passwords who needs 'em!!

Try it! (-1, Offtopic)

faqmaster (172770) | more than 7 years ago | (#17243906)

Did you know that if you type in your Slashdot password in the Comment box without using the Preview function, Slashcode will automatically replace it with *'s?

I'll type my password in below:
*********
See?

Try it yourself!

Re:Try it! (1)

RagingFuryBlack (956453) | more than 7 years ago | (#17243990)

prick Guess it didn't work

Re:Try it! (0, Flamebait)

Mantooth (991503) | more than 7 years ago | (#17244344)

My little brother's myspace password is bigcunt69 You won't find that in any dictionary.

Re:Try it! (0)

Anonymous Coward | more than 7 years ago | (#17244010)


Did it work?

Re:Try it! (1)

Vlad_the_Inhaler (32958) | more than 7 years ago | (#17244304)

Am trying it:

-> Phishing -

What does that look like?

HEY!!!!!

Long passwords (0)

Anonymous Coward | more than 7 years ago | (#17243910)

How do you get a 6.4 character long password??

Re:Long passwords (1)

zakeria (1031430) | more than 7 years ago | (#17244036)

with windows stickykeys!!!

Dictionary words? (5, Funny)

chrisb33 (964639) | more than 7 years ago | (#17243924)

> I'm impressed that less than 4 percent were dictionary words

Considering only 10 percent of the words on myspace are dictionary words to begin with, this isn't very surprising.

Maybe the users just used their usernames as passwords - that would probably be the best way to generate a random sequence of characters.

Don't be impressed. (4, Interesting)

Anonymous Coward | more than 7 years ago | (#17243976)

> I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.

I'm not. MySpace users have good passwords because MySpace requires them to, not because they're savvy. "Your password must contain at least one number and one punctuation mark," etc.

Of course they do (1)

vitaflo (20507) | more than 7 years ago | (#17243986)

Have you seen MySpace posts? I bet half their passwords are "OMGH0ttieL0lz".

Easy way of generating password from passphrase. (2, Informative)

Chyeburashka (122715) | more than 7 years ago | (#17244002)

$ cat passphrase
Slashdot It is what IT is.
$ openssl dgst -sha1 <passphrase
78538e69c508e665ccdbc37c841af2453bb69035

Just pick how many digits/letters you want from either the beginning or the end, and pick a passphrase which you can correctly and exactly remember.

that is terrible advice (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17244320)

You just cast what might be a secure passphrase into the set of characters [0-9a-f], greatly reducing the time needed to crack it.
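Added example (not code from either poster): the trade-off raised in this reply, worked through for the SHA-1 scheme in the parent comment. The function names, the base64 variant and the passphrase-entropy figures passed in are assumptions made for illustration.

```python
import base64
import hashlib
import math

DIGEST_BITS = 160                      # size of a SHA-1 digest
ALPHABET_SIZE = {"hex": 16, "base64": 64}

# Passphrase taken from the parent comment; no claim is made here that the
# digest matches the one posted (that depends on the exact bytes in the file).
PASSPHRASE = b"Slashdot It is what IT is."


def derive(passphrase: bytes, length: int, encoding: str = "hex") -> str:
    """Hash the passphrase with SHA-1 and keep the first `length` characters."""
    digest = hashlib.sha1(passphrase).digest()
    if encoding == "hex":
        text = digest.hex()                           # 40 characters, 4 bits each
    elif encoding == "base64":
        # 27 characters once padding is removed; the first 26 carry 6 bits each
        text = base64.b64encode(digest).decode("ascii").rstrip("=")
    else:
        raise ValueError("unknown encoding: " + encoding)
    if not 1 <= length <= len(text):
        raise ValueError("length out of range for this encoding")
    return text[:length]


def truncation_bits(length: int, encoding: str) -> float:
    """Upper bound on the entropy of `length` characters of the digest."""
    return min(length * math.log2(ALPHABET_SIZE[encoding]), DIGEST_BITS)


def effective_bits(passphrase_bits: float, length: int, encoding: str) -> float:
    """Strength of the derived password.

    Two searches are possible: enumerate every string of that length over the
    output alphabet, or guess passphrases and hash them (SHA-1 is fast and the
    scheme has no salt). The cheaper search sets the strength.
    `passphrase_bits` is the caller's own estimate, not something measured here.
    """
    return min(passphrase_bits, truncation_bits(length, encoding))


def chars_needed(target_bits: float, encoding: str) -> int:
    """Characters of digest text required to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(ALPHABET_SIZE[encoding]))


if __name__ == "__main__":
    for enc in ("hex", "base64"):
        pw = derive(PASSPHRASE, 8, enc)
        print(enc, pw, "at most", truncation_bits(8, enc), "bits;",
              chars_needed(64, enc), "chars needed for 64 bits")
    # A strong passphrase (estimated 60 bits) cut to 8 hex characters:
    print("strong phrase, 8 hex chars:", effective_bits(60, 8, "hex"), "bits")
    # A weak passphrase (estimated 20 bits) is not rescued by a long output:
    print("weak phrase, 40 hex chars:", effective_bits(20, 40, "hex"), "bits")
```
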

It's obvious! (2, Funny)

AntEater (16627) | more than 7 years ago | (#17244026)

Of course dictionary attacks won't work - have you seen the spelling on MySpace?!? It's not that they are trying to be more secure, it's that the users can't spell well enough to get a dictionary match.

Getoffamylawn!

It makes sense (1)

Cro Magnon (467622) | more than 7 years ago | (#17244028)

Think about the password suggestions. Longer than 7 characters, mixed case, numbers and special characters. Then think about the average MySpacer.

"OMFGLoL1337kiss@$$!!"

this doesn't say that much... (1)

shotgunsaint (968677) | more than 7 years ago | (#17244068)

It didn't used to be that way on Myspace, but now if you change your password or sign up for a new account, Myspace will force you to use at least an alphanumeric password. So maybe this should be a comparison of corporate IT vs. Myspace IT??

What About Leetspeak? (0)

Anonymous Coward | more than 7 years ago | (#17244110)

> I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.

It sounds like he should've run his dictionary cracker through a l33tsp3@k algorithm or two. He might have gotten far more positive results.

This AC finds the likelihood that the majority of the passwords were genuinely alphanumeric (random), to be highly suspect.

Our corporate secrets revealed (0)

Anonymous Coward | more than 7 years ago | (#17244136)


Our departmental password is Claire1.

When corporate policy stipulates a change, we change it to Claire2, Claire3 etc.

To make sure we remember which Claire we are on, it is written on a sticky note prominently stuck to the access computer.

Regards,

your friendly anonymous employee at a company administrating a couple of tens of billions.
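Added example (not part of the thread, and not any product's actual policy code): a password-change check that rejects the rotation patterns described in this comment (Claire1, Claire2, ...) and in the earlier one about password1106 followed by password1206. The function names and thresholds are hypothetical, and the check assumes it runs at change time, when the user has just typed the current password, since a system that stores only hashes has no other access to the old value.

```python
import re

_STEM_DIGITS = re.compile(r"(.*?)([0-9]*)", re.DOTALL)


def split_stem(password):
    """Split 'password1106' into ('password', '1106'); the digits may be empty."""
    stem, digits = _STEM_DIGITS.fullmatch(password).groups()
    return stem.casefold(), digits


def as_month_year(digits):
    """Read four digits as MMYY and return a month index, or None if not a date."""
    if len(digits) != 4:
        return None
    month, year = int(digits[:2]), int(digits[2:])
    if not 1 <= month <= 12:
        return None
    return year * 12 + (month - 1)


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def rotation_weakness(old, new, max_step=3, max_edits=2):
    """Return a reason string if `new` is guessable from `old`, else None.

    max_step and max_edits are assumed thresholds, not taken from any standard.
    """
    if old.casefold() == new.casefold():
        return "case change only"
    old_stem, old_digits = split_stem(old)
    new_stem, new_digits = split_stem(new)
    if old_stem and old_stem == new_stem:
        old_my, new_my = as_month_year(old_digits), as_month_year(new_digits)
        if old_my is not None and new_my is not None \
                and 0 < new_my - old_my <= max_step:
            return "date stamp advanced"
        if old_digits and new_digits \
                and 0 < int(new_digits) - int(old_digits) <= max_step:
            return "counter incremented"
        return "same stem, different digits"
    if edit_distance(old.casefold(), new.casefold()) <= max_edits:
        return "near-duplicate"
    return None


# Constructed test pairs; the first two come from the comments in this thread,
# the last pairs a strong password quoted in the thread with a made-up one.
SAMPLES = [
    ("password1106", "password1206"),
    ("Claire1", "Claire2"),
    ("password1206", "password0107"),   # year rollover, December to January
    ("password1", "Password1"),
    ("Mxo2s0LLn234aAZSQ", "kV7#pq9Lw2zR"),
]

if __name__ == "__main__":
    for old, new in SAMPLES:
        print(f"{old!r} -> {new!r}: {rotation_weakness(old, new) or 'accepted'}")
```
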

Simple reason (0)

Anonymous Coward | more than 7 years ago | (#17244182)

MySpace is voluntary and people are more invested in keeping their content there safe. Work "makes you" use a password, so you slough it off.

How to make your password more secure (1)

mattnuzum (839319) | more than 7 years ago | (#17244212)

Change from 'password1' to 'Password1' - this is now mixed case alphanumeric > 8 chars. How much more secure can you get than that?

I know, I know, I shouldn't have said anything... now there will be a sudden rush to slashdot's 'change password' page since I just exposed half the passwords here.

Well, duh. (0, Troll)

n1hilist (997601) | more than 7 years ago | (#17244354)

That's cause they're all kiddie fiddlers!

Agree with $Previousposter (1)

bishbashbosh (1018704) | more than 7 years ago | (#17244358)

i couldn't agree more with the fact that people who use myspace are absolutely petrified of their site being defaced, whereas your average corporate rat couldn't care less about the security of their computer...

password strength enforced (1)

itsdave (105030) | more than 7 years ago | (#17244362)

apparently you are all unaware that myspace actually enforces password strength.

they will not allow you to set your password to password, it must be alpha numeric, or contain special characters.

.gz? (2, Funny)

mattpointblank (936343) | more than 7 years ago | (#17244382)

> Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample


I love when the editors just copy and paste without even reading what they're posting. Which part of that sentence was a .gz file, Zonk?

Statistics from phishing attacks are wrong! (3, Insightful)

tradeoph (691427) | more than 7 years ago | (#17244438)

You can't compare the passwords from two different phishing attacks. You only get the passwords from people who fall for the scam. If one scam is easier to detect than the other one, then one sample will contain passwords from dumber people than the other sample.

The quality of passwords has nothing to do with the type of people that were scammed, but with the difficulty of detecting the spam.

How many do they have? (1)

gelfling (6534) | more than 7 years ago | (#17244484)

My corporate environment is close to implosion from the unending requirements for yet more passwords. You need a password to power up your machine, a password to start Windows, a password for Lotus Notes, a VPN dialer password, an intranet password for web apps, timecard apps, expenses, etc, an IM password (generally the intranet password), a password for HR apps, a password for benefits information. And we check for all of them and they expire but not at the same time and various password delivery subsystems employ different rules with different strengths. So it's almost impossible to keep it all straight without your own database. Once you find a new password that meets a given criterion you really just want to reset all of them to the same password - even though they are on different systems. So you wind up either with a lot of different passwords or exactly the same one. Or some messed up place in between.

I don't suspect MyAss users have more than two passwords to worry about - IM and MyAss. So they can afford to get creative. I don't, if I screw it up it's a huge pain in the ass to get a reset.