MySpace Users Have Stronger Passwords Than Employees
Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
Re:nobody can guess mine (Score:3, Informative)
You can also hold Alt while you type numbers on your keypad, like alt(128) = Ç.
Note: most password forms won't allow anything non-alphanumeric; even Slashdot didn't allow alt(127).
Easy way of generating password from passphrase. (Score:2, Informative)
Just pick how many digits/letters you want from either the beginning or the end, and pick a passphrase which you can correctly and exactly remember.
Re:why alphanumeric? (Score:3, Informative)
With just alphabetic characters and a 6 character length you have about 26^6 or about 308 million possibilities
With alphanumeric characters and a 6 character length you have about 36^6 or about 2.1 billion possibilities
Extending to common non-alphanumeric characters (using shift+#) adds another 10, 46^6 or 9.4 billion possibilities
By comparison, changing the length of the previous examples:
Alpha: 26^7 = 8 billion
Alphanumeric: 36^7 = 78 billion
Extended with non-alphanumeric: 435 billion
So "crackability" as you dub it, is influenced heavily by the length of the password, but it is also greatly influenced by the character set used.
As for whether "adklfjsldfjsdf" is harder to crack than "adklf123dfjsdf":
"adklfjsldfjsdf" is 15 in length and alpha characters only (26^15)
"adklf123dfjsdf" is 15 in length and alphanumeric (36^15)
1,677,259,342,285,725,925,376 is less than 221,073,919,720,733,357,899,776
So the alphanumeric one is definitely more secure.
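An added example (not part of the comment above or of the article): the keyspace arithmetic from that comment, next to the number of guesses a "dictionary word plus digits" attack needs for a password like the article's "password1". The wordlist, the function names, the case-folding and the two-digit suffix limit are assumptions made for this illustration.

```python
import math
import string

# Alphabets counted in the comment: 26 letters, 10 digits, 10 shift+digit symbols.
CLASSES = [string.ascii_lowercase, string.digits, "!@#$%^&*()"]
# Constructed sample wordlist; a real audit would load a full dictionary.
WORDLIST = {"password", "monkey", "soccer", "letmein"}


def alphabet_size(pw):
    """Size of the smallest combination of CLASSES that covers pw (case-folded)."""
    used = set(pw.lower())
    if used - set("".join(CLASSES)):
        raise ValueError("character outside the modelled alphabets")
    return sum(len(c) for c in CLASSES if used & set(c))


def keyspace(pw):
    """Brute-force search space: alphabet size raised to the password length."""
    return alphabet_size(pw) ** len(pw)


def dictionary_guesses(pw, max_suffix_digits=2):
    """Guesses needed by a 'word + short digit suffix' attack, or None if it misses."""
    base = pw.lower().rstrip(string.digits)
    suffix_len = len(pw) - len(base)
    if base in WORDLIST and suffix_len <= max_suffix_digits:
        # Every word, tried with every suffix of 0..max_suffix_digits digits.
        per_word = sum(10 ** k for k in range(max_suffix_digits + 1))
        return len(WORDLIST) * per_word
    return None


def audit(pw):
    """Report the nominal keyspace and the effective guess count for pw."""
    guesses = dictionary_guesses(pw)
    effective = guesses if guesses is not None else keyspace(pw)
    return {
        "keyspace": keyspace(pw),
        "effective": effective,
        "bits": round(math.log2(effective), 1),
    }


if __name__ == "__main__":
    for sample in ("abcdef", "abc123", "abc12!", "password1"):
        print(sample, audit(sample))
```

The nominal keyspace is only an upper bound on attacker effort: "password1" counts as alphanumeric, yet the dictionary check reports how few guesses actually cover it.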
Re:The Lesson? (Score:3, Informative)
The passwords I use at work are pretty pathetic.
The first reason is that I have to be able to remember them, which is difficult when they have to change every 6 weeks; the second reason is that only people within the company have access to the network anyway.
In order to get in from outside, I need another (strong, permanent, set by me) password and a 6-digit Tamagotchi code which changes every 60 seconds. If I did not have to change my work password so frequently, it would be a lot stronger.
Re:Okay... (Score:5, Informative)
"The attacker had registered a MySpace account named login_home_index_html, meaning that the MySpace page hosting the fake login looked like a legitimate place where users would sign on to the service."
So it was just a user page but it DID have myspace.com in the URL. The URL was:
http://www.myspace.com/login_home_index_html
MySpace requires strong passwords (Score:3, Informative)
Re:MOD PARENT INSIGHTFUL (Score:4, Informative)
Re:Duh! (Score:3, Informative)