
MySpace Users Have Stronger Passwords Than Employees

Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
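An added example, not part of the Slashdot post or of Schneier's analysis: a Python audit that computes the kind of aggregate figures quoted above (share of dictionary words, character-class mix, average length) over a password list. The sample passwords, the word list and all function names are constructed for illustration.

```python
import string
from collections import Counter

# Constructed sample data for illustration; not taken from either data set.
SAMPLE_PASSWORDS = ["password1", "monkey", "abc123", "soccer", "iloveyou2",
                    "qwerty", "blink182", "Tr0ub4dor&3", "football", "1234567"]
SAMPLE_DICTIONARY = {"password", "monkey", "soccer", "football", "dragon"}


def char_class(pw):
    """Label a password by the character classes it draws from."""
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if any(not c.isalnum() for c in pw):
        return "non-alphanumeric"
    if has_alpha and has_digit:
        return "alphanumeric"
    return "letters only" if has_alpha else "numbers only"


def audit(passwords, dictionary):
    """Return aggregate statistics; individual passwords are never echoed."""
    pws = [p for p in passwords if p]  # ignore blank submissions
    if not pws:
        raise ValueError("no passwords to audit")
    classes = Counter(char_class(p) for p in pws)
    exact = sum(p.lower() in dictionary for p in pws)
    # A dictionary word with digits appended is labelled "alphanumeric",
    # yet it falls to a word list plus a trivial suffix rule.
    suffixed = sum(
        p.lower() not in dictionary
        and p.lower().rstrip(string.digits) in dictionary
        for p in pws
    )
    n = len(pws)
    return {
        "count": n,
        "avg_length": sum(map(len, pws)) / n,
        "pct_dictionary": 100 * exact / n,
        "pct_word_plus_digits": 100 * suffixed / n,
        "pct_by_class": {k: 100 * v / n for k, v in classes.items()},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS, SAMPLE_DICTIONARY).items():
        print(key, value)
```

Reporting the word-plus-digits share separately shows how much of the "alphanumeric" bucket is a dictionary word with a number appended, as in 'password1'.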

MySpace Users Have Stronger Passwords Than Corporate Employees

  • Okay... (Score:5, Insightful)

    by eln ( 21727 ) on Thursday December 14, 2006 @04:38PM (#17243498)
    So MySpace users are smart enough to pick somewhat secure passwords, but still dumb enough to fall for basic phishing attacks.

    It doesn't matter how strong their password is if they are still giving it to whoever asks for it.
  • More to lose (Score:5, Insightful)

    by CastrTroy ( 595695 ) on Thursday December 14, 2006 @04:40PM (#17243534)
    It's because the MySpace users have more to lose. They don't want someone defacing their website. Employees on the other hand probably don't care if someone logs into their computer.
  • Re:The Lesson? (Score:5, Insightful)

    by Cat_Byte ( 621676 ) on Thursday December 14, 2006 @04:40PM (#17243538) Journal
    I tend to think people come up with a really good password, then they have to come up with 12 others in a row after each expires and disallows reusing an old one.
  • by liak12345 ( 967676 ) on Thursday December 14, 2006 @04:41PM (#17243548)
    This shouldn't be groundbreaking news. Myspace accounts deal with a personal part of people's lives and they don't want it interfered with. Which individuals have a vested interest in corporate security?
  • Re:Password1? (Score:3, Insightful)

    by Rob the Bold ( 788862 ) on Thursday December 14, 2006 @04:42PM (#17243568)
    That's the kind of password an idiot would have on his electronic luggage!

    Only because someone made him use at least one numeral.

  • Stronger Passwords (Score:5, Insightful)

    by Joe The Dragon ( 967727 ) on Thursday December 14, 2006 @04:42PM (#17243572)
    It's easy to have Strong Passwords when you don't need to change them all the time and can't reuse parts of the old password in the new password.
  • Passwords Expire (Score:5, Insightful)

    by Mr_Blank ( 172031 ) on Thursday December 14, 2006 @04:42PM (#17243576) Journal

        The corporate drones have to deal with passwords that expire every 30/60/90 days, and once expired those passwords can never be reused. So creating a hard password and then remembering it is not so trivial. The myspace users can come up with one hard password and keep it forever.
  • why alphanumeric? (Score:0, Insightful)

    by Anonymous Coward on Thursday December 14, 2006 @04:47PM (#17243660)
    > the great majority were at least alphanumeric

    Why the great obsession with alphanumeric password? Is adklfjsldfjsdf harder to crack than adklf123dfjsdf? Doesn't the crackability depend on length of the password?

  • by Otter ( 3800 ) on Thursday December 14, 2006 @04:49PM (#17243698) Journal
    That's one of the two points I was going to make; the other being that a comparison to corporate passwords from 1989 is only slightly more informative than one to passwords from 1889.
  • fear and netspeak (Score:5, Insightful)

    by Kenshin ( 43036 ) <kenshin@lunarOPENBSDworks.ca minus bsd> on Thursday December 14, 2006 @04:49PM (#17243702) Homepage
    I figure there's two main reasons for this:

    1) They're terrified of their peers breaking in and sabotaging their profiles. (I once got assaulted by a drunk girl I knew who thought I hacked her LiveJournal... which I didn't.)

    2) They can't spell worth shit, due to netspeak, so typical dictionary approaches aren't going to work.

    Also, you have to take into account the basic fact that younger people have grown up around computers, and understand the concept of passwords a bit better than your average middle-aged office worker.
  • Duh! (Score:4, Insightful)

    by EmbeddedJanitor ( 597831 ) on Thursday December 14, 2006 @04:52PM (#17243772)
    Those corporate users that were dumb enough to fall for phishing had bad passwords. No surprises there. People prone to phishing are probably less security conscious.

    Are myspace users really more security conscious? Or are the typical demographics those people who tend to use oddball non-English words and text phrases that end up being "good passwords". yourmom69

  • Re:The Lesson? (Score:5, Insightful)

    by lpcustom ( 579886 ) on Thursday December 14, 2006 @04:53PM (#17243800)
    Yeah I agree. The time limits on passwords cause most people to just come up with something easier to remember. Why should I have to change my password every 30 days if it's something like Mxo2s0LLn234aAZSQ? If I can't even get it right I'm sure no one else is going to guess it. There shouldn't be a need to change it.
  • Re:Duh! (Score:4, Insightful)

    by daeg ( 828071 ) on Thursday December 14, 2006 @04:54PM (#17243826)
    Just shows that MySpace users value their virtual presence more than corporate users value their jobs.
  • by The Monster ( 227884 ) on Thursday December 14, 2006 @05:09PM (#17244120) Homepage
    I have never understood how making people change their passwords so often that they have to write them down like the school secretary in War Games, or use weak passwords that are easy to remember.

    I understand the theory that it makes it tough on the crackers, of course, but that theory presumes that all other things are equal. I don't believe they are.

  • by Anonymous Coward on Thursday December 14, 2006 @05:18PM (#17244320)
    You just cast what might be a secure passphrase into the set of characters [0-9a-f], greatly reducing the time needed to crack it.
  • by tradeoph ( 691427 ) on Thursday December 14, 2006 @05:25PM (#17244438)
    You can't compare the passwords from two different phishing attacks. You only get the passwords from people who fall for the scam. If one scam is easier to detect than the other one, then one sample will contain passwords from dumber people than the other sample.

    The quality of passwords has nothing to do with the type of people that were scammed, but with the difficulty of detecting the spam.

  • by Buelldozer ( 713671 ) on Thursday December 14, 2006 @05:35PM (#17244642)
    You've been modded 'funny' but you should really be 'insightful' because your comment is TRUE.
  • Re:Duh! (Score:4, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday December 14, 2006 @05:42PM (#17244744) Homepage Journal
    > Just shows that MySpace users value their virtual presence more than corporate users value their jobs.

    Au contraire! It shows that MySpace users value their virtual presence more than corporate users value data security on the corporate network. Not the same thing. Most people don't get fired for choosing a shit password and getting the company hacked up.

  • Re:Duh! (Score:3, Insightful)

    by hackstraw ( 262471 ) * on Thursday December 14, 2006 @06:16PM (#17245346)
    > Au contraire! It shows that MySpace users value their virtual presence more than corporate users value data security on the corporate network. Not the same thing. Most people don't get fired for choosing a shit password and getting the company hacked up.

    Riddle me this Batman.

    How is a password from sample A more secure than sample B when BOTH sample A and B's passwords were compromised?

  • Re:Duh! (Score:1, Insightful)

    by Anonymous Coward on Thursday December 14, 2006 @06:49PM (#17245956)
    uh, it actually says the MYSPACE users fell for the phishing scam, it doesn't specify how they got the corporate data... All it shows is the fact that employees care less about company information than people do about private accounts... my password at work is the current month and year...
  • Re:Password1? (Score:2, Insightful)

    by pete6677 ( 681676 ) on Thursday December 14, 2006 @07:14PM (#17246338)
    Maybe they're just tired of hearing it for the 45765th time on slashdot, therefore making it redundant.
  • by Jarjarthejedi ( 996957 ) <christianpinch@@@gmail...com> on Thursday December 14, 2006 @07:46PM (#17246810) Journal
    Okay so reading this article tells me that of the corporate people who fell for a phishing attack, fewer had good passwords than those on myspace who fell for a similar attack. So yes, you could draw the conclusion that myspace passwords are better. You're likely wrong though since it's nowhere near a random sample. What I see in this study is that the myspace people who made good passwords fell for the oldest trick in the book whereas in the corporate world only those who don't make good passwords fell for the attack.

    So yes, you could say what the article title says, but that's hardly even close to accurate. What's more likely is that myspace users are LESS security conscious and that myspace requires numbers.
  • Bias (Score:2, Insightful)

    by insertwackynamehere ( 891357 ) on Thursday December 14, 2006 @11:47PM (#17249268) Journal
    Note that the only passwords looked at were phished ones, which introduces bias as more security savvy people would be less likely to fall for phishing (and probably more likely to use strong passwords). Of course the article then shows even not-so-security savvy people have good passwords.. but still there is bias whether or not it seems logical :P

