MySpace Users Have Stronger Passwords Than Employees 263
Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
The Lesson? (Score:5, Interesting)
Re:Okay... (Score:3, Interesting)
Or maybe nothing really happened, it's just a fake analysis.
Awesome statistic (Score:4, Interesting)
Draw your own conclusions, but I think there might be something to this.
(and yes I did RTFA+LFA, do I lose my subscription?)
Don't be impressed. (Score:4, Interesting)
I'm not. MySpace users have good passwords because MySpace requires them to, not because they're savvy. "Your password must contain at least one number and one punctuation mark," etc.
Re:The Lesson? (Score:3, Interesting)
Of course l0phtcrack would sniff and crack weak passwords in a matter of minutes, so I'm not sure how 30 days was arrived at, but I guess the ideas was that something is better than nothing.
enforced patheticism (Score:1, Interesting)
When I started at my current place of employment, I was asked to set up a password to get into our company VPN. The rules seemed pretty straightforward, and since I try to be conscientious about good passwords, I didn't think twice about the clause in the policy that said "Your password must be 8 characters in length."
It turns out, they meant it. As in, exactly eight characters. Not nine, not seven. Ten is right out.
For added amusement: one of my company's lines of business is IT security consulting. Ha.
MOD PARENT INSIGHTFUL (Score:2, Interesting)
learning at age 6 (Score:4, Interesting)
Some differences (Score:2, Interesting)
The corporate user's password protects some corporation's information.
And, most passwords protect nothing worth protecting, such as my access to the NY Times.
Re:Okay... (Score:3, Interesting)
It doesn't really surprise me. The slashdot hive mind may not greatly respect Myspace users, but the fact that they are on the internet and trying new stuff like Myspace, makes them a lot more tech-friendly than the average American, or the average corporate employee. There is a huge amount of technophobia among the general public, and just being able to use the internet as entertainment puts you very much ahead of the flock. And it gets you learning, at which point the process becomes autonomous, and you're on the slippery slope into geekdom.
Re:MOD PARENT INSIGHTFUL (Score:5, Interesting)
Re:Duh! (Score:4, Interesting)
They were both compromised by social engineering. Which allows us to see the passwords people are choosing and find that corporate passwords are more venerable to brute force attacks.
Re:Duh! (Score:3, Interesting)
I was being a little facetious. I'm not one who believes in "strong" passwords simply because I don't believe that they are secure to begin with.
A standard lock on a door may not be as "strong" as a steel door with bolts going through it like a vault, but I do believe that most weak passwords are strong enough, like standard locks. In my years of working with computers, I have heard plenty of things about passwords (strong or not) being found or given away. I've heard of them phished, sniffed on plaintext transmissions, or social engineered. I've heard of root passwords being left in
In fact, as far as weak passwords go, I've heard of default passwords being used plenty of times, even here on slashdot a few years back. I've heard of a handful of people getting in with 200 or so attempts via the standard ssh bruteforce attacks, but almost 100% of the time a computer geek's version of a weak password will never be compromised. The only exceptions were when people knew someone and tried things like their kids names or whatnot, but that is VERY rare. I would like to hear any number of examples of brute force breakins via weak passwords, but its so much easier to just get the few characters from somebody via trickery or just asking them vs brute force. Back to the locks, even if a lock only takes a simple shoulder to break, most people will simply try all of the other doors and windows first.