MySpace Users Have Stronger Passwords Than Employees 263

Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user passwords to an earlier data set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
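The statistics quoted in the summary (share of dictionary words, share that are at least alphanumeric, average length) are the kind of thing one computes over a password set before comparing two corpora. The following is an added example, not code from the Wired column or from Schneier's analysis. It runs over a constructed ten-entry sample and a constructed six-word dictionary; the leet-substitution map and the trailing-digit stripping are assumptions about what counts as a "dictionary word" (so that "password1" and "p4ssw0rd" both land in that bucket, as Schneier's remark about "password1" suggests they should).

```python
import re
from statistics import mean

# Constructed sample standing in for a captured password set (not real data).
SAMPLE_PASSWORDS = [
    "password1", "password", "letmein", "p4ssw0rd", "Tr0ub4dor&3",
    "sunshine", "xk9#Lq2v", "abc123", "Ilovejesus", "qwerty",
]

# Constructed mini wordlist; a real check would load something like /usr/share/dict/words.
SMALL_DICTIONARY = {"password", "letmein", "sunshine", "qwerty", "abc", "monkey"}

# Assumed set of common digit/symbol-for-letter substitutions, undone before the lookup.
LEET_MAP = str.maketrans("01345@$!", "oleasasi")
TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def base_word(password: str) -> str:
    """Lowercase, drop a trailing run of digits/punctuation ('password1' -> 'password'),
    then undo leet substitutions ('p4ssw0rd' -> 'password')."""
    stripped = TRAILING_JUNK.sub("", password.lower())
    return stripped.translate(LEET_MAP)


def is_dictionary_word(password: str, dictionary=SMALL_DICTIONARY) -> bool:
    """True if the password is a wordlist entry once trivial decorations are removed."""
    return base_word(password) in dictionary


def is_alphanumeric_mix(password: str) -> bool:
    """True if the password contains at least one letter and at least one digit."""
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


def summarize(passwords, dictionary=SMALL_DICTIONARY) -> dict:
    """Fraction of dictionary-derived and of letter+digit passwords, plus mean length."""
    n = len(passwords)
    return {
        "n": n,
        "dictionary_fraction": sum(is_dictionary_word(p, dictionary) for p in passwords) / n,
        "alphanumeric_fraction": sum(is_alphanumeric_mix(p) for p in passwords) / n,
        "mean_length": mean(len(p) for p in passwords),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

On the constructed sample, 7 of 10 entries reduce to a wordlist entry, 5 of 10 mix letters and digits, and the mean length is 8.1 characters. Note that a whole-word lookup does not catch "Ilovejesus", which is why real audits also split on embedded words; that step is left out here.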
  • The Lesson? (Score:5, Interesting)

    by lunartik ( 94926 ) on Thursday December 14, 2006 @04:39PM (#17243502) Homepage Journal
    This may not mean that "passwords are getting better." It may just prove once again that people care more about their personal things than other people's stuff.
  • Re:Okay... (Score:3, Interesting)

    by biocute ( 936687 ) on Thursday December 14, 2006 @04:43PM (#17243598)
    Or maybe strong-passworded MySpace users feel they're more technically superior and thus fall more easily for a good phishing technique, while their weak-passworded counterparts feel more need to be careful.

    Or maybe nothing really happened, it's just a fake analysis.
  • Awesome statistic (Score:4, Interesting)

    by billdar ( 595311 ) * < y a p> on Thursday December 14, 2006 @04:45PM (#17243616) Homepage
    The best quote is from the article linked within the article:

    "I was surprised about how many Christian-sounding -- for example, "Ilovejesus" -- log-on names were associated with the worst cuss words."

    Draw your own conclusions, but I think there might be something to this.

    (and yes I did RTFA+LFA, do I lose my subscription?)

  • Don't be impressed. (Score:4, Interesting)

    by Anonymous Coward on Thursday December 14, 2006 @05:02PM (#17243976)
    I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.

    I'm not. MySpace users have good passwords because MySpace requires them to, not because they're savvy. "Your password must contain at least one number and one punctuation mark," etc.
  • Re:The Lesson? (Score:3, Interesting)

    by Hijacked Public ( 999535 ) * on Thursday December 14, 2006 @05:06PM (#17244060)
    A company I used to work for rolled out a scheme on their mostly Windows network where everyone's password expired every 30 days. The time period was based on the idea that in the time required to crack a sniffed password (think l0phtcrack) the user may have changed it, or at least reduced the window of opportunity for it to be used. It wasn't really an attempt to prevent social engineering, or guessing.

    Of course l0phtcrack would sniff and crack weak passwords in a matter of minutes, so I'm not sure how 30 days was arrived at, but I guess the idea was that something is better than nothing.
  • enforced patheticism (Score:1, Interesting)

    by Anonymous Coward on Thursday December 14, 2006 @05:21PM (#17244366)
    (is patheticism a word? nevermind...)

    When I started at my current place of employment, I was asked to set up a password to get into our company VPN. The rules seemed pretty straightforward, and since I try to be conscientious about good passwords, I didn't think twice about the clause in the policy that said "Your password must be 8 characters in length."

    It turns out, they meant it. As in, exactly eight characters. Not nine, not seven. Ten is right out.

    For added amusement: one of my company's lines of business is IT security consulting. Ha.
  • by chaosite ( 930734 ) on Thursday December 14, 2006 @05:25PM (#17244444)
    I had a modpoint left, but it expired. Seriously, l33t sp33k makes for excellent passwords... weird spelling, dropping vowels, and replacing letters with numbers, along with the other stuff j00 d0 wh3n j00 r ub3r1337, makes for passwords that can withstand a dictionary attack, are stronger against brute force because you have digits in random places (and not just at the end), and more...
  • learning at age 6 (Score:4, Interesting)

    by bcrowell ( 177657 ) on Thursday December 14, 2006 @05:43PM (#17244770) Homepage
    Computer security is something that kids are learning at younger ages these days. Case in point: My 6-year-old daughter plays a flash game called clubpenguin.com, which is basically a MUD where you're a penguin and you go around playing video games, socializing with other penguins, taking care of your pet, etc. Yesterday at school, her friend asked her for her login info, and she gave it to her. Yesterday evening, my daughter finished her homework, tried to log on, and got a message saying she'd been banned for 24 hours for cussing, and the time when her penguin was cussing was a time when she hadn't been on the computer. No big deal, but at age 6, she's now had a concrete experience that shows her how it's not a good idea to give your password to someone else, even someone you think you can trust.
  • Some differences (Score:2, Interesting)

    by bgspence ( 155914 ) on Thursday December 14, 2006 @06:24PM (#17245480)
    The MySpace user's password protects their own information.

    The corporate user's password protects some corporation's information.

    And, most passwords protect nothing worth protecting, such as my access to the NY Times.
  • Re:Okay... (Score:3, Interesting)

    by risk one ( 1013529 ) on Thursday December 14, 2006 @06:33PM (#17245680)
    Actually, this says that the subset of Myspace users that are dumb enough to fall for a phishing attack are still picking better passwords than a representative subset of the whole set of corporate employees. So the worst of the Myspace users are still better than the average corporate employee.

    It doesn't really surprise me. The slashdot hive mind may not greatly respect Myspace users, but the fact that they are on the internet and trying new stuff like Myspace makes them a lot more tech-friendly than the average American, or the average corporate employee. There is a huge amount of technophobia among the general public, and just being able to use the internet as entertainment puts you very much ahead of the flock. And it gets you learning, at which point the process becomes autonomous, and you're on the slippery slope into geekdom.
  • by RicktheBrick ( 588466 ) on Thursday December 14, 2006 @07:10PM (#17246292)
    I never worry about passwords. I would not worry if someone else knew my password for slashdot. What would they do with it? The only thing they could do is make comments in my name. Even with my bank accounts the only thing they can do is see how much money I have and transfer money between two of my accounts. If someone wanted to be super mean they could transfer all my checking account money into my savings account and thus cause any checks I write to bounce. They still would not get any personal gain from it. If passwords are such a problem let me suggest a hardware fix. Let there be two passwords. A local password that the user would remember and a password that would be sent out. There would be a table on either the hard drive or a USB flash memory card for the lookup of the secondary password. Since no one would have to memorize or even know the secondary password it could be 100 randomly generated characters and could be changed every time the user accesses the account. If one uses the USB flash memory then one could take it with them for use on another computer and, by removing it from the computer, prevent any other user on that computer from accessing their account. If it is that big a problem then a fix like that would have been used a long time ago.
  • Re:Duh! (Score:4, Interesting)

    by SeaFox ( 739806 ) on Thursday December 14, 2006 @07:31PM (#17246606)
    How is a password from sample A more secure than sample B when BOTH sample A and B's passwords were compromised?

    They were both compromised by social engineering. Which allows us to see the passwords people are choosing and find that corporate passwords are more vulnerable to brute force attacks.
  • Re:Duh! (Score:3, Interesting)

    by hackstraw ( 262471 ) * on Thursday December 14, 2006 @11:15PM (#17249000)
    They were both compromised by social engineering. Which allows us to see the passwords people are choosing and find that corporate passwords are more vulnerable to brute force attacks.

    I was being a little facetious. I'm not one who believes in "strong" passwords simply because I don't believe that they are secure to begin with.

    A standard lock on a door may not be as "strong" as a steel door with bolts going through it like a vault, but I do believe that most weak passwords are strong enough, like standard locks. In my years of working with computers, I have heard plenty of things about passwords (strong or not) being found or given away. I've heard of them phished, sniffed on plaintext transmissions, or social engineered. I've heard of root passwords being left in .bash_history files when someone mistyped 'su' and then typed the password having it stored.

    In fact, as far as weak passwords go, I've heard of default passwords being used plenty of times, even here on slashdot a few years back. I've heard of a handful of people getting in with 200 or so attempts via the standard ssh bruteforce attacks, but almost 100% of the time a computer geek's version of a weak password will never be compromised. The only exceptions were when people knew someone and tried things like their kids' names or whatnot, but that is VERY rare. I would like to hear any number of examples of brute force break-ins via weak passwords, but it's so much easier to just get the few characters from somebody via trickery or just asking them vs brute force. Back to the locks, even if a lock only takes a simple shoulder to break, most people will simply try all of the other doors and windows first.
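The "200 or so attempts via the standard ssh bruteforce attacks" hackstraw mentions are exactly the pattern a defender looks for in sshd's auth log: a burst of failures from one source, often spread over several usernames, and in the worst case an accepted login from that same source once the burst is under way. The block below is an added example, not code from any poster or project on this page. It parses constructed syslog-style sshd lines (the hostname, PIDs, usernames and documentation-range IPs are made up), counts failures per source, and flags sources that exceed an assumed threshold of five, marking whether a password login from that source was accepted after the threshold was crossed.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt (not from a real host); 198.51.100.7 and 203.0.113.9 are
# documentation addresses. One source hammers several accounts, then logs in as "dave";
# the other is a user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Dec 14 22:01:03 bastion sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Dec 14 22:01:05 bastion sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Dec 14 22:01:08 bastion sshd[2112]: Failed password for root from 198.51.100.7 port 40130 ssh2
Dec 14 22:01:10 bastion sshd[2112]: Failed password for root from 198.51.100.7 port 40130 ssh2
Dec 14 22:01:13 bastion sshd[2114]: Failed password for invalid user test from 198.51.100.7 port 40141 ssh2
Dec 14 22:01:15 bastion sshd[2114]: Failed password for invalid user test from 198.51.100.7 port 40141 ssh2
Dec 14 22:01:18 bastion sshd[2116]: Failed password for invalid user oracle from 198.51.100.7 port 40150 ssh2
Dec 14 22:01:20 bastion sshd[2116]: Failed password for invalid user oracle from 198.51.100.7 port 40150 ssh2
Dec 14 22:01:25 bastion sshd[2118]: Accepted password for dave from 198.51.100.7 port 40162 ssh2
Dec 14 22:03:40 bastion sshd[2140]: Failed password for dave from 203.0.113.9 port 51002 ssh2
Dec 14 22:03:47 bastion sshd[2140]: Accepted password for dave from 203.0.113.9 port 51002 ssh2
Dec 14 22:05:01 bastion CRON[2150]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog prefix, then sshd's standard "Failed password" / "Accepted password" messages.
_PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")
ACCEPTED_RE = re.compile(_PREFIX + r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")


def analyze_auth_log(text: str, threshold: int = 5) -> dict:
    """Return {ip: {"failures": n, "users": [...], "accepted_after_burst": bool}} for every
    source whose failed-password count reaches `threshold` (assumed value, tune per site)."""
    failures = defaultdict(int)
    users = defaultdict(set)
    flagged = {}
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ip = m["ip"]
            failures[ip] += 1
            users[ip].add(m["user"])
            if failures[ip] >= threshold:
                flagged.setdefault(ip, {"accepted_after_burst": False})
            continue
        m = ACCEPTED_RE.match(line)
        # A successful password login from a source already over threshold is the signal
        # that a guessing run actually landed, not just that it was attempted.
        if m and failures[m["ip"]] >= threshold:
            flagged[m["ip"]]["accepted_after_burst"] = True
    for ip, info in flagged.items():
        info["failures"] = failures[ip]
        info["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Run against the sample, only 198.51.100.7 is reported: eight failures across admin, oracle, root and test, with `accepted_after_burst` set because of the later login as dave. The single typo from 203.0.113.9 stays below threshold. A production version would key on a time window rather than the whole file and would also read `Invalid user` lines, but the per-source counting and the success-after-burst check are the core of the detection.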
