Analysis of 32 Million Breached Passwords (499 comments)

Posted by CmdrTaco
from the trust-no-1 dept.
An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
  • by Anonymous Coward on Thursday January 21, 2010 @09:46AM (#30845068)

    My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.

    • by Rockoon (1252108) on Thursday January 21, 2010 @09:54AM (#30845136)
      My company (over 10,000 employees, not in the computer industry) does the same thing, but the really annoying part..

      ..it must be EXACTLY 2 letters, followed by EXACTLY 4 digits.

      So even allowing for upper case (which I am not sure that it differentiates), the total password space is only 2704000000.

      The size of this space can conveniently fit into a 32-bit value, which is probably what they are doing: storing passwords in an integer field.

      Did I mention that they pay our IT department $11/hour?

      Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...
      • Did I mention that they pay our IT department $11/hour?

        Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...

        Shit, I thought I had it bad with pay.

        We moved to a required 8 digits and 3 of the 4: Upper case, lower case, symbol, number. Resets every 30 days. What has happened with me? My strong 20 digit password has been trimmed down to the bare minimum because I will have to change it in 30 days anyway. Completely defeats the purpose.

      • by Anonymous Coward on Thursday January 21, 2010 @10:35AM (#30845590)

        .., followed by "1111" then "2222" then "3333" and so forth...

        Don't you mean so 4444th.

      • by nine-times (778537) <nine.times@gmail.com> on Thursday January 21, 2010 @10:52AM (#30845798) Homepage

        ..it must be EXACTLY 2 letters, followed by EXACTLY 4 digits.

        That's retarded.

        I've thought about this sort of thing before, where password policies also have the effect of narrowing the number of possible passwords. For example, it's pretty standard for a company to have a policy like, "Your password must be at least 10 characters, contain at least one capital letter and one lower case letter, contain at least 1 number and one non-alpha-numeric character." And yes, it's true that keeping these policies has the effect of increasing the number of combinations, but it also is simultaneously narrowing the combinations.

        If a hacker knows this policy and were to try a brute-force attack, they would be able to disregard any possible passwords made of 7 characters or less. They would be able to get rid of all combinations that were all lower-case, all upper-case, or even all alphanumeric. I haven't done the math and I'm sure that requiring some of these things are still a net gain, but it struck me as funny. Like if someone were to try a very clever brute-force attack that didn't bother trying all-alphanumeric passwords, then "password" would in that case be a safer password than "*pQQ\K6"XSiM". It might take him a million years to get to "*pQQ\K6"XSiM", but he'd never try "password".

        • by clodney (778910) on Thursday January 21, 2010 @11:19AM (#30846190)

          It may narrow the nominal keyspace, but it almost certainly increases the average keyspace that needs to be searched. Without the complexity requirements most people will use a dictionary word or something like that. And the company wants to keep all the accounts secure, so it has to care about the average password.

          And think of it this way - in a keyspace that requires 10 numeric digits, what percentage of the total keyspace is consumed by anything containing less than 10 digits? Seems to me you have only given up 10% of the space, and an even smaller percentage if you consider the full printable range of characters instead of just numerics.
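The "narrowing vs. average keyspace" argument in the two comments above can be checked with a few lines of counting. This is an added example, not code from the thread or from the Imperva report; the class sizes (26 lower, 26 upper, 10 digits, the 32 ASCII punctuation characters as "symbols") and the 10-character policy are assumptions chosen to match the policy nine-times describes. It counts the strings a composition rule excludes from the nominal space by inclusion-exclusion, and sizes the single fixed template kalirion describes further down, which is the much smaller space an attacker actually searches when everyone follows the same predictable shape.

```python
"""Worked keyspace arithmetic for password-composition policies.

Counts how many strings of a given length satisfy an "at least one of each
class" rule (the compliant space), compares it with the nominal space the
policy draws from, and sizes one fixed positional template. Character-class
sizes are assumptions: 26 lower, 26 upper, 10 digits, 32 punctuation symbols.
"""
from itertools import combinations
from math import log2
import string

CLASSES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}


def keyspace(length, classes=None, alphabet=CLASSES):
    """Nominal keyspace: every string of `length` over the given classes
    (all classes in `alphabet` when `classes` is None)."""
    classes = classes or list(alphabet)
    return sum(alphabet[c] for c in classes) ** length


def compliant_count(length, required, alphabet=CLASSES):
    """Strings of `length` over the whole alphabet that contain at least one
    character from every class in `required`.

    Inclusion-exclusion over the set of required classes that are absent:
    start from all strings, subtract those missing any one required class,
    add back those missing any two, and so on.
    """
    total = sum(alphabet.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = total - sum(alphabet[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def excluded_fraction(length, required, alphabet=CLASSES):
    """Share of the nominal keyspace a composition rule tells an attacker
    never to try: the "narrowing" half of the argument."""
    nominal = keyspace(length, alphabet=alphabet)
    return 1 - compliant_count(length, required, alphabet) / nominal


def template_count(template, alphabet=CLASSES):
    """Size of one fixed positional template such as
    ["upper"] + ["lower"] * 7 + ["digit", "symbol"]: the space searched
    when users all follow the same predictable shape (the "average
    keyspace" half of the argument)."""
    n = 1
    for cls in template:
        n *= alphabet[cls]
    return n


def bits(n):
    """Keyspace size expressed in bits."""
    return log2(n)


if __name__ == "__main__":
    policy = ("lower", "upper", "digit", "symbol")
    print(f"10-char nominal space:   2^{bits(keyspace(10)):.1f}")
    print(f"10-char compliant space: 2^{bits(compliant_count(10, policy)):.1f} "
          f"({excluded_fraction(10, policy):.1%} of the nominal space excluded)")
    print(f"8-char lower-case-only space: 2^{bits(keyspace(8, ['lower'])):.1f}")
    fixed = ["upper"] + ["lower"] * 7 + ["digit", "symbol"]
    print(f"fixed Upper+7lower+digit+symbol template: "
          f"2^{bits(template_count(fixed)):.1f}")
```

Running it shows the two halves of the argument side by side: the rule excludes only a small fraction of the nominal 94^10 space, but a population that satisfies it with one predictable template collapses to roughly 2^46, far below 2^65 and within reach of a dictionary for the letter positions.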

        • by kalirion (728907) on Thursday January 21, 2010 @12:11PM (#30846854)

          Given the above policy, a smart hacker would bruteforce the following template:

          (1 capital letter)(7 lower case letters)(1 number)(1 special character). With a dictionary attack for the first 8 characters.

          Password1!

    • by suso (153703) * on Thursday January 21, 2010 @10:11AM (#30845288) Homepage Journal

      I dealt with a bank once that expected its customers to change their passwords every 2 weeks. So obviously what happened is every time a customer needed to check their bank account, probably once a month, they were locked out. Now this isn't necessarily the problem here. The problem is that with people having to call in every time to reset their password, it becomes such a norm that it probably drastically increases the potential for social engineering.

    • by WuphonsReach (684551) on Thursday January 21, 2010 @10:18AM (#30845394)
      My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.

      It's a leftover idea from a bygone decade.

      The primary advantage of a required monthly or bi-monthly change is that if a password is compromised, it's only useful for about 1/2 of the expiration period. So it's a way of reducing risk in the case of accidental or nefarious disclosure.

      But the big downside is that it requires users to be constantly learning new passwords every month or so. And unless these passwords are automatically assigned, users WILL pick weaker and weaker passwords over time or passwords that fit into an easily remembered sequence. So you really end up back where you started.

      Forced password renewal is a valid strategy in a small number of cases. Such as a system which protects billions of dollars in assets or is super super critical to the business. But in those cases, there should be 2-factor authentication in play anyway and the passwords probably only need to be changed every 3-6 months and should be randomly assigned.

      For end users? Limit their permissions, force complex passwords, but don't require them to change frequently (*maybe* once every 2 years). Tell them to go ahead and write the passwords down and store them in their wallet next to their credit cards. Which is at least a huge step up from putting it under the keyboard or stuck to the monitor.

      Longer passwords are also easier to remember if they are used frequently (at least daily). But for some users, it may take as long as 2-3 weeks for them to remember it without looking.
    • That’s why I chose “visual pattern” passwords. I draw symbols on the keyboard, e.g. while holding Mod3. (NEO layout [neo-layout.org]. Hover the mouse above “Ebene 3”.)
      Like an N. Which results in “#\.../|{[” or “#u...1_a~e]4” (where ... is one character [&hellip;] that Slashdot does not accept.)

      (This is an example. The real type of pattern I use is something different. ;)

    • by zx75 (304335) on Thursday January 21, 2010 @10:33AM (#30845566) Homepage

      I need to change my company password every month, but the password strength for my company account remains strong.

      My password strength for a website forum where I never need to change it however, is usually weak.

      The password strength I use is highly correlated with the sensitivity of the information it allows access to and the importance of the systems.

      I would fall into the 96% of people who don't use non-alphanumerics for "Rockyou.com".

  • I think it would be interesting to search the passwords I use against the list. I like to think that my passwords are pretty good, but it would be interesting to see how similar they are to the passwords that were obtained and used in the study.
  • The Top 10 (Score:5, Informative)

    by goldaryn (834427) on Thursday January 21, 2010 @09:48AM (#30845078) Homepage

    1. 123456
    2. 12345
    3. 123456789
    4. Password
    5. iloveyou
    6. princess
    7. rockyou
    8. 1234567
    9. 12345678
    10. abc123

    By a massive coincidence, these happen to be the passwords for their respective /. userids!

  • by geekmux (1040042) on Thursday January 21, 2010 @09:49AM (#30845094)

    ...Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

    Er, does it REALLY matter anymore the strength of your password with the FBI using post-it notes as a search warrant? I mean I hate to say that, but seriously.

    On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.

  • by realsilly (186931) on Thursday January 21, 2010 @09:49AM (#30845098)

    I can't tell you how frustrating it is to try to keep information secure on various web sites or with companies that still use antiquated password styles. 6-8 chars or numbers only? Really? Still? After all the identity theft you'd think companies would at least step up their need to have users have strong passwords. But nope, places like Earthlink still use limited password capability.

    • by Scutter (18425) on Thursday January 21, 2010 @09:53AM (#30845130) Journal

      The report makes it painfully obvious that passwords are an ineffective way to secure information because too many people find strong passwords cumbersome. Maybe we need to come up with something better.

      • by jellomizer (103300) on Thursday January 21, 2010 @10:16AM (#30845360)

        Every attempt at doing so creates a serious privacy problem, adds an extra level of security problem, or is very complicated that it is difficult to deploy on a large scale.

  • by 140Mandak262Jamuna (970587) on Thursday January 21, 2010 @09:51AM (#30845106) Journal
    At least in Alaska, ZIP codes seem to be the most popular choice, according to a survey of one known case.
  • by naz404 (1282810) on Thursday January 21, 2010 @09:52AM (#30845120) Homepage
    Does anyone have the list of passwords itself?

    It would be fun to perform one's own statistical analysis of the list :)
    Here's the top 20 most common passwords used according to the report:

    Rank  Password    # of Users
       1  123456          290731
       2  12345            79078
       3  123456789        76790
       4  Password         61958
       5  iloveyou         51622
       6  princess         35231
       7  rockyou          22588
       8  1234567          21726
       9  12345678         20553
      10  abc123           17542
      11  Nicole           17168
      12  Daniel           16409
      13  babygirl         16094
      14  monkey           15294
      15  Jessica          15162
      16  Lovely           14950
      17  michael          14898
      18  Ashley           14329
      19  654321           13984
      20  Qwerty           13856
  • by adosch (1397357) on Thursday January 21, 2010 @09:58AM (#30845166)
    RockYou is a MySpace photo/video sharing site (from what I could gather from googling, never used it myself) and it's certainly no excuse that people implement bone-head password choices such as the 10 shame shame list FTFA. However, I didn't really see the article address or even consider that their target users on the RockYou site aren't generally as security conscious as the geek, wanna-be security folks on /. are. I'm glad the analysis and study was done, but I'm really not surprised. If people are picking '123456' as the #1 password, as much as we have a PEBKAC [wikipedia.org] situation on our hands, I fault RockYou for not implementing some sort of semi-secure password standard.
  • by tunabomber (259585) on Thursday January 21, 2010 @09:59AM (#30845182) Homepage

    Is it even worth the effort of coming up with a secure password for that site? If I had for some reason found it necessary to register with such a vapid site I would have just re-used one of my low-security passwords (which many other sites have access to). It isn't too surprising that nobody cares whether someone else is using their account to steal their noisy, eye-burning flash videos. What is far worse is if people are re-using passwords from much more important sites. In this case, it doesn't matter if your password is a random string of letters, numbers and special characters.

    • by tunabomber (259585) on Thursday January 21, 2010 @10:06AM (#30845238) Homepage

      To clarify here, I only reuse passwords for accounts which could not be used for anything too nefarious if they were hacked. My logins for more important sites (like /.) have unique passwords.

    • by JSBiff (87824) on Thursday January 21, 2010 @10:37AM (#30845612) Journal

      I have a couple questions for some more security minded folks here on slashdot, about the 'conclusions' of the analysis in the linked article. . .

      * "The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as 'brute force attacks.'"

            Is this really true? Here's why I ask - most websites (though unfortunately not all), seem to lock your account if you don't get the right password in 3-5 attempts. Then, it may stay locked for 15 minutes, or 24 hours, or until you go through a process of some sort to verify the account (such as an automated email to the address on record, with a link you have to click in the email).

            If the website takes such measures, doesn't that shut down brute force attacks pretty fast, even with fairly simple passwords? If the website is doing that, and it shuts down brute force attacks, doesn't that mean that even a somewhat weak password can provide 'good enough' protection?

      * While I'm sure that adding special symbols does make the password harder to brute force, isn't even an alpha-num password pretty strong if it's about 10-12 characters long and mixes both upper and lower as well as some numbers? Personally, if I was guiding someone about a password, and I know they have a hard time remembering complex passwords, I would urge them to a longer password instead of a more complex one, because the length makes the complexity grow exponentially, right?

      * Sort of touching on the parent's point - appropriateness. We can't remember lots of complex long passwords, so I would think that we should get people to concentrate on remembering complex passwords for the things that most need them - particularly things which can be attacked 'offline'? By 'offline', I'm thinking of something like, say, an encrypted file (like a zip file or TrueCrypt volume file), and online passwords which protect truly important stuff like access to your network account at work, your bank account, Tax-site password, etc.

      Of course, there are always 'password safe' type applications, but I've never really liked the idea of a password safe, simply because I don't necessarily have access to it whenever I need a password. Take, for example, going to a library, FedexKinkos, or college computer lab, and needing to access a password protected site. Even if you *do* have your password safe file, on a USB key (for example; or maybe you can download your 'safe' from a site online), you may not be able to run the password safe software to decrypt it. Even if you *can* run the password safe file from the USB key, on the public computer, do you really trust that public computer to decrypt all your passwords? I just don't like the concept of password safes, for these reasons.

  • by Dun Malg (230075) on Thursday January 21, 2010 @10:00AM (#30845192) Homepage

    Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

    Why is it any surprise that people tend to approach passwords as a pass-WORD? It has to be something they can remember, and remembering a string of characters they can't pronounce is far more difficult than remembering (say) their favorite basketball team and the year they graduated high school.

    • by Megane (129182) on Thursday January 21, 2010 @10:37AM (#30845610) Homepage

      There's no reason something can't be both pronounceable and secure. Start with two nonsense syllables, and add a special character between them. Not quite as "secure" as a completely random password, but much less likely to be written down, plus some of the letters can be l33t3d for variant forms. Make three base words for various levels of usage (one for regular web stuff, one for login passwords, and another rarely used for important stuff), and you can even keep around hints for rarely used passwords with one letter and a bunch of ## or @@ symbols for the parts that change.

      A good way to make something pronounceable is with the old "D&D character name generator" type of program, making a CVCCVC name. So you get, for instance, DORLOT (FWIW, I cheated just now and used an alpha D20), and don't tell me you can't pronounce that. Then some variant passwords from that would be "dor%lot", "d0r##lOt", and "D0r:*!o+". They're still "dorlot", but the result is a lot more secure than picking a dictionary word and puts you into that tiny wedge on TFA's pie chart. And while they're all similar, they're different enough that a compromise in one place won't let someone get into every account you have anywhere.
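The CVCCVC generator described above, written out as an added example (not Megane's code, and not from any of the tools mentioned): it draws the base word with a CSPRNG rather than a d20, inserts punctuation between the syllables, and also measures what the pronounceability constraint costs in entropy. The consonant and vowel sets and the use of all 32 ASCII punctuation characters as separators are assumptions.

```python
"""Pronounceable CVCCVC base words from a CSPRNG, with the entropy cost of
the pattern made explicit. Consonant/vowel/separator sets are assumptions.
"""
import secrets
import string
from math import log2

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)  # 21
PATTERN = "CVCCVC"
SEPARATORS = string.punctuation  # 32 characters


def cvccvc_word(rng=secrets):
    """Draw one base word following the C/V pattern with a CSPRNG."""
    return "".join(rng.choice(CONSONANTS if p == "C" else VOWELS) for p in PATTERN)


def with_separator(word, count=1, rng=secrets):
    """Insert `count` random punctuation characters between the two
    syllables, e.g. "dorlot" -> "dor%lot"."""
    half = len(word) // 2
    sep = "".join(rng.choice(SEPARATORS) for _ in range(count))
    return word[:half] + sep + word[half:]


def is_cvccvc(word):
    """True if `word` fits the pattern exactly (used to validate output)."""
    return len(word) == len(PATTERN) and all(
        (ch in CONSONANTS) if p == "C" else (ch in VOWELS)
        for p, ch in zip(PATTERN, word))


def pattern_entropy_bits(pattern=PATTERN):
    """log2 of the number of distinct words the pattern can produce:
    21^4 * 5^2 for CVCCVC, about 22.2 bits."""
    n = 1
    for p in pattern:
        n *= len(CONSONANTS) if p == "C" else len(VOWELS)
    return log2(n)


def separator_entropy_bits(count=1):
    """Entropy added by `count` uniformly chosen separator characters."""
    return count * log2(len(SEPARATORS))


def random_word_bits(length, alphabet_size=26):
    """Entropy of an unconstrained random word of the same length, for
    comparison with the pronounceable pattern."""
    return length * log2(alphabet_size)


if __name__ == "__main__":
    base = cvccvc_word()
    print(base, with_separator(base), with_separator(base, count=2))
    print(f"CVCCVC word: {pattern_entropy_bits():.1f} bits; "
          f"random 6 letters: {random_word_bits(6):.1f} bits; "
          f"each separator adds {separator_entropy_bits():.1f} bits")
```

The numbers are the caveat a practitioner wants next to this scheme: a CVCCVC word carries about 22 bits against 28 for six unconstrained letters, and the separators, not the base word, supply most of what is gained over a dictionary word.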

  • by jmauro (32523) on Thursday January 21, 2010 @10:05AM (#30845224)

    Since most sites have a bunch of silly restrictions (no special characters, no more than 8, etc) most systems, if they don't enforce strength, randomness, etc, will degrade down to the lowest level where the password will work on all the systems.

  • by AbbeyRoad (198852) <p@2038bug.com> on Thursday January 21, 2010 @10:05AM (#30845228) Homepage

    The article says that in 20 years users have not gotten better at creating good passwords.

    Logically then the solution is NOT to get users to take "password security seriously". This is like trying to stop VD by convincing teens to abstain from sex - it's in the never-going-to-happen category.

    The solution is to mitigate the damage of a brute force attack - when bots make password guess attempts, you need counter-"bots" to detect patterns of access and then block IPs, warn users, or disable accounts. This is a form of intrusion detection.

    This is not to mention that for most web accounts, a break in doesn't matter - what damage can the hacker really do? Like post things-you-didn't-say and trash your reputation on www.social-site-for-people-who-spend-to-much-time-online.com? Heck, that's major dude.

    Just a wild guess here, but let's ask: Are there web site owners who think the logins they host are way more important to their customers than they actually are?

    Hmmm

    -paul

  • by Pojut (1027544) on Thursday January 21, 2010 @10:08AM (#30845254) Homepage

    My passwords tend to be words that I make up on the spot, with a couple of numbers thrown into the mix. They don't seem too difficult on the surface...but then again it is a word that I make up, some of which don't even have vowels lol. I have a series of seven different ones that I use.

    It's worked quite well for me over the years :-)

  • Does one really need to worry about "brute force" attacks if it's a system that enforces a lock-out of a user account after a set number of incorrect passwords (say, 5 in 10 minutes or so)?

  • Why surprising? (Score:5, Insightful)

    by argStyopa (232550) on Thursday January 21, 2010 @10:09AM (#30845278) Journal

    "Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords."

    Not surprising at all, because the rules for what you CAN use as passwords are so inconsistent. Some places REQUIRE non alphanumerics, but have a limited choice of what you can use. Some don't accept ANY non alphanumerics, some will accept them but again it's different from site to site.

    I don't know about you, but I've probably got 100 different passwords rattling around in my brain. I'd guess most people are like me in that they see passwords as a necessary evil but otherwise a giant pain in the ass, and so accept the slight increase in security risk by using a system that changes predictably (at least for me) from site to site. So I'm not going to use a base-password or base-concept that includes any characters that might be disallowed on some other site.

  • by Kupfernigk (1190345) on Thursday January 21, 2010 @10:16AM (#30845340)
    One thing that bugs me is the people who think that requiring at least one capital and one non-alphanumeric makes the password a lot stronger. Using lower case alphanumeric gives a range of 36 symbols at each point. Adding the new constraint increases this to around 70, given the limited set of non-alpha likely to be used. It doesn't take a genius to work out that, for instance, an 8-character plain lower case alphanumeric has more possible values than a 6-character mixed password. And I can easily generate a highly insecure password with the stricter requirement which will still be memorable for me and perhaps guessable - e.g. Fred-41.

    As a simple example, a test install of SQL Server 2008 refused to accept an sa password which was highly secure - 11 random lower case alphanumerics - but was quite happy with Micro$0ft. Childish I know, but I wanted to check if they had implemented an algorithm to detect "obvious" password variants.

    Perhaps someone is still using MD5 hashes for passwords. Or not using any hashes at all.

  • 12345? (Score:3, Funny)

    by selven (1556643) on Thursday January 21, 2010 @10:16AM (#30845350)

    That sounds like a combination that an idiot would put on his luggage.

  • by ugen (93902) on Thursday January 21, 2010 @10:18AM (#30845392)

    Strength of a chosen password is a function of information it protects. I am sure most users follow this rule even without specifically identifying it.
    In this sense, services like Rockyou are at the very bottom - the only reason users select a password for such a service is because it requires them to. I would bet that if it let users have an option of not having a password at all - they would gladly do so.

    While I don't have a sample to prove this, it would be interesting to compare these to passwords selected for a major email provider (gmail, yahoo) and an online banking service. I would bet that (even without any specific controls and limits on characters used) these would be quite a bit more complicated, proportionately. I.e. somewhat more difficult to guess for the email, depending on how important the particular mailbox is to its owner, and quite complex for a bank account.

    In any case, this selection of users is hardly a random sample and drawing any general conclusions based on it would be premature to say the least.

  • intelligent password management:

    pick something you will always remember say "frankie45"

    lets say the website you are visiting is facebook.com

    so your password there will be "frankie45face"

    and your password at twitter.com would be "frankie45twit"

    in other words, you want to use what's called an algorithm

    make your ALGORITHM unique, not your password. so maybe your algorithm would be "'twenty23' plus the second through fifth letters in the website's name plus my daughter's birthday" or whatever

    the point is: having one password across all websites is a vulnerability, and having simple passwords is a vulnerability. so instead, don't remember a password, remember an ALGORITHM that you can use to recreate your password for any site on the fly

    by the way, i got this idea from a slashdot thread, and it was an eureka moment for me, and i went about resetting all my passwords

    i forget the thread or the user id of whoever made the comment, but it was a password related subject matter and i think it was in the last 6 months or so

    whoever you are, and i hope you read this: thank you!

    • by Culture20 (968837) on Thursday January 21, 2010 @10:44AM (#30845700)

      pick something you will always remember say "frankie45" lets say the website you are visiting is facebook.com so your password there will be "frankie45face" and your password at twitter.com would be "frankie45twit"

      And if you use the same username on all of the sites, all it takes is one unscrupulous (or incompetent) site manager to quickly have your other accounts accessed.

  • by petes_PoV (912422) on Thursday January 21, 2010 @10:20AM (#30845406)
    The study makes reference to another analysis done on Unix systems 20 years ago and concludes nothing (much) has changed.
    All this tells us is that the exhortations to choose more secure passwords reach a certain level and then have no more effect. The implication is that the ways of educating users have not improved in the past 20 years.

    Let's not blame the users - they are only doing what they're told. The problem is that we (i.e. IT people) are not telling them the right things in a way that they are willing to accept. That's the problem, not laziness, incompetence or ignorance - motivation. The users ARE motivated to choose passwords, but not to go to the inconvenience of choosing complex ones.

    In every other area of computer use, the trend has been to making things simpler to use. Maybe it's time this process was applied to passwords. Of course it's possible we don't really want better security - we just want someone to blame for lapses.

    • by CaroKann (795685) on Thursday January 21, 2010 @10:32AM (#30845550)
      The article concludes that after 20 years of dealing with this problem, "It’s time for everyone to take password security seriously". That is the wrong conclusion. If things have not improved after 20 years, then they are not going to improve ever.

      The password concept needs to be replaced with a better concept. I think the password idea has been proven to be a bad concept due to human nature.
  • by TheNinjaroach (878876) on Thursday January 21, 2010 @10:21AM (#30845412)
    I don't know about everyone else, but I don't use my work credentials or my root password when I visit sites that look like rockyou.com. They just aren't important enough for me to use secure passwords. Five letters and a digit is more than enough for me to use on most forums, Myspace, and other unimportant sites -- all of whom I don't trust to actually store my passwords in a secure manner. So I am refraining from commenting on the horrible state of passwords when it concerns a horrible state of a website, because I don't think I'm the only one who acts this way.
  • by pongo000 (97357) on Thursday January 21, 2010 @10:27AM (#30845484)

    I don't know if anyone bothered to read the full report [imperva.com], but I found this recommendation tucked in at the end of the report:
    ast character in the password. (pg. 3)

    Allow and encourage passphrases instead of passwords. (pg. 5)

    And I say amen, amen to that. I've done quite a bit of personal research in this area, and have found passphrase systems to be far superior in terms of security and ease of use/recall over random combinations of characters. For years I've used the list provided at Diceware [diceware.com] to generate my passphrases, and I have no problem still recalling little-used 5- or 6-phrase passphrases years later.

    The idea that random sequences of characters is somehow superior to a passphrase of equal entropy is a myth borne of ignorance and a resistance to change. So long as companies that know better keep forcing their minions to adhere to a strict range of letter/number combinations, we'll continue to be saddled with the problem presented by the Rockyou.com crack.

  • by MattBurke (58682) on Thursday January 21, 2010 @10:32AM (#30845542)

    I don't know about anyone else, but I have accounts on so many sites it would be impossible to use strong passwords without reuse. I really don't see the harm in using the same weak passwords if I don't care if my account on the site's compromised.

    I have a number of site-specific strong passwords I use on sites I care about, and a further handful of very strong passwords I use for accounts that have the ability to charge my credit cards. My unix passwords are completely different too, and I run sshd needing key auth. If I have anything worth protecting (personal information more than an email address, an identity within a community, etc) on a website, I'll use a better password, but if I just want to comment on someone's blog or see what a site's about, I don't care - I certainly wouldn't shed a tear if one of my weak passwords were compromised! Boo hoo, someone's pretending to be Asdf Asdf from Qwer (postcode AA1 1AA) over at www.dontcare.com/phpbb/ and www.whogivesarats.as/blog/ and sending me spam on email addresses I'll just blacklist...

    I would bet money that if you look at the password complexity of users of a busy registration-required forum both before and after you discount people with less than 5 posts, there'd be a substantial difference. Likewise, it'd be interesting to see the strength distribution of the subset of these "32 million" accounts on rockyou.com that belonged to people that actually used them or had valid personal information attached. Otherwise I think it's a pretty worthless study.

  • by ZorbaTHut (126196) on Thursday January 21, 2010 @10:33AM (#30845558) Homepage

    is doing the same thing over and over while expecting different results.

    I quote the end of this paper:

    "The problem has changed very little over the past 20 years," explained Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. "It's time for everyone to take password security seriously; it's an important first step in data security."

    He's correct, of course. The problem hasn't changed. That's because the vast majority of people don't care. We've been telling people to use good passwords for 20 years, and it hasn't worked. People don't use good passwords, people have never used good passwords, people never will use good passwords.

    Maybe it's time to come up with a solution that may actually work, instead of pushing the same old obviously-failed solution yet again?

  • by jollyreaper (513215) on Thursday January 21, 2010 @10:58AM (#30845866)

    I understand why you don't want to use dictionary words for passwords, too easy to brute-force. Though how likely is it that servers these days would sit still while a single account fails login ten thousand times? I know once the hacker is in, he can then run the hash file against the dictionary and back into the passwords of other accounts. But wouldn't even a dictionary word with a number or two after it be fine? duck1234 should be just as secure as duck!@#$, right?

    I'm running through the ways you can get hacked and what a secure password would mean.

    1. Guessing by a person sitting at your computer, brute force hacker from outside, running the dictionary against the hash -- strong is good.
    2. Your PC gets rooted, your keystrokes are captured -- strength doesn't matter a bit, you typed it in for the hacker and he won't even have to touch the keyboard when his scripts hit your account and drain it.
    3. Data breach and your password is stolen -- Why was it stored in plaintext? Regardless, they have it and can copy and paste if they use it.

    The consensus on security now was that draconian policies on the part of IT without any seeming rhyme or reason to the employee will simply foster non-compliance and animosity towards IT.

  • by Quiet_Desperation (858215) on Thursday January 21, 2010 @11:04AM (#30845964)
    No "swordfish", huh?
  • Passwords (Score:5, Informative)

    by Stooshie (993666) on Thursday January 21, 2010 @11:18AM (#30846168) Journal
    I worked for a company that ran a birth/death/marriage certificate site. People were having problems logging in, so we kept a log of passwords that did not result in a successful login.

    We found that one of the most commonly typed passwords that was denied was "case-sensitive".

    Needless to say, we soon took off the "Your password is case-sensitive" text from the login page.
  • by mnslinky (1105103) * on Thursday January 21, 2010 @01:04PM (#30847684) Homepage

    I've been playing around with the password file, and there are some gross errors in the report.

    First, their top 20 list has many passwords with capital letters, where none actually exist in the 'real' top 20. Also, their numbers are off. I am guessing they used a case-insensitive match, which for most passwords will not work. The 'real' top 20, with case respected, is:

    290729 123456
    79076 12345
    76789 123456789
    59462 password
    49952 iloveyou
    33291 princess
    21725 1234567
    20901 rockyou
    20553 12345678
    16648 abc123
    16227 nicole
    15308 daniel
    15163 babygirl
    14726 monkey
    14331 lovely
    14103 jessica
    13984 654321
    13981 michael
    13488 ashley
    13456 qwerty

    You can download my list of all common passwords used by more than 1000 people at http://www.secure-computing.net/files/count_gt_1k.txt [secure-computing.net] (1KB file) which maintains case. A file without the counts is at http://www.secure-computing.net/files/gt_1k.txt [secure-computing.net] for use with john, etc.
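The kind of statistics naz404 invites and mnslinky reports above (top-N with and without case folding, the share of passwords that use any non-alphanumeric, how many accounts a short guess list covers) can be reproduced with a small script. This is an added example and not code from the thread, the report, or mnslinky's files; SAMPLE is a constructed corpus, not RockYou data, while TOP20_CASE_SENSITIVE copies the case-respecting counts posted above and TOTAL_ACCOUNTS is the rounded 32 million from the summary.

```python
"""Frequency and composition analysis of a password corpus, of the kind the
report draws its figures from. SAMPLE is constructed for the example.
TOP20_CASE_SENSITIVE is the case-respecting top 20 posted in the thread;
TOTAL_ACCOUNTS is the rounded total from the summary.
"""
from collections import Counter

# Constructed corpus, one password per entry, deliberately mixing case
# variants so the effect of case folding is visible.
SAMPLE = [
    "123456", "123456", "Password", "password", "password", "iloveyou",
    "ILoveYou", "P@ssw0rd!", "qwerty", "Qwerty", "123456", "abc123", "princess",
]

TOP20_CASE_SENSITIVE = {
    "123456": 290729, "12345": 79076, "123456789": 76789, "password": 59462,
    "iloveyou": 49952, "princess": 33291, "1234567": 21725, "rockyou": 20901,
    "12345678": 20553, "abc123": 16648, "nicole": 16227, "daniel": 15308,
    "babygirl": 15163, "monkey": 14726, "lovely": 14331, "jessica": 14103,
    "654321": 13984, "michael": 13981, "ashley": 13488, "qwerty": 13456,
}
TOTAL_ACCOUNTS = 32_000_000  # rounded figure from the summary


def top_n(passwords, n=5, fold_case=False):
    """Most common entries. With fold_case the case variants merge, which
    raises the counts and reports whichever spelling happened to win; that
    is the discrepancy mnslinky describes. Returns [(password, count), ...]."""
    key = str.lower if fold_case else (lambda p: p)
    return Counter(key(p) for p in passwords).most_common(n)


def composition_shares(passwords):
    """Fraction of the corpus that contains any non-alphanumeric character,
    that is digits only, and that is lower-case letters only."""
    total = len(passwords)
    return {
        "has_non_alnum": sum(any(not c.isalnum() for c in p) for p in passwords) / total,
        "digits_only": sum(p.isdigit() for p in passwords) / total,
        "lower_only": sum(p.isalpha() and p.islower() for p in passwords) / total,
    }


def coverage(counts, total_accounts, n=None):
    """Share of all accounts whose password is among the n most common
    entries of `counts` ({password: count}); n=None uses every entry. This
    is what a guess list of length n would cover across the user base."""
    top = sorted(counts.values(), reverse=True)[:n]
    return sum(top) / total_accounts


if __name__ == "__main__":
    print("case-sensitive :", top_n(SAMPLE, 3))
    print("case-folded    :", top_n(SAMPLE, 3, fold_case=True))
    print("composition    :", composition_shares(SAMPLE))
    print(f"top 20 covers {coverage(TOP20_CASE_SENSITIVE, TOTAL_ACCOUNTS):.2%} "
          f"of accounts; top 1 alone {coverage(TOP20_CASE_SENSITIVE, TOTAL_ACCOUNTS, 1):.2%}")
```

On the posted counts the twenty most common passwords together account for roughly 2.5% of the 32 million accounts, and "123456" alone for about 0.9%, which is the practical meaning of the top-N lists in this thread: a twenty-entry guess list, one try per account, opens hundreds of thousands of them.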

  • Stupid (Score:3, Insightful)

    by Kral_Blbec (1201285) on Thursday January 21, 2010 @02:52PM (#30849148)
    There is a very simple way to prevent 100% of brute force attacks. Permanent/temporary lockout after 3 failed attempts. It's a lot harder to make 100 million guesses when you can only make 3 per day.
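Several posts in this thread (JSBiff's question about 3-5 attempt lockouts, AbbeyRoad's counter-"bots" that detect access patterns and block IPs, and the lockout rule above) describe the same control. This added example, not code from the thread or from any product, implements it as detection logic run over constructed authentication log lines: a per-account lockout after a number of failures in a window, and a per-source block when one address fails against several different accounts in the same window (the pattern a single-account lockout alone does not catch). It also computes the upper bound on online guesses per account per day that such a rule gives. The log format, thresholds and addresses are assumptions. The bound applies to online guessing only; as jollyreaper notes further up, a leaked hash file is cracked offline, where no lockout is in the way.

```python
"""Failed-login throttling over sample auth logs: per-account lockout after
N failures in a window, per-source-IP block when one address fails against
several accounts, and the resulting per-day guess bound. Log format,
thresholds and addresses are assumptions; the log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
DEFAULT_LOCKOUT = timedelta(minutes=15)

# Constructed sample: one account guessed three times, then one source
# address trying one guess each against several accounts.
SAMPLE_LOG = """\
2010-01-21T09:46:00 FAIL user=alice ip=203.0.113.5
2010-01-21T09:46:02 FAIL user=alice ip=203.0.113.5
2010-01-21T09:46:04 FAIL user=alice ip=203.0.113.5
2010-01-21T09:46:06 OK user=alice ip=203.0.113.5
2010-01-21T09:50:00 FAIL user=bob ip=198.51.100.7
2010-01-21T09:50:01 FAIL user=carol ip=198.51.100.7
2010-01-21T09:50:02 FAIL user=dave ip=198.51.100.7
2010-01-21T09:50:03 FAIL user=erin ip=198.51.100.7
2010-01-21T09:50:04 OK user=erin ip=198.51.100.7
2010-01-21T10:20:00 OK user=alice ip=203.0.113.5
""".strip().splitlines()


class LoginGuard:
    """Tracks recent failures and decides whether each attempt may proceed."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 lockout=DEFAULT_LOCKOUT, spray_users=3):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.spray_users = spray_users
        self.user_fails = defaultdict(deque)   # user -> timestamps of recent failures
        self.ip_fails = defaultdict(deque)     # ip -> (timestamp, user) of recent failures
        self.user_locked_until = {}
        self.ip_blocked_until = {}
        self.alerts = []                       # what the "counter-bot" would report

    @staticmethod
    def _prune(dq, cutoff, key=lambda x: x):
        while dq and key(dq[0]) < cutoff:
            dq.popleft()

    def observe(self, ts, result, user, ip):
        """Decision for one attempt: 'allow', 'deny:locked',
        'deny:ip_blocked' or 'deny:bad_password'. A locked account or
        blocked source is refused even when the credentials are right."""
        if self.user_locked_until.get(user, ts) > ts:
            return "deny:locked"
        if self.ip_blocked_until.get(ip, ts) > ts:
            return "deny:ip_blocked"
        if result == "OK":
            self.user_fails.pop(user, None)    # success clears the streak
            return "allow"
        cutoff = ts - self.window
        uf = self.user_fails[user]
        uf.append(ts)
        self._prune(uf, cutoff)
        if len(uf) >= self.max_failures:
            self.user_locked_until[user] = ts + self.lockout
            self.alerts.append(f"{ts.isoformat()} lock user={user}")
        ipf = self.ip_fails[ip]
        ipf.append((ts, user))
        self._prune(ipf, cutoff, key=lambda x: x[0])
        if len({u for _, u in ipf}) >= self.spray_users:
            self.ip_blocked_until[ip] = ts + self.lockout
            self.alerts.append(f"{ts.isoformat()} block ip={ip}")
        return "deny:bad_password"


def replay(lines, guard=None):
    """Run the guard over log lines; returns ([(user, decision)], alerts)."""
    guard = guard or LoginGuard()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        decisions.append((m["user"], guard.observe(ts, m["result"], m["user"], m["ip"])))
    return decisions, guard.alerts


def max_online_guesses_per_day(max_failures, lockout):
    """Upper bound on online guesses per account per day: each lockout
    period buys at most max_failures tries (3 tries, 15 min -> 288/day)."""
    return max_failures * int(timedelta(days=1) / lockout)


if __name__ == "__main__":
    for (user, decision), line in zip(*replay(SAMPLE_LOG), SAMPLE_LOG):
        print(f"{decision:18} {line}")
    print(max_online_guesses_per_day(3, DEFAULT_LOCKOUT), "guesses/account/day")
```

The replay shows both sides of the trade-off JSBiff asks about: alice's correct login two seconds after the third failure is refused (the lockout is also a denial-of-service lever against her), while a 15-minute lockout after 3 failures caps an online attacker at 288 guesses per account per day, enough to make the top-20 list dangerous and a million-entry dictionary useless.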

"Just Say No." - Nancy Reagan "No." - Ronald Reagan

Working...