Analysis of 32 Million Breached Passwords
An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non-alphanumerics in their #$#%'ing passwords.
Re:Password strength vs. how often you change it (Score:5, Funny)
For places that require password changes I'd suggest to take a very long base password with a month appended and hash it, then convert the hex hash into printable characters. Maybe something like this:
echo -n "LongUnchangingBasePasswordSiteNameJan2009" | sha512sum | xxd -r -p | tr -cd '[:print:]'
This has the advantage of being highly secure and easily memorable, but someone shoulder surfing your password wouldn't be able to figure out what your password is next month. People more familiar with Windows could suggest a command available on that system. Be careful to do this on a computer where the command will not be stored in a command history.
I'm planning to go all lower case with my passwords though. I'll have to make my passwords 50% longer, but I think they'll be easier to type and almost as easy to remember as totally random ones. In fact my error rate with the totally random ones is an issue with shoulder surfing because I make mistakes and have to retype it so often, giving shoulder surfers repeated sightings, and because the numbers and symbols and shifts slow me down.
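Added example, not the commenter's code: the pipeline above keeps only the printable bytes of one fast SHA-512 digest, so its output length varies and a leaked derived password allows rapid offline guessing of the base password. The Python below shows that filter beside a variant that swaps in PBKDF2 and a fixed-length, unbiased character mapping; the function names, the 94-character alphabet and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import string

# Output alphabet: printable ASCII without whitespace (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def pipeline_equivalent(secret: str) -> str:
    """What sha512sum | xxd -r -p | tr -cd '[:print:]' keeps in the C locale:
    the raw digest bytes that fall in printable ASCII (0x20-0x7e)."""
    digest = hashlib.sha512(secret.encode()).digest()
    return "".join(chr(b) for b in digest if 0x20 <= b <= 0x7e)

def derive(base: str, site: str, period: str, length: int = 20,
           iterations: int = 200_000) -> str:
    """Fixed-length password from a slow KDF instead of one fast hash.
    site and period form the salt, so each month yields an unrelated value."""
    salt = f"{site}|{period}".encode()
    out = []
    block = 0
    while len(out) < length:
        # The block counter in the salt keeps successive 64-byte blocks distinct.
        stream = hashlib.pbkdf2_hmac("sha512", base.encode(),
                                     salt + block.to_bytes(4, "big"),
                                     iterations, dklen=64)
        for b in stream:
            # Rejection sampling: 188 = 2 * 94, so b % 94 is unbiased for b < 188.
            if b < 188 and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        block += 1
    return "".join(out)

if __name__ == "__main__":
    import getpass
    base = getpass.getpass("Base password: ")  # not echoed, not in shell history
    print(derive(base, "SiteName", "Jan2009"))
```

Reading the base password with getpass addresses the command-history concern raised in the comment.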
Your account has been breached. (Score:1, Funny)
Re:Have they released the list anywhere? (Score:1, Funny)
"love", "secret", "sex", not necessarily in that order. And don't forget "god". System operators love to use "god".
12345? (Score:3, Funny)
That sounds like a combination that an idiot would put on his luggage.
Obligatory Spaceballs Reference (Score:5, Funny)
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
-----
President Skroob: What's the combination?
Colonel Sandurz: 1 - 2 - 3 - 4 - 5.
President Skroob: 1 - 2 - 3 - 4 - 5?
Colonel Sandurz: Yes.
President Skroob: That's amazing! I've got the same combination on my luggage!
Re:Have they released the list anywhere? (Score:5, Funny)
Post it here, I'll check it for you.. Don't worry, Slashdot blanks your password.
My password is *******
See, blanked out!
Re:Password strength vs. how often you change it (Score:5, Funny)
.., followed by "1111" then "2222" then "3333" and so forth...
Don't you mean so 4444th?
Re:Password strength vs. how often you change it (Score:5, Funny)
Hey, I used to use a password that could be found on my coworker's monitor, in plain view. I had the idea when they required me to come up with a secure, 10-digit-or-more password containing alphanumeric characters and his monitor's serial number fit the bill.
Re:Why does password strength matter? (Score:3, Funny)
Re:Password strength vs. how often you change it (Score:3, Funny)
Re:Have they released the list anywhere? (Score:5, Funny)
Re:Have they released the list anywhere? (Score:3, Funny)
Wonderful, mine is also blanked out: hunter2 :)
See?
Obligatory bash.org reference: http://www.bash.org/?244321
Re:Password strength vs. how often you change it (Score:2, Funny)
Re:Password strength vs. how often you change it (Score:3, Funny)
Luxury! At my job, every morning we have to beat a confession out of a captive Yorkshireman, and hash that with each employee's ID number.