Analysis of 32 Million Breached Passwords

An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
  • I think it would be interesting to search the passwords I use against the list. I like to think that my passwords are pretty good, but it would be interesting to see how similar they are to the passwords that were obtained and used in the study.
  • by Blade ( 1720 ) on Thursday January 21, 2010 @10:01AM (#30845206) Homepage

    Until they break into your facebook account and use that to socially engineer access to something else and escalate their way into something beyond that. Or they access your facebook account and start taking guesses are the answers to the security questions you're forced to use (what school did you go to, what was your first pet called, etc., etc.)

    There are so many links between so much of what we do online that you would do well to treat it all as worth securing equally.

  • by AbbeyRoad ( 198852 ) <p@2038bug.com> on Thursday January 21, 2010 @10:05AM (#30845228)

    The article says that in 20 years users have not gotten better at creating good passwords.

    Logically then the solution is NOT to get users to take "password security seriously". This is like trying to stop VD by convincing teens to abstain from sex - it's in the never-going-to-happen category.

    The solution is to mitigate the damage of a brute force attack - when bots make password guess attempts, you need counter-"bots" to detect patterns of access and then block IPs, warn users, or disable accounts. This is a form of intrusion detection.

    This is not to mention that for most web accounts, a break in doesn't matter - what damage can the hacker really do? Like post things-you-didn't-say and trash your reputation on www.social-site-for-people-who-spend-to-much-time-online.com? Heck, that's major dude.

    Just a wild guess here, but let's ask: Are there web site owners who think the logins they host are way more important to their customers than they actually are?

    Hmmm

    -paul
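An added example (not from this thread, and not from Imperva's study) of the counter-measure paul describes: a failed-login monitor run over a few constructed auth log lines that locks an account after repeated failures inside a time window and flags a source address that fails against many different accounts in that window. The log format, the thresholds, the names and the addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system).
# First block: one source hammers one account until it is locked, then the right
# password arrives one second too late. Second block: one source tries one guess
# against five different accounts. Third block: a legitimate typo followed by success.
SAMPLE_LOG = """\
2010-01-21T10:00:01 login FAIL user=alice ip=203.0.113.7
2010-01-21T10:00:03 login FAIL user=alice ip=203.0.113.7
2010-01-21T10:00:05 login FAIL user=alice ip=203.0.113.7
2010-01-21T10:00:06 login FAIL user=alice ip=203.0.113.7
2010-01-21T10:00:08 login FAIL user=alice ip=203.0.113.7
2010-01-21T10:00:09 login OK   user=alice ip=203.0.113.7
2010-01-21T10:02:00 login FAIL user=bob   ip=198.51.100.9
2010-01-21T10:02:01 login FAIL user=carol ip=198.51.100.9
2010-01-21T10:02:02 login FAIL user=dave  ip=198.51.100.9
2010-01-21T10:02:03 login FAIL user=erin  ip=198.51.100.9
2010-01-21T10:02:04 login FAIL user=frank ip=198.51.100.9
2010-01-21T10:30:00 login FAIL user=bob   ip=192.0.2.44
2010-01-21T10:30:20 login OK   user=bob   ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")


def parse(line):
    """Return (timestamp, result, user, ip) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, ip = m.groups()
    return datetime.fromisoformat(ts), result, user, ip


def analyze(log_text, max_failures=5, window=timedelta(minutes=15)):
    """Replay the log in order and decide what the login service should have done.

    Per account: `max_failures` failures inside `window` lock the account for `window`;
    a correct password presented while locked is still rejected. Per source address:
    failures against `max_failures` distinct accounts inside `window` flag the address.
    """
    recent_failures = defaultdict(deque)   # user -> timestamps of failures in window
    accounts_per_ip = defaultdict(dict)    # ip -> {user: last failure timestamp}
    locked_until = {}                      # user -> lock expiry
    suspicious_ips = set()
    decisions = []                         # (user, decision) in log order

    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec

        if user in locked_until and ts < locked_until[user]:
            decisions.append((user, "rejected-locked"))
            continue

        if result == "OK":
            recent_failures[user].clear()
            decisions.append((user, "allowed"))
            continue

        # A failure: slide the per-account window and check the lockout threshold.
        q = recent_failures[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            locked_until[user] = ts + window
            q.clear()
            decisions.append((user, "locked"))
        else:
            decisions.append((user, "failed"))

        # Slide the per-address window of distinct accounts it has failed against.
        seen = accounts_per_ip[ip]
        seen[user] = ts
        for u, t in list(seen.items()):
            if ts - t > window:
                del seen[u]
        if len(seen) >= max_failures:
            suspicious_ips.add(ip)

    return {"decisions": decisions, "locked": locked_until, "suspicious_ips": suspicious_ips}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, decision in report["decisions"]:
        print(f"{user:6} {decision}")
    print("locked accounts:", sorted(report["locked"]))
    print("suspicious sources:", sorted(report["suspicious_ips"]))
```

The per-address view matters as much as the per-account one: a source that spends one guess on each of many accounts never trips a per-account lockout, which is exactly the pattern the per-account counter was not built to see.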

  • Re:My password (Score:1, Interesting)

    by Anonymous Coward on Thursday January 21, 2010 @10:25AM (#30845452)

    Here's two more "unique" glimpses into what kinds of passwords people use.
    http://www.schneier.com/blog/archives/2009/02/another_passwor.html [schneier.com]

    Oh look another "unique" look at what passwords people use
    http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php [jimmyr.com]

    This site gets dumber and dumber every day. The Onion insults my intelligence far less often.

  • by JSBiff ( 87824 ) on Thursday January 21, 2010 @10:37AM (#30845612) Journal

    I have a couple questions for some more security minded folks here on Slashdot, about the 'conclusions' of the analysis in the linked article...

    * "The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as 'brute force attacks.'"

          Is this really true? Here's why I ask - most websites (though unfortunately not all), seem to lock your account if you don't get the right password in 3-5 attempts. Then, it may stay locked for 15 minutes, or 24 hours, or until you go through a process of some sort to verify the account (such as an automated email to the address on record, with a link you have to click in the email).

          If the website takes such measures, doesn't that shut down brute force attacks pretty fast, even with fairly simple passwords? If the website is doing that, and it shuts down brute force attacks, doesn't that mean that even a somewhat weak password can provide 'good enough' protection?

    * While I'm sure that adding special symbols does make the password harder to brute force, isn't even an alpha-num password pretty strong if it's about 10-12 characters long and mixes both upper and lower as well as some numbers? Personally, if I was guiding someone about a password, and I know they have a hard time remembering complex passwords, I would urge them to a longer password instead of a more complex one, because the length makes the complexity grow exponentially, right?

    * Sort of touching on the parent's point - appropriateness. We can't remember lots of complex long passwords, so I would think that we should get people to concentrate on remembering complex passwords for the things that most need them - particularly things which can be attacked 'offline'? By 'offline', I'm thinking of something like, say, an encrypted file (like a zip file or TrueCrypt volume file), and online passwords which protect truly important stuff like access to your network account at work, your bank account, Tax-site password, etc.

    Of course, there are always 'password safe' type applications, but I've never really liked the idea of a password safe, simply because I don't necessarily have access to it whenever I need a password. Take, for example, going to a library, FedexKinkos, or college computer lab, and needing to access a password protected site. Even if you *do* have your password safe file, on a USB key (for example; or maybe you can download your 'safe' from a site online), you may not be able to run the password safe software to decrypt it. Even if you *can* run the password safe file from the USB key, on the public computer, do you really trust that public computer to decrypt all your passwords? I just don't like the concept of password safes, for these reasons.

  • Re:Why surprising? (Score:3, Interesting)

    by DrinkDr.Pepper ( 620053 ) on Thursday January 21, 2010 @11:05AM (#30846000)

    Southwest.com allows you to create a password with non alpha-numeric characters, but then you can't log in with your password!

  • by Anonymous Coward on Thursday January 21, 2010 @11:43AM (#30846518)

    My non-alpha character was 1 the first month, 2 the second month, 3 the third... it's cycled around to zero now.

    Forcing users to use random strings as passwords doesn't actually increase security -- it just forces users to write their password down on a post-it note. I've captured passwords by 1) Looking in an employees top desk drawer for the post-it 2) Writing a trojan that emulates a log-in screen on a dumb terminal, waiting for someone to log in, logging the information, then pretending there was an error so they need to log in again, and 3) Writing a program that put a Sun workstation into promiscuous mode, then monitored all traffic for telnet username/password sequences (this actually netted the admin password for all Oracle HQ computers). A "strong" password would have done NOTHING to lessen the effectiveness of any of these techniques! Why would anybody attempt to brute force a password by dictionary attack when there are much easier methods available? (E.g. social engineering.) Locking out an account after too many failed logins is effective against brute force attacks, and is already implemented in every system I know of. Requiring arbitrarily complex passwords just means the admins have to reset passwords more often, 'cause people forget them. That being said, forcing periodic password changes actually IS a good measure; it limits access to shared passwords.

  • by kalirion ( 728907 ) on Thursday January 21, 2010 @12:11PM (#30846854)

    Given the above policy, a smart hacker would bruteforce the following template:

    (1 capital letter)(7 lower case letters)(1 number)(1 special character). With a dictionary attack for the first 8 characters.

    Password1!

  • by exploder ( 196936 ) on Thursday January 21, 2010 @12:37PM (#30847226) Homepage

    I wish someone (ISO? NIST? DOHS?) would establish an honest-to-god STANDARD for what makes a strong password. For instance, >=8 characters, at least one each of upper, lower, numeric, other.

    Why? Because I use a fantastic Firefox addon called Password Hasher (and there are other good ones for the same purpose), which uses a hashing algorithm to combine the site's domain name with my own personal master password to create a different, secure password for every account, while only forcing me to remember one nice, strong password.

    The problem is, different sites require different kinds of passwords, to the point where NO combination of settings for length and content of the generated password can work for every site. PH does a good job of remembering the individual sites' settings on my own computer, but it gets a lot less convenient when I'm on someone else's.
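An added example, written for this discussion and not Password Hasher's own algorithm, of the scheme exploder describes: derive a different password per site from one master password plus the site's domain, with no stored state, and fit the output to whatever character classes the site demands. The derivation (PBKDF2-HMAC-SHA256 keyed by the domain, then an HMAC byte stream mapped onto the policy's alphabet by rejection sampling) and the symbol set are assumptions chosen for the example.

```python
import hashlib
import hmac
import string

# Character classes a site policy can demand. The symbol set is an assumption chosen
# to be accepted by most sites (many reject space, quotes and backslash).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*",
}


def meets_policy(password, required_classes):
    """True if the password holds at least one character from every required class."""
    return all(any(ch in CLASSES[cls] for ch in password) for cls in required_classes)


def _byte_stream(key, attempt):
    """Unbounded keyed byte stream: HMAC-SHA256(key, attempt || block_counter), block by block."""
    block = 0
    while True:
        msg = attempt.to_bytes(4, "big") + block.to_bytes(4, "big")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        block += 1


def derive_site_password(master, domain, length=12,
                         required_classes=("upper", "lower", "digit", "symbol"),
                         iterations=100_000):
    """Deterministically derive a per-site password from a master password.

    The (normalised) domain is the PBKDF2 salt, so one master gives a different
    password per site and the same result on any machine. Bytes are mapped onto the
    policy's alphabet with rejection sampling, so no character is favoured by modulo
    bias. If a candidate misses a required class, the attempt counter is bumped and the
    mapping repeated; that retry is part of the deterministic derivation.
    """
    if length < len(required_classes):
        raise ValueError("length too short to hold every required class")
    alphabet = "".join(CLASSES[c] for c in required_classes)
    n = len(alphabet)
    limit = 256 - (256 % n)          # largest multiple of n that fits in one byte
    salt = ("site-password:" + domain.strip().lower()).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)

    for attempt in range(1000):
        chars = []
        for b in _byte_stream(key, attempt):
            if b >= limit:
                continue             # reject to keep the character distribution uniform
            chars.append(alphabet[b % n])
            if len(chars) == length:
                break
        candidate = "".join(chars)
        if meets_policy(candidate, required_classes):
            return candidate
    raise RuntimeError("could not satisfy policy; relax the rules or raise the length")


if __name__ == "__main__":
    master = "correct horse battery staple"     # constructed example master password
    print(derive_site_password(master, "example.com"))
    print(derive_site_password(master, "example.org", length=8,
                               required_classes=("upper", "lower", "digit")))
```

The per-site policy (length and classes) still has to be remembered or recorded somewhere, which is exactly the inconvenience exploder runs into on someone else's machine; the derivation itself carries no secret state beyond the master password.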

  • by epine ( 68316 ) on Thursday January 21, 2010 @01:30PM (#30848064)

    technically an all lowercase password is just as secure as any other password

    You must have missed the bulletin which explains that security consists of becoming a less inviting target than the guy beside you. If the sheep tend to use all lower-case passwords (baaaaaa), then you're best off wearing a different cloak.

    it is probably also better to start all of your passwords with a 'z' since they tend to check in alphabetical order [citation needed]

    I thought script kiddies were all playing on the streets of the Facebook favela these days, and that unemployed Russian PhDs were out there flexing their combinatorics.

    From that training set, it would be pretty easy to code up a Markov letter bigram or trigram model and enumerate from least entropy on up (a near approximation to this is plenty good enough). My guess is that that nine letter all-lowercase passwords would be on roughly the same tier as six letter passwords with multiple punctuation marks.

    This study was a bit stupid in reporting password strength. A nine letter password from two symbol sets will be close in strength to an eight letter password from three symbol sets, as long as the nine letter password doesn't build upon trivial substrings.

    I think this is why the recommendation demands three symbol sets: it gives users less scope to squander entropy that a longer, ordinary character password ought to have.

    One time, as a joke, a very long time ago, a devious coworker put a keystroke logger on a paranoid coworker and the password revealed was 6uldv8. Apparently there's more than one reason to keep your passwords secret.

    I generate all my own passwords starting from suggestions offered by OpenBSD's apg utility. For crap sites, I try to achieve an estimated entropy in the vicinity of 30 bits and scale up to about 60 bits at the paranoid end: 5*6 (a brief burst of line noise), 6*5, 7*4, 8*4, 9*3, 10*3 (baby talk).

    For longer passwords, you can pair two words from a large dictionary (about 13 bits entropy each) and then add another four bits with a single symbol corruption. Routinely sticking an ! in between two obscure dictionary words is not a good idea if you're concerned about cross entropy, where the attacker already knows some of your passwords by other means. I avoid consistent corruption templates, because I don't want to lower the cross-entropy on a set of partially exposed passwords too severely.

    For most purposes, even 20 bits of entropy is a good start, if the attack involves knocking on the front door. Not so good if the hashed password file is compromised behind the scenes. Even 30 bits is pathetic in the latter case, but this reasonably well mitigated by never sharing a password across multiple sites.

    At 40 bits, the attacker begins to ask whether there's any money involved. A high-end video card, properly coded, would sneeze at 40 bits. However, properly coded still isn't free,

    By the time you get to 50 bits, it's time to start asking whether you've seriously pissed off the wrong person. Quite doable, with a modicum of enmity, but not worth the bother if the game is shooting fish in a barrel at least expense. Armour piercing rounds are deployed sparingly.

    I wouldn't be the least bit surprised that the NSA has accumulated a dictionary of the trillion most common passwords, sorted by descending order of frequency, covering all languages and source lexicons of the world (pets, pet names, Klingon, Thalassian, Qenya) permuted into all manner of imposed password template schema. I'd be shocked if they hadn't. For that matter, Google could build a good approximation to that dictionary just using their lexigram index, on roughly the terascale.

    Shedding about 10 bits of protection per decade, we'll soon need to return to Beowulf era culture where reciting your ancestors back to the garden of Eden was the gold standard for accurate recall.

    I wish every login box on every site had a

  • by The Archon V2.0 ( 782634 ) on Thursday January 21, 2010 @05:06PM (#30851318)

    I hate it when systems specifically require odd crap though...requiring a mixed password (must have 2 of the 3 following features or something) is good but saying that my 8-character password must include at least two numbers is actually decreasing the keyspace fairly significantly since you can limit several parts of the password to 0,1,2,3,4,5,6,7,8,9 as opposed to every single letter/number/punctuation.

    My personal favorite dumbass password requirement was an internal company one that checked your password for dictionary words and ruled any dictionary word in a password invalid. I thought that was stupid, and then I found out by accident that the dictionary contained "it". And then I realized it contained every two letter word I could think of. So "4!h8B^%iT2" was a weak password because iT is a dictionary word (?!?) and thus the password will be ZOMG dictionary hacked.

    We also had like, six different internal systems, each with their own password requirements. One needed at least one number, another normalized mixed case to lowercase, one just didn't care about anything, etc. Passwords all had to be changed, but the dates on which they did were different. (Payroll password changes once a month. I only needed to access the payroll system once a month.)

    Ultimately, even the dedicated never-write-it-down people like me had to give up and write their passwords down. I had my cheat sheet in my wallet, but a lot of people just had them at their desks. (Only monitor post-it-notes were caught by management. Paper under the keyboard? Never caught. In a desk drawer? Like the managers are gonna go around opening every drawer in the building!)

    So, yay security?
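An added example, not from any of the posters, that puts numbers on three of the arguments above: JSBiff's "length beats complexity" question, epine's two-words-plus-one-symbol entropy estimates, and The Archon V2.0's point that a "must contain at least two digits" rule shrinks the keyspace. Every figure assumes uniformly random choice within the stated scheme, which is an upper bound that user-chosen passwords rarely reach; the class sizes are the 95 printable ASCII characters split four ways.

```python
import math

# Sizes of the four printable-ASCII symbol classes (95 printable characters in total).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def keyspace_bits(length, classes):
    """Bits of entropy for `length` characters drawn uniformly from the union of `classes`."""
    alphabet = sum(CLASS_SIZE[c] for c in classes)
    return length * math.log2(alphabet)


def count_with_min_class(length, alphabet, class_size, minimum):
    """Exact number of passwords of `length` over `alphabet` characters that contain at
    least `minimum` characters from a class of `class_size` characters."""
    other = alphabet - class_size
    return sum(
        math.comb(length, k) * class_size ** k * other ** (length - k)
        for k in range(minimum, length + 1)
    )


def bits_lost_to_rule(length, alphabet, class_size, minimum):
    """How many bits a 'must contain at least N of class X' rule removes from the keyspace."""
    unconstrained = alphabet ** length
    allowed = count_with_min_class(length, alphabet, class_size, minimum)
    return math.log2(unconstrained) - math.log2(allowed)


def passphrase_bits(words, dictionary_size, corruption_positions=0, corruption_symbols=0):
    """Entropy of `words` words picked uniformly from a dictionary, plus one symbol drawn
    from `corruption_symbols` inserted at one of `corruption_positions` (0 = no symbol)."""
    bits = words * math.log2(dictionary_size)
    if corruption_positions and corruption_symbols:
        bits += math.log2(corruption_positions * corruption_symbols)
    return bits


if __name__ == "__main__":
    all4 = ("lower", "upper", "digit", "symbol")
    alnum = ("lower", "upper", "digit")
    print(f"8 chars, 4 classes          : {keyspace_bits(8, all4):5.1f} bits")
    print(f"10 chars, alphanumeric      : {keyspace_bits(10, alnum):5.1f} bits")
    print(f"12 chars, alphanumeric      : {keyspace_bits(12, alnum):5.1f} bits")
    print(f"9 chars, 2 classes          : {keyspace_bits(9, ('lower', 'digit')):5.1f} bits")
    print(f"8 chars, 3 classes          : {keyspace_bits(8, alnum):5.1f} bits")
    print(f"8 chars, >=2 digits required: loses {bits_lost_to_rule(8, 95, 10, 2):.2f} bits")
    print(f"two words from 8192, one of 8 symbols in one of 2 gaps: "
          f"{passphrase_bits(2, 8192, 2, 8):.1f} bits")
```

The "at least two digits" rule costs about 2.3 bits on an 8-character password over the full printable set, because every password with zero or one digit is excluded; the composition rule only helps when it pushes a user away from a single-class password, not when it is applied to one that was already random.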
