A Brief Sony Password Analysis

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."

not surprising

[Anonymous Coward]

it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

Re:

[chemicaldave]

it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

No, it's really not, especially when you consider that the PS3 will store the password. You should only have to enter it a few times over the lifetime of the unit, and even then, entering some non-alphanumeric chars doesn't make it any more difficult.

Re:

[John Hasler]

> And if you write the pwd down, it will be lost/stolen anyway...

Only if you are a fool, in which all is lost anyway.

Re:

[WuphonsReach]

And if you write the pwd down, it will be lost/stolen anyway...

Do you also leave your wallet, credit-cards or money laying around so that they get lost/stolen all the time?

Writing the password down is fine, as long as it gets stored in a safe place (safe deposit box, home safe, sealed envelope, even tucked in a wallet). The weakness is not that the password is written down, it's that it is not kept secure against the eyes of others. Like putting it on a sticky note attached to the monitor/keyboard.

Re:

[GIL_Dude]

Exactly. Also some basic, much maligned but still useful, security by obscurity can be used. For example, if you have trouble remembering your ATM PIN, simply put a piece of paper in your wallet with a couple of "phone numbers" on it (for example one would be "Adam - 722-1416" where 1416 is your PIN.) Simple mnemonic - Adam - ATOM - ATM... Simple thieves won't get your PIN from that, but you certainly can remember it. Passwords can be done in a similar fashion.

Re:

[MareLooke]

KeePassX [keepassx.org] helps with that. But it obviously doens't help with companies spilling their pwd databases...

Re:

[Gravatron]

I use a USB keyboard on my ps3. Helpful for chat, netflix, and password entry.

Re:

[swv3752]

Yeah, I have a wireless mouse keyboard combo from my old MythTV box that I use for the PS3.

As someone who probably fell into some of those

[vawwyakr]

My sony account only held the minimal information and some of that not correct. The PW I used was my public throw away password that I only use on sites that require me to register when I just need it to use a basic service and not enter anything not already public knowledge. So I'm not going to burn a good PW or spend my time trying to memorize a new one to use for something I really wouldn't care if they cracked and couldn't use the same PW on a site for which I care about it being cracked.

Re:As someone who probably fell into some of those

[Aladrin]

For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

Re:

[KidPix]

Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

Re:

[Rary]

Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

I don't have a Sony or Gawker password, but I can tell you that my Slashdot password is more secure than my bank password. However, that's not by my choice. The credit union I use has this pathetic system that requires passwords to be exactly 7 characters and ONLY numeric. Very annoying.

Re:

[gman003]

My bank is nearly as bad - only uppercase letters and numbers. I used my normal password as a basis for crafting my bank password, but I can never remember if I replaced all Os with 0s, or just the first one, or just the second, or what I did with the underscore, etc. So I still can't remember it. I got tired of doing a password reset every time I wanted to check my balance, and just signed up for mailed account updates. Fuck trees.

Re:

[aliquis]

Personally I don't see the horror in "99% of passwords don't contain a single non-alphanumeric character."

Since then is a 8 character password with non-alphanumerics better than a say 50 character password with only alphanumerics?

Which one is easier to remeber of:

&/fhy47F

or:

"omg leet slashdot password try to crack this one stupid"

and which one is safer?

Also with no password reminder and all these shitty sites which require you to register for no obivous reason or which require it for a reason which matt

Re:

[hedwards]

If you add even a single non-alphanumeric key it means that in order to brute force the password, they don't get to stick with the 26 lower case letters, 26 uppercase letters and 10 digits, they also have to deal with the , ; . ! ? @ and probably even more. And they don't know that's the case until they try every combination of alphanumeric characters that is possible within the given length.

Best password practices

[mangu]

I don't think very long passwords are necessary.

My own practices:

No dictionary words, only a string of random letters
No change, memorize and keep the same password forever

I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

Re:

[somersault]

I don't change mine all that often either, and similarly have different levels of passwords.

What do you mean by "very long"? I think something like 8 or 9 characters minimum is probably necessary to avoid rainbow table cracking these days.

I've taken to slightly modifying my password depending on which site I am using. It helps to lengthen the password but in an easy to remember way, even though my basic password is already above the length that should be easily crackable.

Keeping the same password forever do

Re:

[Anonymous Coward]

I do somewhat of the same. My letters aren't random though. I typically have a phrase that I remember such as:

jack went to the store to buy some rice.

That would become jwttstbsr

Then append a number n (in this example we'll say n = 3)

Every nth letter in the original sequence becomes uppercase.

So then we get jwTtsTbsR3

Finally, append a single letter suffix designating what it's for. C for computer passwords, F for financial, S for social networking, E for email, W for general websites, etc.

I tend to change

Re:

[jovius]

i use something like 's0m3t#1nG'

Re:

[JaredOfEuropa]

Decent dictionary attack software already accounts for the more obvious substitutions like i/!, o/0, l/1, e/3, a/4 etc. I tend to use passwords that can be pronounced but aren't actual words.

But even with a completely random password, you're still screwed if Sony makes the unbelievable and unexcusable mistake of storing them in plaintext. Hell, even the PHP for Beginners book on my shelf explains one-way encryption for passwords to online services.

Re:

[Danny Rathjens]

I don't know why people think that "leet-ifying" a word makes it a better password. leetspeak modifications of dictionary words is one of the first variations that password cracking software tries after straight dictionary words.

Re:

[Inda]

I've said the same on here many, many times before giving up. No one will listen and no one will change their ways.

I used to play with password cracking programs on my P3. They all allowed for character substitution and many had a 'leet-speak' option to tick.

BTW, a full dictionary attack used to take about 3 seconds on my P3 and people would be magically impressed when I found their ZIP file passwords.

PS. My bank allows 14 characters... *facepalm*

Re:

[angel'o'sphere]

But you do know that slashdot e.g. does not transfer your paswd encrypted but in plain text? So everyone listening to your connection can read it? I would at least distinguish between https and non https accounts.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[WuphonsReach]

That depends on whether you assume that the attacker has your password hash and can brute-force it at an increased rate. For $1000, an attacker can easily build a unit capable of attacking most password hashes at a rate of say 1 billion per second.

If your password is 8 character or less, it will be spit out by that machine in 2-48 hours.

The math:

Assume 60-80 possibles per letter in the password, weaker passwords that are mostly lower-case can be as low as 40 possibles per letter.

40 = ~5.33 bits per

Re:

[binkzz]

I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

Hey! Would you like to sign up to my site? http://dodgysite.com/ [dodgysite.com] . It has tons of cool stuff. Hope to see you there soon!

lowercase

[Njovich]

'82% of passwords are lowercase alphanumeric of 9 characters or less.'

So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

Re:

[chemicaldave]

The point is that it's easier to guess a password when you know it only has 36 possible characters, as opposed to 62.

Re:

[Kjella]

Apple23
aPple23
apPle23
appLe23
applE23

= about 5 times as difficult. The point is that people don't use combinations like ApPLe23, capitalizing one letter because you must isn't exactly a huge gain. Particularly since most people will capitalize the first, since it's easiest. I do stick to alphanumeric passwords though, everything else always generate so much crap with character sets, keyboard layout etc.

Re:

[stewbee]

In a way I agree with you, but lets just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then give 52^n combinations. If you were a code cracker, and knew in advanced that most people only used lower case letters, then why waste you time with upper case letters. Your code cracking program would take longer allowing for upper case letters. It a matter of low hanging fruit; non capitalized password code cracker will

Re:lowercase

[Rich0]

In a way I agree with you, but lets just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then give 52^n combinations.

The parent's point was that this isn't actually correct. That is only true if ANY or ALL of those characters could be upper case. Well, they could be, but most likely they aren't. Instead it is probably the case that all but one are lower case. So, the number of possibilities isn't 52^n, but rather n*26^n. That is barely larger than 26^n.

Require 8 characters, of which at least one is upper case and one is a number? Ok, users will go with the minimums on both, so you start with 6 lowercase and 1 uppercase letters, which is 7*26^7. Then you throw in a digit. That could go in 8 positions, and could be any of 10 characters, so multiply that number by 80. If you just check a "1" in the last character position then you don't increase the number of combinations at all and you'll probably nail 80% of the passwords anyway.

If I lose my car keys then a true brute force search would have to cover the entire volume of c * the elapsed time since I last saw them. However, I wouldn't start by searching the moons of Jupiter - the kitchen counter is far more likely to yield dividends.

Re:

[Rich0]

Your calculations are way off as you don't know in advance where the one capital letter will be, so you are still stuck with all possibilities.

If the password is n characters long, then the capital letter could be in one of n positions. So, the number of possibilities is n*26^n. Basically you take each 8-char lowercase password and then you capitalize each of the 8 letters in turn.

Or you could look at it this way - you have n-1 chars lowercase, which is 26^(n-1). Then you have 26 possible uppercase chars in any of n positions, or 26*n. So, you get 26*n*26^(n-1), which is just another way of saying n*26^n.

As far as your arguments about making t

Re:

[Rary]

Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

For starters, you shouldn't be speaking out a password, unless it's the password to something really trivial and low security, in which case go ahead and use a simple all lowercase password. As for remembering the location of the capital letters, use a simple pattern.

For example, if you take the word "password", replace a couple letters with numbers, such as "p4ssw0rd", and then just hold down the SHIFT key for every second character, you get "p$sSw)rD", which is many times more secure, and simple to memori

Re:

[tchernobog]

Actually, it's not exactly true if you are brute-forcing. If you have a nine-characters-long password, of which exactly one letter is uppercase (assuming you can determine that), you would have 8 lowercase letters (26^8) * 26*9 possibilities (because the uppercase letter can appear in 9 different places), so that would make it 9 times the time required to bruteforce an all-lowercase password. That's why they recommend you to use digits, special characters and uppercase letters; they DO increase a LOT the am

Re:

[swillden]

Good luck brute forcing a 9 character lowercase alphanumeric password

Per yesterday's article, a GPU can test 3.3 million passwords per second. That means the entire space of 9-character lowercase alphanumeric passwords (there are 36^9 of them) can be searched on a single GPU in 356 days, which means that on average it will take 178 days to find a given password with an undirected brute force search. In practice, that can probably be reduced significantly by searching first for dictionary words, combinations of pieces of dictionary words or letter sequences that are "pronou

Password Requirements Are Inconsistent

[Anonymous Coward]

The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.

Re:Password Requirements Are Inconsistent

[tompaulco]

Mod parent up. Nevermind different sites, we have different password requirements on different systems WITHIN MY OWN COMPANY. Our expense reporting system, bug tracking system, OS login, and intranet login all have different and incompatible password requirements, and some of these also expire, requiring you think of a NEW one that fits the format. So within my own company I have to remember 5 different passwords (plus the other system passwords, some of which I also need to know to perform my job). Then externally, I probably have 30 to 40 sites that I have accounts on that I use on a regular basis. Some of these not only have crazy password requirements, but some have non-choosable usernames, like a number or a name that they assign you. Sometimes they assign you a password as well and won't let you change it.
So it comes down to sticky notes, or a trusted source to keep all your passwords. I have chosen the latter. I have a password file that I keep on my own domain. However, even that is not foolproof, because I don't host the sever myself, so somebody at the host, or somebody that compromised the host could get in and look at that file (I have permissions set to keep the casual viewer out, but these people would obviously have admin permission). I still have security through obscurity, as they would have to recognize the file for what it was, while wading through thousands of uninteresting files, and then figure out what user and password goes with what site, which is somewhat cryptic, but recognizable by me.
As an aside, why does talking about my file which is hosted on a unix based system make me want to use vi editor keys when typing into slashdot?

My Best Practices

[gregarican]

For my passwords I use the keys one-up-and-to-the-right of the "dictionary style" password I have. For example, for password this would come out as -wee305r, making it harder to brute force. Of course if the passwords are all stored plain text by some incompetents what's the point?!

Re:

[gregarican]

Good point. And my US keyboards render the passwords a lot differently than the time I am trying to enter in my password from my iPhone/iPad...and since I don't always memorize the jumbled version I sometimes get a brain cramp :)

My password is

[Anonymous Coward]

'); DROP TABLE Password;

Re:My password is

[snookerhog]

Bobby, is that you?

Whats the point ..

[Idimmu Xul]

of having 100 alphanumeric+special character long passwords when websites just give up the password lists with the magical words 'sql injection'?

Unique passwords at least ensure that once a website you frequent is compromised you don't get further screwed over...

hunter2

[chemicaldave]

There must have been a few dozen.

Huh?

[iluvcapra]

67% of accounts on both Sony and Gawker use the same password.

Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinalty of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

Re:

[Jim Hall]

67% of accounts on both Sony and Gawker use the same password.

Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinalty of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

IIRC, Gawker had their username/password database stolen a year or so ago? I read the "67%" as: for accounts on both Gawker and Sony, where the email address matched up, 67% of the passwords were also the same.

That is, 2/3 of the people who had accounts on both Gawker and Sony were using the same password, not a different one.

Bad passwords are not always the user's fault.

[mcmonkey]

The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.

With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.

Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

Re:

[Idimmu Xul]

you could use a password management tool like keepassx to remember them for you

Re:

[mcmonkey]

Except I can't install any software I want on the company's computer. You know, for security!

Re:

[Anubis IV]

If you use 1Password, it has companion iOS and Android apps which will automatically sync via Dropbox to your computers. No need to install anything on the company computers when you can keep it on your phone, and the data on the phone is independently encrypted and password protected in addition to anything the mobile OS does.

Re:

[Terrasque]

You could try looking at a solution like http://www.hashapass.com/ [hashapass.com]

The relevant JS code:

function update()
{
var res = document.getElementById('resultId');
var seed = document.getElementById('seedId');
var param = document.getElementById('parameterId');
var hashapass =
b64_hmac_sha1
(seed.value,
param.value) .substr(0,8);
res.value = hashapass;
seed.value = '';
res.select();
}

As long as you're allowed to make an ascii text document and have access to a web browser, that's available.

Re:Bad passwords are not always the user's fault.

[KMitchell]

Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

Nothing inherently wrong with writing down passwords. You move from "something you know" to something you have, As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.

Mod parent up.

[John Hasler]

Mod parent up.

Re:

[mcmonkey]

Oh great. All my accounts have been compromised AND I have to skip lunch for a couple weeks. ;)

Re:

[Mr_Plattz]

Agreed!

I've recently invested time and changed *all* my online passwords. Everything stored inside KeePass with random very strong passwords. Even comparing with the 'core' sites such as Facebook, Twitter, Ebay, Paypal, Gmail --- *ALL* of them have different requirements which I think is unacceptable. Some enforce 14 chars but don't accept alpha-characters while others cap at 20. One big kudos is Facebook was the best and accepted 256 random characters.

So yes, *we* need to agreed on the minimum standar

Re:

[CastrTroy]

Kind of funny, since they are only using a hash, why not just allow any length of password. The hash will always be the same length, regardless of the length of the password. You could even allow users to upload a file as their password, in order to allow for non-typeable byte values in order to increase entropy. If you stored the files for each website on a truecrypt partition that automatically dismounted after a timeout, it would probably be about as secure as using keepass, and the actually password

Re:

[eulernet]

At my job, the policy was to change passwords every month.

The guy explaining how to be able to keep memorizing the passwords gave us the following trick:

use your normal password as a prefix
then as suffix, add a counter, like 00, 01, 02, etc...
The idea is to increment the counter when the password expires.

After a few months, the management got upset about this policy, and we have now the same password since 2 years.

Re:

[danpat]

Online password manager with client-side encryption and secure password generation: http://clipperz.com/ [clipperz.com]

Re:

[Cthefuture]

This is exactly the type of thing a smartcard would be good for. You could have all unique passwords using the strongest randomizer possible (or use PKI or similar) and only have to remember a simple PIN for your card. The PIN can be relatively short and simple too (although making it more complicated is recommended).

A smartcard provides a hardware level of protection as it's much more difficult to brute force because it can be set to self destruct after a certain number of bad PIN attempts. Usually betw

Re:

[Roogna]

Use a password management system, that is -not- on your computer. For instance 1Password is available on iOS devices. I'm sure Android has similar apps.

Re:

[gman003]

I have three different passwords I use for everything. The weakest (8 characters, 2 non-alphanumeric and one uppercase, but I sometimes have to strip the & and @ on things that don't allow it) is used on things where I really don't give a shit if someone hacks it. Want to upload stuff to Imageshack in my name? Who cares? Want to hack my Dropbox? I only use it as free file hosting - everything on it is supposed to be publically-viewed, and I have local copies of all the data. Want my Gawker account? Knoc

Re:

[PhilHibbs]

I've considered using the postfix system (ie. $kurg^is42 would become $kurg^is42_fb on facebook, $kurg^is42_sd on /., etc), but haven't gotten around to actually doing it yet. Probably should.

I do something like that, and I have a few variants of the cryptic prefix as well. I have occasional moments of paranoia that someone will get both Slashdot and Facebook's databases and notice the similarity between my passwords, but really, I'm not that interesting a target for that much effort.

Re:

[jomama717]

I use password safe [sourceforge.net], installed on a thumb drive. I have over 150 unique passwords I have to keep track of for work, as well as close to 100 unique passwords for personal sites stored on it. For passwords I rarely need I let the safe generate them for me, I never even actually know them. Just double click on the entry and it is inserted into your clipboard for ~3 minutes or something. For ones I use more frequently I came up with a scheme:

• All passwords are of the form "[prefix][password][postfix]"
• Choose

Re:

[John Hasler]

> ...would that be secure enough?

As long as you are the only one doing it. Once the practice became widespread it would become worthless (I am not a security expert.)

Strong Password Necessity?

[dmatos]

Here's how I look at it:

My PSN account is used purely for entertainment. It is not linked to a credit card. I have made one PSN purchase on my credit card. My credit card company offers fraud protection.

Why should I have a 26-character long UTF-8 password that I'm never going to remember? It's about as useful as having a strong password on the hotmail account I use to sign up to websites. Huge pain in the ass, negligible benefit.

My banking site, my PayPal account, my Canada Revenue Agency account - these are the places that I bother to use strong passwords. Elsewhere, I don't care that much.

Would you trust your "good" passwords to Sony?

[leonbev]

Knowing Sony's recent track record with system security, I wouldn't bother using one of my "good" passwords at one of their sites anyway. If there is a good chance that some hacker is going to get a hold of their password file and post it on the Internet, it might as well be "password" or "abc123". I sure as hell wouldn't use the same password that I use for my bank or my e-mail, anyway.

Here's the Thing

[wbav]

Sit down and think of the number of sites/services/etc. that you access each week.

Pretend for a second your browser doesn't remember a single one of them.

I came up with 34 different sites. 34 different systems with their own rules, regulations and security questions. Some sites only allow alpha numeric, some require the alphabet to be limited to what shows up on a touch tone phone. Others require passwords to change every 30 days with no repeats for the last 5 passwords.

At 9 characters a piece, tha

Why protect against brute force attacks?

[Phurge]

Excuse my ignorance, but why not have a system that locks you out after three attempts and sends an email to your previously verified email account?

Why all this focus on "unguessable" passwords when it looks like if you have a powerful enough computer you can guess most in minutes?

Ok perhaps banks & public utilities need all the crypto stuff, but Joe-sixpack? Surely there's a more elegant solution than getting people to remember unmemorable passwords (which leads to post-it note on the monitor syndrome

"incremental" passwords

[ironicsky]

I use a sort of "incremental" password. My base password is 10+ characters containing letters/numbers/symbols where no character is used more than once. Using part of the website's URL, based on a pattern I've devised for myself, I take letters/symbols out of the URL and prepend it to my password. So if my base password was E21jd78&@qPm and the site was slashdot.org, my password for slashdot dot might end up being SshoTE21jd78&@qPm. This way I only have to memorize the base password, and use the UR

Algorithmic Passwords

[hipp5]

Since the Sony debacle I've switched to deciding my passwords algorithmically. I use a base password of six lower case digits that is the same for all websites. Then I use two capital letters that are related to the website in question (e.g. "SD" for slashdot) which I offset by a certain number of keys in a certain direction (e.g. SD might become "XC" if my offset is one key down, but it's not). Then I append a single number to the end (same in all cases). This gets me a nine digit password with mixed case

The Password Problem

[InsertCleverUsername]

The real problem with passwords is that there's so damned many of them. It's a little exasperating to me that in the 21st century we're still managing security and authentication the same flawed, stupid way. All the idiot users in the world and the hapless tech support people reseting their passwords would cry tears of joy if we could just change to a standardized approach. What I'd really like is something like this:

1) Everybody pick a trusted authentication provider (the Google, Facebook, Verisign,

Don't read too much into it

[matunos]

I wouldn't read too much into people's bad password habits to a site that didn't collect any sensitive personal data. Sharing passwords across sites would be more of a problem as it may lead to inadvertently revealig a password to another site that does have more importance; or losing access to a bunch of individually unimportant accounts may be more traumatic.

Re:Is Sony now in the banking business?

[j00r0m4nc3r]

I guess credit card data is not important to protect

Re:

[somersault]

Bah! I don't waste good passwords on trivial things like money!

Re:

[jhoegl]

OP point is valid.
The only reason people know your Sony password isnt because your account at Sony was brute forced.
Its because Sony is lackadaisical in their patching and security efforts.
Seriously, no one brute forces anymore unless it is against an offline database that they downloaded from the site in question.

Re:

[dgatwood]

My Facebook account got brute forced just a few months ago. It still happens.

Re:

[dgatwood]

I seldom use Facebook anywhere other than on my own home network, my company's network, or a cellular network (none of which are very likely to result in cookie attacks). It's certainly possible that it was attacked in some other way, but the likelihood of that is fairly low.

Re:

[hedwards]

I've found that using non-alphanumeric characters in password fields to be problematic. The main reason being that a lot of sites won't let you use them and that it gets to be a real pain in the ass to fill them in at times. On top of which a lot of companies fail miserably at validating the password fields when they're being entered initially.

In other words, if companies weren't so incompetent when it comes to passwords then we could insist that users enter stronger passwords, as it stands now, if you go f

Re:

[JustOK]

That's the same as I have for my luggage.

Re:

[Big Smirk]

If Sony had my credit card info, then that would make sense. They don't and based on recent history they are either not good enough at security, or too lucrative of a target, so they won't get identifiable information.

Quite frankly, I don't even know the user name I used.

Its just a game console to me

Re:

[Lumpy]

Only a fool gives their credit card to everything.

MY Xbox live account is a simple password. and I'm not dumb enough to give them my credit card. I use their prepaid cards to keep their fingers out of my finances.

Re:

[sangreal66]

You're not even liable for $50 if your credit card number is stolen. That number is the maximum liability if your physical card is stolen (and you report it such). You cannot be held liable for anything if the card remains in your possession. This is regulated in federal law (FCBA) and not subject to bank policies.

So no, it isn't that important for you to protect. That is a problem between the vendor and the bank.

Re:Is Sony now in the banking business?

[Anonymous Coward]

This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.

It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.

Re:

[Anubis IV]

Exactly. I use 1Password to generate and store all of my passwords, and apparently I fell into the 1% that used a non-alphanumeric character in their password. Mine was a 16-character password that mixed caps, numbers, and symbols, and it was unique to PSN, so I've had pretty decent peace of mind when it comes to my password.

Unfortunately, I lacked the forethought to not keep my credit card information on file with them. :/

Re:

[Yvan256]

Of course they're not salted. They're checking their sodium intake!

Re:

[Yvan256]

And, most shockingly, over 99% of passwords are not dead locked, leaving them susceptible to infiltration via sonic technology.

Stop screwing around.

Re:

[snookerhog]

+1 insightful

Re:

[smitty97]

exactly. call it a PIN and you'll get 4 numbers. and most people will use their REAL bank pin on shadystealyourinfosite.biz just so they remember it

Re:

[Quiet_Desperation]

Ask a dozen people on the street about the "Sony rootkit" and most will probably think it's an MP3 player for plants.

Re:

[PhilHibbs]

They probably do that because by French law you have to store them in plain text or something fungible, no one-way-hashing of passwords is allowed in France.

Re:

[BrokenHalo]

It doesn't help when some sites don't even allow non-alphanumeric passwords.

Indeed, and by far the worst culprits I have found for such asinine limitations are banks. I have come across many that impose arbitrarily small password lengths and refuse all non-alphanumeric characters.

Re:

[Captain Centropyge]

Exactly! You'd think a bank would want the most-secure passwords a user can come up with. Why would you ever disallow special characters? And, unlike the other poster who replied, these aren't French banks. They're local American banks. I don't get it...

Re:

[John Hasler]

Sounds like you missed an opportunity to put Bobby Tables to work...

It's also possible that the "#" just happened to fall right after the end of the maximum length password accepted by the site.

Re:

[WuphonsReach]

Which sounds like they're storing the passwords in plain text.

(Yet another reason to just use randomized passwords across different websites. At least an attack on one site won't lead to accounts on other sites being exposed due to password re-use. Heck, for sites like talk forums and community sites where you don't have financial information exposed, just let the browser remember the password. Or use a program or a few GPG encrypted text files.)

Re:

[WuphonsReach]

An issue is, however, hash security. But salts help with that.

Not really. If I know that your password is short, comprised of common english words (say 4,000 common words that are short enough), something like "football123" is going to be cracked in a matter of hours.

4000^2 x 1000 = about 4.4 hours at 1 million/sec

Worse, since "football" is itself probably in that list of the 4000 most common words, my search space is only 4000 x 1000, or 4 seconds.

And probably even faster then that since I would

Re:

[Spy Handler]

what if you need to access a web account (let's say Gawker) and you're not at home? And you can't remember any of your passwords because they're all strong 35-character random characters stored in your password safe? Do you carry a USB stick with your password safe around with you everywhere you go?

And if you do, you still have to insert your USB stick into a foreign computer and type in your master password. What if that gets owned by a keylogger? Then not only is your Gawker password compromised, ever

Re:

[wintercolby]

The article about hash cracking with GPUs was all about cracking NTLM hashes. Even less secure are the random websites that people sign up to with absolutely no idea what type of hash might be used to store their password. To get a good indication of whether or not a site uses a two way encryption or no encryption at all, I usually reset my password. If they email me the (bogus) password that I used to create the account, I know it can't be trusted and put in something simple. There's no telling how str

Re:

[Canazza]

yours had a password?

Re:

[xaxa]

ah geez. it's like being back in school. my best mate's password was "123".

Ah, the memories. (The school's admin password was "access".)

When I was 12 I found out from an older student that the admin password was "changeme". I used it to increase my disc quota.

I then gave the password to a younger student, who changed it. IIRC he had a letter sent to his parents, but I was merely banned from using school computers at lunchtime "until the end of the year", which was about 2 weeks. I think talking to people outside for two weeks probably did me good.

Re:

[WuphonsReach]

It seems that standard username and password as authentication may be coming to an end. Anyone agree?

It's dire, but not as dire at that.

8 characters or less, with little to no complexity is truly dead (and has been for years).

Longer passwords (10-15 characters), with complexity checks and not reusing passwords across sites is still fine for 90% of use cases. In 90% of those cases, you're not protecting anything of much value and an accidental exposure does not lead to loss of life or massive theft.

Re:

[WuphonsReach]

If someone got a hand of the password hash, its gameover - doesnt matter if its a week or 2 month to crack it.

We need to get our collective heads out of the sand and triage the REAL security values!

All sane, opportunistic, attackers operate under the principle of cost/benefit. Is it really worth 2 weeks of computer time to break a password of moderate strength? (12+ characters, reasonable complexity) Is it worth 2 months? Most attackers are going to give up after about an hour and go after the rest