A Brief Sony Password Analysis

Posted by CmdrTaco
from the change-it-now-people dept.
troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."
  • not surprising (Score:2, Insightful)

    by Anonymous Coward

    it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

    • it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

      No, it's really not, especially when you consider that the PS3 will store the password. You should only have to enter it a few times over the lifetime of the unit, and even then, entering some non-alphanumeric chars doesn't make it any more difficult.

    • by Gravatron (716477)
      I use a USB keyboard on my ps3. Helpful for chat, netflix, and password entry.
      • by swv3752 (187722)

        Yeah, I have a wireless mouse keyboard combo from my old MythTV box that I use for the PS3.

  • by vawwyakr (1992390) on Monday June 06, 2011 @09:37AM (#36349424)
    My sony account only held the minimal information and some of that not correct. The PW I used was my public throw away password that I only use on sites that require me to register when I just need it to use a basic service and not enter anything not already public knowledge. So I'm not going to burn a good PW or spend my time trying to memorize a new one to use for something I really wouldn't care if they cracked and couldn't use the same PW on a site for which I care about it being cracked.
    • by Aladrin (926209) on Monday June 06, 2011 @09:53AM (#36349586)

      For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

    • by KidPix (1512501)
      Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.
      • by Rary (566291)

        Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

        I don't have a Sony or Gawker password, but I can tell you that my Slashdot password is more secure than my bank password. However, that's not by my choice. The credit union I use has this pathetic system that requires passwords to be exactly 7 characters and ONLY numeric. Very annoying.

        • by gman003 (1693318)
          My bank is nearly as bad - only uppercase letters and numbers. I used my normal password as a basis for crafting my bank password, but I can never remember if I replaced all Os with 0s, or just the first one, or just the second, or what I did with the underscore, etc. So I still can't remember it. I got tired of doing a password reset every time I wanted to check my balance, and just signed up for mailed account updates. Fuck trees.
    • by aliquis (678370)

      Personally I don't see the horror in "99% of passwords don't contain a single non-alphanumeric character."

      Since then is a 8 character password with non-alphanumerics better than a say 50 character password with only alphanumerics?

      Which one is easier to remember of:

      &/fhy47F

      or:

      "omg leet slashdot password try to crack this one stupid"

      and which one is safer?

      Also with no password reminder and all these shitty sites which require you to register for no obvious reason or which require it for a reason which matt

      • by hedwards (940851)

        If you add even a single non-alphanumeric key it means that in order to brute force the password, they don't get to stick with the 26 lower case letters, 26 uppercase letters and 10 digits, they also have to deal with the , ; . ! ? @ and probably even more. And they don't know that's the case until they try every combination of alphanumeric characters that is possible within the given length.

  • by mangu (126918) on Monday June 06, 2011 @09:38AM (#36349428)

    I don't think very long passwords are necessary.

    My own practices:

    No dictionary words, only a string of random letters
    No change, memorize and keep the same password forever

    I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

    • I don't change mine all that often either, and similarly have different levels of passwords.

      What do you mean by "very long"? I think something like 8 or 9 characters minimum is probably necessary to avoid rainbow table cracking these days.

      I've taken to slightly modifying my password depending on which site I am using. It helps to lengthen the password but in an easy to remember way, even though my basic password is already above the length that should be easily crackable.

      Keeping the same password forever do

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I do somewhat of the same. My letters aren't random though. I typically have a phrase that I remember such as:

      jack went to the store to buy some rice.

      That would become jwttstbsr

      Then append a number n (in this example we'll say n = 3)

      Every nth letter in the original sequence becomes uppercase.

      So then we get jwTtsTbsR3

      Finally, append a single letter suffix designating what it's for. C for computer passwords, F for financial, S for social networking, E for email, W for general websites, etc.

      I tend to change

    • by jovius (974690)

      i use something like 's0m3t#1nG'

      • Decent dictionary attack software already accounts for the more obvious substitutions like i/!, o/0, l/1, e/3, a/4 etc. I tend to use passwords that can be pronounced but aren't actual words.

        But even with a completely random password, you're still screwed if Sony makes the unbelievable and inexcusable mistake of storing them in plaintext. Hell, even the PHP for Beginners book on my shelf explains one-way encryption for passwords to online services.
      • I don't know why people think that "leet-ifying" a word makes it a better password. leetspeak modifications of dictionary words is one of the first variations that password cracking software tries after straight dictionary words.
        • by Inda (580031)
          I've said the same on here many, many times before giving up. No one will listen and no one will change their ways.

          I used to play with password cracking programs on my P3. They all allowed for character substitution and many had a 'leet-speak' option to tick.

          BTW, a full dictionary attack used to take about 3 seconds on my P3 and people would be magically impressed when I found their ZIP file passwords.

          PS. My bank allows 14 characters... *facepalm*
    • But you do know that slashdot e.g. does not transfer your password encrypted but in plain text? So everyone listening to your connection can read it? I would at least distinguish between https and non https accounts.

    • Security through Obscurity plays a part in the overall scheme of things. Not by itself, but a part. That said, unless you use different user names, you shouldn't be telling everyone that you use the same password for all those sites. There are several potential implications that could render partial to complete ID theft.

    • That depends on whether you assume that the attacker has your password hash and can brute-force it at an increased rate. For $1000, an attacker can easily build a unit capable of attacking most password hashes at a rate of say 1 billion per second.

      If your password is 8 characters or less, it will be spit out by that machine in 2-48 hours.

      The math:

      Assume 60-80 possibles per letter in the password, weaker passwords that are mostly lower-case can be as low as 40 possibles per letter.

      40 = ~5.33 bits per
    • by binkzz (779594)

      I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

      Hey! Would you like to sign up to my site? http://dodgysite.com/ [dodgysite.com] . It has tons of cool stuff. Hope to see you there soon!
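The remark earlier in this thread about Sony storing passwords in plaintext instead of one-way hashing them is the server side of the same problem: a fast brute-force rate only matters once the attacker has hashes, and plaintext storage hands over every password at once. The following is an added example, not code from the page or from Sony, showing how a site should store and verify passwords: a random per-user salt and a deliberately slow derivation (PBKDF2-HMAC-SHA256 here; the 200,000 iteration count is an assumption to be tuned so one verification costs roughly 100 ms on the server). Because the stored record has a fixed length whatever the password length, there is also no reason for the length caps complained about later in the thread.

```python
import base64
import hashlib
import hmac
import os

# Assumption: tune so that one verification takes on the order of 100 ms on
# your own hardware; the value below is only a plausible starting point.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed (rainbow) table is useless.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ))


def verify_password(password, record):
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        raise ValueError("malformed password record")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm {algo!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    # compare_digest does not leak where the first mismatching byte is.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed demo users. A long passphrase costs nothing extra to store,
    # since the record length does not depend on the password length.
    users = {
        "alice": hash_password("password"),
        "bob": hash_password("password"),
        "carol": hash_password("omg leet slashdot password try to crack this one stupid"),
    }
    for name, rec in users.items():
        print(name, rec)
    print("alice and bob share a password, records differ:", users["alice"] != users["bob"])
    print("login alice/password:", verify_password("password", users["alice"]))
    print("login alice/Password:", verify_password("Password", users["alice"]))
```

Storing the algorithm and iteration count alongside the hash is what lets a site raise the cost later and re-hash each user on their next successful login, rather than being stuck with whatever was chosen at launch.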

  • lowercase (Score:5, Insightful)

    by Njovich (553857) on Monday June 06, 2011 @09:46AM (#36349506)

    '82% of passwords are lowercase alphanumeric of 9 characters or less.'

    So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

    • The point is that it's easier to guess a password when you know it only has 36 possible characters, as opposed to 62.
      • by Kjella (173770)

        Apple23
        aPple23
        apPle23
        appLe23
        applE23

        = about 5 times as difficult. The point is that people don't use combinations like ApPLe23, capitalizing one letter because you must isn't exactly a huge gain. Particularly since most people will capitalize the first, since it's easiest. I do stick to alphanumeric passwords though, everything else always generate so much crap with character sets, keyboard layout etc.

    • by stewbee (1019450)
      In a way I agree with you, but let's just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then gives 52^n combinations. If you were a code cracker, and knew in advance that most people only used lower case letters, then why waste your time with upper case letters. Your code cracking program would take longer allowing for upper case letters. It's a matter of low hanging fruit; non capitalized password code cracker will
      • Re:lowercase (Score:4, Insightful)

        by Rich0 (548339) on Monday June 06, 2011 @03:35PM (#36354388) Homepage

        In a way I agree with you, but let's just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then gives 52^n combinations.

        The parent's point was that this isn't actually correct. That is only true if ANY or ALL of those characters could be upper case. Well, they could be, but most likely they aren't. Instead it is probably the case that all but one are lower case. So, the number of possibilities isn't 52^n, but rather n*26^n. That is barely larger than 26^n.

        Require 8 characters, of which at least one is upper case and one is a number? Ok, users will go with the minimums on both, so you start with 6 lowercase and 1 uppercase letters, which is 7*26^7. Then you throw in a digit. That could go in 8 positions, and could be any of 10 characters, so multiply that number by 80. If you just check a "1" in the last character position then you don't increase the number of combinations at all and you'll probably nail 80% of the passwords anyway.

        If I lose my car keys then a true brute force search would have to cover the entire volume of c * the elapsed time since I last saw them. However, I wouldn't start by searching the moons of Jupiter - the kitchen counter is far more likely to yield dividends.

    • by Rary (566291)

      Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

      For starters, you shouldn't be speaking out a password, unless it's the password to something really trivial and low security, in which case go ahead and use a simple all lowercase password. As for remembering the location of the capital letters, use a simple pattern.

      For example, if you take the word "password", replace a couple letters with numbers, such as "p4ssw0rd", and then just hold down the SHIFT key for every second character, you get "p$sSw)rD", which is many times more secure, and simple to memori

    • Actually, it's not exactly true if you are brute-forcing. If you have a nine-characters-long password, of which exactly one letter is uppercase (assuming you can determine that), you would have 8 lowercase letters (26^8) * 26*9 possibilities (because the uppercase letter can appear in 9 different places), so that would make it 9 times the time required to bruteforce an all-lowercase password. That's why they recommend you to use digits, special characters and uppercase letters; they DO increase a LOT the am

    • by swillden (191260)

      Good luck brute forcing a 9 character lowercase alphanumeric password

      Per yesterday's article, a GPU can test 3.3 million passwords per second. That means the entire space of 9-character lowercase alphanumeric passwords (there are 36^9 of them) can be searched on a single GPU in 356 days, which means that on average it will take 178 days to find a given password with an undirected brute force search. In practice, that can probably be reduced significantly by searching first for dictionary words, combinations of pieces of dictionary words or letter sequences that are "pronou
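The disagreement in this thread about whether a capital letter adds anything comes down to arithmetic, and swillden's 356-day figure is reproducible. The following is an added example, not from the thread, that works the numbers through: the 36^9 space at the quoted 3.3 million guesses per second, Rich0's point that "exactly one capital" multiplies the space by n rather than by 2^n, his minimal-compliance model for an 8-character "one upper, one digit" policy, and the billion-per-second rate quoted earlier in the discussion. The 95-symbol printable-ASCII row is added for comparison and is not a figure from the page.

```python
import math

# Guess rates quoted in the thread: one GPU, and the "$1000 box" figure.
GPU_RATE = 3.3e6
RIG_RATE = 1e9

LOWER, DIGITS = 26, 10


def keyspace(charset_size, length):
    """Passwords possible when every position may hold any of charset_size symbols."""
    return charset_size ** length


def one_uppercase_keyspace(length):
    """Lowercase word with exactly one capital letter: n * 26^n, not 52^n."""
    return length * LOWER ** length


def minimal_policy_keyspace(length=8):
    """Rich0's model of an 'at least one upper, one digit' policy when users do
    the bare minimum: (n-1) letters of which exactly one is upper, plus a
    digit in any of the n positions."""
    letters = length - 1
    return letters * LOWER ** letters * (length * DIGITS)


def bits(space):
    """Entropy of a password chosen uniformly from a space of that size."""
    return math.log2(space)


def days_to_exhaust(space, rate):
    """Time to try every password at `rate` guesses/second; the expected time
    to hit one specific random password is half of this."""
    return space / rate / 86400


if __name__ == "__main__":
    rows = [
        ("9 lowercase alphanumeric (36^9)", keyspace(36, 9)),
        ("9 mixed-case alphanumeric (62^9)", keyspace(62, 9)),
        ("9 lowercase, exactly one capital (9*26^9)", one_uppercase_keyspace(9)),
        ("8 chars, minimal 'upper+digit' compliance", minimal_policy_keyspace(8)),
        ("8 chars from 95 printable ASCII (95^8)", keyspace(95, 8)),
    ]
    for label, space in rows:
        print(f"{label:44} {bits(space):5.1f} bits  "
              f"GPU {days_to_exhaust(space, GPU_RATE):10.1f} d  "
              f"rig {days_to_exhaust(space, RIG_RATE):8.2f} d")
    print("52^8 is", keyspace(52, 8) // one_uppercase_keyspace(8),
          "times the 'one capital' space for 8 characters")
```

The table makes the thread's two points at once: at 3.3 million guesses per second the 9-character lowercase alphanumeric space takes roughly 356 days to exhaust, but at a billion per second it is about a day, and a policy that users satisfy minimally adds only a small factor over plain lowercase.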

  • by Anonymous Coward on Monday June 06, 2011 @09:53AM (#36349578)

    The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.

    • by tompaulco (629533) on Monday June 06, 2011 @11:49AM (#36351060) Homepage Journal
      Mod parent up. Nevermind different sites, we have different password requirements on different systems WITHIN MY OWN COMPANY. Our expense reporting system, bug tracking system, OS login, and intranet login all have different and incompatible password requirements, and some of these also expire, requiring you to think of a NEW one that fits the format. So within my own company I have to remember 5 different passwords (plus the other system passwords, some of which I also need to know to perform my job). Then externally, I probably have 30 to 40 sites that I have accounts on that I use on a regular basis. Some of these not only have crazy password requirements, but some have non-choosable usernames, like a number or a name that they assign you. Sometimes they assign you a password as well and won't let you change it.
      So it comes down to sticky notes, or a trusted source to keep all your passwords. I have chosen the latter. I have a password file that I keep on my own domain. However, even that is not foolproof, because I don't host the server myself, so somebody at the host, or somebody that compromised the host could get in and look at that file (I have permissions set to keep the casual viewer out, but these people would obviously have admin permission). I still have security through obscurity, as they would have to recognize the file for what it was, while wading through thousands of uninteresting files, and then figure out what user and password goes with what site, which is somewhat cryptic, but recognizable by me.
      As an aside, why does talking about my file which is hosted on a unix based system make me want to use vi editor keys when typing into slashdot?
  • My Best Practices (Score:4, Interesting)

    by gregarican (694358) on Monday June 06, 2011 @09:55AM (#36349612) Homepage

    For my passwords I use the keys one-up-and-to-the-right of the "dictionary style" password I have. For example, for password this would come out as -wee305r, making it harder to brute force. Of course if the passwords are all stored plain text by some incompetents what's the point?!

  • by Anonymous Coward on Monday June 06, 2011 @09:57AM (#36349626)

    '); DROP TABLE Password;

  • by Idimmu Xul (204345) on Monday June 06, 2011 @09:57AM (#36349628) Homepage Journal

    of having 100 alphanumeric+special character long passwords when websites just give up the password lists with the magical words 'sql injection'?

    Unique passwords at least ensure that once a website you frequent is compromised you don't get further screwed over...

  • by chemicaldave (1776600) on Monday June 06, 2011 @09:58AM (#36349632)
    There must have been a few dozen.
  • 67% of accounts on both Sony and Gawker use the same password.

    Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinality of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

    • by Jim Hall (2985)

      67% of accounts on both Sony and Gawker use the same password.

      Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinality of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

      IIRC, Gawker had their username/password database stolen a year or so ago? I read the "67%" as: for accounts on both Gawker and Sony, where the email address matched up, 67% of the passwords were also the same.

      That is, 2/3 of the people who had accounts on both Gawker and Sony were using the same password, not a different one.
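The figures in the story summary depend on how the data was sliced, and the exchange above settles the most ambiguous one: the 67% is the share of accounts present in both dumps, matched on e-mail address, whose passwords were identical. The following is an added example, not Troy Hunt's code, that computes the summary's five statistics over two constructed toy dumps. The e-mail/password pairs, the "common password dictionary" and the two-column layout are all made up for illustration; only the definitions of the metrics follow the summary.

```python
import re

# Constructed toy dumps (not real leaked data): (email, password) pairs as a
# leaked table would give them after extraction.
SONY = [
    ("alice@example.com", "password"),
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "sunshine"),
    ("dave@example.com", "abc123"),
    ("erin@example.com", "qwertyuiop1"),
    ("frank@example.com", "letmein"),
]
GAWKER = [
    ("Alice@example.com", "password"),   # same person, address differs only in case
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "moonlight"),
    ("zoe@example.com", "dragon"),
]
# Stand-in for a "common password dictionary"; real lists run to millions.
COMMON = {"password", "123456", "abc123", "letmein", "sunshine", "dragon", "qwerty"}

LOWER_ALNUM_LE_9 = re.compile(r"[a-z0-9]{1,9}")
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")   # ASCII only; str.isalnum would accept more


def share(predicate, items):
    """Fraction of items for which predicate holds (0.0 for an empty list)."""
    return sum(1 for x in items if predicate(x)) / len(items) if items else 0.0


def analyse(dump, dictionary=COMMON):
    """The per-dump statistics from the summary, as fractions of all accounts."""
    pws = [pw for _, pw in dump]
    return {
        "in_dictionary": share(lambda p: p in dictionary, pws),
        "len_le_7": share(lambda p: len(p) <= 7, pws),
        "lower_alnum_le_9": share(lambda p: LOWER_ALNUM_LE_9.fullmatch(p) is not None, pws),
        "no_special": share(lambda p: ALNUM_ONLY.fullmatch(p) is not None, pws),
    }


def reuse_rate(dump_a, dump_b):
    """Join the two dumps on case-folded e-mail. Returns (fraction of the
    overlapping accounts whose passwords are identical, size of the overlap)."""
    a = {email.lower(): pw for email, pw in dump_a}
    b = {email.lower(): pw for email, pw in dump_b}
    both = a.keys() & b.keys()
    if not both:
        return 0.0, 0
    same = sum(1 for e in both if a[e] == b[e])
    return same / len(both), len(both)


if __name__ == "__main__":
    for name, value in analyse(SONY).items():
        print(f"{name:18} {value:6.1%} of {len(SONY)} Sony accounts")
    rate, overlap = reuse_rate(SONY, GAWKER)
    print(f"same password on both sites: {rate:.1%} of {overlap} overlapping accounts")
```

Note that the reuse figure is a fraction of the overlap, not of either dump, which is why it can be reported without a full account-to-account map; the join key is the e-mail address, case-folded because the two sites need not have stored it the same way.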

  • by mcmonkey (96054) on Monday June 06, 2011 @10:01AM (#36349652) Homepage

    The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.

    With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

    So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.

    Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

    • you could use a password management tool like keepassx to remember them for you

      • by mcmonkey (96054)

        Except I can't install any software I want on the company's computer. You know, for security!

        • If you use 1Password, it has companion iOS and Android apps which will automatically sync via Dropbox to your computers. No need to install anything on the company computers when you can keep it on your phone, and the data on the phone is independently encrypted and password protected in addition to anything the mobile OS does.

        • by Terrasque (796014)

          You could try looking at a solution like http://www.hashapass.com/ [hashapass.com]

          The relevant JS code:

          // b64_hmac_sha1() comes from a separate SHA-1 library the page loads;
          // it is not defined in this snippet.
          function update()
          {
              var res   = document.getElementById('resultId');     // output field
              var seed  = document.getElementById('seedId');       // master password
              var param = document.getElementById('parameterId');  // per-site parameter

              // Base64 of HMAC-SHA1 over the two fields, truncated to 8 characters
              var hashapass = b64_hmac_sha1(seed.value, param.value).substr(0, 8);

              res.value  = hashapass;
              seed.value = '';   // clear the master password from the form
              res.select();
          }

          As long as you're allowed to make an ascii text document and have access to a web browser, that's available.
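The snippet above is a stateless password derivation: nothing is stored, the per-site password is recomputed from a master secret and a site name each time. The following is an added example, not hashapass's own code, that reproduces the construction in Python and adds the check a practitioner wants: what happens when one derived password leaks. It assumes, as in the widely used sha1.js library that function name comes from, that b64_hmac_sha1(key, data) takes the key first, so the master password ("seed") is the HMAC key and the site parameter is the message. The master password, site names and candidate list are constructed for illustration.

```python
import base64
import hashlib
import hmac


def hashapass(master, parameter, length=8):
    """Derive a site password the way the JS above does: Base64 of HMAC-SHA1
    keyed with the master password over the site parameter, truncated to
    `length` characters (8 on the site).

    Assumption: b64_hmac_sha1(key, data) takes the key first, so seed is the
    key and the site parameter is the message."""
    mac = hmac.new(master.encode("utf-8"), parameter.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")[:length]


def output_bits(length=8):
    """Each Base64 character carries 6 bits, so 8 characters is at most 48 bits,
    however strong the master password is."""
    return 6 * length


def recover_master(derived, parameter, candidates):
    """The attack the scheme must survive: someone who obtains one derived
    password (say from a site that stored it in plaintext) and knows or guesses
    the parameter can try master passwords offline. Returns the first candidate
    that reproduces the derived value, or None."""
    for candidate in candidates:
        if hmac.compare_digest(hashapass(candidate, parameter, len(derived)), derived):
            return candidate
    return None


if __name__ == "__main__":
    master = "correct horse battery"   # constructed example master password
    for site in ("slashdot.org", "sony.com", "gawker.com"):
        print(f"{site:14} {hashapass(master, site)}")
    # Constructed candidate list standing in for a cracker's wordlist.
    leaked = hashapass(master, "sony.com")
    print("recovered master:",
          recover_master(leaked, "sony.com",
                         ["password", "letmein", "correct horse battery"]))
```

Two consequences follow for anyone using this instead of a password manager. The per-site output is capped at 48 bits and drawn from the Base64 alphabet, so it may fail a site's "must contain a symbol" rule (only '+' and '/' can appear) and cannot be changed after a breach without changing the parameter. More importantly, the site parameter is usually guessable, so a single derived password recovered from a plaintext-storing site is enough for an offline attack on the master, which therefore has to be as strong as the sum of everything it protects.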

    • by KMitchell (223623) on Monday June 06, 2011 @10:17AM (#36349828)

      Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

      Nothing inherently wrong with writing down passwords. You move from "something you know" to "something you have". As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.

    • Agreed!

      I've recently invested time and changed *all* my online passwords. Everything stored inside KeePass with random very strong passwords. Even comparing with the 'core' sites such as Facebook, Twitter, Ebay, Paypal, Gmail --- *ALL* of them have different requirements which I think is unacceptable. Some enforce 14 chars but don't accept alpha-characters while others cap at 20. One big kudos is Facebook was the best and accepted 256 random characters.

      So yes, *we* need to agree on the minimum standar

      • by CastrTroy (595695)
        Kind of funny, since they are only using a hash, why not just allow any length of password. The hash will always be the same length, regardless of the length of the password. You could even allow users to upload a file as their password, in order to allow for non-typeable byte values in order to increase entropy. If you stored the files for each website on a truecrypt partition that automatically dismounted after a timeout, it would probably be about as secure as using keepass, and the actually password
    • by eulernet (1132389)

      At my job, the policy was to change passwords every month.

      The guy explaining how to be able to keep memorizing the passwords gave us the following trick:

      use your normal password as a prefix
      then as suffix, add a counter, like 00, 01, 02, etc...
      The idea is to increment the counter when the password expires.

      After a few months, the management got upset about this policy, and we have now had the same password for 2 years.

    • by danpat (119101)

      Online password manager with client-side encryption and secure password generation: http://clipperz.com/ [clipperz.com]

    • This is exactly the type of thing a smartcard would be good for. You could have all unique passwords using the strongest randomizer possible (or use PKI or similar) and only have to remember a simple PIN for your card. The PIN can be relatively short and simple too (although making it more complicated is recommended).

      A smartcard provides a hardware level of protection as it's much more difficult to brute force because it can be set to self destruct after a certain number of bad PIN attempts. Usually betw

    • by Roogna (9643)

      Use a password management system, that is -not- on your computer. For instance 1Password is available on iOS devices. I'm sure Android has similar apps.

    • Re: (Score:3, Informative)

      by gman003 (1693318)
      I have three different passwords I use for everything. The weakest (8 characters, 2 non-alphanumeric and one uppercase, but I sometimes have to strip the & and @ on things that don't allow it) is used on things where I really don't give a shit if someone hacks it. Want to upload stuff to Imageshack in my name? Who cares? Want to hack my Dropbox? I only use it as free file hosting - everything on it is supposed to be publicly-viewed, and I have local copies of all the data. Want my Gawker account? Knoc
      • by PhilHibbs (4537)

        I've considered using the postfix system (ie. $kurg^is42 would become $kurg^is42_fb on facebook, $kurg^is42_sd on /., etc), but haven't gotten around to actually doing it yet. Probably should.

        I do something like that, and I have a few variants of the cryptic prefix as well. I have occasional moments of paranoia that someone will get both Slashdot and Facebook's databases and notice the similarity between my passwords, but really, I'm not that interesting a target for that much effort.

    • by jomama717 (779243)
      I use password safe [sourceforge.net], installed on a thumb drive. I have over 150 unique passwords I have to keep track of for work, as well as close to 100 unique passwords for personal sites stored on it. For passwords I rarely need I let the safe generate them for me, I never even actually know them. Just double click on the entry and it is inserted into your clipboard for ~3 minutes or something. For ones I use more frequently I came up with a scheme:
      • All passwords are of the form "[prefix][password][postfix]"
      • Choose
  • by dmatos (232892) on Monday June 06, 2011 @10:15AM (#36349808)

    Here's how I look at it:

    My PSN account is used purely for entertainment. It is not linked to a credit card. I have made one PSN purchase on my credit card. My credit card company offers fraud protection.

    Why should I have a 26-character long UTF-8 password that I'm never going to remember? It's about as useful as having a strong password on the hotmail account I use to sign up to websites. Huge pain in the ass, negligible benefit.

    My banking site, my PayPal account, my Canada Revenue Agency account - these are the places that I bother to use strong passwords. Elsewhere, I don't care that much.

  • Knowing Sony's recent track record with system security, I wouldn't bother using one of my "good" passwords at one of their sites anyway. If there is a good chance that some hacker is going to get a hold of their password file and post it on the Internet, it might as well be "password" or "abc123". I sure as hell wouldn't use the same password that I use for my bank or my e-mail, anyway.

  • Sit down and think of the number of sites/services/etc. that you access each week.

    Pretend for a second your browser doesn't remember a single one of them.

    I came up with 34 different sites. 34 different systems with their own rules, regulations and security questions. Some sites only allow alpha numeric, some require the alphabet to be limited to what shows up on a touch tone phone. Others require passwords to change every 30 days with no repeats for the last 5 passwords.

    At 9 characters apiece, tha
  • Excuse my ignorance, but why not have a system that locks you out after three attempts and sends an email to your previously verified email account?

    Why all this focus on "unguessable" passwords when it looks like if you have a powerful enough computer you can guess most in minutes?

    Ok perhaps banks & public utilities need all the crypto stuff, but Joe-sixpack? Surely there's a more elegant solution than getting people to remember unmemorable passwords (which leads to post-it note on the monitor syndrome

  • I use a sort of "incremental" password. My base password is 10+ characters containing letters/numbers/symbols where no character is used more than once. Using part of the website's URL, based on a pattern I've devised for myself, I take letters/symbols out of the URL and prepend it to my password. So if my base password was E21jd78&@qPm and the site was slashdot.org, my password for slashdot dot might end up being SshoTE21jd78&@qPm. This way I only have to memorize the base password, and use the UR
  • Since the Sony debacle I've switched to deciding my passwords algorithmically. I use a base password of six lower case digits that is the same for all websites. Then I use two capital letters that are related to the website in question (e.g. "SD" for slashdot) which I offset by a certain number of keys in a certain direction (e.g. SD might become "XC" if my offset is one key down, but it's not). Then I append a single number to the end (same in all cases). This gets me a nine digit password with mixed case
  • The real problem with passwords is that there's so damned many of them. It's a little exasperating to me that in the 21st century we're still managing security and authentication the same flawed, stupid way. All the idiot users in the world and the hapless tech support people reseting their passwords would cry tears of joy if we could just change to a standardized approach. What I'd really like is something like this:

    1) Everybody pick a trusted authentication provider (the Google, Facebook, Verisign,
  • I wouldn't read too much into people's bad password habits to a site that didn't collect any sensitive personal data. Sharing passwords across sites would be more of a problem as it may lead to inadvertently revealing a password to another site that does have more importance; or losing access to a bunch of individually unimportant accounts may be more traumatic.
