What LulzSec Logins Reveal About Bookworms, and Passwords

Posted by timothy
from the keeping-them-straight-does-get-tricky dept.
Barence writes "Today the hacking group LulzSec posted 62,000 hacked email usernames and passwords online. PC Pro's Darien Graham-Smith has analysed the passwords stolen — which are believed to have come from a website for writers — and found some interesting patterns. Aside from 'password' and obvious numerical patterns (i.e. '12345') the most common passwords share a literary theme: 'romance,' 'mystery,' 'shadow' and 'bookworm' are all commonly used passwords. 'Clearly, this is a back-of-an-envelope breakdown of a mixed mass of unverified data,' said Graham-Smith. 'But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.'"
  • Are you sure? (Score:5, Insightful)

    by DanTheStone (1212500) on Thursday June 16, 2011 @04:13PM (#36467578)
    Perhaps these are their passwords for every site, and this site just over-represents people interested in books and writing. I certainly don't use custom passwords based on the type of site.
    • You re-use the same password for multiple sites? Good to know. How would you like to register for a free account on my site?

      • You must be on a netbook. You seem to have missed the last six words of his post.

      • What's wrong with the same throw-away password for multiple sites? Personally, I usually make new usernames for different sites as well, but does it really matter if you didn't? The best someone could do is get your email address, which, presumably, you haven't used a "throw-away password" for. Or spam some forum account that, by definition of it being "throw away worthy", you do not care about?

        Otherwise you would have hundreds of unique password and usernames combinations that you would obviously need to write do

        • by bhcompy (1877290)
          Exactly. Someone hacks my Slashdot password, maybe gets access to a few other worthless sites, nothing of value was lost. Someone posts impersonating me? Oh noes. Having a worthless password for worthless sites is not a problem. It doesn't make you any closer to having the login credentials for my bank, the online stores I use, and other sources that would have actual personal information.
          • Well, see pictures from the riots in Vancouver last night.

            Now imagine someone impersonating you. And posting your info. So that the cops can arrest you. As is happening right now in Vancouver.

            You may not be guilty, but that doesn't mean your life won't be hell for a while.

            • by bhcompy (1877290)
              And they'll also see me at the baseball field coaching my son's little league team in front of 50 witnesses. And that I was at work 2 hours earlier and it takes more than 2 hours to get to Vancouver from my location. etc

              I'm honestly not worried one iota about that type of scenario. Framing someone doesn't just happen on the internet. There are a million reasons why it rarely works, and the internet provides better tracking to prove your whereabouts than analog life.
              • by Hylandr (813770)

                Because people that reuse their passwords do so for paypal, ebay, their bank etc.

                And if you get arrested in America on any of these charges expect to sit in jail for a few years before the committee gets to you. If you get that lucky.

                - Dan.
                 

              • You should be worried. The wheels of justice move slowly. Who knows when the cops will get those pictures of you at the game/work/elsewhere?

                Now imagine that the pictures are of your son - aged 15. You're not always sure where he is. It's not documented. But someone posted a pic of him saying he was in Vancouver, participating in the riot.

                Again, he may not be guilty, but that doesn't mean his and your lives won't be miserable for a while.

          • by hairyfeet (841228)

            That is why I tell my customers to have a "bullshit" email address and password for sites they really don't give a crap about. Every damned site nowadays wants details to let you do anything, so I tell them to have a spam dump email (I personally use my Gmail as their excellent spam filters mean if someone actually sends me something worth reading to my spam dump I still see it) and a BS password they only use for crap sites.

            Seriously, who cares if they get the bullshit info, or spam some spam dump email?

    • I doubt those 30 people using the password "writerspace" for writerspace.com [writerspace.com] use the same password for facebook or their email.

      And just because you don't use a custom password based on the type of site doesn't mean that others don't. I've heard of people who have a base key that they use for their passwords - say "Camaro" for simplicity's sake. Then, for slashdot their password may be "Camslasharo" and for facebook "Camfacebookaro" "Camgmailaro" etc.
      • by Dunbal (464142) *

        I doubt those 30 people using the password "writerspace" for writerspace.com [writerspace.com] use the same password for facebook or their email.

        No you're right, they probably use "facebook" for facebook, and "hotmail" for hotmail. The whole point is that once you identify a user name that uses this type of weak password, you go from astronomical odds of being able to crack to a few dozen possibilities.

        And just because you don't use a custom password based on the type of site doesn't mean that others don't. I've heard of people who have a base key that they use for their passwords - say "Camaro" for simplicity's sake. Then, for slashdot their password may be "Camslasharo" and for facebook "Camfacebookaro" "Camgmailaro" etc.

        Doesn't matter. A "key generation algorithm" simple enough for a person to remember or work out logically is simple enough to guess at - at least far simpler than the number of combinations possible with a truly random password. The point is that if y

        • I never said that it was effective, I was just saying that it is a method that I am aware of that is a semi-common practice among people.
      • by hairyfeet (841228)

        You'll probably laugh at what I tell my customers when they need a really tough password for important sites: flip over your keyboard or look behind your monitor. The serial numbers on plenty of everyday devices around your house make for some pretty tough passwords that aren't tied to anything personal about you like in TFA, and these devices will be with them for years if not forever.

        I personally like the serial numbers on my musical equipment since I never get rid of my basses and if I ever forget i

    • Me neither. If it is true, however, the majority of the passwords used here would be "slashdot", "newsfornerds", "linux", "micro$oftsuckz" or "applefanboi".
    • by enderjsv (1128541)

      I thought about doing a mix. Like, I have a series of numbers, symbols and letters that I've memorized. It's a very secure password, and I like using it because I can remember it.

      But of course, using the same password on every site isn't good practice, so I've made various little changes to the series. Only problem is, it gets hard to remember what series fits what site. So I thought of using the same series for every site, and then simply attaching the first and last alphanumeric character of the websi

      • Why not just use LastPass or one of the bookmarklets that make a hash from a master password and the site url?

        • by enderjsv (1128541)

          Because it's easier just to have the password in my head. Yup, I'm that lazy

      • by gnick (1211984)

        So I thought of using the same series for every site, and then simply attaching the first and last alphanumeric character of the website address to the password. That way I'll have a secure password on every site that is easy to remember wherever I use it.

        That's what I do, except to be more secure I use the first and last 3 alphanumerics from each site. Conveniently, several of my passwords are identical: "wwwpasswordcom".

    • check your passwords (Score:4, Informative)

      by iamhassi (659463) on Thursday June 16, 2011 @04:30PM (#36467744) Journal
      Here's a link to the passwords so you can check if your password is on there [pcpro.co.uk]

      Just search the page for your password. Chrome does a great job of this because it starts highlighting matching passwords as you type it. I just checked my passwords, none of them are on this list.
      • Cool, mine aren't on there. A long time ago I was webmaster of poiuyt.com, and I was always amazed at the number of people who used a @poiuyt.com address as an email address with qwerty as the password on various sites around the web.

      • by Ihmhi (1206036)

        hunter2 isn't on the list, but hunter22 is. Clearly our friend [bash.org] realized he was hacked and upgraded his password strength.

    • Very true, though I must admit I'm a very staunch supporter of different passwords for different sites, and the easiest way that I've personally found to do that is to theme them accordingly. For example my WoW password is usually some variation of #W4rCrfT#112 or my credit card is something like $5M0ni35s$$!... it just makes it easier.
    • That was my 1st guess too. However, here's a list of the top 45 most common passwords for that site. I've bolded the obvious literature related passwords. Others may be as well, such as person names that might be references to characters. You may be right, of course, but literature related passwords do seem overrepresented.

      0.9231% "123456"
      0.3157% "123456789"
      0.2142% "password"
      0.1417% "romance"
      0.1095% "102030"
      0.1079% "mystery"
      0.0998% "123"
      0.0998% "ajcuivd289"
      0.0998% "shadow"
      0.0998% "tigger"
      0.08
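
An added example, not code from the article or from any commenter: a small analyser that produces the kind of breakdown shown above from an "email:password" dump, tags the patterns the thread discusses (theme words, the site's own name, keyboard sequences, 6-7 digit numbers) and lets an operator check whether addresses on domains they control appear. The dump, the site name and the theme-word list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample dump in "email:password" form; every address and password
# here is made up for this example, none comes from the leaked file.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.org:romance
carol@example.net:writerspace
dave@isp-example.com:mystery
erin@example.com:4829371
frank@example.org:123456
grace@example.net:shadow
heidi@example.com:Tr0ub4dor&3
ivan@isp-example.com:password
judy@example.org:1029384
"""

SITE_NAME = "writerspace"  # the site the thread guesses the dump came from
THEME_WORDS = {"romance", "mystery", "shadow", "bookworm"}  # words the article singles out


def parse_dump(text):
    """Split 'email:password' lines; split once, since a password may itself contain ':'."""
    creds = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines rather than failing the whole run
        email, password = line.split(":", 1)
        creds.append((email.strip().lower(), password))
    return creds


def frequency_table(creds, top=10):
    """Percent of all accounts using each password, in the style of the list above."""
    counts = Counter(pw for _, pw in creds)
    total = len(creds)
    return [(round(100 * n / total, 4), pw) for pw, n in counts.most_common(top)]


def classify(password, site=SITE_NAME):
    """Tag one password with the patterns the thread discusses."""
    tags = set()
    if password.lower() in THEME_WORDS:
        tags.add("theme")
    if site.lower() in password.lower():
        tags.add("site-name")  # e.g. "writerspace" on writerspace.com
    if password.isdigit() and password in "1234567890":
        tags.add("sequence")  # keyboard-order runs such as 123456
    elif re.fullmatch(r"\d{6,7}", password):
        tags.add("6-7-digit-numeric")  # the generated-looking numbers noted later in the thread
    return tags


def pattern_summary(creds):
    """How many accounts fall into each pattern."""
    summary = Counter()
    for _, pw in creds:
        summary.update(classify(pw))
    return dict(summary)


def accounts_under_domains(creds, domains):
    """For an operator checking whether addresses on domains they control appear in a dump."""
    wanted = {d.lower() for d in domains}
    return sorted(email for email, _ in creds if email.rsplit("@", 1)[-1] in wanted)
```

Run over the real file, the percentages line up with the list above only if the file has one credential per line; anything else is skipped silently, so compare `len(creds)` with the line count first.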

  • So they discovered a shadowy bookworm romance mystery? I'm guessing one participant was a librarian?
    • by Dunbal (464142) *

      I'm guessing one participant was a librarian?

      If that was the case, then the password would be "Ook.". Sorry if you're not a Terry Pratchett fan, you just won't get this.

  • There should be laws created to impose massive fines for sites storing plaintext passwords. There's absolutely no excuse for this. I understand that you can't govern the entire internet, but I would be content with American laws governing American sites. It would be a nice start.
    • by BStroms (1875462)
      My site uses a simple substitution cipher. With the characters I allow for a password there's over 80! possible keys. I'm confident my users all use sufficiently random passwords that no one would be able to analyze the cipher based on the data they hacked.
    • by SheeEttin (899897)

      There should be laws created to impose massive fines for sites storing plaintext passwords.

      Be careful what you wish for--if that does happen, you should probably expect a whole lot of ROT13 implementations...

  • oh noez! (Score:5, Interesting)

    by torgis (840592) on Thursday June 16, 2011 @04:21PM (#36467650) Journal

    Easy-to-remember passwords for a site that doesn't matter at all? Color me shocked. When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info. That way if someone does acquire this info (and it has happened multiple times) I don't get burned. For important things like banking and gmail, I have 2-step authentication enabled and use a strong password on top of that. Different on every site of course.

    But for stuff like writers forums, tech support sites, slashdot (haha!) and the like? I don't use and don't care to use a strong password because, well, what's the point? You don't hear about individuals on these sites being hacked because of the insecure passwords they use. No, you hear about the administrators of these sites having their sites hacked and their userlists and passwords stolen. What good does a strong password serve on a site like this when there are gaping security holes in the OS hosting the forums?

    And why, for Xenu's sake, are people still storing passwords in plaintext??

    • Re: (Score:2, Funny)

      by networkBoy (774728)

      And why, for Xenu's sake, are people still storing passwords in plaintext??

      because their lazy.

    • I use "h=6.62606957e-34J*s" as a password in a few places that don't matter (work login at my old job that had to change every month mainly). It fits the most common security requirements (lower case letter, upper case letter, number, special character), is not terribly common (12345) and is easy to remember; after all, it's Planck's constant. I rotate through universal physical constants for passwords. Of course I don't use it for /., nor do I reuse this username elsewhere. Actually "important" things (e-mai
    • When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info.

      Bonus points for unimportant sites that don't accept mailinator.com e-mail addresses or won't let you set a weak, easy to remember password.

      Because, you know, if my "I can haz cheezeburger" account gets compromised, western civilization might end.

    • Password reuse is a major problem, regardless of site. There is very little excuse not to use tools like 1Password, LastPass or KeePassX.
      I've gotten my technophobic parents and wife on the treadmill (all use 1password via a family license).

      I've gotten them comfortable ditching their "known good password" on their other sites, learning the strong master password by heart, and got them comfortable enough to generate a good-length (default 18 characters) password for any site that needs it.

      The best part about

      • by tehcyder (746570)
        There is very little excuse not to use tools like 1Password, LastPass or KeePassX.

        How about "if it's not your bank account who gives a flying fuck about security and strong passwords" as an excuse?

    • by gad_zuki! (70830)

      Actually, the article is a little sensationalist. I just looked at the password file. About 2/3rds of the passwords are decent. Long, not 100% obvious, mix of numbers & characters, etc. I was expecting more of an 80/20 ratio of crap vs decent and I was really surprised. Also kudos to the guy who uses "707294en14.SmMeG"

      That said, I see a pattern of lots of numerical 6 and 7 digit passwords. They don't look like phone or postal codes. I'm guessing that their password reset tool picked 6 or 7 random numbe

    • by dadioflex (854298)

      When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info. That way if someone does acquire this info (and it has happened multiple times) I don't get burned.

      And use guerrillamail.com to get a temporary email if you need to hit a verification link.

    • by gsslay (807818)

      And why, for Xenu's sake, are people still storing passwords in plaintext??

      Because, as you've already established, for this website they don't matter.

  • by Anonymous Coward

    I'd always be wary about all these grand "revealings" about passwords from LulzSec.

    How many usernames/passwords on an innocent blogging site like that are completely throwaway?

    I know that on randomblog.com if I want to make an account on the spot, I'm certainly far more likely to use "asdf123" for a username and "randomblog" as a password than I am a 16 digit alphanumeric/symbol/mixed case password that I will forget in 5 minutes.

    Who cares if your blogspot account gets hijacked? What are they going to do, w

  • Many of these passwords are a consequence of a person not wanting to write down their passwords for fear of the written down password being found. Thus, instead of creating an effective, hard to guess (and hard to remember) password, many people simply come up with a password that is easy to remember, but that they hope is so random, or so obvious, that nobody would guess.

    I teach my children, even the little ones, the old trick of coming up with an easy to remember sentence, picking the first letter of each

  • I saw a similar pattern several years ago when I was emailed a spreadsheet including forum passwords for a role-playing game company. (I was doing volunteer webwork for a regional part of their official fanclub.) The most popular password there (after "password" and "12345"), was "dragon" (even though it wasn't for D&D, although I'm sure many of their customers/fans were also D&D fans (I know I was.))

    And for the record, yes, I told them stop emailing around spreadsheets that included everyone's pa

  • Why are we still using passwords? They will go away, sooner or later.

  • I've championed this before, and I don't know why it doesn't get more press

    instead of the same username pword for every site, make your uname/ pword a derivative of the website name or theme, and your own personal salt

    the rules could be as quirky and arcane as you want

    for example:

    username is the first 3 letters of the website, plus your birthyear, plus the cousin whose name sounds most like the website you're visiting

    password is the street you grew up on, minus the last 3 characters and plus the last 3 character

    • Different username+password per site is good, but as you noticed, it's a drag to remember them all and some algorithmic method and shared knowledge are useful. My method for most sites is to use a handful of usernames, based on class of web site (different on slashdot to banking sites, for instance). Each of these sites then gets a password as a hash of a phrase known to me together with part of the site name. For example:
      echo -n "Shivelights and shadowtackle in long lashes lace lance and pair + slasHdoT"
      • now that's hot

        your average user isn't going to do sha256 hashes though

        but, skipping that step, it's still a workable framework

    • by rsborg (111459)

      i really don't know why this idea of remembering just one personal quirky algorithm isn't more widespread

      The problem with algorithms is stupid artificial restrictions on credentials by some sites. For example, I can only choose numbers for my "PIN" on my 401k. Or my password must be all lowercase for my public utilities site, or contain no special characters at my bank, or some other hare-brained restriction.

      Same with user names. Often your username must be your email address. Sometimes they don't allow the @ sign. Other times, it's not modifiable and random characters assigned to you (I have at least one broke

      • this is a good criticism. you are correct. different policies and standards complicates the algorithm and is discouraging

  • Not sure I buy the premise. I went to a nerd college with few woman. Back then, before they shadowed PW files, I came across a lot of passwords. The two most common variants I found contained the words 'soccer' or 'jennifer.' Once again, I went to a nerd college with few women.

    • by Dunbal (464142) *
      Judging by your spelling and grammar I would assume that either you are a Korean who studied engineering at MIT or something, or a piece of trailer trash that considers community college to be "nerd college".
    • by kcitren (72383)
      Few women at a nerd college. I'll bet you one of them was named Jennifer, and I'm sure she was very popular.
  • by Black Parrot (19622) on Thursday June 16, 2011 @04:46PM (#36467902)

    But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.

    The three most popular Slashdot passwords are 'troll', 'slacker', and 'clown'.

  • by daveywest (937112) on Thursday June 16, 2011 @04:50PM (#36467934)
    I work for an ISP that is represented in the list of emails and passwords. We determined all the addresses from domains we control are not, nor have they ever been used, on our system. I'm not saying they are all fakes, but all the addresses I'm able to verify are not legit.
  • Mine is all '*'s ...

    • Ironically, there is a password in the file that's "******", on line 795 if my text editor is working correctly. I appreciate you're joking, but it seems gengar@retrohappypeople.com beat you to it!
  • Seriously. Hashing. Does nobody practice this for user account databases?

    • by SETIGuy (33768) *

      Anyone writing code that stores passwords using plaintext or reversible hashes should probably take up a career in quilting.

      As should anyone writing code that can't handle every printable ASCII character in a password. Better yet, passwords should allow any string of bytes. Any programmer who limits passwords to alphanumeric is probably writing SQL injection vectors.
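
An added example, not code from any site or commenter in the thread: the storage side of the argument above. A per-user random salt with a slow hash (PBKDF2-HMAC-SHA256 here) accepts any byte string, quotes included, and keeps nothing reversible; beside it, the fixed-key "substitution cipher" idea from earlier in the thread, to show that identical ciphertexts still reveal which accounts share a password. The iteration count and the shift-by-seven key are constructed choices.

```python
import base64
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def store_password(password: bytes) -> str:
    """Any byte string is accepted, quotes and all. A fresh random salt per user means
    two people with the same password get different records, and nothing reversible is kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: bytes) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate, base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


# The "simple substitution cipher" alternative from the thread: one fixed key shared by
# every user. Constructed key: shift each printable ASCII character by seven places.
SUBST_KEY = {chr(c): chr(33 + (c - 33 + 7) % 94) for c in range(33, 127)}


def substitution_encrypt(password: str, key=SUBST_KEY) -> str:
    return "".join(key.get(ch, ch) for ch in password)


def shared_password_groups(column):
    """Group sizes visible in a stored column without knowing any key: identical
    ciphertexts are identical passwords, so the frequency table above can be rebuilt
    from the 'encrypted' column. Salted hashes give every entry a unique value instead."""
    return sorted(n for n in Counter(column).values() if n > 1)
```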

  • by Anonymous Coward

    I am really starting to doubt these stories. Generating usernames and passwords is something that can be done with even a quick script - it is not hard to generate real words using a known dictionary source.

  • We can't know for sure since they aren't divulging their source, but some of the services listed are too sophisticated (esp. Gmail, even if you don't believe in competency of those who run Hotmail) even to store passwords in cleartext anywhere.

    If I had to guess at how they obtained these passwords, they did it by actual hacking of the accounts (or somehow got a hold of the password hashes to run faster attacks on), and in that case, the accounts with weak passwords are the low-hanging fruits; of course the

    • They got the passwords by getting into an unknown website's database (obviously smart money is on writerspace.com). The email breakdown at the top of the article corresponds to the email that was associated with the accounts. None of the email services (hotmail or gmail) were actually compromised. Knowing Lulzsec's past work they probably got access via a simple SQL injection.
  • Any /. theories on ajcuivd289 ? I'm stumped, unless one dude has a lot of dupe accounts.
  • by WindBourne (631190) on Thursday June 16, 2011 @07:24PM (#36469408) Journal
    Ever sit and watch average ppl create new passwords at their desk? They do not look into the air to think about it. Instead, they look at what is around them. I do not watch somebody enter the passwords, but I have noticed the subject's head. I believe that they are looking at the books, artwork, etc. that is just around them.

    Want to break into their stuff? Simply take a look around the desk and see what is important to them. Simple as that.
    • This happens all the time in film, but I've never seen it happen in real life. I know a few people who use passwords that have some sort of personally important bit of information nested in it, but having known the passwords of various friends and family members throughout my life the creation methods have never been related to what's around their desks.

      • Oh, I am amazed at how many ppl have passwords of stuff on their desk. Personally, I have an algorithm and use that. It works great. Prior to GPUs, I would have given mine very little chance of being cracked. At this point, that is gone.
  • The original list posted by LulzSec is divided in two parts. The first half has an assortment of emails from many domains. The second half contains emails of Brazilians, most of them from hotmail and yahoo (many have .br at the end, or use Brazilian names and words). Probably they compromised some Windows Live server? Looks like many of them are MSN logins...
  • by reboot246 (623534) on Thursday June 16, 2011 @08:10PM (#36469790) Homepage
    The best system I've seen is the one Steve Gibson has on his website.

    https://www.grc.com/ppp.htm
  • by SETIGuy (33768) * on Thursday June 16, 2011 @08:52PM (#36470166) Homepage

    People use guessable passwords because they want to use passwords that they can remember. And people that use passwords they can remember do reuse passwords. Any password I can remember probably isn't very secure. Any password used at more than one site definitely isn't secure.

    It's past time that all browsers included a standard password generator with user definable salt set at first invocation, and master password prompting. Web standards should at a minimum specify support for all printable ASCII characters in passwords. If a bank isn't competent enough to hire a programmer that can write code to handle a quote in a password, you probably shouldn't be banking there.

    Until then there's still PasswordMaker, for which you have to salt each account separately if you do not want the default unsalted hash. And there's still the annoyance of "alphanumeric only with at least one uppercase and one number" web sites.
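
An added example serving both the "hash of a phrase plus part of the site name" post earlier in the thread and the master-password-plus-salt generator described above; it is not PasswordMaker's scheme nor any commenter's script. It uses PBKDF2-HMAC-SHA256 with the site name as the salt and maps the digest onto whatever character set a site allows, which is the restriction problem raised further up. The policy names and character sets are assumptions.

```python
import hashlib
import string

# Character sets a site might allow; the policy names are assumptions for this example.
POLICIES = {
    "any": string.ascii_letters + string.digits + "!#$%&*+-=?@^_",
    "lower": string.ascii_lowercase,  # "password must be all lowercase"
    "digits": string.digits,          # numeric-only "PIN"
}


def derive_site_password(master_phrase, site, length=18, policy="any", iterations=200_000):
    """PBKDF2 with the site name as salt: the same phrase + site always yields the same
    password, while a different site yields an unrelated one, so a dump from one site
    says nothing about the password used anywhere else."""
    alphabet = POLICIES[policy]
    if len(alphabet) ** length > 1 << 256:
        raise ValueError("requested password needs more than the 256 bits available")
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        master_phrase.encode("utf-8"),
        site.strip().lower().encode("utf-8"),  # normalise so "SlashDot.org" and "slashdot.org" agree
        iterations,
        dklen=32,
    )
    # Convert the whole 256-bit digest to base len(alphabet) instead of taking each byte
    # modulo len(alphabet); the per-byte approach skews towards the start of the alphabet.
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def meets_policy(password, policy):
    """Check a derived password against the site's allowed character set."""
    return all(ch in POLICIES[policy] for ch in password)
```

The trade-off raised earlier in the thread still applies: the phrase is a single point of failure, and a site that forces a password change needs a counter folded into the salt.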

  • If the names and passwords come from someone cracking them on a big scale I think it says more about the pass list it used than what people are actually using as passwords. For example, if I ran a tiny password list with just a few like letmein love dolphin 12345 password peace god sex etc. I'd no doubt crack a lot of accounts but the number of people using those exact passwords could be pretty small. Doesn't mean I couldn't assemble a huge amount of cracked accounts but the password data wouldn't reflect
  • that LulzSec are worms.
