MySpace Users Have Stronger Passwords Than Employees

Ant writes "A Wired News column reports on Bruce Schneier's analysis of data from a successful phishing attack on MySpace, and compares the captured user-passwords to an earlier data-set from a corporation. He concludes that MySpace users are better at coming up with good passwords than corporate drones." From the article: "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security? But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."

Okay...

[eln]

So MySpace users are smart enough to pick somewhat secure passwords, but still dumb enough to fall for basic phishing attacks.

It doesn't matter how strong their password is if they are still giving it to whoever asks for it.

Re:

[biocute]

Or maybe strong-passworded MySpace users feel they're more technically superior thus easily fallen to good phising technique, while their weak-passworded counterparts feel more needs to be careful.

Or maybe nothing really happened, it's just a fake analysis.

Re:Okay...

[Brewskibrew]

Hello, this is http://slashdot.org./ [slashdot.org.] We're undergoing a routine security check and your account has been flagged as it is being accessed by computers in other countries. Please click "reply" to this post and enter your userid, password, shoe size, and iq so that your account can be unlocked. Failure to do so indicates that you are a non-compliant individual and appropriate steps will be taken.

Re:Okay...

[Dabido]

You're going to have trouble typing my password, as it's 6.4 characters long. The first six characters are 'passwo' The .4 consists of 'r' and 'd' type in such a way as to only use 0.2 of each. :-)

Re:

[chroot_james]

I keep my password on a post-it. On the same post-it I have a reminder to make sure I see "http://www.myspace.com/..." when I log in.

Re:Okay...

[andreamer]

From a link in the article:

"The attacker had registered a MySpace account named login_home_index_html, meaning that the MySpace page hosting the fake login, looked like a legitimate place where users would sign on to the service."

So it was just a user page but it DID have myspace.com in the URL. The URL was:

http://www.myspace.com/login_home_index_html [myspace.com]

Re:

[chroot_james]

Well, my comment was a joke, but point taken...

Duh!

[EmbeddedJanitor]

Those corporate users that were dumb enough to fall for phishing had bad passwords. No suprises there. People prone to fishing are probably less securtity concious.

Are myspace users really more security consious? Or are the typical demographics those people who tend to use oddball non-English words and text phrases that end up being "good passwords". yourmom69

Re:Duh!

[daeg]

Just shows that MySpace users value their virtual presence more than corporate users value their jobs.

Re:Duh!

[drinkypoo]

Just shows that MySpace users value their virtual presence more than corporate users value their jobs.

Au contraire! It shows that MySpace users value their virtual presence more than corporate users value data security on the corporate network. Not the same thing. Most people don't get fired for choosing a shit password and getting the company hacked up.

Re:

[hackstraw]

Au contraire! It shows that MySpace users value their virtual presence more than corporate users value data security on the corporate network. Not the same thing. Most people don't get fired for choosing a shit password and getting the company hacked up.

Riddle me this Batman.

How is a password from sample A more secure than sample B when BOTH sample A and B's passwords were compromised?

Re:Duh!

[SeaFox]

How is a password from sample A more secure than sample B when BOTH sample A and B's passwords were compromised?

They were both compromised by social engineering. Which allows us to see the passwords people are choosing and find that corporate passwords are more venerable to brute force attacks.

Re:

[hackstraw]

They were both compromised by social engineering. Which allows us to see the passwords people are choosing and find that corporate passwords are more venerable to brute force attacks.

I was being a little facetious. I'm not one who believes in "strong" passwords simply because I don't believe that they are secure to begin with.

A standard lock on a door may not be as "strong" as a steel door with bolts going through it like a vault, but I do believe that most weak passwords are strong enough, like standard l

Re:

[silas_moeckel]

Might have something to do with the fact that myspace allows users to sign in via http. I see hundreds of myspace passwords going though corporate permimiters any way to many of them match there corporate logins when tested. Yes the fact that people sign into myspace from work is it's own separate issue. Just goes to show that you need more than just passwords, time synced pseudo random number generators for everyone :)

Re:Okay...

[Anonymous Coward]

Wow. We MySpace usrz hav BetA security. hu wouldve thunk it. It's not lIk Im doin NEthing dfrnt. Im not lIk tinkN security 24-7.

MOD PARENT INSIGHTFUL

[chaosite]

I had a modpoint left, but it expired. Seriously, l33t sp33k makes for excellent passwords... weird spelling, dropping vowels, and replacing letters with numbers, along with the either stuff j00 d0 wh3n j00 r ub3r1337 makes for passwords that can withstand a dictionary attack, are stronger against brute force because you have digits in random places (and not just at the end), and more...

Re:MOD PARENT INSIGHTFUL

[drinkypoo]

Not really. Most cracking software knows that a letter k might be k, K, |<, et cetera. It makes things take a little longer but most check for such substitutions by default now.

Re:MOD PARENT INSIGHTFUL

[RicktheBrick]

I never worry about passwords. I would not worry if someone else knew my password for slashdot. What would they do with it? The only thing they could do it make comments in my name. Even with my bank accounts the only thing they can do it to see how much money I have and transfer money between two of my accounts. If someone wanted to be super mean they could transfer all my checking account money into my savings account and thus cause any checks I write to bounce. They still would not get any personal gain from it. If passwords are such a problem let me suggest a hardware fix. Let there be two passwords. A local password that the user would remember and a password that would be sent out. There would be a table on either the hard drive or a usb flash memory card for the lookup of the secondary password. Since no one would have to memorize or even know the secondary password it could be a 100 randomly generated characters and could be changed every time the user access the account. If one uses the usb flash memory than one could take it with them for use on another computer and by removing it from the computer prevent any other user on that computer from accessing their account. If it is that big a problem than a fix like that would have been used a long time ago.

Re:Okay...

[h2g2bob]

Or maybe it's just the fact that Myspace requires new users to have a number in the password!

Re:

[risk one]

Actually, this says that the subset of Myspace users that are dumb enough to fall for a phishing attack, are still picking better passwords than a representative subset of the whole set of corporate employees. So the worst of the Myspace users are still better than the average corporate employee.

It doesn't really surprise me. The slashdot hive mind may not greatly respect Myspace users, but the fact that they are on the internet and trying new stuff like Myspace, makes them a lot more tech-friendly than the

Re:

[Darthmalt]

Keep in mind that a lot of corporate employees have to change their password every 60 - 90 day. Myspace users probably keep the same password forever. I have different sets of passwords, the one I use for sites like myspace slashdot fark etc never changes. It's fairly secure but since I haven't changed it in at least 6 years it's easy to remember. Whereas if I had to change it a lot it would probably be much simpler.

Re:Okay...

[ceoyoyo]

Maybe MySpace users just can't spell....

Re:

[Mr. Underbridge]

It doesn't matter how strong their password is if they are still giving it to whoever asks for it

Just think of all the fantastic passwords that might belong to the people who *didn't* fall for the phish! Alas, we'll never know.

The Lesson?

[lunartik]

This may not mean that "passwords are getting better." It may just prove once again that people care more about their personal things than other people's stuff.

Re:The Lesson?

[Cat_Byte]

I tend to think people come up with a really good password, then they have to come up with 12 others in a row after each expires and disallows reusing an old one.

Re:The Lesson?

[lpcustom]

Yeah I agree. The time limits on passwords cause most people to just come up with something easier to remember. Why should I have to change my password every 30 days if it's something like Mxo2s0LLn234aAZSQ If I can't even get it right I'm sure no one else is going to guess it. There shouldn't be a need to change it.

Re:

[Hijacked Public]

A company I used to work for rolled out a scheme on their mostly Windows network where everyone's password expired every 30 days. The time period was based on the idea that in the time required to crack a sniffed password (think l0phtcrack) the user may have changed it, or at least reduced the window of opportunity for it to be used. It wasn't really an attempt to prevent social engineering, or guessing.

Of course l0phtcrack would sniff and crack weak passwords in a matter of minutes, so I'm not sure how 30

Re:

[speculatrix]

at current job, password rotation on windows login domains is 21 days, so pretty much EVERYONE uses a good 8 char pass followed by a two digit serial number :-/

it's much better to educate people... since I work at a bank, I tell people when they choose their VPN password that we will hold them liable for all costs incurred if someone got hold of their password and stole money - at that point they stop and think very hard about their password!

Re:

[ceoyoyo]

At that point I'd refuse VPN access.

I assume you've got some sort of VPN token to go with the password and you're just trying to scare them straight?

Maybe, but...

[schwaang]

From the InfoWorld article: [infoworld.com]

One last note: The password list contained several e-mail/log-on account names from popular OS and software vendors. Although we can't be assured that the passwords used on the exploited site were the same as the employee's company password, I'm sure some are matches.

Remember this and learn from it: An exploited Web site that's completely unrelated to your company could still put your company at risk. Remind all employees not to use their company passwords on noncompany Web sites,

Re:

[Vlad_the_Inhaler]

Dead on.
The passwords I use at work are pretty pathetic.

The first reason is that I have to be able to remember them which is difficult when they have to change every 6 weeks, the second reason is that only people within the company have access to the network anyway.

In order to get in from outside, I need another (strong, permanent, set by me) password and a 6-digit Tamagotchi code which changes every 60 seconds. If I did not have to change my work password so frequently, it would be a lot stronger.

Re:

[prodangle]

This may not mean that "passwords are getting better." It may just prove once again that people care more about their personal things than other people's stuff.

Myspace users are likely to be younger, and although stereotypically they are not renowned for their spelling ability, they will be more technology aware than the average corporate user. Myspace users are comfortable with the internet and use it for leisure, whereas at work those who otherwise wouldn't mix well with technology are forced to cope

Re:

[Curien]

Funny. Folks in my branch of the US Federal government all log in with a smart card and 7-digit PIN.

Re:

[JourneymanMereel]

Funny, my AKO account (which is provided by the US Army, a branch of the US Government) has the most ridiculous password policy I've ever seen. It has to be 10 characters long, expires every 150 days, and must contain at least two lower case letters, uppercase letters, numbers, AND symbols. I guess they don't realize that be mandating what 8 of the 10 characters have to be they've actually reduced the number of possible combinations.

Oh, and it gets better. In order to change this password, you have to log i

Password1?

[spun]

That's the kind of password an idiot would have on his electronic luggage!

Re:

[Rob the Bold]

That's the kind of password an idiot would have on his electronic luggage!

Only because someone made him use at least one numeral.

Re:

[0kComputer]

/obligitory That's the same combination I have on my luggage!

The three most commonly used passwords are...

[Pojut]

"Love, Sexxxx, and...GOD. So, would her royal highness care to change her password?"

Re:

[Jesterboy]

Mod parent up for on topic Hackers quote. ^_^

Security through obscurity?

[GoodbyeBlueSky1]

...found that the average password was 6.4 characters long.

What kind of newfangled keyboard do you need to type one of those in?!

Re:Security through obscurity?

[kaizenfury7]

You need to use an average keyboard because an average keyboard has 101.4 keys.

nobody can guess mine

[zakeria]

I use this password ;#E4][££2&9a for everything.. Oops?

Re:nobody can guess mine

[kaizenfury7]

Don't worry... all we saw was:

I use this password ************ for everything.. Oops?

Slashcode is pretty advanced like that... it has filters that automatically hide your personal information in case you accidentally post it. Try posting your ATM PIN or social security code and see how advanced those filters are.

Re:nobody can guess mine

[Tired_Blood]

Don't worry... all we saw was:

I use this password ************ for everything.. Oops?

Slashcode is pretty advanced like that... it has filters that automatically hide your personal information in case you accidentally post it. Try posting your ATM PIN or social security code and see how advanced those filters are.

"you can go hunter2 my hunter2-ing hunter2"

*Cough* [bash.org]

Re:

[MindStalker]

he probably used html codes.
You can also hold alt while you type numbers on your keypad. like alt(128) = Ç

Note: most password forms won't allow anything non alphanumeric even slashdot didn't allow alt(127)

Re:

[Vlad_the_Inhaler]

British keyboard.
I suppose it keeps US and Russian script kiddies out. Maybe I should use something like HääkürDöödß (oops, one of those characters gets eaten by /. does that mean it is secure?).

Re:

[Fordiman]

[Alt]+0163 == &pound;
[Alt]+1 == &#9786;
[Alt]+2 == &#9787;

Re:

[Fordiman]

Trying again...
[Alt]+0162 ==
[Alt]+0163 == £
[Alt]+0165 == ¥
[Alt]+0128 ==

Hm. Looks like the smileys don't stay. Oh well.

i'm not suprised

[JeanBaptiste]

a 14 year old cares far more about their social life than most adults care about their jobs.

Re:

[Buelldozer]

You've been modded 'funny' but you should really be 'insightful' because your comment is TRUE.

More to lose

[CastrTroy]

It's because the MySpace users have more to lose. They don't want someone defacing their website. Employees on the other hand probably don't care if someone logs into their computer.

Re:

[ElephanTS]

yes exactly. And what's worse than forgetting your complicated password at work and looking like a complete knob and having to get the IT guy and then your boss finds out you're useless. Best of sticking with your dog's name. Or your name.

On the right track but...

[Cthefuture]

I feel it has more to do with a (possibly false) feeling on security when you're behind corporate doors. You're on the corporate network which probably has a firewall, virus protection, official administrators, security experts and similar. However misplaced, I think workers are generally more likely to trust other employees rather the whole Internet.

Being on the corporate net they assume they don't need to protect themselves from the Internet attacks. Which is generally true, typically their computers a

Wrong Assumptions

[brunes69]

You're assuming that

      a) If someone hacked into your company via your PC, you would be held accountable
      b) MySpace users have jobs, or are even old enough to do so

Both of those assumptions are incorrect 99% of the time.

Re:

[Vexorian]

It could be the opposite as well. If they forget their mySpace passwords they can use email validation to get it back, what exactly happens to you if you forget your job's?

Which do you care more about?

[liak12345]

This shouldn't be groundbreaking news. Myspace accounts deal with personal part of people's lives and they don't want it interfered with. Which individuals have a vested interested in corporate security?

Stronger Passwords

[Joe The Dragon]

It easy to have Strong Passwords when you don't need to change them all the time and can't reuse parts of the old password in the new password.

Password Rotation Insanity

[The Monster]

I have never understood how making people change their passwords so often that they have to write them down like the school secretary in War Games, or use weak passwords that are easy to remember.

I understand the theory that it makes it tough on the crackers, of course, but that theory presumes that all other things are equal. I don't believe they are.

Re:

[ronanbear]

It's because people reuse the name passwords for different accounts. If one account gets compromised that password can be used on other accounts. Force people to change and they might have to use more than one password for everything.

Passwords Expire

[Mr_Blank]

    The corporate drones have to deal with passwords that expire every 30/60/90 days, and once expired those passwords can never be reused. So creating a hard password and then remembering it is not so trivial. The myspace users can come up with one hard password and keep it forever.

Re:Passwords Expire

[Otter]

That's one of the two points I was going to make; the other being that a comparison to corporate passwords from 1989 is only slightly more informative than one to passwords from 1889.

Re:

[Billosaur]

The myspace users can come up with one hard password and keep it forever.

And better yet, share it with their friends...

Pr0gr355

[Doc Ruby]

People have now demonstrated that we are more willing to change our language and ideas of "spelling", rather than remember obscure passwords. That's what "7337 5p34X" is all about. It's a way of permuting spelling into the larger, ambiguous character set to represent personal phonetics. It makes dictionary attacks much harder. If 2 7337 words are used, the password is probably nearly as tedious to crack as a truly random one.

Re:

[Doc Ruby]

Haha, you can't crack my code.

Awesome statistic

[billdar]

The best quote is from the article linked within the article:

"I was surprised about how many Christian-sounding -- for example, "Ilovejesus" -- log-on names were associated with the worst cuss words."

Draw your own conclusions, but I think there might be something to this.

(and yes I did RTFA+LFA, do I lose my subscription?)

Re:

[value_added]

Draw your own conclusions, but I think there might be something to this.

Christian girls (Protestant born-again evangelicals) are more keen to do it. Mormon girls even more so.

Discuss.

Re:

[jb.hl.com]

You're hardly likely to guess that someone called "Ilovejesus" has swearing in their password, are you?

Re:

[i.r.id10t]

Had the same problems with some php programming I did for a local church... needless to say, I didn't offer to host them on my server...

password1???

[Rob T Firefly]

Amazing! That's the same password I have on my luggage!

fear and netspeak

[Kenshin]

I figure there's two main reasons for this:

1) They're terrified of their peers breaking in and sabotaging their profiles. (I once got assaulted by a drunk girl I knew who thought I hacked her LiveJournal... which I didn't.)

2) They can't spell worth shit, due to netspeak, so typical dictionary approaches aren't going to work.

Also, you have to take into account the basic fact that younger people have grown up around computers, and understand the concept of passwords a bit better than your average middle-aged office worker.

Re:

[danpsmith]

2) They can't spell worth shit, due to netspeak, so typical dictionary approaches aren't going to work.

Why do people keep making this point, as if a cracker's dictionary doesn't include slang and l33tspeak? They make the dictionaries themselves...

Re:

[DocSavage64109]

1. There are many varieties of leet speek. 2. Because of this, the number of words and length of time in your dictionary attack increase exponentially.

Re:

[ceoyoyo]

That assumes you can spell in leet speak better than you can spell in English.

Your average hacker is far more coherent (though still not very) when typing than your average thirteen year old girl.

This is all wrong...

[__aaclcg7560]

MySpace passwords would fail more often if a l33t dictionary was used instead. Do kids even know words from a plain old dictionary?

Dictionary words?

[chrisb33]

I'm impressed that less than 4 percent were dictionary words

Considering only 10 percent of the words on myspace are dictionary words to begin with, this isn't very surprising.

Maybe the users just used their usernames as passwords - that would probably be the best way to generate a random sequence of characters.

Don't be impressed.

[Anonymous Coward]

I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.

I'm not. MySpace users have good passwords because MySpace requires them to, not because they're savvy. "Your password must contain at least one number and one punctuation mark," etc.

Of course they do

[vitaflo]

Have you seen MySpace posts? I bet half their passwords are "OMGH0ttieL0lz".

Easy way of generating password from passphrase.

[Chyeburashka]

$ cat passphrase
Slashdot It is what IT is.
$ openssl dgst -sha1 <passphrase
78538e69c508e665ccdbc37c841af2453bb69 035

Just pick how many digits/letters you want from either the beginning or the end, and pick a passphrase which you can correctly and exactly remember.

Re:Easy way of generating password from passphrase

[JourneymanMereel]

Neat idea.... but is it really any more secure than:

$ echo "Slashdot It is what IT is." | md5sum
ba88480f773dd6371b99ab0e464b7263 -

Which is also an easier command line to remember?

It's obvious!

[AntEater]

Of course dictionary attacks won't work - have you seen the spelling on MySpace?!? It's not that they are trying to be more secure, it's that the users can't spell well enough to get a dictionary match.

Getoffamylawn!

It makes sense

[Cro Magnon]

Think about the password suggestions. Longer than 7 character, mixed case, numbers and special characters. Then think about the average MySpacer.

"OMFGLoL1337kiss@$$!!"

.gz?

[mattpointblank]

Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample

I love when the editors just copy and paste without even reading what they're posting. Which part of that sentence was a .gz file, Zonk?

Statistics from phishing attacks are wrong!

[tradeoph]

You can't compare the passwords from two different phishing attacks. You only get the passwords from people who fall for the scam. If one scam is easier to detect than the other one, then one sample will contain passwords from dumber people than the other sample.

The quality of passwords has nothing to do with the type of people that where scammed, but with the difficulty of detecting the spam.

How many do they have?

[gelfling]

My corporate environment is close to implosion from the unending requirements for yet more passwords. You need a password to power up your machine, a password to start Windows, a password for Lotus Notes, a VPN dialer password, an intranet password for web apps, timecard apps, expenses, etc, an IM password (generally the intranet password), a password for HR apps, a password for benefits information. And we check for all of them and they expire but not at the same time and various password delivery subsyste

sometimes corporate users can't choose passwords

[artifex2004]

A lot of companies have systems that don't allow users to change passwords. They're assigned by someone else.
Often, the person assigning them ends up using some easily deciphered pattern out of boredom (or lack of training), like lastname123, or even uses the same password for every person (gobears!).
It's trivial in these cases for inside attacks to occur, at least. And if an external attacker finds a couple of passwords to a system, he can often guess the pattern, also.

I kinda question the validity of this experiment..

[rainman_bc]

This isn't a really great random sampling; it's skewed slightly by the fact that it's about myspace users dumb enough to fall for a phishing attack only.

Cool article though!

MySpace requires strong passwords

[D H NG]

The only reason MySpace users have stronger passwords is because they're required to. Try signing up to MySpace with a weak password (i.e. without numeric characters) and see what I mean. I signed up for MySpace for a throwaway account with an easy-to-remember password, but couldn't.

learning at age 6

[bcrowell]

Computer security is something that kids are learning at younger ages these days. Case in point: My 6-year-old daughter plays a flash game called clubpenguin.com, which is basically a MUD where you're a penguin and you go around playing video games, socializing with other penguins, taking care of your pet, etc. Yesterday at school, her friend asked her for her login info, and she gave it to her. Yesterday evening, my daughter finished her homework, tried to log on, and got a message saying she'd been banned for 24 hours for cussing, and the time when her penguin was cussing was a time when she hadn't been on the computer. No big deal, but at age 6, she's now had a concrete experience that shows her how it's not a good idea to give your password to someone else, even someone you think you can trust.

MakeMeAPassword.com --- plug

[mgkimsal2]

Yes, it's a blatant plug, but if you're trying to show users a way to come up with a complex, yet memorable password, http://www.makemeapassword.com/ [makemeapassword.com] can walk them through a short algorithm. The passwords are reasonably complex, but follow a few rules that hopefully people can remember. "Ycagwyw,1983,%" is a bit more hard to brute force attack than "password2". :)

Some differences

[bgspence]

The MySpace user's password protects their own information.

The corporate user's password protects some corporation's information.

And, most passwords protect nothing worth protecting, such as my access to the NY Times.

It's because

[G00F]

It's because

1. They don't need 6 different passwords and logins
2. and they don't have to change it every 45 days.

As we all know...

[BitwizeGHC]

"...the four most commonly used passwords are 'Love', 'Sex', 'Secret', and... 'God'. So would Her Holiness mind changing her password?"

Re:

[TranscendentalAnarch]

It depends on length and the character set. Many cracking programs, brute force cracks, will iterate through all possible combinations of a character set up to a certain length. This lets the program find simpler passwords faster.

With just alphabetic characters and a 6 character length you have about 26^6 or about 308 million possibilities

With alphanumeric characters and a 6 character length you have about 36^6 or about 2.1 billion possibilities

Extending to common non-alphanumeric characters (us

Re:

[danpsmith]

"adklfjsldfjsdf" is 15 in length and alpha characters only (26^15) "adklf123dfjsdf" is 15 in length and alphanumeric (36^15)

You *kind of* have a point. However, if you consider the possibility that the hacker doesn't *know* that the password is easier to attack because he/she is using a brute force attacker and doesn't know that the password is all alphabetic or alphanumeric. The only thing the hacker knows if doing a blind cracking of the password is the password field's limits. If the password field

Re:

[Carewolf]

If you use both upper and lower case, you have 52 characters, and adding number still only adds 10 more.

So it is significantly more important to use mixed case than to use alphanumerical passwords.

Re:

[Ferzerp]

where i come from, we have this thing called capital letters.

we use them in passwords, but no where else.

Re:

[multipartmixed]

What do you think?

Okay, I'll make it easy.

Two possibilities: one password is chosen from all the letters of the alphabet, and is one character long. Another password is chosen from just the letters a, b, and c.. but is TWO letters long (twice as long).

Which is easier to guess?

Answer: The two character password has 3^2 = 9 possibilities: aa, ab, ac, ba, bb, bc, ca, cb, cc.
The one character password has 26 possibilities.

Now you should know whether or not password length or alphabet size dominate brute-force p

Re:

[Vlad_the_Inhaler]

Am trying it:

-> Phishing -

What does that look like?

HEY!!!!!

Re:

[danpsmith]

What I find is a cool way to do passwords is to use first letters and/or numbers of a phrase. Something that means something to you but is unlikely to mean anything to anyone else. Example: December 25th is the birth date of Christ supposedly.

D25itBDoCS

Try that one on for size.

Re:

[Technician]

There are no .4 length characters!

Which is exactly why my password is so hard to guess. ;-)