Analysis of 32 Million Breached Passwords
An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
Password strength vs. how often you change it (Score:5, Insightful)
My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.
Re:Password strength vs. how often you change it (Score:5, Informative)
So even allowing for upper case (which I am not sure that it differentiates), the total password space is only 2704000000.
The size of this space can conveniently fit into a 32-bit value, which is probably what they are doing: storing passwords in an integer field.
Did I mention that they pay our IT department $11/hour?
Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...
Re: (Score:2)
Did I mention that they pay our IT department $11/hour?
Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...
Shit, I thought I had it bad with pay.
We moved to a required 8 digits and 3 of the 4: Upper case, lower case, symbol, number. Resets every 30 days. What has happened with me? My strong 20 digit password has been trimmed down to the bare minimum because I will have to change it in 30 days anyway. Completely defeats the purpose.
Re:Password strength vs. how often you change it (Score:5, Funny)
..., followed by "1111" then "2222" then "3333" and so forth...
Don't you mean so 4444th?
Re: (Score:3, Insightful)
..it must be EXACTLY 2 letters, followed by EXACTLY 4 digits.
That's retarded.
I've thought about this sort of thing before, where password policies also have the effect of narrowing the number of possible passwords. For example, it's pretty standard for a company to have a policy like, "Your password must be at least 10 characters, contain at least one capital letter and one lower case letter, contain at least 1 number and one non-alpha-numeric character." And yes, it's true that keeping these policies has the effect of increasing the number of combinations, but i
Re:Password strength vs. how often you change it (Score:5, Informative)
It may narrow the nominal keyspace, but it almost certainly increases the average keyspace that needs to be searched. Without the complexity requirements most people will use a dictionary word or something like that. And the company wants to keep all the accounts secure, so it has to care about the average password.
And think of it this way: in a keyspace that requires 10 numeric digits, what percentage of the total keyspace is consumed by anything containing less than 10 digits? Seems to me you have only given up 10% of the space, and an even smaller percentage if you consider the full printable range of characters instead of just numerics.
Re: (Score:3, Interesting)
Given the above policy, a smart hacker would bruteforce the following template:
(1 capital letter)(7 lower case letters)(1 number)(1 special character). With a dictionary attack for the first 8 characters.
Password1!
Too often is bad too. (Score:5, Insightful)
I dealt with a bank once that expected its customers to change their passwords every 2 weeks. So obviously what happened is every time a customer needed to check their bank account, probably once a month, they were locked out. Now this isn't necessarily the problem here. The problem is that with people having to call in every time to reset their password, it becomes such a norm that it probably drastically increases the potential for social engineering.
Re:Password strength vs. how often you change it (Score:5, Insightful)
It's a leftover idea from a bygone decade.
The primary advantage of a required monthly or bi-monthly change is that if a password is compromised, it's only useful for about 1/2 of the expiration period. So it's a way of reducing risk in the case of accidental or nefarious disclosure.
But the big downside is that it requires users to be constantly learning new passwords every month or so. And unless these passwords are automatically assigned, users WILL pick weaker and weaker passwords over time or passwords that fit into an easily remembered sequence. So you really end up back where you started.
Forced password renewal is a valid strategy in a small number of cases. Such as a system which protects billions of dollars in assets or is super super critical to the business. But in those cases, there should be 2-factor authentication in play anyway and the passwords probably only need to be changed every 3-6 months and should be randomly assigned.
For end users? Limit their permissions, force complex passwords, but don't require them to change frequently (*maybe* once every 2 years). Tell them to go ahead and write the passwords down and store them in their wallet next to their credit cards. Which is at least a huge step up from putting it under the keyboard or stuck to the monitor.
Longer passwords are also easier to remember if they are used frequently (at least daily). But for some users, it may take as long as 2-3 weeks for them to remember it without looking.
Re: (Score:2)
unless these passwords are automatically assigned
In which case it is guaranteed to be written down somewhere on a piece of paper. Talking about "improved security".....
Re:Password strength vs. how often you change it (Score:5, Funny)
Hey, I used to use a password that could be found on my coworker's monitor, in plain view. I had the idea when they required me to come up with a secure, 10-digit-or-more password containing alphanumeric characters and his monitor's serial number fit the bill.
Re: (Score:2)
That’s why I chose “visual pattern” passwords. I draw symbols on the keyboard, e.g. while holding Mod3 (NEO layout [neo-layout.org]; hover the mouse above “Ebene 3”). Like an N, which results in “#\.../|{[” or “#u...1_a~e]4” (where ... is one character […] that Slashdot does not accept).
(This is an example. The real type of pattern I use is something different. ;)
Re: (Score:2)
I need to change my company password every month, but the password strength for my company account remains strong.
My password strength for a website forum where I never need to change it however, is usually weak.
The password strength I use is highly correlated with the sensitivity of the information it allows access to and the importance of the systems.
I would fall into the 96% of people who don't use non-alphanumerics for "Rockyou.com"
Re:Password strength vs. how often you change it (Score:5, Funny)
For places that require password changes I'd suggest to take a very long base password with a month appended and hash it, then convert the hex hash into printable characters. Maybe something like this:
echo -n "LongUnchangingBasePasswordSiteNameJan2009" | sha512sum | xxd -r -p | tr -cd '[:print:]'
This has the advantage of being highly secure and easily memorable, but someone shoulder surfing your password wouldn't be able to figure out what your password is next month. People more familiar with windows could suggest a command available on that system. Be careful to do this on a computer where the command will not be stored in a command history.
I'm planning to go all lower case with my passwords though. I'll have to make my passwords 50% longer, but I think they'll be easier to type and almost as easy to remember as totally random ones. In fact my error rate with the totally random ones is an issue with shoulder surfing because I make mistakes and have to retype it so often, giving shoulder surfers repeated sightings, and because the numbers and symbols and shifts slow me down.
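The derivation scheme in the comment above, reworked as an added example (this is not the commenter's code). It keeps the idea of hashing a long unchanging secret together with a site name and a month, but feeds the secret in as an HMAC key and base64-encodes the digest instead of keeping only the printable bytes, so every derived password has the same length. The second function reproduces the printable-byte filter of the shell pipeline so the length problem is visible; the site names, months and master secret used here are constructed inputs.

```python
import base64
import hashlib
import hmac

# Added example, not code from the original thread. The master secret, site
# label and period label are constructed inputs for demonstration.


def derive_site_password(master: str, site: str, period: str, length: int = 20) -> str:
    """Deterministically derive a printable password for (site, period).

    HMAC-SHA512 keyed with the master secret; base64 of the 64-byte digest is
    88 printable characters, of which a fixed-length prefix is returned.
    """
    message = f"{site}|{period}".encode()
    digest = hmac.new(master.encode(), message, hashlib.sha512).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def naive_printable_filter(master: str, site: str, period: str) -> str:
    """The sha512sum | xxd -r -p | tr -cd '[:print:]' pipeline, in Python.

    Only digest bytes that happen to land in 0x20..0x7E survive, so the
    result has a different length every month and discards most of the hash.
    """
    digest = hashlib.sha512(f"{master}{site}{period}".encode()).digest()
    return "".join(chr(b) for b in digest if 0x20 <= b <= 0x7E)


def monthly_lengths(master: str, site: str, year: int = 2009) -> list:
    """Output lengths of the naive filter across one year of monthly rotation."""
    months = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
              "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
    return [len(naive_printable_filter(master, site, f"{m}{year}")) for m in months]


if __name__ == "__main__":
    master = "LongUnchangingBasePassword"  # constructed placeholder, not a real secret
    print(derive_site_password(master, "example.com", "Jan2009"))
    print(monthly_lengths(master, "example.com"))
```

The HMAC form also means an attacker who learns one month's derived password cannot confirm a guessed master secret by simply re-running a public hash over the concatenated string; the secret is a key, not part of the message. The shoulder-surfing point from the comment is unchanged: each period yields an unrelated string.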
Re: (Score:3, Funny)
Luxury! At my job, every morning we have to beat a confession out of a captive Yorkshireman, and hash that with each employee's ID number.
Comment removed (Score:5, Insightful)
Re: (Score:2)
I'm planning to go all lower case with my passwords though. I'll have to make my passwords 50% longer, but I think they'll be easier to type and almost as easy to remember as totally random ones. In fact my error rate with the totally random ones is an issue with shoulder surfing because I make mistakes and have to retype it so often, giving shoulder surfers repeated sightings, and because the numbers and symbols and shifts slow me down.
Going all lower case would not be a wise move... more and more stupid password systems are requiring mixed case alpha letters plus at least one digit. The most silly part of this is that I had to do this to download an update for a piece of commercial software. A piece of software that requires lmserv!
Re: (Score:3, Interesting)
I wish someone (ISO? NIST? DOHS?) would establish an honest-to-god STANDARD for what makes a strong password. For instance, >=8 characters, at least one each of upper, lower, numeric, other.
Why? Because I use a fantastic Firefox addon called Password Hasher (and there are other good ones for the same purpose), which uses a hashing algorithm to combine the site's domain name with my own personal master password to create a different, secure password for every account, while only forcing me to remember
Re: (Score:3, Informative)
That's impossible. A password's strength is related to its Kolmogorov complexity [wikipedia.org], and Kolmogorov complexity is incomputable.
Re:Password strength vs. how often you change it (Score:5, Interesting)
You must have missed the bulletin which explains that security consists of becoming a less inviting target than the guy beside you. If the sheep tend to use all lower-case passwords (baaaaaa), then you're best off wearing a different cloak.
I thought script kiddies were all playing on the streets of the Facebook favela these days, and that unemployed Russian PhDs were out there flexing their combinatorics.
From that training set, it would be pretty easy to code up a Markov letter bigram or trigram model and enumerate from least entropy on up (a near approximation to this is plenty good enough). My guess is that nine letter all-lowercase passwords would be on roughly the same tier as six letter passwords with multiple punctuation marks.
This study was a bit stupid in reporting password strength. A nine letter password from two symbol sets will be close in strength to an eight letter password from three symbol sets, as long as the nine letter password doesn't build upon trivial substrings.
I think this is why the recommendation demands three symbol sets: it gives users less scope to squander entropy that a longer, ordinary character password ought to have.
One time, as a joke, a very long time ago, a devious coworker put a keystroke logger on a paranoid coworker and the password revealed was 6uldv8. Apparently there's more than one reason to keep your passwords secret.
I generate all my own passwords starting from suggestions offered by OpenBSD's apg utility. For crap sites, I try to achieve an estimated entropy in the vicinity of 30 bits and scale up to about 60 bits at the paranoid end: 5*6 (a brief burst of line noise), 6*5, 7*4, 8*4, 9*3, 10*3 (baby talk).
For longer passwords, you can pair two words from a large dictionary (about 13 bits entropy each) and then add another four bits with a single symbol corruption. Routinely sticking an ! in between two obscure dictionary words is not a good idea if you're concerned about cross entropy, where the attacker already knows some of your passwords by other means. I avoid consistent corruption templates, because I don't want to lower the cross-entropy on a set of partially exposed passwords too severely.
For most purposes, even 20 bits of entropy is a good start, if the attack involves knocking on the front door. Not so good if the hashed password file is compromised behind the scenes. Even 30 bits is pathetic in the latter case, but this is reasonably well mitigated by never sharing a password across multiple sites.
At 40 bits, the attacker begins to ask whether there's any money involved. A high-end video card, properly coded, would sneeze at 40 bits. However, properly coded still isn't free,
By the time you get to 50 bits, it's time to start asking whether you've seriously pissed off the wrong person. Quite doable, with a modicum of enmity, but not worth the bother if the game is shooting fish in a barrel at least expense. Armour piercing rounds are deployed sparingly.
I wouldn't be the least bit surprised that the NSA has accumulated a dictionary of the trillion most common passwords, sorted by descending order of frequency, covering all languages and source lexicons of the world (pets, pet names, Klingon, Thalassian, Qenya) permuted into all manner of imposed password template schema. I'd be shocked if they hadn't. For that matter, Google could build a good approximation to that dictionary just using their lexigram index, on roughly the terascale.
Shedding about 10 bits of protection per decade, we'll soon need to return to Beowulf era culture where reciting your ancestors back to the garden of Eden was the gold standard for accurate recall.
I wish every login box on every site had a
Re: (Score:3, Interesting)
I hate it when systems specifically require odd crap though...requiring a mixed password (must have 2 of the 3 following features or something) is good but saying that my 8-character password must include at least two numbers is actually decreasing the keyspace fairly significantly since you can limit several parts of the password to 0,1,2,3,4,5,6,7,8,9 as opposed to every single letter/number/punctuation.
My personal favorite dumbass password requirement was an internal company one that checked your password for dictionary words and ruled any dictionary word in a password invalid. I thought that was stupid, and then I found out by accident that the dictionary contained "it". And then I realized it contained every two letter word I could think of. So "4!h8B^%iT2" was a weak password because iT is a dictionary word (?!?) and thus the password will be ZOMG dictionary hacked.
We also had like, six different int
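Two posts in this thread argue about how much keyspace a composition rule really removes: one says "at least one of each class" costs little, the other that "at least two digits in eight characters" costs a lot. This added example (not from either commenter) counts both exactly by inclusion-exclusion over printable ASCII, and reports the fraction of the full keyspace the policy leaves and the equivalent bits lost. The class sizes are the standard printable-ASCII split; the lengths and rules are the ones from the posts.

```python
from itertools import combinations
from math import comb, log2

# Added example, not from the original thread. Printable-ASCII classes:
# 26 lower + 26 upper + 10 digits + 33 symbols = 95.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_requiring_each(length, required, classes=CLASSES):
    """Strings of `length` over all classes that contain at least one
    character from every class in `required` (inclusion-exclusion over the
    sets of classes that are missing)."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def count_requiring_at_least(length, cls, minimum, classes=CLASSES):
    """Strings containing at least `minimum` characters of class `cls`:
    everything minus the strings with fewer than `minimum` of them."""
    alphabet = sum(classes.values())
    size = classes[cls]
    fewer = sum(comb(length, j) * size ** j * (alphabet - size) ** (length - j)
                for j in range(minimum))
    return alphabet ** length - fewer


def policy_report(length, allowed, classes=CLASSES):
    """Fraction of the unrestricted keyspace a policy keeps, and bits lost."""
    full = sum(classes.values()) ** length
    return {"fraction_kept": allowed / full, "bits_lost": log2(full / allowed)}


if __name__ == "__main__":
    # "at least one of each of four classes" in ten characters
    each = count_requiring_each(10, ["lower", "upper", "digit", "symbol"])
    print("one of each, length 10:", policy_report(10, each))
    # "at least two digits" in eight characters
    two_digits = count_requiring_at_least(8, "digit", 2)
    print("two digits, length 8:  ", policy_report(8, two_digits))
```

For these inputs the one-of-each rule keeps roughly 60% of the ten-character keyspace (under one bit lost), while demanding two digits in eight characters keeps about 20% (over two bits lost). Both are small next to the difference between a uniformly random password and a dictionary word, which is the point the first post makes about the average password rather than the nominal keyspace.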
Design your own coding system (Score:4, Insightful)
so that you don't need to be sitting in from of your own Linux command line to remember your passwords. I use a base of two nonsense pairs (things like AkB and jzQ) and then use positions 4 and 5 in the password as a code for the type of site and "rank" in terms of frequency of use, for example (these aren't mine but you get the idea):
! (shift-1) = social networking
@ (shift-2) = banking
# (shift-3) = utilities / bill payments
1 = site in this category I use most
2 = second most used site
3 = third most used site
and so on. So the base for something like Facebook using a system like this might be A@B!1jzQ, for Twitter maybe AkB!2jzQ, and for my primary bank account AkB@1jzQ (invariant components AkB and jzQ, with @ [for banking] and 1 [for most used] sandwiched in between them).
Then, I postfix the password with the number of the instance of the password.
A = first use
B = first mandated change
C = second mandated change
D = third mandated change
and so on. So after the third change, my primary banking password at a bank might be:
AkB@1jzQD
After they ask me to change it again, it will increment to:
AkB@1jzQE
and so on.
This way, there is always a base of predictability to my passwords (usually enough to get it within three tries) and the variable information is context-based in a way that is only meaningful to me and no two sites will ever share the same password.
The only place this falls down is when sites mandate their own password structure (max or min length, etc.) but it usually works (includes uppercase, lowercase, symbols, and numbers, which is enough to make most of them happy) and the few sites that don't allow such passwords are far enough between to stand out in my memory, meaning that I don't forget the specially-formed exceptions that I created for those sites.
A system like this won't work for everyone, but for most people with a reasonable IQ, it's good enough, once you can get them to buy into the need for password security and for them to design their own system.
Re: (Score:3, Insightful)
Funny.
People familiar with Windows won't be recommending a command available on Windows. Your example is several commands. Which one?
Seriously, strong passwords require some creativity and of course some investment by the user. If you've administered a fairly large (or even small) corporate network for any length of time, you know users generally are not overly concerned about security until they are personally inconvenienced. Then they blame everyone else.
This is a corporate issue, as important as fina
Re: (Score:2)
They would be better off allowing us to keep one $EcúR3 password for the duration of employment really.
Not really, no. If someone gets hold of your password, that person is able to access your systems potentially without you detecting it until you change your password.
The quality of the password doesn't matter, and that's why even digital signatures have a given life span. It's more a matter of damage control than anything else. The side-effect that this tends to lower the overall password quality points more to the user employing a poor password construction strategy.
Of course, if the attacker changes your
Re:Password strength vs. Validation Rules (Score:5, Insightful)
It is not just the mandatory password changes that increase the mess. It is also that each and every site has different validation rules. If I could use one-and-only strong password for many sites, then I could remember that. However, some sites _require_ special characters, while others _forbid_ them, etc, etc. So each time you end up inventing something on the spot, and then two months down the road you've forgotten it.
I guess that I've 50 passwords to remember, so if I can't do that with just a few (I don't use the same password for my online banking as for my slashdot login :-) then it quickly becomes Post-it time again. Or worse, that little file on the PC desktop with a list of userid/passwd combos.
Re:Password strength vs. Validation Rules (Score:4, Informative)
Or worse, that little file on the PC desktop with a list of userid/passwd combo's.
Just use a password store utility instead of a text file. They encrypt a file that stores the passwords.
Re:Password strength vs. Validation Rules (Score:4, Informative)
KeePass is an excellent utility, available for Windows, Linux, and other platforms. It's simple, quick to use, and configured correctly, you will only have to learn one password: the one to unlock the encryption file.
Have they released the list anywhere? (Score:4, Interesting)
Why such a search isn't advisable (Score:2)
I think it would be interesting to search the passwords I use against the list. [...] This year we confirmed that indeed you can buy everything in New York City.
But can you buy a log of searches?
Re: (Score:2)
That would give you a good indication of how good it is.
Re: (Score:2)
Why not just hash out your password, and try to crack it with John The Ripper or something similar?
That would give you a good indication of how good it is.
Yes, but that wouldn't answer the question I am after with the password list. I want to know how common my passwords are, or if they are even similar to common passwords. 32M passwords is a pretty good set for checking against to answer that kind of question.
Re:Have they released the list anywhere? (Score:5, Funny)
Post it here, I'll check it for you.. Don't worry, Slashdot blanks your password.
My password is *******
See, blanked out!
Re: (Score:3, Funny)
Wonderful, mine is also blanked out: hunter2 :)
See?
Obligatory bash.org reference: http://www.bash.org/?244321 [bash.org]
The Top 10 (Score:5, Informative)
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
By a massive coincidence, these happen to be the passwords for their respective /. userids!
Re: (Score:3, Insightful)
Is there a reason to have a really strong password on "rockyou.com"?
Maybe since it integrates with facebook and the like?
I'm really annoyed when all I want to do is listen to some online music (i.e. Pandora, etc.) and the web site gets pissy because I choose pandora as my password.
Why should I care?
Re: (Score:2)
Dear mods: funny? No, this is fact--read the article. (I was surprised too.)
Re: (Score:2)
Yes, it's factual, but I think the 'funny' mods are for the comment he added at the end.
And the 40% Informative is from whoever now controls CmdrTaco's account
Obligatory Spaceballs Reference (Score:5, Funny)
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
-----
President Skroob: What's the combination?
Colonel Sandurz: 1 - 2 - 3 - 4 - 5.
President Skroob: 1 - 2 - 3 - 4 - 5?
Colonel Sandurz: Yes.
President Skroob: That's amazing! I've got the same combination on my luggage!
Re: (Score:2)
Really? "Password" as password? I'm so disappointed.
Why does password strength matter? (Score:5, Insightful)
...Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
Er, does it REALLY matter anymore the strength of your password with the FBI using post-it notes as a search warrant? I mean I hate to say that, but seriously.
On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.
Re:Why does password strength matter? (Score:5, Insightful)
Well it doesn't matter (and it never did) if you're selecting passwords so the FBI can't read your secret diary.
If, on the other hand, you're concerned about someone in Russia gaining access to your credit card it still matters.
Re: (Score:2, Insightful)
IT IS NOT.
It is nice to think that you are enemy of the state nr 1 and that everybody cares about your secrets, but that's not the case. You should worry about phishers and other criminals, not about law enforcement. And they don't use search warrants. They need to crack passwords
Re: (Score:2)
Tell me about it. I got a good idea from a slashdot comment about a way to easily have secure, diverse passwords for my websites: use a password generator to make a grid of passwords, and devise a mapping from the website name onto the grid. Print the grid on a business-card size sheet. Put a photocopy in your wallet, and the original somewhere you will absolutely no
Re: (Score:2)
On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.
I'm afraid of using a good password at some sites because I fear they store passwords in cleartext. No point in wasting a good password on that!
Re: (Score:2)
I have to change my password at work every 90 days. The result is that I'm creating passwords that don't have non-alphanumerics, but are usually phrases of two or more words together, like "anappleaday" or "lookatmenow" or "changingpwsucks". Am I more or less secure than people forced to use non-alphanumerics who create passwords like "judy1" or "maroon5"? I think so...
Re: (Score:2)
Well, in a properly designed system all private data is encrypted with that password, and only when you enter it, and it is cached in the current session, can that data be decrypted. ;)
Of course, how many properly designed systems are there out there? I heard in the US, not even banks do this properly. (Except maybe if you consider WoW a bank.)
Protip: Data that is shown to everyone on Facebook, is never encrypted. ;)
Re: (Score:2)
The eight-character limit is due to them using the standard Unix crypt() function, which Unix passwords were traditionally encrypted with - it's a one-way encryption, so brute force is generally the only way to recover the passwords, and at the time the computations needed to guarantee cracking a password would take too long to make it worthwhile.
Of course, modern computing systems can run through all of the possible passwords in an 8-character password pretty quickly, so it's a good thing modern systems ar
can't use md5 (Score:2)
md5 in my company (very large multinational corp) is a big no-no. We can't use it. SHA1 is what everything had to be hashed with.
Re: (Score:2)
And financial institutions that do their best to keep you from using a password manager.
Limited in Password size and chars (Score:2)
I can't tell you how frustrating it is to try to keep information secure on various web sites or with companies that still use antiquated password styles. 6-8 chars or numbers only? Really? Still? After all the identity theft you'd think companies would at least step up their need to have users have strong passwords. But nope, places like Earthlink still use limited password capability.
Re:Limited in Password size and chars (Score:5, Insightful)
The report makes it painfully obvious that passwords are an ineffective way to secure information because too many people find strong passwords cumbersome. Maybe we need to come up with something better.
Re: (Score:2)
Every attempt at doing so creates a serious privacy problem, adds an extra level of security problem, or is so complicated that it is difficult to deploy on a large scale.
Most of them are zip codes anyway (Score:2)
actual list of passwords? (Score:4, Informative)
It would be fun to perform one's own statistical analysis of the list
Here's the top 20 most common passwords used according to the report:
Rank  Password    # of Users
   1  123456          290731
   2  12345            79078
   3  123456789        76790
   4  Password         61958
   5  iloveyou         51622
   6  princess         35231
   7  rockyou          22588
   8  1234567          21726
   9  12345678         20553
  10  abc123           17542
  11  Nicole           17168
  12  Daniel           16409
  13  babygirl         16094
  14  monkey           15294
  15  Jessica          15162
  16  Lovely           14950
  17  michael          14898
  18  Ashley           14329
  19  654321           13984
  20  Qwerty           13856
Re: (Score:2)
Amazing! All small letters "password" is not in the top 20?!
Re: (Score:3, Informative)
http://thepiratebay.org/torrent/5232943/RockYou.com_UserAccount-passwords [thepiratebay.org]
Re: (Score:2)
funny - this girl seems to be quite popular *cough* :-)
Anyone has a picture ?
That's my sister you insensitive clod!
Re: (Score:2)
funny - this girl seems to be quite popular *cough* :-)
Anyone has a picture ?
That's my sister you insensitive clod!
So that's a yes?
Re: (Score:2)
funny - this girl seems to be quite popular *cough* :-)
Anyone has a picture ?
That's my sister you insensitive clod!
So that's a yes?
It's a yes if you have enough money on you...
Re: (Score:2)
From the source report [imperva.com] (PDF, 387kb), we also read this: "Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability."
So RockYou was rather security unconscious from the beginning. Cleartext instead of hashed? C'mon.
Keep in mind, this is RockYou.com (Score:5, Insightful)
Is it even worth the effort of coming up with a secure password for that site? If I had for some reason found it necessary to register with such a vapid site I would have just re-used one of my low-security passwords (which many other sites have access to). It isn't too surprising that nobody cares whether someone else is using their account to steal their noisy, eye-burning flash videos. What is far worse is if people are re-using passwords from much more important sites. In this case, it doesn't matter if your password is a random string of letters, numbers and special characters.
Re: (Score:2)
To clarify here, I only reuse passwords for accounts which could not be used for anything too nefarious if they were hacked. My logins for more important sites (like /.) have unique passwords.
A couple questions about passwords (Score:3, Interesting)
I have a couple questions for some more security minded folks here on slashdot, about the 'conclusions' of the analysis in the linked article. . .
* "The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as 'brute force attacks.'"
Is this really true? Here's why I ask - most websites (though unfortunately not all), seem to lock your account if you don't get the right password in 3-5 attempts. Th
Why Is That Interesting? (Score:5, Informative)
Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
Why is it any surprise that people tend to approach passwords as a pass-WORD? It has to be something they can remember, and remembering a string of characters they can't pronounce is far more difficult than remembering (say) their favorite basketball team and the year they graduated high school.
Re: (Score:3, Informative)
There's no reason something can't be both pronounceable and secure. Start with two nonsense syllables, and add a special character between them. Not quite as "secure" as a completely random password, but much less likely to be written down, plus some of the letters can be l33t3d for variant forms. Make three base words for various levels of usage (one for regular web stuff, one for login passwords, and another rarely used for important stuff), and you can even keep around hints for rarely used passwords wit
Not really surprising (Score:3, Insightful)
Since most sites have a bunch of silly restrictions (no special characters, no more than 8, etc), most systems, if they don't enforce strength, randomness, etc, will degrade down to the lowest level where the password will work on all the systems.
Security should not depend on strong passwords (Score:2, Interesting)
The article says that in 20 years users have not gotten better at creating good passwords.
Logically then the solution is NOT to get users to take "password security seriously". This is like trying to stop VD by convincing teens to abstain from sex - it's in the never-going-to-happen category.
The solution is to mitigate the damage of a brute force attack - when bots make password guess attempts, you need counter-"bots" to detect patterns of access and then block IPs, warn users, or disable accounts. This is
Made-up words (Score:2)
My passwords tend to be words that I make up on the spot, with a couple of numbers thrown into the mix. They don't seem too difficult on the surface...but then again it is a word that I make up, some of which don't even have vowels lol. I have a series of seven different ones that I use.
It's worked quite well for me over the years :-)
Lock-out after a certain number of attempts? (Score:2)
Does one really need to worry about "brute force" attacks if it's a system that enforces a lock-out of a user account after a set number of incorrect passwords (say, 5 in 10 minutes or so)?
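The two posts above ask for counter-"bots" that watch failed-login patterns and for lockout after a set number of failures (5 in 10 minutes). This added example (not from either commenter) runs both checks over a constructed authentication log: a sliding window of failures per account that triggers lockout, and a sliding window per source address that flags one address failing against several different accounts, which per-account lockout alone never sees. The log line format, user names and IPs (documentation ranges) are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the original thread. Constructed sample log in an
# assumed "<timestamp> <FAIL|OK> user=<name> ip=<addr>" format, UTC times.
SAMPLE_LOG = [
    "2010-01-21T10:00:00 FAIL user=alice ip=203.0.113.5",
    "2010-01-21T10:01:00 FAIL user=alice ip=203.0.113.5",
    "2010-01-21T10:02:00 FAIL user=alice ip=203.0.113.5",
    "2010-01-21T10:03:00 FAIL user=alice ip=203.0.113.5",
    "2010-01-21T10:04:00 OK user=alice ip=203.0.113.5",
    "2010-01-21T10:05:00 FAIL user=alice ip=203.0.113.5",
    "2010-01-21T10:06:00 FAIL user=bob ip=203.0.113.9",
    "this line is malformed and is skipped by the parser",
    "2010-01-21T10:30:00 FAIL user=carol ip=198.51.100.7",
    "2010-01-21T10:31:00 FAIL user=dave ip=198.51.100.7",
    "2010-01-21T10:32:00 FAIL user=erin ip=198.51.100.7",
    "2010-01-21T12:00:00 FAIL user=bob ip=203.0.113.9",
    "2010-01-21T13:00:00 FAIL user=bob ip=203.0.113.9",
]

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def analyze(lines, max_failures=5, window=timedelta(minutes=10), spray_accounts=3):
    """Emit ("lockout", user, ts) when an account accumulates max_failures
    failures inside `window`, and ("spray", ip, ts) when one source address
    fails against spray_accounts distinct accounts inside `window`."""
    per_account = defaultdict(deque)   # user -> recent failure timestamps
    per_ip = defaultdict(deque)        # ip -> recent (timestamp, user) failures
    locked, sprayers, alerts = set(), set(), []

    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "FAIL":
            continue
        ts, _, user, ip = parsed

        # Per-account sliding window: the lockout the second post asks about.
        q = per_account[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and user not in locked:
            locked.add(user)
            alerts.append(("lockout", user, ts))

        # Per-source sliding window: many accounts, few tries each, one address.
        q_ip = per_ip[ip]
        q_ip.append((ts, user))
        while q_ip and ts - q_ip[0][0] > window:
            q_ip.popleft()
        if len({u for _, u in q_ip}) >= spray_accounts and ip not in sprayers:
            sprayers.add(ip)
            alerts.append(("spray", ip, ts))

    return alerts


if __name__ == "__main__":
    for kind, key, when in analyze(SAMPLE_LOG):
        print(f"{when.isoformat()} {kind:8s} {key}")
```

In the sample, alice is locked at the fifth failure within ten minutes (the successful login in between is not counted), bob's three failures spread over hours never trigger, and 198.51.100.7 is flagged after one failure each against carol, dave and erin. Deduplicating alerts per account and per address keeps the output actionable; a production version would also expire the locked and sprayer sets and feed the alerts to whatever blocks the address or notifies the user.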
Why surprising? (Score:5, Insightful)
"Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords."
Not surprising at all, because the rules for what you CAN use as passwords are so inconsistent. Some places REQUIRE non alphanumerics, but have a limited choice of what you can use. Some don't accept ANY non alphanumerics, some will accept them but again it's different from site to site.
I don't know about you, but I've probably got 100 different passwords rattling around in my brain. I'd guess most people are like me in that they see passwords as a necessary evil but otherwise a giant pain in the ass, and so accept the slight increase in security risk by using a system that changes predictably (at least for me) from site to site. So I'm not going to use a base-password or base-concept that includes any characters that might be disallowed on some other site.
Re: (Score:3, Interesting)
Silly password requirements (Score:2)
12345? (Score:3, Funny)
That sounds like a combination that an idiot would put on his luggage.
Password strength is relative (Score:2)
Strength of a chosen password is a function of information it protects. I am sure most users follow this rule even without specifically identifying it.
In this sense, services like Rockyou are at the very bottom - the only reason users select a password for such a service is because it requires them to. I would bet that if it let users have an option of not having a password at all - they would gladly do so.
While I don't have a sample to prove this, it would be interesting to compare these to passwords selec
repost from my comment on nyt: (Score:3, Insightful)
by the way, i got this idea from a slashdot thread, and it was a eureka moment for me, and i went about resetting all my passwords
i forget the thread or the user id of whoever made the comment, but it was a password related subject matter and i think it was in the last 6 months or so
whoever you are, and i hope you read this: thank you!
Re: (Score:3, Insightful)
pick something you will always remember, say "frankie45". let's say the website you are visiting is facebook.com, so your password there will be "frankie45face" and your password at twitter.com would be "frankie45twit"
And if you use the same username on all of the sites, all it takes is one unscrupulous (or incompetent) site manager to quickly have your other accounts accessed.
Same problem as 20 years ago (Score:2)
All this tells us is that the exhortations to choose more secure passwords reach a certain level and then have no more effect. The implication is that ways of educating users have not improved in the past 20 years.
Let's not blame the users -they are only doing what they're told. The problem is that we (i.e. IT people) are not telling them the right things in a way that they are willing
Re:Same problem as 20 years ago (Score:4, Insightful)
The password concept needs to be replaced with a better concept. I think the password idea has been proven to be a bad concept due to human nature.
Not Important Website = Not Important Passwords (Score:2)
One had to dig deep for this gem... (Score:4, Insightful)
I don't know if anyone bothered to read the full report [imperva.com], but I found this recommendation tucked in at the end of the report:
ast character in the password. (pg. 3)
Allow and encourage passphrases instead of passwords. (pg. 5)
And I say amen, amen to that. I've done quite a bit of personal research in this area, and have found passphrase systems to be far superior in terms of security and ease of use/recall over random combinations of characters. For years I've used the list provided at Diceware [diceware.com] to generate my passphrases, and I have no problem still recalling little-used 5- or 6-phrase passphrases years later.
The idea that random sequences of characters are somehow superior to a passphrase of equal entropy is a myth borne of ignorance and a resistance to change. So long as companies that know better keep forcing their minions to adhere to a strict range of letter/number combinations, we'll continue to be saddled with the problem presented by the Rockyou.com crack.
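The entropy comparison behind the post above (a Diceware passphrase versus a random string of equal entropy), as an added example that is not part of the original thread. Diceware draws each word with five dice from a 7776-word list; the real list is not embedded here, so the short WORDS list is a constructed stand-in that only makes the generator run offline, while the entropy figures use the real list size (6**5 = 7776).

```python
"""Added example (not from the thread): entropy of Diceware passphrases versus
random character passwords, plus a CSPRNG-based Diceware draw.

WORDS is a constructed stand-in for the real 7776-entry Diceware list.
"""
import math
import secrets
import string

DICEWARE_LIST_SIZE = 6 ** 5      # 7776 words, one per five-dice roll
ALNUM = string.ascii_letters + string.digits   # 62 symbols

# Constructed stand-in for a Diceware list (real lists have 7776 entries)
WORDS = ["cleft", "cam", "synod", "lacy", "yr", "wok", "pluto", "dense",
         "ritual", "march", "olive", "tango", "grid", "helm", "quota", "velvet"]


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent, uniform choices from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def diceware_entropy(word_count):
    return entropy_bits(DICEWARE_LIST_SIZE, word_count)


def random_string_entropy(length, alphabet=ALNUM):
    return entropy_bits(len(alphabet), length)


def chars_to_match(word_count, alphabet=ALNUM):
    """Random characters from `alphabet` needed to reach the entropy of `word_count` Diceware words."""
    return math.ceil(diceware_entropy(word_count) / math.log2(len(alphabet)))


def five_dice_index():
    """Roll five dice with the OS CSPRNG and map 11111..66666 to a list index 0..7775."""
    index = 0
    for _ in range(5):
        index = index * 6 + secrets.randbelow(6)
    return index


def passphrase(word_count, wordlist=WORDS):
    """Draw `word_count` words uniformly and independently from `wordlist`."""
    if len(wordlist) == DICEWARE_LIST_SIZE:
        pick = lambda: wordlist[five_dice_index()]   # classic Diceware lookup on a full list
    else:
        pick = lambda: secrets.choice(wordlist)       # uniform draw for the stand-in list
    return " ".join(pick() for _ in range(word_count))


def compare(word_count, char_length):
    """Entropy in bits of a Diceware passphrase versus a random alphanumeric string."""
    return {
        "diceware_words": word_count,
        "diceware_bits": round(diceware_entropy(word_count), 1),
        "random_chars": char_length,
        "random_bits": round(random_string_entropy(char_length), 1),
        "chars_to_match": chars_to_match(word_count),
    }


if __name__ == "__main__":
    print(passphrase(6))
    for words in (5, 6):
        print(compare(words, 8))
```

The numbers are the whole argument: five Diceware words carry about 64.6 bits and six about 77.5, whereas an 8-character mixed-case alphanumeric string carries about 47.6, so an attacker faces more work against "five little words" than against an 11-character random string. The stand-in list yields only 4 bits per word; use a full list for real passphrases.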
Intentionally weak passwords? (Score:2)
I don't know about anyone else, but I have accounts on so many sites it would be impossible to use strong passwords without reuse. I really don't see the harm in using the same weak passwords if I don't care if my account on the site's compromised.
I have a number of site-specific strong passwords I use on sites I care about, and a further handful of very strong passwords I use for accounts that have the ability to charge my credit cards. My unix passwords are completely different too, and I run sshd needing
The definition of insanity (Score:2)
is doing the same thing over and over while expecting different results.
I quote the end of this paper:
He's correct, of course. The problem hasn't changed. That's because the vast majority of people don't
security now had a show about this (Score:3, Insightful)
I understand why you don't want to use dictionary words for passwords, too easy to brute-force. Though how likely is it that servers these days would sit still while a single account fails login ten thousand times? I know once the hacker is in, he can then run the hash file against the dictionary and back into the passwords of other accounts. But wouldn't even a dictionary word with a number or two after it be fine? duck1234 should be just as secure as duck!@#$, right?
I'm running through the ways you can get hacked and what a secure password would mean.
1. Guessing by a person sitting at your computer, brute force hacker from outside, running the dictionary against the hash -- strong is good.
2. Your PC gets rooted, your keystrokes are captured -- strength doesn't matter a bit, you typed it in for the hacker and he won't even have to touch the keyboard when his scripts hit your account and drain it.
3. Data breach and your password is stolen -- Why was it stored in plaintext? Regardless, they have it and can copy and paste if they use it.
The consensus on security now was that draconian policies on the part of IT without any seeming rhyme or reason to the employee will simply foster non-compliance and animosity towards IT.
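The scenario the post above asks about (the hash file in the attacker's hands, run against a dictionary, versus guessing against a live login), as an added example that is not part of the original thread. The "leaked" table is constructed right in the script as unsalted SHA-1 of chosen passwords, and WORDLIST is a tiny stand-in for a real dictionary; both are assumptions for illustration. It shows that "duck1234" is just one of the ~33k mangled forms of "duck" a cracker tries, which is under a second offline but weeks online under the 5-per-10-minutes lock-out discussed earlier.

```python
"""Added example (not from the thread): offline dictionary attack with a
digit-suffix rule against an unsalted hash dump, and the online cost of the
same guesses under a 5-per-10-minutes lock-out.

LEAKED and WORDLIST are constructed for illustration.
"""
import hashlib
import itertools

WORDLIST = ["duck", "monkey", "princess", "password", "rockyou"]


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# Constructed dump: user -> unsalted SHA-1 (a common way careless sites stored them)
LEAKED = {
    "alice": sha1_hex("duck1234"),
    "bob":   sha1_hex("Monkey!"),
    "carol": sha1_hex("princess2009"),
    "dave":  sha1_hex("x7$Gq!w9Lp2#"),   # not derived from a dictionary word; should survive
}


def candidates(word):
    """Mangling rules a cracker applies to every dictionary word:
    three capitalisations, each bare, with '!' appended, or with 1-4 digits appended."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base + "!"
        for n in range(1, 5):
            for digits in itertools.product("0123456789", repeat=n):
                yield base + "".join(digits)


def candidate_count(word):
    return sum(1 for _ in candidates(word))


def crack(dump, wordlist):
    """Return ({user: recovered_password}, guesses_hashed). Each guess costs one
    hash plus one dict lookup: nothing is salted and no lock-out exists offline."""
    targets = {}
    for user, h in dump.items():
        targets.setdefault(h, []).append(user)
    recovered, guesses = {}, 0
    for word in wordlist:
        for guess in candidates(word):
            guesses += 1
            users = targets.pop(sha1_hex(guess), None)
            if users:
                for user in users:
                    recovered[user] = guess
                if not targets:
                    return recovered, guesses
    return recovered, guesses


def online_days(guesses, attempts_per_window=5, window_minutes=10):
    """Wall-clock days to make the same guesses against a live login page that locks
    an account after `attempts_per_window` failures per `window_minutes`."""
    windows = -(-guesses // attempts_per_window)      # ceiling division
    return windows * window_minutes / (60 * 24)


if __name__ == "__main__":
    found, n = crack(LEAKED, WORDLIST)
    print(f"{n} guesses offline recovered {found}")
    print(f"forms of one word: {candidate_count('duck')}, "
          f"online under lock-out: {online_days(candidate_count('duck')):.0f} days")
```

Two things to take from it: the same ~33k guesses that a lock-out stretches to about 46 days for one account take a fraction of a second against the hash file, for every account at once; and an unsalted fast hash lets the attacker hash each guess once and look it up against the whole dump, which is why a salted, deliberately slow password hash (bcrypt, scrypt or similar) matters far more than the lock-out once the database has leaked.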
Wow (Score:3)
Passwords (Score:5, Informative)
We found that one of the most commonly typed passwords that was denied was "case-sensitive".
Needless to say, we soon took off the "Your password is case-sensitive" text from the login page.
Faulty Data in Report Linked in Summary (Score:3, Informative)
I've been playing around with the password file, and there are some gross errors in the report.
First, their top 20 list has many passwords with capital letters, where none actually exist in the 'real' top 20. Also, their numbers are off. I am guessing they used a case-insensitive match, which for most passwords will not work. The 'real' top 20, with case respected, is:
290729 123456
79076 12345
76789 123456789
59462 password
49952 iloveyou
33291 princess
21725 1234567
20901 rockyou
20553 12345678
16648 abc123
16227 nicole
15308 daniel
15163 babygirl
14726 monkey
14331 lovely
14103 jessica
13984 654321
13981 michael
13488 ashley
13456 qwerty
You can download my list of all common passwords used by more than 1000 people at http://www.secure-computing.net/files/count_gt_1k.txt [secure-computing.net] (1KB file) which maintains case. A file without the counts is at http://www.secure-computing.net/files/gt_1k.txt [secure-computing.net] for use with john, etc.
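The tally described in the post above (counting a leaked list with case respected versus case folded, and emitting both a with-counts file and a bare list for john), as an added example that is not part of the original thread or the poster's files. LEAK is a constructed handful of lines standing in for the dump, chosen so that folding case merges distinct passwords and inflates their counts, which is the discrepancy the post reports.

```python
"""Added example (not from the thread): tallying a leaked password list with
case respected versus case folded, plus the two output formats the post
describes (count + password, and bare passwords for a cracker).

LEAK is constructed sample data, not the RockYou dump.
"""
from collections import Counter

LEAK = """123456
Password
password
password
PASSWORD
iloveyou
Iloveyou
iloveyou
qwerty
Qwerty
monkey
""".splitlines()


def count_passwords(lines, fold_case=False):
    """Counter of passwords; with fold_case=True, 'Password' and 'password' merge."""
    norm = (lambda p: p.lower()) if fold_case else (lambda p: p)
    return Counter(norm(line.rstrip("\r\n")) for line in lines if line.strip())


def top_n(lines, n, fold_case=False):
    """[(count, password), ...] in the post's order: count descending, then password."""
    counts = count_passwords(lines, fold_case)
    return sorted(((c, p) for p, c in counts.items()), key=lambda t: (-t[0], t[1]))[:n]


def inflated_by_folding(lines):
    """{folded_password: (largest exact-case count, folded count)} for every entry
    a case-insensitive tally over-reports."""
    exact = count_passwords(lines)
    folded = count_passwords(lines, fold_case=True)
    best_exact = {}
    for p, c in exact.items():
        best_exact[p.lower()] = max(best_exact.get(p.lower(), 0), c)
    return {p: (best_exact[p], c) for p, c in folded.items() if c > best_exact[p]}


def with_counts(lines, min_count):
    """'count password' lines for passwords used at least min_count times."""
    return [f"{c} {p}" for c, p in top_n(lines, len(lines)) if c >= min_count]


def bare(lines, min_count):
    """Just the passwords, one per line, ready to feed to john."""
    return [p for c, p in top_n(lines, len(lines)) if c >= min_count]


if __name__ == "__main__":
    print("exact :", top_n(LEAK, 3))
    print("folded:", top_n(LEAK, 3, fold_case=True))
    print("inflated:", inflated_by_folding(LEAK))
    print("\n".join(with_counts(LEAK, 2)))
```

On the sample, folding case reports "password" four times when no single spelling appears more than twice, which is exactly how capitalised entries end up in a top-20 where none belong. For a real dump, open the file with an explicit encoding and `errors="replace"`, since such lists routinely contain bytes that are not valid UTF-8.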
Stupid (Score:3, Insightful)
Re:Given the sample set, is it a surprise? (Score:5, Interesting)
Until they break into your facebook account and use that to socially engineer access to something else and escalate their way into something beyond that. Or they access your facebook account and start taking guesses are the answers to the security questions you're forced to use (what school did you go to, what was your first pet called, etc., etc.)
There are so many links between so much of what we do online that you would do well to treat it all as worth securing equally.
Re: (Score:2)
Indeed. Facebook, or anything that has either personal information on you, or where you've established relationships with others are valuable sites. Having your login to such a site compromised can cost you dearly - what would your friends think if "you" posted pictures of kiddie pr0n on your Facebook page? Have you 'friended' your boss?
Even somewhere like a gaming forum, you may build up a friendship with people over the time you may have invested there - that's worth something too.
Some random site you spe
Re: *password* (Score:2)
IIRC it was in the text of TFA last time.