What LulzSec Logins Reveal About Bookworms, and Passwords
Barence writes "Today the hacking group LulzSec posted 62,000 hacked email usernames and passwords online. PC Pro's Darien Graham-Smith has analysed the passwords stolen — which are believed to have come from a website for writers — and found some interesting patterns. Aside from 'password' and obvious numerical patterns (i.e. '12345') the most common passwords share a literary theme: 'romance,' 'mystery,' 'shadow' and 'bookworm' are all commonly used passwords. 'Clearly, this is a back-of-an-envelope breakdown of a mixed mass of unverified data,' said Graham-Smith. 'But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.'"
Are you sure? (Score:5, Insightful)
Re: (Score:1)
You re-use the same password for multiple sites? Good to know. How would you like to register for a free account on my site?
Re: (Score:2)
You must be on a netbook. You seem to have missed the last six words of his post.
Gay Girl Blogger from Syria? (Score:3)
Do we need to change "her" password? Right now it's "Lezcyclopedia".
Re: (Score:2)
What's wrong with the same throw away password for multiple sites? Personally I usually make new usernames for different sites as well, but does it really matter if you didn't? The best someone could do is get your email address, which assumingly, you haven't used a "throw away password" for. Or spam some forum account that by definition of it being "throw away worthy" you do not care about?
Otherwise you would have hundreds of unique password and usernames combinations that you would obviously need to write do
Re: (Score:2)
Well, see pictures from the riots in Vancouver last night.
Now imagine someone impersonating you. And posting your info. So that the cops can arrest you. As is happening right now in Vancouver.
You may not be guilty, but that doesn't mean your life won't be hell for a while.
Re: (Score:2)
I'm honestly not worried one iota about that type of scenario. Framing someone doesn't just happen on the internet. There are a million reasons why it rarely works, and the internet provides better tracking to prove your whereabouts than analog life.
Re: (Score:2)
Because people that reuse their passwords do so for paypal, ebay, their bank etc.
And if you get arrested in America on any of these charges expect to sit in jail for a few years before the committee gets to you. If you get that lucky.
- Dan.
Re: (Score:2)
http://news.slashdot.org/story/11/06/16/2059204/British-Student-Faces-Extradition-To-US-Over-Copyright [slashdot.org]
Re: (Score:2)
You should be worried. The wheels of justice move slowly. Who knows when the cops will get those pictures of you at the game/work/elsewhere?
Now imagine that the pictures are of your son - aged 15. You're not always sure where he is. It's not documented. But someone posted a pic of him saying he was in Vancouver, participating in the riot.
Again, he may not be guilty, but that doesn't mean his and your lives won't be miserable for a while.
Re: (Score:1)
And just because you don't use a custom password based on the type of site doesn't mean that others don't. I've heard of people who have a base key that they use for their passwords - say "Camaro" for simplicity's sake. Then, for slashdot their password may be "Camslasharo" and for facebook "Camfacebookaro" "Camgmailaro" etc.
Re: (Score:2)
I doubt those 30 people using the password "writerspace" for writerspace.com [writerspace.com] use the same password for facebook or their email.
No you're right, they probably use "facebook" for facebook, and "hotmail" for hotmail. The whole point is that once you identify a user name that uses this type of weak password, you go from astronomical odds of being able to crack to a few dozen possibilities.
And just because you don't use a custom password based on the type of site doesn't mean that others don't. I've heard of people who have a base key that they use for their passwords - say "Camaro" for simplicity's sake. Then, for slashdot their password may be "Camslasharo" and for facebook "Camfacebookaro" "Camgmailaro" etc.
Doesn't matter. A "key generation algorithm" simple enough for a person to remember or work out logically is simple enough to guess at - at least far simpler than the number of combinations possible with a truly random password. The point is that if y
Re:Are you sure? (Score:5, Funny)
My generic password is "iwillnevertellyou".
They'll never figure that one out, not even if they try to beat it out of me.
Re: (Score:2)
I once changed a friend's BIOS password to 'idunno'. I tried telling him, but he just got increasingly aggravated.
Re: (Score:2)
Who's on first?
Re: (Score:2)
I thought about doing a mix. Like, I have a series of numbers, symbols and letters that I've memorized. It's a very secure password, and I like using it because I can remember it.
But of course, using the same password on every site isn't good practice, so I've made various little changes to the series. Only problem is, it gets hard to remember what series fits what site. So I thought of using the same series for every site, and then simply attaching the first and last alphanumeric character of the websi
Re: (Score:2)
Why not just use LastPass or one of the bookmarklets that make a hash from a master password and the site url?
Re: (Score:2)
Because it's easier just to have the password in my head. Yup, I'm that lazy
Re: (Score:2)
Because the passwords stored in the cloud are encrypted, they aren't in the clear. A service like LastPass cannot send you your plaintext password. All they have is the encrypted version. If they are hacked, all the hacker will get is a bunch of random looking data.
The downside is that if you lose your master password, you are screwed.
The upside is that the passwords that LastPass generates are very strong. Much stronger than what people typically use (like "pa55word"). And because you don't have to remembe
Re: (Score:2)
So I thought of using the same series for every site, and then simply attaching the first and last alphanumeric character of the website address to the password. That way I'll have a secure password on every site that is easy to remember wherever I use it.
That's what I do, except to be more secure I use the first and last 3 alphanumerics from each site. Conveniently, several of my passwords are identical: "wwwpasswordcom".
Re: (Score:1)
I like my system. I have a somewhat unique word that is about 8 characters long. I mix that with the domain name of the site I am visiting in the format of an email address (which we all seem to be able to remember).
The only problem with this is that it is still mostly useless if someone gets one of your passwords.
For example, if newyorktimes.com gets hacked and the login info is published, then it's not a massive intellectual effort to figure out the scheme that you are using and apply it to any other sites that you may be on.
In passwords size matters :)
Only if you're just brute forcing.
check your passwords (Score:4, Informative)
Just search the page for your password. Chrome does a great job of this because it starts highlighting matching passwords as you type it. I just checked my passwords, none of them are on this list.
Re: (Score:2)
Cool, mine aren't on there. A long time ago I was webmaster of poiuyt.com; I was always amazed at the number of people who used a @poiuyt.com as an email address with qwerty as the password on various sites around the web.
Re: (Score:2)
hunter2 isn't on the list, but hunter22 is. Clearly our friend [bash.org] realized he was hacked and upgraded his password strength.
I thought so too until... (Score:2)
That was my first guess too. However, here's a list of the top 45 most common passwords for that site. I've bolded the obvious literature-related passwords. Others may be as well, such as person names that might be references to characters. You may be right, of course, but literature-related passwords do seem overrepresented.
0.9231% "123456"
0.3157% "123456789"
0.2142% "password"
0.1417% "romance"
0.1095% "102030"
0.1079% "mystery"
0.0998% "123"
0.0998% "ajcuivd289"
0.0998% "shadow"
0.0998% "tigger"
0.08
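The frequency table above is the kind of back-of-an-envelope breakdown the article describes. The following is an added example (not the poster's or PC Pro's code) of how such a breakdown is produced from a raw dump: it parses "email:password" lines, ranks passwords with the same percent-of-entries figure the table uses, buckets them as numeric, theme word or other, and histograms the lengths of all-digit passwords (the 6- and 7-digit runs noticed later in the thread). The dump and the theme-word list are constructed for illustration and are not the LulzSec data.

```python
"""Back-of-an-envelope breakdown of a credential dump, as described in the
thread.  Added example: the dump below is CONSTRUCTED for illustration and is
not the LulzSec data; the theme-word list is an assumption."""
from collections import Counter

# Constructed sample in the usual "email:password" dump layout.  One line is
# deliberately malformed to show that the parser skips junk.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:romance
carol@example.com:password
dave@example.com:mystery
erin@example.com:123456
frank@example.com:shadow
grace@example.com:bookworm
heidi@example.com:123456
ivan@example.com:romance
judy@example.com:1029384
mallory@example.com:Tr0ub4dor&3
this line is not a credential
oscar@example.com:9876543
"""

# Assumed "literary" theme words, mirroring the pattern the article reports.
THEME_WORDS = {"romance", "mystery", "shadow", "bookworm", "writer", "novel",
               "poetry", "library", "reader"}


def parse_dump(text):
    """Return [(email, password), ...].  Split on the FIRST colon only, since
    a password may itself contain ':'; lines without a colon are skipped."""
    creds = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds.append((email.strip(), password))
    return creds


def top_passwords(creds, n=10):
    """Top-n passwords as (password, count, percent of all entries), with the
    percentage rounded to four decimals like the thread's table."""
    counts = Counter(pw for _, pw in creds)
    total = len(creds)
    return [(pw, c, round(100.0 * c / total, 4)) for pw, c in counts.most_common(n)]


def classify(password):
    """Coarse bucket for a single password."""
    if password.isdigit():
        return "numeric"
    if password.lower() in THEME_WORDS:
        return "literary"
    return "other"


def theme_share(creds):
    """Fraction of entries whose password is a theme word."""
    return sum(classify(pw) == "literary" for _, pw in creds) / len(creds)


def digit_lengths(creds):
    """Length histogram of all-digit passwords; a spike at one or two lengths
    (the thread notices 6- and 7-digit runs) hints at generated reset values."""
    return Counter(len(pw) for _, pw in creds if pw.isdigit())


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    for pw, count, pct in top_passwords(creds, 5):
        print(f"{pct:.4f}% {pw!r}  [{classify(pw)}]")
    print(f"theme-word share: {theme_share(creds):.1%}")
    print("all-digit lengths:", dict(digit_lengths(creds)))
```

Run it as a script to print the ranked table; the percentages are computed against all parsed entries, so a malformed line that is skipped also drops out of the denominator.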
Hmmm ... (Score:2)
Re: (Score:2)
I'm guessing one participant was a librarian?
If that was the case, then the password would be "Ook.". Sorry if you're not a Terry Pratchett fan, you just won't get this.
Plaintext (Score:2)
Re: (Score:2)
Be careful what you wish for--if that does happen, you should probably expect a whole lot of ROT13 implementations...
Re: (Score:2)
Because that only solves half the problem?
oh noez! (Score:5, Interesting)
Easy-to-remember passwords for a site that doesn't matter at all? Color me shocked. When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info. That way if someone does acquire this info (and it has happened multiple times) I don't get burned. For important things like banking and gmail, I have 2-step authentication enabled and use a strong password on top of that. Different on every site of course.
But for stuff like writers forums, tech support sites, slashdot (haha!) and the like? I don't use and don't care to use a strong password because, well, what's the point? You don't hear about individuals on these sites being hacked because of the insecure passwords they use. No, you hear about the administrators of these sites having their sites hacked and their userlists and passwords stolen. What good does a strong password serve on a site like this when there are gaping security holes in the OS hosting the forums?
And why, for Xenu's sake, are people still storing passwords in plaintext??
Re: (Score:2, Funny)
And why, for Xenu's sake, are people still storing passwords in plaintext??
because their lazy.
Re: (Score:3)
damn.
they're...
I'll hand in my spelling/grammer pedant card now.
Re: (Score:2)
"spelling/grammer"
I'll assume that was in jest :-P
Re: (Score:3)
because their lazy asses can't be bothered to learn how to do things the right way.
http://en.wikipedia.org/wiki/Principle_of_charity/ [wikipedia.org]
Re: (Score:2)
When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info.
Bonus points for unimportant sites that don't accept mailinator.com e-mail addresses or won't let you set a weak, easy to remember password.
Because, you know, if my "I can haz cheezeburger" account gets compromised, western civilization might end.
No reason not to use password manager (Score:2)
Password reuse is a major problem, regardless of site. There is very little excuse not to use tools like 1Password, LastPass or KeePassX.
I've gotten my technophobic parents and wife on the treadmill (all use 1password via a family license).
I've gotten them comfortable ditching their "known good password" on their other sites, learning the strong master password by heart, and got them comfortable enough to generate good-length (default 18 characters) passwords for any site that needs it.
The best part about
Re: (Score:2)
How about "if it's not your bank account who gives a flying fuck about security and strong passwords" as an excuse?
Re: (Score:2)
Actually, the article is a little sensationalist. I just looked at the password file. About 2/3rds of the passwords are decent. Long, not 100% obvious, mix of numbers & characters, etc. I was expecting more of an 80/20 ratio of crap vs decent and I was really surprised. Also kudos to the guy who uses "707294en14.SmMeG"
That said, I see a pattern of lots of numerical 6 and 7 digit passwords. They don't look like phone or postal codes. I'm guessing that their password reset tool picked 6 or 7 random numbe
Re: (Score:2)
When forced to sign up for forums to ask a question about coding or tech troubleshooting, I generally use a pretty basic password and then lie about all of my personal info. That way if someone does acquire this info (and it has happened multiple times) I don't get burned.
And use guerrillamail.com to get a temporary email if you need to hit a verification link.
Re: (Score:2)
And why, for Xenu's sake, are people still storing passwords in plaintext??
Because, as you've already established, for this website they don't matter.
Re: (Score:2)
I'll just let that sink in, for laughs.
AOL.
Caution (Score:1)
I'd always be wary about all these grand "revealings" about passwords from LulzSec.
How many usernames/passwords on an innocent blogging site like that are completely throwaway?
I know that on randomblog.com if I want to make an account on the spot, I'm certainly far more likely to use "asdf123" for a username and "randomblog" as a password than I am a 16 digit alphanumeric/symbol/mixed case password that I will forget in 5 minutes.
Who cares if your blogspot account gets hijacked? What are they going to do, w
Not wanting to write it down (Score:2)
Many of these passwords are a consequence of a person not wanting to write down their passwords for fear of the written down password being found. Thus, instead of creating an effective, hard to guess (and hard to remember) password, many people simply come up with a password that is easy to remember, but that they hope is so random, or so obvious, that nobody would guess.
I teach my children, even the little ones, the old trick of coming up with an easy to remember sentence, picking the first letter of each
Noticed similar pattern (Score:2)
And for the record, yes, I told them stop emailing around spreadsheets that included everyone's pa
Passwords? (Score:1)
Why are we still using passwords? They will go away, sooner or later.
the algorithmic approach to passwords (Score:2)
i've championed this before, and i don't know why it doesn't get more press
instead of the same username pword for every site, make your uname/ pword a derivative of the website name or theme, and your own personal salt
the rules could be as quirky and arcane as you want
for example:
username is the first 3 letters of the website, plus your birthyear, plus the cousin whose name sounds most like the website you're visiting
password is the street you grew up on, minus the last 3 characters and plus the last 3 character
Re: (Score:2)
echo -n "Shivelights and shadowtackle in long lashes lace lance and pair + slasHdoT"
Re: (Score:2)
now that's hot
your average user isn't going to do sha256 hashes though
but, skipping that step, it's still a workable framework
Re: (Score:3)
i really don't know why this idea of remembering just one personal quirky algorithm isn't more widespread
The problem with algorithms is stupid artificial restrictions on credentials by some sites. For example, I can only choose numbers for my "PIN" on my 401k. Or my password must be all lowercase for my public utilities site, or contain no special characters at my bank, or some other hare-brained restriction.
Same with user names. Often your username must be your email address. Sometimes they don't allow the @ sign. Other times, it's not modifiable and random characters assigned to you (I have at least one broke
Re: (Score:2)
this is a good criticism. you are correct. different policies and standards complicate the algorithm and are discouraging
Re: (Score:2)
it's really not complicated. it is no more complicated than using the same username/ pword on every site: an algorithm is just a few small simple steps to remember
It doesn't follow. (Score:2)
Not sure I buy the premise. I went to a nerd college with few women. Back then, before they shadowed PW files, I came across a lot of passwords. The two most common variants I found contained the words 'soccer' or 'jennifer.' Once again, I went to a nerd college with few women.
But of course. (Score:5, Funny)
But it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they're visiting.
The three most popular Slashdot passwords are 'troll', 'slacker', and 'clown'.
Some of the emails are fakes (Score:3)
they'll never get mine. (Score:2)
Mine is all '*'s ...
Mmm, salt. (Score:2)
Seriously. Hashing. Does nobody practice this for user account databases?
Re: (Score:2)
Anyone writing code that stores passwords using plaintext or reversible hashes should probably take up a career in quilting.
As should anyone writing code that can't handle every printable ASCII character in a password. Better yet, passwords should allow any string of bytes. Any programmer who limits passwords to alphanumeric is probably writing SQL injection vectors.
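The two posts above ask for exactly two properties from an account database: hashed and salted storage, and acceptance of any byte string as a password. The following is an added example (not code from any site discussed in the thread) showing both with the Python standard library: a random per-user salt, an iterated PBKDF2-HMAC-SHA256 digest, constant-time verification, and a check that flags plaintext or under-stretched rows for rehashing on the user's next login. The record layout `pbkdf2_sha256$iterations$salt$hash` and the work factor are this example's own assumptions.

```python
"""Salted, iterated password hashing for a user-account table.  Added
example of what the thread asks for (hash + salt, any byte string accepted);
the record format 'pbkdf2_sha256$iterations$salt$hash' is this example's own
convention, not any site's or library's."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def _to_bytes(password):
    # Accept str or raw bytes so quotes, spaces, NUL and non-ASCII all work;
    # nothing here cares what the characters are.
    return password if isinstance(password, bytes) else password.encode("utf-8")


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record.  A fresh random salt per user means two users
    with the same password get different records, and a table precomputed for
    one salt is useless against every other row."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", _to_bytes(password),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False   # malformed or legacy record: never a match


def needs_rehash(record, iterations=ITERATIONS):
    """True for rows that are not in the salted-PBKDF2 format (e.g. plaintext
    left over from an old schema) or were stretched with too few iterations;
    such rows get rehashed the next time the user logs in successfully."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("romance")
    print(rec)
    print("login ok:", verify_password("romance", rec))
    print("legacy row needs rehash:", needs_rehash("romance"))
```

Because the salt and iteration count travel inside the record, the work factor can be raised later without touching existing rows: old rows still verify, and `needs_rehash` tells the login path to replace them.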
Ahem (Score:2)
Re: (Score:2)
Why would you believe the WHOIS data?
Re: (Score:1)
Adrian Lamo was the guy who turned in Bradley Manning. If you were a wikileaks supporting entity, looking for a random name to blame ...
Yawn! (Score:1)
I am really starting to doubt these stories. Generating usernames and passwords is something that can be done with even a quick script - it is not hard to generate real words using a known dictionary source.
Selection bias, anyone? (Score:2)
We can't know for sure since they aren't divulging their source, but some of the services listed are too sophisticated (esp. Gmail, even if you don't believe in competency of those who run Hotmail) even to store passwords in cleartext anywhere.
If I had to guess at how they obtained these passwords, they did it by actual hacking of the accounts (or somehow got a hold of the password hashes to run faster attacks on), and in that case, the accounts with weak passwords are the low-hanging fruits; of course the
Did anybody here finish the article? (Score:2)
The passwords are likely vision based (Score:3)
Want to break into their stuff? Simply take a look around the desk and see what is important to them. Simple as that.
Re: (Score:1)
This happens all the time in film, but I've never seen it happen in real life. I know a few people who use passwords that have some sort of personally important bit of information nested in it, but having known the passwords of various friends and family members throughout my life the creation methods have never been related to what's around their desks.
most of the emails are from Brazil (Score:1)
Guessable passwords. (Score:3)
People use guessable passwords because they want to use passwords that they can remember. And people that use passwords they can remember do reuse passwords. Any password I can remember probably isn't very secure. Any password used at more than one site definitely isn't secure.
It's past time that all browsers included a standard password generator with user definable salt set at first invocation, and master password prompting. Web standards should at a minimum specify support for all printable ASCII characters in passwords. If a bank isn't competent enough to hire a programmer that can write code to handle a quote in a password, you probably shouldn't be banking there.
Until then there's still PasswordMaker, for which you have to salt each account separately if you do not want the default unsalted hash. And there's still the annoyance of "alphanumeric only with at least one uppercase and one number" web sites.
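Several posts in the thread converge on the same idea: hash a memorised master secret together with the site name (the `echo -n ... | sha256` reply, the bookmarklet suggestion, and the PasswordMaker-style generator with a per-account salt described just above). The following is an added example of that approach, not PasswordMaker's algorithm or any tool's code: the master secret is stretched once with PBKDF2, each site password is an HMAC of the site name under that key, and the output is mapped onto whichever character set the site allows, retrying deterministically until the site's "at least one uppercase and one number" style policy is met. The version label, salt layout, alphabets and work factor are this example's own assumptions.

```python
"""Deterministic per-site password derivation from one memorised master
secret.  Added example of the 'hash the master plus the site name' approach
discussed in the thread; not PasswordMaker's or any tool's code.  The version
label, salt layout, alphabets and work factor are assumptions."""
import hashlib
import hmac
import string

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS   # all 94 printable ASCII, quotes included
ALNUM = LOWER + UPPER + DIGITS                  # for "alphanumeric only" sites
ITERATIONS = 100_000                            # assumed work factor


def master_key(master, account=""):
    """Stretch the master secret once.  'account' is the optional per-account
    salt the thread mentions, so two accounts on one site get unrelated keys."""
    salt = f"pwderive-v1|{account}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)


def meets_policy(password, alphabet):
    """True if the password contains at least one character from every
    class (lower/upper/digit/symbol) that the alphabet itself contains."""
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in alphabet for c in cls) and not any(c in cls for c in password):
            return False
    return True


def _candidate(key, site, length, alphabet, counter):
    # Expand HMAC-SHA256(key, site || counter || block) into >= 256 + 8*length
    # bits, then map that integer onto the alphabet; with this much input the
    # modulo bias is negligible for the lengths used here.
    stream = b""
    block = 0
    while len(stream) < 32 + length:
        msg = site.encode() + b"\x00" + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    n = int.from_bytes(stream, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def derive_password(master, site, account="", length=18, alphabet=PRINTABLE):
    """Site password = f(master, site, account).  A leak of one site's derived
    password reveals neither the master nor any other site's password, unlike
    the 'base word plus a few site letters' schemes criticised in the thread."""
    key = master_key(master, account)
    counter = 0
    while True:
        pw = _candidate(key, site, length, alphabet, counter)
        if meets_policy(pw, alphabet):
            return pw
        counter += 1   # deterministic retry until the site's policy is satisfied


if __name__ == "__main__":
    m = "correct horse battery staple"   # constructed master secret
    print("writerspace.example:", derive_password(m, "writerspace.example"))
    print("bank.example (alnum):", derive_password(m, "bank.example", alphabet=ALNUM, length=12))
```

The site name is what makes outputs independent, so it must be entered consistently (a normalised registrable domain works better than a full URL, which changes between pages of the same site). Changing `length` or `alphabet` changes the result, which is also the mechanism for rotating a password after a breach: bump the `account` label or the version string and every derived value changes while the master stays put.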
I don't think the data is that relevant (Score:1)
It reveals (Score:2)
that LulzSec are worms.