
Thread: 32 million passwords show most users careless about security

#1 Hav

From Ars Technica:

    "The latest confirmation of that comes with some pretty significant numbers behind it: 32 million, to be exact. That's how many passwords were obtained in a recent hack of the RockYou service. The hacker left a file with all the passwords on a public site, and security firm iMPERVA has now analyzed them. The numbers aren't pretty: about a third are less than six characters, and half are vulnerable to dictionary attacks. The most common password was 123456, and it was followed by 12345, 123456789, and Password."

So now you know how to become a successful hacker. It's worth pointing out that generally speaking your average website professional wouldn't be caught dead storing passwords in plain text anymore, which tends to mean that you don't come across amusing examples of terrible passwords, but from the prehistory of the 1990s doing some dbadmin on systems involved with login gave the following gems:

    • froggie
    • elvis
    • letmein


    So without further ado, how to create passwords.

Rule 1) Ignore length. Length doesn't mean much unless someone's determined to run brute force attacks, and usually you can get better results from lower hanging fruit.
Rule 2) Don't use single words. Take a leaf from AOL's old technique and intersect words in new and exciting ways. 'Juggaliciouscarnivore' isn't going to be dictionary attacked and is quite memorable if you like Dinosaurs with breasts.
    Rule 3) Mix stuff up with punctuation and numbers. Variety is the spice of life.
    Rule 4) Avoid birthdays, schools, friends names, pet names, wife's names and anything else connected to you.
    Rule 5) Don't use the same password everywhere. Nothing will fuck you up more than the day that there's a database leak and someone gets your email account. Generally the email account is the touchstone for all other security.

Client: “Well we are well known amongst all the Russian billionaires so there is great potential for you to get your name out there by doing this project for free. Also I am a direct descendant of Genghis Khan.”
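As an added illustration (not from the article or from any poster), this is the kind of tally iMPERVA's analysis describes, run over a small constructed password list with a toy wordlist; the sample data and the wordlist are made up for the example.

```python
from collections import Counter

# Constructed sample standing in for a leaked password list; not the RockYou data.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "12345", "12345", "123456789",
    "Password", "password1", "froggie", "elvis", "letmein", "letmein",
    "Juggaliciouscarnivore", "qwerty", "abc123", "iloveyou", "Z7$kq-pLm2!r",
    "monkey", "dragon2", "sunshine", "correct horse battery staple",
]

# Toy wordlist; a real dictionary attack uses millions of entries plus mangling rules.
WORDLIST = {
    "password", "froggie", "elvis", "letmein", "qwerty", "monkey",
    "dragon", "sunshine", "iloveyou", "abc",
}


def dictionary_vulnerable(pw, wordlist=WORDLIST):
    """Heuristic: a wordlist entry, an entry plus up to three trailing digits,
    or a short all-digit string (the '123456' family)."""
    low = pw.lower()
    if low in wordlist:
        return True
    core = low.rstrip("0123456789")
    if core != low and core in wordlist and len(low) - len(core) <= 3:
        return True
    return low.isdigit() and len(low) <= 9


def analyze(passwords, min_len=6, top=4):
    """Return the headline figures the article quotes: the share shorter than
    min_len, the share a dictionary attack would catch, and the most common values."""
    n = len(passwords)
    short = sum(1 for p in passwords if len(p) < min_len)
    weak = sum(1 for p in passwords if dictionary_vulnerable(p))
    return {
        "count": n,
        "short_fraction": short / n,
        "dictionary_fraction": weak / n,
        "most_common": [p for p, _ in Counter(passwords).most_common(top)],
    }


if __name__ == "__main__":
    stats = analyze(SAMPLE_PASSWORDS)
    print(f"{stats['count']} passwords")
    print(f"shorter than 6 chars: {stats['short_fraction']:.0%}")
    print(f"dictionary-vulnerable: {stats['dictionary_fraction']:.0%}")
    print("most common:", ", ".join(stats["most_common"]))
```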

#2 Tyrael

This article will make my dad, the database admin, cringe and will probably provide my brother, the programmer, with ample justification to create even more tiers of security on his system. However, let's look at what website this data was pulled from; some website called Rock You or whatever. Is there really justification to create a leet password that only you will remember and probably forget a few times due to the complexity? Everything on my hard drive is guaranteed boring and not important to anyone, but for network admins, sure, passwords are way more important. The majority of people should worry more about plugging in 'found' USBs and not falling for social engineering via email or myspace...

#3 Hav

Quoting Tyrael:
    However, let's look at what website this data was pulled from; some website called Rock You or whatever.
    The 'rock you' facebook application, hence the 32 million passwords. _32 million_.

Quoting Tyrael:
    Is there really justification to create a leet password that only you will remember and probably forget a few times due to the complexity?
Yup, totally. The vast majority now store hashed one-way transformed keys which means that the dbadmins don't have access, and your general recourse is to reset the password. Best thing to do is harden your email account and come up with a couple of decent passwords that you can use on a semi-random basis, such as the mnemonic two word jobbies (now used by amazon as a 'fast checkout' system) maybe even with another key mixed in. Complexity is all relative.

I had a debate with The Register about five years ago regarding password security...there are quite a few ways to get around password security, but they usually involve a weak password or direct disclosure. The debate started when it turned out that UK workers would quite happily give up their work network logins for a free pen; social engineering of a direct nature. This then started the craze off for the RSA fobs, which kinda move the problem sideways without actually fixing anything.

Quoting Tyrael:
    Everything on my hard drive is guaranteed boring and not important to anyone, but for networks admins, sure passwords are way more important. The majority of people should worry more about plugging in 'found' USBs and not falling for social engineering via email or myspace...
    You don't buy anything, do any internet banking or have an always on connection to the interwebs? All three provide ample motive.
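Hav's point that sites now keep only a one-way transformed key, so the admins cannot read it and a reset is the only recourse, looks like this in code. This is an added example, not something the forum or any poster supplied; the CredentialStore class, the user names and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256; a constructed value for the example,
# to be tuned to the hardware a real deployment runs on.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def derive(password, salt, iterations=PBKDF2_ITERATIONS):
    """One-way transform: the stored digest cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class CredentialStore:
    """Hypothetical minimal store: username -> (salt, digest). Never the plaintext."""

    def __init__(self):
        self._records = {}

    def set_password(self, username, password):
        salt = os.urandom(SALT_BYTES)  # per-user salt: same password, different digest
        self._records[username] = (salt, derive(password, salt))

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Do the same work for unknown names so response time does not leak which exist.
            derive(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = record
        return hmac.compare_digest(derive(password, salt), digest)

    def reset(self, username):
        """The only recourse when a password is lost: issue a fresh temporary one."""
        temporary = secrets.token_urlsafe(12)
        self.set_password(username, temporary)
        return temporary

    def digest_of(self, username):
        """What a database dump would expose for this user: salt and digest only."""
        return self._records[username]


def demo_flow():
    """Run the scenario (constructed users) and return the observable outcomes."""
    store = CredentialStore()
    store.set_password("alice", "froggie")
    store.set_password("bob", "froggie")  # same weak password as alice
    correct = store.verify("alice", "froggie")
    unknown = store.verify("nobody", "froggie")
    temporary = store.reset("alice")
    return {
        "distinct_digests": store.digest_of("alice")[1] != store.digest_of("bob")[1],
        "correct_accepted": correct,
        "wrong_rejected": not store.verify("bob", "elvis"),
        "unknown_rejected": not unknown,
        "old_rejected_after_reset": not store.verify("alice", "froggie"),
        "temporary_accepted": store.verify("alice", temporary),
    }


if __name__ == "__main__":
    for check, outcome in demo_flow().items():
        print(f"{check}: {outcome}")
```

Because each user gets a fresh salt, alice and bob sharing "froggie" is not visible in a dump, and a cracker must attack each record separately.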

#4 Lord Gabriell

    Three factor auth is much better than the typical two factor user/pass combo. We use a quasi-linux based bootable cd to log into ultra-security networks at work w/ several layers of endpoint security, mainly for HSM (root/intermediate keys), secure time server and app signing interfaces. You can make something ultra-secure, but the cost is complexity.

I tend to agree that passwords in general are a pretty poor challenge for important things, but with the ease of hacking fingerprint readers and other assorted tech, it's better than nothing.
Little by little, one goes a long way
Formerly the artist known as Serj, Ykatni, Acobar, Intravenous deMilo and about fifty other mains/alts the last few years.
No more character sales when I ragequit, seriously....

#5 BCD

    I don't understand why people don't just use numeric sequences as passwords. Is it really that hard to remember a few strings of numbers that have some significance beyond birthday or SSN?

#6 Alex Clomsaver

    Yes, retard, it is.


    Beep boop enter password here :sperg:
    Badges of Honor: Three probations, one reversed.

#7 RansomList

    How many phone numbers do you know?

    Do you know at least two?

    Would you have difficulty using a password comprised of half one phone number and half another?
    Not Dead, Just Sleeping

#8 Alex Clomsaver

People with jobs typically have more than two passwords, idiot. I, myself, have at least eight currently in use and have no real ability to pare that number down.

#9 RansomList

Quoting BCD:
    I don't understand why people don't just use numeric sequences as passwords. Is it really that hard to remember a few strings of numbers that have some significance beyond birthday or SSN?
Quoting Alex Clomsaver:
    Yes, retard, it is.
    Beep boop enter password here :sperg:
    How many phone numbers do you know?
    Do you know at least two?
    Would you have difficulty using a password comprised of half one phone number and half another?
People with jobs typically have more than two passwords, idiot. I, myself, have at least eight currently in use and have no real ability to pare that number down.
    Here is the thread of the conversation for you and a precis if it makes it easier to follow:

-Someone queries why people don't just use numeric sequences for passwords, says surely it can't be that hard to remember them.

-You call him a retard and say that it is.

-I ask if you can remember phone numbers- my point being that unless you were dropped on the head as a baby you can easily remember multiple sequences of numbers 10-11 in length with ease.

-You call me an idiot. You tell me you have to remember 8 passwords and can't reduce that number. You miss the point that remembering numerical passwords is not a problem for most people; you should be able to remember 8 passwords that are numbers.

Unless of course you can't remember people's phone numbers, your bank account number, National Insurance number or the American equivalent and all manner of other long strings of digits people memorize in everyday life.

I expect if you think really hard you can think of 8 long sequences of numbers you remember.

As usual the common theme here is you calling people idiot or retard and ploughing on towards some conclusion you have already decided is right, like a structural engineer continuing to build a bridge over a river with plywood even when his calculations say it isn't load bearing.

You may be uninterested to know that every neg rep I have for several pages on this account is from you.

(EDIT: if you retort with 'fag' I win the Clomsaver Bingo this week)

#10 Alex Clomsaver

I'm not exactly sure where you get the idea that most people can remember multiple ten digit numbers with ease, but it's pretty good at proving you don't know much about the human mind. Why don't you stick to leaving creepy messages on people's facebook pages instead of talking about stuff you do not understand.

#11 RansomList

Quoting Alex Clomsaver:
    I'm not exactly sure where you get the idea that most people can remember multiple ten digit numbers with ease
    Because people do.

Quoting Alex Clomsaver:
but it's pretty good at proving you don't know much about the human mind.
    Does that count as calling someone ignorant? I'm going to have to argue this as a win.

Quoting Alex Clomsaver:
    Why don't you stick to leaving creepy messages on people's facebook pages
    ?

#12 Murr

    COMPETITIVE POSTING ENVIRONMENT!!!!!!


    ~~~~GIMMIE +REP+ GIMMIE~~~~

#13 RansomList

    Does he think I'm posting creepy messages on his facebook or is he saying he thinks I'm the kind of person that probably does post creepy messages to people on facebook.


    Competitive Posting Environment!

#14 Alex Clomsaver

Quoting RansomList:
    Because people do.
    Here, have some learning you ignorant savage.

    Of course that does ignore the fact that phone numbers are really only nine digits long, that the vast majority of people don't have to worry about different area codes which further reduces it to six digits and that few people keep more than four or five phone numbers memorized at any one time.

#15 RansomList

    First, that paper deals with short term memory or immediate/flash recognition so far as limitations on memory span for sequences of numbers.

    Regards longer term memory, read about chunks. Something interesting to consider is that your credit card number is (probably) displayed in quartets. Do you remember it as such?

    I did specifically mention several different kinds of long numerical sequences for a reason. Phone numbers aren't the only such thing people have to remember.

Another thing to consider is that the concepts discussed deal largely with average Joe. Good card tellers and numbers men in poker and other card games are quite capable of smashing these assumptions, as are London Taxi drivers, bank tellers and a whole range of professionals.

    The brain is a learning entity.

    You may not want to use numerical passwords, but you are quite capable of doing so if you want to and without real difficulty, just like countless numbers of people do in their everyday lives (remember many long strings of numbers or not immediately related symbols or letters that is).



    Can we just agree that you were wrong, or that in your specific case you find it too hard to use numerical passwords and are altogether too eager to throw a flippant 'idiot' or 'retard' (or 'fag') at someone?

#16 Alex Clomsaver

Oh boy, chunking. Works a hell of a lot better with letters that can be formed into syllables than numbers, which really can't unless they go "2468" or something. For what it's worth, I, along with most every normal human being, do not remember my credit card number.

Now I think it's time to end the argument so feel free to admit defeat anytime, Ransomlist. (which is, of course, just a restatement of your last sentence except in this case it is logical since I am the one who is right and you are the one who is wrong.)

#17 Hav

Quoting Alex Clomsaver:
Oh boy, chunking. Works a hell of a lot better with letters that can be formed into syllables than numbers, which really can't unless they go "2468" or something. For what it's worth, I, along with most every normal human being, do not remember my credit card number.
    Or your social security number?

Quoting Alex Clomsaver:
    I am the one who is right and you are the one who is wrong.
    Yes, you're a special princess and we're lucky to have you.

#18 Murr

Quoting Alex Clomsaver:
Oh boy, chunking. Works a hell of a lot better with letters that can be formed into syllables than numbers, which really can't unless they go "2468" or something. For what it's worth, I, along with most every normal human being, do not remember my credit card number.

Now I think it's time to end the argument so feel free to admit defeat anytime, Ransomlist. (which is, of course, just a restatement of your last sentence except in this case it is logical since I am the one who is right and you are the one who is wrong.)
Most people can't even remember a single telephone number or their PIN; of course he's wrong.

#19 The Alien Mind

It's so simple: people CAN remember, but no one cares.

I still remember the phone numbers of quite a few friends from before mobile phones were commonplace. If I tried I could remember several.

But I don't. Why? I can't be arsed to remember all of that for sites that I consider mediocrely important. I use another system that isn't foolproof but will at least skip the dictionary things.

Only exception is kugu, as I'm paranoid.

#20 Algey

One of the biggest problems for security is getting people to remember passwords. I was recently involved in trying to get a secure system to access patient data altered, however the tech people were certain that doctors can remember 12 complex passwords. It is worth mentioning that this is 12 "strong" passwords (defined as an 8 character string with uppercase, lowercase and numbers in the string) that would change every month for added security. Sadly though it isn't every month, just on first login after a month, so using a sequence doesn't help much as it loses sync (some doctors only log into some systems every few months).

Oddly enough all of the doctors write the passwords down and keep them with the notebook computers. The tech people still think this is the doctors' fault.

#21 Hav

Quoting Algey:
The tech people still think this is the doctors' fault.
The tech people get blamed when they fail PCI compliance or SOX regulations. Having said that, the passwords on stickies is still SOP for so many places that it isn't funny.

    Getting people to give up passwords over the phone is still depressingly easy.

#22 Algey

    I agree that the tech people have a responsibility to ensure that a solution is up to standards, however the problem here was the tech people not listening to reason. A sensible person would simply have said "this cannot work" rather than "of course they can remember all these complex and changing passwords".

So now we have terrible security but have saved the difficulty of developing a centralised login. All because there is this idea that it is easy to remember passwords.
