|
A couple of days ago, LulzSec published a batch of 62K random logins (emails and passwords). At first, I grabbed it in order to make sure that neither I nor anyone in my contacts had their passwords revealed. Later I decided to run a few stats on this rare dump of data. Following are a few interesting facts.

Password length

The dump's average password length is 7.63. I was surprised, because I thought most users would use something like 4 characters, but then remembered a lot of sites nowadays enforce a 6-8 character minimum, so this makes sense. As you should know, and as you can find in Hacking: The Art of Exploitation, longer passwords are greatly harder to crack, so this is definitely a case where size does matter.

Not surprisingly, the most common password is 123456 with 569 occurrences, followed by its "more secure" cousin 123456789 with 184. The 3rd most common password is... "password" (132 occurrences)! The other top-10 passwords are interesting - some are plain words such as "romance", "mystery", "tigger" and "shadow"; "102030" makes quite a few appearances. The 10th most used password is quite intriguing actually - "ajcuivd289". Everyone on the internet seems baffled as to the source of this password. My guess would have to be it's some worm that resets the accounts it hacked into to it. Edit: As Marc comments below, the logins with these passwords seem "clustered", which makes it more likely that these are actually the result of some bot creating accounts. Thanks Marc!

A couple hundred passwords are just not-so-random keyboard taps ("123qwe", "asdf1234", etc.). 789 passwords are taken exactly from the username, and twice that many are part of the username followed by some digits (most seem like birth years). 12179 of the passwords are all numeric, some are 14 digits long! That's just crazy. While 34717 (that's more than half) of the passwords contain any digits, only 1262 contain capital letters and 533 contain special characters!
http://www.codelord.net/2011/06/18/...f-62k-passwords https://www.google.com/#hl=en&sclie...iw=1920&bih=900 At least giving you candy, doesn't a password anymore. How to tell if they store your password in plain text is easy. In light of all the Chinese hacking America and stuff, we are limited to 8 chars as a password, no special chars allowed, because it costs money. My password for this site is @wepboowoa$er.scootscoot.43%%%3. Also, you may say well, it's not fraud because of the lovely systems implemented. China broke my enhanced license when I never was traveling to Thailand. I'm still trying to figure it out, but MY GOVERNMENT is saying that there was no security breach at a DMV. Reads like the ranting of a mad man, but my "enhanced license" is stolen. It is my fault. Edit: it is my fault because it's someone else's fault. (USER WAS PUT ON PROBATION FOR THIS POST) (USER WAS BANNED FOR THIS POST)
|
| # ? Feb 26, 2013 20:41 |
|
Since I saw this comic I've been doing this where allowed, and guess what? I had my Guild Wars 2 password set as "givemesomethingshiny" and I survived multiple rounds of people having their accounts hacked. Hell, after my gmail was hacked multiple times I changed my password to "fuckoffyouhackingcunts" and no longer had an issue.
|
| # ? Feb 26, 2013 20:46 |
|
I have no goddamned clue what's happening in the OP after those URLs.
|
| # ? Feb 26, 2013 20:49 |
|
Is there a way to see how many goons have reset their passwords in the last 24 hours?
|
| # ? Feb 26, 2013 20:50 |
|
First time I've seen a single-post Flowers for Algernon.
|
| # ? Feb 26, 2013 20:50 |
|
I used 'ihaveaboner' for all my porn site accounts but I still got hacked, what gives?
|
| # ? Feb 26, 2013 20:51 |
|
Your followup to the article is incomprehensible. I'm sorry, I really don't understand what you're getting at. Are you a less comprehensible Kyoon?
|
| # ? Feb 26, 2013 20:51 |
|
Reading this OP is like watching someone slowly slip into a coma.
|
| # ? Feb 26, 2013 20:53 |
|
Anne Whateley posted:First time I've seen a single-post Flowers for Algernon. Okay, so it's not just me then. I was worried I had an aneurysm or something. Kyoon?
|
| # ? Feb 26, 2013 20:53 |
|
OK so apparently what the OP is referring to is something that occurred in June 2011.
|
| # ? Feb 26, 2013 20:55 |
|
I don't know what you guys are talking about. The OP's entire post makes a lot of sense to me. As a post-grad in the computer science department of a major research institute I was tasked recently with conducting heuristic analyses of several password button pressing click, click, clicky ding dong poop.
|
| # ? Feb 26, 2013 20:58 |
|
Thanks for copy and pasting from that article you linked OP. Sure saved me time! Thanks Marc!
|
| # ? Feb 26, 2013 20:59 |
|
treiz01 posted:
For my workplace's staff learning service (it's a thing we all have to do once every few weeks keeping us up to date on our knowledge of banking and insurance regulations), the requirements are at least one lower case character, at least one upper case character, at least one number, at least one non-alphanumeric character, and the password in question must be between eight and ten characters. Oh, and you have to change it every 60 days. Don't write the password down! All this for a system on our company's intranet that presents training modules that teach us published public domain government regulations.
|
| # ? Feb 26, 2013 21:03 |
|
I'll throw out a plug for 1Password. It's a little pricey, but by far the best password manager I've ever used. I switched to it a while back after the whole PSN hack and I haven't looked back.
|
| # ? Feb 26, 2013 21:04 |
|
I am confused and afraid. Only having one email address and using the same password for everything might not be the best idea, but I live with it. Does this mean someone else can post as me here? Might be interesting...
|
| # ? Feb 26, 2013 21:04 |
|
Thanks for letting us know about this list of passwords that was published two years ago, OP! You're truly providing a valuable service keeping us up to date on these things!
Vatek fucked around with this message at Feb 26, 2013 around 21:08 |
| # ? Feb 26, 2013 21:05 |
|
The cover article for Wired recently was about ~the death of the password~ and how the writer had his password hacked. On the cover, it had a bunch of passwords that had been released (it might have been this list, actually) and the writer's password was highlighted in red--which happened to be one of those XKCD-style strings of words. So I guess don't put too much confidence in that particular technique. Instead, you should really rely on a different randomly-generated 26-character string for each login you have, changed every month.
|
| # ? Feb 26, 2013 21:10 |
|
For anything important I just use a long phrase that is easy for me to remember but slightly insane in general and I never had a problem.
|
| # ? Feb 26, 2013 21:11 |
|
AtomikKrab posted:For anything important I just use a long phrase that is easy for me to remember but slightly insane in general and I never had a problem. Same, but I also mix in words from three different languages. Don't know how much of a difference that makes, but the logons I use it for have never been compromised. And the OP's post makes sense outside of that random enhanced license rant at the end.
|
| # ? Feb 26, 2013 21:17 |
|
I guess this is a good thread to ask in. I was goofing off with oclHashcat the other day on my own computer and I used it to brute force my 8 character alphanumeric windows logon password in 45 minutes. That's at 1.5 billion checks per second. If you add an extra character the time it takes to crack jumps up to 7 hours. Add in a single uppercase letter and it jumps to like 7 days. I'm just going off of memory so that probably isn't exact. The example weak password in the xkcd comic is more than 8 characters, contains upper case, lower case, numbers and a special character, yet it would only take 3 days to brute force at 1000 checks per second? Go here, http://howsecureismypassword.net/, enter Tr0ub4dor&3 and you will see it takes 44 years at 4 billion checks per second. Who's right and who's wrong?
|
| # ? Feb 26, 2013 21:18 |
|
treiz01 posted:
What is the "bits of entropy" he's talking about there and why do parts of a password with no caps or special characters have more of them than those that do?
|
| # ? Feb 26, 2013 21:22 |
|
I use obscene and violent phrases as mnemonics. 2FuMw1S!! "To gently caress your mom with a shovel!!" I have no problem remembering that for some reason.
|
| # ? Feb 26, 2013 21:22 |
|
Denim Dude posted:I guess this is a good thread to ask in. I was goofing off with oclHashcat the other day on my own computer and I used it to brute force my 8 character alphanumeric windows logon password in 45 minutes. That's at 1.5 billion checks per second. If you add an extra character the time it takes to crack jumps up to 7 hours. Add in a single uppercase letter and it jumps to like 7 days. I'm just going off of memory so that probably isn't exact. The example weak password in the xkcd comic is more than 8 characters, contains upper case, lower case, numbers and a special character, yet it would only take 3 days to brute force at 1000 checks per second? Why would anyone type their password into a site that claims to check the security of your password?
|
| # ? Feb 26, 2013 21:23 |
|
"Not at all, now you've entered it into some other website, you stupid bastard."
|
| # ? Feb 26, 2013 21:24 |
|
BAKA FLOCKA FLAME posted:OK so apparently what the OP is referring to is something that occurred in June 2011. Maybe he's just on really, really slow dialup. That would explain the descent into madness that is the second half of his post, somebody probably picked up the phone and some line noise got in there.
|
| # ? Feb 26, 2013 21:25 |
|
raditts posted:What is the "bits of entropy" he's talking about there and why do parts of a password with no caps or special characters have more of them than those that do? Without getting technical, every bit of entropy doubles the difficulty of guessing a password. Add a bit of entropy and you double the cracking time. 10 extra bits increases the cracking time by about a factor of 1000, 20 extra bits by a factor of a million. The answer to your other question is also complicated, but the short version is that adding caps and special characters to your password doesn't make it much harder to guess at all, if you put them in the same places everyone else puts them (and where they're easy to remember): a single capital letter at the beginning of the word, and then a number and/or a punctuation mark at the end. Changing A's to 4's and I's to 1's and O's to 0's in the word also isn't worth the effort. Ashenai fucked around with this message at Feb 26, 2013 around 21:31 |
| # ? Feb 26, 2013 21:29 |
|
Ars Technica has a really interesting article on the leaps and bounds that password cracking has made recently. With all of the large password dumps that have come out in the past few years crackers have created better and better algorithms for predicting how people make their passwords that can drastically cut down on cracking time. Add that on top of GPUs being super efficient at processing this kind of data and password cracking has grown considerably easier. V Exactly, most people put the capitals or numbers at the beginning or end of the password, so new cracking algorithms just start there, it decreases cracking time ridiculously.
|
| # ? Feb 26, 2013 21:29 |
|
Denim Dude posted:I guess this is a good thread to ask in. I was goofing off with oclHashcat the other day on my own computer and I used it to brute force my 8 character alphanumeric windows logon password in 45 minutes. That's at 1.5 billion checks per second. If you add an extra character the time it takes to crack jumps up to 7 hours. Add in a single uppercase letter and it jumps to like 7 days. I'm just going off of memory so that probably isn't exact. The example weak password in the xkcd comic is more than 8 characters, contains upper case, lower case, numbers and a special character, yet it would only take 3 days to brute force at 1000 checks per second? Every time someone mentions/uses that website I like to mess with them and tell them it records the passwords they put in and installs a tracker. I tell them I'm messing with them, sometimes after they change their password or run a few scans though. blackflare posted:Why would anyone type their password into a site that claims to check the security of your password? That one actually is secure believe it or not. More people should have that healthy skepticism though.
|
| # ? Feb 26, 2013 21:29 |
|
Woops, quote is not edit.
|
| # ? Feb 26, 2013 21:30 |
|
A good video on passwords from mozilla: http://www.wimp.com/strongpasswords/ I kind of do this but in my own way. You always use different passwords but it's still easy to remember them.
|
| # ? Feb 26, 2013 21:31 |
|
blackflare posted:Why would anyone type their password into a site that claims to check the security of your password? So don't enter your password into it. Type in a password with the same characteristics as the one you use. Or just type in the password from the xkcd comic? Wouldn't mind an answer to the original question.
|
| # ? Feb 26, 2013 21:34 |
|
Denim Dude posted:I guess this is a good thread to ask in. I was goofing off with oclHashcat the other day on my own computer and I used it to brute force my 8 character alphanumeric windows logon password in 45 minutes. That's at 1.5 billion checks per second. If you add an extra character the time it takes to crack jumps up to 7 hours. Add in a single uppercase letter and it jumps to like 7 days. I'm just going off of memory so that probably isn't exact. The example weak password in the xkcd comic is more than 8 characters, contains upper case, lower case, numbers and a special character, yet it would only take 3 days to brute force at 1000 checks per second? Guessing algorithms that aren't retarded aren't just based on length and possible characters. Guessing english words is easy, guessing common substitutions for their letters is also easy. Assuming there is a common symbol and 1-2 digit number at the end in any order is also easy. Combining the three does not make an effective password. Doing something that is truly random as far as the guessing algorithm knows is far more effective. Strings of random words aren't a bad start. Strings of random words in random languages would be even better. Strings of random medical terms in random languages combined with the chromosome locus of your favorite gene on your least favorite animal is pretty much ideal. Ideal would, for the record, be if you were the only one who had ever sequenced the particular animal's genome. And it was extinct. Or never existed. As far as any computer would know, that would be truly random, and also long. E: Good luck guessing my least favorite fake animal's genome SlimPickens fucked around with this message at Feb 26, 2013 around 21:39 |
| # ? Feb 26, 2013 21:35 |
|
Denim Dude posted:I guess this is a good thread to ask in. I was goofing off with oclHashcat the other day on my own computer and I used it to brute force my 8 character alphanumeric windows logon password in 45 minutes. That's at 1.5 billion checks per second. If you add an extra character the time it takes to crack jumps up to 7 hours. Add in a single uppercase letter and it jumps to like 7 days. I'm just going off of memory so that probably isn't exact. The example weak password in the xkcd comic is more than 8 characters, contains upper case, lower case, numbers and a special character, yet it would only take 3 days to brute force at 1000 checks per second? Apparently at about 165 characters your password would take infinity years to crack. The ultimate password
|
| # ? Feb 26, 2013 21:36 |
|
SlimPickens posted:Guessing algorithms that aren't retarded aren't just based on length and possible characters. Ok so basically, the cracker could figure that the vast majority of people only use a single capital letter at the beginning of the password. Numbers are usually attached at the end and so are special characters. I looked around oclHashcat for options to set it up so that it does that but maybe that is just a limitation of oclHashcat or maybe it's just an obscure option I don't see/they haven't officially added to the GUI. That makes sense, thanks for the answer.
|
| # ? Feb 26, 2013 21:40 |
|
raditts posted:What is the "bits of entropy" he's talking about there and why do parts of a password with no caps or special characters have more of them than those that do? My guess is that longer passwords, especially made of random words, are going to be longer to decrypt by an order of magnitude than a short password made of random variables. Even with the 26 variables of the English alphabet versus 128 variables of the full 7-bit ASCII alphabet, "correcthorsebatterystaple" is going to take 1.8x10^62 tries, over ten thousand times more complex than cracking "Tr0ub4d0r&3" (which takes 1x10^58).
|
| # ? Feb 26, 2013 21:40 |
|
The XKCD comic lists 1000 passwords generated per second in a brute-force attack. That might apply to, say, an encrypted file on a computer, but if it takes:
10ms to transmit (network latency)
5ms to check a password
10ms to send a response (network latency)
per password, that means you can really only check 40 passwords per second. Can you really hit a website with 1000 password/username combinations per second? I have a feeling there's something key (pardon the pun) that I'm missing here. In addition, wouldn't most competently programmed web services nowadays also lock out an account (with either a time delay or something that requires an administrator's action) after so many bad passwords are attempted?
|
| # ? Feb 26, 2013 21:46 |
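The latency arithmetic in the post above is the rate an online guesser is stuck with, and the lockout it asks about is the server-side control that caps it further. What follows is an added example written for this edit, not code from the thread or from any real login service: an in-memory per-account throttle that allows a few free failures, then refuses attempts for a delay that doubles with each further failure up to a cap, and clears on a successful login. The thresholds, the `attempt_login` helper and the constructed `USERS` table with its salt are assumptions of this example.

```python
"""Per-account login throttling (added example, not from the thread).

Counters live in an in-memory dict here; a real service keeps them in a
shared store and usually throttles by source address as well. The
thresholds below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

FREE_ATTEMPTS = 5        # failures allowed before any delay kicks in
BASE_DELAY_S = 2.0       # first delay; doubles with every further failure
MAX_DELAY_S = 15 * 60    # cap so the delay cannot grow without bound


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # clock time before which attempts are refused


class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can fake time
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def retry_after(self, user: str) -> float:
        """Seconds until the account accepts another attempt (0.0 if now)."""
        return max(0.0, self._state(user).locked_until - self.clock())

    def record_failure(self, user: str) -> None:
        st = self._state(user)
        st.failures += 1
        over = st.failures - FREE_ATTEMPTS
        if over > 0:
            delay = min(MAX_DELAY_S, BASE_DELAY_S * 2 ** (over - 1))
            st.locked_until = self.clock() + delay

    def record_success(self, user: str) -> None:
        self.accounts.pop(user, None)       # a good login clears the counter


# Constructed credential store for the example: PBKDF2 hashes with a salt.
_SALT = b"constructed-example-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": _hash("correct horse battery staple", _SALT)}
_DUMMY_HASH = _hash("not-a-real-password", _SALT)


def attempt_login(throttle: LoginThrottle, user: str, password: str) -> tuple[bool, float]:
    """Return (accepted, seconds until the next attempt will be considered)."""
    wait = throttle.retry_after(user)
    if wait > 0:
        return False, wait              # refused before the password is even checked
    # Always hash, even for unknown users, so response time does not reveal
    # which usernames exist; the trailing `user in USERS` stops the dummy
    # hash from ever counting as a match.
    stored = USERS.get(user, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password, _SALT)) and user in USERS
    if ok:
        throttle.record_success(user)
        return True, 0.0
    throttle.record_failure(user)
    return False, throttle.retry_after(user)
```

Keying the delay on the account rather than the client address is what makes a distributed guessing campaign against one account slow down; keying on the address as well is what protects the service from someone spraying one common password across many accounts. Returning the same `(False, wait)` shape for a wrong password and for an unknown user keeps the error from doubling as a username oracle.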
|
I dunno what's going on itt but a password safe program like KeePass et al is a convenient way to make sure no-one is going to access your accounts without physical access to your computer. At least it's better than using the same goddamn password on every site (you know who you are)
|
| # ? Feb 26, 2013 21:47 |
|
Denim Dude posted:I guess this is a good thread to ask in. I was goofing off with oclHashcat the other day on my own computer and I used it to brute force my 8 character alphanumeric windows logon password in 45 minutes. That's at 1.5 billion checks per second. If you add an extra character the time it takes to crack jumps up to 7 hours. Add in a single uppercase letter and it jumps to like 7 days. I'm just going off of memory so that probably isn't exact. The example weak password in the xkcd comic is more than 8 characters, contains upper case, lower case, numbers and a special character, yet it would only take 3 days to brute force at 1000 checks per second? raditts posted:What is the "bits of entropy" he's talking about there and why do parts of a password with no caps or special characters have more of them than those that do? I think what he's basically going off is the idea that most people have a word as their password. If you have to include a mix of upper and lower case characters, usually this will just mean that the password is probably just a word with a capital letter at the start. If you need to put a non-alphanumeric character in the password, it's probably going to be a word with a non-alphanumeric character at the end. And if there's a number in it, chances are that the password is a word with a number at the end, or it's a word in which an O has been replaced with a 0, an A has been replaced with a 4, or an E with a 3. So if you want to hack someone's password, and you know that the password contains upper case, lower case, numbers and punctuation, while a simple brute force of that sort of password seems like it should take forever, you can crack most humans' passwords using a slightly more complex dictionary attack. According to the comic a standard dictionary attack requires you to find the correct word in the dictionary, the correct word (in this case) being "troubador" which is encoded as 16 bits.
The password might be capitalised, so you can add another bit since it could be a "T" or a "t". If the password has A, E, I or O, some or all of these letters may be numbers; since troubador has three of those letters, that's another 3 bits of uncertainty. The password probably has a punctuation mark at the end, so you can add four bits to your hack attempt to account for all the valid password punctuation symbols. The password probably has a single digit at the end too, so add three bits (rounded down) to represent all the valid digits. Then add one more bit of uncertainty because you don't know which way round the digit and the punctuation mark will be. If you assume an 11 character password is any random combination of case-sensitive letters, numbers and characters it takes a long, long time to crack. But if you assume that any 11 character password is probably a capitalised 9 or 10 digit word with a number or punctuation mark at the end (or both) then the task of cracking it is much simpler, as long as your assumption is correct--which it probably will be. By comparison, a password that consists of four words is very long, so I suppose that it would be hard to do a brute force attack due to length, and hard to do a dictionary attack because you don't just need to check every word in the dictionary; to get this password you'd need to check every combination of four words in the dictionary, which I guess would be prohibitively difficult? Disclaimer, I have no loving clue if what the comic is saying is actually in any way correct, but that's what it seems to be saying.
|
| # ? Feb 26, 2013 21:47 |
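The bookkeeping in the posts above (Ashenai's "each extra bit doubles the work", the 28-bit versus 44-bit comparison walked through in the post just above, and Denim Dude's question about GPU timings versus the comic's 1000 guesses per second) can be checked with a few lines of arithmetic. The following is an added example written for this edit, not code from the thread, from xkcd or from hashcat. The 2048-word dictionary and the 1000 guesses/s rate are the comic's numbers, the 1.5 billion/s rate is the one quoted in the thread, and the per-component bit costs in `troubadour_pattern_bits` follow the breakdown given in the post above; the mask token sizes and the `mask_keyspace` helper are this example's own assumptions, added to show the same point from the cracker-configuration angle raised earlier in the thread.

```python
"""Back-of-the-envelope model of password guessing cost.

Added example, not code from the thread or from any tool it names.
It reproduces the "bits of entropy" bookkeeping from the xkcd comic the
thread discusses and converts bits into worst-case guessing time at a
given guess rate. Rates and dictionary size are the comic's and the
thread's numbers; everything else is an assumption of this example.
"""
import math

# hashcat-style mask tokens mapped to the size of each character class
# (33 printable ASCII symbols; 95 printable ASCII characters in total).
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def bits(choices: float) -> float:
    """Entropy in bits of one uniformly random choice among `choices`."""
    return math.log2(choices)


def naive_bits(length: int, alphabet_size: int) -> float:
    """Entropy a brute-forcer must cover if every position were uniform."""
    return length * bits(alphabet_size)


def mask_keyspace(mask: str) -> int:
    """Number of candidates matched by a mask such as '?u?l?l?l?l?l?d?s'."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    space = 1
    for tok in tokens:
        space *= CHARSET_SIZES[tok]
    return space


def troubadour_pattern_bits(word_bits: int = 16, vowel_substitutions: int = 3) -> int:
    """Bits an attacker must search for a 'Tr0ub4dor&3'-style password.

    Follows the breakdown in the thread: an uncommon base word (16 bits),
    one bit for capitalising the first letter, one bit per vowel that may
    or may not have become a digit, ~4 bits for the punctuation mark,
    ~3 bits for the trailing digit and one bit for the order of the two.
    """
    return word_bits + 1 + vowel_substitutions + 4 + 3 + 1   # 28 for the comic's case


def passphrase_bits(n_words: int, dictionary_size: int = 2048) -> float:
    """Bits of a passphrase whose words are drawn uniformly from a dictionary."""
    return n_words * bits(dictionary_size)                   # 4 words -> 44 bits


def seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a space of 2**entropy_bits candidates."""
    return 2 ** entropy_bits / guesses_per_second


def speedup_from_extra_bits(extra_bits: float) -> float:
    """Each extra bit doubles the search: 10 bits ~ x1000, 20 bits ~ x1e6."""
    return 2 ** extra_bits


if __name__ == "__main__":
    day, year = 86400, 365.25 * 86400
    # The comic's online rate: 1000 guesses per second.
    print("Tr0ub4dor&3 pattern:",
          round(seconds_to_crack(troubadour_pattern_bits(), 1000) / day, 1), "days")
    print("four random words:",
          round(seconds_to_crack(passphrase_bits(4), 1000) / year), "years")
    # The thread's offline GPU rate against an 8-character alphanumeric password.
    print("8 alphanumeric chars at 1.5e9/s:",
          round(seconds_to_crack(naive_bits(8, 36), 1.5e9) / 60, 1), "minutes")
    # Why composition rules buy little: 'Capital + 5 lowercase + digit + symbol'
    # is a tiny slice of the full 8-character printable-ASCII space.
    full, masked = 95 ** 8, mask_keyspace("?u?l?l?l?l?l?d?s")
    print("that mask is 1 in", full // masked, "of the full keyspace")
```

The two comic figures fall out directly: 2^28 guesses at 1000/s is about 3.1 days, 2^44 is about 557 years. The 8-character alphanumeric case at 1.5 billion/s comes to roughly 31 minutes, the same order as the 45 minutes remembered in the thread. The mask line is the point the later replies make about where people put their capitals and digits: an 8-character mask shaped like most human passwords is about 65,000 times smaller than the 95^8 space a pure brute force would have to cover, so the composition rule adds a few bits while the attacker's model removes far more. None of this models an online lockout; those rates only apply when the attacker holds the hash.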
|
Apparently the password I use would take 12 trillion years to crack.
|
| # ? Feb 26, 2013 21:51 |
|
|
Reveilled posted:Oh, and you have to change it every 60 days. Don't write the password down! I absolutely hate this poo poo, because it makes people use TERRIBLE passwords. When people are using multiple systems like this, they just end up using something retarded like Passw0rd01! and then just incrementing the number every time they have to change it. Great job, IT security: you're making your system less secure and giving people grief!
|
| # ? Feb 26, 2013 21:53 |