[ISN] MySpace Passwords Aren't So Dumb

From: InfoSec News (alerts@private)
Date: Thu Dec 14 2006 - 22:42:00 PST


http://www.wired.com/news/columns/0,72300-0.html

By Bruce Schneier
Dec. 14, 2006

How good are the passwords people are choosing to protect their 
computers and online accounts?

It's a hard question to answer because data is scarce. But recently, a 
colleague sent me some spoils from a MySpace phishing attack: 34,000 
actual user names and passwords.

The attack was pretty basic. The attackers created a fake MySpace login 
page, and collected login information when users thought they were 
accessing their own account on the site. The data was forwarded to 
various compromised web servers, where the attackers would harvest it 
later.

MySpace estimates that more than 100,000 people fell for the attack 
before it was shut down. The data I have is from two different 
collection points, and was cleaned of the small percentage of people who 
realized they were responding to a phishing attack. I analyzed the data, 
and this is what I learned.

Password Length: While 65 percent of passwords contain eight characters 
or less, 17 percent are made up of six characters or less. The average 
password is eight characters long.

Specifically, the length distribution looks like this:

1-4	0.82 percent
5	1.1 percent
6	15 percent
7	23 percent
8	25 percent
9	17 percent
10	13 percent
11	2.7 percent
12	0.93 percent
13-32	0.93 percent

Yes, there's a 32-character password: 
"1ancheste23nite41ancheste23nite4." Other long passwords are 
"fool2thinkfool2thinkol2think" and "dokitty17darling7g7darling7."

Character Mix: While 81 percent of passwords are alphanumeric, 28 
percent are just lowercase letters plus a single final digit -- and 
two-thirds of those have the single digit 1. Only 3.8 percent of 
passwords are a single dictionary word, and another 12 percent are a 
single dictionary word plus a final digit -- once again, two-thirds of 
the time that digit is 1.

numbers only	1.3 percent
letters only	9.6 percent
alphanumeric	81 percent
non-alphanumeric	8.3 percent

Only 0.34 percent of users have the user name portion of their e-mail 
address as their password.

Common Passwords: The top 20 passwords are (in order):

password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 
123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, 
princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey. 
(Different analysis here.)

The most common password, "password1," was used in 0.22 percent of all 
accounts. The frequency drops off pretty fast after that: "abc123" and 
"myspace1" were only used in 0.11 percent of all accounts, "soccer" in 
0.04 percent and "monkey" in 0.02 percent.
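The statistics above (length buckets, character mix, the "lowercase letters plus one trailing digit" pattern, single dictionary words, and the top-N frequencies) are simple to reproduce on any leaked credential set you are asked to assess. The following is an added example, not code from the column or from Wired; the password sample and the toy wordlist in it are constructed for illustration, so the percentages it prints are not the MySpace figures.

```python
# Added example (not the column's own code): reproduce the kinds of
# statistics the column reports on a small constructed password sample.
# The sample and the toy wordlist are made up; the numbers they produce
# are illustrative, not the MySpace figures.
from collections import Counter

# Constructed sample; nothing here is taken from the phished data set.
SAMPLE_PASSWORDS = (
    ["password1"] * 3 + ["abc123"] * 2 + ["myspace1"] * 2 + [
        "password", "blink182", "qwerty1", "123456", "soccer", "monkey1",
        "jordan23", "Tr0ub4dor&3", "iloveyou1", "football1", "letmein",
        "dragon", "baseball1", "monkey", "abc", "12345678", "p@ssw0rd",
        "fool2thinkfool2thinkol2think",
    ]
)

# Toy stand-in for the small dictionary a cracker would try first.
TOY_WORDLIST = {"password", "soccer", "monkey", "dragon", "football",
                "baseball", "iloveyou"}

# The length buckets the column's table uses.
LENGTH_BUCKETS = [("1-4", 1, 4), ("5", 5, 5), ("6", 6, 6), ("7", 7, 7),
                  ("8", 8, 8), ("9", 9, 9), ("10", 10, 10), ("11", 11, 11),
                  ("12", 12, 12), ("13-32", 13, 32)]

CLASSES = ("numbers only", "letters only", "alphanumeric", "non-alphanumeric")


def pct(part, whole):
    """Percentage rounded to two decimals; 0 when the base is empty."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def length_distribution(passwords):
    """Share of passwords falling in each length bucket."""
    counts = Counter()
    for pw in passwords:
        for label, lo, hi in LENGTH_BUCKETS:
            if lo <= len(pw) <= hi:
                counts[label] += 1
                break
    return {label: pct(counts[label], len(passwords))
            for label, _, _ in LENGTH_BUCKETS}


def character_class(pw):
    """Classify one password into the column's four character-mix classes."""
    if pw.isdigit():
        return "numbers only"
    if pw.isalpha():
        return "letters only"
    if pw.isalnum():
        return "alphanumeric"
    return "non-alphanumeric"


def character_mix(passwords):
    """Share of passwords in each character-mix class."""
    counts = Counter(character_class(pw) for pw in passwords)
    return {cls: pct(counts[cls], len(passwords)) for cls in CLASSES}


def lowercase_plus_one_digit(passwords):
    """(share that are lowercase letters + exactly one trailing digit,
    share of those whose trailing digit is 1)."""
    hits = [pw for pw in passwords
            if len(pw) >= 2 and pw[:-1].isalpha() and pw[:-1].islower()
            and pw[-1].isdigit()]
    ones = sum(1 for pw in hits if pw[-1] == "1")
    return pct(len(hits), len(passwords)), pct(ones, len(hits))


def dictionary_word_stats(passwords, wordlist):
    """(share that are a single wordlist entry,
    share that are a wordlist entry plus one trailing digit)."""
    plain = sum(1 for pw in passwords if pw.lower() in wordlist)
    plus_digit = sum(1 for pw in passwords
                     if pw[-1:].isdigit() and pw[:-1].lower() in wordlist)
    return pct(plain, len(passwords)), pct(plus_digit, len(passwords))


def top_passwords(passwords, n=5):
    """Most frequent passwords with their share of all accounts."""
    return [(pw, pct(c, len(passwords)))
            for pw, c in Counter(passwords).most_common(n)]


if __name__ == "__main__":
    print("length:", length_distribution(SAMPLE_PASSWORDS))
    print("mix:", character_mix(SAMPLE_PASSWORDS))
    print("lowercase+1 digit:", lowercase_plus_one_digit(SAMPLE_PASSWORDS))
    print("dictionary:", dictionary_word_stats(SAMPLE_PASSWORDS, TOY_WORDLIST))
    print("top:", top_passwords(SAMPLE_PASSWORDS, 3))
```

Two caveats when running this on real data: `str.isalpha()` and `str.isdigit()` accept non-ASCII letters and digits, so a set that contains Unicode passwords needs an explicit ASCII check if you want to match the column's classes exactly, and the dictionary figures depend entirely on which wordlist you use, so state it alongside the percentages.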

For those who don't know, Blink 182 is a band. Presumably lots of people 
use the band's name because it has numbers in its name, and therefore it 
seems like a good password. The band Slipknot doesn't have any numbers 
in its name, which explains the 1. The password "jordan23" refers to 
basketball player Michael Jordan and his number. And, of course, 
"myspace" and "myspace1" are easy-to-remember passwords for a MySpace 
account. I don't know what the deal is with monkeys.

We used to quip that "password" is the most common password. Now it's 
"password1." Who said users haven't learned anything about security?

But seriously, passwords are getting better. I'm impressed that less 
than 4 percent were dictionary words and that the great majority were at 
least alphanumeric. Writing in 1989, Daniel Klein was able to crack 
(.gz) 24 percent of his sample passwords with a small dictionary of just 
63,000 words, and found that the average password was 6.4 characters 
long.

And in 1992 Gene Spafford cracked (.pdf) 20 percent of passwords with 
his dictionary, and found an average password length of 6.8 characters. 
(Both studied Unix passwords, with a maximum length at the time of 8 
characters.) And they both reported a much greater percentage of all 
lowercase, and only upper- and lowercase, passwords than emerged in the 
MySpace data. The concept of choosing good passwords is getting through, 
at least a little.

On the other hand, the MySpace demographic is pretty young. Another 
password study (.pdf) in November looked at 200 corporate employee 
passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent 
with non-alphanumeric characters, and a 7.8-character average length. 
Better than 15 years ago, but not as good as MySpace users. Kids really 
are the future.

None of this changes the reality that passwords have outlived their 
usefulness as a serious security device. Over the years, password 
crackers have been getting faster and faster. Current commercial 
products can test tens -- even hundreds -- of millions of passwords per 
second. At the same time, there's a maximum complexity to the passwords 
average people are willing to memorize (.pdf). Those lines crossed years 
ago, and typical real-world passwords are now software-guessable. 
AccessData's Password Recovery Toolkit would have been able to crack 23 
percent of the MySpace passwords in 30 minutes, 55 percent in 8 hours.
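The "lines crossed" claim comes down to arithmetic: at the guess rates quoted above, how long does exhausting a keyspace take, and how much smaller is the effective keyspace when a password follows the word-plus-one-digit pattern the data shows? The following is an added example, not the column's code; it assumes a round rate of 100 million guesses per second (within the range the column gives) and reuses the 63,000-word dictionary size the column attributes to Klein. It goes slightly beyond the column by tabulating several alphabets and by computing the length a policy would need for a chosen target time.

```python
# Added example (not the column's own code): the arithmetic behind
# "those lines crossed years ago". It compares the time an offline
# attack needs to exhaust a keyspace against the time it needs for the
# patterns the column found (word + one digit). The guess rate is an
# assumed round number in the range the column quotes; the 63,000-word
# dictionary size is the one the column attributes to Klein.

ALPHABET_SIZES = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length and alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case: every password of this shape has been tried."""
    return keyspace(alphabet_size, length) / guesses_per_second


def pattern_guesses(wordlist_size, trailing_digits):
    """Guesses needed to cover 'dictionary word + N trailing digits'."""
    return wordlist_size * 10 ** trailing_digits


def length_for_target(alphabet_size, guesses_per_second, target_seconds):
    """Smallest length whose full keyspace takes at least target_seconds."""
    length = 1
    while seconds_to_exhaust(alphabet_size, length, guesses_per_second) < target_seconds:
        length += 1
    return length


def describe(seconds):
    """Human-readable duration for the printed summary."""
    if seconds < 60:
        return f"{seconds:.3f} s"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    rate = 1e8  # assumed: 100 million guesses/s, inside the column's range
    for name, size in ALPHABET_SIZES.items():
        print(f"8 chars, {name:18s}: {describe(seconds_to_exhaust(size, 8, rate))}")
    # A 9-character 'baseball1' looks like a 36^9 search but is really
    # one of wordlist_size * 10 guesses when the attacker tries the pattern.
    print("36^9 exhaustive:", describe(seconds_to_exhaust(36, 9, rate)))
    print("word + 1 digit  :", describe(pattern_guesses(63000, 1) / rate))
    print("lowercase length for a one-year exhaustive search:",
          length_for_target(26, rate, SECONDS_PER_YEAR))
```

The useful comparison is the last two printed lines: the exhaustive search over nine alphanumeric characters runs to days, while the pattern search that actually finds "baseball1" finishes in a fraction of a second, which is why length alone is a poor proxy for strength.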

Of course, this analysis assumes that the attacker can get his hands on 
the encrypted password file and work on it offline, at his leisure; 
i.e., that the same password was used to encrypt an e-mail, file or hard 
drive. Passwords can still work if you can prevent offline 
password-guessing attacks, and watch for online guessing. They're also 
fine in low-value security situations, or if you choose really 
complicated passwords and use something like Password Safe to store 
them. But otherwise, security by password alone is pretty risky.

-=-

Bruce Schneier is the CTO of BT Counterpane and the author of Beyond 
Fear: Thinking Sensibly About Security in an Uncertain World. You can 
contact him through his website.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Dec 14 2006 - 22:54:05 PST