Analysis of stolen passwords shows that people are idiots

[Ifreann]

http://www.google.com/hostednews/afp/article/ALeqM5jeUc6Bblnd0M19WVQWvjS6D2puvw

WASHINGTON (AFP) — Better think twice before choosing a password for emails, online bank accounts and airline tickets.

Passwords that show no imagination or distinctiveness are easy prey for information pirates, a new US study says.

A statistical analysis of 28,000 passwords recently stolen from a popular US website and posted on the Internet reveals that people often do the easy thing.

It found that 16 percent took a first name as a password, often their own or one of their children, according to the study published by Information Week.

Another 14 percent relied on the easiest keyboard combinations to remember such as "1234" or "12345678." For those using English keyboards, "QWERTY", was popular. Likewise, "AZERTY" scored with people with European keyboards.

Five percent of the stolen passwords were names of television shows or stars popular with young people like "hannah," inspired by singer Hannah Montana. "Pokemon," "Matrix," and "Ironman" were others.

The word "password," or easy to guess variations like "password1," accounted for four percent.

Three percent of the passwords expressed attitudes like "I don't care," "Whatever," "Yes" or "No."

There were sentimental choices -- "Iloveyou" -- and their opposite -- "Ihateyou."

Robert Graham, of the company Errata Security, which did the analysis and published the conclusions, advises that to better protect against cyber intrusions: "choose a password that is longer than eight characters with one capital letter and one symbol."

People use things like "Matrix" and "Ironman" as passwords? The stupid! It burns!

[Dyakovo]

http://www.google.com/hostednews/afp/article/ALeqM5jeUc6Bblnd0M19WVQWvjS6D2puvw

WASHINGTON (AFP) — Better think twice before choosing a password for emails, online bank accounts and airline tickets.

Passwords that show no imagination or distinctiveness are easy prey for information pirates, a new US study says.

A statistical analysis of 28,000 passwords recently stolen from a popular US website and posted on the Internet reveals that people often do the easy thing.

It found that 16 percent took a first name as a password, often their own or one of their children, according to the study published by Information Week.

Another 14 percent relied on the easiest keyboard combinations to remember such as "1234" or "12345678." For those using English keyboards, "QWERTY", was popular. Likewise, "AZERTY" scored with people with European keyboards.

Five percent of the stolen passwords were names of television shows or stars popular with young people like "hannah," inspired by singer Hannah Montana. "Pokemon," "Matrix," and "Ironman" were others.

The word "password," or easy to guess variations like "password1," accounted for four percent.

Three percent of the passwords expressed attitudes like "I don't care," "Whatever," "Yes" or "No."

There were sentimental choices -- "Iloveyou" -- and their opposite -- "Ihateyou."

Robert Graham, of the company Errata Security, which did the analysis and published the conclusions, advises that to better protect against cyber intrusions: "choose a password that is longer than eight characters with one capital letter and one symbol."

People use things like "Matrix" and "Ironman" as passwords? The stupid! It burns!

People also use "password" as a password...

[HC Eredivisie]

Likewise, "AZERTY" scored with people with European keyboards.

My keyboard is not european then?

[Ifreann]

http://www.google.com/hostednews/afp/article/ALeqM5jeUc6Bblnd0M19WVQWvjS6D2puvw

WASHINGTON (AFP) — Better think twice before choosing a password for emails, online bank accounts and airline tickets.

Passwords that show no imagination or distinctiveness are easy prey for information pirates, a new US study says.

A statistical analysis of 28,000 passwords recently stolen from a popular US website and posted on the Internet reveals that people often do the easy thing.

It found that 16 percent took a first name as a password, often their own or one of their children, according to the study published by Information Week.

Another 14 percent relied on the easiest keyboard combinations to remember such as "1234" or "12345678." For those using English keyboards, "QWERTY", was popular. Likewise, "AZERTY" scored with people with European keyboards.

Five percent of the stolen passwords were names of television shows or stars popular with young people like "hannah," inspired by singer Hannah Montana. "Pokemon," "Matrix," and "Ironman" were others.

The word "password," or easy to guess variations like "password1," accounted for four percent.

Three percent of the passwords expressed attitudes like "I don't care," "Whatever," "Yes" or "No."

There were sentimental choices -- "Iloveyou" -- and their opposite -- "Ihateyou."

Robert Graham, of the company Errata Security, which did the analysis and published the conclusions, advises that to better protect against cyber intrusions: "choose a password that is longer than eight characters with one capital letter and one symbol."

People use things like "Matrix" and "Ironman" as passwords? The stupid! It burns!

People also use "password" as a password...

I'll admit to once upon a time committing the dread sin of using my DOB as a password, but I've never used "password". Ugh.

[Ircania]

Likewise, "AZERTY" scored with people with European keyboards.

My keyboard is not european then?

My neither ... i am askiny myself actually which nation has azerty-keyboards... the french?

[United Russian State]

Well I am not an idiot. My passwords are all "Russia". No will ever figure it out!

[Western Dimoniquid]

-Changes password-
Haaa, no one will get my password.

[Antilon]

I use my local chinese menu to create passwords every 6 months or so for all my accounts (PC, email, NS, etc.)

EDIT: I use words like "friedrice" and "generaltsaochicken" and then mix up the order numbers.

[Bears Armed]

On the other paw, if you choose a password of the type that's commonly recommended as being the most secure -- a random string of numbers, letters, and possibly other characters -- then you'll find it difficult to remember correctly, and probably end up by writing it down somewhere which provides a security risk of its own anyway...

[Ifreann]

On the other paw, if you choose a password of the type that's commonly recommended as being the most secure -- a random string of numbers, letters, and possibly other characters -- then you'll find it difficult to remember correctly, and probably end up by writing it down somewhere which provides a security risk of its own anyway...

My idea for a decent compromise is a line from a book or song. Not your favourite, but one you remember. Breakable, but hard to guess, and easy to remember. Beats the fuck out of "password"

[Bottle]

I once needed to log into a friend's email for him, and asked him his password. He said, "It's the order of raid progression in vanilla WoW."

It shames me to remember that my reaction was, "That's stupid, you shouldn't pick something so obvious for your password."

[DaWoad]

On the other paw, if you choose a password of the type that's commonly recommended as being the most secure -- a random string of numbers, letters, and possibly other characters -- then you'll find it difficult to remember correctly, and probably end up by writing it down somewhere which provides a security risk of its own anyway...

If someone can get physical acess to your computer your in a serious amount of trouble anyway securitywise

[Bottle]

On the other paw, if you choose a password of the type that's commonly recommended as being the most secure -- a random string of numbers, letters, and possibly other characters -- then you'll find it difficult to remember correctly, and probably end up by writing it down somewhere which provides a security risk of its own anyway...

Seriously.

My workplace requires such passwords, and also requires that passwords be changed every month, with the result that absolutely everyone has their password on a Post-It in the top drawer of their desk.

[Kryozerkia]

My passwords are hard for anyone to guess because I tend to use transliterated words. In Latin characters, there are a number of ways to write out foreign words. It's all phonetics. Then for good measure, I throw in a number or two.

[Ifreann]

On the other paw, if you choose a password of the type that's commonly recommended as being the most secure -- a random string of numbers, letters, and possibly other characters -- then you'll find it difficult to remember correctly, and probably end up by writing it down somewhere which provides a security risk of its own anyway...

If someone can get physical acess to your computer your in a serious amount of trouble anyway securitywise

I have a strong password to keep my friends from changing my wallpaper to gay porn or donkey cocks. We've all gotten into the habit of switching to the log in screen whenever leaving out laptops unattended after several weeks of such things.

[DaWoad]

On the other paw, if you choose a password of the type that's commonly recommended as being the most secure -- a random string of numbers, letters, and possibly other characters -- then you'll find it difficult to remember correctly, and probably end up by writing it down somewhere which provides a security risk of its own anyway...

If someone can get physical acess to your computer your in a serious amount of trouble anyway securitywise

I have a strong password to keep my friends from changing my wallpaper to gay porn or donkey cocks. We've all gotten into the habit of switching to the log in screen whenever leaving out laptops unattended after several weeks of such things.

lol yah but a serious hacker (or even a semi-serious such as myself) can easily breakinto a computer as long as they can get pyhsical acess to it. i actually have an outdated CSIS program thats worked everytime iv tested it out

[Longhaul]

My idea for a decent compromise is a line from a book or song. Not your favourite, but one you remember. Breakable, but hard to guess, and easy to remember. Beats the fuck out of "password"

I went through a phase a few years back of using ridiculously long pass-strings, made by using the first letter of each word in a song. Since I seem to be able to remember song lyrics for years and years (I suspect that most people are able to do this), it was pretty effective.

I'll do it again, perhaps with a few letters swapped out for numbers, if I ever find myself required to come up with a long password for something.

[Ifreann]

If someone can get physical acess to your computer your in a serious amount of trouble anyway securitywise

I have a strong password to keep my friends from changing my wallpaper to gay porn or donkey cocks. We've all gotten into the habit of switching to the log in screen whenever leaving out laptops unattended after several weeks of such things.

lol yah but a serious hacker (or even a semi-serious such as myself) can easily breakinto a computer as long as they can get pyhsical acess to it. i actually have an outdated CSIS program thats worked everytime iv tested it out

I'm sure. But if a serious and malicious hacker had unattended physical access to my laptop I'd be more worried about him stealing the fucking thing, not putting cocks on my desktop.

---

My idea for a decent compromise is a line from a book or song. Not your favourite, but one you remember. Breakable, but hard to guess, and easy to remember. Beats the fuck out of "password"

I went through a phase a few years back of using ridiculously long pass-strings, made by using the first letter of each word in a song. Since I seem to be able to remember song lyrics for years and years (I suspect that most people are able to do this), it was pretty effective.

I'll do it again, perhaps with a few letters swapped out for numbers, if I ever find myself required to come up with a long password for something.

That's a good idea, actually.

[BunnySaurus Bugsii]

However hard people try, they cannot choose passwords which are both memorable (to them) and unpredictable to others. True random is not something humans do well.

The only way to choose a strong password is to choose something you can't remember. So you have to write it down (mine are written in pencil on my keyboard.)

I invite other posters to try to guess my NSG password. I remember it, it's not that strong. Have a punt.

[DaWoad]

I'm sure. But if a serious and malicious hacker had unattended physical access to my laptop I'd be more worried about him stealing the fucking thing, not putting cocks on my desktop.

lol now thats a very good point

[Sierpinskistan]

I specialized in computer security in college while studying network administration, but the best advice on passwords I ever got was from my dad. He advised me to think of a phrase and use the first letter from each word as the password. For example, "To be or not to be" would be "Tbontb". It's easy to remember, hard to guess, and not a dictionary word.

[DaWoad]

I specialized in computer security in college while studying network administration, but the best advice on passwords I ever got was from my dad. He advised me to think of a phrase and use the first letter from each word as the password. For example, "To be or not to be" would be "Tbontb". It's easy to remember, hard to guess, and not a dictionary word.

(nor a variation of a dictionary word which makes it even better. Adding punctuation is a good thing tho.

[The Urch]

I personally prefer to use VMS and Commodore commands (shit now I have just dated myself)

[Dyakovo]

(shit now I have just dated myself)

Did you put out?
Wait, you didn't mean it that way, did you?

never mind...

[Longhaul]

However hard people try, they cannot choose passwords which are both memorable (to them) and unpredictable to others. True random is not something humans do well.

I disagree (not about the humans being bad at true randomness bit... I'm with you there), but because I believe that It is possible to create and remember strong passwords without writing them down.

For an example using the song lyrics method that I mentioned above, consider the pass-string p4m21m_14m0w4T. It's strong, and unpredictable. Even if the song was known**, capitalising the last character and using an underscore adds to its strength.



(**it's Sympathy For The Devil, for those who were wondering.)