November 11, 2006 | Comments: (0)
MySpace Password Analysis
Analyzing 34,000 real passwords
A massive MySpace phishing attack allowed hackers to recover over 100,000 MySpace user logon names and passwords. Unfortunately, the hackers saved their stolen password lists to publicly accessible web locations. For over a day, anyone could download thousands of user names and passwords.
I downloaded over 2 GB of files, and after cleaning up the dupes and trash, recovered over 34,000 real passwords. While the malicious hacking event is unfortunate, it allowed me (and other researchers) to do password symbol distribution analysis on a large number of accounts from a wide population of users. Here are the interesting results:
• As expected, English vowels are by far the most frequently occurring password symbols (E=48%, A=46%, I=34%, O=33%).
• Several other letters were high ranking (R=35%, S=32%, N=31%, L=28%, T=25%, C=21%, and M=21%).
• As expected, the letters Q (1%), X (3%), and Z (3%) were not popular.
• Numbers were used in well over half the passwords. The number 1 appeared 45% of the time, followed by the numbers 2 (22%), 0 (16%), and 3 (15%). Numbers 4 to 9 each appeared in roughly 9-11%.
• As I've written many times, including in my last column, numbers are most often placed at the end of the password when used. For example, when the number 1 was used, it appeared as the first character only 7% of the time, and within the first four password characters only 15% of the time.
• The ! (exclamation point), at almost 3%, was the most commonly used non-alphanumeric character, followed by the . (period) at 1.6%.
• Almost 1% of the users had the word "password" as, or as part of, their password.
• Words, colors, years, names, sports, hobbies, and music groups were very popular.
• The color red was twice as likely as blue to be used.
• Sports names (e.g. golf, football, soccer, etc.) were as popular as professional sports teams and college team nicknames.
I'll have more details about the attack and more findings in my next weekly InfoWorld security column due out this coming Friday.
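The statistics above (share of passwords containing each symbol, where the digit 1 sits, the most common non-alphanumeric characters, how many passwords contain "password") can be reproduced on any plaintext list with a short script. The following is an added example written for this page, not the author's own tooling; the password list in it is a constructed sample, not the leaked MySpace data, and the one-password-per-line file format and the exact-duplicate removal in `load_passwords` are assumptions.

```python
"""Password symbol-distribution analysis, in the style of the post's findings.

Added example (not the author's tooling): given a list of plaintext
passwords it reports the share of passwords containing each symbol, where
a chosen digit tends to sit, the most common non-alphanumeric symbols, and
how many passwords contain a given word.
"""
from collections import Counter

# Constructed sample corpus for illustration only; NOT the leaked MySpace data.
SAMPLE_PASSWORDS = [
    "password1", "red123", "football", "Jessica1", "blue22", "soccer!",
    "golf2006", "1redsox", "hello.", "Tigers99", "zebra", "abc123!",
]


def symbol_incidence(passwords):
    """Share of passwords that contain each symbol at least once.

    Letters are folded to lower case and each symbol is counted once per
    password, so a value of 0.48 for 'e' means 48% of passwords use an 'e'
    (the way the post's percentages read), not that 48% of all characters
    are 'e'.
    """
    counts = Counter()
    for pw in passwords:
        counts.update(set(pw.lower()))
    n = len(passwords)
    return {sym: c / n for sym, c in counts.items()}


def ranked_letters(passwords):
    """Letters ordered from most to least common, as (letter, share) pairs."""
    inc = symbol_incidence(passwords)
    return sorted(((s, p) for s, p in inc.items() if s.isalpha()),
                  key=lambda item: (-item[1], item[0]))


def any_digit_incidence(passwords):
    """Share of passwords that contain at least one digit."""
    return sum(1 for pw in passwords if any(c.isdigit() for c in pw)) / len(passwords)


def digit_placement(passwords, digit="1", prefix_len=4):
    """Where `digit` sits, among the passwords that contain it.

    Returns (share with `digit` as the first character,
             share with `digit` somewhere in the first `prefix_len` characters).
    Both shares are relative to the passwords containing the digit, matching
    how the post reports the position of the digit 1.
    """
    having = [pw for pw in passwords if digit in pw]
    if not having:
        return 0.0, 0.0
    first = sum(1 for pw in having if pw[0] == digit)
    early = sum(1 for pw in having if digit in pw[:prefix_len])
    return first / len(having), early / len(having)


def non_alphanumeric_incidence(passwords):
    """Share of passwords using each non-alphanumeric symbol, most common first."""
    counts = Counter()
    for pw in passwords:
        counts.update(sym for sym in set(pw) if not sym.isalnum())
    n = len(passwords)
    return [(sym, c / n) for sym, c in counts.most_common()]


def word_incidence(passwords, word="password"):
    """Share of passwords that are, or contain, `word` (case-insensitive)."""
    word = word.lower()
    return sum(1 for pw in passwords if word in pw.lower()) / len(passwords)


def load_passwords(path):
    """Assumed input format: one password per line. Blank lines and exact
    duplicate strings are dropped, since duplicates skew every share below."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return list(dict.fromkeys(line.rstrip("\r\n") for line in fh if line.strip()))


if __name__ == "__main__":
    import sys
    pws = load_passwords(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PASSWORDS
    print(f"{len(pws)} passwords")
    print("top letters:", ", ".join(f"{s.upper()}={p:.0%}" for s, p in ranked_letters(pws)[:8]))
    print(f"with a digit: {any_digit_incidence(pws):.0%}")
    first, early = digit_placement(pws, "1")
    print(f"'1' as first char: {first:.0%}; within first 4 chars: {early:.0%}")
    print("non-alphanumeric:", ", ".join(f"{s}={p:.1%}" for s, p in non_alphanumeric_incidence(pws)[:5]))
    print(f"contains 'password': {word_incidence(pws):.1%}")
```

Run it with no arguments to see the sample figures, or pass a path to a one-per-line password file. Two caveats when comparing against published numbers: whether duplicates were removed first changes every percentage, and "share of passwords containing X" (what this script and the post report) is a different quantity from "share of all characters that are X".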
Posted by Roger Grimes on November 11, 2006 04:33 PM