Observations, musings and conjecture about the world of software and technology

A brief Sony password analysis

So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts wasn’t bad enough, numerous other security breaches in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com.

As bad guys often like to do, the culprits quickly stood up and put their handiwork on show. This time around it was a group going by the name of LulzSec. Here’s the interesting bit:

Sony stored over 1,000,000 passwords of its customers in plaintext

Well actually, the really interesting bit is that they created a torrent of some of the breached accounts so that anyone could go and grab a copy. Ouch. Remember these are innocent customers’ usernames and passwords so we’re talking pretty serious data here. There’s no need to delve into everything Sony did wrong here; that’s both mostly obvious and not the objective of this post.

I thought it would be interesting to take a look at password practices from a real data source. I spend a bit of time writing about how people and software manage passwords and often talk about things like entropy and reuse, but are these really discussion worthy topics? I mean do people generally get passwords right anyway and regularly use long, random, unique strings? We’ve got the data – let’s find out.

What’s in the torrent

The Sony Pictures torrent contains a number of text files with breached information and a few instructions:

Sony password torrent contents

The interesting bits are in the “Sony Pictures” folder and in particular, three files with a whole bunch of accounts in them:

Files containing usernames and passwords

After a little bit of cleansing, de-duping and an import into SQL Server for analysis, we end up with a total of 37,608 accounts. The LulzSec post earlier on did mention this was only a subset of the million they managed to obtain but it should be sufficient for our purposes here today.

Analysis

Here’s what I’m really interested in:

  1. Length
  2. Variety of character types
  3. Randomness
  4. Uniqueness

These are pretty well accepted measures for password entropy and the more you have of each, the better. Preferably heaps of all of them.

Length

Firstly there’s length; the accepted principle is that as length increases, so does entropy. Longer password = stronger password (all other things being equal). How long is long enough? Well, part of the problem is that there’s no consensus and you end up with all sorts of opinions on the subject. Considering the usability versus security balance, around eight characters plus is a pretty generally accepted yardstick. Let’s see the Sony breakdown:

Spread of password lengths

We end up with 93% of accounts being between 6 and 10 characters long which is pretty predictable. Bang on 50% of these are less than eight characters. It’s interesting that seven character long passwords are a bit of an outlier – odd number discrimination, perhaps?

I ended up grouping the instances of 20 or more characters together – there are literally only a small handful of them. In fact there’s really only a handful from the teens onwards, so what we’d consider a relatively secure length really just doesn’t feature.

Character types

Length only gives us so much; what’s really important is the diversity within that length. Let’s take a look at character types and we’ll categorise them as follows:

  1. Numbers
  2. Uppercase
  3. Lowercase
  4. Everything else

Again, we’ve got this issue of usability and security to consider but good practice would normally be considered as having three or more character types. Let’s see what we’ve got:

Spread of character types

Or put another way, only 4% of passwords had three or more character types. But it’s the spread of character types which is also interesting, particularly when only a single type is used:

Character type exclusivity

In short, half of the passwords had only one character type and nine out of ten of those were all lowercase. But the really startling bit is the use of non-alphanumeric characters:

Alphanumeric characters

Yep, less than 1% of passwords contained a non-alphanumeric character. Interestingly, this also reconciles with the analysis done on the Gawker database a little while back.
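To make the length and character type measures above concrete, here is an added Python example (not the post’s own SQL Server analysis) that buckets lengths the way the post’s chart does (20+ grouped together), classifies each password into the four character types, and reports the single-type exclusivity split and the share with a non-alphanumeric character. The passwords in `SAMPLE_PASSWORDS` are constructed for illustration; they are not records from the dump.

```python
"""Password length and character-type breakdown.

Added example, not the original post's analysis. SAMPLE_PASSWORDS is a
constructed list for illustration, not data from the breach.
"""
from collections import Counter
import string

# Constructed sample; not real breached credentials.
SAMPLE_PASSWORDS = [
    "seinfeld", "password", "123456", "Summer2011", "1qazZAQ!",
    "dallascowboys", "purple", "abc123", "P@ssw0rd", "9452",
    "tigger", "cookie", "averyverylongpassphrase",
]


def length_bucket(pw: str) -> str:
    """Bucket lengths like the post's chart: 20 or more grouped as '20+'."""
    n = len(pw)
    return "20+" if n >= 20 else str(n)


def length_distribution(passwords):
    """Number of passwords per length bucket."""
    return Counter(length_bucket(pw) for pw in passwords)


def char_types(pw: str) -> frozenset:
    """Classify characters into the post's four categories."""
    types = set()
    for ch in pw:
        if ch.isdigit():
            types.add("number")
        elif ch in string.ascii_uppercase:
            types.add("upper")
        elif ch in string.ascii_lowercase:
            types.add("lower")
        else:
            types.add("other")  # anything non-alphanumeric
    return frozenset(types)


def type_count_distribution(passwords):
    """How many passwords use 1, 2, 3 or 4 distinct character types."""
    return Counter(len(char_types(pw)) for pw in passwords)


def exclusivity(passwords):
    """Among single-type passwords, which type is used."""
    single = [char_types(pw) for pw in passwords if len(char_types(pw)) == 1]
    return Counter(next(iter(t)) for t in single)


def summary(passwords):
    """Headline percentages matching the post's measures."""
    total = len(passwords)
    under_eight = sum(1 for pw in passwords if len(pw) < 8)
    three_plus = sum(1 for pw in passwords if len(char_types(pw)) >= 3)
    non_alnum = sum(1 for pw in passwords if "other" in char_types(pw))
    return {
        "total": total,
        "pct_under_eight": round(100 * under_eight / total, 1),
        "pct_three_plus_types": round(100 * three_plus / total, 1),
        "pct_non_alnum": round(100 * non_alnum / total, 1),
    }


if __name__ == "__main__":
    print("lengths:", dict(sorted(length_distribution(SAMPLE_PASSWORDS).items())))
    print("types used:", dict(type_count_distribution(SAMPLE_PASSWORDS)))
    print("single-type split:", dict(exclusivity(SAMPLE_PASSWORDS)))
    print("summary:", summary(SAMPLE_PASSWORDS))
```

Pointing the same functions at a real export (one password per line) reproduces the three charts in this section; the `other` category is deliberately a catch-all so that spaces and non-ASCII characters count as a fourth type rather than being silently dropped.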

Randomness

So how about randomness? Well, one way to look at this is how many of the passwords are identical. The top 25 were:

seinfeld, password, winner, 123456, purple, sweeps, contest, princess, maggie, 9452, peanut, shadow, ginger, michael, buster, sunshine, tigger, cookie, george, summer, taylor, bosco, abc123, ashley, bailey

Many of the usual culprits are in there; “password”, “123456” and “abc123”. We saw all these back in the top 25 from the Gawker breach. We also see lots of passwords related to the fact this database was apparently related to a competition: “winner”, “sweeps” and “contest”. A few of these look very specific (9452, for example), but there may have been context to this in the signup process which led multiple people to choose the same password.

However in the grand scheme of things, there weren’t a whole lot of instances of multiple people choosing the same password, in fact the 25 above boiled down to only 2.5%. Furthermore, 80% of passwords actually only occurred once so whilst poor password entropy is looking rampant, most people are making these poor choices independently and achieving different results.

Another way of assessing the randomness is to compare the passwords to a password dictionary. Now this doesn’t necessarily mean an English dictionary in the way we know it, rather it’s a collection of words which may be used as passwords so you’ll get things like obfuscated characters and letter / number combinations. I’ll use this one which has about 1.7 million entries. Let’s see how many of the Sony passwords are in there:

Prevalence of password in dictionaries

So more than one third of passwords conform to a relatively predictable pattern. That’s not to say they’re not long enough or don’t contain sufficient character types; in fact the passwords “1qazZAQ!” and “dallascowboys” were both matched, so you’ve got four character types (even with a special character) and then a 13 character long password respectively. The thing is that they’re simply not random – they’ve obviously made appearances in password databases before.

Uniqueness

This is the one that gets really interesting as it asks the question “are people creating unique passwords across multiple accounts?” The thing about this latest Sony exploit is that it included data from multiple apparently independent locations within the organisation and as we saw earlier on, the dump LulzSec provided consists of several different data sources.

Of particular interest in those data sources are the “Beauty” and “Delboca” files as they contain almost all the accounts with a pretty even split between them. They also contain well over 2,000 accounts with the same email address, i.e. someone has registered on both databases.

So how rampant is password reuse between these two systems? Let’s take a look:

Password reuse

92% of passwords were reused across both systems. That’s a pretty damning indictment of the whole “unique password” mantra. Is the situation really this bad? Or are the figures skewed by folks perhaps thinking “Sony is Sony” and being a little relaxed with their reuse?

Let’s make it really interesting and compare accounts against Gawker. The internet being what it is, there will always be the full Gawker database floating around out there and a quick Google search easily discovers live torrents. Gnosis (the group behind the Gawker breach) was a bit more generous than LulzSec and provided over 188,000 accounts for us to take a look at.

Although there were only 88 email addresses found in common with Sony (I had thought it might be a bit higher but then again, they’re pretty independent fields), the results are still very interesting:

Password reuse across Sony and Gawker

Two thirds of people with accounts at both Sony and Gawker reused their passwords. Now I’m not sure how much crossover there was timeframe wise in terms of when the Gawker accounts were created versus when the Sony ones were. It’s quite possible the Sony accounts came after the Gawker breach (remember this was six months ago now), and people got a little wise to the non-unique risk. But whichever way you look at it, there’s an awful lot of reuse going on here.

What really strikes me in this case is that between these two systems we have a couple of hundred thousand email addresses, usernames (the Gawker dump included these) and passwords. Based on the finding above, there’s a statistically good chance that the majority of them will work with other websites. How many Gmail or eBay or Facebook accounts are we holding the keys to here? And of course “we” is a bit misleading because anyone can grab these off the net right now. Scary stuff.
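The Randomness and Uniqueness sections above come down to three counts: how often the same password repeats within one system, how many passwords appear in a password dictionary, and, for email addresses present in two systems (Beauty versus Delboca, or Sony versus Gawker), how often the password is the same in both. Here is an added Python example, not the post’s own analysis, that computes all three. The `BEAUTY` and `DELBOCA` records and the `DICTIONARY` set are constructed stand-ins for the real files and the 1.7 million entry dictionary; `reuse_between` is generic, so the same call serves the Sony-versus-Gawker comparison.

```python
"""Duplicate passwords, dictionary hits and cross-system reuse.

Added example, not the original post's analysis. All records and the
dictionary are constructed; none are real breached accounts.
"""
from collections import Counter

# Constructed (email, password) records, one list per system.
BEAUTY = [
    ("alice@example.com", "seinfeld"),
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "123456"),
    ("dave@example.com", "maggie"),
    ("erin@example.com", "seinfeld"),
]
DELBOCA = [
    ("alice@example.com", "seinfeld"),     # same as in BEAUTY: reused
    ("bob@example.com", "correct horse"),  # different: not reused
    ("carol@example.com", "123456"),       # reused
    ("frank@example.com", "winner"),       # only registered here
]
# Constructed stand-in for the password dictionary the post matches against.
DICTIONARY = {"seinfeld", "password", "123456", "winner", "maggie", "1qazzaq!"}


def top_passwords(records, n=3):
    """Most common passwords and the share of accounts they cover."""
    counts = Counter(pw for _, pw in records)
    top = counts.most_common(n)
    covered = sum(c for _, c in top)
    return top, round(100 * covered / len(records), 1)


def singleton_share(records):
    """Share of accounts whose password occurs only once in the system."""
    counts = Counter(pw for _, pw in records)
    once = sum(c for c in counts.values() if c == 1)
    return round(100 * once / len(records), 1)


def dictionary_hits(records, dictionary):
    """Accounts whose password (case-folded) is in the dictionary."""
    hits = [pw for _, pw in records if pw.lower() in dictionary]
    return len(hits), round(100 * len(hits) / len(records), 1)


def reuse_between(system_a, system_b):
    """Emails present in both systems, how many reused the same password,
    and the reuse percentage. A duplicate email within one system keeps
    the last record seen; acceptable for this constructed data."""
    a = dict(system_a)
    b = dict(system_b)
    shared = a.keys() & b.keys()
    reused = sum(1 for email in shared if a[email] == b[email])
    pct = round(100 * reused / len(shared), 1) if shared else 0.0
    return len(shared), reused, pct


if __name__ == "__main__":
    print("top passwords:", top_passwords(BEAUTY))
    print("singleton share:", singleton_share(BEAUTY))
    print("dictionary hits:", dictionary_hits(BEAUTY, DICTIONARY))
    print("reuse Beauty vs Delboca:", reuse_between(BEAUTY, DELBOCA))
```

Dictionary matching is done case-folded because most password dictionaries are stored in lowercase; if yours preserves case, drop the `.lower()` so that a case-only variant is not counted as a hit.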

Putting it in an exploit context

When an entire database is compromised and all the passwords are just sitting there in plain text, the only thing saving customers of the service is their password uniqueness. Forget about rainbow tables and brute force – we’ll come back to that – the one thing which stops the problem becoming any worse for them is that it’s the only place those credentials appear. Of course we know that both from the findings above and many other online examples, password reuse is the norm rather than the exception.

But what if the passwords in the database were hashed? Not even salted, just hashed? How vulnerable would the passwords have been to a garden variety rainbow attack? It’s pretty easy to get your hands on a rainbow table of hashed passwords containing between one and nine lowercase and numeric characters (RainbowCrack is a good place to start), so how many of the Sony passwords would easily fall?

Rainbow table risk

82% of passwords would easily fall to a basic rainbow table attack. Not good, but you can see why the rainbow table approach can be so effective, not so much because of its ability to make smart use of the time-memory trade-off scenario, but simply because it only needs to work against a narrow character set of very limited length to achieve a high success rate.

And if the passwords were salted before the hash is applied? Well, more than a third of the passwords were easily found in a common dictionary so it’s just a matter of having the compute power to brute force them and repeat the salt plus hash process. It may not be a trivial exercise, but there’s a very high probability of a significant portion of the passwords being exposed.
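The two hypotheticals above (plain hash versus salted hash) can be demonstrated directly. The following added Python example, not code from the post, classifies which sample passwords fall inside the character set and length a [a-z0-9], 1 to 9 character rainbow table covers, shows that an unsalted hash gives every user of the same password the same digest (which is exactly what a precomputed table relies on), and contrasts that with per-user salted PBKDF2-HMAC-SHA256 storage, where two users with the same password get different stored values and each guess must be recomputed with that user’s salt and iteration count. `SAMPLE` is constructed; the iteration count is an illustrative value, not a recommendation from the post.

```python
"""Rainbow-table exposure versus salted, iterated hashing.

Added example, not the original post's code. SAMPLE is constructed.
"""
import hashlib
import hmac
import os
import re

# The table the post describes: 1-9 characters drawn from lowercase + digits.
RAINBOW_COVERED = re.compile(r"[a-z0-9]{1,9}")

SAMPLE = ["seinfeld", "123456", "dallascowboys", "1qazZAQ!", "Summer2011", "cookie"]


def rainbow_exposed(passwords):
    """Passwords whose unsalted hash such a table would contain."""
    return [pw for pw in passwords if RAINBOW_COVERED.fullmatch(pw)]


def rainbow_exposure_pct(passwords):
    """Share of passwords the table would recover outright."""
    return round(100 * len(rainbow_exposed(passwords)) / len(passwords), 1)


def unsalted_md5(pw: str) -> str:
    """The 'just hashed' case: identical input, identical digest, for everyone."""
    return hashlib.md5(pw.encode()).hexdigest()


def store_salted(pw: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns what gets persisted.
    The iteration count is illustrative; tune it to your hardware budget."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(pw: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", pw.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def salted_hashes_differ(pw: str) -> bool:
    """Two accounts with the same password store different values, so a
    single precomputed table cannot serve both."""
    return store_salted(pw)["hash"] != store_salted(pw)["hash"]


if __name__ == "__main__":
    print("table-covered:", rainbow_exposed(SAMPLE), rainbow_exposure_pct(SAMPLE), "%")
    print("unsalted md5 of 'password':", unsalted_md5("password"))
    rec = store_salted("seinfeld")
    print("stored record:", rec)
    print("verify ok:", verify_salted("seinfeld", rec), "wrong:", verify_salted("Seinfeld", rec))
    print("same password, different stored hash:", salted_hashes_differ("seinfeld"))
```

The salt does not make a dictionary word any less guessable, which is the post’s point about the salted case; what it buys is that each account has to be attacked separately and each guess costs a full iterated hash, so the work no longer amortises across the whole table.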

Summary

None of this is overly surprising, although it remains alarming. We know passwords are too short, too simple, too predictable and too much like the other ones the individual has created in other locations. The bit which did take me aback a bit was the extent to which passwords conformed to very predictable patterns, namely only using alphanumeric characters, being 10 characters or less and having a much better than average chance of being the same as other passwords the user has created on totally independent systems.

Sony has clearly screwed up big time here, no doubt. The usual process with these exploits is to berate the responsible organisation for only using MD5 or because they didn’t salt the password before hashing, but to not even attempt to obfuscate passwords and simply store them in the clear? Wow.

But the bigger story here, at least to my eye, is that users continue to apply lousy password practices. Sony’s breach is Sony’s fault, no doubt, but a whole bunch of people have made the situation far worse than it needs to be through reuse. Next week when another Sony database is exposed (it’s a pretty safe bet based on recent form), even if an attempt has been made to secure passwords, there’s a damn good chance a significant portion of them will be exposed anyway. And that is simply the fault of the end users.

Conclusion? Well, I’ll simply draw back to a previous post and say it again: The only secure password is the one you can’t remember.

Update, 7 June 2011:

I’ve cleaned up a couple of the graphs and would also like to clarify some of the points coming through in the comments:

  1. There does not appear to have been either length or character type restrictions on the databases. There are lengths ranging from 1 to 35 characters and (occasional) uses of non-alphanumerics.
  2. As far as I know, this database is not directly related to PSN. Sony is a huge media network and LulzSec claims this came from SonyPictures.com. There is no evidence to suggest that these passwords were created using a handheld game console controller.

126 comments:

Anonymous said...

I just don't get why it is such a big deal when passwords don't have alpha numeric characters.

The requirements for strong passwords only makes sense for the windows/unix log-in case. A website shouldn't allow multiple password failures. A sensible approach is to disable the account after 4-5 failed attempts.

Anonymous said...

Windows/Unix shouldn't allow multiple password failures either (and usually don't). The problem is the same as with Windows/Unix - what if someone gets the database with password hashes? From there it's trivial to break the insecure passwords unless proper salting is used. Considering so many sites don't even hash, you can't rely on proper salting.

Joe Golton said...

Nice post. The analysis of the 88 email addresses shared between Gawker and Sony is especially interesting. I'm under the impression (both from interviewing people and a couple of studies) that many people have a total of 2 or 3 passwords that are reused across all accounts as follows:

Weakest passwords used for nonessential accounts (would likely include Gawker and Sony).

Somewhat stronger password for all email and social services.

Strongest password for finance and commerce sites.

But even if it's 3 passwords as opposed to one, this can easily be exploited, as I describe here:

http://www.filterjoe.com/2010/05/14/the-usual-way-to-manage-passwords/

Joe Golton said...

Users have not become better at password management over the past decade. Around the year 2000, Windows users began to collectively realize that virus detection/removal software was a requirement. I think (or at least I hope) we're close to a tipping point where people begin to realize a password manager is necessary.

The biggest barrier I've noticed is that password advice tends to be too complicated. Here's my one sentence formulation that I think can be communicated to the masses:

"Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password."

And here's the guide I wrote to be both accessible and technically accurate. It has a lot in common with your guide:

http://www.filterjoe.com/2011/04/14/passwords-guide-without-distraction/

Anonymous said...

Nice post. I think the 2nd chart would make more sense as a "column histogram" http://i.imgur.com/Iktzf.jpg

Anonymous said...

Very interesting post :)

I can't believe that many people use bs like 'seinfeld' or '123456'. A registration system should just do a basic lookup to estimate how attackable a password is, and then FORCE the user to think of a better one.

Rich said...

"A sensible approach is to disable the account after 4-5 failed attempts."

Then you're open to a massive denial of service.

It can help to throttle logins per account, but outright disabling, and you'll have a lot of angry customers to deal with.

Anonymous said...

What does it matter how good the password is if the website can be hacked and then details put on show for the world?

Abc123 or Thxdh763&hf they both seem weak here!

Shak said...

Does anyone know the password restrictions that Sony used on the sites? Like minimum password length and special character requirements?

Pete Austin said...

@Rich: To avoid the DDoS risk, you only temporarily disable the account after 4-5 failed attempts, e.g. for 30 mins. Also you block any IP addresses which are making lots of failed logon attempts.

@Anonymous: Good point. Security is about the "weakest link", so a strong password gives little benefit if a Website is insecure and stores it in plain text.

Anonymous said...

Password choice should remain with the user.
Securing of the password should reside with the vendor.

And lockouts should be commonplace. 'seinfeld' would be perfectly reasonable if it was encrypted in the database, and if you got locked out after 3 attempts. If that was the case, none of us would even know that 'seinfeld' was in such heavy use.

The issue with passwords is not a user issue, it's a vendor issue.

Alternately encourage your users to use 1 Password.
But don't ask them for their freakin' banking password when you're some little forum.

patrick said...

My main reason to avoid certain elements in many passwords (>8 characters, non-alnums) is that password systems are often crap and fail in non-predictable ways.

Not cool if you manage to log in _once_ (by going through the registration system) because your password contains ":" or "/" and the user management system can't cope with that for some reason (internal string handling or something).

Sadly that happens to the best of us (the example comes from the business site of a high profile semiconductor company)

Anonymous said...

RE:

Anonymous said...
I just don't get why it is such a big deal when passwords don't have alpha numeric characters.

The requirements for strong passwords only makes sense for the windows/unix log-in case. A website shouldn't allow multiple password failures. A sensible approach is to disable the account after 4-5 failed attempts.

-------


Well back when I was a spotty teenager I used to 'crack' Yahoo accounts. In reality all it entailed was a program that went through a list of users (say god_1 to god_100000) and used a list of common passwords. This way you find a lot of accounts.

If you try to crack a specific account people tend to download a dictionary. Passwords with numbers in won't be in said dictionary.

I think it is just a way to prevent kids getting into your account. If a real 'hacker' wanted to, I doubt any sort of password is going to make a real difference.

Alan Harrison said...

Aren't we missing something here? Won't many of these accounts have been created and used exclusively through games consoles, therefore the user interface used to type them is in fact just a game controller with an onscreen "keyboard"? And won't this make selection and use of long complex passwords harder? Users can therefore be forgiven for not using 20 characters with 4 character types, as that may take 5 minutes to "type"!

Pontus said...

Salting and hashing is not enough, but salting + hashing + a site key should be. Provided that the site key is stored even more securely than the database of course.

This SO answer is pretty good: http://j.mp/m2Yx6C

M Mitov said...

What's the difference? Clearly if someone wants your details, they will go after the one million users, not you... And clearly password strength plays no part in them obtaining and using your password. It's just a pity Sony can be so stupid. I'm losing respect for them by the second. Losers

Anonymous said...

Have you tried some of those password reusers and log into their email accounts they used for registering at sony? I once tried with the rootkit.com database. Picked one at random, google-searched the hash, and logged into yahoo.

Anonymous said...

For most online accounts (such as when a site asks you to register to see some content or to be allowed to post) the most adequate password security balance for such users would be a blank password - lowest security, but the most usable and easiest to remember.

If that is forbidden by site admins, then 'password' or '123456' are very good options as well.

However, the dangerous and unsecure solution would be to require passwords of 8+ symbols and some nonalphanumerics, etc - since then many people (at least more than 0) would reuse passwords that are used also somewhere where security actually matters (say, their e-mail accounts) and in this way threaten their 'serious' accounts if these worthless accounts get compromised, as has happened now.

Anonymous said...

Difficult passwords with random characters are prone to mistakes while being entered. But usually you cannot see what you are typing, and you get to see only little black circles. It's like you're driving with a blindfold, and who likes that? How do you know you didn't make a mistake while entering your password? You can't see it. I think that's also a reason for the high frequency of simple passwords. It's easier.

And why the secrecy? How many of you have someone standing behind them when typing in a password? I never do. Allow users to see their password while entering it. Difficult passwords will become more common then.

Maarten van Stam said...

I think Alan is right... the main problem is that the password is to be created by the gamecontroller. Guess what, no easy to use keyboard to insert your dots, dashes, pound signs etc. (Let alone the fact that you have to enter your console password in an on-screen display!).

Anonymous said...

Entropy.

You keep using that word. I do not think it means what you think it means.

Danny Livewire said...

Sony really should pay for their inability to properly protect their customers.... This is a HUGE violation of privacy that was exposed... Whoever is the CEO and top heads in these divisions, deserve to get fired!

Kevin said...

I attended a seminar about cracking passwords that was put on by KoreLogic Security. Based on my understanding, if a company stores your password as plain text, having a secure password doesn't help too much.

However, if the company encrypts your password and the encrypted passwords are stolen, you have much more protection if you have a secure password. I've linked my name to my blog post that covers the details what I learned about the topic at that seminar.

Anonymous said...

Obviously passwords are useless so what do we use instead?

Users are not the problem. Having come up with nothing to make secure keys that people can actually use is the problem.

Anonymous said...

passwords are the stupidest thing in the world and you help prove it. Why have them? Who cares and even if we did care, who cares about that?!

Jerry said...

The group claimed to have found over 1M passwords in plaintext, but then only torrented a small portion of that. I'm wondering if the passwords actually weren't in plaintext & they're just saying that to further shame Sony (not taking sides here, just thinking aloud). Perhaps they were brute forcing passwords & the subset we have access to only includes the ones they could easily crack.

Anonymous said...

I felt that most of the post was a good write-up. There has been some debate about the need for entropy in passwords (as long as you are outside of the target zone length trumps entropy)

https://www.grc.com/haystack.htm

Luke Duncan said...

Let's consider that this is sonypictures.com. As a user, if I don't care about a website do I really care about giving it a secure password? That's a lot of effort for one off logins.

Anonymous said...

IMO part of the reason why the 7 is lower than 6 and 8 is because of date passwords, like 010111 or 01012011 (6 and 8 chars respectively), haven't downloaded the file tho.

Eduardo F.

Anonymous said...

I put little faith in any report that uses pie charts.

drewgoodwin.com said...

I'm not surprised that 99% contain no non-alphanumeric characters. Many websites forbid using non-alphanumerics, and thus even users who want to be secure would tend to gravitate away from using them.

Motmaitre said...

Until engineers learn to understand human nature, this will continue to happen.

I cannot believe commenters (and the writer) are actually still recommending that people adopt even harder to remember passwords. Engineers need to get their heads out of their calculators and see people for what they are.

With the vast number of websites people use, it is IMPOSSIBLE to have a unique password for each one. Password re-use is simply a natural consequence of using the web. Secondly, complex passwords are hard to remember, and people want ease of use and convenience.

Who wants to (or is even able to) remember twenty passwords that look like "sdfgh*7&456#56?7DGBFD"?

Thirdly, people are pretty good at managing risk vs stress trade-offs. The probability of being hacked is low, and the potential loss is low, so why should they stress themselves remembering multiple difficult passwords? Not worth it.

If engineers and security specialists are really so excited about improving security, they should realise they can't change human nature. So instead of berating people for using weak passwords, they should realise the fault is with them for designing a system that is not human friendly in the first place.

So come up with something that is actually friendly for people to adopt. Biometrics for example.

Dug Song said...

Google, Facebook, Paypal, Blizzard (World of Warcraft), etc. are all offering two-factor auth these days because neither users - nor the sites they use - can be trusted not to reuse passwords in ways that cause headaches for all (full disclosure: we offer two-factor auth as a service at Duo Security).

Online password managers are a step in the right direction, but useless against remote access trojans (by now the most popular malware payload) - or when they get hacked.

Merennulli said...

Quite frankly, a password is not the solution to security. It's at best a hack (old term) to get by until someone thinks up something workable. The users aren't wrong to reuse poor passwords. Insecure, yes, but not wrong.

The "secure" alternatives are remembering a ridiculously complex password for every site, using a password management system that more than quadruples the login time for everything, or not logging in anywhere.

And then those get hacked because they were important enough, or the password management system was on their phone and it got compromised, or someone broke the security on a company's server and got all the passwords, account information, or whatever else you were expecting it to protect, making all that complexity worthless.

Unlike the "install and forget" approach AV provided, password security is an ongoing, constantly time consuming effort, which gives users a feeling of wasted effort every time this happens. We as an industry are the problem, not the 99.99% of users who don't follow "proper" security measures. Passing the blame on the vast majority of people is never a meaningful approach.

Slack_Stamers said...

Excellent Post..... #PSN

Anonymous said...

Anonymous said...
I can't believe that many people use bs like 'seinfeld' or '123456'. A registration system should just do a basic lookup to estimate how attackable a password is, and then FORCE the user to think of a better one.

My guess is the "seinfeld" password was the side effect of some light-weight promotion (contest card in a DVD for a free movie ticket?) where the reward for signup was quite small. What Sony really wanted was demographic information from their customer base, they're not about to implement a measure that would cause more than x% of their entrants to give up.

Charlie Hayes said...

It might be worth considering that the password entry box on the PS3 makes it quite difficult to enter complex passwords.

Anonymous said...

Nice study, except I think you don't take into consideration the input method. Have you tried to make any kind of complex password input on a PS3 given the interface? As a user I just want to logon and play my games, not necessarily purchase anything (the fact my cached credit card data was stolen is another story...). Maybe instead of blaming users for poor password practices we should examine the system that requires such things. If passwords are really required why not create something totally unique to the individual?

Anonymous said...

"What does it matter how good the password is if the website can be hacked and then details put on show for the world?

Abc123 or Thxdh763&hf they both seem weak here!"

Re-Read the article. Breaches *will* happen! I mean that! Not just with Sony, and Gawker, but at your Bank, your job, and even government systems will be hacked.

Hopefully the major players will have learned their lessons from Sony and won't store passwords in plaintext, but there's no way for you to be certain that your passwords are salted & hashed on any site, unless *you* personally reviewed the source code and have more than a basic understanding of cryptography.

The point is that while Sony and other companies have a responsibility not to make such boneheaded mistakes; you as a user have to be diligent to mitigate the damage as much as possible when a company you trust does get caught with their pants down.

Your first password is far more vulnerable than the 2nd as it could be easily brute forced even without a breach, and would likely appear in a rainbow table if a site's hash table was exposed. Your latter password would be for all intents and purposes safe from those attacks, but if you re-use that same password everywhere, you're still vulnerable if another Sony type breach occurs.

With different passwords, your Sony login is hosed, but every other site you have a login is still safe!

Anonymous said...

FYI, you don't use line charts for discrete data points. you use a bar chart. just sayin

lihan161051 said...

It's been said several times and in several different ways, but I'll say it again:

Storing passwords in the clear in any site backend DB is inexcusable. Period. Even for sites that don't store customer credit card and other sensitive identity data. And anyone who's using cleartext password storage for authentication on a site that stores CC data needs to be dragged outside and beaten severely. Sorry, no sympathy for Sony here, they deserved what they got.

Anonymous said...

I'm not sure why people are stating how hard it is to enter non alpha-numeric passwords with a game console even though these passwords are not from Sony's gaming sites...

Anonymous said...

How many passwords are the same btw Sony/Gawker? I think you might be able to identify common accounts across the two using common passwords, possibly eliminating common passwords within each set first.

Anonymous said...

definitive proof that humans hate passwords. time for a new approach.

5ynic said...

There's a legacy issue here. Some of us decided on our "generic" password pattern for less important sites back when it was common to not allow special characters, to allow no more than 8 characters etc etc... and have become stuck in that habit. Lazy? Sure, but not stupid.

Anonymous said...

motmaitre: hits it on the head.

I have some ninety or so different login/password details now in my keepass store.

I long since adopted the policy of having only four passwords in general: two simple 8-char (alpha/lowercase only) which I don't care about - used only for info sites etc, a slightly better one (9 chars including one non-alpha) for things where I like to keep it private, but it wouldn't impact me significantly if discovered (this was the one I used in my Playstation account), and a more complex one including digits etc which I use for all my financial logins and so forth.

Not ideal, but as most financial logins are a three part verification, I reckon it will do for now...

Anonymous said...

I guess it's pretty hard to remember a different strong password for each service. That's why I build a site which enables me to generate strong passwords and store them encrypted. Anyone can create an account for free and use it. Check it out: https://pwdsafe.com

Anonymous said...

Nice article, well-thought out. Additional info could be how many words are actual names, and how many are words, maybe sorted by language. Well, this takes time of course :)

For all passwords with numbers and the few with other characters, it'd be cool to see how many follow the word+suffix pattern.

Simply because crackers such as hashcat and john can generate those based on a wordlist - so one could check if the base wordlist and the permutations offered by those programs are enough to find out more than 90%.

Anonymous said...

Regarding the discussion about good passwords:

Actually you don't gain as much from adding non-alphanumeric characters, especially if you put them at the end which is what rule-based crackers eat for breakfast.

You gain more from password length - and the thing to generate long passwords is for some reason embedded in your brain - it is your language generator.

Consider a password like:

I like apples

13 characters long; bruteforce attempts and rainbow tables are already really expensive for that length (energy, storage). Rule-based crackers generating prefixes, infixes and suffixes: also no dice.

However, the above could easily be generated by just using one wordlist and simply generating 3-word combinations from it, so three words is not enough.

It would also be foolish to use quotes which can be found on wikiquotes or compiled from various websites.

My car really needs a tune-up

Almost thirty characters - for every password cracker which cannot generate sentences, not worthwhile - a single password is never ever worth the output of several coal power plants for years.

However, you can easily crank this up. Although there is no generative grammar which would allow a machine to produce sentences at will, simple sentences can be done already.

Making the passphrase a bit more personal makes it easier to remember and maybe you'd be really reluctant to share it with others. Consider:

I wish justin biber in a leather outfit was my science teacher

Over fifty characters - easy to remember - and you sure as hell wouldn't tell people even if pressed.

However, you'd have some explaining to do if you used it for a service which stored it in plaintext and got breached like Sony.

On the other hand, forcing people to use short passwords and use non-alphanumeric characters AND change them every month is a death sentence for your security; the result will be:

May1998!
Hello-12

and so on - which is no problem for rule based crackers at all.

Anonymous said...

Oh - and those looking for secure hashes should check out bcrypt and the different SHA-256 crypt and SHA-512 crypt used by Ubuntu.

bcrypt is over ten years old - and still way more computationally expensive than even md5crypt.

If you're a radical, you could also look at what Microsoft did with DCCs in Windows 7 - have fun :)

mittfh said...

I used to use a single 13 character password for everything, but then discovered LastPass. So now a variation on my original is used to log into LastPass, while everything else has a randomly generated password. Most sites I use a 16 character password involving alphabetic, numeric and 'special' characters, but many don't accept special characters and some (worryingly) don't accept passwords longer than 10 characters.

Work (Windoze domain) needs at least two of alpha, numeric, special and demands it gets changed every month. Just before I left uni (2001) the network admins there (Windoze desktops + UNIX servers) got really strict - had to change every month, couldn't use any previous password, and couldn't use: dictionary words forwards/backwards, telephone numbers, registration plates, NI numbers, DOBs. They were so paranoid they even ran a password cracker program that would lock your account if it cracked your password. You'd then have to visit them and unlock your account by choosing a new password, subject to all the rules above.

Marc Ruef said...

Hello,

Very nice analysis. The peaks in password length are identical to the ones in my earlier analysis[1]: 6 and 8 chars are far more popular than 7 chars.

I gave it a lot of thought and came to the conclusion that people prefer "rhythm" and "symmetry". This seems to be the reason why odd lengths are that unpopular.

Regards,

Marc

[1] http://www.scip.ch/?labs.20110217

Anonymous said...

When a run of the mill company allows for this sort of stupidity...ok, fair enough. When a company like SONY, a supposed technology company allows this ....it is stupidity on a massive scale. No management oversight? No security assessment? Even the worst CISA auditor in the world would have picked this up in a Tokyo second!

Simon said...

6 and 8 characters are popular.
Full numbers are popular.

Quick guess: birthday dates can be written in either 6 or 8 numbers.

Anonymous said...

It's funny to see posts at this thread starting with "Anonymous said..." :-)

Anonymous said...

As several people have hinted, many of these weak passwords may be down to 'throwaway' registrations. I keep a couple of passwords that I only ever use for sites where I'm registering for something a single time, where there is no data I want to keep secure, and which I will never want to go back to. No point generating a secure password for those types of sites.

Anonymous said...

The difference between complexity versus "crackability" is what drives many to use the same password across several accounts. Sometimes simple is uncrackable. A good analysis is presented here.

http://www.baekdal.com/tips/password-security-usability

The other side of the coin is the password needs to be saved securely by both the user and the host. In the sony attack, the problem isn't with the passwords - even the easily crackable ones. They weren't cracked, they were stored as plain text and stolen. Shame on Sony! Baaad Sony!

Marcel-Jan Krijgsman said...

9452? That might be the number of the remote.

Peter A. said...

I would guess that people use 6 or 8 char passwords in a context like this because they are using the same passwords they use elsewhere. Thus this is not a preference of users, but a vestige of some past application(s) that required minimums of either 6 or 8.

Grayson: Atlanta, GA said...

Troy: As one of the compromised Sony Pictures accounts is AutoTrader, a company owned by Cox Enterprises here in Atlanta, Georgia, could that mean that Cox stuff could be compromised too?

Anonymous said...

This post needs logarithmic axes...

Anonymous said...

Well, I know on more than one of my periodic password reset runs, I have had new passwords rejected for being more than 8 characters and/or being non-alphabetic.

Sort of makes it hard to come up with unique, memorable passwords that are cryptographically strong with those limits.

Anonymous said...

Depending on the nature of the site - in this case a once-off campaign with a limited life span - I would consider the most secure password to be a throw-away, i.e. something that I would never ever use again.

I would choose something very easy to remember, probably a word with no capital letters or numbers (otherwise I risk fooling myself with trickiness) so this way if it is stolen it means almost nothing to me.

The cumulative worth for someone having stolen my password would in this case be equivalent to them stealing my handkerchief.

Anonymous said...

I have started to use -- at work -- passwords created from "phrase acronyms." For instance, I'll think of a song title, or phrase, or artist-song combination, or in one case I used the make and model of my son's baseball bat. Then I use the first letters, and change certain of them to numbers or specials:
EstCyc1! which came from Easton Cyclone -11.

Or "I Hate Changing my password every 3 months" which became !HcmPe3m or something like that.

Also at work there are stronger rules about network passwords.

I would do this for multiple websites, too but I re-use because I will fail to remember one or more of them, for sure. Unless I write them down. But reading this, I may decide not to re-use as often.

Dop said...

Not sure if anyone mentioned it, but when you consider the use of non-alphanumeric characters in this case you have to remember the input interface as well.

For most PSN users, they're inputting via a PS3 controller and the shitty phone number style interface provided by Sony. In fact, it's also four button presses on a number just to get to lower/uppercase letters.

I don't think you'll see the same distribution when users have a keyboard and it's a simple shift key press (or less) to get a special character.

Anonymous said...

Looks to me like the section entitled "Character types" is somehow messed up (editing error, typos -- something). Could it be possible that there were more numbers than letters in the database? Seems SUPER-unlikely, and all examples throughout the rest of this (very good) essay bear that out. Could it be possible that there were more upper-case than lower-case letters in the database? Seems SUPER-unlikely, and all examples throughout the rest of this essay bear that out. I suspect the correct order is (1) lower case (2) numbers (3) upper-case (4) everything else, although (2) and (3) might be reversed.

Thanks.

Anonymous said...

For people mentioning throw away logins - look at the percentage shared with Gawker and think again....that said they could be the stronger ones. Some countries are introducing national identity cards with public private sig support. That becomes the something you have and supplemented by a password something you know and you have a very secure system...that and tying account access to pre-specified devices also helps.

Machine salt (not in database), unique user salt, password hashed using a robust and expensive hash function (pref with a configurable work function) would seem to be the only solution that will stand the test of time. Important bit is configurable work function as that allows you to reduce the complexity / length requirements to one people will tolerate.
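The storage scheme the comment above describes (a machine secret kept out of the database, a unique per-user salt, and a slow hash with a configurable work factor), as an added example that is not part of the original post or its comments. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than the bcrypt or SHA-crypt the earlier comment mentions; the pepper value, iteration count and record format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed deployment policy for this example. The pepper is a machine-level
# secret that lives outside the database (config file, KMS, HSM); a thief who
# only has the user table cannot even start a dictionary attack without it.
# The placeholder value below is NOT a real secret: generate one with os.urandom.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
CURRENT_ITERATIONS = 600_000   # work factor in force today; raise it as hardware improves
SALT_BYTES = 16                # per-user salt length
DKLEN = 32                     # derived key length in bytes


def _prehash(password: str, pepper: bytes) -> bytes:
    # Bind the password to the machine secret before the slow hash. HMAC keeps
    # the pepper and the password in separate roles rather than concatenating them.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, *, pepper: bytes = PEPPER,
                  iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash (all hex).

    The salt is fresh per call, so two users with the same password get
    different records and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations, DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, *, pepper: bytes = PEPPER,
                    policy_iterations: int = CURRENT_ITERATIONS) -> tuple[bool, bool]:
    """Return (matches, needs_rehash).

    needs_rehash is True when the record was created under a lower work factor
    than current policy: the caller should re-hash and overwrite the record on
    this successful login, which is how the work factor is raised over time.
    Malformed records never match.
    """
    try:
        scheme, iter_s, salt_hex, dk_hex = stored.split("$")
        iterations = int(iter_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False, False
    if scheme != "pbkdf2_sha256" or iterations < 1 or not salt or not expected:
        return False, False
    candidate = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt,
                                    iterations, len(expected))
    ok = hmac.compare_digest(candidate, expected)   # constant-time comparison
    return ok, ok and iterations < policy_iterations


if __name__ == "__main__":
    # Constructed walk-through: a record made under an old, lower work factor.
    old_record = hash_password("seinfeld", iterations=100_000)
    print(old_record)
    print(verify_password("seinfeld", old_record))   # (True, True): correct, but re-hash
    print(verify_password("123456", old_record))     # (False, False)
```

The pepper does not replace the per-user salt: the salt defeats precomputation and shared-password correlation inside a leaked table, while the pepper defeats offline guessing against that table by anyone who did not also take the machine secret.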

Anonymous said...

The issue is not the user password strength. That's not the breach, though an interesting read.

jordi said...

About pw generators. Have you ever lost your HD? Found the tables on your backup?

Anonymous said...

"What does it matter how good the password is if the website can be hacked and then details put on show for the world?

Abc123 or Thxdh763&hf they both seem weak here!"

Re-Read the article. Breaches *will* happen! I mean that! Not just with Sony, and Gawker, but at your Bank, your job, and even government systems will be hacked.

Hopefully the major players will have learned their lessons from Sony and won't store passwords in plaintext, but there's no way for you to be certain that your passwords are salted & hashed on any site, unless *you* personally reviewed the source code and have more than a basic understanding of cryptography.

The point is that while Sony and other companies have a responsibility not to make such boneheaded mistakes; you as a user have to be diligent to mitigate the damage as much as possible when a company you trust does get caught with their pants down.

Your first password is far more vulnerable than the 2nd as it could be easily brute forced even without a breach, and would likely appear in a rainbow table if a site's hash table was exposed. Your latter password would be for all intents and purposes safe from those attacks, but if you re-use that same password everywhere, you're still vulnerable if another Sony type breach occurs.

With different passwords, your Sony login is hosed, but every other site you have a login is still safe!

Anonymous said...

Nice study, except I think you don't take into consideration the input method. Have you tried to make any kind of complex password input on a PS3 given the interface? As a user I just want to logon and play my games, not necessarily purchase anything (the fact my cached credit card data was stolen is another story...). Maybe instead of blaming users for poor password practices we should examine the system that requires such things. If passwords are really required why not create something totally unique to the individual?

Anonymous said...

I can't believe that many people use bs like 'seinfeld' or '123456'. A registration system should just do a basic lookup to estimate how attackable a password is, and then FORCE the user to think of a better one.

My guess is the "seinfeld" password was the side effect of some light-weight promotion (contest card in a DVD for a free movie ticket?) where the reward for signup was quite small. What Sony really wanted was demographic information from their customer base, they're not about to implement a measure that would cause more than x% of their entrants to give up.

Motmaitre said...

Until engineers learn to understand human nature, this will continue to happen.

I cannot believe commenters (and the writer) are actually still recommending that people adopt even harder to remember passwords. Engineers need to get their heads out of their calculators and see people for what they are.

With the vast number of websites people use, it is IMPOSSIBLE to have a unique password for each one. Password re-use is simply a natural consequence of using the web. Secondly, complex passwords are hard to remember, and people want ease of use and convenience.

Who wants to (or is even able to) remember twenty passwords that look like "sdfgh*7&456#56?7DGBFD"?

Thirdly, people are pretty good at managing risk vs stress trade-offs. The probability of being hacked is low, and the potential loss is low, so why should they stress themselves remembering multiple difficult passwords? Not worth it.

If engineers and security specialists are really so excited about improving security, they should realise they can't change human nature. So instead of berating people for using weak passwords, they should realise the fault is with them for designing a system that is not human friendly in the first place.

So come up with something that is actually friendly for people to adopt. Biometrics for example.

drewgoodwin.com said...

I'm not surprised that 99% contain no non-alphanumeric characters. Many websites forbid using non-alphanumerics, and thus even users who want to be secure would tend to gravitate away from using them.

Luke Duncan said...

Let's consider that this is sonypictures.com. As a user, if I don't care about a website do I really care about giving it a secure password? That's a lot of effort for one off logins.

Jerry said...

The group claimed to have found over 1M passwords in plaintext, but then only torrented a small portion of that. I'm wondering if the passwords actually weren't in plaintext & they're just saying that to further shame Sony (not taking sides here, just thinking aloud). Perhaps they were brute forcing passwords & the subset we have access to only includes the ones they could easily crack.

Kevin said...

I attended a seminar about cracking passwords that was put on by KoreLogic Security. Based on my understanding, if a company stores your password as plain text, having a secure password doesn't help too much.

However, if the company encrypts your password and the encrypted passwords are stolen, you have much more protection if you have a secure password. I've linked my name to my blog post that covers the details what I learned about the topic at that seminar.

Noemail said...

9452 is a common password due to the American IRS form http://www.irs.gov/pub/irs-pdf/f9452.pdf This password was also common in the stolen list of rockyou.com

zgz said...

surprised qwerty isn't a popular password. I mean I us....*whops*

Paul said...

And then when your own computer is compromised they get *all* of your passwords and will know every service to use them on. Nice.

troyhunt said...

It doesn't quite work that way Paul, good password managers like 1Password store all passwords in a cryptographically secure fashion. Accessing the keychain is worthless without the master password which should not be accessible even if the machine is owned.

Paul said...

Right, but that does nothing to keep someone from physically (or legally) coercing me into revealing a master password to unlock my password database and all corresponding systems I have access to. Granted, the alternative is impossible, to remember secure-enough passwords to all the systems I access, but at least this should be acknowledged as a potential concern.

troyhunt said...

Sure, but that's a far cry from "when your own computer is compromised they get *all* of your passwords".

Look, you're not going to get a 100% "secure" solution so it's a matter of balance. I would argue that the likelihood of someone first owning my machine then grabbing my 1Password keychain and then coercing me into disclosing my master password is infinitesimally small compared to a website where I use a set of credentials being compromised.

Clublife said...

PSN refers to the Playstation Network, not the handheld.

dubious said...

It's likely that Cox employees would use the same password on their company network, so yes it could mean that 'Cox stuff' could be compromised by a determined person

Clublife said...

I notice that in the Netherlands DB there are a number of people using the password foto4U2 and other close approximations. I make the presumption that this must relate to Sony Pictures and wonder if users of other photo websites apply the same password logic.

Clublife said...

I think the fact that Sony shut down its entire network for more than a month debunks your theory

troyhunt said...

I assume you're referring to the update at the end of the blog? Yes, I'm aware of that, the point is that if the accounts had come from the PSN service then one could argue the passwords were regularly entered by a handheld controller and concessions might have been made on password strength. But of course that's not the case here, the accounts aren't from PSN.

Joe Dougherty said...

There has to be some kind of relationship between the "seinfeld" and "bosco" accounts.

"Bosco! Bosco!"

Steffan Ziegler said...

you CAN however create 1 or 2 strong passwords that have say, the first 3 characters "reserved" for a site specific string.

for example
amz21$Flexi%! = amazon
cit21$Flexi%! = citibank

etc.  This way the pword is both specific to the site and rememberable (assuming that 21$Flexi%! means something to you.)

It would not be easily hacked unless someone cross referenced hacked databases. If you split it up to 3 strong passwords with flexible strings, you decrease your chances of correlation.

maxcuban said...

Man, you have a cool Blogger template, can I have it for my own Blogger? Pleeeeaseee :(

Amy BG said...

Thanks for the analysis. It always surprises me how many people will go for easy-to-hack passwords. I've always tried to stick to stronger password option (3 characters, no actual words etc), but only in the last year have I used a different password for each login. Thank goodness for password managers, hey?!

Armando said...

Troy, congratulations for this piece! I run a NGO in Mexico promoting safe and responsible use of ITCs, and we know for sure that we must stick to very basic safety recommendations, such as strong passwords, our surveys confirm all this, but having a real, well-informed case like this one is very helpful to our task of showing end users how easy it is for their peace of mind to be all broken if a password is not unique.

Armando said...

To other commenters here saying it is impossible to have unique passwords for 20+ web sites and services, and thus reusing is a must, try thinking about having the same key to your car, your wife's car, your house door and your office desk for instance, just because it's "hard" to handle different keys for each keylock. Hummm, the solution is to create a system to build your password, that only you can figure, and that somehow has the site's name intrinsic in it. For example, have your passwords always beginning with capital "A", followed by a "#", then the site name, then your initials, and finally a "99". So, your password for Hotmail could go like "A#hmabc99" (assuming your initials are "abc", and you can easily remember "hm" stands for Hotmail). Your password for ebay could go like "A#ebabc99", for Gmail "A#gmabc99", etcetera.

This way, you don't have to remember much, and have unique passwords for each service.

Later in time you can switch to passwords beginning with "B" and have "90" at the end, but keeping the rest of the building structure for you to remember easily, having passwords that are both unique AND recent.

This has worked for me for a long time here in Mexico

BR

troyhunt said...

Thanks for your feedback Armando. I've seen this approach proposed several times before in response to previous posts and I do have a few issues with it. Firstly, there are still too many sites which are overly prohibitive in the allowable characters and length meaning that patterns involving hashes, punctuation or sometimes even letters won't be allowed. There are a number of examples of this here: http://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html

The other issue is that there are times when you either have multiple accounts with one service or you need to change your password. Trusting pure memory muscle in terms of a consistent pattern won't be enough, you then need to apply exceptions.

Finally, and from a pure security standpoint, any sort of pattern always worries me. It sounds like if I had both your Gawker and Sony account I'd have sufficient information to have a very good chance of breaching your other accounts.

Dave said...

Key loggers?
what's more common, 'Net DBs (that store cleartext passwords) getting hacked, or Sally User getting tricked into installing a trojan horse?

Justin Drobey said...

Yeah, but what if something happens to your Windoze installation, and you are required to format without a chance of backup (talking of a random user)... If you lose the 100 passwords you accumulated over the years that you only typed in once (during registration) then you just lost access to all those sites...

Troy Hunt said...

Exactly the same thing happens as when you fail to backup your photos, documents or other important material - you lose it. With login accounts this obviously then means going through the respective reset processes. But really, this is an issue about maintaining backups of important content for which there are many, many solutions available.

Kiril Varbanov said...

I see nothing wrong with reusing passwords across less-meaning accounts, like your favorite online newspaper, or similar - it's just, however, good to have it really random, as in: kol^2evU8#_Hxx - that's a good one, IMHO.
But for sensitive stuff like personal email and online banking or any money related, just as well as health - be sure to use another pass, even better than the usual one.

Aaron Davies said...

6 character passwords considered harmful: I think it's time to make the minimum length at least 10 everywhere. Under the charsets most people use in practice, that's probably a bare minimum for any serious security.

Anonymous said...

Not that there's anything wrong with that ...

Scott Miller said...

The true point here is that all websites, especially high profile organizations like Sony, need to keep up with good housekeeping. Cleartext passwords won't do, even if my password is "af3w342ESRGRTH9uh3$#%rfgh4#@$5gfhsrkjnhe8e". As long as all of these sites keep their passwords stored in hashed form, a single secure password can be used for all sites. While the hacker getting one would compromise all of them, the hacker is going to have a hard time getting even 1. And when that keylogger is downloaded on your computer, it doesn't matter if you have unique passwords, because they are all going to be seen as soon as you log in.

Scott Miller said...

In a normal situation no one is looking over your shoulder while you type a password, but this is because it wouldn't do anyone any good, if passwords showed up in cleartext there would be a HUGE spike in shoulder surfing, because it would suddenly be more effective.

Scott Miller said...

Note that in the Gawker breach, the only passwords that were leaked were insecure ones because they were all hashed.

Scott Miller said...

The article wasn't supposed to be about the breach, it was just using the breach as a data source

Scott Miller said...

It is a big deal to use non-alphanumeric characters because people are not usually trying to type in your info in the web interface, they are hacking the server, downloading the list, and using rainbow tables to figure out the passwords.

The Voice of Reason said...

Meh... the funniest thing here, given all the security-bods who've commented (including myself) is that passwords are NO LONGER A SOLUTION TO KEEPING DATA SAFE OR KEEPING AUTHENTICATION SECRET.

I agree with the statement that this age-old problem will continue to occur so long as engineers continue to blame users, and users continue to create weak-passwords due to a condition known as "The Human-Element"

Three words help to understand the direction towards a viable and long-term solution....

"Multi Factor Authentication"

This is what's needed going forward. I do not personally use a password manager (I have tried before - Roboform), and I wouldn't use one now either.  The same users who create weak passwords aren't going to use a password manager either.

It's simply a case of this type of authentication becoming the norm....  I'm old enough to remember riding in cars when it was optional to wear a seat-belt for godsake! and before BT stuck an 01 in front of all our telephone numbers...

Change is what's needed, not stronger passwords.

Yes multi-factor will require something physical and tangible (similar to the PIN entry calculators the banks have been rolling out..... but why do you think they've been so eager to roll them out....?  for free....?  because it pushes the RISK associated with your account becoming compromised AWAY from them and FIRMLY TOWARD YOU.

.....and just before there's a barrage of responses saying how unorthodox MFA would be, how people wouldn't take it up, how it would never work, what if I lose or don't have my PIN entry-thingamabob with me..... well, let's just look at that shall we...

If I lose my car keys I can't drive my car.  If I lose my house keys, I can't get into my home. If I lose or misplace my debit card, I can't quickly and easily draw cash from cash-machines, I need to go into the bank, with two utility bills, something else that positively ID's me, blah, blah, blah....

All of these situations are a ball**** when they occur. Yes I can get new car keys, yes I do eventually gain access to my property; and yes I do still find a way to get my cash out of the bank (but not as easily as it was before I lost my debit card.) As humans, the pain-factor [and for some of us the cost-factor too] associated with replacing car/house keys, debit/credit cards leads us to be more careful with them.

Why should a multi-factor authentication device be any different?

How many of you have lost either your car keys, or your house keys in the last 6-12 months, and for those that answer "Yes", have you lost them again since? Who regularly loses their house or car keys several times a year....?

Exactly.

I'm not saying that a change will occur eventually, I'm saying that a change will eventually *HAVE* to occur, and as a result, and as always, human-behaviour will change [we're generally very good at being compliant] and what was once strange and unorthodox then becomes the norm.

Kevin Fogg said...

IronKey FTW, it's simple to use, the world's most secure USB flash drive, and there is a built-in Identity Manager "IDM", this saves login information to the drive, everyone uses pen drives, so using one of these is easy, plus it's got an onboard FF that's been made more secure. Check out www.ironkey.com and see if this could be your answer. I don't know any of my passwords, I only have to remember one, and you have 10 tries to guess it before the IronKey bricks itself, and you can't get the data off

Troy Hunt said...

I love the idea of IronKey, but unfortunately it's useless on any device which doesn't have a USB port.

Reg271-105couldchange said...

Hi, Troy!

One simple method of recourse about the password hacking, would be to get ALL of the developers of web sites, email servers and anywhere an passwords are needed, to think OUTSIDE the box.  But, the numbers who might, are probably less and .01% of them all that would, or that would be allowed by management, etc., to make a simple change in the password handling routines.  The change?  Stop thinking alphanumeric and character entries, as has been the norm since the beginning of computerized passwords.  Also STOP forcing users to enter passwords that are only 4-8 chrs in length...only very lousy programmers do that, but stupid is being kind - there ARE sites that expect passwords of 4 chrs, tops!  Any way...the way to help solve the problem with password hacking is to merely accept ANY character, including high-level ANSI entries (i.e.,  [the symbol equals ╪]) AND graphic characters - just take any 8-bit character/symbol.  That would put the password hackers on hold for a while...

This way of thinking is normal in MANY programs/utilities that are available today, just as stupid, but in different ways. What is it, you might be wondering... Input limitations of all kinds! The biggest one that everyone should be aware of was the world's worst case of brain dead amongst most all of the major players (Microsoft, Apple, Borland, Adobe...you can just about name most any company) whose programmers had not thought of any number past 1999. And the worst part is that the never-ending flow of programmers are STILL that brainless. Why is it that these guys/gals think they know what length any input should be!!!?? Just inherent stupidity. Did they fix the problem with entry of years? NO. They simply put a new brick wall up and figured who would ever use a date, in the same fashion, 100 years from now!?, but also added a brick wall to the beginning of the year entries (nobody has any need of setting their system(s) to anything earlier than the 20th century!). Take a look at the Microsoft Date & Time settings window. If you set your system date/time this way, you can't set it for any year earlier than 1980, or any year later than 2099...why in the heck is it so hard to bring yourselves to believing we, or computers, wouldn't need to set system dates past 100 years!? This same shortsightedness is found in just about any software, BIOS, or what have you. Stop deciding what input lengths should be enough and how many years enough, by assuming you know some kind of limit to an entry is what's best for users!! Stop building in these limits - they are not for you to decide! I'm aiming this at programmers...I think most will know who they are...

CU!
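The commenter's suggestion of accepting any character in a password is worth seeing in working code. The following is an added example, not code from the blog post or from any commenter, showing the defender-side handling that makes "accept anything" safe: Unicode input is NFC-normalized before hashing (so the same password typed on different platforms verifies), the minimum length is counted in characters rather than bytes, the only upper bound is a generous byte cap to bound hashing work, and the result is stored as a salted PBKDF2 hash rather than the plaintext Sony kept. The policy constants and iteration count are constructed values for illustration, not recommendations from the page.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed policy values for this example (assumptions, not from the page).
MIN_CHARS = 12            # counted in Unicode code points, not bytes
MAX_BYTES = 1024          # generous cap to bound hashing cost, not a 4-8 char "brick wall"
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


def normalize_password(password: str) -> bytes:
    """Accept any Unicode text. NFC-normalize so that a precomposed 'é' and
    'e' + combining acute (which different keyboards produce) hash identically,
    then UTF-8 encode so every code point, including ╪ or CJK, is preserved."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def check_policy(password: str) -> Tuple[bool, str]:
    """Length policy that never rejects a character class.
    Returns (accepted, reason)."""
    if len(password) < MIN_CHARS:
        return False, f"password must be at least {MIN_CHARS} characters"
    if len(normalize_password(password)) > MAX_BYTES:
        # A multi-byte character counts once for the user but several times here;
        # this is the only reason to cap, and it is a cap on bytes, not on symbols.
        return False, f"password exceeds {MAX_BYTES} bytes when encoded"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the normalized bytes. Returns (salt, digest)
    for storage; the plaintext is never persisted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_password(password), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample input mixing Latin, box-drawing, emoji and CJK characters.
    sample = "pässwörd-╪-☃-长"
    ok, reason = check_policy(sample)
    print(ok, reason)
    salt, digest = hash_password(sample)
    print(verify_password(sample, salt, digest))          # True
    print(verify_password(sample + "x", salt, digest))    # False
```

The normalization step is the part that is easy to forget: without it, a user who sets "café…" on a Mac (which often emits the decomposed form) and later types it on Windows (precomposed) would be locked out, and the usual reaction is to ban non-ASCII characters, which is exactly the restriction the comment argues against.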

Skylark said...

The term you are using is incorrect in its context.  The ONLY term for people that write code is "Programmers," not "Engineers." ;)

I agree about the use of biometrics; I've used one that reads several fingers, thus supports several users, and have been testing one over the last year. I've found that it does a pretty good job and the price for these types of biometric devices is usually within anyone's budget (~$50 and up). The hurdle is finding software written by programmers that know to write with the users' point of view, always, not the programmers'. I'd like to find a compatible program that would be primarily for computer work and Internet travels; one without some of the many stupid features I've run across that are geared more for homeowners than the workplace.

cu 

Troy Hunt said...

Oh I totally agree with all of that, in fact I've publicly bemoaned stupid restrictive password practices before: Who’s who of bad password practices – banks, airlines and more

Very unfortunate it's the likes of banks that are the worst offenders, you know, the guys who handle the stuff we want most protected...

Troy Hunt said...

Can't we just agree on "code monkey"? :)

L. Wolf said...

I think if someone is gonna go through the trouble of physically trying to get your computer for the passwords, then coerce you into giving up the master password, you'd have to be someone very powerful with secrets worth getting, or very rich, to make the risk worth the effort. Something I doubt most common people have to worry about.

L. Wolf said...

Not sure if all places do it, but most places make you enter the password twice on creation. The chances of getting it wrong twice are unlikely, and even less likely if people take their time when entering them in.

The big problem are keyboards with faulty keys that don't always push when you push the key in. But then that would make an error in any type of password, simple or complex.

comotzi said...

How did Sony manage to store those passwords? Just asking..

Nomail said...

Highly recommended to read for those who still ignore the necessity of a "strong" password! saluto!

Gareth Sparks said...

Only if you were interested in breaching one person's account. A hacker is usually interested in breaching one of many accounts, applying the same tool to each until it works on one--they don't care which.

Troy Hunt said...

I'm sure that's frequently the case, but I also know that once disclosures like Gawker and Sony happen and everyone's passwords become public domain, there are plenty of people out there wanting to target individuals (jilted boyfriend, nosy boss). Observable patterns across multiple sources provide a huge advantage in discovering the password for other systems.
