The passwords say a lot about each site's userbase.
singles.org users commonly use passwords with religious meaning, like "jesus", "pastor", and so on. Apparently this is a site that appeals to the religious folks.
phpBB has things like "phpbb" and "password". Their forums force people to create an account they don't want, so they pick a dumb password. (I had to ask a phpbb question once. I think I used 1234 as my password.)
Finally, Myspace is Myspace, and has commonly-ocuring gems like "poop" and "nigger1". Ah, high school kids...
I just use the same username and password for all sites I don't care about that much. That way if I ever come back again I can just log in easily, and the process of signing up is so familiar I could do it in my sleep.
No, the real issue is password questions. "What is your mother's maiden name?" "In what city were you born?. Those always seem like a security hole, so I choose a random question and just remember that the answer to all my security questions is "the landed gentry". That's fairly secure, right?
That's what my XP hint did, and my password contains an accented character (áéíóú/ÁÉÍÓÚ) as I noticed password breakers tend not to use these characters by default, but a lot of programs and services accept them. To say just hitting 'Alt Gr' can prevent any password breaker, I thought it was a pretty good safety measure.
Might be an interesting white-hat idea to have a service that gets into a social network and spiders out, collecting thousands of user names. Then attempt library login attempts. In the event they are successful, the service contacts the user and warns them that they have a weak password.
Unfortunately this is so similar to standard phishing attacks that I'm afraid the good would be offset by the bad of reinforcing user behaviors that its ok to click through on 3rd party notices like this.
I dunno, seems weird. 163k hits on google? Doesn't even seem like a particularly common Nigerian name. And there aren't many other given names on the list.
I have recently started generating all my passwords using a Markov chain script I wrote in Python. They're much more secure and, since they sound very similar to English words, easier to remember than, say, &&364e7forty-two88()l.
Until I read this, I always wondered why the keyboard was called QWERTY. As soon as I saw it on the list, I instantly realized the reason. I feel ignorant.
Having a closer look at the list shows that password rules like "alpha + numericals" don't add much of security in real world scenarios: In approx 95% people seem to add one or two digits at the end of a string.
I don't like password requirements - It restricts the number of possibilities and for crackers who know the restrictions it makes life a lot easier for them.
41 comments
[ 14.0 ms ] story [ 436 ms ] threadsingles.org users commonly use passwords with religious meaning, like "jesus", "pastor", and so on. Apparently this is a site that appeals to the religious folks.
phpBB has things like "phpbb" and "password". Their forums force people to create an account they don't want, so they pick a dumb password. (I had to ask a phpbb question once. I think I used 1234 as my password.)
Finally, Myspace is Myspace, and has commonly-ocuring gems like "poop" and "nigger1". Ah, high school kids...
Some of the other ones are puzzling. "trustno1" is from the X-Files, but does anyone know where "letmein" came from?
No, the real issue is password questions. "What is your mother's maiden name?" "In what city were you born?. Those always seem like a security hole, so I choose a random question and just remember that the answer to all my security questions is "the landed gentry". That's fairly secure, right?
The best protection is not a good password. It's having something that's not worth stealing.
Unfortunately this is so similar to standard phishing attacks that I'm afraid the good would be offset by the bad of reinforcing user behaviors that its ok to click through on 3rd party notices like this.
interesting.
At the moment all I do is insist on a minimum length but it doesn't seem as though it would be all that difficult to add checks for common passwords.