[e-privacy] [schneier: Real-World Passwords]

Anonymous nobody at remailer.paranoici.org
Sat Dec 23 19:09:43 CET 2006


----- Forwarded message from schneier -----

Subject: Real-World Passwords
From: schneier
Date: Thu, 14 Dec 2006 07:39:07 -0600

   How good are the passwords people are choosing to protect their computers
   and online accounts?

   It's a hard question to answer because data is scarce. But recently, a
   colleague sent me some spoils from a MySpace phishing attack: 34,000
   actual user names and passwords.

   The [1]attack was [2]pretty [3]basic. The attackers created a fake MySpace
   login page, and collected login information when users thought they were
   accessing their own account on the site. The data was forwarded to various
   compromised web servers, where the attackers would harvest it later.

   MySpace estimates that more than 100,000 people fell for the attack before
   it was shut down. The data I have is from two different collection points,
   and was cleaned of the small percentage of people who realized they were
   responding to a phishing attack. I analyzed the data, and this is what I
   learned.

   Password Length: While 65 percent of passwords contain eight characters or
   less, 17 percent are made up of six characters or less. The average
   password is eight characters long.

   Specifically, the length distribution looks like this:

   +-------+--------------+
   | chars | share        |
   +-------+--------------+
   | 1-4   | 0.82 percent |
   | 5     | 1.1 percent  |
   | 6     | 15 percent   |
   | 7     | 23 percent   |
   | 8     | 25 percent   |
   | 9     | 17 percent   |
   | 10    | 13 percent   |
   | 11    | 2.7 percent  |
   | 12    | 0.93 percent |
   | 13-32 | 0.93 percent |
   +-------+--------------+

   Yes, there's a 32-character password: "1ancheste23nite41ancheste23nite4."
   Other long passwords are "fool2thinkfool2thinkol2think" and
   "dokitty17darling7g7darling7."

   Character Mix: While 81 percent of passwords are alphanumeric, 28 percent
   are just lowercase letters plus a single final digit -- and two-thirds of
   those have the single digit 1. Only 3.8 percent of passwords are a single
   dictionary word, and another 12 percent are a single dictionary word plus
   a final digit -- once again, two-thirds of the time that digit is 1.

   +------------------+-------------+
   | character mix    | share       |
   +------------------+-------------+
   | numbers only     | 1.3 percent |
   | letters only     | 9.6 percent |
   | alphanumeric     | 81 percent  |
   | non-alphanumeric | 8.3 percent |
   +------------------+-------------+

   Only 0.34 percent of users have the user name portion of their e-mail
   address as their password.

   Common Passwords: The top 20 passwords are (in order): password1, abc123,
   myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1,
   football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23,
   slipknot1, superman1, iloveyou1 and monkey. (Different analysis [4]here.)

   The most common password, "password1," was used in 0.22 percent of all
   accounts. The frequency drops off pretty fast after that: "abc123" and
   "myspace1" were only used in 0.11 percent of all accounts, "soccer" in
   0.04 percent and "monkey" in 0.02 percent.

   For those who don't know, Blink 182 is a band. Presumably lots of people
   use the band's name because it has numbers in its name, and therefore it
   seems like a good password. The band Slipknot doesn't have any numbers in
   its name, which explains the 1. The password "jordan23" refers to
   basketball player Michael Jordan and his number. And, of course, "myspace"
   and "myspace1" are easy-to-remember passwords for a MySpace account. I
   don't know what the deal is with monkeys.

   We used to quip that "password" is the most common password. Now it's
   "password1." Who said users haven't learned anything about security?

   But seriously, passwords are getting better. I'm impressed that less than
   4 percent were dictionary words and that the great majority were at least
   alphanumeric. Writing in 1989, Daniel Klein [5]was able to crack (.gz) 24
   percent of his sample passwords with a small dictionary of just 63,000
   words, and found that the average password was 6.4 characters long.

   And in 1992 Gene Spafford [6]cracked (.pdf) 20 percent of passwords with
   his dictionary, and found an average password length of 6.8 characters.
   (Both studied Unix passwords, with a maximum length at the time of 8
   characters.) And they both reported a much greater percentage of all
   lowercase, and only upper- and lowercase, passwords than emerged in the
   MySpace data. The concept of choosing good passwords is getting through,
   at least a little.

   On the other hand, the MySpace demographic is pretty young. Another
   [7]password study (.pdf) in November looked at 200 corporate employee
   passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent
   with non-alphanumeric characters, and a 7.8-character average length.
   Better than 15 years ago, but not as good as MySpace users. Kids really
   are the future.

   None of this changes the reality that passwords have outlived their
   usefulness as a serious security device. Over the years, password crackers
   have been getting [8]faster and faster. Current commercial products can
   test tens -- even hundreds -- of millions of passwords per second. At the
   same time, there's a maximum complexity to the passwords average people
   are [9]willing to memorize (.pdf). Those lines crossed years ago, and
   typical real-world passwords are now software-guessable. AccessData's
   [10]Password Recovery Toolkit -- at 200,000 guesses per second -- would
   have been able to crack 23 percent of the MySpace passwords in 30 minutes,
   55 percent in 8 hours.
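   An added example, not part of the essay or the forwarded message: a small
   Python audit that buckets a constructed sample list the way the essay does
   (length, character mix, "lowercase letters plus a single final digit") and,
   for the 200,000 guesses-per-second rate quoted above, works out how long
   exhausting every lowercase-plus-one-digit password of a given length takes.
   The sample passwords and the guess rate are assumptions for illustration.

```python
from collections import Counter

# Constructed sample, not the MySpace data; mimics the patterns the essay describes.
SAMPLE = ["password1", "abc123", "blink182", "soccer", "monkey1",
          "123456", "iloveyou1", "Jordan23", "p@ssw0rd!",
          "fool2thinkfool2thinkol2think"]

def mix_class(pw):
    """Character-mix bucket as used in the essay's second table."""
    if not pw.isalnum():
        return "non-alphanumeric"
    if pw.isdigit():
        return "numbers only"
    if pw.isalpha():
        return "letters only"
    return "alphanumeric"

def is_lower_plus_digit(pw):
    """True for 'lowercase letters plus a single final digit', e.g. monkey1."""
    head, tail = pw[:-1], pw[-1:]
    return len(pw) >= 2 and head.isalpha() and head.islower() and tail.isdigit()

def length_bucket(pw):
    """Length bucket as used in the essay's first table."""
    n = len(pw)
    if n <= 4:
        return "1-4"
    if n >= 13:
        return "13-32"
    return str(n)

def profile(pws):
    """Percentage breakdown by length, mix class and the weak lowercase+digit shape."""
    total = len(pws)
    lengths = Counter(length_bucket(p) for p in pws)
    mixes = Counter(mix_class(p) for p in pws)
    weak = [p for p in pws if is_lower_plus_digit(p)]
    ends_in_1 = sum(1 for p in weak if p[-1] == "1")
    return {
        "length_pct": {k: 100 * v / total for k, v in lengths.items()},
        "mix_pct": {k: 100 * v / total for k, v in mixes.items()},
        "lower_plus_digit_pct": 100 * len(weak) / total,
        "final_digit_is_1_share": ends_in_1 / len(weak) if weak else 0.0,
    }

def hours_to_exhaust(letters, digits, guesses_per_sec):
    """Hours to try every lowercase-letters-then-digits password of this shape."""
    keyspace = 26 ** letters * 10 ** digits
    return keyspace / guesses_per_sec / 3600
```

   With the assumed 200,000 guesses per second, every six-lowercase-letters-plus-one-digit
   password (the shape behind "monkey1") is exhausted in under five hours, well inside the
   essay's eight-hour window.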

   Of course, this analysis assumes that the attacker can get his hands on
   the encrypted password file and work on it offline, at his leisure; i.e.,
   that the same password was used to encrypt an e-mail, file or hard drive.
   Passwords can still work if you can prevent offline password-guessing
   attacks, and watch for online guessing. They're also fine in low-value
   security situations, or if you choose really complicated passwords and use
   something like [11]Password Safe to store them. But otherwise, security by
   password alone is pretty risky.

   This essay originally [12]appeared on Wired.com.


   [16]link

References

   Visible links
   1. http://www.infoworld.com/infoworld/article/06/10/27/HNphishingmyspace_1.html
   2. http://news.netcraft.com/archives/2006/10/27/myspace_accounts_compromised_by_phishers.html
   3. http://www.securiteam.com/securitynews/6O00M0AHFW.html
   4. http://www.infoworld.com/article/06/11/17/47OPsecadvise_1.html
   5. http://www.klein.com/dvk/publications/#crack
   6. http://ftp.cerias.purdue.edu/pub/papers/gene-spafford/spaf-OPUS-observe.pdf
   7. http://www.fredstie.com/thesis/survey/survey_report.pdf
   8. http://www.lockdown.co.uk/?pg=combi&s=articles
   9. http://download.lawr.ucdavis.edu/pub/CambridgePWStudy.pdf
  10. http://www.accessdata.com/products/decryption/
  11. http://passwordsafe.sourceforge.net/
  12. http://www.wired.com/news/columns/0,72300-0.html
  13. http://feeds.feedburner.com/~f/schneier/fulltext?a=X8nXeMPk
  14. http://feeds.feedburner.com/~f/schneier/fulltext?a=cNpfrCoy
  15. http://feeds.feedburner.com/~f/schneier/fulltext?a=qLJYrmlD
  16. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

----- End forwarded message -----


