Comparative analysis of leaked Sony and Gawker passwords

While it's pretty awful that a million Sony users' passwords and 0.25 million Gawker passwords were published online, it has made for an interesting comparative analysis of the weaknesses in password protection, a subject near and dear to many security researchers' hearts.

Troy Hunt has published one such analysis, and it's a fascinating read, full of real, verifiable stats about the problems users have managing their passwords (for example, 67% of users with accounts on both Sony and Gawker used the same password for both).

In short, half of the passwords had only one character type, and nine out of ten of those were all lowercase. But the really startling bit is the use of non-alphanumeric characters:

Yep, less than 1% of passwords contained a non-alphanumeric character. Interestingly, this also reconciles with the analysis done on the Gawker database a little while back.

A brief Sony password analysis

(via Some Bits)


    1. My thoughts exactly. What’s the point of coming up with a password that looks like you had a stroke while typing if the company you entrust it to can’t keep it secret? Better to have a password like “boobs” with a company that has some decent security measures in place.

      1. Better to have a password like “boobs”

        That’s amazing. I’ve got the same combination on my luggage.

      2. I’ve always been partial to:
        An awesome elementary school LCD calculator giggle. There are many more.

        1. I typed that into the attorney’s calculator at my house closing and slid it across to my wife.

          She didn’t find it nearly as funny.

  1. I use my social security number for all my passwords.
    It’s 9 digits long, and can’t be easily guessed by hackers.

    1. Better idea, use a book title, replace o’s with 0’s


      Want a better password? Pick a favorite book, one you can Google the first few pages of, say Fahrenheit 451. Take your favorite sentence off the first page. I’ll take the first sentence, for example: “It was a pleasure to burn.” Let’s chop off the period, keep the capitals, and you have a password that will be quite strong against brute force etc., but say you have a site that doesn’t allow spaces: It*was*a*pleasure*to*burn. You’re worried about needing numbers? Sure, overkill, but why not: It*w4s*4*ple4sure*to*burn.

      Keep the same pattern and you won’t forget the passwords.

  2. Another interesting aspect is the input device used to enter in these passwords.

    While you can access a PSN account through a web browser, it also needs to be entered through devices such as the PS3 and portable devices. While a keyboard can be used on a PS3, a gamepad controller is the default and likely input device. That’s a significant factor in behavior when it comes to getting to alphanumeric characters.

    Gawker’s passwords are predominantly entered through devices with full keyboard input, so I find the input differences just as interesting with this research.

  3. There are still places that will not allow people to use a non-alphanumeric character in their passwords. I ran into it again last week. And if that’s the case, a lot of people will pull that special character out of their ‘default’ password simply so that they don’t have to remember too many variations.

    1. What do you mean no alphanumeric passwords allowed ? You mean I can’t have ‘; DROP DATABASE; ‘ as a password ?

  4. I have an honest question that maybe someone here could answer: If I use a password that is not a real word and is ten characters long, how much incremental gain in security do I get from including numbers or other characters?

    1. The link I posted is somewhat relevant to your question. Provided you use the RIGHT numbers or special characters, they can make your password security much more robust.

      From the article:
      PRTK (Password Recovery Tool Kit) also runs a four-character-string exhaustive search. It runs the dictionaries with lowercase (the most common), initial uppercase (the second most common), all uppercase and final uppercase. It runs the dictionaries with common substitutions: “$” for “s,” “@” for “a,” “1” for “l” and so on. Anything that’s “leet speak” is included here, like “3” for “e.”

      The appendage dictionaries include things like:
      All two-digit combinations
      All dates from 1900 to 2006
      All three-digit combinations
      All single symbols
      All single digit, plus single symbol
      All two-symbol combinations

    2. “I have an honest question that maybe someone here could answer: If I use a password that is not a real word and is ten characters long, how much incremental gain in security do I get from including numbers or other characters?”
      A lot of people use all lowercase passwords, so naturally a password cracker will try to brute force all lowercase combinations before they jump into any symbols. The difference in entropy between all lowercase is from 26 possible options for each character, to 69 possible options for each character. The search space jumps from 146,813,779,479,510 possible passwords to 2,482,167,502,723,212,150 possible passwords.

      Going by a hypothetical scenario where someone managed to get an online service’s database, but that online service managed to at least hash the passwords, and assuming the cracker has the capability to make one hundred billion password guesses per second (which isn’t unreasonable since someone built a homebrew rig that could make 33.1 billion password guesses per second) the 10 char alphanumeric password would take 24.47 minutes to guess. Replacing one character with a digit and another with a symbol changes that to taking 9.47 months to guess that single password. Pad that to 15 and it’ll take 8.52 hundred million centuries.

      Steve Gibson came up with a really good way to make secure and easily memorable passwords which I’d recommend using:

      Course you wouldn’t want to reuse the same pattern on random websites since if one was cracked and had plaintext they could look at your padding pattern. So I’d recommend using it in combination with something like LastPass or KeePass.

    3. Honestly, not all that much. As this whole ordeal demonstrates, most passwords are compromised not through decryption or brute force, but stealing them.

      If you’re choosing a password for an admin account or a role account on a server, or something that’s likely to see a lot of exposure, making it a target, it really doesn’t make much of a difference. For end-user stuff, as long as you pick something relatively arbitrary that has no personal connection, it won’t get guessed, even by a script.

      As someone who’s been a sysadmin at various times, I can say that it’s far safer to encourage people to choose simple, hard to guess passwords and encourage them to change them frequently than it is to enforce draconian password policy. If you force them to use difficult passwords, they’ll just get frustrated and write them down, share them with others, etc.

      It boils down to this simple fact: hackers probably don’t want your data. Your computer is more useful as a node in a botnet than as a source of data. If they do want it, it’s far less work for them to trick you into giving it to them than trying to extract it via technical means. Having safe passwords is less about syntactic complexity than it is about good stewardship.

    4. Assume, for simplicity, the following.
      1) The service you’re using is otherwise secure. That is, no one is going to simply steal your password and username out of their database.
      2) The service is susceptible to (and only to) brute-force attempts. That is, it will not lock you out after some number of false passwords. Some banks and such only allow a few wrong guesses before locking you out. In some cases you then have to wait and get a letter in the mail before re-setting the password.

      In that case, the difficulty of cracking your password grows exponentially with length. There are 26 lower and 26 upper case letters, and 10 digits. The number of possible length-n alphanumeric passwords is then 62^n. That is 1.2^n times more than letter-only, and 2.4^n times more than lower-case only.
      A truly random bit string, using all possible ASCII characters including some you can’t normally type, would give a password space of size 256^n. For a nine character password, this would be a billion times more difficult to guess than lowercase-only.

      My premises are, of course, unreasonable. Hacking a server is much easier than guessing individual passwords. Taking advantage of password re-use is quite effective as well, I’d expect.
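The search-space arithmetic in the two replies above (26 versus 69 symbols per position, the 62^n and 256^n figures, and the 24.47-minute estimate at one hundred billion guesses per second) written out so the numbers can be reproduced. This is an added example, not code from the original post or its commenters; the alphabets, the guess rate and the cumulative counting of every length from 1 to n are the commenters' assumptions carried over as-is.

```python
"""Reproduce the brute-force search-space figures quoted in the thread."""
from math import log2

LOWERCASE = 26            # a-z
ALNUM = 62                # a-z, A-Z, 0-9 (the thread's 62^n)
LOWER_DIGIT_SYMBOL = 69   # the commenter's "69 possible options" per position
GUESSES_PER_SECOND = 100_000_000_000   # 1e11, the rate assumed in the thread


def search_space(alphabet: int, length: int, cumulative: bool = True) -> int:
    """Number of candidates an exhaustive search must try.

    With cumulative=True every length from 1 up to `length` is counted, which
    is how the thread arrives at 146,813,779,479,510 for ten lowercase
    characters (26 + 26**2 + ... + 26**10) rather than the bare 26**10.
    """
    if cumulative:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random string over `alphabet` symbols."""
    return length * log2(alphabet)


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second.

    This is an upper bound: the full-alphabet figure only applies when the
    attacker cannot narrow the structure (e.g. "one digit, one symbol")."""
    return space / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit, two decimals."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.2f} seconds"


def compare(length: int) -> dict:
    """Side-by-side figures for one password length over the three alphabets."""
    rows = {}
    for name, alphabet in (("lowercase", LOWERCASE),
                           ("alphanumeric", ALNUM),
                           ("lower+digits+symbols", LOWER_DIGIT_SYMBOL)):
        space = search_space(alphabet, length)
        rows[name] = {"space": space,
                      "bits": round(entropy_bits(alphabet, length), 1),
                      "exhaust": describe(seconds_to_exhaust(space))}
    return rows


if __name__ == "__main__":
    for length in (10, 15):
        print(f"length {length}:")
        for name, row in compare(length).items():
            print(f"  {name:22s} {row['space']:>30,d}  "
                  f"{row['bits']:5.1f} bits  {row['exhaust']}")
```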

  5. Strong passwords are better. Assuming the passwords are encrypted in storage, the hacker has to decrypt them with a rainbow array or similar strategy. Essentially, you can’t just reverse the encryption a password is stored with, but you can come up with a long list of possible alternatives. If one of those is ‘9G;oW%]fe3’ and one of them is ‘boobs’, guess which one gets selected as the most likely candidate?

    1. “Assuming the passwords are encrypted in storage”

      Except according to the article (which I just read) Sony had these passwords stored as plain text, which is, frankly, fucking unbelievable. And in that case you make a good point.

      In the case of almost every other website in the world, including the website your local primary school set up to advertise their annual fete, passwords stored in the database would be encrypted.

      Sony should switch to WordPress, for Christ’s sake.

    2. Strong passwords may be better than weak ones but poor password choice is still not how most people get hacked. How long would it take to successfully hack 1.25 million individual “weak” passwords if Sony and Gawker had been doing their jobs?

      Unless you’re a particularly interesting individual (rich, celebrity, corporation etc.) it’s highly unlikely that any hacker is going to dedicate a lot of time and effort on you personally.

      1. I guess it’s a question of incentive, so if there’s money involved it pays to use a strong one because someone might well spend the time on cracking it.

        I do get your point though that you wouldn’t want to waste a secure password that you have committed to memory on a website that treats your privacy with complete contempt, ie stores them in plain text in a public directory. Like Sony did.
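The storage side of the thread above: what it means to keep passwords hashed (what the comments call "encrypted") with a per-user salt and a slow derivation, so that a leaked table does not hand out the plaintext and a single precomputed table (the "rainbow array" mentioned above) cannot be reused across every user. This is an added example, not code from Sony, Gawker or the original post; the record format, the iteration count and the sample password "password1" (taken from a comment on this page) are this example's own constructed choices.

```python
"""Salted, iterated password storage versus a bare hash or plaintext."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # cost factor; illustrative value, slows each offline guess
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """A plain, unsalted hash.  Identical passwords give identical digests,
    so one precomputed table answers the question for every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated digest and pack it into a self-describing
    record: algorithm$iterations$salt_hex$digest_hex (constructed format)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the match."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_defeat_shared_tables(password: str) -> bool:
    """Two users with the same password get two unrelated records, yet both
    still verify.  Note this does nothing for a guessable password: the
    attacker simply runs the same derivation over a wordlist per user."""
    first, second = store_password(password), store_password(password)
    return (first != second
            and verify_password(password, first)
            and verify_password(password, second))


if __name__ == "__main__":
    record = store_password("password1")   # sample password from the thread
    print("stored record:", record)
    print("unsalted digest, same for every user:", unsalted_digest("password1"))
    print("correct password verifies:", verify_password("password1", record))
    print("wrong password verifies:  ", verify_password("password2", record))
```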

  6. My gawker password “sucks” according to these rules as well. It’s lowercase letters and some numbers (random, non-words), but it’s also just gawker. It’s not the password I use for email, and it’s most definitely not the one I use for banking, work, etc…all of which have unique and complicated passwords. Guess what? I also use a pretty simple password for boingboing. Having someone hijack my gawker/boingboing commenting identity is pretty low on the list of things that keep me up at night.

    You know what also really sucks? The lock on my basically empty tool shed. Oh my god, but don’t I know there are guys who can pick those locks in like 10 seconds?! I’m such an idiot! They may steal my rake and shovel and bag of soil!

    1. I clicked through to the comments to say basically the same thing. You beat me to it, so, I guess I’ll just say: +1


  7. I have my random password generator set to generate 10-character alphanumeric passwords because then when something tells me “no special characters” I don’t have to run it again. None of these passwords has ever been cracked to my knowledge.

    It barely matters anyway, though. The only time anyone has the opportunity to even attempt a dictionary attack against your password is after something like these Sony or Gawker incidents. People don’t even know *why* they’re supposed to have “strong passwords”, and it’s to prevent against an attack that’s only even possible in extreme cases like this. Even if your online banking password is “boobs” it’s pretty unlikely that someone is going to guess it in the five tries they get before the bank locks them out, anyway.

  8. To reiterate a point made by others, I have a very great password for banking. It goes above and beyond the standards required by IT back during my days of top secret gov’t clearance. But a few months back my bank sent me a letter notifying me that an IT person “lost” a hard drive that contained all my information. The bank was nice enough to automatically sign me up for identity theft insurance (on their dime of course), but the point is, a lot of good my fancy password did me. I’m more worried about lost hard drives, paper records thrown into dumpsters, etc. than I am about whether my password has the proper mix of upper and lowercase, numbers, and special characters.

    1. Hah! As if I’d be that stupid. I use password1 for my BB account, it’s the ‘1’ at the end that fools them.

  9. Huh, I’ve often wondered what kind of things were in a ‘dictionary attack’ – with the link to the txt file in that article I was able to check out and see if any of my passwords I regularly use was in there (yes, I reuse my passwords, except for very important accounts like my gmail, but I do at least use one password for sites I trust, one for sites I’m unsure of and others for sites I don’t trust). Anyway, it turns out a password I use on one site was in the list, this on the only account that I have had hacked (afaik) and have therefore changed the password recently, as it turns out to a vulnerable one.

  10. I’ve been hacked, identity thefted or whatever you want to call it three times. In each case, it was done by physical theft of a physical receipt (two credit card accounts) or physical mail (bank account). I just can’t bring myself to worry about someone hacking my comment account at the fancy goldfish forum.

  11. What sort of fuckwit decides to store a million passwords as plaintext?
    That takes a special kind of stupidity.

  12. Why would you be surprised by this? Unless a site has my credit card details or other private information, I use the same weak password. I don’t really care if someone can post comments using my boingboing account, for example. Even facebook doesn’t matter that much.

    1. That is what I used to do, then I switched to lastpass. Now I use a good unique pw everywhere.

      But they recently had a security incident. In theory, they are a zero knowledge set up, so I should be fine.

  13. Not really a representative sample. I subbed a numeric for non-alphanumeric for my playstation password because it’s difficult to enter punctuation on a Playstation controller.

  14. The best security is sometimes no security. A lot of websites that I use, BoingBoing included, have simple all lower case passwords. A dictionary attack won’t get it, but it would be rejected by my company’s security policy for multiple failures. So what? If you care enough to hack my BoingBoing account, what exactly are you going to do? Troll in my name? I can live with that. If I had a Sony account, it would have gotten that junk password. My Sony password and my e-mail account are completely useless. At best, you might be able to troll a few forums in my name. I can live with that.

    The only sites worth having real security on are ones that matter. My banking password and my Amazon account have strong passwords. My Google account, which could potentially give you ALL of my passwords has 2-step encryption so that you would not only need to know my password, but also have my phone. At that point, it means you have a gun to my head and I’m probably not going to fret if you break into my bank account.

    Frankly, the password obsession is a bit much to begin with. The difference between a 6-letter all-lower-case password (300 million combinations) that can’t fall to a dictionary attack and one that is 32 random characters is pretty minimal and not worth thinking about except in truly high security situations. It is better to have something you can remember and don’t have to write on post-it notes that can be “hacked” by someone looking at the post-it note. The only reason to enforce any sort of password standard is to prevent people from doing “boobs” as a password.

    Far more important is to have some sort of 2-step authentication on things that are worth locking down. It isn’t a perfect defense. Someone can always take a security token and put a gun to your head, but for most people, a cell phone and a password is security enough. I give big props to Google for doing a really good job on their 2-step encryption for gmail.

  15. Far more important is to have some sort of 2-step authentication on things that are worth locking down.

    Ah, two-factor authentication. Something you know, and something you stole while working for RSA.

  16. Well agreed with many of these comments; Gawker password? Not worth my time to burn one of my good memorized ones. I’ve got a relatively shitty default for unimportant site logins. Gmail? That there is a strong fucking password.

  17. Umm, just a quick question. How could you analyze the passwords if they were encrypted? Are you admitting that the gawker password database stores passwords in plain text?


  18. Also, it’s really easy to turn a date into a strong password that you can easily memorize. You’ve already got upper and lower case, plus numbers. Add a NAN character and create an ordering system that you use for all your passwords.

  19. Why would anyone use a strong password for a Gawker or Sony account or anything so insignificant? If someone wants to hack either of those accounts, i say have fun with it, you’ve earned it, and it’ll make a good story for me.

    Email and banking on the other hand…

  20. For me, one of the more surprising facts about this is that 2/3 of the users who have both a Sony account and a Gawker account have the same password.

    I’m not surprised at all that most people reuse their passwords.

    The surprising twist here is that the Gawker data was released 5 months ago. That means that 2/3 of the Gawker victims kept using the same password for multiple accounts even after they knew this password had been published on the web with their email addresses for months!

    Does Boing Boing store our passwords as plain text? If so, I’m going to change mine to something rude and humorous.

  21. I think the main lesson is don’t use the same passwords everywhere. That’s, of course, easier said than done unless you use something like 1Password (which I love).

  22. Punctuation symbols move on different keyboard layouts (letters too, but not so much, unless it’s French). Is the keyboard I’m using UK, US or Swiss? And no, often the keyboard layout doesn’t always match the keyboard appearance. I discovered this the hard way, trying to login from an Icelandic keyboard when my password contained a £ sign. My first requirement for a password is that I can use it to login, security actually comes second.

  23. It takes three touches on a picture of a key to type some characters on an iPad, and the layout of the pictures of keys changes between applications. That and hearing “Oh, you have an iPad! That’s sooo cool!” are the biggest annoyances of using an iPad for work. I did set up my password for something that I use only at work without special characters because of the multiple “keystrokes” per character feature.

  24. There’s definitely a tradeoff with password crackability. How likely is it that someone will actually attack your password, versus just getting it off the server, or through a keylogger, or by raiding ‘saved passwords’ or some other method. How valuable is that access anyway?

    For most people, keeping difficult passwords – right or wrong – just doesn’t seem worth the effort.

  25. Passwords are tools & if this many people are unwilling or unable to use them “properly”, maybe the problem lies not with the users but with the tools offered to them. A system that requires human users to memorize & have perfect recall of multiple unique, long & complex passwords is a broken system.

    1. Thank you.

      I once worked on a campaign that was really concerned about security so they put the three main passwords all employees used to access important data on a 1 month rotating schedule. It wasn’t like they all switched on the same day either.

      The net result was that everyone put a post it note on the front of their computer with their current passwords.

      Security Fail

      Any system designed to work in complete opposition to human nature is a moronic system.

  26. PasswordMaker is still my go-to solution — I enter my “easy” password, it hashes it with the site URL and produces a strong password.

  27. I have a written list of some 30+ sites and the usernames and passwords I use for them.

    I use all the tips for creating the passwords that need the highest security, but it’s just impossible to maintain dozens and dozens of passwords, all with letters, numbers and punctuation, all unique and hard to crack.

    And as others have pointed out, it’s all a waste of time because you quickly discover that your password only really gets hacked 2 ways:

    a phishing site tricks you into entering it;

    someone steals it online, or some moronic employee takes everyone’s data somewhere and loses it.

  28. Another “is this password safe” question:

    A few months ago I switched from having 2-3 strong passwords for my 6-7 Important Accounts (banks, etc) to having 1 strong password with small variations on it for each account.

    So I now have a 10-character strong “base” password (mixed-case alphanumeric) with 3 extra unique characters bracketing it for each of the 6-7 important websites.

    How secure is this strategy?

    1. SamSam, if your “base” password is followed by, say, “aol” as your variation for your AOL account, your three-letter OneWest Bank variation would be easy as hell to pick off. In fact, one could argue that strategy is _worse_, as it provides a simple key for every other password if one is compromised.

      1. Yes, if someone works out the system (which is slightly more complex than your suggestion, but only slightly).

        But the idea was that each site had a cryptographically very secure password (14 alphanumeric mixed-case characters), and each site had a different password, all while being extremely easy to commit to memory.

        So it would take a long time for someone to crack one of them, and even if one of the sites has a horrendous breach of security and was storing plain-text passwords (mine couldn’t be rainbow-tabled), the hackers would need to be looking at all the hundreds of thousands of passwords by hand, see mine and guess there was a system to it, rather than doing any of the kind of automated processing in the article above.

        At least that was the idea.

  29. This is my password, how secure is it?


  30. I read a really easy way to make strong passwords on lifehacker: make a sentence for each site you visit “I made this 1 sentence for my BoingBoing password” and use the first letter of each word “Imt1sfmBBp”.

    It’s a good mnemonic, and easy to use.
