Crummy passwords from Yahoo users

Cory Doctorow at 2:20 pm Thu, Jul 12, 2012

The dump of 450,000 Yahoo passwords by a group calling itself "D33ds Company" has been analyzed by Anders Nilsson (apparently these passwords were stored in the clear). Here's the topline:

Total entries = 442773
Total unique entries = 342478

Top 10 passwords
123456 = 1666 (0.38%)
password = 780 (0.18%)
welcome = 436 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Top 10 base words
password = 1373 (0.31%)
welcome = 534 (0.12%)
qwerty = 464 (0.1%)
monkey = 430 (0.1%)
jesus = 429 (0.1%)
love = 421 (0.1%)
money = 407 (0.09%)
freedom = 385 (0.09%)
ninja = 380 (0.09%)
writer = 367 (0.08%)

Password length (length ordered)
1 = 117 (0.03%)
2 = 70 (0.02%)
3 = 302 (0.07%)
4 = 2748 (0.62%)
5 = 5323 (1.2%)
6 = 79610 (17.98%)
7 = 65598 (14.82%)
8 = 119125 (26.9%)
9 = 65955 (14.9%)
10 = 54756 (12.37%)
11 = 21219 (4.79%)
12 = 21728 (4.91%)

Statistics of the "450.000 leaked Yahoo accounts". (via Waxy)
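As an added illustration (not Anders Nilsson's tool and not code from this post), here is how a summary like the one above is produced from a plain list of passwords, which is the kind of audit a site operator can run on its own credentials before an attacker does. The base-word rule (drop leading and trailing non-letters, lowercase the rest) is an assumption, since the page does not state the original analysis rule, and the sample list is constructed.

```python
import re
from collections import Counter

# Constructed sample in the style of the leaked list; not data from the dump.
SAMPLE = [
    "123456", "123456", "password", "password1", "Password!",
    "welcome", "welcome1", "ninja", "ninja2012", "qwerty",
    "abc123", "monkey", "jesus1", "a", "x1", "sunshine",
]

def base_word(pw):
    """Assumed base-word rule: drop leading/trailing non-letters, lowercase.
    An approximation; the page does not state the original tool's rule."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()
    return core or None  # all-digit/symbol passwords have no base word

def pct(n, total):
    """Share of the total, rounded to two decimals as in the post's table."""
    return round(100.0 * n / total, 2)

def analyze(passwords, top=10, min_len=6):
    """Exact-match, base-word and length tallies, plus a count of entries
    shorter than min_len (the policy gap the commenters point at)."""
    exact = Counter(passwords)
    bases = Counter(b for b in map(base_word, passwords) if b)
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": len(passwords),
        "unique": len(exact),
        "top_passwords": exact.most_common(top),
        "top_base_words": bases.most_common(top),
        "lengths": sorted(lengths.items()),
        "below_min_len": sum(n for ln, n in lengths.items() if ln < min_len),
    }

def report(passwords):
    """Render the tallies in the same layout as the post."""
    s = analyze(passwords)
    out = [f"Total entries = {s['total']}", f"Total unique entries = {s['unique']}"]
    for title, key in (("Top passwords", "top_passwords"),
                       ("Top base words", "top_base_words")):
        out.append("")
        out.append(title)
        out += [f"{k} = {n} ({pct(n, s['total'])}%)" for k, n in s[key]]
    out += ["", "Password length (length ordered)"]
    out += [f"{ln} = {n} ({pct(n, s['total'])}%)" for ln, n in s["lengths"]]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Note that "password" counts 3 as a base word but only once as an exact password in the sample, the same effect that puts it at 780 exact versus 1373 base-word hits in the real list.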

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.


  • https://twitter.com/PhoetrySlam Cyran0

     ”Password length (length ordered)

    1 = 117 (0.03%)

    2 = 70 (0.02%)

    3 = 302 (0.07%)”

    I’m seriously shocked and appalled that Yahoo! would even allow someone to register using a password that vulnerable.

    • novium

      I don’t think they do- maybe it’s been grandfathered in?

  • RedShirt77

    This isn’t really that bad; out of nearly 450,000 there seem to be less than 10,000 moronic passwords. I would have guessed it would be much worse than that.

    Clearly the biggest issue with internet security is not passwords, rather it’s that hackers keep stealing hundreds of thousands of passwords. Someone in IT probably couldn’t remember all their incredibly complicated passwords and saved them all in a text file…

  • http://twitter.com/spockosbrain Spocko

    If I’m cracking in the field, how can I remember all these common passwords? With this mnemonic device.

    My password? First I welcome a qwerty monkey to my home and ask, “Does Jesus love money, freedom, ninjas or writers?” Answer in 1,2,3,4,5,6,7,8,9. Come on Princess, while the sun is shining! It’s as easy as abc123.

  • http://twitter.com/nagmay Gabriel Nagmay

    ^ Looks like Clifford’s yahoo account was one of those hacked.

  • https://twitter.com/PhoetrySlam Cyran0

    An unsolicited and totally legit work-from-home internet post?

    I smell a Clifford the Big Red Herring . . .

  • Boundegar

    Does this mean “monkey jesus love money” is a bad password?

    • http://artdonovan.typepad.com Art

      Here’s a better password!

      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race

  • http://twitter.com/KEdwardK Keith Edwards

    What’s even more shocking is that there are nearly half a million people still using Yahoo!.

    • http://twitter.com/yytnim mintyy

      It doesn’t say that these are of current users. They could be accounts inactive since 2003. Maybe even YOUR old account!

    • sigdrifa

      For me, not so much shocking (as in: you can only be shocked the first time you hear something) but exasperating — every time I get an e-mail from one of my two friends who don’t want to start over somewhere else. At least the chat situation isn’t too bad — thank you, Pidgin.

  • Shibi_SF

    I thought that this was a dump of just Yahoo Voice users’ passwords.  Is it ALL Yahoo users?  (Mr. Shibi’s Yahoo email addresses were compromised at about 3am this morning — and he is not a Yahoo Voice user, but this could be unrelated to that.)

    • RedShirt77

      Who uses yahoo voice?

      • Shibi_SF

        Not us.  I don’t know what it is.  I try to only go to reputable sites to look at reputable things like cats with poorly spelled captions or indifferent cats in awkward situations with naked folks.

    • sigdrifa

      Isn’t that the same login as for every other Yahoo service?

  • http://segonmedia.com/ Seg

    Even more interesting is when you cross-reference the leaked PSN accounts from a year ago with the Yahoo leak. Of the 302 accounts with the same usernames, 60% were the same passwords.

    http://www.troyhunt.com/2012/07/what-do-sony-and-yahoo-have-in-common.html

    • RedShirt77

      This does at least point at the bigger problem more than the few qwerty users out there.

      Why do we allow the discussion of security to be hijacked by this mocking of people we think are stupid?

      If you started logging into accounts by guessing the common stupid passwords, your rate of success would be well below 1%, and the act of guessing on so many accounts would probably raise a red flag somewhere. Meanwhile phishing and large-scale theft are common, and reusing the same password everywhere seems to be the result of ever-increasing complexity and rotation of passwords.

      • sigdrifa

        Unfortunately, that is something it’s particularly hard to convince non-tech-savvy people of. Most of my friends fall into that category, and trying to switch them to a solution as simple as, e.g., Keepass — of which there are versions for all major OSes — seems to be an impossible task.

  • RioMcT

    and yet my old Flickr password of 45rpm7″Single! is just as secure as “password” after Yahoo got hacked.

    • Henry Pootel

      Yup.  Kinda like, why bother?

    • iondiode

      Correct! I mean analyzing this is all very well and good, but these passwords weren’t obtained through brute force. They were available in the clear. Boo.
      I think email is pretty dumb anyway, but it seems to be de rigueur for providing an identity on the internet. I guess it’s better than Facebook, but come on, people, there has to be a better way!

  • http://www.facebook.com/JohnJoeHickey John Hickey

    What site lets you use a one-character password? Something seems wrong here.

  • nvlady

    Yahoo!, that’s cute.
    I have 3 passwords of different levels of complexity that I use everywhere, from Photobucket to Amazon to my bank and 401k. I change them every 6 months. I know if I can’t remember one, then it’s gotta be one of the three. :)

  • Pirate Jenny

    I use my Yahoo email account for shopping, mailing lists, and anything else that’s likely to result in spam (because the spam filter is pretty good, and this keeps my personal email account from being overrun with less important stuff). So this is pretty annoying to me. How many more times does this have to happen before companies learn to lock that shit down?

  • http://www.facebook.com/Daniel.Baron Dan Baron

    I am disappointed that the most common four are not love, secret, sex, and god.

    • Coderjoe

      Here are the counts for those as the entire password. (They do occur as part of a more complex password a lot, however.)

          52 secret
          46 love
           3 god
           2 sex

  • http://twitter.com/LennStar_de LennStar

    I always wonder why it is 123456 and not 12345 or 1234567, and why it is not 987654321, which is much easier to type for right-handed people (with your left hand running over the keys and hitting enter, or clicking with the right) than, say, 123456, the most common one. (And it is “saver” ;))

  • noah django

    where is this list of passwords?  I wanna ctrl-f it and see if I’m on it, but all google gives me is Ars Technica’s coverage and everyone else citing Ars, including BB’s first post.

    FUCKING LINK, PLEASE!

    • sigdrifa

      I was thinking the same thing when it said in the Ars article that they were not posting the link but that, at the time of writing, it wasn’t too hard to find. I didn’t even bother to search; I went and changed my Yahoo password right away. I only use Yahoo for chat (with some people I can’t convince to switch) and I never used their voice service (not even sure if it’s available in Europe; probably not), but I thought it wouldn’t hurt.

  • Uthor

    I’d imagine a lot of the weak passwords come from people treating it as a throwaway account. I have tons of logins in places I don’t care about, usually registered so I could post a single comment on a webpage, that have a weak password that’s probably easy to hack.

  • Sparrow

    Fortunately, I couldn’t find CorrectHorseBatteryStaple on the list, so my password is safe for now.

  • jrs505050

    I have a Yahoo account with the password as “password.” I don’t use it except for when I don’t want to use my real email.

  • Rossi

    I’m gratified that Jesus is just beaten out by monkey.