
RockYou hack reveals easy-to-crack passwords

Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy to guess login credentials. Sensitive login credentials - stored in plain text - were left exposed because of a SQL injection bug in RockYou's …

COMMENTS

This topic is closed for new posts.



But they don't

>If users (as they often do) use the same login credentials for social networking sites and more sensitive accounts

That's the whole point, people use junk passwords for all those sites that insist on a password for no good reason - and keep the secure ones separate for important uses, like er' reg comments.


"People" or "techies"?

One would like to think that was true - and certainly among Reg readers it probably is - but I'm not so sure about Joe Public. The subtleties of strong passwords might evade them (if they can even be bothered with a complex password), as might the issues surrounding your banking password being at one with your favourite pr0n site.

Internet banking vs. Internet spanking, if you will.

Coat. Yep.


Mr.

I'm not going to vote you down, but I think you're wrong for the majority of users out there.


What that guy said

Don't get me wrong... You guys are great (other commenters). I mean we have some terrific discussions on here, and sometimes, well, I just don't know how I would get by without your helpful advice! But, TBH, if my reg account got h4x0r3d... I'd probably just make a new one, and try to get on with my life. I post as AC mostly anyhow.


Mr.

My reply above was directed at "Yet another anonymous user"


Security Fail

So not only was this site open to a SQL injection attack, but the passwords were stored in plain text?

Fail.


I stopped at that bit too

Just imagine how many shiny web 2.0 sites are secured in this way. Even storing a simple password hash with salt makes it orders of magnitude more difficult.


Shame on (rock) you...

Most of those passwords would not be allowed if even the most basic restrictions were imposed by RockYou when they were created (i.e. 8 or more characters and containing at least letters and numbers).

Apparently RockYou weren't even requiring a minimum password length!

Of course people are stupid and will choose stupid passwords given half the chance, but this still says more about how inept RockYou were as a service provider.

Anonymous Coward

Strong passwords are hard

I once had a project where the client (a marketing guy) asked for strong passwords to be required, so I built a strong password validator for the site; when the client was asked to test it, he said it didn't work.

It did work, but it was just too hard for him to create a password that was strong :P

In addition to requiring caps, non-caps, numbers and symbols, it wouldn't let you use your first or last name, username, email or any sequence like qwerty, wertyu or asdf in your password.

My password here on the reg is definitely weak ;)

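The validator that comment describes, as an added example that is not the poster's code: the keyboard rows, the run length of four adjacent keys, and "anything that is not a letter or digit" as the symbol class are my assumptions.

```python
import re

# Added example: the rules from the comment above. Keyboard rows and the
# run length of 4 are assumptions, not values the poster gave.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_RUN = 4


def keyboard_runs():
    """Every run of MIN_RUN adjacent keys, forwards and backwards (qwer, rewq, ...)."""
    runs = set()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - MIN_RUN + 1):
            chunk = row[i:i + MIN_RUN]
            runs.add(chunk)
            runs.add(chunk[::-1])
    return runs


KEYBOARD_RUNS = keyboard_runs()


def validate_password(password, first_name, last_name, username, email):
    """Return the list of failed rules; an empty list means the password is accepted."""
    failures = []
    if not re.search(r"[A-Z]", password):
        failures.append("needs an upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("needs a lower-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("needs a symbol")

    lowered = password.lower()
    # Personal details are matched case-insensitively as substrings; the
    # local part of the email address (before the @) counts on its own too.
    personal = {first_name, last_name, username, email, email.split("@")[0]}
    for item in sorted(personal):
        if item and item.lower() in lowered:
            failures.append(f"contains personal detail {item!r}")

    # Report the first window of the password that is a keyboard run.
    for i in range(len(lowered) - MIN_RUN + 1):
        chunk = lowered[i:i + MIN_RUN]
        if chunk in KEYBOARD_RUNS:
            failures.append(f"contains keyboard sequence {chunk!r}")
            break
    return failures


if __name__ == "__main__":
    # Constructed user record for the demonstration.
    user = dict(first_name="Jane", last_name="Doe", username="jdoe", email="jane.doe@example.com")
    print(validate_password("M7#kLp2vQx", **user))  # []
    print(validate_password("JaneDoe99!", **user))  # personal-detail failures
    print(validate_password("qwerty", **user))      # class and keyboard-run failures
```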
Anonymous Coward

Strong passwords are easy

Pa55word!

There, that's strong.

Strong passwords are easy if people are given the right mental tool(s).

Why does this stupid site demand yet another password => wdt55dy4p

No capitals or symbols, but at nine characters it doesn't really matter. The above is good enough. I've been working with some passwords recently that are so "strong" that they are weak - you can neither memorise them nor type them in accurately; hence the only thing to do is store them on a computer. Duh!

Anonymous Coward

True but...

Horses for courses...

It's not generally considered necessary to enforce typical 'strong password' rules on social networking sites etc. However, I would at least have expected RockYou to have required a minimum of 8 characters and the use of letters & numbers, which is the general convention for online services which store personal data.

I own a Hotmail account for which the password is only 6 characters and a dictionary word, since it was set up in 1996 before minimum password strength rules became widely used. I don't use the account but keep the password as it is for sentimentality's sake ;oP


But but

"However, I would at least have expected RockYou to have required a minimum of 8 characters and the use of letters & numbers, which is the general convention for online services which store personal data."

Er.. how many accounts were compromised through weak passwords, and how many were compromised by the stupid and completely unnecessary fuckwitty fail of storing CLEARTEXT?

The mind boggles - just HOW difficult is hashFunc(password) ; on the way into a DB?

How can anyone that mind-numbingly retarded be expected to mandate any sort of password regime?


Good passwords.

Write the passwords down and store them somewhere safe, eg sealed in an envelope and stuck in a safe.

Consider using a passphrase rather than a password. For example: 'Red Lorry Yellow Lorry' and then perform a standard substitution, eg always replace 'e' with '3'. Really easy to remember but incredibly hard to crack. Or another approach is to use a mnemonic. For example 'I live in Birmingham but work in Stratford' would give you a password of IliBbwiS; substitute '1's for 'i's and $ for all the 's'es and you have a great password: Il1Bw1$, and easy for you to remember.

Anonymous Coward

Overly strong security

"I've been working with some passwords recently that are so "strong" that they are weak - you can neither memorise them nor type them in accurately; hence the only thing to do is store them on a computer. Duh!"

That's my biggest gripe. My highest risk online account - a business bank account - has a

- login name (required as you can have multiple users for a bank account)

- Login password

- Authentication password

- item 4 which I can't even remember

All of them must be 8 digits or more and it asks for a number of "nth digit"s to validate. Even after a few years with the same credentials there's no way I can achieve anything without them written down in front of me.

Likewise my work account which has 30 day password expiry (effectively 20 days as that's when it starts nagging you daily that your password will expire). I started off with secure passwords but over a few years they've become steadily less secure to the point where it's now trivial.


Storage?

"......the only thing to do is store them on a computer."

Gosh, if only most people were that security-conscious. A post-it note stuck on the screen is rather more common in my experience.


At least we hope they don't

Guess it depends how valuable users perceive their personal (and I guess sometimes *very* personal details) to be.

But yes these are staggeringly trivial.

But *another* SQL injection attack.


princess ??!!

Where did that come from?


Where did that come from?

Diana fanboys maybe?

Anonymous Coward

@first poster

Are you actually that naive, or is that sarcasm? Maybe the people who read sites like the Reg do that, but everyone else?


..er...

...passwords stored as unencrypted strings? wtf? :)


Hash

Nobody encrypts passwords. You hash them.


Users are lazy

I've had experience creating a system requiring a user to create a strong password, and also had problems with users that can't remember their 'overly-complicated passwords'.

The bottom line is unless you use a password generator (I use Deadbolt Password Generator) to create strong unique passwords for every site or a password safe of some kind (although I don't like storing ALL my passwords in one place) people will always have trouble remembering good passwords and will stick to using weak ones instead.


What counts as a strong password?

What if you use a dictionary word but replace certain letters with numbers, leet-style, ie 3 for E etc? Not that that's what I do, I'm just saying. STOP TRYING TO GUESS MY PASSWORD!


That's my policy...

.... but with the added protection of using a *Welsh* dictionary. (It may as well be a random selection of letters, as far as most people in the world are concerned.)

Flames, cos we likes to keep the (holiday) home fires burning...


Re: That's my policy...

I'll see your Welsh dictionary and raise you my personal conlang!

Take words from my conlang like Kaseryndhalan, Dwimmathdene and Khatalinlat, replace the vowels with numbers - K4s3ryndh4l4n, Dw1mm4thd3d3 and Kh4t4l1nl4t - and I have easy-to-remember passwords that nobody's going to guess... :)

Conlangs are an awesome and uncrackable means of encryption too if you take the time and effort to develop one. For example, I can guarantee that there are only 3 people, including myself, on this planet who would be able to translate this statement:

Hyarin marhyad thiel ke koyanad kya shariadi adawaya kya khanya kha simain. Saeli tielyad kya kelduran kha sharath kya tunai anlani re shalayneth lamanya dawya gharan.


RE: That's my policy...

"For example, I can guarantee that there are only 3 people, including myself, on this planet who would be able to translate this statement:"

I can guarantee that there are no people who are interested.


LOL

Hyarin marhyad thiel ke koyanad kya shariadi adawaya kya khanya kha simain. !!!

Shalayneth lamanya dawya gharan.

Cuttlefish!


SQL Injection

DROP DATABASE ROCKYOU.

someone. please. for everyone's sake.


Pass*word*?

Passphrase is the way forward.

cantbruteforcethisitstoolong.


As so often, it’s length that counts

You can tell the advice from Microsoft and Sophos has come from computer scientists. To remember your passphrase, you need to work through the algorithm you used to generate it, flawlessly. Once a passphrase has been used a few times, most people are much better at remembering a list of words than a list of letters and symbols; words are an intrinsic part of brain function. If you want a stronger passphrase, just add another word. There’s much better advice on The Diceware Passphrase Home Page [1], including a measure of strength.

Unfortunately, you still come across websites with instructions like “Choose Password (6-10 characters):”

BTW, your example passphrase may not be as strong as you think. It's a sentence fragment, not a list of random words, so the words are interdependent.

[1] http://www.world.std.com/~reinhold/diceware.html

Anonymous Coward

Too many pointless passwords

There are just so many places that need passwords that it is completely unrealistic to expect people to remember a different one for every place. As YAAC said above, most people I know keep one password for serious stuff and another for waste of space passwords that they don't care about.

Another problem is that best practice really doesn't work in most environments.

We have access to a government database which every member of the company needs to get into - from directors to pool secretaries, and there's supposed to be full traceability. Its password policy requires each user not only to have mixed alphanumeric 12 digit passwords with no logical sequences and so on, but requires a change every month. Surprise surprise, after the first couple of months no one could remember the passwords they had last come up with, so we spent hours every week on the phone to the govt dept concerned resetting accounts. In the end, we just decided it wasn't worth the bother and told everyone to write the blasted things down. Self defeating password policy. You could blame us for not having superhuman powers of recalling random character strings, but at the end of the day, humans are not machines - and people who come up with password policies need to be realistic.


Does it matter?

If the users don't give enough of a shit to use strong passwords, why should anyone cry for them when they get haxx0rzed?


Mr.

I like to think of a random song, then use the initials to the lyrics.

I had "oidltbbtss" once for a while (oh i do like to be beside the sea-side) - yeah, technically only one s at the end, but when singing it my mind, 2 was easier.

The problem with ENFORCING overly complicated passwords is that people end up writing them down.


@Jamie Jones

I thought it was only me that did that...

Anonymous Coward

Quite common

I do that as well but with phrases, first sentence from a book, sayings, poetry. Sometimes uppercase the first two letters or the first and last then add an underscore and number on the end.


Nothing wrong with writing them down.

As long as you store them securely.

All my most important passwords are written down and stored in a sealed envelope inside a safe.


That's a cunning plan.

Where have you written the combination to the safe?


Obviously

it's in a text file which is encrypted with a strong passphrase.


Old vs New problem

"Persuading users to use stronger passwords is an age-old problem that dates back to the dawn of the PC era."

It's not an old problem, it's a new problem.

In the old days, you had about 3 passwords; you had to convince the user to make them strong. Once they were strong, you could use them for a long time because they were secure. Because you didn't change them, you could remember them.

Now, we all have a dozen or so passwords. If we make them strong, they're hard to remember. The harder they are to remember, the more likely we are to reuse them. Because some people use weak passwords, corporate policies add a layer of security by forcing us to change them every few months.

I can remember every password I had on the computers at uni, because I used them frequently for a long time. My password for the office PC expires so quickly that I've barely learnt it by the time I'm asked to change it. The cognitive load is high, and every time I sit back down and unlock my PC, I have to filter out "noise" from half-a-dozen old and "other system" passwords before I get to log in.

So my passwords are getting weaker all the time as it's the only way to remember them.

It is a new problem -- it just looks similar to an old one.

Anonymous Coward

too true

I have so many I have to write them down: in a GPG encrypted document on a USB stick. At least the password for that key is reasonably long.


I favour barcodes, on webcam maybe

Let a reasonably difficult string be printed as a bar code on a convenient small card, or on a label to stick in a book, or a loose leaf binder.

Then let me show that card to my cheap PC digital camera in order to "type" the password.

Weaknesses, yes...


Strong passwords?

My employer (10,000+ employees) introduced a "strong" password policy similar to the one AC described, and they force them to be changed every 60 days. The result was that for the next six months, every second desk had a Post-it note with a weird word/number combination on it. Nowadays, most people I asked say they use a word that is visible on their desk and suffix it with the digits of the month they are forced to change it in. I wonder how many in my company are using Intel01?


OpenID?

Storing passwords has become like storing credit card numbers. Outsource it and move on with your core competency...


Like it

Now there's a practical idea I will probably use and recommend in future!


Behaviour Change

The vast majority of users are completely unaware of the importance of password security; these are casual users or the not-as-IT-literate-as-us users. It's not their fault; we're in an age where you can distinctly separate users into two groups: those who've grown up with IT and those who've lived most of their lives without it. It's the latter group who're responsible for most of these epic password fails, whereas those of us who've been using computers since puberty are well aware of the risks.

Any organisation who requests a password should attempt at least a basic explanation of how to set a strong password and why it's important, most of these RockYou customers will have no idea that they've left themselves vulnerable.

Of course some organisations, including my bank (which I won't name for obvious reasons), don't allow the use of special characters in passwords and should be held to account for being so lax.


Why use a strong password?

If the site isn't storing bank account information, why should I use a strong password? I hate sites that require more than 6 characters to protect, well, nothing!

Use strong passwords on your bank account sites and email but nothing else. Even Amazon won't let you retrieve credit card info. The worst someone could do is order you a product.


Re: Why use a strong password?

As more and more employers are using Google to find out about potential employees, it might be wise to ensure that no one can hack their social networking site accounts and update their list of hobbies with something they'd rather not be associated with. You won't even get to the interview stage to explain that your interest in goatse was the result of someone guessing your password, and even if you did, do you think they'd be impressed by the explanation? So either use a strong password or, like me, stay clear of such sites.


Why not Ms Vance?

She wrote the article on this in the NY Times today, conflict of interest, or has she left El Reg?


Mr.

Ashlee Vance is MALE


Hard passwords are easy to create....

Think of a colour.....think of an object...capitalize the first letter of each and put it together and swap out a few for numbers, voila!

R3dAer0plane

Gr33nB1ke

Purp1eB0ard

The list goes on and I doubt they are in a wordlist....

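As an added example that is not the poster's, the dictionary check a password-strength meter can apply to this colour-plus-object pattern (and to the earlier question about swapping letters for numbers, leet-style): undo the digit substitutions and test whether what remains is a colour word followed by an object word. The leet map and the two short word lists are constructed for this example; a real checker would use far larger lists.

```python
# Added example: a strength-meter style check that treats leet substitutions
# as the same letter and looks for a colour followed by an object. The map
# and word lists below are constructed for the example, not from the page.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "il", "+": "t"}

COLOURS = {"red", "green", "blue", "purple", "black", "white", "yellow", "orange"}
OBJECTS = {"aeroplane", "plane", "bike", "board", "car", "house", "tree", "boat"}
# Try longer words first so "aeroplane" is preferred to "plane" where both fit.
WORDS = sorted(COLOURS | OBJECTS, key=len, reverse=True)


def letter_options(ch):
    """Letters the character could stand for: itself, or every leet reading of it."""
    ch = ch.lower()
    return LEET.get(ch, ch)


def word_matches_at(password, pos, word):
    """True if `word` fits `password` at `pos` once leet substitutions are undone."""
    if pos + len(word) > len(password):
        return False
    return all(letter in letter_options(password[pos + i])
               for i, letter in enumerate(word))


def dictionary_segmentation(password, pos=0):
    """Split the whole password into dictionary words, backtracking as needed.

    Returns the list of words, or None if some part is not a known word.
    """
    if pos == len(password):
        return []
    for word in WORDS:
        if word_matches_at(password, pos, word):
            rest = dictionary_segmentation(password, pos + len(word))
            if rest is not None:
                return [word] + rest
    return None


def is_colour_object_pattern(password):
    """True when the password is exactly one colour word then one object word."""
    words = dictionary_segmentation(password)
    return (words is not None and len(words) == 2
            and words[0] in COLOURS and words[1] in OBJECTS)


if __name__ == "__main__":
    for candidate in ["R3dAer0plane", "Gr33nB1ke", "Purp1eB0ard", "wdt55dy4p"]:
        print(candidate, dictionary_segmentation(candidate), is_colour_object_pattern(candidate))
```

With eight colours and eight objects the pattern admits only 64 word pairs before leet variants, which is why a meter that recognises it should score these as dictionary passwords rather than random strings.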
