Passwords

Started by okrìsti, June 26, 2011, 01:25:09 AM


okrìsti

Hi everyone,
You have probably heard the recent news about an infamous cracker group which is attacking various platforms, etc.
Just a few hours ago a list with access data from the beta phase of a game got released. Since I used to play it, I was wondering whether I was finally affected.
That's why I grabbed that file and examined it a bit.

It is basically ~550k rows, looking like "username"; "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6".

The second part is a hash, more precisely a 128-bit MD5 hash of the user's password.
Out of curiosity I analyzed it further and made a list of the most common "same passwords". I also (reverse-)looked up those which had more than 100 (yes, HUNDRED) matches (the number of people who used the same password).
There were 2588 who used "123456" as their password, 710 with "password" as password, 559 "qwerty", and many many more with such stupid passwords...
In total there are more than 15000 of those in groups larger than 100 with the same password.

Why on earth are people using some fancy patterns of keys, like 1q2w3e4r or 1qaz2wsx, as passwords (equal things on the numpad)?

There were only 380k unique ones (as far as MD5 is concerned, since collisions are possible) out of 550k users, in other words 170k with reoccurring passwords!

I really cannot believe my eyes; I had heard of people using such weak passwords, but really that many?

Not even considering the fact that the hashes were not even salted. :s

What do you think about such matters?
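A worked version of the analysis described in the post above, added here as an example (it is not code from the original thread). The dump rows are constructed (twelve made-up accounts in the "username"; "hash" layout the post describes), the wordlist is a made-up stand-in for a real dictionary, and the counting and reverse lookup work only because the hashes are unsalted:

```python
import hashlib
from collections import Counter


def md5hex(text: str) -> str:
    """Unsalted MD5 hex digest, the way the leaked site stored passwords."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked file: twelve made-up accounts in the
# "username"; "md5hex" row layout from the post (the real file had ~550k rows).
_SAMPLE_ACCOUNTS = [
    ("alice", "123456"), ("bob", "123456"), ("carol", "123456"),
    ("dave", "password"), ("erin", "password"),
    ("frank", "qwerty"), ("grace", "qwerty"),
    ("heidi", "1q2w3e4r"),
    ("ivan", "c0rrect-h0rse-b4ttery"), ("judy", "Tz9!kq#2Lm"),
    ("mallory", "xQ7$wv1Rbp"), ("oscar", "pLk3&nv8Zs"),
]
SAMPLE_DUMP = "\n".join(f'"{u}"; "{md5hex(p)}"' for u, p in _SAMPLE_ACCOUNTS)

# Constructed mini wordlist; a real run would use a proper dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "1q2w3e4r", "abc123"]


def parse_dump(text: str):
    """Turn '"user"; "hash"' lines into (user, hash) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _, digest = line.partition(";")
        rows.append((user.strip().strip('"'), digest.strip().strip('"').lower()))
    return rows


def duplicate_stats(rows, min_group: int = 2):
    """Count how often each hash occurs. Because there is no salt, equal
    passwords give equal hashes, so duplicates are visible without cracking.
    The post used min_group=100; the sample is too small for that."""
    counts = Counter(digest for _, digest in rows)
    return {
        "total": len(rows),
        "unique": len(counts),
        "reoccurring": len(rows) - len(counts),  # the post's 550k - 380k = 170k
        "groups": {d: n for d, n in counts.items() if n >= min_group},
    }


def reverse_lookup(digests, wordlist):
    """Hash the wordlist once and look every digest up in that table.
    One table serves all users precisely because the hashes are unsalted."""
    table = {md5hex(word): word for word in wordlist}
    return {d: table[d] for d in digests if d in table}


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    stats = duplicate_stats(rows)
    print(f"{stats['total']} rows, {stats['unique']} unique hashes, "
          f"{stats['reoccurring']} reoccurring")
    cracked = reverse_lookup(stats["groups"], WORDLIST)
    for digest, n in sorted(stats["groups"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} x {digest} -> {cracked.get(digest, '(not in wordlist)')}")
```

The "reoccurring" figure is simply rows minus distinct hashes, which is how the post's 170k is derived; the reverse lookup is a single precomputed table because every user's hash was computed the same way, with no per-user salt.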

guest2859

I think some people can't come up with a password easily, because I have to work on it. I just find a theme and develop codes off of that, but it's typically hard.

But for 170,000 people having a recurring password? Surely there's something stupid behind that.

akiwiguy

LulzSec did it. Idiots.

All of my passwords are 32 characters, mixed case, random numbers, letters, and symbols. And people who write login stuff without using salts are stupid.

bommel

I use KeePass to store all my passwords in an encrypted container. I just have to remember one password (though this is a long and complex one). I can really recommend this tool, and it's free / open source!

Sіr. Ηaxalot

Don't forget everyone that's using the same password as their email. If anyone gets access to your email you're basically f*** since they can get access to pretty much all sites you have registered with that email via password restore.

Niwantaw

I'm guilty of using a variant of the same password for most things but it's a jumble of letters that don't mean anything so I'm not too worried.

archaic

Mine are a mixed bag. Low security ones are embarrassingly simple (I'd forget them otherwise), higher security ones are more sophisticated (post-it notes on the monitor), but probably all are vulnerable.

'Oma Tirea

Generally I try to use as much variety in my passwords as possible, and definitely salt & pepper them up every time!


Human No More

Mine are strong.

PS. not that kind of salt :P

https://secure.wikimedia.org/wikipedia/en/wiki/Cryptographic_salt
In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored rather than the password, and still be used for authenticating users. The one-way function typically uses a cryptographic hash function. A salt can also be combined with a password by a key derivation function such as PBKDF2 to generate a key for use with a cipher or other cryptographic algorithm.

Without one, it is possible to use a rainbow table to break simple hashed passwords.


okrìsti

Even if the passwords are stored salted, that is no excuse not to use secure passwords.

I had another table looking like this:

id   | username   | password                         | salt          | ...
1337 | I am a DAU | e4ebb2f6bd1e62fe9a39f9806f2f845c | EC2cwCsHusrMA | ...
A simple selection like SELECT * FROM users WHERE password = MD5(CONCAT(MD5(salt), MD5(username))) yielded hundreds of hits.
Also it is not protected against dictionary attacks.

:o
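An added example (not code from the thread) tying together the salt definition quoted by Human No More above and the salted table and query in this post. It assumes a legacy MD5(salt || password) storage scheme, made-up salts and four constructed rows in the id / username / password / salt layout; the site's real scheme is not known from the thread. It shows why a salt defeats a single shared lookup table, why a fast salted hash still falls to a per-row dictionary attack, how to reproduce the post's MD5(MD5(salt), MD5(username)) check, and what a site should store instead (PBKDF2 with a random per-user salt):

```python
import hashlib
import hmac
import os

# Constructed mini wordlist; a real attack would use a proper dictionary.
WORDLIST = ["123456", "password", "qwerty", "1q2w3e4r", "letmein"]


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def legacy_salted_md5(password: str, salt: str) -> str:
    """Assumed legacy scheme for the example: MD5(salt || password).
    Salted, so one lookup table no longer fits all users, but still fast."""
    return md5hex(salt + password)


def precomputed_table(wordlist):
    """Unsalted lookup table: one MD5 per candidate, reusable for every user."""
    return {md5hex(w): w for w in wordlist}


def crack_salted_md5(digest: str, salt: str, wordlist):
    """Per-row dictionary attack. The salt forces the attacker to rehash the
    wordlist for each row, but with MD5 that costs almost nothing, which is
    the 'not protected against dictionary attacks' point of the post."""
    for candidate in wordlist:
        if legacy_salted_md5(candidate, salt) == digest:
            return candidate
    return None


def matches_saltuser_formula(digest: str, salt: str, username: str) -> bool:
    """Python form of the post's query:
    password = MD5(CONCAT(MD5(salt), MD5(username))).
    A matching row's stored value does not depend on any user-chosen password."""
    return digest == md5hex(md5hex(salt) + md5hex(username))


def pbkdf2_store(password: str, iterations: int = 200_000) -> dict:
    """What to store instead: a random per-user salt plus a slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def pbkdf2_verify(password: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


# Constructed rows (id, username, password, salt); salts and accounts are made up.
SAMPLE_ROWS = [
    (1, "alice", legacy_salted_md5("123456", "Zq81xLp"), "Zq81xLp"),
    (2, "bob", legacy_salted_md5("123456", "m4Kd0vT"), "m4Kd0vT"),
    (3, "carol", legacy_salted_md5("Tz9!kq#2Lm", "r7PwQ2e"), "r7PwQ2e"),
    (4, "dave", md5hex(md5hex("hH3sLq9") + md5hex("dave")), "hH3sLq9"),
]


def audit(rows, wordlist):
    """Run the three checks from the thread over every row."""
    table = precomputed_table(wordlist)
    findings = {}
    for _id, user, digest, salt in rows:
        findings[user] = {
            "in_unsalted_table": digest in table,
            "dictionary_hit": crack_salted_md5(digest, salt, wordlist),
            "salt_user_formula": matches_saltuser_formula(digest, salt, user),
        }
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_ROWS, WORDLIST).items():
        print(user, finding)
    rec = pbkdf2_store("123456")
    print("same password, fresh salt, different hash:",
          rec["hash"] != pbkdf2_store("123456")["hash"])
    print("verify ok:", pbkdf2_verify("123456", rec),
          "wrong password:", pbkdf2_verify("password", rec))
```

alice and bob share a password, yet their stored digests differ and neither appears in the unsalted table, which is all a salt buys; the per-row dictionary still recovers both in a handful of MD5 calls. With PBKDF2 at 200k iterations every guess costs about 200k HMAC computations per row, so the same wordlist run becomes expensive. Rows matching the MD5(MD5(salt), MD5(username)) formula deserve a look, since the value stored there was not derived from a password at all.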

Hufwe ta'em

I draw a cat face on my keyboard as a password!