RockYou Hack Reveals the Worst 20 Passwords
-
Haven't read the article (because it took so long to load that I got bored and went away), but to be honest any site which stores a password in any form other than one-way encrypted or SHA hashed is not one I realy want to visit.
All those who believe in psycho kinesis, raise my hand.
OriginalGriff wrote:
any site which stores a password in any form other than one-way encrypted or SHA hashed is not one I realy want to visit.
With at least one exception, I suppose? Hint: Code Project ;)
My .NET Business Application Framework My Home Page My Younger Son & His "PET"
-
The article doesn't actually say that they don't. Given the passwords, the list could have been constructed by a bot hacking accounts with a bot using a dictionary attack, but I suspect your assumption that they just stored the passwords either clear text or with reversible encryption is correct. 5 for the observation, which I heartily agree with.
-
from the article: By far, the most popular password on the site was "123456," apparently satisfying a minimum character limit on the site's password restrictions, but doing little for security. A full 290,731 users used this password, far more than the runner-up, the slightly less complex "12345, which attracted 79,078 uses. clickty[^] I have learned a simple trick to create mid-to-strong password by simple substitution. Let us take "codeproject" as case example, it goes as follows - first let us capitalize some letters => CodeProject - substitute "o" with "0" => C0deProject - upper case e (E) can be imagined as mirror image of 3 => C0d3Pr0j3ct - let us sprinkle some chars (SHIFT 3 = # on the US layout keyboard) => C0d#Pr0j#ct - Finally P can be imagines as mirror image of 9 => C0d#9r0j#ct So we went from codeproject => C0d#9r0j#ct and I can use Code Project as my password hint. :cool: The cool part is there is no limit to the imagination and the resulting password can be as close as random characters. How do you create your password?
Yusuf May I help you?
I use A real simple forty-two character password
Need custom software developed? I do custom programming based primarily on MS tools with an emphasis on C# development and consulting. A man said to the universe: "Sir I exist!" "However," replied the universe, "The fact has not created in me A sense of obligation." --Stephen Crane
-
from the article: By far, the most popular password on the site was "123456," apparently satisfying a minimum character limit on the site's password restrictions, but doing little for security. A full 290,731 users used this password, far more than the runner-up, the slightly less complex "12345, which attracted 79,078 uses. clickty[^] I have learned a simple trick to create mid-to-strong password by simple substitution. Let us take "codeproject" as case example, it goes as follows - first let us capitalize some letters => CodeProject - substitute "o" with "0" => C0deProject - upper case e (E) can be imagined as mirror image of 3 => C0d3Pr0j3ct - let us sprinkle some chars (SHIFT 3 = # on the US layout keyboard) => C0d#Pr0j#ct - Finally P can be imagines as mirror image of 9 => C0d#9r0j#ct So we went from codeproject => C0d#9r0j#ct and I can use Code Project as my password hint. :cool: The cool part is there is no limit to the imagination and the resulting password can be as close as random characters. How do you create your password?
Yusuf May I help you?
Just how important is a very secure password when the site you are using gets hacked and exposes your PW in plain-text?
Need custom software developed? I do custom programming based primarily on MS tools with an emphasis on C# development and consulting. A man said to the universe: "Sir I exist!" "However," replied the universe, "The fact has not created in me A sense of obligation." --Stephen Crane
-
from the article: By far, the most popular password on the site was "123456," apparently satisfying a minimum character limit on the site's password restrictions, but doing little for security. A full 290,731 users used this password, far more than the runner-up, the slightly less complex "12345, which attracted 79,078 uses. clickty[^] I have learned a simple trick to create mid-to-strong password by simple substitution. Let us take "codeproject" as case example, it goes as follows - first let us capitalize some letters => CodeProject - substitute "o" with "0" => C0deProject - upper case e (E) can be imagined as mirror image of 3 => C0d3Pr0j3ct - let us sprinkle some chars (SHIFT 3 = # on the US layout keyboard) => C0d#Pr0j#ct - Finally P can be imagines as mirror image of 9 => C0d#9r0j#ct So we went from codeproject => C0d#9r0j#ct and I can use Code Project as my password hint. :cool: The cool part is there is no limit to the imagination and the resulting password can be as close as random characters. How do you create your password?
Yusuf May I help you?
Yusuf wrote:
How do you create your password?
Take a poem, song lyric, quote, etc, and use the first letter from each word. You can get 20-30 characters easy. That other stuff is just too hard to remember.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
-
I have the free version but the generated passwords are hard to remember. By the way who am I :confused:
-
Just how important is a very secure password when the site you are using gets hacked and exposes your PW in plain-text?
Need custom software developed? I do custom programming based primarily on MS tools with an emphasis on C# development and consulting. A man said to the universe: "Sir I exist!" "However," replied the universe, "The fact has not created in me A sense of obligation." --Stephen Crane
Ennis Ray Lynch, Jr. wrote:
Just how important is a very secure password when the site you are using gets hacked and exposes your PW in plain-text?
Well said.
Yusuf May I help you?
-
I've read a few more articles about the breach. Plaintext passwords in the DB and a simple SQL injection attack were involved.
3x12=36 2x12=24 1x12=12 0x12=18
Oooo! I love the smell of professionalism in the morning!
All those who believe in psycho kinesis, raise my hand.
-
Haven't read the article (because it took so long to load that I got bored and went away), but to be honest any site which stores a password in any form other than one-way encrypted or SHA hashed is not one I realy want to visit.
All those who believe in psycho kinesis, raise my hand.
even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds.
-
even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds.
Good point!
All those who believe in psycho kinesis, raise my hand.
-
I have the free version but the generated passwords are hard to remember. By the way who am I :confused:
djj55 wrote:
By the way who am I
Tonight on America's Dumbest Criminals, we deal with Identity theft. My name's ...????
"WPF has many lovers. It's a veritable porn star!" - Josh Smith
As Braveheart once said, "You can take our freedom but you'll never take our Hobnobs!" - Martin Hughes.
-
Good point!
All those who believe in psycho kinesis, raise my hand.
-
from the article: By far, the most popular password on the site was "123456," apparently satisfying a minimum character limit on the site's password restrictions, but doing little for security. A full 290,731 users used this password, far more than the runner-up, the slightly less complex "12345, which attracted 79,078 uses. clickty[^] I have learned a simple trick to create mid-to-strong password by simple substitution. Let us take "codeproject" as case example, it goes as follows - first let us capitalize some letters => CodeProject - substitute "o" with "0" => C0deProject - upper case e (E) can be imagined as mirror image of 3 => C0d3Pr0j3ct - let us sprinkle some chars (SHIFT 3 = # on the US layout keyboard) => C0d#Pr0j#ct - Finally P can be imagines as mirror image of 9 => C0d#9r0j#ct So we went from codeproject => C0d#9r0j#ct and I can use Code Project as my password hint. :cool: The cool part is there is no limit to the imagination and the resulting password can be as close as random characters. How do you create your password?
Yusuf May I help you?
Don't forget to include a couple of :-) in you pwd. (or :-( for your online banking).
-
Yusuf wrote:
How do you create your password?
Take a poem, song lyric, quote, etc, and use the first letter from each word. You can get 20-30 characters easy. That other stuff is just too hard to remember.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
Passwords are just a giant PITA tho. It bugs me that just about any site or organisation I go to that requests I use a password, all have a completely different policy on how the password is composed, some accept all alphanumeric characters, some don't, some specify a number at the start of the string, others at the end, it leads me to having a multitude of passwords, that, more often than not, I have to go through the rigmarole of resetting a password everytime I visit a site, because I cant remember the exact sequence of characters for that specific sites password. Now surely that is defeating the object of having a password in the first place. With that in mind, you can see why some people just use strings like "123456" as at least it is easy to remember. I wish someone would invent another way to protect access to your stuff on line.....
-
even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds.
-
from the article: By far, the most popular password on the site was "123456," apparently satisfying a minimum character limit on the site's password restrictions, but doing little for security. A full 290,731 users used this password, far more than the runner-up, the slightly less complex "12345, which attracted 79,078 uses. clickty[^] I have learned a simple trick to create mid-to-strong password by simple substitution. Let us take "codeproject" as case example, it goes as follows - first let us capitalize some letters => CodeProject - substitute "o" with "0" => C0deProject - upper case e (E) can be imagined as mirror image of 3 => C0d3Pr0j3ct - let us sprinkle some chars (SHIFT 3 = # on the US layout keyboard) => C0d#Pr0j#ct - Finally P can be imagines as mirror image of 9 => C0d#9r0j#ct So we went from codeproject => C0d#9r0j#ct and I can use Code Project as my password hint. :cool: The cool part is there is no limit to the imagination and the resulting password can be as close as random characters. How do you create your password?
Yusuf May I help you?
-
I use A real simple forty-two character password
Need custom software developed? I do custom programming based primarily on MS tools with an emphasis on C# development and consulting. A man said to the universe: "Sir I exist!" "However," replied the universe, "The fact has not created in me A sense of obligation." --Stephen Crane
Where do *you* bank. :)
Currently reading: "The Prince", by Nicolo Machiavelli
-
even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds.
> even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds. What you do is include a "salt" value when you create the hash. This is a known random value, stored with the hash. You apply it with the password when creating the hash to see if it matches, but is really difficult to apply in the reverse direction. So a simple dictionary-style comparison won't work.
-
even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds.
That is why you use the user name and a private string to salt the hash, so no two users with the same password will have the same hashed password. Because of the private string you can not even generate a hash and inject that into the database.
-
> even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds. What you do is include a "salt" value when you create the hash. This is a known random value, stored with the hash. You apply it with the password when creating the hash to see if it matches, but is really difficult to apply in the reverse direction. So a simple dictionary-style comparison won't work.
AndreasMertens wrote:
his is a known random value, stored with the hash.
yes, i know what a salt is. but, even if a salt value was used, it's sitting right there in the DB along with the hash. and you already know the target password, so the problem of finding who used that password remains trivial.
