RockYou Hack Reveals the Worst 20 Passwords

#26 Member 4593559

David Crow wrote:

    Yusuf wrote:

        How do you create your password?

    Take a poem, song lyric, quote, etc., and use the first letter from each word. You can get 20-30 characters easily. That other stuff is just too hard to remember.

Passwords are just a giant PITA, though. It bugs me that just about any site or organisation I go to that requests I use a password has a completely different policy on how the password is composed: some accept all alphanumeric characters, some don't, some specify a number at the start of the string, others at the end. It leads me to having a multitude of passwords, so that, more often than not, I have to go through the rigmarole of resetting a password every time I visit a site, because I can't remember the exact sequence of characters for that specific site's password. Now surely that is defeating the object of having a password in the first place. With that in mind, you can see why some people just use strings like "123456", as at least it is easy to remember. I wish someone would invent another way to protect access to your stuff online...
#27 wibleywoo

Chris Losinger wrote:

    even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds.

    image processing toolkits | batch image processing

Unless the hashes are salted... still possible to find a match, but you would need to generate a new hash for each check.
#28 CP028

Yusuf wrote:

    From the article: "By far, the most popular password on the site was "123456," apparently satisfying a minimum character limit on the site's password restrictions, but doing little for security. A full 290,731 users used this password, far more than the runner-up, the slightly less complex "12345," which attracted 79,078 uses." clickty[^]

    I have learned a simple trick to create a mid-to-strong password by simple substitution. Let us take "codeproject" as a case example; it goes as follows:
    - first let us capitalize some letters => CodeProject
    - substitute "o" with "0" => C0deProject
    - upper case e (E) can be imagined as a mirror image of 3 => C0d3Pr0j3ct
    - let us sprinkle some chars (SHIFT 3 = # on the US layout keyboard) => C0d#Pr0j#ct
    - finally, P can be imagined as a mirror image of 9 => C0d#9r0j#ct

    So we went from codeproject => C0d#9r0j#ct and I can use Code Project as my password hint. :cool: The cool part is there is no limit to the imagination and the resulting password can be as close as random characters.

    How do you create your password?

    Yusuf May I help you?

https://www.grc.com/passwords.htm[^]
#29 Brad Stiles

Ennis Ray Lynch Jr wrote:

    I use a real simple forty-two character password

Where do *you* bank? :)

Currently reading: "The Prince", by Nicolo Machiavelli
#30 Andreas Mertens

Chris Losinger wrote:

    even if they are hashed, you can find out who uses "123456" by generating the hash for "123456" and finding the matches in your list of hashed pwds.

What you do is include a "salt" value when you create the hash. This is a known random value, stored with the hash. You apply it with the password when creating the hash to see if it matches, but it is really difficult to apply in the reverse direction. So a simple dictionary-style comparison won't work.
#31 Member 2053006

In reply to Chris Losinger (quoted above).

That is why you use the user name and a private string to salt the hash, so no two users with the same password will have the same hashed password. Because of the private string you cannot even generate a hash and inject that into the database.
#32 Chris Losinger

Andreas Mertens wrote:

    This is a known random value, stored with the hash.

Yes, I know what a salt is. But even if a salt value was used, it's sitting right there in the DB along with the hash, and you already know the target password, so the problem of finding who used that password remains trivial.
#33 Andreas Mertens

In reply to Chris Losinger (#32).

Ah, you mean in terms of auditing "weak" passwords, and not in terms of trying to hack into a system...
#34 Andreas Mertens

(continuing #33)

Mind you, though, the problem becomes more complicated: instead of a simple query (PW A generates hash B; select * from table where Hash = "hash a") you now have to do some level of processing against each user's login data.
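The two points made in #31 and #34, as an added example that is not code from this thread: a per-user salt means two users with the same password store different hashes, so a defender auditing a credential store against a known-weak list must re-hash that list once per user instead of once in total. All data is constructed here, and PBKDF2-HMAC-SHA256 is an assumption standing in for whatever scheme a real site uses.

```python
import hashlib
import hmac
import os

# Constructed weak list: the thread cites "123456" and "12345" as the two
# most common RockYou values; the rest are made-up filler for the demo.
WEAK_LIST = ["123456", "12345", "password", "iloveyou", "princess"]
ITERATIONS = 10_000  # kept low so the demo runs quickly


def hash_password(password, salt, iterations=ITERATIONS):
    """Per-user salted hash. PBKDF2-HMAC-SHA256 is an assumption standing in
    for whatever a real site uses; the audit logic does not depend on it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_store(records):
    """records: iterable of (username, password). Returns rows as a site would
    store them: username, random per-user salt, salted hash. Plaintext is dropped."""
    rows = []
    for username, password in records:
        salt = os.urandom(16)
        rows.append({"user": username, "salt": salt, "hash": hash_password(password, salt)})
    return rows


def make_unsalted_store(records):
    """Contrast case: plain SHA-256 of the password, no salt."""
    return {user: hashlib.sha256(pw.encode()).digest() for user, pw in records}


def audit_unsalted(store, weak_list=WEAK_LIST):
    """One digest per weak password finds every user sharing it:
    len(weak_list) hash computations in total, one dictionary lookup per row."""
    lookup = {hashlib.sha256(pw.encode()).digest(): pw for pw in weak_list}
    return {user: lookup[digest] for user, digest in store.items() if digest in lookup}


def audit_salted(store, weak_list=WEAK_LIST):
    """Per-user salts force the weak list to be re-hashed for every row:
    len(store) * len(weak_list) hash computations in the worst case.
    Returns {username: weak_password} for the rows that match."""
    findings = {}
    for row in store:
        for candidate in weak_list:
            digest = hash_password(candidate, row["salt"])
            if hmac.compare_digest(digest, row["hash"]):
                findings[row["user"]] = candidate
                break
    return findings


if __name__ == "__main__":
    sample = [("alice", "123456"), ("bob", "correct horse battery staple"),
              ("carol", "12345"), ("dave", "123456")]
    print("unsalted:", audit_unsalted(make_unsalted_store(sample)))
    print("salted:  ", audit_salted(make_salted_store(sample)))
```

In the unsalted store alice and dave share one digest; in the salted store their hashes differ and only the per-row recomputation finds both.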
#35 Trevortni

In reply to Yusuf's original post (quoted above).

I've been thinking, for quite some time, about coming up with an algorithm to generate passwords on the spot for any site that would satisfy a few requirements:

1. MUST be simple enough to do in my head (or it will be unusable)
2. Changes predictably from site to site for someone who knows the details of the algorithm (which would be only myself)
   a. Includes components from the name of the website (ensures different passwords for different sites)
   b. Includes a random element (my master password, if you will) to ensure that even if someone knew the algorithm, they would still be missing a crucial piece to generate the password
3. Includes some sort of serialization; in the event that I need to change a password, I could generate using the next password off of a set iteration technique
4. Meets standard best password techniques (mixes of upper- and lower-case letters, numbers, and symbols), but is flexible enough to drop one or more of these if the site does not allow them
5. Ditto for password length
6. Can predict the stock market and alter reality, and will cause me to be chased by various governmental agencies and religious societies who want to use the algorithm for various unspecified nefarious or not-so-nefarious purposes.[^]

Any suggestions?
#36 grgran

In reply to Yusuf's original post (quoted above).

200,000 users have now changed their password to C0d#9r0j#ct, with a hint that is a link to this thread. :laugh:
#37 bkrubnzi

Dan Neely wrote:

    I've read a few more articles about the breach. Plaintext passwords in the DB and a simple SQL injection attack were involved.

    3x12=36 2x12=24 1x12=12 0x12=18

I don't get your sig.
#38 Dan Neely

bkrubnzi wrote:

    I don't get your sig.

Your hint is: "There are only 10 kinds of programmers. Those who get it, and those who do not."
#39 Dan Neely

Andreas Mertens wrote:

    Ah, you mean in terms of auditing "weak" passwords, and not in terms of trying to hack into a system...

In terms of both. It won't get you a specific victim's account, but testing every user's password against the idiot list will let you access a large number of random accounts. Depending on what sort of mischief you're up to, that may be sufficient.
#40 bkrubnzi

Yusuf wrote:

    How do you create your password?

I like to create passwords using phonetic replacement, so take a phrase like:

    All men are created equal

This would become something like:

    @m3nRCr8ted=

Even if someone knows the 'gist' of the password (like, for instance, your pet's name or something), it makes it much more difficult to guess. I like mathematical and boolean operators too, like:

    power to the people => ^2dPpl
    Candy Apple => K&&3@pl

-B
#41 Yusuf

grgran wrote:

    200,000 users have now changed their password to C0d#9r0j#ct, with a hint that is a link to this thread. :laugh:

Hmmm, it'll be the number 1 password in the dictionary.
#42 Kenneth Kasajian

In reply to Yusuf's original post (quoted above).

Think of a sentence that you can easily remember, enter the first letter of every word in caps, then finish off by adding something like: $j1

ken@kasajian.com / www.kasajian.com
#43 Hired Mind

In reply to Yusuf's original post (quoted above).

I let RoboForm choose a truly random password for me. Unfortunately, any semi-mechanical system such as you've outlined makes it easier to attack. There are tools out there right now that will take a list of dictionary words and transform them into l33tSp34k. While that increases the password space by 3 or 4 times, that's nowhere near a random password, in which all possible combinations have to be tried. Note: I'm not associated with RoboForm, just a satisfied customer.
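A policy-side check for the substitution trick Yusuf describes and the weakness Hired Mind points out, as an added example that is not code from this thread: a password is rejected when undoing common character substitutions recovers a dictionary word, so C0d#9r0j#ct is caught as a variant of "codeproject" rather than rated as strong. The substitution table, the mini-dictionary and the policy thresholds are constructed here; a real checker would carry a full wordlist and a larger table.

```python
import itertools

# Constructed substitution table: each symbol lists the letters it commonly
# stands in for. '#' -> 'e' encodes the thread's 3 -> # step and '9' -> 'p'
# its mirror-image step. A real checker would carry a much larger table.
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "9": "p", "@": "a", "$": "s", "#": "e", "!": "i", "+": "t", "|": "l",
}
# Constructed mini-dictionary; load a real wordlist in practice.
DICTIONARY = {"codeproject", "password", "princess", "iloveyou", "apple"}
MAX_CANDIDATES = 4096  # bound on the product expansion for symbol-heavy input


def unleet_candidates(password, max_candidates=MAX_CANDIDATES):
    """Yield lowercase plaintexts that could have produced `password` by
    substitution. Each substitutable symbol is kept as itself as well, so a
    literal digit in a word still matches. Output is capped to bound the work."""
    options = []
    for ch in password.lower():
        options.append(ch + LEET.get(ch, ""))  # the symbol itself, then its letters
    for n, combo in enumerate(itertools.product(*options)):
        if n >= max_candidates:
            return
        yield "".join(combo)


def dictionary_word_behind(password, dictionary=DICTIONARY):
    """Return the dictionary word a substitution-style password derives from,
    or None when no candidate is in the dictionary."""
    for cand in unleet_candidates(password):
        if cand in dictionary:
            return cand
    return None


def check_policy(password, dictionary=DICTIONARY, min_len=8):
    """Minimal policy: reject short passwords and substitution variants of
    dictionary words. Returns (accepted, reason). min_len is an assumption."""
    if len(password) < min_len:
        return False, "too short"
    word = dictionary_word_behind(password, dictionary)
    if word:
        return False, f"substitution variant of '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["C0d#9r0j#ct", "P@ssw0rd", "xK9!zt4Qm-77"]:
        print(pw, "->", check_policy(pw))
```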
#44 Adar Wesley

Dan Neely wrote:

    Your hint is: "There are only 10 kinds of programmers. Those who get it, and those who do not."

    3x12=36 2x12=24 1x12=12 0x12=18

Loved your hint! Had me LOL. I guess that's because I'm the 11th type of programmer, the type that gets it.

How many bugs can one line of code have?! --- Adar Wesley