
Myspace Passwords
September 18, 2006 1:50 PM

An Analysis of 20,000 Myspace Passwords
posted by matkline (41 comments total) 1 user marked this as a favorite

 
Specifically the myspace passwords of people who open spam and fall for phishing techniques.
posted by delmoi at 2:00 PM on September 18, 2006


Interesting. Thanks for posting this.
posted by pwb503 at 2:02 PM on September 18, 2006


Don't you mean fishing, delmoi?
posted by weapons-grade pandemonium at 2:08 PM on September 18, 2006


I'm not sure what the point is. I often use simple, easy to remember passwords on bullshit sites. If it's my work password or bank password, I'm going to use an alpha, numeric, punctuation random password (if allowed). But fuck it if someone finds out my ny times free signup password. More power to them for not having to sign up themselves.
posted by [insert clever name here] at 2:16 PM on September 18, 2006


the link is borked for me, it got slashdotted on sunday, probably been on and off since. In the slashdot comments i found:

a full mirror of the article (with image graph goodness)
and
coral cache of the article (text only)
posted by Merik at 2:18 PM on September 18, 2006


Huh. Some of those look familiar, from the time I ran crack on a university password file back in the early 90's. Among the most common passwords back then were "password", "iloveyou", and "fuckyou". No doubt "password" will still be the most common password a thousand years from now, but with only 12 hits out of 20000, I guess its popularity has declined somewhat. Adding a "1" to the end of a common word is popular as ever.

Very surprising that no common first names are near the top of the list.
posted by sfenders at 3:06 PM on September 18, 2006


wgp - he means phishing.
posted by bizwank at 3:07 PM on September 18, 2006


I bet having a lousy password correlates well with falling for a phishing scam.
posted by gurple at 3:13 PM on September 18, 2006


I think the analysis is tainted. There's no way of knowing who realized it was a phishing scam, and entered crap information.
posted by crunchland at 3:15 PM on September 18, 2006


In fact, he entered bogus info himself.
posted by goodnewsfortheinsane at 3:18 PM on September 18, 2006


Yes, I know, bizwank.
posted by weapons-grade pandemonium at 3:18 PM on September 18, 2006


Color me less than impressed with his analysis of password strength. He's spouting the same old, "your password must contain upper and lower case, numbers, symbols, Viking runes and squirrel noises" claptrap that corporate security types are so fond of.

If you have a 6 character all lower case password, and I'm trying to guess, I have to enter 150 million random passwords to have a 50/50 chance (26^6/2). If your server doesn't catch on after the first million or so incorrect entries, you really ought to pull the plug and then hang yourself with the cord. (That's you the operator, not you the user.)

Most weak passwords are weak because they're your wife's, girlfriend's, kid's, dog's, kitty cat's or favorite band's name or because they are on a post it note that's stuck to your monitor.
posted by Kid Charlemagne at 3:20 PM on September 18, 2006


Most weak passwords are weak because they're your wife's, girlfriend's, kid's, dog's, kitty cat's or favorite band's name or because they are on a post it note that's stuck to your monitor.

Or you give them out to random strangers because you think you're logging into myspace.
posted by one_bean at 3:26 PM on September 18, 2006


The best password is not a password, but a simple algorithm or procedure that requires no memorization of letters or numbers, and results in a different password for every site. You just need to figure out and memorize one algorithm.
posted by weapons-grade pandemonium at 3:49 PM on September 18, 2006


Such as?
posted by gottabefunky at 4:04 PM on September 18, 2006


How many people think algorithmically, on average? OTOH, how many people think in chunks?
posted by SeizeTheDay at 4:05 PM on September 18, 2006


Well, a simple example would be to double the first three letters of the site you're visiting, and alternate lower and upper case. Your password for MetaFilter would be mMeEtT. How difficult is that?

If you think for five minutes, you'll develop a very simple algorithm that nobody will ever guess, and your password will vary considerably--it could even vary in the number of characters, if you're clever with the algorithm.
posted by weapons-grade pandemonium at 4:22 PM on September 18, 2006


weapons-grade just gave away all my passwords =(
posted by mmdei at 4:22 PM on September 18, 2006


Well, you missed your last payment.
posted by weapons-grade pandemonium at 4:29 PM on September 18, 2006


The author of the passowrd analysis needs to get a life.

For starters, who cares if a person uses a bullshit password for myspace. It's not the passowrd for your banks website or your credit card issuer's website or nayhting important. It's myspace. That's not intended to demean myspace. It is what it is. I've got an account there too.

The author also seems to feel that it says something derogatory about the myspace users ig they used a yahoo or hotmail or aol account for their myspace email. Well who in their right mind would use a real account like from your internet provider. Yahoo, google and hotmail are perfect for bullshit signups. Now AOL...that's another story. Y'all deserve to be shot at sunrise if you are mixed up with AOL. :>
posted by bim at 4:38 PM on September 18, 2006


So...I hit post instead of preview...hence there are spelling mistakes. Whatever. :)
posted by bim at 4:39 PM on September 18, 2006


Nevertheless, "passowrd" is a much better password than "password". Great algorithm.
posted by weapons-grade pandemonium at 4:42 PM on September 18, 2006


I can imagine the Far Side cartoon:
Dyslexic Code Talkers of World War II.
posted by weapons-grade pandemonium at 5:17 PM on September 18, 2006


Wow, what's with all the hate? I don't recall the writer making very many value judgements at all. He just presented his flawed data and the flawed analysis, and came to a conclusion that said exactly the same thing as bim (AKA Mr. Grumpy Face):

Summary directly from the end of the article:
I consider strength two fine for a myspace account. It’s a basic password usually with upper or lower case and a number or symbol. Only 19% of the people had strength one, and for MySpace user’s track record for being computer illiterate, I don’t consider that bad. 46% of their passwords were seven digits, which is fairly long and would take a while to brute force. Combined with a captcha for invalid passwords, there’s no way it would be cracked. The Biggest email hosts were Yahoo, Hotmail, and then AOL. I’m Kind of surprised at that. Would have thought hotmail would have won out. If anyone would like some more tests done, feel free to contact me.

Bim, why exactly does he need to "get a life?" as you say? I think you need to "read the fucking article", as we say.
posted by muddgirl at 5:42 PM on September 18, 2006


The best password is not a password, but a simple algorithm or procedure that requires no memorization of letters or numbers, and results in a different password for every site. You just need to figure out and memorize one algorithm.

...the problem being of course, if someone gets one password they can potentially get all your passwords by figuring out the algorithm.
posted by MetaMonkey at 6:07 PM on September 18, 2006
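
Added example, not part of any comment in this thread: the doubling rule quoted above, implemented as stated, next to an assumed alternative (PBKDF2 keyed by a memorized passphrase, which nobody in the thread proposed). It shows that the quoted rule has no secret input, so it gives the same password to any two sites that share their first three letters; the site list and passphrase are constructed samples.

```python
import hashlib
from collections import defaultdict


def thread_scheme(site: str) -> str:
    """Rule quoted in the thread: first three letters, each doubled as lower+upper."""
    return "".join(ch.lower() + ch.upper() for ch in site[:3])


def keyed_scheme(passphrase: str, site: str, length: int = 16) -> str:
    """Assumed alternative (not from the thread): PBKDF2 keyed by a memorized
    passphrase, with the full lowercased site name as the salt."""
    raw = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), site.lower().encode(), 100_000
    )
    return raw.hex()[:length]


def shared_passwords(sites, derive):
    """Group sites by derived password; return only groups of two or more sites."""
    groups = defaultdict(list)
    for site in sites:
        groups[derive(site)].append(site)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


# Constructed sample list of site names.
SITES = ["MetaFilter", "Metacritic", "MySpace", "Slashdot"]

if __name__ == "__main__":
    # The rule depends only on the public site name.
    print(thread_scheme("MetaFilter"))
    # Sites sharing a three-letter prefix end up with one password.
    print(shared_passwords(SITES, thread_scheme))
    # With a secret input, the same site list produces no shared passwords.
    print(shared_passwords(SITES, lambda s: keyed_scheme("constructed passphrase", s)))
```
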


Muddgirl -- That's Ms. Grumpy Face to you. "Assume makes an ass out of me and you", as we say. ;)
posted by bim at 6:11 PM on September 18, 2006


So, what exactly is the point in running a phishing scam for myspace? I was under the impression that the whole idea was to get useful information, like paypal logins or bank details. I don't see any reason for a myspace scam.
posted by bob sarabia at 6:22 PM on September 18, 2006


                              Ass           U        ME
to assume makes an ass out of you and me.
(to be an ass about it)
posted by carsonb at 6:34 PM on September 18, 2006


maybe to login, change the password, and then hold the account hostage?
posted by owhydididoit at 6:38 PM on September 18, 2006


oops! in answer to bob sarabia...
posted by owhydididoit at 6:39 PM on September 18, 2006


(slightly more) on topic, I just use my luggage code for everything online:

1 (one, one) 2 (two, two) 3 (three, three) 4 (four, four) five (five, five)

it's the stupidest combination I've ever heard in my life!
posted by carsonb at 6:40 PM on September 18, 2006


off topic again, and in response to bob sarabia, people phish/crack myspace to get account access. then they post ad bulletins from the cracked account. makes it look like your friends are pimpin all this stuff. it recently happened to my sister. =\
posted by carsonb at 6:43 PM on September 18, 2006


What's up with eight people having the password "pablobob", anyway? Or did one person just fall for the scam eight times?
posted by hattifattener at 7:16 PM on September 18, 2006


Well, a simple example would be to double the first three letters of the site you're visiting, and alternate lower and upper case. Your password for MetaFilter would be mMeEtT. How difficult is that?

If you think for five minutes, you'll develop a very simple algorithm that nobody will ever guess


That's pretty good. Until it isn't.
posted by longsleeves at 7:32 PM on September 18, 2006


Do you think this post could have used an NSFW on it? Just axing because I'm not so down with the brown.
posted by dobie at 8:55 PM on September 18, 2006


...the problem being of course, if someone gets one password they can potentially get all your passwords by figuring out the algorithm.

That's pretty good. Until it isn't.


Well, you haven't thought for five minutes, then.
A relatively simple, lateral algorithm can produce passwords that are virtually impossible to reverse engineer. It would be far easier to use a key logger. And nothing's stopping you from having different algorithms for different levels of security, and changing them regularly.

The security at Fort Knox is pretty good until it isn't, also.
Maybe they should spread gold coins all over the country and try to remember where they put them?
posted by weapons-grade pandemonium at 9:23 PM on September 18, 2006


Yes, hatti, they did. I'd rather believe the cookies123 guy fell for the scam 13 times than believe that his password is more popular than password or abc123. Also, MySpace requires you to have a number or special character in your password, so all those that don't can't be real pws.
posted by Mr. Gunn at 9:31 PM on September 18, 2006


I've used algorithms for my passwords for years. Very easy and I never have to remember passwords or write them down.
posted by darkstar at 10:45 PM on September 18, 2006


Mr. Gunn, about every fifth comment on the article seems to be people pointing that out. They didn't require a number or special password until last December or so. People could very well still have simple passwords.
posted by Phantomx at 2:39 AM on September 19, 2006


Among the most common passwords back then were "password", "iloveyou", and "fuckyou".

I got an eBay phishing E-mail the other day (at an address that isn't even connected to an eBay account). Not having anything better to do, I filled in the whole thing with bogus and obscene information. By sheer coincidence, I entered the password "fuckyou."
posted by Faint of Butt at 6:16 AM on September 19, 2006


weapons-grade just gave away all my passwords =(

That's ok, we already got them from the post.

I think a lot of this mostly does depend on the necessity for security. Is myspace something I'd really care people hacked into? No, in fact, my account's just bogus information that I signed up with just so I could meet some sexual predators.
posted by hoborg at 9:16 AM on September 19, 2006

