Analyzing 20000 passwords

Baked

Lifer
Dec 28, 2004
36,052
17
81
Analyzing 20,000 MySpace Passwords

In a day when browsers are coming out with anti-phishing tactics, I can't believe how many people still fall for phishing. It's all over the news, and most email clients display warnings. I still get those letters from Nigeria saying they need my help transferring millions of dollars out of the country. If nobody was falling for that they wouldn't be doing it, I'm sure. So when I got an email from "Admin@MySpace.com" I kind of chuckled. It was the usual scam trying to get me to log in to their fake MySpace login page. I of course entered bogus login details that I don't have and never will have. Then I went to the root directory the script was in. Sure enough, it was all indexed: 20,000 emails and the passwords to go along with them, sitting in a plain text file. I downloaded it, looked through it for a bit and started parsing it with .NET and PHP. The results of the parsing were rather interesting. Some passwords were terrible, and others were decent. A lot of them are simply "password". An odd number of them also contain the word "poop". Only goes to show how childish these people are. We'll start with the most popular email hosts.

Emails

Yahoo, Hotmail, AOL. No surprise there really. I'm surprised AIM didn't take a bigger piece of the pie. If you're wondering why it doesn't add up, it's because there are a lot of random ones with 10-20 each that were a waste to include. Next we'll take a look at how long each person's password is. Most of them are fairly decent, to my surprise, at an average length of 7 characters.

Number of Chars

Character length means little if your password doesn't have upper and lower case letters. Most of the passwords were all lower case.

Upper and Lower

There is still hope left for their passwords though, and that is if they added any numbers and/or special characters. Amazingly, most people actually did.

Numbers

Next I tested all the passwords for password strength. I used a simple PHP script on a four-point scale: one point for having a lower case letter, one for an upper case letter, one for a symbol, and one for a number. All of the email/bank passwords I use are a four on this scale. All of my forum and useless passwords are a three. I think it's a pretty good simple test of how secure these passwords are.

Strength

PHP code I used:

function CheckPasswordStrength($password) {
    // Four-point scale: one point for each character class present
    // (lower case, upper case, digit, symbol), so the result is 0-4.
    $strength = 0;
    $patterns = array(
        '#[a-z]#',
        '#[A-Z]#',
        '#[0-9]#',
        // Symbols from a UK keyboard. The hyphen is escaped so it is a literal
        // and not a range, and '\\\\' puts a literal backslash in the class.
        '/[¬!"£$%^&*()`{}\[\]:@~;\'#<>?,.\/\\\\\-=_+\|]/'
    );
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $password)) {
            $strength++;
        }
    }
    return $strength;
}

Most common passwords used:

13 - cookie123
12 - iloveyou
12 - password
11 - abc123
11 - fuckyou
11 - miss4you
9 - password19
9 - clumsy
8 - sassy
8 - summer06
8 - pablobob
8 - boobie
8 - fuckyou1
8 - iloveyou1
8 - tink69
8 - password1
7 - gospel
7 - terrete
7 - monster7
7 - marlboro1
7 - bitch1
7 - flower
7 - space

Summary:

While the passwords weren't the best, they weren't exactly terrible. I consider strength two fine for a MySpace account. It's a basic password, usually with upper or lower case and a number or symbol. Only 19% of the people had strength one, and given MySpace users' track record for being computer illiterate, I don't consider that bad. 46% of their passwords were seven characters long, which is fairly long and would take a while to brute force. Combined with a captcha for invalid passwords, there's no way it would be cracked. The biggest email hosts were Yahoo, Hotmail, and then AOL. I'm kind of surprised at that; would have thought Hotmail would have won out. If anyone would like some more tests done, feel free to contact me.

___________________________________________________________________________

Screen caps -

Page 1
Page 2
Page 3
Page 4
 
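The tallies the post describes (email hosts, password lengths, case mix, digits/symbols, the four-point strength score and the most common passwords) as an added example in Python; this is not the poster's .NET or PHP code. It assumes the dump is one "email:password" line per entry, and the sample lines below are constructed for illustration, not taken from the real file. It also adds one check the post's scale does not make: the size of the keyspace implied by the classes used and the length.

```python
import re
from collections import Counter

# Constructed sample in the "email:password" layout assumed for the dump;
# these are made-up entries, not lines from the real file.
SAMPLE_DUMP = """\
alice@yahoo.com:cookie123
bob@hotmail.com:password
carol@aol.com:iloveyou
dave@yahoo.com:Summer06!
erin@gmail.com:abc123
frank@hotmail.com:poop
grace@yahoo.com:P@ssw0rd
heidi@aol.com:flower
ivan@hotmail.com:password
judy@yahoo.com:QWERTY
"""

LOWER_RE = re.compile(r"[a-z]")
UPPER_RE = re.compile(r"[A-Z]")
DIGIT_RE = re.compile(r"[0-9]")
# Anything that is not a letter or digit counts as a symbol; this avoids the
# keyboard-specific character list of the PHP version.
SYMBOL_RE = re.compile(r"[^A-Za-z0-9]")


def parse_dump(text):
    """Yield (email, password) pairs from the dump.

    Split on the first ':' only, so a password containing ':' survives intact.
    Blank or malformed lines are skipped rather than crashing the run.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password


def strength(password):
    """The post's four-point scale: one point per character class present."""
    return sum(1 for rx in (LOWER_RE, UPPER_RE, DIGIT_RE, SYMBOL_RE)
               if rx.search(password))


def keyspace(password):
    """Size of the search space implied by the classes used and the length.

    This is what the four-point scale leaves out: "QWERTY" scores 1 and so
    does "password", and neither score says anything about length.
    The symbol alphabet is taken as the 33 printable ASCII symbols (assumption).
    """
    alphabet = 0
    if LOWER_RE.search(password):
        alphabet += 26
    if UPPER_RE.search(password):
        alphabet += 26
    if DIGIT_RE.search(password):
        alphabet += 10
    if SYMBOL_RE.search(password):
        alphabet += 33
    return alphabet ** len(password)


def pct(part, whole):
    return round(100 * part / whole) if whole else 0


def analyze(text, top=5):
    """Reproduce the post's tallies: hosts, lengths, case mix, digits/symbols,
    strength distribution and most common passwords."""
    creds = list(parse_dump(text))
    n = len(creds)
    passwords = [pw for _, pw in creds]
    hosts = Counter(email.rsplit("@", 1)[-1] for email, _ in creds)
    mixed_case = sum(1 for pw in passwords
                     if LOWER_RE.search(pw) and UPPER_RE.search(pw))
    digit_or_symbol = sum(1 for pw in passwords
                          if DIGIT_RE.search(pw) or SYMBOL_RE.search(pw))
    strengths = Counter(strength(pw) for pw in passwords)
    return {
        "count": n,
        "hosts": hosts.most_common(),
        "avg_length": round(sum(map(len, passwords)) / n, 2) if n else 0.0,
        "lengths": dict(Counter(map(len, passwords))),
        "mixed_case_pct": pct(mixed_case, n),
        "digit_or_symbol_pct": pct(digit_or_symbol, n),
        "strength_pct": {s: pct(c, n) for s, c in sorted(strengths.items())},
        "most_common": Counter(passwords).most_common(top),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_DUMP)
    for key, value in report.items():
        print(f"{key}: {value}")
    for pw in ("password", "QWERTY", "Summer06!"):
        print(f"{pw!r}: strength {strength(pw)}, keyspace {keyspace(pw):.2e}")
```

Point the script at the real dump by reading the file into `analyze()` instead of `SAMPLE_DUMP`. The keyspace column is the part worth reading next to the strength score: an all-lower-case eight-character password and a six-character all-caps one both score 1, but differ by a factor of 676 in how many guesses an offline attack has to make.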

ForumMaster

Diamond Member
Feb 24, 2005
7,792
1
0
Works fine for me. Ain't that sad? MySpace and such sites rarely send email, so it is just stupid users who fall for these scams.
 

fire400

Diamond Member
Nov 21, 2005
5,204
21
81
Keystroke loggers... you gotta be careful. After I heard this software was out, I was like... holy fvck, I better stop letting other people download garbage on my computer!
 

EyeMWing

Banned
Jun 13, 2003
15,670
1
0
Originally posted by: fire400
Keystroke loggers... you gotta be careful. After I heard this software was out, I was like... holy fvck, I better stop letting other people download garbage on my computer!

WTF do keyloggers have to do with anything? This was a phishing site, dude. And keyloggers have been around since the beginning of time; keylogging HARDWARE has been around for more than a DECADE. They fell out of vogue as mechanisms in viruses and such when the amount of data they started returning to their creators became unmanageable. They're simply specialty tools for attacking specific, known targets these days: conducting espionage, blackmail, spying on someone, etc.
 

EGGO

Diamond Member
Jul 29, 2004
5,504
1
0
I know someone whose password is "poop".

That being said, my password for sites are always over 7 characters and also make use of symbols.
 

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
49,601
167
111
www.slatebrookfarm.com
I believe Microsoft has a tool for actually testing the quality of passwords... I've always received a high score. Simply come up with 8 characters or so that you can type REALLLLLY fast, and customize the password for each place you go by adding a character or two at the beginning or end, i.e. if you can type "A)GF*asd" really fast, for AnandTech simply add an extra A to it at the beginning or end... then you only have to remember 1 string that you can type fast, plus 1 extra character per password. If someone gets one of your passwords, they're not likely to figure out that the H in front of HA)GF*asd stands for Hotmail and to try AA)GF*asd for AnandTech...
 

Epic Fail

Diamond Member
May 10, 2005
6,252
2
0
Originally posted by: DrPizza
I believe Microsoft has a tool for actually testing the quality of passwords... I've always received a high score. Simply come up with 8 characters or so that you can type REALLLLLY fast, and customize the password for each place you go by adding a character or two at the beginning or end, i.e. if you can type "A)GF*asd" really fast, for AnandTech simply add an extra A to it at the beginning or end... then you only have to remember 1 string that you can type fast, plus 1 extra character per password. If someone gets one of your passwords, they're not likely to figure out that the H in front of HA)GF*asd stands for Hotmail and to try AA)GF*asd for AnandTech...

but now we know...