Message-ID: <45D9E85C.3000805@caramiel.com>
Date: Mon, 19 Feb 2007 19:11:40 +0100
From: Jeremy Saintot <jeremy@...amiel.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Analysis of Myspace passwords

Here is a short analysis of the passwords chosen by myspace users,
that some guy phished a few weeks ago.

The analysis is based on a list of 36700 user passwords. The
original file contained 56000+ lines, but I removed the blank passwords
and those that were 20+ characters long, which were in most cases some
kind of personal message from smart users to the phisher... ;) Thus, I
can state a first affirmation: Over 34 % of people won't fall into the
phisher's trap, which is not so bad.

First, I chose a very standard password dictionary file found on the
internet, which contained about 2300 lines. The file contained 408 (1,2
%) of the passwords picked by myspace users.

It's very interesting to see people's habits when it comes to choosing a
password.

About prefixes/suffixes
-----------------------
- 8,3 % used a numeric prefix.
- 72,7 % used a numeric suffix.
- 54,5 % used a numeric suffix between 0 and 99 (1 and 2 digits)
- 7,8 % used a numeric suffix between 100 and 999 (3 digits)
- 6 % used a numeric suffix between 1000 and 9999 (4 digits)
- 16,6 % used the suffix "1"

An amusing thing is that 3,3 % of people use the "!" suffix, and 1,5
% use ".".

At this point, I wrote a little script that appended all 1- and
2-digit numbers to my 2300-line dictionary file. My dict file is now
~2MB, which remains reasonably small. This new file contained 3410 (9,2
%) of the myspace passwords.

Here is the top-50 numeric suffixes: 1, 2, 3, 123, 12, 7, 5, 6, 4,
13, 11, 8, 9, 69, 23, 22, 14, 07, 06, 21, 16, 15, 10, 01, 0, 17, 24, 18,
88, 09, 101, 89, 33, 1234, 08, 91, 77, 20, 92, 666, 19, 25, 99, 00, 90,
05, 55, 44, 420, 04.

It's obvious that the most popular are the numbers between 0 and 100.
A frequent choice is a suffix between 1990 and 2007, due to the
average age of myspace users. For other usage, this should be extended
from ~1950 to 2007.

About password lengths
----------------------
- 24,3 % used an 8-character password
- 24 % used a 7-character password
- 18,4 % used a 9-character password
- 16,2 % used a 6-character password
- 15,2 % used a 10-character password
- 3,2 % used an 11-character password

Other interesting stats
-----------------------
- 6,4 % used a loweralpha only password
- 83,3 % used a loweralpha-numeric password
- 10,9 % used one or more special chars (not in a-z, A-Z, 0-9)
- 0,1 % of passwords contained the sequence 'myspace'
- 0,2 % of passwords contained the sequence 'password'

I hope this information can be useful for anyone.

Regards,
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
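
The composition statistics reported in the message above (numeric prefixes and suffixes, length distribution, character classes) can be computed for any password set, for instance when checking an organization's own passwords against a composition policy. The following is an added example, not the script used by the message's author. The sample passwords are constructed, and the category definitions (for example, "loweralpha-numeric" meaning only a-z and 0-9 with at least one digit, and case-insensitive matching of 'myspace'/'password') are assumptions.

```python
import re
from collections import Counter

# Constructed sample passwords for illustration only (not taken from the phished list).
SAMPLE = [
    "monkey1", "soccer12", "1angel", "blink182", "summer2006",
    "letmein", "iloveyou!", "Dragon7", "myspace1", "qwerty.",
]

def classify(pw):
    """Return the set of pattern labels (named after the message's categories) pw matches."""
    labels = set()
    if re.match(r"\d", pw):
        labels.add("numeric_prefix")
    suffix = re.search(r"\d+$", pw)
    if suffix:
        labels.add("numeric_suffix")
        digits = len(suffix.group())
        if digits <= 2:
            labels.add("suffix_1_2_digits")
        elif digits <= 4:
            labels.add(f"suffix_{digits}_digits")
    if pw.endswith("!"):
        labels.add("suffix_bang")
    # Assumption: the two lowercase classes are disjoint, as the percentages suggest.
    if re.fullmatch(r"[a-z]+", pw):
        labels.add("loweralpha_only")
    elif re.fullmatch(r"[a-z0-9]+", pw):
        labels.add("loweralpha_numeric")
    if re.search(r"[^a-zA-Z0-9]", pw):
        labels.add("special_char")
    for word in ("myspace", "password"):
        if word in pw.lower():  # assumption: case-insensitive match
            labels.add(f"contains_{word}")
    return labels

def analyze(passwords):
    """Return (share in % per label, length histogram, five most common numeric suffixes)."""
    n = len(passwords)
    hits = Counter(label for pw in passwords for label in classify(pw))
    shares = {label: round(100 * count / n, 1) for label, count in hits.items()}
    lengths = Counter(len(pw) for pw in passwords)
    suffixes = Counter(m.group() for pw in passwords if (m := re.search(r"\d+$", pw)))
    return shares, lengths.most_common(), suffixes.most_common(5)

if __name__ == "__main__":
    shares, lengths, suffixes = analyze(SAMPLE)
    for label, pct in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f} %  {label}")
    print("lengths:", lengths)
    print("top suffixes:", suffixes)
```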