Hackers use weak passwords - Terretta
https://blog.avast.com/2014/06/09/are-hackers-passwords-stronger-than-regular-passwords/

======
ZachPruckowski
>I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000
were unique and 1,255 of those were in plain text. Another 346 passwords were
easily cracked from MD5 hashes, because they were shorter than 9 characters.
That gave me a total of 1,601 passwords and 300 hashes

If a significant fraction of his sample is "hashes he could easily crack",
isn't that a biased sample? Because it seems likely that the longer, properly
hashed passwords are more likely to be the stronger ones...

~~~
x1798DE
Well, he's saying that he has a sample of 40k hackers' passwords stored up
somewhere, and between them there are 2000 unique strings, ~1200 of which were
in plain text and didn't need to be cracked at all. So if this sample of 40k
hacker passwords is a random sampling, then essentially he has a random
unbiased sample of 1200 unique passwords, plus a biased set of 300 more.

He's not super clear about where the 40k passwords came from, so they may be a
random sample, but it's quite possible that it's just a sampling of bad
hackers - he mentions that he has gathered many examples of bots and shells
and such, so you can imagine that he's looking at a sampling of 1. hackers
whose bots store their passwords in such a way that he can reverse-engineer
where they are stored and 2. hackers who store their passwords in plain-text.

That said, if he has 40,000 passwords that boil down to 2000 unique strings,
of which only ~400-500 are either good passwords stored in plaintext or not
easily crackable, then that means about 35,000 out of the 40,000 passwords he
captured were easily guessable (I'm assuming here that there were no
duplicates in the "good" password set), which is about 87.5% of his sample.

~~~
ZachPruckowski
>it's quite possible that it's just a sampling of bad hackers - he mentions
that he has gathered many examples of bots and shells and such, so you can
imagine that he's looking at a sampling of 1. hackers whose bots store their
passwords in such a way that he can reverse-engineer where they are stored and
2. hackers who store their passwords in plain-text.

Yes, that's basically my point. The set of hackers who use strong passwords
and the set of hackers who don't well-protect those passwords in their
bots/viruses/whatever probably doesn't have a lot of overlap.

Also, it sounds like he couldn't crack (and thus couldn't include in the
sample) some of the hashed passwords. Passwords that he can't crack or brute-
force reasonably are probably strong passwords. Not having those passwords
biases the sample - it's like doing a standardized test when all the honors
classes are on a field trip, by removing the top-end you downward-bias the
sample and make the overall sample look worse.

~~~
x1798DE
I agree that the 40k sample is probably biased, but if you assume it's not
actually biased, your second point doesn't hold, because the ones he couldn't
crack are presumptively strong, so adding in the ones that he knows are strong
because he found them in some plaintext form, that leaves about 500 passwords
out of 40k that he couldn't find. If anything, the uncracked passwords bias
you towards thinking their passwords are _stronger_, since it's possible that
some of them are just weak passwords stored in some non-standard way, or
there's a salt included in the program that he missed or something.
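
The two readings of the sample argued above, as an added illustration that is not part of the thread: a constructed toy population (not the article's data) in which dropping the uncracked hashes overstates the weak share (ZachPruckowski's concern), while counting every uncracked hash as strong understates it once some weak passwords were stored in a way the analyst could not recover (x1798DE's caveat), so the true share sits between the two estimates.

```python
# Toy model of the sampling argument (constructed example, not the article's
# data). Each record carries its true strength, its length and how the analyst
# found it: "plain" (readable as-is), "md5" (unsalted hash, assumed crackable
# only below 9 characters, as the article states) or "hidden" (salted or stored
# in a non-standard way the analyst missed).

def build_population(counts):
    """counts maps (strength, storage) -> number of records to create."""
    pop = []
    for (strength, storage), n in counts.items():
        length = 6 if strength == "weak" else 14  # representative lengths
        pop.extend({"strength": strength, "length": length, "storage": storage}
                   for _ in range(n))
    return pop

def recoverable(rec):
    """Would the article's method put this record into the analysed sample?"""
    if rec["storage"] == "plain":
        return True
    if rec["storage"] == "md5":
        return rec["length"] < 9
    return False  # hidden: never recovered

def weak_share(records):
    return sum(r["strength"] == "weak" for r in records) / len(records)

def estimate(pop):
    """Return (true weak share, share if uncracked are dropped,
    share if uncracked are all counted as strong)."""
    seen = [r for r in pop if recoverable(r)]
    true = weak_share(pop)
    dropped = weak_share(seen)
    counted_strong = sum(r["strength"] == "weak" for r in seen) / len(pop)
    return true, dropped, counted_strong

# Constructed counts chosen to resemble the article's proportions.
CONSTRUCTED = {
    ("weak", "plain"): 1000, ("weak", "md5"): 300, ("weak", "hidden"): 50,
    ("strong", "plain"): 200, ("strong", "md5"): 250,
}

if __name__ == "__main__":
    true, dropped, counted = estimate(build_population(CONSTRUCTED))
    print(f"true weak share {true:.3f}, uncracked dropped {dropped:.3f}, "
          f"uncracked counted as strong {counted:.3f}")
```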

------
zv
Hackers use strong passwords on things they want to protect. No need for a
strong password on some public site with unimportant data. Even more so, if
those third-party sites get compromised, your main security focus is not
compromised.

~~~
dec0dedab0de
As another datapoint, I have a weak password for sites that I wouldn't care at
all if they were compromised. For everything remotely important I use a
separate random password at the max length allowed.

~~~
niels_olson
I would like to see LastPass et al add this to their interface: auto-detect
max length, allowed characters, etc. It would be for user convenience, but they
could even phone those characteristics home and start shaming services that
employ poor practices.

~~~
lcedp
They already do something like that. (Tools -> Security Check)

------
pbhjpbhj
_Crackers_ use weak passwords on shells and such for machines they are
actively exploiting. Pretty different in more than one respect.

------
dspillett
Or more verbosely:

Hackers that know what they are doing and care about that particular account
use good password policies.

Hackers that _don't know any better_ (perhaps I should use "people who claim
to be hackers" to define this sub-set) or _really don't care_ about that
particular account, use bad passwords.

Just like the rest of us.

------
bigbugbag
I'm wondering how a sample of various back-doors, bots and shells is the
equivalent of hackers' passwords. More like malware creators' passwords to me.

Then again, the use case of these passwords doesn't really call for secure
passwords, so is it really surprising that they're not overly secure?

I find this article poorly worded and misleading, telling readers "Hackers use
weak passwords just like the rest of us." when it's not about hackers and is
not about using weak passwords like the rest of the world, unless the rest of
the world suddenly starts coding malware. Using passw0rd as an easy-to-remember
backdoor password is not the same as using "passw0rd" to access your bank
account from the web.

~~~
anExcitedBeast
Cyber crime is a major source of income for these guys. It's not unlike having
a bad password on your bank account.

Also, malware is often configured by the operator. If badguy1337 uses someone
else's IRC bot code, they are likely to change the password themselves. Same
for Poison Ivy, China Chopper, and every other publicly available
backdoor/shell.

------
meowface
Keep in mind this seems to be an analysis directed more towards script
kiddies, based on the kind of files they were looking at.

------
danso
It's hard to take this seriously without mention by the OP of whether the
weakness of the passwords was affected by the ephemeralness of the use cases
here. For example, I use pretty weak passwords to sign up for throwaway
services or to try out startups that force you to do a nominal login...because
I'm not going through the work of creating a "real" password for such one-time
use cases. Are the revealed passwords discussed by the OP for utilities that
are meant to be throwaway?

------
ender89
Realistically, once you realize just how easy it is to actually get around
passwords and such, you tend to go with something good enough to keep the
rabble out and easy to remember. For example, my local Windows password is a
bit of a joke, because it's so absurdly easy to get into a Windows machine and
do whatever the hell you want. Even easier if you don't care about getting
found out. And I am much more concerned with someone getting my Facebook or
Netflix password through social engineering than an actual "hack" anyway.