

What do Sony and Yahoo have in common? Passwords - troyhunt
http://www.troyhunt.com/2012/07/what-do-sony-and-yahoo-have-in-common.html

======
omni
This guy only used 302 from a dump of 453,491 passwords to come to these
conclusions. I can imagine no reason why he'd intentionally invalidate his
analysis by using such a low sample size unless this conclusion doesn't
actually hold when you use a significant sample. I am highly skeptical.

~~~
troyhunt
The emphasis should have been on "common" - there were only 302 emails out of
the full sample which appeared in both breaches. I would have liked a larger
sample size, but that's all there was.

~~~
omni
Ah, my mistake. Thanks for clarifying!

------
Zenst
This could have been from a hack done years ago, milked in its entirety in
secret and then released years later. A lot of passwords would still be the
same; people, if not made to change their passwords every N days, habitually
will not bother unless some event dictates they should, and even then, if they
can avoid it, a lot sadly will. Sadly the human finger fits perfectly into the
human ear, and this is how a lot of people handle a lot of problems.

Now, all that said, if you look at any password system you will find common
passwords, and if you allow your users to use things like football teams, their
own username and words like "god", "jesus" etc., then you will get a standard
statistical spread. The only conclusion you can make is that if you get a
million needles and chuck them in the air, and do it twice, then in pile A and
pile B you will find some that point north; it's the way it goes.

So what do Sony and Yahoo have in common? Passwords picked by humans, used by
humans - just like a lot of password systems, be they hashed, triple hashed or
plain old text.

------
CWuestefeld
_Less than 1% of passwords contained a non-alphanumeric character, only 4%
actually used more than two character types_

I think we're past the paradigm of gobbledy-gook passwords now. As we learned
from xkcd [1], it's possible -- in fact, easier -- to construct a secure
password that's also readable as needed.

[1] <http://xkcd.com/936/>

~~~
jackalope
That comic is misleading. Depending on the method of attack, the suggested
password can be easier to crack. Attackers aren't constricted by the number of
characters, but by the number of tokens. Are you sure that one of those
passwords comes from a higher number of permutations?

~~~
CWuestefeld
Yes. If you choose your four words from a dictionary of, say, 2000, then there
are 1.6e13 combinations -- about 44 bits of entropy.

~~~
troyhunt
The comic is amusing, but it only works if you can apply it uniquely across
accounts. Once you start creating unique passwords of that length you can't
remember them. Get a password manager and forget about patterns - the XKCD
approach doesn't work without serious compromise.

------
patdennis
_the early evidence is that Yahoo! kept their passwords in the clear and
certainly the dump appears to support this_

Wait, what? I'm no security expert, but how does that happen?

~~~
sp332
I don't think so. The only evidence that the passwords were stored in the
clear is that some "strong" passwords were broken. But if you look at the
LinkedIn dump (which was hashed) there are plenty of strong passwords that
were broken.

~~~
sk5t
The author, Troy Hunt, keeps extensive lists of actual passwords (millions
upon millions gathered mostly from other disclosures). Many "strong looking"
passwords turn up in these lists... all sorts of keyboard patterns, numbers
tacked onto permuted words in various languages, etc.

Of course it's difficult to verify the genuineness of most disclosures like
this, unless the victim company decides to fess up.

------
jackalope
I think focusing on password length as an attribute of strength reveals an
intrinsic weakness of passwords in general. We're reaching a point where any
password that is humanly memorable is not in the set of strong passwords. It's
a tragic flaw that all permutations available from an entropy pool aren't
equally strong. The fundamental problem of identity assurance needs to be
solved, and it's sad that passwords represent both the state of the art and its
weakest link.

------
unreal37
I think this article jumps the gun a little.

There's no evidence that this is indeed from Yahoo Voice, no evidence how old
it is, no evidence how Yahoo stored their passwords... And he's only found 300
accounts that existed in both Sony Systems and Yahoo. Quite a leap from some
random file someone posted to the web to this.

~~~
troyhunt
Yahoo! have confirmed the breach:
http://news.cnet.com/8301-1009_3-57471178-83/yahoos-password-leak-what-you-need-to-know-faq/

------
michaelt
It's surprising to me that 60% of people don't appear to have changed their
compromised passwords.

Is there something wrong with how we tell people their passwords have been
compromised - do you think we aren't making it clear enough what they need to
do, or how important it is that they do it?

~~~
CWuestefeld
I think his pie chart drives us to an incorrect conclusion here. It's not that
people haven't changed their compromised passwords. The problem is actually
that people choose inane passwords, like "password" and "123456". When people
are doing that, you're bound to see significant overlap between the two sets.
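The analysis argued over in this thread (finding the emails that appear in both dumps, counting how many of those accounts reused the same password, tallying character classes as in the "less than 1% non-alphanumeric / 4% more than two character types" figures, and the 2000-word, four-word entropy sum from the xkcd sub-thread) can be reproduced end to end on a small constructed data set. The block below is an added example, not the article's own code and not Troy Hunt's actual method; the two dumps are made-up records, not data from the Sony or Yahoo breaches, and the `email:password` line format is an assumption made for the example.

```python
import math
import re

# Constructed sample dumps in "email:password" form (assumed format).
# These are invented records for illustration only.
SONY_DUMP = """\
alice@example.com:password
bob@example.com:Tr0ub4dor&3
carol@example.com:123456
dave@example.com:letmein1
erin@example.com:Summer2011!
frank@example.com:qwerty
"""
YAHOO_DUMP = """\
alice@example.com:password
bob@example.com:correcthorsebatterystaple
carol@example.com:123456
grace@example.com:iloveyou
erin@example.com:Summer2011!
heidi@example.com:abc123
"""


def parse_dump(text):
    """Return {email: password} from 'email:password' lines, keyed by lowercased email."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than crash on them
        email, _, password = line.partition(":")
        creds[email.strip().lower()] = password
    return creds


def overlap_report(dump_a, dump_b):
    """Emails in both dumps, and how many of those accounts reused the same password."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    common = sorted(set(a) & set(b))
    reused = [e for e in common if a[e] == b[e]]
    return {
        "common": len(common),
        "reused": len(reused),
        "reuse_rate": len(reused) / len(common) if common else 0.0,
        "reused_emails": reused,
    }


def char_classes(password):
    """Number of character classes used: lower, upper, digit, other."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, password):
            classes += 1
    return classes


def composition_report(passwords):
    """Percent of passwords with a non-alphanumeric char, and with more than two classes."""
    n = len(passwords)
    non_alnum = sum(1 for p in passwords if re.search(r"[^A-Za-z0-9]", p))
    more_than_two = sum(1 for p in passwords if char_classes(p) > 2)
    return {
        "total": n,
        "non_alnum_pct": 100.0 * non_alnum / n if n else 0.0,
        "more_than_two_classes_pct": 100.0 * more_than_two / n if n else 0.0,
    }


def entropy_bits(alphabet_size, tokens):
    """Entropy of `tokens` independent, uniformly chosen symbols from an alphabet.

    A token is whatever the attacker enumerates: a character for a random
    character password, a whole word for a dictionary passphrase.
    """
    return tokens * math.log2(alphabet_size)


if __name__ == "__main__":
    print(overlap_report(SONY_DUMP, YAHOO_DUMP))
    print(composition_report(list(parse_dump(SONY_DUMP).values())))
    print("4 words from 2000:", round(entropy_bits(2000, 4), 1), "bits")
    print("8 random printable ASCII:", round(entropy_bits(95, 8), 1), "bits")
```

On the constructed data four emails appear in both dumps and three of them carry the identical password, which is the kind of overlap the pie chart summarises; note that the overlap measure cannot by itself distinguish "user never changed it" from "two users independently picked `123456`", which is exactly the objection raised above. The entropy helper counts tokens, not characters, so it applies equally to the four-word passphrase and to a random character string, and only assumes the words or characters were chosen uniformly at random.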

