

A brief Sony password analysis - troyhunt
http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts wasn’t bad enough, numerous other security breaches in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com where a significant portion of the database was publicly disclosed a few days back.

With all this customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including:

36% of passwords appear in a common password dictionary.
50% of passwords are 7 characters or less.
67% of accounts on both Sony and Gawker use the same password.
82% of passwords are lowercase alphanumeric of 9 characters or less.
99% of passwords don’t contain a single non-alphanumeric character.
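
The five headline numbers are straightforward to reproduce from a plaintext dump. What follows is an added example, not Troy Hunt's code or data: it computes the same five statistics plus a password-length histogram over two small constructed dumps and a constructed stand-in for the "common password dictionary", and then counts how many accounts present in both dumps reuse the identical password. Every number it produces is from that constructed sample, not from the Sony or Gawker data.

```python
"""Added example: reproduce the post's five headline statistics on a dump.

The two "dumps" and the common-password list below are constructed,
hypothetical data, not the Sony or Gawker data the post analysed.
"""
import re
from collections import Counter

# Constructed sample dumps: account email -> plaintext password.
SONY = {
    "alice@example.com": "password",
    "bob@example.com": "sunshine1",
    "carol@example.com": "Qwerty12",
    "dave@example.com": "letmein",
    "erin@example.com": "1qazZAQ!",
    "frank@example.com": "abc123",
    "grace@example.com": "tr0ub4dor",
    "heidi@example.com": "monkey",
    "ivan@example.com": "Secur3!Pass",
    "judy@example.com": "football",
}
GAWKER = {
    "alice@example.com": "password",
    "bob@example.com": "sunshine1",
    "carol@example.com": "different1",
    "erin@example.com": "1qazZAQ!",
    "frank@example.com": "abc123",
    "zoe@example.com": "dragon",
}
# Stand-in for the "common password dictionary"; a real run would load a
# wordlist file with one entry per line.
COMMON = {"password", "letmein", "abc123", "monkey", "football", "dragon", "123456"}

LOWER_ALNUM = re.compile(r"^[a-z0-9]+$")   # only lowercase letters and digits
NON_ALNUM = re.compile(r"[^A-Za-z0-9]")    # any symbol, space or punctuation


def pct(n, total):
    return round(100.0 * n / total, 1) if total else 0.0


def analyse(passwords, common):
    pw = list(passwords)
    total = len(pw)
    return {
        "total": total,
        # dictionary match is case-insensitive: "Password" counts as "password"
        "in_dictionary_pct": pct(sum(p.lower() in common for p in pw), total),
        "len_le_7_pct": pct(sum(len(p) <= 7 for p in pw), total),
        "lower_alnum_le_9_pct": pct(
            sum(bool(LOWER_ALNUM.match(p)) and len(p) <= 9 for p in pw), total),
        "no_special_pct": pct(sum(NON_ALNUM.search(p) is None for p in pw), total),
        "length_histogram": dict(sorted(Counter(len(p) for p in pw).items())),
    }


def reuse(dump_a, dump_b):
    """Accounts present in both dumps and how many reuse the identical password."""
    both = set(dump_a) & set(dump_b)
    same = sum(dump_a[e] == dump_b[e] for e in both)
    return {"overlap": len(both), "same_password": same, "same_pct": pct(same, len(both))}


if __name__ == "__main__":
    for k, v in analyse(SONY.values(), COMMON).items():
        print(f"{k:>22}: {v}")
    print(reuse(SONY, GAWKER))
```

The dictionary test is deliberately case-insensitive and the "lowercase alphanumeric" test deliberately is not, which mirrors how the two measurements differ in the post: the first asks whether a cracker's wordlist would hit, the second asks which character classes the user actually bothered with.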
======
lordlarm
Moments after the release I accessed multiple accounts on gmail, hotmail,
yahoo and facebook using passwords and usernames found in these files.
Impressively I got a 'hit' every two or three accounts I tried, which goes
to suggest that the 'reuse' section of this article is indeed correct.

That said, I want to recognize Facebook's impressive and fast response to this
release, where they 'disabled' all accounts linked to emails in these text
files and made them go through a bunch of tests, e.g. when is your birthday, what
is the name of this friend, etc.

Anyway, scary stuff, and it goes to show that even with the most secure
password - you are not safer than the root user (gawker) / site security
(Sony).

~~~
mkjones
Glad our fast response is appreciated :-). We try to stay on top of leaks like
this and make sure Facebook users aren't affected, even when they share
passwords with the affected sites.

------
thurn
Requiring users to create passwords continues to be an engineering failure in
our industry. There are some promising alternatives, but we need to realize
that users are not at fault for picking poor passwords. We are at fault for
not giving them better options.

~~~
kmfrk
I can attest that entering a ~32-character-long ~base64 password on PSN is a
real pain in the ass. :)

~~~
orofino
This. The problem with the secure passwords that I use (I switched to mainly
unique passwords after the gawker incident) is that they are a pain to type on
things like xbox, android, etc.

Not only that, but some sites won't accept special characters in the
password... now what do I do? I break out some crappy password that I have a
chance in hell remembering.

~~~
lukejduncan
Case in point, Discover Bank doesn't allow special characters in the password.
Really now?

~~~
mestudent
A bunch of banks don't allow special characters. Some people have said it is
so you can enter it over the phone (something I've never come across, but I
kind of doubt that).

If that really is the case, they are probably throwing out whether each
character is upper or lowercase as well :/

------
foob
The dip in frequency of passwords with 7 characters is pretty interesting. I
was curious so I checked the frequency of words in /usr/share/dict/words as a
function of their length
([http://chart.apis.google.com/chart?chxl=0:|1|2|3|4|5|6|7|8|9...](http://chart.apis.google.com/chart?chxl=0:|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25&chxr=1,0,32380&chxt=x,y&chbh=10,0,5&chs=420x200&cht=bvg&chco=76A4FB&chds=0,32380&chd=t:52,155,1351,5110,9987,17477,23734,29926,32380,30867,26010,20460,14937,9763,5924,3377,1813,842,428,198,82,41,17,5,0&chma=|0,2&chtt=Word+Frequency+vs+Word+Length)).
There's no such behavior in dictionary words as you can see. We can however
see that in both passwords and words that the frequency of length 7 is about
80% of length 8 though. My first guess would be that length 6 gets a boost in
the password data because a large number of people think a password shorter
than that is too insecure. Only 36% of the passwords were dictionary words but
it's still fun to guess about.

~~~
mrvc
I'd suggest that the dip in 7 is natural, but the peak at 8 is the interesting
part. I'd argue the 8 peak is due to some of their websites requiring
a minimum of 8 characters. It's possible that such password checks are
inconsistent among their sites/domains, resulting in some passwords being
shorter (that's why we do see _some_ passwords shorter than 8). If the 8 was
around 6,000 we'd see a natural falloff curve as one would expect.

~~~
foob
Yeah, I think you're right about it relating to reused passwords. I've also
seen a lot of sites having passwords with a minimum length of 6, so the shape
would make sense if there's an exponential fall-off from 6 added to a fall-off
from 8.

~~~
orofino
Too bad the universe of gawker/sony collisions is so small. I'd be interested
to see if this plays out with real data.

------
jevinskie
Wow, the Gawker and Sony hacks have created an incredible opportunity to
analyze people's use of passwords. Two thirds of the (granted, only 88)
accounts in common between the two hacks used identical passwords!

~~~
eneveu
I often use the same password for sites I don't really care about. This does
not mean I use the same password on my work / banking / eBay / paypal
accounts.

This might explain why so many people used the same password for Gawker and
SonyPictures.

~~~
chriserin
I think this should be the main point. The sites you care about (email,
facebook) should have a unique password. The sites that don't matter can have
a login with your common password.

This is much more reasonable than asking everybody to remember 50 unique
passwords.

------
eddiegroves
"But the really startling bit is the use of non-alphanumeric or characters:
Yep, less than 1% of passwords contained a non-alphanumeric character."

This doesn't surprise me at all. Non-alphanumeric characters are hostile for
users to type in often. Add other peripherals like phones and a PS3 controller
and it's even harder.

~~~
alexqgb
Hostile? Really? How is typing '$' instead of '4' any different from typing
'A' instead of 'a'? They both use the same shift key. Watch, I'll do it again.
How about a seven? See? 7.

Now for the ampersand...just hold the 7 and reach for the shift key... &%$#$
FUCK! The little bastard just BIT ME!

I'm sorry, you're absolutely correct - those non-alphanumerics ARE hostile.

~~~
_delirium
The services/apps are often hostile to it, in my experience. For a while I had
a mental password-generation scheme that involved commas, and about 50% of
websites would reject my password for having an illegal character, sometimes
explicitly, other times just breaking in weird ways. After one site let me
_set_ my password to one involving a special character, but wouldn't let me
_enter_ that same password on the login form, I became wary of using special
characters in passwords. (The site was a bank, not some random forum.)

~~~
mkjones
Nah, they have a great reason - if they restrict you to alphanumeric
characters, it's easier to prevent XSS when they display your password back to
you later on in the flow :-).

------
keeperofdakeys
Those graphs should really be column or row graphs. There is no such thing as
'7.5' characters, so it is kind of misleading. It would also make it much
easier to see and interpret information, like the fact that 16 is the longest
password used. As for the Character Types, that data isn't even connected, so
a line graph fits even less.

------
mikle
Great analysis, but using pie charts with 4 shades of blue is unreadable.

~~~
nplusone
Using pie charts with any color combination is unreadable. See Edward Tufte's
_Visual Display of Quantitative Information_ for a detailed explanation.

------
dave1010uk
To make unique passwords for each site I use a simple formula on the domain
name that I can work out in my head and append it to a "master" password. An
example formula could be "take the last 2 letters of the domain name and shift
them 1 letter forwards".

This means your passwords always have different hashes, which will reduce
brute force attacks. Depending on the complexity of your formula and how much
time the attacker has, it may not be possible to work out your GMail password
from your Sony one.

Another password tip I read was moving your hands up (or right) 1 row when
typing. For example, "a" becomes "q". This adds an extra step to creating a
dictionary for an attack so should secure your password a bit.

~~~
duncanj
The problem with this approach is that you get exposed when a website stores
their passwords as plaintext. Someone who was smart enough to notice the
pattern in your formula could then use that info to get at your other
accounts.

~~~
bigiain
Did you notice one of the passwords mentioned as being found in readily
available rainbow tables was 1qazZAQ! - the leftmost column of keys on a
keyboard down then up with shift held down. That's an indication that the
password cracking community is perfectly aware of "keyboard pattern"
passwords.

~~~
dave1010uk
It makes sense that attackers are likely to know the steps we take to make
secure passwords but a password that's been "keyboard shifted" would be
_slightly_ more secure as it is an extra variation for a dictionary to
include.
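
Both the domain formula and the "move your hands up one row" trick are mangling rules, and password crackers apply rules of exactly this kind to every word in their dictionary. The block below is an added example, not anything from the post or from the thread's participants: a minimal rule engine with a row-up keyboard shift, a one-key-right shift, leet substitutions, and a reconstruction of dave1010uk's example formula (last two letters of the domain, each shifted one letter forward), run against a salted hash. The wordlist, salt and hashing (plain SHA-256) are constructed for the example, and the rule names are hypothetical; real rule files are far larger, but the cost model is the same: candidates tried is at most words multiplied by rules.

```python
"""Added example: a rule-based cracker that already "knows" the tricks.

Constructed wordlist, salt and target hashes; the rules are a small stand-in
for the rule files real crackers ship with.
"""
import hashlib

# US QWERTY rows, used for "shift your hands one row up / one key right".
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
POS = {c: (r, i) for r, row in enumerate(ROWS) for i, c in enumerate(row)}


def shift_up(word):
    """'a' -> 'q', 'q' -> '1'; top-row and unknown chars stay as they are."""
    out = []
    for c in word:
        if c in POS and POS[c][0] > 0:
            r, i = POS[c]
            out.append(ROWS[r - 1][i])
        else:
            out.append(c)
    return "".join(out)


def shift_right(word):
    """'a' -> 's', wrapping at the end of a row."""
    out = []
    for c in word:
        if c in POS:
            r, i = POS[c]
            out.append(ROWS[r][(i + 1) % len(ROWS[r])])
        else:
            out.append(c)
    return "".join(out)


LEET = str.maketrans("aeiost", "431057")


def leet(word):
    return word.translate(LEET)


def domain_suffix(domain):
    """Hypothetical reconstruction of dave1010uk's example formula: last two
    letters of the domain, each shifted one letter forward (sony -> ny -> oz)."""
    tail = domain.split(".")[0][-2:].lower()
    return "".join(chr((ord(c) - 97 + 1) % 26 + 97) if c.isalpha() else c for c in tail)


def rules_for(domain):
    """Each rule maps one dictionary word to one candidate password."""
    return {
        "plain": lambda w: w,
        "shift_up": shift_up,
        "shift_right": shift_right,
        "leet": leet,
        "leet+shift_up": lambda w: shift_up(leet(w)),
        "cap+1": lambda w: w.capitalize() + "1",
        "domain_suffix": lambda w: w + domain_suffix(domain),
    }


def H(salt, candidate):
    return hashlib.sha256((salt + candidate).encode()).hexdigest()


def crack(target, salt, wordlist, domain):
    """Try every (rule, word) pair; work is at most len(rules) * len(wordlist)."""
    tried = 0
    for name, rule in rules_for(domain).items():
        for w in wordlist:
            tried += 1
            cand = rule(w)
            if H(salt, cand) == target:
                return {"candidate": cand, "word": w, "rule": name, "tried": tried}
    return {"candidate": None, "tried": tried}


WORDLIST = ["password", "monkey", "letmein", "dragon", "football"]   # constructed

if __name__ == "__main__":
    salt = "x7"
    # A keyboard-shifted dictionary word and a master+domain-formula password.
    for secret in (shift_up("monkey"), "dragon" + domain_suffix("sony.com")):
        print(secret, "->", crack(H(salt, secret), salt, WORDLIST, "sony.com"))
```

With five words and seven rules the shifted "monkey" falls on the seventh candidate and the formula-suffixed "dragon" on the thirty-fourth; a genuinely random password is the only input that exhausts the search. That is the "slightly more secure" of the reply made concrete: each extra trick multiplies the attacker's work by a small constant, while a second site's plaintext lets them add the right rule outright.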

------
ars
Is a Sony contest site really "high security" in the minds of users?

If I were entering I would use an easily guessed password for it because I
don't care that much about the account. Email and banks get much better
passwords.

~~~
FilterJoe
A Sophos survey found that 48% of users use "a few different passwords."

http://www.thetechherald.com/article.php/200911/3184/Internet-users-still-using-same-password-for-all-Web-sites

I have interviewed a few people about their password strategies and quite a
few seem to have a tiered password approach. But that is still an easy setup
to exploit, as I explain here:

http://www.filterjoe.com/2010/05/14/the-usual-way-to-manage-passwords/

Furthermore, I've noticed in my interviews that few people realize that the
account they need to guard most is their e-mail account. They may have a 3
password strategy but, it goes something like:

worst password: forums, news sites, Sony, etc.
better password: email, social
best password: banks, brokerage, commerce

Once someone gets into your main email account, it's usually pretty easy to
break into all the other accounts unless you have a unique password for every
account.

------
canterburry
It is interesting to me that many of the posts contained here, not to mention
the article itself, spend so much time and effort on debating good vs bad
passwords and improved password techniques when the hackers themselves didn't
even need a password to obtain all this information in the first place.

Discussing quality of passwords is only relevant in the context of a system
that has no other weak points that can be easier/faster exploited than the
passwords themselves.

And even then...key loggers, trojans, phishing, script injection etc...they
can all capture passwords of arbitrary length and complexity...

I would be curious to see statistics around break-ins where the root cause was
actually hackers reverse engineering/guessing an unknown password vs. obtaining
access using a password they obtained otherwise or simply bypassing any
username/password mechanisms altogether. I have a feeling the latter two would
comprise 99+%.

~~~
FilterJoe
Regardless of the root causes for how passwords get hacked, having a unique
and strong password for each account helps limit the damage for nearly all
forms of password theft to just one account. The following post (mine)
describes the 9 most common forms of password theft as well as protection and
damage control for each:

http://www.filterjoe.com/2010/05/14/how-attackers-steal-passwords/

You'll see that if you simply do the following, it will stop or at least limit
the damage from the most common forms of password theft:

"Use a password manager to assign unique, random 15 character passwords for
all accounts, protecting them with a strong master password."

------
gylgamesh
The safe password rules are simple and well known:

1. Eight chars minimum.

2. At least three different types of chars out of these four: small and large
letters, digits and special symbols.

3. No known words of any language and no names, not even interchanged with
digits like 3 for E, 5 for S, 1 for l or 7 for T.

4. HTTPS secure login.

5. Never show or transmit unencrypted passwords.

Unfortunately too many website designers don't even know these rules or don't
care to enforce them on their members. Some sites don't even allow special
symbols or do not have a minimum length requirement.

If your site stores even more sensitive information like credit card data,
SSNs &c. then these requirements and more are prescribed by industry
standards and in some cases even the law.

It's too bad PSN didn't care about any of this. They could have at least
accepted PayPal payments, so that credit card data would not have been stored
on their servers.

------
bostonvaulter2
Does anyone know the password restrictions that Sony music used? Like minimum
password length and what special characters were allowed?

------
lukejduncan
Very interesting, but let's also consider the source. I personally have a
hierarchy of passwords. Things that are important (e.g. banking) get unique
random passwords. Sites like sonypictures.com that I'll probably never use
again and don't care if someone gets access to... they get one of my old
passwords that I'll remember.

------
miguelpais
>> "And if the passwords were salted before the hash is applied? Well, more
than a third of the passwords were easily found in a common dictionary so it’s
just a matter of having the compute power to brute force them and repeat the
salt plus hash process."

Well, assuming that you know the hash, because if you don't, things don't get
that easy. I'm assuming systems that salt passwords don't store the salt in a
row of their database, but with security, or the lack of it, everything seems
to be possible.

~~~
jbri
Where else would you store the salt?

If you're storing it in a place more secure than where you're storing the
password hashes, _why not store the password hashes there in the first place?_

~~~
miguelpais
If the salt is the same for all the users you can have it in the source code
that hashes the passwords. Being SQL injected doesn't always mean having the
back-end code leaked.

~~~
tedunangst
That defeats the purpose. The whole point is to have a unique salt per user to
force the cracker to spend time on every password.
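
The difference between the two designs in this exchange is one of arithmetic, and it is easy to show with numbers. The block below is an added example, not code from the thread: the same six users are stored once under a single site-wide salt that lives in the application code and once under a random per-user salt stored beside the hash, and both tables are attacked with the same short wordlist. The users, wordlist and site-wide salt are constructed, and SHA-256 stands in for the slow KDF (bcrypt, scrypt, PBKDF2) a real deployment would use; what matters here is the count of hash computations, not the speed of one.

```python
"""Added example: why the salt has to be per user.

Constructed users, wordlist and site salt; SHA-256 stands in for a real KDF.
"""
import hashlib
import os
from collections import defaultdict

USERS = {                      # constructed plaintexts, as if from a dump
    "alice": "password",
    "bob": "monkey",
    "carol": "Xk9#vq2L",
    "dave": "password",
    "erin": "dragon",
    "frank": "t8!rWz0p",
}
WORDLIST = ["123456", "password", "letmein", "monkey",
            "qwerty", "abc123", "football", "dragon"]


def H(salt: bytes, pw: str) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


# --- design 1: one site-wide salt, kept in the application code ---
SITE_SALT = b"hypothetical-site-wide-salt"


def store_global(users, site_salt=SITE_SALT):
    return {u: H(site_salt, pw) for u, pw in users.items()}


# --- design 2: a random salt per user, stored next to the hash ---
def store_per_user(users):
    out = {}
    for u, pw in users.items():
        salt = os.urandom(16)
        out[u] = (salt, H(salt, pw))
    return out


def crack_global(table, site_salt, wordlist):
    """One hash per word serves every user at once."""
    by_hash = defaultdict(list)
    for u, h in table.items():
        by_hash[h].append(u)
    cracked, work = {}, 0
    for w in wordlist:
        work += 1
        for u in by_hash.get(H(site_salt, w), []):
            cracked[u] = w
    return cracked, work


def crack_per_user(table, wordlist):
    """Every word has to be re-hashed under each user's own salt."""
    cracked, work = {}, 0
    for u, (salt, h) in table.items():
        for w in wordlist:
            work += 1
            if H(salt, w) == h:
                cracked[u] = w
                break
    return cracked, work


def duplicate_groups(table):
    """With a shared salt, users with the same password have the same hash."""
    by_hash = defaultdict(list)
    for u, h in table.items():
        by_hash[h].append(u)
    return [sorted(us) for us in by_hash.values() if len(us) > 1]


if __name__ == "__main__":
    g = store_global(USERS)
    print("site-wide salt:", crack_global(g, SITE_SALT, WORDLIST), duplicate_groups(g))
    p = store_per_user(USERS)
    print("per-user salt :", crack_per_user(p, WORDLIST))
```

Against the site-wide salt the attacker hashes each of the eight words once and reads off every user with that password, and the table itself already shows that alice and dave share one. Against per-user salts the same four accounts still fall, but only after thirty-two hashes instead of eight, and the cost keeps growing linearly with the number of users. Keeping a single salt in the source code only helps until the code leaks, and the moment it does the attacker is back to one pass over the wordlist.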

