Bruce Schneier on Real-World Passwords

[pne]

Bruce Schneier has an article on real-world passwords—specifically, he analysed username/password combinations (allegedly) phished off MySpace.

One quote I like:

We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?

Besides that, he has statistics on password length, top 20 most common passwords, and character mix (letters only vs alphanumeric vs digits only vs non-alphanumeric).

And the top-20 list includes a password I use! \o/ (in a couple of places that I don't consider particularly high-security).

As an aside, I wonder how many of those top 20 passwords are in common use on LiveJournal (and how many more were in common use before LiveJournal changed its password policies).

Comments

[asciident]

*wonders why 'monkey' and its variants are so popular*

I use a crappy password on low-security sites, but it's not a popular one (at least, according to this list, and really probably any list...).

monkeys

[pne.livejournal.com]

*wonders why 'monkey' and its variants are so popular*

So did Schneier.

One of the commenters guessed that it's "probably a reference to 'Arctic Monkeys' one of the first bands to use MySpace and make it really big via 'word of mouth' without having a record label at the time."

[pthalo]

none of my passwordss made the list!

my very first password was the last name of the girl i had a crush on. i don't use that password anymore, except for throw away accounts, though usually i vary it in some way with numbers.

i generally pick highly inflected hungarian words and insert random numbers or symbols at odd places in them. for example (not oneo f my real passwords, but a ncie example) the word "love" would be in a dictionary, but the word "i could have love you" (szerethettelek) is less likely to be. i tend to use a phrase though instead of words. something like "elnyeltekasuruvarosok" (the thick cities have swallowed me)

[pthalo]

i just had the thought that someo f the funnier code mixing examples that turn up in my conversations would make decent passwords, things like: azok a deutsche emberek mindig ott are. (Those German people are always there (said by my friend, while pointing at a café). of course, it'd only be a decent password if it's used in places where no one knows that story.

[pthalo]

(and for linguistic geekiness, a word-by-word translation of azok a deutsche emberek mindig ott are: those the german people always there are. The "are" is at the end of the sentence because the primary language of the sentence is Hungarian, so the words are in Hungarian order)

another neat example would be "te szépen el-walking-ozol to my kocsi and get your dob" (you nicely away-walk-[verb maker]-you to my car and get your drum). The -oz verb ending is needed because "walk" doesn't sound like a hungarian verb.

[wingflutter.livejournal.com]

Philip, thank you for the card! :)

[leighbug]

That was interesting! My password isn't on there, but...I use the same password for everything. At one point, I did try to use different ones, but I couldn't remember what password I used for what account, so I ended up locking myself out of my MSN Messenger for awhile, because I also couldn't remember what I used for my secret question.

However, my work does use password as it's password! On top of that, the passwords are taped on the computer monitor.