thejode

Mass Password Brute Over 33 million passwords stolen


Are you a member of Rockyou.com? You probably know about this (and have most likely deleted your account and sided it with a complaint letter to the company), but 33 MILLION passwords were stolen from the database, and are now floating around in cyberspace. Some people have gotten so ticked, they've sued rockyou. Now, you may think "It's not their fault, it was a security breach". This is a lot worse. They might as well write their passwords on their office building. The passwords were stored in simple text files, UNENCRYPTED.

Now, what is Rockyou? They've created social networking applications, such as "Pieces of Flair", and "Superwall".

Now, here's kind of the problem with Rockyou's user database. The most popular user password was "123456", followed by "12345687". Other incredibly imaginative and secure passwords were closely following these two, including "Password", "QWERTY", and "rockyou".

 

If a hacker used the list of top 5,000 passwords for a dictionary brute force on Rockyou, it would take only one attempt per account to guess about 0.9% of the community's passwords. At this rate, hackers would gain access to 1 account every second, or 17 minutes to gain access to 1,000 accounts. Now, estimates show that sites like Gmail, Hotmail, AOL, etc. probably carry the same population of people who use these ridiculously easy passwords. But they have a captcha, a computer generated image that displays text and letters at a funky angle and weird colors.

 

[Image: sample captcha, generated by Google]

 

Other security systems require you to answer a question ("What is the color of the sky?"), and complete arithmetic problems via a captcha.


 

Most experts agree that passwords haven't changed from 20 years ago. Users and businesses are just becoming more careless about security measures. Companies are also worried about employees using the same insecure password they use for social networking sites as they use for their business. This brings a new threat of a mass password hack that could result in millions of dollars lost. Who will suffer? Those who are careless. Beware of "123456" passwords!



Excellent Post! A lot of information there! I definitely agree! People are becoming less creative with the passwords. I don't even know what my facebook or gmail password is. You know why? Because I barely see it, because I can touch type, I coordinate my fingers to form a pattern on the keyboard (UK keyboard, I'm screwed in Russia, and seriously twisted in China) but hey it works! If I was battered to a pulp with a spoon I wouldn't be able to think of the password. Every time I have to check my mail on the phone I have to use my fingers and think very hard of the keyboard layout.

 

Anyway, I think all passwords should follow the same format (maybe not as uptight and with so much paranoia as mine but still) - something that is utterly random, that will take more than 3 attempts for a hacker to use Brute Force, as after three attempts, most applications like googlemail initiate a form of security often in the form of captcha codes and questions.

 

Be careful! AND NEVER use the same password for bank accounts, business networks and school/uni networks. It is highly dangerous depending on the level of information at risk!

 

And when it is advised to use mix characters, uppercase and lowercase & numbers + symbols, be grateful and use it to your advantage!

 

:)
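The original post estimates what a top-5,000 list yields at one guess per account, and the reply above notes that services like Gmail demand a captcha after about three failed attempts. The following is an added example, not code from this thread or from any of the sites it names, of such a gate in Python: failed logins are counted per account and per source address inside a sliding window, and once either count reaches its threshold the attempt must carry a solved challenge before the password is even checked. The thresholds (3 per account, 10 per source, 15-minute window), the sample users and the `verify` callback are assumptions chosen for the demonstration.

```python
import time
from collections import defaultdict, deque


class FailureWindow:
    """Counts failed logins per key inside a sliding time window."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        events = self._events[key]
        while events and now - events[0] > self.window:
            events.popleft()
        return events

    def count(self, key, now):
        return len(self._prune(key, now))

    def exceeded(self, key, now):
        return self.count(key, now) >= self.threshold

    def add(self, key, now):
        self._prune(key, now).append(now)

    def clear(self, key):
        self._events.pop(key, None)


class LoginGate:
    """Decides whether an attempt may be verified or must first pass a challenge.

    Thresholds are assumed values: 3 failures per account (the figure quoted in
    the thread), 10 per source address, both inside a 15-minute window.
    """

    def __init__(self, per_account=3, per_source=10, window_seconds=900):
        self.account = FailureWindow(per_account, window_seconds)
        self.source = FailureWindow(per_source, window_seconds)

    def attempt(self, username, password, source, verify, captcha_ok=False, now=None):
        if now is None:
            now = time.time()
        gated = self.account.exceeded(username, now) or self.source.exceeded(source, now)
        if gated and not captcha_ok:
            return "challenge-required"  # password is not even checked
        if verify(username, password):
            self.account.clear(username)
            return "ok"
        self.account.add(username, now)
        self.source.add(source, now)
        return "bad-password"


def attempts_until_challenge(gate, pairs, source, verify, now=0.0):
    """Feed (username, password) pairs from one source and count how many are
    actually verified before the gate demands a challenge. A policy test."""
    verified = 0
    for username, password in pairs:
        if gate.attempt(username, password, source, verify, now=now) == "challenge-required":
            break
        verified += 1
    return verified


# Constructed sample accounts; "alice" has one of the thread's weak passwords.
SAMPLE_USERS = {"alice": "123456", "bob": "correct horse battery staple"}


def sample_verify(username, password):
    """Stand-in for a real credential check (hashed storage belongs here)."""
    return SAMPLE_USERS.get(username) == password


if __name__ == "__main__":
    gate = LoginGate()
    guesses = [("bob", f"guess{i}") for i in range(5000)]
    print(attempts_until_challenge(gate, guesses, "203.0.113.5", sample_verify))
```

The per-source counter is what matters for the post's scenario of one attempt per account: a per-account limit never fires when each account sees a single guess, so the gate also has to count failures by origin. Even that only holds against one origin, which is why rejecting weak passwords at registration is the complementary control.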


That is why I make my password as secure as I can, to prevent being a victim of a hacker ("wordpass" is ftw). Seriously though, I would be so pissed if this happened to me. Websites need to make sure their systems are encrypted and safe to prevent hackers stealing passwords from the website's user base. At least keep it more secure by adding a captcha question, or whatever they are called, and try to beat the hack bots from mass hacking like this from happening.



Yes, this is really terrible. Such weak passwords. But this really isn't surprising. We'd all be amazed how much this wouldn't happen if people took the extra .5 seconds to add a number or two to the end of their password. Leave the door open and people will come in. Using passwords like "1234" just isn't smart.

Talk about "grabbing the wrong end of the stick". People use short passwords because they are easy to remember and enter. I have a short password and I still mistype it. Couple that with the rotating password system that is recommended (replace your password after 6 months) and you are obviously going to pick a short, easy to remember (and break) password. Demand a 32 character password for your site and see how many people will bother to log in! Do you think that corrupt corporations would put up with it taking 10 minutes/day for their workers to successfully log in to their user accounts? A simple mechanical key & lock would be more effective!

How many people would use ATMs, if their PIN changed every 6 months?

 

Look at this list for example, it lists the most common of the 32 passwords provided by v-Sync:

 

1. 123456
2. 12345
3. 123456789
4. password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
11. nicole
12. daniel
13. babygirl
14. monkey
15. jessica
16. lovely
17. michael
18. ashley
19. 654321
20. qwerty
21. iloveu
22. michelle
23. 111111
24. 0
25. tigger
26. password1
27. sunshine
28. chocolate
29. anthony
30. angel
31. FRIENDS (yes, all caps)
32. soccer

How many of you are guilty in using these passwords?

Edited by deadmad7 (see edit history)


Personally, on some registration forms, I use passwords like 1234 etc. just because I don't care about that account, but for the accounts I care about I usually use quite good passwords, which are hard to hack. But it's strange for me that those passwords aren't encrypted in the database and can be seen like that, just by getting some data from the database, or sometimes they're encrypted with functions which can be decrypted quite easily, for example base64 ;]


Wow, what idiot would make their password that? My password for everything is 21 characters long and consists of numbers and some caps. If someone guessed my password it would be a miracle. It's funny how the most popular one was 12345678. :) And password, seriously?


Lol this is so funny - how could they even not encrypt their database records?! In this day and age?!! Half of the people use the same set of passwords for each and every site they register to, so unless the hacker is stupid he can get access to almost every aspect of the victim's online presence. While keeping weak passwords is the victim's fault, getting hacked isn't entirely the person's fault. In this case, clearly the website and the people who maintain it are to blame - they may have caused losses to hundreds of people in terms of privacy, money, etc :)


Wow, I've made some login systems (back in the days when it was warm), and I always use an md5 hash to verify the password. How the hell can someone be so 'smart' as to save the password itself to the database?! It should be done like this:

1. You have the md5 hash of the user's password in the database.
2. The user enters the password on login.
3. You convert the password to md5 and compare it with the one in the database; if they match, log in.

You have to be a really dumb programmer nowadays to have the passwords themselves saved up there... IN TEXT FILES?! Not even in a dynamic database?! Were they trying to get hacked on purpose?
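The flow in the post above (hash at registration, hash what the user types at login, compare the two), written out as an added example that is not the poster's code. It swaps the unsalted md5 for PBKDF2-HMAC-SHA256 with a random per-user salt, because an unsalted fast hash of a password like "123456" is recovered from a dump by a single table lookup; the in-memory dict standing in for the users table, the iteration count and the sample user are assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, tune it to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt, iterations=ITERATIONS):
    """Derive a fixed-length hash from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(db, username, password):
    """Store salt + hash only; the plaintext never reaches the table."""
    salt = os.urandom(SALT_BYTES)
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def login(db, username, password):
    """The post's flow: hash the submitted password, compare with the stored hash."""
    record = db.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison: a plain == can leak how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def dump_contains_plaintext(db, password):
    """What a leaked copy of the table exposes: is the password itself present
    anywhere in the stored bytes? (The answer should always be False.)"""
    needle = password.encode("utf-8")
    return any(needle in rec["salt"] + rec["hash"] for rec in db.values())


if __name__ == "__main__":
    users = {}  # constructed in-memory stand-in for the users table
    register(users, "alice", "ThisSucks11!!")
    print(login(users, "alice", "ThisSucks11!!"), login(users, "alice", "123456"))
    print(dump_contains_plaintext(users, "ThisSucks11!!"))
```

The salt is what makes the stored value useless as a lookup key across users: two people who both chose "123456" get different hashes, and a precomputed table of md5("123456") finds neither.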

Edited by Baniboy (see edit history)


I'm guessing that someone didn't even bother, thinking that it wouldn't be that big of a deal... or that person was "getting around to it." Text files? Do it right the first time and you won't suffer the bad PR that comes with a massive blow to security like this.

Even though it was their fault in basically leaving the keys in the car, it goes to show how stupid people really are when it comes to passwords. You trade in security for convenience, and if you're protecting your financial information with these kinds of passwords... well, you deserve to have your crap stolen from under your nose if you're that lazy.

Good rule of thumb for passwords: letters, numbers, uppercase, lowercase, and symbols. Mix it up and you'll severely reduce your chances of an easy brute force hack. I'm a lazy guy by nature myself, but I still go by that philosophy, and it's relatively simple to stick to it while making it easy to remember.

I used to use "ThisSucks11!!" for one of my work stations when I was stationed in Germany. It has two capital letters, the rest lowercase, two numbers, and two symbols to meet DOD standards for passwords, plus it was easy to remember because... well, my job sucked. See how easy that is and how much more of a force it is to be reckoned with compared to "123456"?

You can do the same thing too to keep yourself safe. Use a phrase, or a name even. "Michael" can turn into "MichaelJames13!!". "Password" can be something as easy as "Pa55word!!", which gives you the effectiveness of adding numbers and symbols to your password, and essentially, it's the same password.

Of course, this is all useless if you're the kind of guy who loves to write your passwords down on a sticky-note and stick them to the sides of your monitor...
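The advice in the thread so far (reject the list of common passwords deadmad7 posted; mix upper, lower, digits and symbols, as the post above recommends), written as a registration-time check. This is an added example, not any poster's code. The blocklist is built from the 32 entries quoted earlier in the thread; the minimum length, the three-class requirement and the digit-for-letter folding table are assumptions. The folding step goes a little beyond the posts: it also undoes the substitutions that produce "Pa55word!!", so that variant is rejected as the blocked word "password" rather than accepted on composition alone, which is the caveat a practitioner would attach to the "same password with numbers and symbols" suggestion.

```python
import re

# Constructed blocklist: the 32 entries quoted earlier in this thread. A real
# deployment loads a much larger list (a full breach corpus or published top-N
# list) from a file.
COMMON_PASSWORDS = frozenset("""
123456 12345 123456789 password iloveyou princess rockyou 1234567 12345678
abc123 nicole daniel babygirl monkey jessica lovely michael ashley 654321
qwerty iloveu michelle 111111 0 tigger password1 sunshine chocolate anthony
angel friends soccer
""".split())

# Digit/symbol-for-letter swaps that cracking wordlist rules undo; folding them
# here means "Pa55word" is compared as the blocked word "password". Assumed table.
LEET_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def blocklist_forms(password):
    """Yield the forms of a password that are looked up in the blocklist."""
    lowered = password.lower()
    yield lowered
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # "Password1!" -> "password"
    if stripped:
        yield stripped
    for form in (lowered, stripped):
        folded = form.translate(LEET_TABLE)
        if folded and folded != form:
            yield folded


def character_classes(password):
    """Number of distinct classes present: lowercase, uppercase, digit, symbol."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password, min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means accepted.

    min_length and min_classes are assumed policy values.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    blocked = next((f for f in blocklist_forms(password) if f in COMMON_PASSWORDS), None)
    if blocked is not None:
        problems.append(f"matches common password '{blocked}'")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password1", "Pa55word!!", "ThisSucks11!!", "MichaelJames13!!"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Composition rules alone accept "Password1" and "Pa55word!!"; the blocklist with stripping and folding is what catches them, and it is the cheapest check a site can run before it ever stores a hash.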


Well, I was trying to figure out how on earth qwerty could be an easy to guess and commonly used password and was just going to ask how anybody could come up with that one, then I looked at my keyboard. Duh. Now it makes sense. But I guess I'm a little better, I don't use any of those passwords. I try to make my passwords complicated, but then unless I write them down I will never remember all of them, so if somebody actually got my list I'd be in trouble, but at least it's not on my computer, and they would have to get through me, my dogs and my 357 to get my list :)


To add, passwords like qwerty and asdf are also popular. On some services I also use them, especially on localhost when creating something and adding users; these passwords are very convenient, easy to remember, and I don't really care about them on localhost, as with time the database will be flushed. But as I said, for services people don't care about, they use these passwords, even though it's a bad habit; it's really much better to use hard-to-guess passwords every time. Also, I think all online services need to have the ability to reset passwords and so on.

