CyberKnowledge Technology Blog


Analyzing 20,000 MySpace Passwords

Posted by Alex Bailey on September 16, 2006

In a day when browsers are shipping anti-phishing features, I can’t believe how many people still fall for phishing. It’s all over the news, and most email clients display warnings. I still get those letters from Nigeria saying they need my help transferring millions of dollars out of the country; if nobody fell for them, they wouldn’t keep sending them. So when I got an email from “Admin@MySpace.com” I chuckled. It was the usual scam trying to get me to log in to a fake MySpace login page. I of course entered bogus login details for an account I don’t have and never will. Then I went to the root directory the script was in. Sure enough, directory listing was enabled, and there sat a plain text file with 20,000 emails and the passwords to go along with them. I downloaded it, looked through it for a bit, and started parsing it with .NET and PHP. The results were rather interesting. Some passwords were terrible and others were decent. A lot of them are simply “password”. An odd number of them also contain the word “poop”, which only goes to show how childish these people are. We’ll start with the most popular email hosts.

[Chart: Emails (share of each email host)]

Yahoo, Hotmail, AOL. No surprise there, really. I’m surprised AIM didn’t take a bigger piece of the pie. If you’re wondering why the percentages don’t add up to 100, it’s because there are a lot of minor hosts with only 10 to 20 entries each that weren’t worth charting individually; a cleaner chart would lump them into an “Other” slice. Next we’ll look at how long each person’s password is. Most of them are fairly decent, to my surprise, with an average length of 7 characters.

[Chart: Number of Chars (password length distribution)]

Length means little if a password draws on a small alphabet: seven lowercase letters give 26^7, roughly 8 billion, possibilities, and far fewer if the password is a dictionary word. Most of the passwords were all lower case.

[Chart: Upper and Lower (case usage)]

There is still hope for those passwords if they added any numbers or special characters. Amazingly, most people actually did.

[Chart: Numbers (passwords containing digits or symbols)]

Next I tested every password for strength with a simple PHP script, scored on a four-point scale: one point each for containing a lower case letter, an upper case letter, a symbol, and a number. All of my email and bank passwords score a four on this scale; all of my forum and throwaway passwords score a three. I think it’s a pretty good simple test for how these passwords were built, with the caveat that it says nothing about length or about whether the password is a dictionary word.

[Chart: Strength (distribution of the 0-4 score)]

PHP code I used (the symbol pattern originally listed every punctuation character by hand with an unescaped hyphen inside the class, which PCRE rejects as an out-of-order range and which is why preg_match silently returned false; matching anything that is not a letter or digit is simpler and does the same job):

    <?php
    // Score a password 0-4: one point each for a lower case letter,
    // an upper case letter, a digit, and a symbol.
    function CheckPasswordStrength($password) {
        $strength = 0;
        $patterns = array(
            '/[a-z]/',         // lower case letter
            '/[A-Z]/',         // upper case letter
            '/[0-9]/',         // digit
            '/[^a-zA-Z0-9]/',  // symbol: anything that is not a letter or digit
        );
        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $password)) {
                $strength++;
            }
        }
        return $strength;
    }
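The parsing and tabulation the post describes, written out as an added example in Python rather than the .NET and PHP the author actually used. The sample dump, the set of “major” hosts and the “other” bucket are assumptions of this example, not the original file or script; the two malformed lines are there to show what the parser skips.

```python
"""Tabulate an "email:password" dump the way the post describes.

Added example in Python, not the .NET/PHP the post was parsed with.
SAMPLE_DUMP is constructed for illustration and is not the phished file.
"""
import re
from collections import Counter

# Constructed sample in the dump's email:password layout (not real data).
# Two deliberately malformed lines show what the parser skips.
SAMPLE_DUMP = """\
alice@yahoo.com:cookie123
bob@hotmail.com:password
carol@aol.com:iloveyou
dave@yahoo.com:Summer06!
this line has no separator
erin@gmail.com:abc123
frank@hotmail.com:password
nouser:password
grace@yahoo.com:fuckyou
heidi@earthlink.net:P@ssw0rd
"""

# Hosts the post charts individually (assumed); everything else goes into an
# "other" bucket so the percentages add up to 100.
MAJOR_HOSTS = {"yahoo.com", "hotmail.com", "aol.com"}

# The four character classes of the post's 0-4 score.
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def parse_dump(text):
    """Yield (email, password) pairs, skipping blank or malformed lines.

    Splits on the first ':' only, so a password that itself contains ':'
    is kept intact.
    """
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email or not password:
            continue
        yield email.lower(), password


def strength(password):
    """The post's 0-4 score: one point per character class present."""
    return sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)


def analyze(text):
    """Compute the statistics the post reports from a dump in text form."""
    pairs = list(parse_dump(text))
    if not pairs:
        raise ValueError("no usable email:password lines")
    passwords = [pw for _, pw in pairs]

    hosts = Counter()
    for email, _ in pairs:
        host = email.rsplit("@", 1)[1]
        hosts[host if host in MAJOR_HOSTS else "other"] += 1

    return {
        "count": len(pairs),
        "hosts": hosts,
        "lengths": Counter(len(pw) for pw in passwords),
        "avg_length": sum(len(pw) for pw in passwords) / len(passwords),
        # "all lower case" in the post's sense: no upper case letter anywhere
        "no_upper": sum(not re.search(r"[A-Z]", pw) for pw in passwords),
        # the post's "added any numbers and or special characters"
        "digit_or_symbol": sum(bool(re.search(r"[^a-zA-Z]", pw)) for pw in passwords),
        "strength": Counter(strength(pw) for pw in passwords),
        "top": Counter(passwords).most_common(5),
    }


if __name__ == "__main__":
    stats = analyze(SAMPLE_DUMP)
    print(f"{stats['count']} records, average length {stats['avg_length']:.1f}")
    for key in ("hosts", "lengths", "strength"):
        print(key, dict(sorted(stats[key].items(), key=str)))
    for pw, n in stats["top"]:
        print(f"{n} - {pw}")
```

On the constructed sample this yields 8 usable records, three Yahoo, two Hotmail, one AOL and two “other”, an average length of 7.9, six passwords with no upper case letter, and “password” as the most repeated entry; the same code runs unchanged over a real 20,000-line file.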

Most common passwords used:

13 – cookie123
12 – iloveyou
12 – password
11 – abc123
11 – fuckyou
11 – miss4you
9 – password19
9 – clumsy
8 – sassy
8 – summer06
8 – pablobob
8 – boobie
8 – fuckyou1
8 – iloveyou1
8 – tink69
8 – password1
7 – gospel
7 – terrete
7 – monster7
7 – marlboro1
7 – bitch1
7 – flower
7 – space

Summary:

While the passwords weren’t the best, they weren’t exactly terrible either. I consider strength two fine for a MySpace account: a basic password, usually with upper or lower case plus a number or symbol. Only 19% of the people had strength one, and given MySpace users’ track record for being computer illiterate, I don’t consider that bad. 46% of the passwords were seven characters long. That is long enough that guessing them through the login form would take a while, and with a CAPTCHA or lockout on failed logins an online brute-force attack is impractical. It offers no protection against an offline attack if the site’s password database is ever stolen, though, and none at all against phishing, which is how these 20,000 were collected in the first place. The biggest email hosts were Yahoo, Hotmail, and then AOL. I’m kind of surprised at that; I would have thought Hotmail would win out. If anyone would like more tests done, feel free to contact me.
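The guess-space arithmetic behind the brute-force remark above, as an added example that is not part of the original post. The guess rates, the tiny wordlist and its ordering are assumptions chosen to show the gap between online guessing against a rate-limited login form, offline cracking of a stolen hash database, and a dictionary attack; none of them are measurements.

```python
"""Guess-space arithmetic behind the summary's brute-force remark.

Added example, not from the post. Guess rates and the wordlist are
assumptions for illustration, not measurements.
"""
import math
import string

# Standard alphabets an attacker assumes once they know which classes appear.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Assumed guess rates (guesses per second).
ONLINE_RATE_LIMITED = 1.0   # login form behind a CAPTCHA or lockout (assumed)
OFFLINE_FAST_HASH = 1e8     # assumed rate against a leaked unsalted fast hash

# Constructed wordlist in assumed popularity order; real lists are far longer.
COMMON_WORDLIST = ["password", "iloveyou", "abc123", "cookie123", "fuckyou", "password1"]


def alphabet_size(password):
    """Size of the alphabet a brute-forcer must cover, given the classes used.

    Characters outside the four standard classes (space, non-ASCII) are
    added one by one so the estimate never collapses to zero.
    """
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    others = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(others)


def keyspace(password):
    """Candidates an exhaustive search of this length and alphabet covers."""
    return alphabet_size(password) ** len(password)


def guesses_needed(password, wordlist=COMMON_WORDLIST):
    """Worst-case guesses for an attacker who tries a wordlist before brute force.

    A password on the list falls at its list position; only a password that
    is not on the list makes the attacker pay for the whole keyspace.
    """
    if password in wordlist:
        return wordlist.index(password) + 1
    return len(wordlist) + keyspace(password)


def seconds_to_exhaust(password, rate):
    """Worst-case seconds at the given guess rate."""
    return guesses_needed(password) / rate


def years(seconds):
    return seconds / (365.25 * 24 * 3600)


def report(password):
    """The numbers a practitioner wants to see side by side for one password."""
    return {
        "alphabet": alphabet_size(password),
        "bits": math.log2(guesses_needed(password)),
        "online_years": years(seconds_to_exhaust(password, ONLINE_RATE_LIMITED)),
        "offline_seconds": seconds_to_exhaust(password, OFFLINE_FAST_HASH),
    }


if __name__ == "__main__":
    for pw in ("iloveyou", "fuckyou", "miss4you", "Summer06!"):
        r = report(pw)
        print(f"{pw:12s} alphabet {r['alphabet']:3d}  {r['bits']:5.1f} bits  "
              f"online {r['online_years']:.3g} yr  offline {r['offline_seconds']:.3g} s")
```

The point the numbers make: “miss4you” (8 characters, letters and a digit) takes roughly 90,000 years at one guess per second through a rate-limited form but under eight hours at the assumed offline rate, and “iloveyou”, despite an identical length and alphabet, is the second guess on the wordlist, so its keyspace never enters into it.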


105 Responses to “Analyzing 20,000 MySpace Passwords”

  1. Kurt says:

    One problem- these results are from the people who would enter their password on a bogus site. The people who had level 4 passwords would probably know what a phishing scam is

  2. Hmmm… looks like all the “fuckyou” passwords were directed at the phisher. Who actually knows how many of these are real? Whenever I’m in the mood to mess with a phisher I slam both hands on the keyboard when I enter my password, which could explain the majority of strength 2 results. The numbers are adjacent to the letters. :p

  3. Amp says:

    But then again, the majority of people who would have level 4 passwords wouldn’t be a member of Myspace, I know I’m not.

  4. Bob says:

    Kurt hit the nail right on the head!

  5. Bonekhan says:

    Interesting enough. Take into account that:

    a) It was a phishing website; while some of these may actually be passwords, I doubt the majority of them are real (I love to use vulgarity or humor to enter into these websites).

    b) Even though MySpace wouldn’t like to admit it, the majority of the people who attend it are more around the age of 9-17. Maturity and age may not be relative, but they would have something to do with it.

    And yes, commenter number 2 is probably right. This is very peculiar, I’d love to run an experiment like this. Of course, phishing is wrong… but still.

    Very nice results, Dugg :D

  6. Rub3X says:

    Most of them are actually valid. The ones that put fuckyou etc. have a valid email address. I scrolled through the list and found 2 instances of people saying “Nice try” or something similar. You’d be surprised how many of these are real.

  7. paul says:

    Well, for the amount of bogus info that is undoubtedly in this list, the reality is that the info is probably still a good indication of the status quo. An interesting exercise. May encourage use of stronger passwords… It’s always convenience vs security(paranoia) Remember, just because you ‘think’ someone is watching you doesn’t mean they aren’t!

  8. bigbob says:

    after myspace got taken to task for their security, they actually started making you put either a number or special character.

  9. automagnus says:

    hi your PHP code doesn’t seem to parse at this line
    $patterns = array('#[a-z]#','#[A-Z]#','#[0-9]#','/[¬!"£$%^&*()`{}\[\]:@~;\'#?,.\/\\-=_+\|]/');

  10. arunforce says:

    As a hacker myself, I know that most likely the script did not filter the accounts already logged and skip recording them, so my guess is that it recorded the same one and an idiot with the same account probably tried logging in 13 times with the same account and password. I don’t find it any more conclusive, and find “cookies123” to be rarer than “password” because in my hacking exploration, I have run across people who have used the word password as a password.

  11. Max says:

    Very interesting results. Could you post a link to that fake login page? I would like to see how well it was made to impersonate myspace.com. I appreciate it.

  12. Dave says:

    Well, even if you have a strong password, it won’t help you if you enter it at a phishing site.

  13. Rub3X says:

    “hi your PHP code doesn’t seem to parse at this line”

    In case something was messed up in the post, I’ll pastebin it. pastebin.ca/173670

    “Could you post a link to that fake login page?”

    Definitely not, sorry. Not only would MySpace bitch about that, but there are so many emails in there that spammers would use.

  14. Daniel says:

    Myspace requires a certain password length and that you use some kind of character or number, so the passwords you harvested that don’t meet the criteria are most likely fakes as well.

  15. Rub3X says:

    Ok, but I doubt it’s been like that forever. You don’t know how long these users have been signed up for.

  16. mark says:

    Not to forget there are tons of kids on myspace who don’t have any idea of password security.

  17. psymeg says:

    Of course it doesn’t matter what level of password you use if you fall for a phishing site.

  18. eXevalo says:

    Interesting article. I think some of them are fake but most of them probably wouldn’t be imo.

    Thanks for the PHP script, I’ve been looking for a script that does that.

  19. lexonlexoff says:

    an interesting idea for a study, however anyone who has ever taken a week of any statistics course will tell you that your population is very unreliable for all the above named reasons, therefore your results cannot be applied towards anything other than “passwords found on this specific phishing site”.

    As for the strength of the passwords (levels 1-4), I don’t believe myspace tells the user that passwords ARE case sensitive (and generally with that omission, the password is not case sensitive either) and many programs still do not allow special characters as password symbols, so you cannot blame that on illiteracy, but the fact that the website does not encourage the user to include these into the user’s password at the time of sign-up.

  20. vexorian says:

    So, why would the strength of the passwords matter if you can just steal them by phishing?

  21. Jeffrey Marans says:

    Given that phishers are asking for userid/passwd info to get into banking sites, isn’t anyone offering them the equiv of baited accounts to map the packet and currency flow?

  22. Greg says:

    It’s pretty bad when your town name is one of the most common passwords (marlboro). I always knew the people in my town were stupid.

  23. Severed says:

    Should be noted that as of quite a while ago, Myspace force the user to have a number or symbol in their password on signup.

    So this would explain the wide use of numbers in the password.

  24. Jan says:

    I think it would be interesting to run a few wordlists against the passwords to see how many of them can be broken by a dictionary attack.

    Of course it would also be nice to get stats how many of the passwords are valid and how long they stay valid ;-)

    You could send the stupid people mails telling them how stupid they were and that they should think twice before typing their passwords into phishing sites. But IF you do it, use very good anonymization. At least 10% of the people will be angry at you instead of being grateful. (Rate depends on wording of the mail ;-)

  25. Eddy says:

    @Rub3x (comment #16):
    You’re correct. I had an account made over a year ago with a password that was all letters. When I went to change it to something a bit more complicated, I had to have at least one number and one punctuation mark before the password would be accepted.

    I also agree with comments 1 and 2.

  26. good article.
    poster number 2 is probably right though.

  27. sfisher says:

    I wonder how many of those seven digit passwords are phone numbers.

  28. shorty114 says:

    Nice analysis. By the way, I got a CPU quota exceeded page when I tried your site.

  29. Kris says:

    hmm odd. I wonder what he’s going to do with this data now he’s done his statistics. Sell the list on eBay?

    No accusations, but you made statistics on data you shouldn’t really have.. don’t you feel slightly bad?

    maybe not if it helps people but yaknow.

  30. philgrad says:

    Interesting, although your final analysis is resting on a (partially, at least) flawed premise: that complexity in passwords makes more of a difference than password length. It simply isn’t true, mathematically speaking. However, if you are only going to have a 7 character password, then by all means make it complex. Otherwise, length is far superior–at 15-20 characters, even with only all lowercase characters a passphrase is easily the way to go.

  31. LoudMusic says:

    The comments about the “fuckyou” passwords are possibly correct, though I’ve known plenty of people who claimed to use that or variations of that as their regular password. So where the intelligent user (on My Space? …) might catch that it’s a phishing site, there is also a likelihood that a large number of people actually use “fuckyou” as their password. It types easy and is easy to remember. And if the feds ask you what your password is, “fuckyou” will make you laugh when you tell them.

    (:

  32. Kevin Mesiab says:

    Doesn’t matter how secure your password is if you’re falling for a phishing scam…

  33. “If you’re wondering why it doesn’t add up it’s because their are a lot of random ones with 10-20 that was a waste to include.”

    Standard practice is to include an “Other” category.

  34. Kenny says:

    Hmmm – it’s interesting, but it’s not a very scientific test. Very well presented though. Ta.

  35. Ben says:

    I’ve always wondered if someone is doing this with those free proxy sites that highschoolers often use to go to myspace at school. While it wouldn’t be a huge catastrophe if someone accessed your myspace account, it could easily become so with other types of sites that could easily be logged from the host providing the anonymous proxy.

  36. ZeWrestler says:

    Great work. I worked on a paper earlier this year that made a prediction of sites like myspace and facebook becoming phishing targets of the future. You’ve proven me correct with this. thanks.

    I discussed this post in my blog if you want to check it out. Good work, i’ll have to look a little further into this.

  37. I’m curious to find out more about this, especially the line that these “kids” are computer (or at least security) illiterate. While they’re clearly not teaching this stuff in high school, the generation coming up has had the internet as a part of their life since the word go.

    My intuition is that there’s a certain native intelligence that comes with that. Maybe more scores like this will tell us for sure.

  38. Phil says:

    What’s the deal with “pablobob”?

  39. Kyle says:

    Next test: how many use the same passwords for myspace and email?

  40. Anonymous Freak says:

    Since these results come from phishing attempts, the email provider results could be skewed. It could be that they sent the messages out to Yahoo more than AOL. It could be that Yahoo’s spam filter didn’t catch this phishing attempt, while AOL’s caught it part of the time. (Maybe Hotmail caught it every time, and the only people from Hotmail that responded are those that went through their spam folder…)

  41. Rob says:

    My old account was signed up in May a year ago, and it did not require numbers or other characters. The password still works. When I signed a second account up in December, that is when it required at least a number.

  42. Joe says:

    Sometimes when people aren’t sure if they’re on a phishing website they will try to put their actual email address in and match it with some bogus password to see if it returns an incorrect login screen.

  43. The best thing to do is to have a trash account to use in situations like these. It’s simple, and saves your ass every time!

  44. Underscore says:

    @ Post 38 >

    Frankly, from the amount of links I get in my ‘bulletins’ on MySpace to phishing sites, I really doubt that most myspace users are computer literate enough to know what’s happening. I have a lot of smart friends, but they have no idea what’s going on as soon as they get on the internet.

  45. m0 says:

    EXCELLENT Article. I like the way you presented with the graphs and how you defined the critical points. People should realize how crucial it is to supply uppercase as well as numbers in their passwords. A friend of mine said “I didn’t know that uppercase would add security”. People who are illiterate with computers don’t realize the security with those. I will forward this link to many people.

  46. Glassbox says:

    There’s also the consideration that the reduced amount of users coming from, say, Gmail, might be an indication that Gmail’s phishing filter works better (since it automatically shuttles phishing and spam to the spam folder). So maybe the portion coming from gmail was the initial people who got the email before gmail started filtering it.

    So maybe the message there is that AOL/Yahoo/Hotmail both have a high user base, and also fuckin’ suck at filtering out spam.

  47. This was really interesting. Thanks

  48. Mistral says:

    What’s the point in phishing this? As for the majority of people, they don’t actually care. Somebody steals their account, they don’t really care. They just go and create another and another. This is the same for most sites.

    Most people I also know have multiple email addresses. One for real stuff and another for crappy sites they can sign up to. They do this because the crappy sites tend to sell their info to spammers. Then when they get too much spam they just dump the address and sign up to their sites again on a new email address.

  49. blurry says:

    >and for MySpace user’s track record for being >computer illiterate

    Yes, but you could at least make sure you’re standing on solid ground when throwing stones and shoot for correct grammar. Try “…users’ track records…” :-p

    (by the way, myspace is somewhat more tolerable if you use greasemonkey to clean up the worst parts of the mess: for example, this script removes the wowie-neato custom styles designed by retarded kindergarteners with a box of crayons moosoft.co...easemonkey)

  50. Digirat says:

    personally, i always enter a phishing site, and put in my password as “fuckyou”

  51. HockeyInJune says:

    Props

    I have also noticed lots of phishers don’t give a shit about their security, but that’s how they get caught…

  52. Michael says:

    @ Post 44

    Better than a trash account is not to fall for such things at all. It only took me a few minutes to teach my elderly mother to identify and avoid phishing scams and other deceptive e-mails, so I have to think that if she can learn, almost anyone can.

    But how to reach people with the information they need? Clueless people often ignore whatever they don’t want to be bothered with.

    The most effective approach I can envision would be to spam millions of people with a phishing attempt, let them log in to a specially-crafted site, and then tell them: Hey, you just gave your info to a fake site! Then present a nice tutorial on how not to be taken by such scams in the future.

    Of course, I can’t endorse spamming and tricking anyone, but knowing how people tune things out until it “hits home”, I have to feel it might be the only chance to save some of these too-trusting people from themselves.

    At the very least, the author of this blog would be doing those 20,000-some MySpace users a favor if he’d e-mail them and let them know their information has been compromised. Too bad it would probably backfire and land him in trouble rather than the actual phishers.

    I guess it’s pretty much hopeless. As long as there are people to scam, there will be scammers.

  53. Dave says:

    LOL at assuming Marlboro is a common password because of people in the town of Marlboro (MA?) being stupid. Those guys are probably using their preferred means of contracting emphysema as a password.

  54. Daniel says:

    This is all quite good information, but as many people have stated this information is full of biased and non-factual information. I am sure that some of the passwords are valid, but that is a small percentage, and I would guess like 1% the rest are probably fakes.

  55. Rub3X says:

    You guys say most of the passwords are fake based on nothing. 1%? I bet 1% are fake. You need to stop under-estimating the stupidity of a MySpace user.

  56. raidedguy says:

    These results aren’t accurate. For anybody who has tried, myspace requires a NUMBER in the password; many of these passwords didn’t have numbers so they are all discounted as being wrong…
    Also, myspace passwords are required to be at least 6 characters long….
    That 1% estimate is therefore WAY OFF… Daniel would be right

  57. Rub3X says:

    Yet another genius that can’t accept the fact that you weren’t always required to use a number.

  58. Snoops says:

    Problem with this data is
    A) we don’t have the actual data (other people, not the writer) to compare it with
    B) we don’t know how many people put fake emails and passwords in

    Without that information, I don’t see where the academic gain would be in such a study..Unless you wanted to script the login to every account and report on the validity of each..

  59. unkilbeeg says:

    Why would anyone use a high quality password on a throw-away account? If I had a Myspace account I’d use what you’re calling a “level 1″ password — what’s more it would probably even contain real words (far more damning than all lowercase.)

    On an important account I would use a more secure password.

  60. BillyBob says:

    I agree that a lot of them can be “fake” and I’m shocked people want to phish for myspace accounts?? Why do they want that? So they can spam from “known accounts” till they are banned instead of making new ones.

    If they phish myspace, I guess they’ll phish deviantART next.

    In response to #41, I’ve found yahoo’s spam filter to be better than hotmail. Hotmail I normally have 30 emails, 15 in the inbox and 15 in the spam folder (all 30 of the emails spam). Yahoo normally two or three junk mails in the inbox and 28 in the junk folder.

  61. Matt Ball says:

    I’ve been interested in statistical password information for a while. My interest mostly lies with estimating the amount of ‘entropy’ within the average password. NIST (National Institute of Standards and Technology) has published a paper that might be of some interest. (See This document).

    In this document, NIST estimates that each character within a password only contributes about 2 bits of entropy (i.e. roughly 4 probable characters), with the first character contributing 4 bits of entropy. NIST awards a special ‘bonus’ of 6 bits for requiring the user to use 1 upper, 1 lower, 1 number, and 1 special (i.e. a ‘level 4′ password). When required to enter level 4 passwords, users tend to do the simplest thing to meet these requirements. They will capitalize the first character, make substitutions like ‘@’ = ‘a’, then end the password with some numbers.

    The writers of the NIST document mentioned that they didn’t have any good password databases on which to base their estimates. I was thinking that they might be interested in a password collection such as this one. NIST mostly used the work of Claude Shannon, who estimated entropy within text by asking people to guess the next letter when given some number of preceding letters. Using this experiment, Shannon discovered that in short sequences, each letter has something like 2.5 bits of entropy. In long passages, the entropy per character drops to around 1.5 bits.

    I was thinking that with a sufficiently large password database it would be possible to train a password guesser. One idea I was thinking of would be to estimate the probability of a particular character occurring, given some number of preceding characters (like 1-3 or so). Once such a system is setup, I imagine it would be possible to efficiently guess most people’s passwords.

    This information would be very useful in estimating the protection of using a password as an encryption key. I know passwords are weak, but it would be good to quantify this weakness, somehow. I suspect that even level 4 passwords wouldn’t add much protection in the average case, when used as a cryptographic key.
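The NIST estimate the comment above refers to is the user-chosen-password rule of thumb in SP 800-63 Appendix A (2006). Below is an added example, not code from the post, the commenter, or NIST, that implements the appendix’s per-character schedule and its 6-bit bonus for a composition rule requiring upper case and non-alphabetic characters, and sets the result beside the naive log2(alphabet^length) figure that brute-force arithmetic usually quotes. The appendix’s separate bonus for an extensive dictionary check (up to 6 bits, shrinking with length) is deliberately omitted, and the passwords in the demo run are constructed.

```python
"""NIST SP 800-63 (2006) Appendix A entropy heuristic for user-chosen passwords.

Added example, not code from the post or from NIST. Implements the
per-character schedule and the composition-rule bonus; the dictionary-check
bonus is omitted.
"""
import math
import string


def nist_user_chosen_bits(password, composition_rule=False):
    """Entropy estimate per SP 800-63 Appendix A for a user-chosen password.

    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, 1 bit each beyond 20,
    plus 6 bits if the system enforced a composition rule requiring
    upper case and non-alphabetic characters.
    """
    n = len(password)
    bits = 0.0
    if n >= 1:
        bits += 4.0
    bits += 2.0 * min(max(n - 1, 0), 7)
    bits += 1.5 * min(max(n - 8, 0), 12)
    bits += 1.0 * max(n - 20, 0)
    if composition_rule:
        bits += 6.0
    return bits


def naive_keyspace_bits(password):
    """log2 of alphabet^length: what brute-force arithmetic credits the password with."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(size) if size else 0.0


def compare(password, composition_rule=False):
    """Return (nist_bits, naive_bits) so the gap is visible side by side."""
    return (nist_user_chosen_bits(password, composition_rule),
            naive_keyspace_bits(password))


if __name__ == "__main__":
    # Constructed demo inputs.
    for pw, rule in (("iloveyou", False), ("P@ssw0rd", True),
                     ("the password is the cat", False)):
        nist, naive = compare(pw, rule)
        print(f"{pw!r}: NIST {nist:.1f} bits vs naive keyspace {naive:.1f} bits")
```

For “iloveyou” the heuristic gives 18 bits against a naive 37.6, and for “P@ssw0rd” under a composition rule 24 bits against about 52: the appendix’s point, and the commenter’s, is that a user-chosen password is worth far less than its keyspace suggests.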

  62. Why do people keep saying they would use a less secure password on such-and-such site because that site isn’t that important? Why use weak passwords at all with anything that is yours? If a crook gets into your things, they can use the resource, and get additional information about you.

  63. Rub3X says:

    Because MySpace is trash. People are telling me that MySpace doesn’t even have case sensitive passwords. This tells me their database of 90 million users and emails is unencrypted and in plain text. If they ever get broken in to, they are totally screwed. I don’t want my passwords that I use for important things being unencrypted.

  64. JSBach says:

    Sad truth is that many, many people use the same username/password combinations across a variety of accounts. So myspace username and pass is known now? Great, maybe that combination works on ebay. And before you say “but then stuff gets shipped to the victim, not the attacker”, consider this:

    Attacker acquires valid ebay account. If this person used the same user/pass on two sites, who says they didn’t use it on more? Perhaps their paypal is the same. Perhaps their e-mail is the same. Doesn’t sound likely, but it happens, and once is all it takes. Attacker then buys a bunch of game codes and time cards for popular games (or other non-physical goods), instructing the seller to e-mail the cd-key and/or time serial, as the attacker doesn’t need the actual media. Sadly, some sellers fall for this as well. If the attacker is clever, then they’ll set the victim’s e-mail to forward incoming mail to some junk hotmail account that they have control of.

    The laws of probability state that given a large enough problem space, even an event with only 0.01% chance of happening will indeed happen…

    So if only 1% of these username/passwords are real, and only 1% of those are linked to other useful accounts (ebay/paypal/etc…), then within a problem space of 10,000 victims, someone just got screwed. How much do you think a clever phisher could take in 12-24 hours? My guess is enough to make it worth the effort…

  65. Daniel says:

    It doesn’t tell you any such thing, Rub3X. If I were to implement case insensitive passwords, I’d just make the string the user passed me all lower (or upper) case before I hashed it and evaluated it as a password. I mean, seriously, that’s not a radical suggestion and I don’t feel the need to elaborate how obvious that solution is, either.

    Case insensitive passwords could be implemented in countless ways.

  66. Rub3X says:

    Ehh I suppose that’s true. Guess I jumped to conclusions.
    “As a website, MySpace really sucks, anyway I look at it — from design to features, to the presentation of personal member sites. What really shocked me is that when you retrieve lost password, MySpace emails your original password in plain text. Imagine how secure this website is…100 million users, with all passwords stored in plain text. It’s sad to see such sucky sites advance so far.”

    That was a quote on Digg.com. So I assume it’s in plain text still.

  67. JSBach says:

    The problem with case-insensitive passwords is that you’ve removed 26 possible combinations from the ‘entropy pool’. All lowercase passwords (no numbers/special) have 26^(password length) possible combinations. So a 4 digit password only has 456,976 possible combinations.

    Add in numbers and special characters, and you have 46 to 50-ish raised to the password length. Again, for 4 digits, you’re looking at 4.4 million possible combinations.

    So what about upper and lowercase, with no numbers/special? That’s 52^(password length), or 7.3 million possible combinations for a 4 digit password.

    Add them all in together, however, and you suddenly have 26.8 million possible combinations, and that’s just for a 4 digit password. (going on 72 possible characters)

    That same password strength over 12 characters gives 1.9 x 10^22 combinations.

    Since many sites will only allow ‘x’ failed logins before a predetermined wait period or even locking the account, phishing has become the new “brute force” for password cracks.

    The point is, since you’re willing to convert some characters to others (computers relate ‘a’ to ‘A’ about as much as they relate ‘a’ to ‘&’), why not translate all of the characters to ‘a’ to make it simple? The reason this isn’t done is to keep the ‘entropy pool’ open and available.

  68. Bob Webster says:

    Maybe the author did find the 20,000 passwords, I am guessing most are not MySpace passwords. Myspace requires a number or non-alpha character in the password, but the article lists many that are all alpha.

  69. Rub3X says:

    …All in favor of bold red size 7 font that tells people this security feature was not always in place say “I”.

  70. crazybilly says:

    I. er, ‘aye’.

    Can we pull our heads out of our butts for a second, too, and stop arguing about how unscientific this study is? Come on–the guy pretty much randomly stumbled onto 20,000 email/passwords in a text file on a phishing site, ran a pretty simple php script and stuck some results up on his blog.

    We’re not talking about university-style statistical analysis here. We’re talking about a guy w/ a web browser posting a find that we didn’t know about before.

    “Handy–thanks for the insight,” that’s what I say.

  71. Rub3X says:

    What would you like me to do with them. I’m the author of this unscientific study.

  72. Krick says:

    Ok, for part two, write a script that attempts to log into myspace with each email/password and logs right back out when successful. Then publish some statistics about the ones that succeed.

  73. MickeyM says:

    @ Post 53

    I disagree about setting up a “bogus” phishing site to teach people a lesson. That’s like stealing from people so you can tell them they need to watch their purses more closely.

    On the other hand, I heartily agree that the author should email the 20,000 users and let them know they were conned. He could use a disposable email address – the users that got suckered won’t know to track past that. Or perhaps he should send the site and list to MySpace and let them notify the users?

    Oops, you’ve been slashdotted… Guess this site will be flooded soon!

  74. Hippie Joe says:

    I would be interested in the following test:

    Password Strength vs. Users Email

    Would you find that the average user with a Gmail account is more security conscious then a user with an EarthLink account?

    Don’t mean to offend…and I do realize results would be skewed since the sample includes security unconscious users. However, how informed is the lower end of the barrel?

    Thanks.

    PS. If run, how about including password length, and character placement as additional point values. Ex. password ‘abc123′ vs. ‘a1b2c3′ (no quotes) – could extend the brute force calculations and confuse common-password dictionaries.

    Thanks again.

  75. Robbie says:

    “Maybe the author did find the 20,000 passwords, I am guessing most are not MySpace passwords. Myspace requires a number or non-alpha character in the password, but the article lists many that are all alpha.”

    Myspace only required a non-alpha character as of recently, so if a user created a password last year and hadn’t changed it, it could still be, for example, ‘iloveyou’.

  76. Fake says:

    Fake, Article. If not, provide a link to the Phisher Site. I’m doubtful: 1. A phisher would store so many retrieved credentials via flat-file. 2. How would you read a root directory if it’s occupied by an index file.

  77. Rub3X says:

    Indexed as in indexed by apache meaning there is no index file. 20,000 believe it or not is nothing for myspace. I’ve heard of hundreds of thousands being harvested. Link seems to be dead now, and if it weren’t I would not have provided it to you.
    1.) That would piss myspace off.
    2.) Expose all the tools to spam.
    3.) Possibly get me in trouble.
    I really don’t care if you don’t believe me or not, I won’t lose sleep over it.

    “Myspace only required a non-alpha character as of recently, so if a user created a password last year and hadnt changed it, it could still be, for example, ‘iloveyou’.”

    Ding ding. Finally someone with common sense! :)

  78. Observer says:

    I think an analysis of usernames in these responses would be more interesting. Lots seem to do with the size of… something. Compensation?

  79. Ben says:

    Haha the comment box requires your e-mail and says “(will not be published)” but does not say “(will not be phished)”
    Anyway, Hotmail would have been the top e-mail provider here if you had performed the test a year or two ago. However, when all the e-mail providers started the massive inbox size increases, Hotmail sat on its laurels and was the last of the big e-mail providers to up from its sadistically low quota (2-5MB I think). Who was the first to up their quota? Yahoo. This is perfectly represented in the results you gathered.

  80. Brian says:

    I think MySpace requires a numerical character in the password now. That might account for passwords such as “marlboro1”.

  81. Cliff says:

    FYI, I always type fuckyou into phishing websites password box to make their work harder.

  82. Andy says:

    This is pathetic password security. I don’t know about you guys, but my password is the 256-bit SHA-1 hash value of the Linux kernel. Amateurs. :)

  83. LonerVamp says:

    I’ve seen similar sorts of passwords as “fuckyou” on even work systems or other websites. It is more common than many people think.

    Another “test” that is a bit more grey than just grabbing the openly accessible password file is to try those same MySpace passwords against the email account used as the username to see how many people use the same password for both.

    Not sure if that is something one should do, but it is not often you get some good sets of data to perform such tests on.

  84. Johan says:

    @83: Which kernel build?

  85. Rub3X says:

    My TrueCrypt password is 43 characters. Upper, lower, numbers and half symbols. Beat that :)

  86. shortmail says:

    shortmail.net is an awesome anonymous service.

    You can even delete email and reply to it.

    I like to use a disposable shortmail.net account for my disposable MySpace accounts on the disposable internet.

    Excuse me, internets. Off to go clog some other pipes… darn beans.

  87. Bill says:

    “What would you like me to do with them. I’m the author of this unscientific study.”

    Create a simple script to run through the entire list and delete every single account. Fucking MySpace.

  88. Fred Nurk says:

    Best way to f**k phishing sites is like I do.

    Use a password or dictionary with 40 or 50,000 words in it, then custom-write a PHP script to enter data onto the said phishing site.

    Soon they have a useless 50-500MB data logged file :)

  89. Alex says:

    Agreed… This may be unscientific, but it’s food for thought.

    Would you consider posting the list of passwords somewhere (not with associated info like usernames)? It would be interesting to see what other unscientific analysis people can do on such info.

    Thanks mate, very interesting.

  90. [...] I recently posted about the MySpace phishing experience I had, so while on that train of thought I will go over two interesting phishing letters I’ve seen. The first one started off as a standard phishing email in the fact that my account is limited. When I clicked the link it was a new way of phishing that I had never seen before. It linked to a domain “www.removefraud.org” with a paypal template page saying the page has been moved. [...]

  91. kaizen says:

    Captain Wesker had the right idea – whenever I come across a phisher, my password, name, hell even my address quickly becomes some variant of “fuckyou”.

    In fact even on THIS site, my email addy was null@void.com – so while the article is interesting, it’s hardly conclusive.

  92. [...] In a day where browsers are coming out with anti-phishing tactics, I can not believe how many people still fall for phishing. It’s all over the news, and most email clients display warnings. So when I got an email from “Admin@MySpace.com” I kind of chuckled. [...]

  93. Lucia says:

    Even though MySpace has required a number in the past few months, it didn’t before, and I don’t believe I was prompted to change my password when that change was made.
    So the passwords without numbers could be real.

  94. CarnivalOfVenice says:

    Funny! The phisher broke the law; so did you.

  95. Rub3X says:

    How did I break the law?

  96. [...] I made a previous post about Analyzing 20,000 MySpace Passwords, and would like to add some new results to the mix. A blogger stumbled upon my site, and decided to do a little examination of some passwords he found. The results were quite similar to mine leading me to believe these are real results, despite what some of you say about them being fake. Anyways, on to the graphs. We’ll start with their age. So now we know 63% of MySpacers are still in high school. The email address results were nearly identical. Most MySpacers are female, which isn’t too surprising. 84% are straight. Most passwords were 7 digits with the number “1” appended to the end of them. I’m told MySpace forces a number into a password, so this makes perfect sense. Most were level 2 strength. If you aren’t aware of the scale it’s 1 point for cap, 1 for lower, 1 for number, 1 for symbol. [...]
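
    The four-point strength scale mentioned in the pingback above (1 point each for an upper-case letter, a lower-case letter, a digit and a symbol), implemented as an added example that is not code from the original post; the password list is constructed here and is not the leaked file.

```python
# Added example (not from the original post): score passwords with the
# four-point scale described above and tally the distribution, including
# the most common length and how many passwords end in a trailing "1".
from collections import Counter
import string


def strength_level(password: str) -> int:
    """Return 0-4: one point per character class present in the password."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes)


def summarise(passwords):
    """Tally strength levels, the most common length and the 'ends with 1' pattern."""
    levels = Counter(strength_level(p) for p in passwords)
    lengths = Counter(len(p) for p in passwords)
    ends_with_one = sum(1 for p in passwords if p.endswith("1"))
    return {
        "levels": dict(levels),
        "most_common_length": lengths.most_common(1)[0][0],
        "ends_with_one": ends_with_one,
        "total": len(passwords),
    }


# Constructed sample list in the spirit of the leaked file (not real data).
SAMPLE_PASSWORDS = [
    "password1", "iloveyou", "marlboro1", "poop123", "Summer07!",
    "abc123", "a1b2c3", "monkey1", "jordan1", "qwerty1",
    "Tr0ub4dor&3", "princess",
]

if __name__ == "__main__":
    for level, count in sorted(summarise(SAMPLE_PASSWORDS)["levels"].items()):
        print(f"level {level}: {count}")
    print(summarise(SAMPLE_PASSWORDS))
```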

  97. Jaysis says:

    …why did you go through all the trouble of figuring this all out? Wow…lmao. Just, wow man.

  98. lu--cy says:

    This has been a very interesting read — for a long time I used the same login and password combos for all my internet junk, but I wised up, and I use the PasswordMaker extension in Firefox. It makes VERY secure passwords of a custom length and character set and hash method with the option of using l33t.

    After reading this, I am very glad I did that!!!

    I agree with the general idea that if people didn’t get sucked into phishing scams, there wouldn’t be any. Secure or no, you don’t want to give any passwords away…

  100. Mirror says:

    This is pathetic password security. I don’t know about you guys, but my password is the 256-bit SHA-1 hash value of the Linux kernel. Amateurs.

  101. segamanxero says:

    I am 19 years old and use MySpace. I know certain people who use MySpace myself who use the same password for everything they use (I did until recently). Also I know people who have passwords like the ones described above. I recently changed my passwords; I now use a random password generator to generate my passwords. It generates passwords with both letters and numbers. I can’t remember these passwords off the top of my head so I let my browser remember them, which brings me to my question…

    Can these phishing sites fool my browser too?

    I do not use Internet Explorer, but a Mozilla variant for a browser… I dislike Microsoft for some reason…

  102. Alex Bailey says:

    [quote comment="2972"]I am 19 years old and use MySpace. I know certain people who use MySpace myself who use the same password for everything they use (I did until recently). Also I know people who have passwords like the ones described above. I recently changed my passwords; I now use a random password generator to generate my passwords. It generates passwords with both letters and numbers. I can’t remember these passwords off the top of my head so I let my browser remember them, which brings me to my question…

    Can these phishing sites fool my browser too?

    I do not use Internet Explorer, but a Mozilla variant for a browser… I dislike Microsoft for some reason…[/quote]

    No, valid question but no. If your browser remembers passwords for the domain “myspace.com” it will not put the password in any other domain, i.e. phishingsite.com/login.php.
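
    The rule described in the reply above, as an added example that is not part of the original post: a saved login is keyed on the origin (scheme, host and port) it was saved on, and a page on any other origin gets nothing, whatever path or look-alike host name it uses. The vault contents and URLs are constructed placeholders, and modelling the match as an exact origin comparison is an assumption of this example, not a description of any specific browser’s code.

```python
# Added example (not from the original post): a minimal model of the check a
# browser password manager applies before offering a saved login.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Normalise a URL to its origin: scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}{port}"


def autofill_candidates(vault: dict, page_url: str) -> dict:
    """Return only the saved logins whose origin matches the page's origin exactly."""
    page_origin = origin_of(page_url)
    return {o: creds for o, creds in vault.items() if origin_of(o) == page_origin}


# Constructed vault with one saved login (credentials are placeholders).
VAULT = {
    "http://www.myspace.com": ("someuser", "not-a-real-password"),
}

# Constructed URLs: the genuine login page and two phishing-style look-alikes.
PAGES = {
    "real":       "http://www.myspace.com/index.cfm?fuseaction=login",
    "path_trick": "http://phishingsite.example/www.myspace.com/login.php",
    "subdomain":  "http://www.myspace.com.phishingsite.example/login.php",
}

if __name__ == "__main__":
    for label, url in PAGES.items():
        filled = autofill_candidates(VAULT, url)
        print(f"{label:11s} {'FILLS' if filled else 'nothing'}  {url}")
```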

  103. elgortiz says:

    Just wondering, how do you find the root directory of a page or script? I would like to test this out myself; it’s very interesting.
