How good are MySpace passwords – better than expected

Mr. Bruce Schneier reports in his latest Crypto-Gram Newsletter:

It’s a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords.

As many as 25 % of users had an eight-character password, and 17 % logged in with a nine-character password.

There were some 32-character passwords as well (!).

The entry goes on to say that 28 % were just lowercase letters plus a single final digit — and two-thirds of those have the single digit 1. The report does, however, list passwords like password1, myspace1, qwerty1, 123456, princess1, etc. But there is that '1' added!

Some older references are included too.

Have a safe weekend!
Juha-Matti Laurio
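
The composition figures quoted above (length shares, the "lowercase letters plus a single final digit" share, and how often that digit is 1) can be measured on any password list, and the same pattern can be rejected when a password is set. The following Python sketch is an added example, not code from Schneier's analysis or from this post; the function names and the sample list are assumptions, and the sample is constructed from the five passwords named in the post plus made-up entries.

```python
import re
from collections import Counter

# Lowercase letters followed by exactly one final digit, e.g. "password1".
LOWER_PLUS_DIGIT = re.compile(r"[a-z]+[0-9]")


def is_weak_suffix_pattern(password):
    """Policy check: True if the password is only lowercase letters + one digit."""
    return LOWER_PLUS_DIGIT.fullmatch(password) is not None


def summarize(passwords):
    """Return the composition metrics the post quotes, as fractions of the list."""
    total = len(passwords)
    if total == 0:
        raise ValueError("empty password list")
    lengths = Counter(len(p) for p in passwords)
    pattern = [p for p in passwords if is_weak_suffix_pattern(p)]
    ending_in_1 = [p for p in pattern if p.endswith("1")]
    return {
        "total": total,
        "length_share": {n: c / total for n, c in sorted(lengths.items())},
        "lower_plus_digit_share": len(pattern) / total,
        # Share of the pattern group whose final digit is 1.
        "digit_is_1_share": len(ending_in_1) / len(pattern) if pattern else 0.0,
    }


# Constructed sample (hypothetical): not data from the phishing haul.
SAMPLE = [
    "password1", "myspace1", "qwerty1", "123456", "princess1",
    "sunshine7", "Tr0ub4dor&3", "correcthorse", "blue42", "x9!Kq2#mLp0z",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for length, share in stats["length_share"].items():
        print(f"{length:2d} chars: {share:.0%}")
    print(f"lowercase + one digit: {stats['lower_plus_digit_share']:.0%}")
    print(f"...of which digit is 1: {stats['digit_is_1_share']:.0%}")
```

Note that "123456" and "blue42" fall outside the pattern (no letters, and two trailing digits respectively), so a policy check built on this one pattern alone would still accept them.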

  • Prozacgod

    This may seem off subject, but what exactly is the legality of spoofing the page directly, not explicitly using it to steal passwords, but just the laws regarding the page design/layout? Perhaps copyright or trademark infringement, I suppose.

    I have too many young friends who hand out their passwords to spoofed pages on a regular basis, so many that I remove them from my “friends” if their bulletins start posting spam.

    I asked that question simply because I pondered writing a page that would take the passwords, log in to myspace with them, then change that user's password to something random. Then tell them the damage done, and lesson learned. If they provided myspace with a proper contact email, the situation could be fixed with a simple “forgot my password” click and they are back in. A minor nuisance to those few. And hopefully a lesson learned to prevent the nuisance from spreading to people who get bulletins about the latest xxx website.

  • http://myspace delma

    I was trying to find my daughter's new passcode for myspace. She has several accounts and I need to find out her whereabouts and the things she’s doing. I was wondering if someone could hack it for me. I don’t know if this is going to cost, but I will do anything to try to get it. Her name is REMOVED, and she goes by different names, REMOVED, REMOVED, I believe her email is REMOVED, REMOVED, or she may go by just any name at this time.
    I need to know will you contact me asap. Thank you.

    Administrator note: I am unsure if the above comment should be deleted for providing private information, and on a minor at that (putting her at risk), or should be kept here so that one day she can know her mother’s silliness. What really bothers me is that we can’t tell if this is really her mother or some stalker. Hmmm, yes, I will “censor”!