Note. Please don’t take the results below too seriously. We’re just trying to put a bit of fun into the serious business of choosing passwords, and we’re ending with a touch of optimism about our changing attitudes to security.
Yesterday, we wrote about the breach of Forbes’s 1,000,000-strong user database by the Syrian Electronic Army.
The purpose of that article was threefold:
- To report the news of the breach (sadly, one of many recently), as a reminder that security is important.
- To quantify the risk of what was stolen, because Forbes failed to do so in its own notification.
- To end with a spot of praise for the beleaguered Forbes for storing its passwords satisfactorily, if not actually quite as well-hashed as we’d have liked.
After many public password disclosures, there’s often a good-humoured race amongst security professionals to see who can crack the most passwords the fastest, or who can find the most obscure and amusing passwords from the database.
But, as we explained in yesterday’s article, Forbes was using PHPass Portable hashes, which means that there is a loop of 8193 MD5 hash calculations for each password check.
That’s still quick enough to check a single password efficiently (for example, when a user logs in) but slow enough that an attacker can’t try millions, let alone billions, of guesses per second against the stolen hashes.
The hash-cracking race
So, if you’re wondering why you haven’t seen an extensive password list computed from the Forbes Hack yet: it’s because of the iterations in the hashing process.
What would take you an hour against password data hashed once with MD5 will take you over 8000 hours, or roughly from New Year to Thanksgiving, using Forbes’s approach.
Sadly though, that doesn’t mean that everyone is safe.
If you’ve chosen unwisely, your password may nevertheless quickly be guessable by hackers.
Yesterday, for instance, we extracted data for just over 500 forbes.com staffers from the 1,000,000 records leaked by the SEA.
Then we had a go at their passwords, and within an hour we had recovered close to a quarter of them:
What else can we tell from the data?
A comprehensive crack of all 1,000,000 passwords is out of the question, thanks to the 8193-iteration MD5 loop.
So we decided instead to concentrate on users with known-bad passwords.
Looking through the password data shows that each record has a timestamp, with the first record stamped in 2009, and the last record stamped in February 2014, just before the breach.
Since the earliest records all have forbes.com addresses, and start with an account called “admin”, it’s reasonable to assume those timestamps show the time each account was created, rather than the time it was most recently used.
That suggests the question, “Is there a difference in password quality from 2009 to 2014?”
Put another way, “Have we learned anything about passwords in the past five years?”
Another possible question is whether there is a difference in password quality between users of different email services.
A count of the email domains seen in the database shows that the Big Four email domains are pretty much as you would expect:
- gmail.com: 413,978 (39%)
- yahoo.com: 184,665 (17%)
- hotmail.com: 88,059 (8%)
- aol.com: 25,633 (2%)
That suggests a second question, “Which service had the most passwords exposed?”
Put another way, “Which email users are the smartest about passwords?”
What we measured
We extracted eight files of password hashes to crack, as follows:
- FG10K: First 10K Forbes accounts for Gmail users
- FY10K: First 10K Forbes accounts for Yahoo users
- FH10K: First 10K Forbes accounts for Hotmail users
- FA10K: First 10K Forbes accounts for AOL users
- LG10K: Last 10K Forbes accounts for Gmail users
- LY10K: Last 10K Forbes accounts for Yahoo users
- LH10K: Last 10K Forbes accounts for Hotmail users
- LA10K: Last 10K Forbes accounts for AOL users
For a representative list of commonly-used bad passwords, we used the Top Hundred list from the recent Adobe breach, with six Adobe-specific passwords (e.g. adobe1, adobeadobe) altered to suit Forbes (e.g. forbes1, forbesforbes).
Then we cracked each of the sets of 10,000 hashes against our Top Hundred list, which took only a few minutes with multiple processors on the job, despite the PHPass-based hash-stretching.
It was hot work for a summer’s day, as the following htop graph of CPU usage shows:
Which email service has the smartest users?
Before you read any further, why not give way to your own prejudices about users of the various webmail services?
Close your eyes and guess what order they finished in.
Then take a look and see if you were correct.
For the first 10,000 Forbes users listed in the database for each email service, dating roughly from 2009-2012:
AOL users chose most wisely, and Gmail users were the most reckless! (Admit it: you didn’t expect that, did you?)
Here are the top six passwords the reckless users of each email service chose, with the traditional culprits password and 123456 making every list:
For the last 10,000 Forbes users listed in the database for each email service, dating roughly from 2013-2014:
Yahoo users are now the safest. (You didn’t expect that either, did you?)
Here are the passwords chosen by the more recent users.
Don’t be too encouraged that 123456 has fallen off two of the lists: careless AOL and Hotmail users seem to have replaced it with 123456789 and 987654321 instead, which doesn’t improve their security at all:
How well have we aged?
The great news from the figures above is this: Forbes users who signed up more recently seem to have chosen their passwords more wisely.
Here’s the approximate likelihood that more recent Forbes joiners will choose a Top Hundred password, compared to those who joined in 2012 or earlier:
- Yahoo users: 11x less likely
- Gmail users: 9x less likely
- Hotmail users: 5x less likely
- AOL users: 2x less likely
Of course, we shouldn’t really say that recent joiners have chosen more wisely, since the hashing slowdown enforced by Forbes means that we’ve only had time to crack obvious passwords.
But we can say that they seem to have chosen less badly.
That’s not quite the same thing, but it’s jolly good news nevertheless.
It strongly suggests that you can change people’s security attitudes for the better! (Admit it: you didn’t expect that, did you?)
For further information
For additional thought-provoking content about passwords, you might like:
- Our Techknow podcast Busting Password Myths
- Our Serious Security article How to store your users’ passwords safely
Don’t forget — Yahoo just had a HUGE security breach and forced all their users to change their passwords.
This isn’t surprising to me. AOL rarely asks users to change their password. But, if you log in from your mobile phone and it registers to a strange location there is a chance that yahoo will say that they detected suspicious activity and force you to change it. Also, I’ve noticed when they do force you to change it, they make you pick a somewhat secure password with one capital and one number. Because they have changed their rules and security over time, the stats have changed as well.
I see there aren’t any upper-case characters in the Top Hundred List. .. Does that mean that those users didn’t include any upper-case characters, or did the password program automatically store them all as lower-case?
…. I suspect that it is still a good idea to mix the case, and include numbers and a few other characters such as &@#$%_ , as long as the resulting password means something to you!
Errr, IIRC, it means there aren’t any upper case characters in the list. it just occurred to me that since the Adobe passwords were reverse engineered from the users’ hints, there might be some case errors in there. (If people said, “My password is the hottest season,” they might have meant “Summer” and not “summer” – but [a] that’s probably not the case and [b] the results stand anyway. As I said, this is more for illuminative fun than as a scientific study 🙂
Mixing up bigs, smalls, digits and wackies (punctuation), and going for a decent length, say 14 characters, keeps you at the “hard” end of the cracking curve…so you are right, DO IT!
May I suggest censoring the expletives on the password list?
You must have looked pretty carefully to find it! BTW, I found only “an expletive,” not “expletives”. Did I miss one?
Because only governments can censor, and because I’m not preventing you seeing it as though it weren’t there, I’m not calling it “censorship.” I familyfriendlified it for you 🙂
However, the presence of that password in the Top Hundred does say something about the love-hate relationship between users and their computers. (Remember that when users choose and then type in a password of “f–kyou,” they’re saying “f–k the computer or the account I am logging into,” rather than “f–k you, the reader of the article.”)
Perhaps the ‘change’ in the smartest users of the respective emails is in line with the years in which password breaches occurred for those email service providers.
Eg.
http://nakedsecurity.sophos.com/2014/01/31/yahoo-prompts-password-reset-after-mass-attack-on-email-service/
http://www.theguardian.com/technology/2009/oct/06/hotmail-phishing
Kinda tallies with hotmail being in 2nd place from year 2009 – 2012, while yahoo being 1st from year 2013 – 2014 =)
More importantly, what’s the odds that the 7 people who still use AOL would be included in this?
You can write them off…but there are plenty of them there in the Forbes data. The numbers may have dwindled but AOL was still the fourth most prevalent email domain in the breached list.
“The great news from the figures above is this: Forbes users who signed up more recently seem to have chosen their passwords more wisely.”
Is this because of users becoming wiser with their passwords or more stringent password requirements?
Unfortunately, I don’t think you’ve got your stats correct. I don’t know what *is* the right way to do it, but you need to account for the number of users of different email providers in the adobe data.
If there are more Gmail passwords than AOL from Adobe going into the cracking attempt, it makes sense you get more out the other end. 🙂
Still, it’s all a bit of fun and doesn’t really matter!
It’s good to know that people are choosing a *little* more wisely these days.
See the section subtitled “What we measured.”
I stripped out all the aol.com records (25,633 of them), then took the first 10,000 and the last 10,000 by timestamp. Then I did this to get the first and last 10,000 records with yahoo.com, hotmail.com and gmail.com addresses as well. That gave me eight password hash files to crack.
So in each of the eight cracking attempts, I had 10,000 hashes cracked against (the same) 100 passwords.
I chose two tranches of 10,000 for each email provider because:
* There were at least 20,000 records for each provider, so no overlap.
* The cracking time wasn’t excessive, but the sample size felt big enough.
* It’s really easy to compute percentages in your head when the denominator is 10,000 🙂
One thing not brought up – what are the risks of losing a “Forbes” password if it is not used anywhere else (Likelihood * Impact)?
Seems like the user made a moderate choice in “Forbes1”. Someone steals the password, they get to read Forbes articles for free….. High likelihood, low impact, low risk. What are your thoughts?
I hear you. But most accounts of this sort also let you post comments, and generally make some sort of public reflection of who you are and what you think.
So my own opinion is that even though you can probably convince yourself the risk is lower, it isn’t zero, and if it’s an account you don’t use a lot, you are less likely to notice if it gets pwned.
Considering the extent to which we hear that employers, law enforcement and so forth use your public presence on the internet to make inferences about your trustworthiness….why take the chance?
It’s like a seat belt. You may as well wear it every time you get in the car, whether you plan to drive to Timbuktu or to the local shops.
Any chance you can crunch out when the password was last changed? Wonder just how “old” some of those passwords really are.
I’ve been trying to get into the Forbes site to change my password but keep getting messages that Safari can’t connect. Any suggestions about how to make the needed changes when this keeps happening?
I know these are the easiest to crack, but it still surprises me how reckless people are in choosing passwords. I use the password generator included in my PasswordBox software when I’m creating a new account or updating an old pw, so no excuses for using 123456 anymore.
Any smart user would use a junk password for something like a Forbes password. The bad security people would reuse their strong email and banking passwords, not realizing it is likely to be hacked from one of the websites they create an account for.
In general, using a weak password for non-important accounts like this is a good security practice in my opinion.
Hmm. Only found out about breach of my Forbes account after being spammed on unique email address. I’d used a shared low-security password, which isn’t in word lists and which I use for too many blogs to remember (an OpenID provider I could trust might be good). Nevertheless, I’ve changed password on some other services. Obviously one of the worst things to do is reuse the same password on a website as you use for the associated email account.
I was only mildly surprised by Gmail users not being tech-savvy like the Google image. Given a 39% market share, it’s probably used by more newbies and casual accounts. What does surprise me is the apparent overall behavioural change, from 2% in top 100 in 2007, to 0.2%. Is it not possible that the mass of accounts from 2013 were from spammers or black hat SEO using unlisted or random passwords?
BTW Isn’t it most efficient to hash the 100-word list for each of the 64 possible salt values?