Hackers use weak passwords (avast.com)
35 points by Terretta on June 10, 2014 | hide | past | favorite | 21 comments


Hackers use strong passwords on things they want to protect. No need for a strong password on some public site with unimportant data. Even more so: if those third-party sites get compromised, your main security focus is not compromised.


I thought this as well. "My virus needs to log into my IRC channel" is most likely a weak password situation. If someone is analyzing the binary code of this virus, the game is over anyway. No matter how strong your password is, the program needs to be able to decrypt it to use it, and so it might as well be plaintext and weak.


You might be surprised that they often not only use a weak password in that case, but also use a weak password for their IRC sysop account. And in some cases it is the exact same password. :)


As another datapoint, I have a weak password for sites that I wouldn't care at all if they were compromised. For everything remotely important I use a separate random password at the max length allowed.


Another datapoint: my computer is just as good at remembering strong passwords as it is at remembering weak ones, so I use strong ones almost everywhere. My weakest password is the one that opens my keychain, but that one never leaves my computers (at least, I trust it doesn't. That probably is the weakest part of my password management).


Yeah, clearly the message here is: hackers understand that passwords are mostly useless security features if you don't trust the site you're using them on. Better to make them easier to put in than use something high security and have it compromised. Using your bank password on, say, GitHub, is a bad idea.


I would like to see LastPass et al. add this to their interface: auto-detect max length, allowed characters, etc. It would be for user convenience, but they could even phone those characteristics home and start shaming services that employ poor practices.


They already do something like that. (Tools -> Security Check)


Same here. Any account I don't care about has a password that can be easily typed using only my left hand. Everything else has a large randomized password that I don't even know.


Hackers who use a password manager use strong passwords for all sites. Why bother with weak passwords if strong passwords are the default?

(The main issue with using a password manager is that most sites don't support your strong passwords, i.e., you have entered a 50-character password but they still insist on a capital letter or a number …)
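The complaint above (a long random password rejected because the site still wants a capital letter or a digit) and the earlier wish for password managers to detect a site's maximum length and allowed characters both come down to the same small problem: generate a uniformly random password that fits a stated policy. The following is an added example, not code from the thread or from any password manager; the policy format and the `EXAMPLE_POLICY` values are assumptions constructed for illustration, since real sites rarely publish their rules in machine-readable form.

```python
"""Generate a random password that fits a site's stated composition rules.

Added example, not code from the thread or from any password manager.
The policy format (max length, allowed alphabet, required character
classes) is an assumption constructed for this example.
"""
import math
import secrets
import string

# Constructed policy of the kind the comment above describes:
# up to 50 characters, but a capital letter and a digit are still required.
EXAMPLE_POLICY = {
    "max_length": 50,
    "alphabet": string.ascii_letters + string.digits + "!@#$%^&*-_",
    "required_classes": [string.ascii_uppercase, string.digits],
}


def entropy_bits(length, alphabet_size):
    """Entropy (in bits) of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def satisfies(password, policy):
    """Check an existing password against the policy without generating anything."""
    if len(password) > policy["max_length"]:
        return False
    if any(ch not in policy["alphabet"] for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in policy["required_classes"])


def generate_password(policy, length=None, rng=secrets):
    """Return a uniformly random password of the given (default: maximum)
    length that meets every required character class.

    Rejection sampling keeps the distribution uniform over all compliant
    strings; 'pick one from each class, fill the rest, shuffle' would skew
    the result toward the required classes and slightly reduce entropy.
    """
    length = policy["max_length"] if length is None else length
    if length > policy["max_length"]:
        raise ValueError("requested length exceeds site maximum")
    if length < len(policy["required_classes"]):
        raise ValueError("too short to satisfy every required class")
    alphabet = policy["alphabet"]
    if any(not (set(cls) & set(alphabet)) for cls in policy["required_classes"]):
        raise ValueError("a required class has no characters in the allowed alphabet")
    while True:
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if satisfies(candidate, policy):
            return candidate


if __name__ == "__main__":
    pw = generate_password(EXAMPLE_POLICY)
    print(pw)
    bits = entropy_bits(len(pw), len(EXAMPLE_POLICY["alphabet"]))
    print(f"{bits:.1f} bits of entropy")
```

Because the generator draws from the full alphabet and rejects non-compliant candidates, the "capital letter and digit" rule costs almost nothing in entropy at 50 characters; the site's length cap is what actually bounds the strength, which is why `entropy_bits` is computed from the cap rather than from the rule list.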


>I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes

If a significant fraction of his sample is "hashes he could easily crack", isn't that a biased sample? Because it seems likely that the longer, properly hashed passwords are more likely to be the stronger ones...


Well, he's saying that he has a sample of 40k hackers' passwords stored up somewhere, and between them there are 2000 unique strings, ~1200 of which were in plain text and didn't need to be cracked at all. So if this sample of 40k hacker passwords is a random sampling, then essentially he has a random unbiased sample of 1200 unique passwords, plus a biased set of 300 more.

He's not super clear about where the 40k passwords came from, so they may be a random sample, but it's quite possible that it's just a sampling of bad hackers - he mentions that he has gathered many examples of bots and shells and such, so you can imagine that he's looking at a sampling of 1. hackers whose bots store their passwords in such a way that he can reverse-engineer where they are stored and 2. hackers who store their passwords in plain-text.

That said, if he has 40,000 passwords that boil down to 2000 unique strings, of which only ~400-500 are either good passwords stored in plaintext or not easily crackable, then that means about 35,000 out of the 40,000 passwords he captured were easily guessable (I'm assuming here that there were no duplicates in the "good" password set), which is about 87.5% of his sample.


>it's quite possible that it's just a sampling of bad hackers - he mentions that he has gathered many examples of bots and shells and such, so you can imagine that he's looking at a sampling of 1. hackers whose bots store their passwords in such a way that he can reverse-engineer where they are stored and 2. hackers who store their passwords in plain-text.

Yes, that's basically my point. The set of hackers who use strong passwords and the set of hackers who don't protect those passwords well in their bots/viruses/whatever probably don't have a lot of overlap.

Also, it sounds like he couldn't crack (and thus couldn't include in the sample) some of the hashed passwords. Passwords that he can't crack or brute-force reasonably are probably strong passwords. Not having those passwords biases the sample. It's like doing a standardized test when all the honors classes are on a field trip: by removing the top end, you downward-bias the sample and make the overall sample look worse.


I agree that the 40k sample is probably biased, but if you assume it's not actually biased, your second point doesn't hold, because the ones he couldn't crack are presumptively strong. So, adding in the ones that he knows are strong because he found them in some plaintext form, that leaves about 500 passwords out of 40k that he couldn't find. If anything, the uncracked passwords bias you towards thinking their passwords are stronger, since it's possible that some of them are just weak passwords stored in some non-standard way, or there's a salt included in the program that he missed, or something.


It's hard to take this seriously without mention by the OP of whether the weakness of the passwords was affected by the ephemerality of the use cases here. For example, I use pretty weak passwords to sign up for throwaway services or to try out startups that force you to do a nominal login... because I'm not going through the work of creating a "real" password for such one-time use cases. Are the revealed passwords discussed by the OP for utilities that are meant to be throwaway?


_Crackers_ use weak passwords on shells and such for machines they are actively exploiting. Pretty different in more than one respect.


Or more verbosely:

Hackers that know what they are doing and care about that particular account use good password policies.

Hackers that don't know any better (perhaps I should use "people who claim to be hackers" to define this subset) or really don't care about that particular account use bad passwords.

Just like the rest of us.


I'm wondering how a sample of various back-doors, bots and shells is the equivalent of hackers' passwords. More like malware creators' passwords to me.

Then again, the use case of these passwords doesn't really call for secure passwords, so is it really surprising that they're not overly secure?

I find this article poorly worded and misleading, telling readers "Hackers use weak passwords just like the rest of us." when it's not about hackers and is not about using weak passwords like the rest of the world, unless the rest of the world suddenly starts coding malware. Using passw0rd as an easy-to-remember backdoor password is not the same as using "passw0rd" to access your bank account from the web.


Cyber crime is a major source of income for these guys. It's not unlike having a bad password on your bank account.

Also, malware is often configured by the operator. If badguy1337 uses someone else's IRC bot code, they are likely to change the password themselves. Same for Poison Ivy, China Chopper, and every other publicly available backdoor/shell.


Keep in mind this seems to be an analysis directed more towards script kiddies, based on the kind of files they were looking at.


Realistically, once you realize just how easy it is to actually get around passwords and such, you tend to go with something good enough to keep the rabble out and easy to remember. For example, my local Windows password is a bit of a joke, because it's so absurdly easy to get into a Windows machine and do whatever the hell you want. Even easier if you don't care about getting found out. And I am much more concerned with someone getting my Facebook or Netflix password through social engineering than an actual "hack" anyway.

