A brief analysis of 40,000 leaked MySpace passwords

Programming stuff

Thursday, November 1. 2007

Posted by sp in Misc

Comments (21)
Trackbacks (0)

148420 hits

A brief analysis of 40,000 leaked MySpace passwords

Over the last days some group released passwords to nearly 45000 MySpace accounts and they announced to release another 30000 passwords in the next few days. I used a few hours before Saturday's lunch to write a small program that analyzes the passwords that were released so far.

At worst the results of this are a useless time-filler, at best it's a case study of what happens if a website forces their users to choose passwords with certain minimum requirements. MySpace demands that every password contains at least one non-alphabetical character (like 0, 1, 2, or !, ?, @). How the users adhered to this requirement can be seen in the tables below.

It is my understanding that the 43713 passwords that were leaked so far come from fishing sites that trapped people to enter their password. This makes the passwords less reliable than a password list hacked straight from the MySpace servers. People could have misspelled their MySpace passwords or they could have entered fake information after they noticed that someone was trying to steal their password. A quick analysis has shown that probably less than 1% of the leaked passwords suffer from these problems.

Let's start with a the Top 10 passwords that can be found in the leaked password list. Password1 being the most popular password is no surprise. Password itself is a very popular password and the MySpace password requirements force people to enter at least one non-alphabetical character. Adding a single 1 at the end of the password seems to be the most popular choice as seen in a later table.

Position	Password	Quantity
1	password1	99
2	iloveyou1	52
3	abc123	47
4	myspace1	39
5	fuckyou1	31
6	summer07	29
7	iloveyou2	28
8	qwerty1	26
9	football1	25
10	123abc	22

The length distribution of the passwords is as follows.

Position	Length	Quantity
1	8	10503
2	7	10161
3	9	8153
4	10	6823
5	6	6318
6	11	1028
7	12	358
8	13	141
9	14	61
10	5	59

The longest passwords were the 32 characters long "dawn2222222222222222222222222222", followed by the 29 characters long "jim33333333333333333333333333", and the 27 characters long "jim333333333333333333333333". A honorable mention goes to the 18 character password "masonÃ¢™Â¥14". I used this SourceForge project to evaluate the strengths of the passwords. It is not a very good program, so the results are not too useful. Basically the program produces a percentage value of how secure it believes a password is but the methods it uses to find this number are questionable. 100% is the best possible value.

Position	Strength	Quantity
1	60	20393
2	50	15477
3	40	4033
4	30	2611
5	70	450
6	80	431
7	20	308
8	90	5
9	0	4
10	10	1

Next I analyzed the general formats of the passwords. The column Wordlist gives the number of passwords I could look up in a word list after the non-alphabetical suffixes or prefixes were stripped from the password. It is curious that not a single password was a characters-only password.

Position	Description	Quantity	Example	Wordlist
1	Letters and Digits in any order	38979	12abc3	-
2	Letters followed by Digits or Characters	36763	abc123.	20661
3	Letters followed by Digits	33836	abc123	-
4	Letters and Characters in any order	2942	abc!!!xxx	-
5	Digits or Characters followed by Letters	2660	123!abc	1740
6	Digits followes by Letters	2515	123abc	-
7	Letters followed by Characters	2168	abc!!!	-
8	Only Letters	475	abc	-
9	Letters and Digits and Characters in any order	123	abc123!!!	-
10	Characters followed by Letters	84	!!!abc	-
11	Only Digits	60	123	-
12	Only Characters	0	!!!	-

Now we get to the point where we see what the result of the MySpace requirement of at least one non-alphabetical character is. The next table shows the most popular numeric suffixes that are attached to alphabetical passwords in order to pass the MySpace password requirement. Most people simply add a "1" to their password.

Position	Suffix	Quantity
1	1	8694
2	2	1548
3	123	1361
4	12	1008
5	3	911
6	7	744
7	07	661
8	11	627
9	4	552
10	5	533

Numeric prefixes to alphabetical passwords are much less popular. I guess that's because MySpace warns you about their password requirement using a Javascript message box after you've entered your password. At this point most people think "oh come on" and quickly add a "1" at the end of the password.

Position	Prefix	Quantity
1	1	530
2	123	108
3	2	99
4	4	41
5	123456	36
6	3	36
7	12	35
8	5	34
9	7	29
10	12345	23

So what are the most popular passwords after the non-alphabetical suffixes are stripped off?

Position	Password	Quantity
1	password	218
2	iloveyou	179
3	love	129
4	soccer	113
5	myspace	101
6	football	94
7	fuckyou	90
8	a	88
9	hockey	79
10	pink	74

Some people choose to add a character instead of a digit to fulfill the MySpace password requirement. The most popular character suffixes of alphabetical passwords can be seen in the following table. Character prefixes to alphabetical passwords are so rare that I did not create a special table for them. The most popular character prefix is ! with 16 occurrences.

Position	Suffix	Quantity
1	!	1032
2	.	610
3	*	108
4	!!	72
5	?	60
6	;	24
7	..	24
8	!!!	23
9	,	20
10	@	20

Last but not least here's the Top 10 email providers that were used by the users of the leaked passwords. Google's mail service GMail is surprisingly low on the list.

Position	Host	Quantity
1	yahoo.com	12108
2	hotmail.com	12083
3	hotmail.co.uk	5419
4	aol.com	4469
5	aim.com	1854
6	msn.com	1054
7	comcast.net	817
8	sbcglobal.net	695
9	gmail.com	657
10	myspace.com	233

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

good work!

#1 stephan on 2007-11-01 17:45 (Reply)

nice job. can you provide a link to the raw data for others to analyze?

#2 J.C. on 2007-11-29 00:25 (Reply)

No. The potential for abuse is too high.

#2.1 sp on 2007-11-29 13:12 (Reply)

I don't think it's a surprise at all that Gmail users are not that high up. Just compare the constituent demographics. I don't mean any offense to MySpace users or Yahoo or Hotmail, etc. I have an account with most of these services. What I mean is that, generally speaking, Gmail users would be more likely to be on Facebook and MySpace users by their very nature is more likely to be on Hotmail or Yahoo (older, more mainstream). I don't have numbers to support this, but I think it makes sense.

#3 Paul Pick-Aluas on 2008-03-14 08:02 (Reply)

Actually you do have numbers to back your theory now (above). However, I wonder if they're a bit skewed, as a lot of people use their old hotmail and yahoo accounts for spam fodder.

#3.1 Danny on 2008-03-14 22:55 (Reply)

I was about to post almost the same thing but was afraid it'd sound mean...It's not just the age demographic. It has something to do with internet-savvy and what you use the 'net for.

#3.2 Abby on 2008-03-15 00:25 (Reply)

Very interesting, although I've never had a myspace account. Certainly shows how "aware" people are about their privacy and security.

#4 Joe (Homepage) on 2008-03-14 20:47 (Reply)

if they figured out my password i will cancel my account

#5 virginia on 2008-03-15 02:53 (Reply)

A couple of notes:

If the list of passwords indeed are from phising attacks, the email host distribution does not necessarily say anything about the market share of email hosts, or how "internet-savvy" users of different hosts are. Instead, one internet company might be better at identifying and warning users of phising emails than others. (for instance, Gmail might be very good at identifying phishing attempts, which causes gmail users to less often fall into these traps, which causes the gmail rank to drop)

How is it possible that there were 475 passwords with only letters? You mention that myspace require at least one non-alpha character.

Additionally, it is sad to see how common very weak passwords are.. 99 occurences of "password1" means that by just testing different accounts, you've got a 0.2% chance of it having that password. How many such logins can a bot attempt in an hour, I wonder? How many cracked accounts?

#6 Martin on 2008-03-15 12:33 (Reply)

Um... this is ridiculous.

OK, so out of 45,000 passwords... 99 of them were 'password1'. That is statistically insignificant, as are the rest of the 'observations'.

This article makes no mention of proportions and suffers for it. Too bad.

#7 Christian on 2008-03-15 15:13 (Reply)

What do you mean that 99/45000 is insignificant? A sample size of 45000 is quite good.

Let's assume that the real distribution should be for instance 50/45000, and that the extra 49 were just by chance, and doesn't reflect the reality.

A simple chi-square test of significance will then tell you that the probability of seeing 99 such passwords (if it really should be 50) is 0.000000000004. That's pretty damn significant.

Assuming a real probability of 80/45000 gives a probability of seeing 99/45000 of 0.033. That's still less than 5%, and would typically be considered significant.

It's kinda silly to say that something isn't significant when not relating it to an assumed real distribution, but I'm still curious about what real basis you have for saying that 99/45000 isn't significant.

(from the above we can say with really good certainty that for every 45000 myspace users, there will be 50 "password1". We can also say that it's very likely that the number will even be higher than 80.

#7.1 Martin on 2008-03-15 15:41 (Reply)

Out of 45,000 passwords, 99 of them were 'password1'. That is statistically insignificant.

This article makes no mention of proportions and suffers for it. Too bad.

#8 Christian on 2008-03-15 15:16 (Reply)

For the low number of gmail accounts: Gmail-users are pros. Myspace users are noobs. conclusion: gmail users don't use myspace!

#9 Darkstriker on 2008-03-16 22:27 (Reply)

I wouldn't say that G-mail users don't use myspace. As has been mentioned before, a lot of people use their hotmail addresses as spam fodder. So that skews the results.

Also, most of this data has been collected from phishing websites. If we assume that the average gmail user is more technically proficient than the average hotmail user, then more than likely, the gmail user is going to either be able to recognise the phishing site, or have the program to be able to detect it (eg Firefox, IE7), where as the hotmail users are probably using earlier versions of IE which don't have the phishing filter.

Because of this, it does skew the whole data a bit, because it only shows part of the audience, and not the more technically proficient users.

As for the data, I also would've liked to have seen (if possible) a comparison of passwords that use a dictionary based word (eg password1) and a non-password based word (eg J5_83VmN1!B8)

#9.1 Ben C (Homepage) on 2008-03-17 00:34 (Reply)

Letters followed by Digits or Characters
36763 out of 45000

I found that interesting. Most people just have a word followed by a number. So if you know a damn thing about them, start picking words they use to break it.

#10 Digital on 2008-03-16 22:46 (Reply)

The reason gmail is so low is because myspace users are generally to stupid to realise that it is the better email provider. At least 30% must be chavs, another 30% emos, another 30% retarded teens and 10% mildly intelligent people.

#11 Pez (Homepage) on 2008-03-17 00:48 (Reply)

this whole post is worthless, meaningless, undocumented, and most likely fiction

#12 Don on 2008-03-17 01:33 (Reply)

self-reference is funny

#12.1 Volatile on 2008-03-17 17:29 (Reply)

Considering that we have nothing better to work with, and for that matter, that not even a sociologist conducting research could obtain the actual password lists, this is a pretty good attempt. If you don't wish to take part in the discussion, feel free to exclude yourself--quietly.

#12.2 Paul Pick-Aluas on 2008-03-26 21:52 (Reply)

This is very old article, but I doubt about this thing. How do you write that program when the passwords are MD5 hash??? Any proof of this?

#13 Lori Cappozzi (Homepage) on 2009-02-07 12:51 (Reply)

No proof. I think the reason why the passwords were available in plain-text is that they were fished from the individual users, not from the MySpace servers.

#13.1 sp on 2009-02-09 20:39 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. BBCode format allowed
	Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.