Monday, June 13, 2011

Another password dump from a big site

I saw in the news this morning that LulzSec had posted online about 26,000 passwords from a few porn sites. Article here.

We have seen large dumps of passwords from sites before, and I've blogged about password audits that I've done (with permission) to gauge the effectiveness of a password policy change. What we've seen is pretty much the same thing in every dump: thousands of crappy passwords, very low use of multiple character sets, short passwords, etc.

But I have noticed that in all of these password dumps (except mine) we don't get any data about how many passwords were not breakable. How likely is it that we're only seeing the passwords that fall to a dictionary attack? I guess I wonder if we're dragging the bottom of the ocean and concluding that the ocean is made up entirely of muck.
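To make that selection bias concrete, here is an added example (not code from the original post or from any audit it mentions). It takes a constructed list of plaintext passwords, hashes them with unsalted MD5 (the scheme most 2011-era dumps used), runs a small dictionary attack with a handful of mangling rules, and then computes the usual audit statistics (mean length, share of passwords using two or more character classes) twice: once over the cracked passwords only, which is all a public dump analysis ever sees, and once over the full set. The sample passwords, wordlist and rules are all made up for illustration.

```python
"""Password-audit survivorship demo: stats over cracked passwords vs. all passwords."""
import hashlib
import string

# Constructed sample of what a site might have stored, NOT data from any real dump.
SAMPLE_PASSWORDS = [
    "password", "123456", "Password1", "qwerty99", "letmein", "monkey12",
    "dragon", "iloveyou",                      # weak: fall to wordlist + rules
    "Tr0ub4dor&3", "correct horse battery",    # not in wordlist: survive the attack
    "7Hx!qR2mLp", "blue-Kettle-42",
]

# Tiny constructed wordlist; a real audit would use rockyou-sized lists.
WORDLIST = ["password", "123456", "qwerty", "letmein", "monkey", "dragon", "iloveyou"]


def md5_hex(s: str) -> str:
    """Unsalted MD5, the (weak) storage format common in 2011 dumps."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield candidate passwords from one wordlist entry using a few common rules."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "!"
        for n in range(100):          # append one- or two-digit suffix
            yield f"{base}{n}"


def dictionary_attack(hashes, wordlist):
    """Return {hash: plaintext} for every hash recovered by wordlist + rules."""
    targets = set(hashes)
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = md5_hex(candidate)
            if h in targets:
                cracked[h] = candidate
    return cracked


def charsets(pw: str) -> int:
    """Count how many character classes (lower, upper, digit, punctuation) appear."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(1 for cls in classes if any(c in cls for c in pw))


def summarize(passwords):
    """Audit statistics over a list of plaintexts; empty input yields zeros."""
    n = len(passwords)
    if n == 0:
        return {"count": 0, "mean_len": 0.0, "multi_charset_frac": 0.0}
    return {
        "count": n,
        "mean_len": sum(len(p) for p in passwords) / n,
        "multi_charset_frac": sum(1 for p in passwords if charsets(p) >= 2) / n,
    }


def audit(plaintexts, wordlist):
    """Hash the set, crack what falls to the dictionary, report both views."""
    hashes = [md5_hex(p) for p in plaintexts]
    cracked = dictionary_attack(hashes, wordlist)
    return {
        "total": len(hashes),
        "cracked": len(cracked),
        # What a dump analysis sees: only the passwords that fell to the attack.
        "cracked_view": summarize(list(cracked.values())),
        # What an audit with the plaintexts (or the full crack rate) can report.
        "full_view": summarize(plaintexts),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_PASSWORDS, WORDLIST)
    print(f"cracked {result['cracked']} of {result['total']}")
    print("cracked-only view:", result["cracked_view"])
    print("full-set view:    ", result["full_view"])
```

The cracked-only view reports shorter passwords and less character-set diversity than the full set does, purely because the attack selects for exactly those properties. Any audit that publishes length or complexity statistics should publish the crack rate (cracked over total hashes) next to them, so readers can tell how much of the population the numbers describe.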
