Analyzing 20,000 MySpace Passwords

In a day where browsers are coming out with anti-phishing tactics, I can’t believe how many people still fall for phishing. It’s all over the news, and most email clients display warnings. I still get those letters from Nigeria saying they need my help transferring millions of dollars out of the country. If nobody was falling for that they wouldn’t be doing that, I’m sure.

So when I got an email from “Admin@MySpace.com” I kind of chuckled. It was the usual scam trying to get me to log in to their fake MySpace login page. I of course entered bogus login details that I don’t have and won’t ever have. Then I went to the root directory the script was in. Sure enough, it was all indexed: 20,000 emails and the passwords to go along with them, sitting in a plain text file. I downloaded it, looked through it for a bit, and started parsing it with .NET and PHP.

The results of the parsing were rather interesting. Some passwords were terrible, and others were decent. A lot of them are simply “password”. An odd number of them also contain the word “poop”. It only goes to show how childish these people are. We’ll start with the most popular email hosts.

Yahoo, Hotmail, AOL. No surprise there really. I’m surprised AIM didn’t take a bigger piece of the pie. If you’re wondering why it doesn’t add up, it’s because there are a lot of random ones with 10-20 that were a waste to include. Next we’ll take a look at how long each person’s password is. Most of them are fairly decent to my surprise, at an average character length of 7 chars.

Character length means little if your passwords don’t have upper and lower case letters. Most of the passwords were all lower case.

There is still hope left for their passwords though, and that is if they added any numbers and/or special characters. Amazingly, most people actually did.

Next I tested all the passwords for password strength. I used a simple PHP script. It used a four-point scale. You get one point for having a lower case letter, one point for an upper case letter, one for a symbol, and one for a number. All of the email/bank passwords I use are a four on this scale. All of my forum and useless passwords are a three. I think it’s a pretty good simple test to get how secure these passwords are.

PHP code I used:

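function CheckPasswordStrength($password) {
    // One point per character class present: lower case, upper case, digit, symbol.
    $strength = 0;
    $patterns = array('#[a-z]#', '#[A-Z]#', '#[0-9]#', '/[¬!"£$%^&*()`{}\[\]:@~;\'#<>?,.\/\\-=_+\|]/');
    foreach ($patterns as $pattern) {
        // preg_match returns 1 when the class occurs at least once.
        if (preg_match($pattern, $password, $matches)) {
            $strength++;
        }
    }
    return $strength; // 0 to 4
}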

Most common passwords used:

13 – cookie123
12 – iloveyou
12 – password
11 – abc123
11 – fuckyou
11 – miss4you
9 – password19
9 – clumsy
8 – sassy
8 – summer06
8 – pablobob
8 – boobie
8 – fuckyou1
8 – iloveyou1
8 – tink69
8 – password1
7 – gospel
7 – terrete
7 – monster7
7 – marlboro1
7 – bitch1
7 – flower
7 – space
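
An added example (not the author's script), written in Python rather than PHP: it re-applies the four-point scale to a password list, adds a rough brute-force search-space estimate, and flags passwords from the common list above that still score two or more. The alphabet sizes, the simplified symbol class (any non-alphanumeric character) and the sample list are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# The four classes of the scale; "symbol" is simplified to any non-alphanumeric.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Rough alphabet size per class for the search-space estimate (assumption).
ALPHABET = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
# Blocklist built from a few entries of the "most common passwords" list above.
COMMON = {"cookie123", "iloveyou", "password", "abc123", "password1", "summer06"}


def audit(password, blocklist=COMMON):
    """Return the four-point score, estimated brute-force bits, and blocklist hit."""
    used = [name for name, rx in CLASSES.items() if rx.search(password)]
    alphabet = sum(ALPHABET[name] for name in used)
    bits = len(password) * math.log2(alphabet) if alphabet else 0.0
    return {
        "score": len(used),
        "bits": round(bits, 1),
        "common": password.lower() in blocklist,
    }


def summarize(passwords, blocklist=COMMON):
    """Aggregate the statistics the post reports: scores, lengths, repeats."""
    results = [audit(p, blocklist) for p in passwords]
    return {
        "scores": Counter(r["score"] for r in results),
        "lengths": Counter(len(p) for p in passwords),
        "top": Counter(passwords).most_common(3),
        # Passwords the scale rates 2+ that a dictionary guess finds immediately.
        "scored_ok_but_common": sum(
            1 for r in results if r["score"] >= 2 and r["common"]
        ),
    }


# Constructed sample, not data from the leaked file.
SAMPLE = ["cookie123", "cookie123", "password", "iloveyou", "abc123",
          "Tr7!kq", "summer06", "password1", "qwfpgjl"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, "cookie123" scores two and has a larger estimated search space than the four-class "Tr7!kq", yet it is the entry a password-reuse or dictionary check should reject first.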

Summary:

While the passwords weren’t the best, they weren’t exactly terrible. I consider strength two fine for a MySpace account. It’s a basic password usually with upper or lower case and a number or symbol. Only 19% of the people had strength one, and for MySpace users’ track record for being computer illiterate, I don’t consider that bad. 46% of their passwords were seven digits, which is fairly long and would take a while to brute force. Combined with a captcha for invalid passwords, there’s no way it would be cracked. The biggest email hosts were Yahoo, Hotmail, and then AOL. I’m kind of surprised at that. Would have thought Hotmail would have won out. If anyone would like some more tests done, feel free to contact me.