Some Perlmonks password statistics

masak on 2009-07-29T19:00:50

PerlMonks has been hacked, and someone (or more likely a group of people) will perhaps feel the requisite brand of shame over the fact that a lot of people's passwords were leaked, because they were stored in clear text. Not only does that constitute a poor technological solution, it's also putting other people's entrusted private information, and parts of their digital identity, at risk. With people's privacy comes great responsibility.

Anyway, I took the leaked passwords and ran them through a script to get a bit of statistics on the different types of passwords used by a representative slice of the Perlmonks users:

total                 567  (100.00%)
  alphanumerics-only  517  ( 91.18%)
    digits-only         9  (  1.59%)
    letters-only      233  ( 41.09%)
    letters&u-score     2  (  0.35%)
    letters&digits    277  ( 48.85%)
      letters&1digit  103  ( 18.17%)
      letters&2digits  89  ( 15.70%)
      letters&3digits  39  (  6.88%)
      letters&4digits  36  (  6.35%)
      letters&5digits   9  (  1.59%)
      letters&6digits   1  (  0.18%)
  with non-alnums      50  (  8.82%)
    1 non-alnum        34  (  6.00%)
    2 non-alnums       14  (  2.47%)
    3 non-alnums        2  (  0.35%)

Here's the source code, a simple Perl 6 script. The source data is easy to find, but I'm not going to link to it.


What would interest me more...

bart on 2009-07-29T20:15:30

How many people used a recognizable word, or a name, or a word plus one or more digits; and how many used an (apparently) randomly generated password?

Re:What would interest me more...

Ovid on 2009-07-29T21:17:10

The problem is a bit worse than what the data implies. I won't speak for others, but quite some time ago, I received some email implying that someone was trying to get my password. Since I had been bad and reused a password, I immediately changed mine to a unique password. Now, I have a different password management system whereby I have unique, very hard to guess passwords for most critical sites.

In the case of Perlmonks, I switched mine to pineappl. I really didn't care if that account got hacked and I deliberately chose an easy-to-remember password (why that one would be easy for me to remember for that site is something no one would guess :). However, you'll note that I left off the final 'e' in that word. That's because apparently, passwords are limited to eight characters! That makes hacking passwords much easier.

I also note in reviewing people's passwords that many people have chosen passwords for, um, curious reasons.

Elegant Perl 6

moritz on 2009-07-30T09:20:43

I'd like to draw some attention to the analyzing script.

Please notice how masak uses regexes and junctions of regexes as matchers, and doesn't need to distinguish them where he uses them.

Also note that the use of the cross operator 'X' means that he has to use only one loop (instead of two nested loops).

I really like that code. And I can't think of any Perl 6 feature (at least not off the top of my head) that would make that code even nicer, but is not yet implemented in Rakudo.

Re:Elegant Perl 6

slanning on 2009-07-30T20:04:26

My reaction at seeing that code was something like horror - like seeing someone whose lips, nose, and eyelids have been cut off. Like you're talking to someone, and all you can think of is their bones underneath that will be left when they've died and rotted away. Surely that's not Perl. Surely!

Will that feeling ever go away? :) I want it to seem awesome, too.

Re:Elegant Perl 6

masak on 2009-07-30T21:31:10

Um, I don't recall having such a reaction when reading Perl 6 code. But OTOH I learned it through the Apocalypses, so I only saw small pieces of it at a time.

My advice to you is to write something in Perl 6 yourself, and then come back and report whether the feeling seems to subside, or at least lessen somewhat.

Intersection of PerlMonk and CPAN Credentials

mfollett on 2009-07-30T15:59:19

Just out of curiosity, is anyone with the list of passwords testing it against CPAN authors with the same or similar username or registered email address to make sure the passwords get changed? It seems like it'd be a good idea to regenerate the passwords or lock the accounts of people who don't change their password and have it published. Or, maybe someone should track their updates until they do.

Re:Intersection of PerlMonk and CPAN Credentials

ivanwills on 2009-07-30T20:12:59

I believe that they are emailing CPAN authors.

http://www.dagolden.com/index.php/358/perl-whipupitude-to-the-rescue/

(Luckily for me, the last time I used PerlMonks I had forgotten my password, so my password was set to the default from the forgotten-password email, but I still think I will go and change many of my passwords.)

Re:Intersection of PerlMonk and CPAN Credentials

jrockway on 2009-07-30T23:56:28

I tested the first few passwords that had @cpan.org email addresses. All of the people at the beginning of the list used their perlmonks password as their PAUSE password. After about three of these, I got depressed and stopped.

Re:Intersection of PerlMonk and CPAN Credentials

ysth on 2009-08-02T19:26:29

"the same or similar" is a hard test.

Work is being done to try to identify any reused passwords (not limited to the published ones).

Good passwords?

jrockway on 2009-07-30T23:58:31

Who uses their good password for a discussion site, though? I can see if this was a list of online bank passwords how it'd be valuable, but honestly, if I could use a blank string as a password for these sites, I would. Who cares if someone posts a message "as me"?

I liked Larry's password the best, ">=6chars". (Presumably in response to a message like, "your password must be greater than or equal to 6 chars". Brilliant!)

Fail(!)

Sidhekin on 2009-07-31T06:44:08

Your script fails(!) to correctly analyze my old password (and at least one more), because it fails(!) to recognize whitespace. ;-)

At least two passwords contained embedded whitespace. How many contained leading or trailing whitespace? IIRC, the source data was not formatted in a way that even preserved those, so who knows? :)

Re:Fail(!)

masak on 2009-07-31T06:57:59

You're completely right, I didn't take that into account. Nor do I see a way to do so, given the source data.

Who cares?

wolfger on 2009-07-31T14:16:19

What significance is the strength of a compromised password? A password of "password" is no weaker than a password of "1a$3f&_j2^" if hackers compromise the system. Especially when the passwords are stored in plain text (WTF?)

Re:Who cares?

masak on 2009-07-31T15:16:28

I thought it would be interesting to do some analysis on the leaked passwords, that's all. We all have a pretty good idea of what makes for a strong password, and this was a chance to see how strong the passwords of some of the more high-profile Perl users out there were. In that sense, the strength of compromised passwords is significant, because it gives us an unusual insight.

I don't think I explained that clearly in the blog post. This was my way of generating a marginally useful blog post out of a negative-publicity event. It was also an excuse to write a Perl 6 script.