use Perl;

masak (6289), http://masak.org/carl

Been programming Perl since 2001. Found Perl 6 somewhere around 2004, and fell in love. Now developing November (a Perl 6 wiki), Druid (a Perl 6 board game), pls (a Perl 6 project installer), GGE (a regex engine), and Yapsi (a Perl 6 implementation). Heavy user of and irregular committer to Rakudo.

Journal of masak (6289)

Wednesday July 29, 2009, 02:00 PM

Some Perlmonks password statistics

[ #39373 ]

PerlMonks has been hacked, and someone (or more likely a group of people) will perhaps feel the requisite brand of shame over the fact that a lot of people's passwords were leaked, because they were stored in clear text. Not only does that constitute a poor technological solution, it's also putting other people's entrusted private information, and parts of their digital identity, at risk. With people's privacy comes great responsibility.

Anyway, I took the leaked passwords and ran them through a script to gather some statistics on the different types of passwords used by a representative slice of the Perlmonks users:

total                 567  (100.00%)
  alphanumerics-only  517  ( 91.18%)
    digits-only         9  (  1.59%)
    letters-only      233  ( 41.09%)
    letters&u-score     2  (  0.35%)
    letters&digits    277  ( 48.85%)
      letters&1digit  103  ( 18.17%)
      letters&2digits  89  ( 15.70%)
      letters&3digits  39  (  6.88%)
      letters&4digits  36  (  6.35%)
      letters&5digits   9  (  1.59%)
      letters&6digits   1  (  0.18%)
  with non-alnums      50  (  8.82%)
    1 non-alnum        34  (  6.00%)
    2 non-alnums       14  (  2.47%)
    3 non-alnums        2  (  0.35%)

Here's the source code, a simple Perl 6 script. The source data is easy to find, but I'm not going to link to it.
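The Perl 6 script itself is not reproduced on this page. What follows is an added Python re-implementation of the same counting scheme, not masak's code, run over constructed sample passwords rather than the leaked list. The row definitions are my reading of the table above: an underscore counts as a word character, as Perl's \w does, which is why "letters&u-score" sits under "alphanumerics-only", and anything outside [A-Za-z0-9_] counts as a non-alphanumeric. Whitespace therefore lands in the "with non-alnums" rows, and the input reader strips only the newline, which covers the leading, trailing and embedded whitespace case raised in the comments below. A row with no counterpart in the table, "other-word-chars" (digits mixed with underscore), is also my addition.

```python
import re
import sys
from collections import Counter

# Constructed sample passwords (not the leaked Perlmonks data); chosen to
# exercise every row of the table plus the whitespace and underscore cases.
SAMPLE_PASSWORDS = [
    "pineappl", "letmein",                    # letters only
    "hunter2", "secret99", "perl2009",        # letters and 1/2/4 digits
    "camel1234", "a1b2c3", "abc12345",        # letters and 4/3/5 digits
    "12345",                                  # digits only
    "foo_bar",                                # letters and underscore
    "99_1",                                   # digits and underscore (no row in the table)
    "Just Another", " pad",                   # embedded and leading whitespace
    ">=6chars", "1a$3f&_j2^", "P@ssw0rd",     # punctuation
]

# Perl's \w is [A-Za-z0-9_], so an underscore counts as "alphanumeric" here.
WORD_ONLY      = re.compile(r"^[A-Za-z0-9_]+$")
DIGITS_ONLY    = re.compile(r"^[0-9]+$")
LETTERS_ONLY   = re.compile(r"^[A-Za-z]+$")
LETTERS_USCORE = re.compile(r"^(?=.*_)[A-Za-z_]+$")
LETTERS_DIGITS = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])[A-Za-z0-9]+$")
NON_WORD       = re.compile(r"[^A-Za-z0-9_]")   # whitespace lands here too

def plural(n, noun, sep=" "):
    """'1 digit' / '2 digits', matching the table's row labels."""
    return f"{n}{sep}{noun}" + ("" if n == 1 else "s")

def classify(pw):
    """Return every table row a password belongs to, outermost first."""
    rows = ["total"]
    if WORD_ONLY.match(pw):
        rows.append("alphanumerics-only")
        if DIGITS_ONLY.match(pw):
            rows.append("digits-only")
        elif LETTERS_ONLY.match(pw):
            rows.append("letters-only")
        elif LETTERS_USCORE.match(pw):
            rows.append("letters&u-score")
        elif LETTERS_DIGITS.match(pw):
            rows.append("letters&digits")
            ndigits = sum(c.isdigit() for c in pw)
            rows.append("letters&" + plural(ndigits, "digit", sep=""))
        else:
            rows.append("other-word-chars")   # e.g. digits mixed with underscore
    else:
        rows.append("with non-alnums")
        rows.append(plural(len(NON_WORD.findall(pw)), "non-alnum"))
    return rows

def tally(passwords):
    """Count passwords per row; nested rows are counted alongside their parents."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw))
    return counts

ROW_ORDER = ["total", "alphanumerics-only", "digits-only", "letters-only",
             "letters&u-score", "letters&digits"]

def row_key(row):
    """Order rows as the table prints them; numbered rows sort by their number."""
    if row in ROW_ORDER:
        return (ROW_ORDER.index(row), 0)
    if row.startswith("letters&"):                         # letters&Ndigit(s)
        return (len(ROW_ORDER), int(re.search(r"\d+", row).group()))
    if row == "other-word-chars":
        return (len(ROW_ORDER) + 1, 0)
    if row == "with non-alnums":
        return (len(ROW_ORDER) + 2, 0)
    return (len(ROW_ORDER) + 3, int(row.split()[0]))      # N non-alnum(s)

def indent_of(row):
    if row == "total":
        return 0
    if row in ("alphanumerics-only", "with non-alnums"):
        return 1
    return 3 if re.match(r"letters&\d", row) else 2

def report(counts):
    """Render the counts in the same layout as the table in the post."""
    total = counts["total"]
    width = max(len(r) + 2 * indent_of(r) for r in counts) + 2
    lines = []
    for row in sorted(counts, key=row_key):
        label = "  " * indent_of(row) + row
        n = counts[row]
        lines.append(f"{label:<{width}}{n:>4}  ({100.0 * n / total:6.2f}%)")
    return "\n".join(lines)

def read_passwords(lines):
    """Strip only the line ending, so leading, trailing and embedded whitespace survives."""
    return [line.rstrip("\r\n") for line in lines if line.rstrip("\r\n")]

if __name__ == "__main__":
    # Pipe a one-password-per-line file on stdin, or run with no input for the sample.
    pws = read_passwords(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PASSWORDS
    print(report(tally(pws)))
```

The sub-rows of "alphanumerics-only" are made mutually exclusive here, so they add up to the parent; the table in the post does not quite do that (its four sub-rows sum to 521 against a parent of 517), so the original script evidently let a few passwords match more than one sub-row.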

Comments
  • How many people used a recognizable word, or a name, or a word plus one or more digits; and how many used an (apparently) randomly generated password?
    • The problem is a bit worse than what the data implies. I won't speak for others, but quite some time ago, I received some email implying that someone was trying to get my password. Since I had been bad and reused a password, I immediately changed mine to a unique password. Now, I have a different password management system whereby I have unique, very hard to guess passwords for most critical sites.

      In the case of Perlmonks, I switched mine to pineappl. I really didn't care if that account got hacked and

  • I'd like to draw some attention to the analyzing script.

    Please notice how masak uses regexes and junctions of regexes as matchers, and doesn't need to distinguish them where he uses them.

    Also note that the use of the cross operator 'X' means that he has to use only one loop (instead of two nested loops).

    I really like that code. And I can't think of any Perl 6 feature (at least not off the top of my head) that would make that code even nicer, but is not yet implemented in Rakudo.

    • My reaction at seeing that code was something like horror - like seeing someone whose lips, nose, and eyelids have been cut off. Like you're talking to someone, and all you can think of is their bones underneath that will be left when they've died and rotted away. Surely that's not Perl. Surely!

      Will that feeling ever go away? :) I want it to seem awesome, too.

      • Um, I don't recall having such a reaction when reading Perl 6 code. But OTOH I learned it through the Apocalypses, so I only saw small pieces of it at a time.

        My advice to you is to write something in Perl 6 yourself, and then come back and report whether the feeling seems to subside, or at least lessen somewhat.

  • Just out of curiosity, is anyone with the list of passwords testing it against CPAN authors with the same or similar username or registered email address to make sure the passwords get changed? It seems like it'd be a good idea to regenerate the passwords or lock the accounts of people who don't change their password and have it published. Or, maybe someone should track their updates until they do.
• I believe that they are emailing CPAN authors.

      http://www.dagolden.com/index.php/358/perl-whipupitude-to-the-rescue/

      (Luckily for me, the last time I used PerlMonks I had forgotten my password, so my password was set to the default forgotten password email's, but I still think I will go and change many of my passwords)

    • I tested the first few passwords that had @cpan.org email addresses. All of the people at the beginning of the list used their perlmonks password as their PAUSE password. After about three of these, I got depressed and stopped.
    • "the same or similar" is a hard test. Work is being done to try to identify any reused passwords (not limited to the published ones).
  • Who uses their good password for a discussion site, though? I can see if this was a list of online bank passwords how it'd be valuable, but honestly, if I could use a blank string as a password for these sites, I would. Who cares if someone posts a message "as me"?

    I liked Larry's password the best, ">=6chars". (Presumably in response to a message like, "your password must be greater than or equal to 6 chars". Brilliant!)

  • Your script fails(!) to correctly analyze my old password (and at least one more), because it fails(!) to recognize whitespace. ;-)

    At least two passwords contained embedded whitespace. How many contained leading or trailing whitespace? IIRC, the source data was not formatted in a way that even preserved those, so who knows? :)

    --
    perl -e 'print "Just another Perl ${\(trickster and hacker)},";'
    The Sidhekin proves that Sidhe did it!
    • You're completely right, I didn't take that into account. Nor do I see a way to do so, given the source data.

  • What significance is the strength of a compromised password? A password of "password" is no weaker than a password of "1a$3f&_j2^" if hackers compromise the system. Especially when the passwords are stored in plain text (WTF?)
    • I thought it would be interesting to do some analysis on the leaked passwords, that's all. We all have a pretty good idea of what makes for a strong password, and this was a chance to see how strong passwords some of the more high-profile Perl users out there were using. In that sense, the strength of compromised passwords is significant, because it gives us an unusual insight.

      I don't think I explained that clearly in the blog post. This was my way of generating a marginally useful blog post out of a negati
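The thread above asks whether the leaked Perlmonks credentials are being checked against CPAN/PAUSE accounts so that reused passwords get reset. The following added Python example, which is not PAUSE's or Perlmonks' code, shows the operator-side form of that check on a site that stores passwords the way the post argues they should have been stored: as salted PBKDF2-HMAC-SHA256 hashes rather than clear text. Each published (username, password) pair is verified against the local store and matching accounts are returned for a forced reset. USER_STORE, LEAKED, hash_password, verify_password and find_reused are all constructed for this example; matching is by exact username only, so the "similar username or registered email" matching the thread mentions is not attempted.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; 600,000 is OWASP's 2023 guidance, raise it over time.
ITERATIONS = 600_000

def hash_password(password, salt=None):
    """Return a self-describing record, algorithm$iterations$salt$digest; the store keeps only this."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record: " + algorithm)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))

# Constructed: this site's own account store, holding salted hashes only.
USER_STORE = {
    "alice": hash_password("pineappl"),
    "bob":   hash_password("correct horse"),
    "carol": hash_password("s3cret!"),
}

# Constructed: (username, password) pairs as published from the other site's leak.
LEAKED = [("alice", "pineappl"), ("bob", "hunter2"), ("carol", "s3cret!"), ("dave", "x")]

def find_reused(leaked, store):
    """Usernames whose leaked password also opens their account here; these need a forced reset."""
    return sorted(user for user, pw in leaked
                  if user in store and verify_password(pw, store[user]))

if __name__ == "__main__":
    for user in find_reused(LEAKED, USER_STORE):
        print(f"{user}: leaked password reused here, lock the account and require a reset")
```

Because the store holds only salted hashes, the check costs one PBKDF2 computation per leaked pair and nothing leaks from the store itself; users who did not reuse their password (bob) and users who have no account here (dave) are simply skipped.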