Forgot your password?
typodupeerror
Privacy Security Social Networks Your Rights Online

75% Use Same Password For Social Media & Email 278

Posted by CmdrTaco
from the my-password-is-trustno1 dept.
wiredmikey writes "Over 250,000 user names, email addresses, and passwords used for social networking sites can easily be found online. A study of the data collected showed that 75 percent of social networking username and password samples collected online were identical to those used for email accounts. The password data was gathered from blogs, torrents, online collaboration services and other sources. It was found that 43 percent of the data was leaked from online collaboration tools while 21 percent of data was leaked from blog postings. Meanwhile, torrents and users of other social hubs were responsible for leaking 10 percent and 18 percent of user data respectively...."
This discussion has been archived. No new comments can be posted.

75% Use Same Password For Social Media & Email

Comments Filter:
  • Use Password Hasher (Score:5, Informative)

    by mbuimbui (1130065) on Monday August 16, 2010 @01:24PM (#33265510)

    Use firefox extension's password hasher (http://wijjo.com/PasswordHasher). Then you only need to remember one password but can use it for a variety of sites. If any one site's passwords get leaked, you dont have to go around an update your password for all other sites.

  • by bradgoodman (964302) on Monday August 16, 2010 @01:33PM (#33265624) Homepage
    Password hashing let's you enter the same password for several sites, but changes it (i.e. hashes it) along with the domain name of different web sites - which means you are actually using a different password for every site

    Furthermore, since the passwords are seemingly random characters (not words, or anything sensable) - they are generally quite strong.

    "pwdhash" is the foremost system for doing this - there are several browser extensions and other tools for automating it

    See: http://cynix.org/tools/superpwdhash [cynix.org]

  • Re:"Leaked"? (Score:4, Informative)

    by Securityemo (1407943) on Monday August 16, 2010 @01:47PM (#33265832) Journal
    Link to full description of the experiment: http://www.malwarecity.com/blog/the-limits-of-privacy-is-this-your-password-865.html [malwarecity.com]
  • by N0Man74 (1620447) on Monday August 16, 2010 @01:58PM (#33265988)

    I've been involved with tech support, and have been asked for help from family and friends. Many non-computer savvy people see these registrations and think that they are *supposed* to use their email address password there. When people (including my mother) have asked me for help to setup for random online accounts where they give their Yahoo email address (for example), they frequently ask, "so I should put my yahoo password in here?"

    Even if they realize it's a second password, they will often use the same one anyway, which is often something as simple as their own first name in all lowercase. I told one family member that this was a very bad idea, and that good passwords are a combination of letters and numbers, so she began adding 123 to the end of her passwords...

    These people don't realize how some accounts *can* be abused. Sure, many of us take security for things like social media sites less seriously, but don't forget that having an insecure Facebook account opens the door for someone getting access to your account and bombarding everyone you know with things like porn spam, phishing schemes, links to infect people with malware, people posing as you to commit fraud (such as posing as you to ask people for financial assistance for some personal emergency), or social sabotage.

    Passwords are a mess, in general. Only a small minority exercise proper password security practices, there are too many sites that require passwords, and even those that of us that want to practice good password security (and realize the importance of it) are burdened with the mess of having 30 different logins and passwords for different sites.

  • Re:"Leaked"? (Score:5, Informative)

    by plover (150551) * on Monday August 16, 2010 @02:02PM (#33266044) Homepage Journal

    It's not so much about trusting a person. Although that's an exploitable component for social engineers, social engineering is fairly rare, and it doesn't scale well. It's really about the machines in which we place that trust, and how those machines can be hacked. That's the easy part to scale up.

    Hackers (specifically criminal types) operate on statistics. They don't care so much "which" websites they break open, they care about breaking into "some" sites and harvesting what can be found there. They also harvest the easy stuff: cleartext passwords, cleartext account numbers, etc. They won't run a deep password cracker on a million accounts, but they might run a simple /usr/dict/words kind of scan.

    Of course once you've broken a thousand passwords on socialsite.com, you can try correlating those to majorbank.com and amazon.com and all the other potential sources of money. Again, you don't care if 900 out of a thousand fail, because you can still effectively steal from the 100 that remain.

  • by defaria (741527) <Andrew@DeFaria.com> on Monday August 16, 2010 @02:11PM (#33266136) Homepage
    Not necessarily. In a word - LastPass.

At the source of every error which is blamed on the computer you will find at least two human errors, including the error of blaming it on the computer.

Working...