RockYou hack reveals easy-to-crack passwords

Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy to guess login credentials. Sensitive login credentials - stored in plain text - were left exposed because of a SQL injection bug in RockYou's …


This topic is closed for new posts.
  1. Yet Another Anonymous coward Silver badge

    But they don't

    >If users (as they often do) use the same login credentials for social networking sites and more sensitive accounts

    That's the whole point, people use junk passwords for all those sites that insist on a password for no good reason - and keep the secure ones separate for important uses, like er' reg comments.

    1. Jimmy Floyd

      "People" or "techies"?

      One would like to think that was true - and certainly among Reg readers it probably is - but I'm not so sure about Joe Public. The subtleties of strong passwords might evade them (if they can even be bothered with a complex password), as might the issues surrounding your banking password being at one with your favourite pr0n site.

      Internet banking vs. Internet spanking, if you will.

      Coat. Yep.

    2. Jamie Jones Silver badge


      I'm not going to vote you down, but I think you're wrong for the majority of users out there.

      1. Jamie Jones Silver badge


        My reply above was directed at "Yet another anonymous user"

    3. Anonymous Coward

      What that guy said

      Don't get me wrong... You guys are great (other commenters). I mean we have some terrific discussions on here, and sometimes, well, I just don't know how I would get by without your helpful advice! But, TBH, if my reg account got h4x0r3d... I'd probably just make a new one, and try to get on with my life. I post as AC mostly anyhow.

  2. Bilgepipe

    Security Fail

    So not only was this site open to a SQL injection attack, but the passwords were stored in plain text?


    1. Mark 65

      I stopped at that bit too

      Just imagine how many shiny web 2.0 sites are secured in this way. Even storing a simple password hash with salt makes it orders of magnitude more difficult.

  3. Anonymous Coward

    Shame on (rock) you...

    Most of those passwords would not be allowed if even the most basic restrictions were imposed by RockYou when they were created (i.e. 8 or more characters and containing at least letters and numbers).

    Apparently RockYou weren't even requiring a minimum password length!

    Of course people are stupid and will choose stupid passwords given half the chance, but this still says more about how inept RockYou were as a service provider.

  4. Anonymous Coward

    Strong passwords are hard

    I once had a project where the client (a marketing guy) asked for a strong password to be required, so I built a strong password validator for the site; when the client was asked to test it, he said it didn't work.

    It did work, but it was just too hard for him to create a password that was strong :P

    In addition to requiring caps, non-caps, a number and a symbol, it wouldn't let you use your first or last name, username, email or any sequence like qwerty, wertyu or asdf in your password.

    My password here on the reg is definitely weak ;)

    1. Anonymous Coward

      Strong passwords are easy


      There, that's strong.

      Strong passwords are easy if people are given the right mental tool(s).

      Why does this stupid site demand yet another password => wdt55dy4p

      No capitals or symbols, but at nine characters it doesn't really matter. The above is good enough. I've been working with some passwords recently that are so "strong" that they are weak - you can neither memorise them nor type them in accurately; hence the only thing to do is store them on a computer. Duh!

      1. Anonymous Coward

        Good passwords.

        Write the password down and store them somewhere safe, eg sealed in an envelope and stuck in a safe.

        Consider using a passphrase rather than a password. For example: 'Red Lorry Yellow Lorry' and then perform a standard substitution, eg always replace 'e' with '3'. Really easy to remember but incredibly hard to crack. Or another approach is to use a mnemonic. For example 'I live in Birmingham but work in Stratford' would give you a password of IliBbwiS; substitute '1's for 'i's and $ for all the 's'es and you have a great password: Il1Bw1$, and easy for you to remember.

      2. Anonymous Coward

        Overly strong security

        "I've been working with some passwords recently that are so "strong" that they are weak - you can neither memorise them nor type them in accurately; hence the only thing to do is store them on a computer. Duh!"

        That's my biggest gripe. My highest risk online account - a business bank account - has a

        - login name (required as you can have multiple users for a bank account)

        - Login password

        - Authentication password

        - item 4 which i can't even remember

        All of them must be 8 digits or more and it asks for a number of "nth digit"s to validate. Even after a few years with the same credentials there's no way I can achieve anything without them written down in front of me.

        Likewise my work account which has 30 day password expiry (effectively 20 days as that's when it starts nagging you daily that your password will expire). I started off with secure passwords but over a few years they've become steadily less secure to the point where it's now trivial.

      3. TeeCee Gold badge


        "......the only thing to do is store them on a computer."

        Gosh, if only most people were that security-conscious. A post-it note stuck on the screen is rather more common in my experience.

    2. Anonymous Coward

      True but...

      Horses for courses...

      It's not generally considered necessary to enforce typical 'strong password' rules on social networking sites etc. However, I would at least have expected RockYou to have required a minimum of 8 characters and the use of letters & numbers, which is the general convention for online services which store personal data.

      I own a Hotmail account for which the password is only 6 characters and a dictionary word, since it was set up in 1996 before minimum password strength rules became widely used. I don't use the account but keep the password as it is for sentimentality's sake ;oP

      1. Steen Hive

        But but

        "However, I would at least have expected RockYou to have required a minimum of 8 characters and the use of letters & numbers, which is the general convention for online services which store personal data."

        Er.. how many accounts were compromised through weak passwords, and how many were compromised by the stupid and completely unnecessary fuckwitty fail of storing CLEARTEXT?

        The mind boggles - just HOW difficult is hashFunc(password) ; on the way into a DB?

        How can anyone that mind-numbingly retarded be expected to mandate any sort of password regime?

  5. John Smith 19 Gold badge

    At least we hope they don't

    Guess it depends how valuable users perceive their personal (and I guess sometimes *very* personal details) to be.

    But yes these are staggeringly trivial.

    But *another* SQL injection attack.

  6. Owain 1

    princess ??!!

    Where did that come from?

    1. LinkOfHyrule

      Where did that come from?

      Diana fanboys maybe?

  7. Anonymous Coward

    @first poster

    are you actually that naive, or is that sarcasm? maybe the people who read sites like the reg do that, but everyone else?

  8. Paul Hates Handles

    ...passwords stored as unencrypted strings? wtf? :)

    1. Anonymous Coward


      Nobody encrypts passwords. You hash them.

  9. bittenbytailfly
    IT Angle

    Users are lazy

    I've had experience creating a system requiring a user to create a strong password, and also had problems with users that can't remember their 'overly-complicated passwords'.

    The bottom line is unless you use a password generator (I use Deadbolt Password Generator) to create strong unique passwords for every site or a password safe of some kind (although I don't like storing ALL my passwords in one place) people will always have trouble remembering good passwords and will stick to using weak ones instead.

  10. Mike 68

    What counts as a strong password?

    What if you use a dictionary word but replace certain letters with numbers, leet-style, ie 3 for E etc? Not that that's what I do, I'm just saying. STOP TRYING TO GUESS MY PASSWORD!

    1. Jimbo 6

      That's my policy...

      .... but with the added protection of using a *Welsh* dictionary. (It may as well be a random selection of letters, as far as most people in the world are concerned.)

      Flames, cos we likes to keep the (holiday) home fires burning...

      1. Steve Roper

        Re: That's my policy...

        I'll see your Welsh dictionary and raise you my personal conlang!

        Take words from my conlang like Kaseryndhalan, Dwimmathdene and Khatalinlat, replace the vowels with numbers - K4s3ryndh4l4n, Dw1mm4thd3d3 and Kh4t4l1nl4t - and I have easy-to-remember passwords that nobody's going to guess... :)

        Conlangs are an awesome and uncrackable means of encryption too if you take the time and effort to develop one. For example, I can guarantee that there are only 3 people, including myself, on this planet who would be able to translate this statement:

        Hyarin marhyad thiel ke koyanad kya shariadi adawaya kya khanya kha simain. Saeli tielyad kya kelduran kha sharath kya tunai anlani re shalayneth lamanya dawya gharan.

        1. Anonymous Coward

          RE: That's my policy...

          "For example, I can guarantee that there are only 3 people, including myself, on this planet who would be able to translate this statement:"

          I can guarantee that there are no people who are interested.

        2. Anonymous Coward
          Thumb Up


          Hyarin marhyad thiel ke koyanad kya shariadi adawaya kya khanya kha simain. !!!

          Shalayneth lamanya dawya gharan.


  11. Chris 226

    SQL Injection


    someone. please. for everyone's sake.

  12. The Original Ash


    Passphrase is the way forward.


    1. Someone

      As so often, it’s length that counts

      You can tell the advice from Microsoft and Sophos has come from computer scientists. To remember your passphrase, you need to work through the algorithm you used to generate it, flawlessly. Once a passphrase has been used a few times, most people are much better at remembering a list of words than a list of letters and symbols; words are an intrinsic part of brain function. If you want a stronger passphrase, just add another word. There’s much better advice on The Diceware Passphrase Home Page [1], including a measure of strength.

      Unfortunately, you still come across websites with instructions like “Choose Password (6-10 characters):”

      BTW, your example passphrase may not be as strong as you think. It's a sentence fragment, not a list of random words, so the words are interdependent.


  13. Anonymous Coward

    Too many pointless passwords

    There are just so many places that need passwords that it is completely unrealistic to expect people to remember a different one for every place. As YAAC said above, most people I know keep one password for serious stuff and another for waste of space passwords that they don't care about.

    Another problem is that best practise really doesn't work in most environments.

    We have access to a government database which every member of the company needs to get into - from directors to pool secretaries, and there's supposed to be full traceability. Its password policy requires each user not only to have mixed alphanumeric 12 digit passwords with no logical sequences and so on, but requires a change every month. Surprise surprise, after the first couple of months no one could remember the passwords they had last come up with, so we spent hours every week on the phone to the govt dept concerned resetting accounts. In the end, we just decided it wasn't worth the bother and told everyone to write the blasted things down. Self defeating password policy. You could blame us for not having superhuman powers of recalling random character strings, but at the end of the day, humans are not machines - and people who come up with password policies need to be realistic.

  14. Gene Cash Silver badge

    Does it matter?

    If the users don't give enough of a shit to use strong passwords, why should anyone cry for them when they get haxx0rzed?

  15. Jamie Jones Silver badge


    I like to think of a random song, then use the initials to the lyrics.

    I had "oidltbbtss" once for a while (oh i do like to be beside the sea-side) - yeah, technically only one s at the end, but when singing it in my mind, 2 was easier.

    The problem with ENFORCING overly complicated passwords is that people end up writing them down.

    1. The Beer Monster
      Thumb Up

      @Jamie Jones

      I thought it was only me that did that...

      1. Anonymous Coward

        Quite common

        I do that as well but with phrases, first sentence from a book, sayings, poetry. Sometimes uppercase the first two letters or the first and last then add an underscore and number on the end.

    2. Anonymous Coward

      Nothing wrong with writing them down.

      as long as you store them securely.

      All my most important passwords are written down and stored in a sealed envelope inside a safe.

      1. TeeCee Gold badge

        That's a cunning plan.

        Where have you written the combination to the safe?

        1. Anonymous Coward


          it's in a text file which is encrypted with a strong passphrase.

  16. The Indomitable Gall

    Old vs New problem

    "Persuading users to use stronger passwords is an age-old problem that dates back to the dawn of the PC era."

    It's not an old problem, it's a new problem.

    In the old days, you had about 3 passwords; you had to convince the user to make them strong. Once they were strong, you could use them for a long time because they were secure. Because you didn't change them, you could remember them.

    Now, we all have a dozen or so passwords. If we make them strong, they're hard to remember. The harder they are to remember, the more likely we are to reuse them. Because some people use weak passwords, corporate policies add a layer of security by forcing us to change them every few months.

    I can remember every password I had on the computers at uni, because I used them frequently for a long time. My password for the office PC expires so quickly that I've barely learnt it by the time I'm asked to change it. The cognitive load is high, and every time I sit back down and unlock my PC, I have to filter out "noise" from half-a-dozen old and "other system" passwords before I get to log in.

    So my passwords are getting weaker all the time as it's the only way to remember them.

    It is a new problem -- it just looks similar to an old one.

    1. Anonymous Coward

      too true

      I have so many I have to write them down: in a GPG encrypted document on a USB stick. At least the password for that key is reasonably long

  17. Robert Carnegie Silver badge

    I favour barcodes, on webcam maybe

    Let a reasonably difficult string be printed as a bar code on a convenient small card, or on a label to stick in a book, or a loose leaf binder.

    Then let me show that card to my cheap PC digital camera in order to "type" the password.

    Weaknesses, yes...

  18. Paul Smith

    Strong passwords?

    My employer (10,000+ employees) introduced a "strong" password policy similar to the one AC described, and they force them to be changed every 60 days. The result was that for the next six months, every second desk had a post-it note with a weird word/number combination on it. Nowadays, most people I asked say they use a word that is visible on their desk and suffix it with the digits of the month they are forced to change it in. I wonder how many in my company are using Intel01?

  19. Anonymous Coward


    Storing password has become like storing credit card numbers. Outsource it and move on with your core competency...

  20. Anonymous Coward

    Like it

    Now there's a practical idea I will probably use and recommend in future!

  21. Adam Salisbury

    Behaviour Change

    The vast majority of users are completely unaware of the importance of password security; these are casual users or the not-as-IT-literate-as-us users. It's not their fault, we're in an age where you can distinctly separate users into two groups: those who've grown up with IT and those who've lived most of their lives without it. It's the latter group who're responsible for most of these epic password fails, whereas those of us who've been using computers since puberty are well aware of the risks.

    Any organisation who requests a password should attempt at least a basic explanation of how to set a strong password and why it's important, most of these RockYou customers will have no idea that they've left themselves vulnerable.

    Of course some organisations, including my bank (who I won't name for obvious reasons) who don't allow the use of special characters in passwords should be held to account for being so lax.

  22. Mad Hacker

    Why use a strong password?

    If the site isn't storing bank account information why should I use a strong password? I hate sites that require more than 6 characters to protect, well, nothing!

    Use strong passwords on your bank account sites and email but nothing else. Even Amazon won't let you retrieve credit card info. The worst someone could do is order you a product.

    1. Anonymous Coward

      Re: Why use a strong password?

      As more and more employers are using Google to find out about potential employees, it might be wise to ensure that no one can hack their social networking site accounts and update their list of hobbies with something they'd rather not be associated with. You won't even get to the interview stage to explain that your interest in goatse was the result of someone guessing your password, and even if you did do you think they'd be impressed by the explanation? So either use a strong password or, like me, stay clear of such sites.

  23. JShel

    Why not ms Vance?

    She wrote the article on this in the NY Times today, conflict of interest, or has she left El Reg?

    1. Jamie Jones Silver badge


      Ashlee Vance is MALE

  24. Shane 8

    Hard passwords are easy to create....

    Think of a colour.....think of an object...capitalize the first letter of each and put it together and swap out a few for numbers, voila!




    the list goes on and i doubt they are in a wordlist....

  25. Hungry Sean

    write 'em down

    I feel like the IT community really brought a lot of this on itself by at some point getting the idea into users' heads that passwords should never be written down. Really, it's all down to your threat model-- which is more probable? Li'l Johnny Hax0r running a script from his bedroom and incidentally hammering my bank account, or someone mugging me/breaking into my house and deciding of all things to abscond with my notebook of passwords? Which is easier for me to detect and react to (e.g. by resetting all my passwords)? And if my password is written down in ink, rather than entered into a spreadsheet on my computer, then I don't need to worry about spyware finding and stealing it.

    What I think I'd like to see would be websites that have a strong password generator built in on the password creation page, you click, it gives you one and tells you to write it down in a notebook. Us humans are bad at creating random data (amanfrommars may be superior to us in this respect), why put the onus on the user when we have great algorithms to let the computer do it?

    1. M man


      Iil just ask him to remember it for me

  26. Ralphe Neill

    ISP don't have a clue, either

    The ISP I use here in Australia enforces a strong password policy ... and then stores the passwords in plain text.

    The database is available to all employees, including the out-sourced "help" desk!

    They insist that there's no security problem.

  27. Anonymous Coward
    IT Angle


    The fact that bothers me is not that users choose primitive passwords (maybe they like them to be close to themselves), but that the admins stored them unencrypted, in days when salted hashing is considered the minimum.

    These people obviously know nothing about their job, hence the icon.

  28. b166er

    AC 16:50

    Pa55word is not secure at all. Any adversary worth their salt (pun not intended) is gonna try 'password' in all its guises (most rainbow tables will have those variants in anyway) and substituting 5's for S's 3's for e's etc is about the most obvious attempt at a cipher. People even employ it to attempt to make their car index plates more personal.

    oidltbbtss is not strong either and would brute force using only lower-case in as much time as it takes me to write this. However, if you typed ohidoliketobebesidetheseaside, you would have a very strong passphrase.

    Unfortunately, because engineers who write password entry boxes are for some reason still pre-occupied with the non-existent shoulder-surfer, you would have a high chance of mistyping it. Fortunately, this attitude is now changing and you can often elect to see the characters as you are typing them, with the best examples being where the character is visible temporarily and is then masked with an asterisk.

    Once this barrier to security is removed, passphrases will be most usable and security increased dramatically. Even then, they still need to be combined with using a mouse to choose a PIN from a list of characters presented in a random order so as to defeat keyloggers.

    This really is trivial to do and some banking institutions are getting close to what is (reasonably) secure; it just needs to filter down a bit, and hopefully breaches like this will make engineers more thoughtful about their approaches to security.

  29. John H Woods Silver badge

    Reg Campaign Required...

    .... PLEASE ... someone tell the security types that routine password expiry not only provides almost zero protection but actually causes one of the most serious problems: weak passwords.

    1. Anonymous Coward

      The thing is...

      regardless of whether or not password expiry increases or decreases security the current industry best practice (the standard to which you are held by, for example, IS27001 and the DPA) is that password expiry is required.

      Eg Principle 7 of the DPA ("Secure") requires the use of "Appropriate technical and organisational measures" which, currently, means use expiring passwords (amongst other things) because that's considered to be current best practice ie an "appropriate technical ... measure".

  30. Tony Smith, Editor, Reg Hardware (Written by Reg staff)

    Re: Why not ms Vance?

    *He* left the Reg 18 months ago to become a full-timer on the NYT.

  31. Shippers

    Wot no hash?

    Ugh - there should be laws against systems that store people's passwords in such an insecure manner. Rather than store the passwords, a secure hash of the password should be stored instead. If, at login, I can produce a password that results in the same digest as the one stored in the database then access is granted. At worst, an SQL injection attack would result in the database spewing out a load of hash values.

    OK, so someone could still calculate a hash of "12345" and see whose username matches it, but at least those with relatively obscure passwords would still be afforded some additional protection.
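    The hash-and-compare login check described in this post, worked through as an added example (not code from the post or from RockYou), with a per-user salt and an iterated digest added so that the "hash of 12345" lookup the post worries about no longer matches any stored record. The accounts and passwords are constructed for the demo.

```python
"""Digest-based password storage instead of cleartext, with and without a salt.
Added example with constructed accounts; not RockYou data or code."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as attacker hardware improves


def unsalted_digest(password: str) -> str:
    """A bare digest per password: what a precomputed 'hash of 12345' lookup relies on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest' (hex fields)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record never grants access
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample accounts: two users chose the same weak password.
USERS = {"alice": "12345", "bob": "ohidoliketobebesidetheseaside", "carol": "12345"}


def unsalted_table(users: dict) -> dict:
    """One plain digest per user: better than cleartext, but lookup-table friendly."""
    return {user: unsalted_digest(pw) for user, pw in users.items()}


def salted_table(users: dict) -> dict:
    """One salted, iterated record per user."""
    return {user: hash_password(pw) for user, pw in users.items()}


def precomputed_lookup(table: dict, digest: str) -> list:
    """Match a single precomputed digest against every stored value of a leaked table."""
    return sorted(user for user, stored in table.items() if stored == digest)


def shared_password_groups(table: dict) -> list:
    """Users whose stored values are identical, i.e. who visibly share a password."""
    by_value = {}
    for user, stored in table.items():
        by_value.setdefault(stored, []).append(user)
    return sorted(sorted(group) for group in by_value.values() if len(group) > 1)


if __name__ == "__main__":
    guess = unsalted_digest("12345")
    print("unsalted lookup:", precomputed_lookup(unsalted_table(USERS), guess))  # ['alice', 'carol']
    print("salted lookup:", precomputed_lookup(salted_table(USERS), guess))  # []
    print("shared (unsalted):", shared_password_groups(unsalted_table(USERS)))  # [['alice', 'carol']]
    print("shared (salted):", shared_password_groups(salted_table(USERS)))  # []
    record = salted_table(USERS)["alice"]
    print("alice login:", verify_password("12345", record), verify_password("12346", record))
```

    The salt does not stop an attacker from guessing each record separately at full PBKDF2 cost; it removes the one-digest-fits-all lookup and hides which users share a password.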

    1. Anonymous Coward
      Thumb Up

      There are.

      This would definitely fall foul of European data protection legislation (eg the UK's Data Protection Act) because storing passwords in the clear falls well short of industry best practice, i.e. the appropriate technical measures required by principle 7.

  32. Anonymous Coward

    Not just users to blame

    I'm pretty good with my passwords (no two are the same, but I have a system that allows me to remember pretty much all of them).

    However, what pisses me off is when I am confronted with shite like this:

    Your password must be between 8 and 10 characters

    You cannot use spaces in your password

    You cannot use non alphanumeric characters in your password

    It means that I can't use one of my 'systems' (or any of my preferred other password choices) and instead I'm forced to use some crappy password that I will invariably forget because I was so constrained in what I could choose.

    If users are to be encouraged to use secure passwords, then maybe there shouldn't be so many shite limitations that remove some of the best ways to make passwords secure (length, symbols etc.)

  33. Anonymous Coward

    Password generators

    I like password generators like PasswordMaker. I use it as a Firefox addon. It generates a password based on one password and the url of the site thus you get a unique password by using only one password which you keep in your head and never use anywhere else.

    The only weakness is keyloggers.

  34. 124Out

    Here we go again...........

    The message here isn't the users who choose weak passwords. The message is the (32 million - N) users who wasted their time choosing and remembering strong passwords and had them compromised anyway.

    Users show a better understanding of the risk than most security people:

  35. Charles 9 Silver badge


    You say using the mouse will defeat a keylogger but what if hackers start including screen cap tools and mouseloggers? Macro programs already exist that can mouselog for scripts; malware can employ the same tactic, and screencaps will help to point out where the mouse is clicking.

  36. Anonymous Coward

    Solution presents itself

    We could all use a password to get a key from Verisign and use that when creating accounts - then we wouldn't need to type any passwords...

  37. Nebulo

    Site limitations

    I have to agree with everyone who's irritated by sites limiting your password choice. For example, I really like one site's email (etc.) service, but for their max 12 character passwords. That might have been OK when the site was young, but it's in lookup table territory now. I use better than that on my Yahoo email, ffs.

    You can strengthen your p/w (if you're not subject to such limitations) just by punctuating your passphrase, either properly or idiosyncratically. Those seaside lovers could try ...

    Oh, I DO Like to Be Beside the Seaside!

    or perhaps ...

    Oh, do I like 2B beside the Seaside, (for the artist who knows his pencils and is posting here.)

    And yes, write them down, in a notebook with a lot of totally unrelated guff 'phrases' - you know which ones you've used (we hope). Twice, one in a secret place so you don't lose everything when it gets nicked.

    Mine's the one with the ?N0t3b0Ok! full of guff in the pocket.

  38. Sceptical Bastard

    It's all a 'fail'...

    Rock You, you fail on all levels - SQL injection, clear text storage, no password policy

    But the debate here is about the analysis. Some commentards are gloating that lusers are morons. Yes, yes - we know that. (Actually, of course the majority of computer users may not have finely-honed security skills but they are no more moronic than the population at large... oh, I see what you mean!)

    The problem is not stupidity per se - it's practicality. As others have noted, people can remember words and phrases in their own language better than they can remember meaningless character strings. So we end up with dictionary words. FWIW, substituting numerals for lowercase letters is better than nothing but not much use against a decent Rainbow Table.

    Length, of course, is important (if my passwords were as short as my willie they would have been pwned years ago). The way Windows LAN Manager hash split passwords (until Vista, I believe?) meant that 16 chars became the minimum for the really paranoid and that attitude seems to have stuck among sysadmins. But it's counter-productive if a helldesk instructs lusers to use 16 random chars - virtually no-one has a clear idea of 'random' in this context and virtually no-one can remember 16-char strings.

    As to horses for courses, of course it makes sense to use stronger passwords for banking or business than for wanking about on FaceAche or on Twatter (I wonder if Stephen Fry's password is 'Fat Smug Know-all'?). But human nature being what it is, people simply can't be arsed to remember more than a couple of passwords.

    The taboo against writing down passwords is not always helpful. Obviously in a non-secure office environment sticking a post-it note to the screen with 'Passord: Bgx1#dw"£$' written on it is insecure: having it written, perhaps back-to-front, unobtrusively in the back of your pocket diary is far less so.

    So what are my solutions? What insights can I offer you? The answers are 'none' and 'none'. IMO, crap password security is a problem we are stuck with for as long as ordinary people (as opposed to geeks) use computers - in other words for ever.

    PS: I recently had to advise a home-office-computer-using client that having their pet's name as a password for everything from log-on to email to online banking (where, to be fair, the bank insisted on other characters as well) *and* as their security question answer was probably not a good idea.

  39. Anonymous Coward

    top 10 to be expected, actually

    the author says:

    "The trivial nature of the top ten RockYou passwords is bad enough"

    but of course, you wouldn't get any non-trivial passwords in the top ten, would you?

    If "Tyu334&UpW" was the #1 popular password, that'd be news...

  40. This post has been deleted by a moderator

  41. David Spalding

    "Sensitive" passwords? Really?

    I question whether someone's password used on Facebook is "sensitive." It's not like RockYou was a banking app.

    Granted, it doesn't excuse the lousy passwords people use, but I can easily understand people using stoopid passwords for a stoopid app running on the consistently frivolous and stoopid Facebook.

  42. Anonymous Coward

    Your passwords will be compromised

    Sadly it seems companies will never get it right with storage of passwords. I like to use this method - - click on the password branch tool. I email the webmaster because it does not work well with some European domains, but so far I did not get a reply.


Biting the hand that feeds IT © 1998–2021