10 May 2009

Watch out for your logins and passwords

The XSS danger is nothing new, but it makes a change from the usual ;)
What is your average password and user name length?

That is truly a hard question to answer because data is scarce. But recently, some spoils from a MySpace phishing attack: 34,000 actual user names and passwords revealed some truths.[10] The attack was pretty basic. The attackers created a fake MySpace login page, and collected login information when users thought they were accessing their own account on the site. The data was forwarded to various compromised web servers, where the attackers would harvest it later.[10]

MySpace estimates that more than 100,000 people fell for the attack before it was shut down. The data I have is from two different collection points, and was cleaned of the small percentage of people who realized they were responding to a phishing attack. I analyzed the data, and this is what I learned.[10]

Password Length:

While 65% of passwords contain eight characters or less, 17% are made up of six characters or less. The average password is eight characters long.[10]

Specifically, the length distribution looks like this:

Length   Share
1-4      0.82%
5        1.1%
6        15%
7        23%
8        25%
9        17%
10       13%
11       2.7%
12       0.93%
13-32    0.93%

Character Mix: While 81% of passwords are alphanumeric, 28% are just lowercase letters plus a single final digit — and two-thirds of those have the single digit 1. Only 3.8% of passwords are a single dictionary word, and another 12% are a single dictionary word plus a final digit — once again, two-thirds of the time that digit is 1.

numbers only        1.3%
letters only        9.6%
alphanumeric        81%
non-alphanumeric    8.3%
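The length buckets, the four-way character-mix split and the "dictionary word plus final digit" patterns above can be turned into a small audit for checking a password set against exactly those weak shapes. This is an added example, not code from the original post; the sample list is constructed and the tiny DICTIONARY is a hypothetical stand-in for a real wordlist file.

```python
import re
from collections import Counter

# Constructed sample; not data from the MySpace phishing set discussed above.
SAMPLE_PASSWORDS = ["password1", "qwerty", "123456", "letmein1", "Summer2008!",
                    "abc", "monkey", "jordan23", "iloveyou1", "trustno1"]
# Hypothetical tiny wordlist; a real audit would load a full dictionary file.
DICTIONARY = {"password", "monkey", "letmein", "iloveyou", "summer", "jordan", "dragon"}
LOWER_PLUS_DIGIT = re.compile(r"^[a-z]+[0-9]$")

def length_bucket(pw):
    """Map a password to the length buckets used in the distribution above."""
    n = len(pw)
    return "1-4" if n <= 4 else "13-32" if n >= 13 else str(n)

def character_mix(pw):
    """Classify into the four character-mix categories listed above."""
    if not pw.isalnum():       # anything beyond letters and digits
        return "non-alphanumeric"
    if pw.isdigit():
        return "numbers only"
    if pw.isalpha():
        return "letters only"
    return "alphanumeric"      # letters and digits mixed

def weak_flags(pw, dictionary=DICTIONARY):
    """Return the weak-structure patterns a password matches (possibly several)."""
    flags = set()
    if LOWER_PLUS_DIGIT.match(pw):
        flags.add("lowercase + final digit")
    if pw.lower() in dictionary:
        flags.add("dictionary word")
    elif pw and pw[-1].isdigit() and pw[:-1].lower() in dictionary:
        flags.add("dictionary word + digit")
    return flags

def audit(passwords, dictionary=DICTIONARY):
    """Tally length buckets, character mix and weak patterns over a password set."""
    report = {"length": Counter(), "mix": Counter(), "weak": Counter(), "final_digit_1": 0}
    for pw in passwords:
        report["length"][length_bucket(pw)] += 1
        report["mix"][character_mix(pw)] += 1
        flags = weak_flags(pw, dictionary)
        report["weak"].update(flags)
        if "lowercase + final digit" in flags and pw.endswith("1"):
            report["final_digit_1"] += 1   # the "two-thirds end in 1" check above
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWORDS))
```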

Making some use of the information we have

We can now take it as very probable that a password is 8 characters long. If we also assume a user name of 7 characters, and given that an average person types memorized text at 37 wpm (and passwords are memorized text), that means:

Username + Password = 15 characters approximately

One word = 5 characters

Which means that Username + Password = three words, so:

37/3 = 1/x => 37x = 1 => x = 1/37 minutes

or x = 1/37 * 60000 milliseconds ≈ 1621 milliseconds (I will explain later why you need milliseconds)

Now that we know how much time the average user takes to type his user name and password, we also know that he might press the Tab or Enter key to switch between text fields and to send the form data. So once the user is on the login page, the key logger checks the timing, the Tab key, the Enter key and the length of the password.