A major password breach in December 2009 from RockYou.com resulted in 32 million passwords being posted on the Internet. Analysis of those passwords reveals that the use of insecure, weak passwords has changed very little over the past 20 years
A major password breach in December 2009 from RockYou.com resulted in 32 million passwords being posted on the Internet, with no other identifiable information. The passwords were extracted through a SQL Injection vulnerability.
The Imperva Application Defense Center (ADC) conducted a study (PDF) and analyzed the strength of the passwords.
The top ten passwords Imperva found among those that were compromised in the attack were 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678 and abc123.
All Those Passwords are Easy to Crack
If any of those look familiar, as noted by PC World, please stop reading this story and change your password now. All those passwords are easy to crack using simple brute-force automated methods. Since the list has been published, anyone trying to crack an account manually will most likely try every one of them.
According to Imperva's study (PDF), about one half of the users use the same -- or very similar -- password for all websites that require logging in. That problem has changed very little over the past 20 years.
ADC also notes: "To quantify the issue, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account on every second or a mere 17 minutes to break into 1000 accounts."
The Most Common Password Among RockYou.com Users Is "123456"
Key findings in Imperva's report include:
About 30% of users chose passwords whose length is equal to or below six characters.
Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among RockYou.com account owners is "123456."
Recommendations for Strengthening Passwords
Imperva included a list of password best practices that were created by NASA for strong password selection. Password best practice recommendations include:
It should contain at least eight characters.
It should contain a mix of four different types of characters: upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,,. If the password contains only one letter or only one special character, that character should not be the first or last character of the password.
It should not be a name, a slang word, or any word in the dictionary.
It should not include any part of your name or your email address.
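The four NASA rules above are simple enough to be checked mechanically. The following checker is an added example, not code from Imperva, NASA or the article; the sample passwords, the tiny stand-in word list and the name/email values are constructed for illustration (a real deployment would load a large word list, for example the RockYou dump itself).

```python
# NASA-style password policy checker (added example; rules taken from the
# article, everything else is an assumption for illustration).

# Stand-in for a real dictionary/slang word list (constructed, deliberately tiny).
DICTIONARY_WORDS = {"password", "princess", "iloveyou", "rockyou", "love", "monkey"}

# Constructed samples; the first three appear in the article's top-ten list.
SAMPLE_PASSWORDS = ["123456", "iloveyou", "princess", "tlpWENT2m", "R0ck!You", "!Correct9Horse"]


def check_password(password, name="", email=""):
    """Return the list of policy rules the password fails (empty list = passes)."""
    failures = []
    # Rule 1: at least eight characters.
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    # Rule 2: all four character types present (non-alphanumerics count as special).
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    missing = [k for k, present in classes.items() if not present]
    if missing:
        failures.append("missing character types: " + ", ".join(missing))
    # Rule 2b: a lone letter or lone special character must not sit at either end.
    letters = [c for c in password if c.isalpha()]
    specials = [c for c in password if not c.isalnum()]
    for group, label in ((letters, "letter"), (specials, "special character")):
        if len(group) == 1 and (password[0] == group[0] or password[-1] == group[0]):
            failures.append(f"only {label} is at an end of the password")
    # Rule 3: not a dictionary or slang word (case-insensitive).
    lowered = password.lower()
    if lowered in DICTIONARY_WORDS:
        failures.append("dictionary or slang word")
    # Rule 4: no part of the user's name or the local part of the email address.
    for fragment in [*name.lower().split(), email.lower().split("@")[0]]:
        if len(fragment) >= 3 and fragment in lowered:
            failures.append(f"contains '{fragment}' from name or email")
    return failures


def audit(passwords, **identity):
    """Map each password to its list of failed rules."""
    return {pw: check_password(pw, **identity) for pw in passwords}


if __name__ == "__main__":
    for pw, problems in audit(SAMPLE_PASSWORDS).items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```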
Only 2% of RockYou.com Users Had Strong Passwords
The ADC analysis found that half of the RockYou.com passwords contained seven or fewer characters and 30% of its users chose passwords whose length was equal to or below six characters.
ADC's analysis also showed that almost 60% of RockYou.com users chose their passwords from within a limited set of characters. Only 2% of RockYou.com users used a password that could be considered as a strong password.
Almost all of the 5,000 most popular passwords, used by 20% of RockYou.com's users, were names, slang words, dictionary words or trivial passwords consisting of consecutive digits, adjacent keyboard keys, and so on. 123456 was the most common password among RockYou.com account owners.
Turn a Sentence Into a Password
Computer security specialist Bruce Schneier offers some other advice for creating a strong password: Take a sentence and turn it into a password. For instance, something like "this little piggy went to market" might become "tlpWENT2m."
Mr. Schneier also advises that "if you can't remember the passwords, write them down and put the paper in your wallet. But just write the sentence -- or better yet -- a hint that will help you remember your sentence."
Use a different password for all sites.
Never trust a 3rd party with your important passwords.
Tips for Administrators can also be found in the ADC's report (PDF). More information on protecting and creating strong passwords can also be found in this article from PC World.