Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

And the most popular password is...

By Dancho Danchev | January 21, 2010, 5:14pm PST

Summary: Analysis of 32 million passwords from last month’s RockYou.com server breach shows that millions of people continue to use weak passwords.

It is “123456,” according to Imperva’s analysis of 32 million passwords exposed in last month’s RockYou.com server breach, a data set large enough to show the insecure practices millions of users follow when choosing their passwords.

What did the analysis conclude? Short passwords, little or no mix of lower-case, upper-case and numeric characters, and trivial dictionary words, all of which any decent brute-forcing or password-recovery tool recovers in a matter of minutes.

Key findings include:

  • Using the most popular passwords as a guessing list, an attacker needs roughly 110 attempts per compromised account; at 110 guesses a second that is one new account every second, or a mere 17 minutes to break into 1000 accounts
  • About 30% of users chose passwords of six characters or fewer
  • Almost 60% of users chose their passwords from a limited set of alphanumeric characters
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among RockYou.com account owners is “123456”

The original post charts the rest of the top passwords, ranked by popularity.

It is worth pointing out that the same password, “123456,” also topped a similar chart based on a statistical analysis of 10,000 Hotmail passwords published in October 2009.

What could RockYou have done to prevent this systematic practice of allowing end users to register with weak passwords?

Enforcing stronger passwords as a long-term strategy, or borrowing short-term tricks from Twitter, such as its “banned passwords” list of 370 passwords that cannot be used during registration. “123456” is at the top of that list.
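The key findings above and the registration-time enforcement this paragraph calls for can be reproduced on a small scale. The following Python is an added example, not code from the post or from Imperva, RockYou or Twitter: it classifies passwords by the three criteria in the findings (length, character-class mix, trivial or dictionary content), doubles as a registration check that rejects banned-list entries and keyboard walks, and re-derives the “attempts per compromised account” figure from a constructed 25-account dump. The BANNED set is a hand-picked stand-in for a real banned list, the keyboard rows assume a US layout, and the “fewer than three character classes” threshold is this example’s own definition of a limited charset, not Imperva’s metric.

```python
import re
from collections import Counter

# Constructed stand-in for a registration-time banned list, in the spirit of the
# 370-entry Twitter list the post mentions. Not the real list; entries chosen for the demo.
BANNED = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess", "rockyou",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
    "lovely", "jessica", "654321", "michael", "ashley", "qwerty", "111111", "letmein",
}

# Keyboard rows and columns (US layout). Reversed copies catch walks in either direction.
KEY_LINES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
KEY_LINES += [line[::-1] for line in KEY_LINES]
# Shifted symbols map back to the key that produces them, so "1qaz@WSX" reads as "1qaz2wsx".
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")


def keyboard_walk_fraction(pw: str) -> float:
    """Fraction of characters covered by runs of 3+ physically adjacent keys."""
    s = pw.lower().translate(UNSHIFT)
    covered, i = 0, 0
    while i < len(s):
        best = 0
        for line in KEY_LINES:
            n = min(len(line), len(s) - i)
            while n >= 3 and s[i:i + n] not in line:
                n -= 1
            if n >= 3:
                best = max(best, n)
        if best:
            covered += best
            i += best
        else:
            i += 1
    return covered / len(s) if s else 0.0


def charset_classes(pw: str) -> int:
    """Number of distinct character classes used (lower, upper, digit, other)."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def is_trivial(pw: str) -> bool:
    """Consecutive digits, a single repeated character, or a keyboard walk."""
    s = pw.lower()
    if len(set(s)) == 1:
        return True
    if s.isdigit() and all(abs(int(b) - int(a)) == 1 for a, b in zip(s, s[1:])):
        return True
    return keyboard_walk_fraction(pw) >= 0.75


def check_password(pw: str, banned=BANNED) -> list:
    """Registration-time check. Returns the list of rejection reasons (empty = accept)."""
    reasons = []
    if pw.lower() in banned:
        reasons.append("banned")
    if len(pw) <= 6:
        reasons.append("short")
    if charset_classes(pw) < 3:
        reasons.append("limited charset")
    if is_trivial(pw):
        reasons.append("trivial pattern")
    return reasons


def audit(dump: list) -> dict:
    """Re-derive the post's three headline ratios over a breached password list."""
    n = len(dump)
    return {
        "short": sum(len(p) <= 6 for p in dump) / n,
        "limited_charset": sum(charset_classes(p) < 3 for p in dump) / n,
        "trivial_or_dictionary": sum(p.lower() in BANNED or is_trivial(p) for p in dump) / n,
    }


def guesses_per_account(dump: list, top_n: int) -> tuple:
    """Online guessing with the top_n most popular passwords, in order, against every account.

    Returns (attempts per compromised account, fraction of accounts compromised). A miss
    costs the full top_n attempts. The popularity list is taken from the dump itself, which
    is what an attacker holding a previous leak would do.
    """
    ranked = [p for p, _ in Counter(dump).most_common(top_n)]
    rank = {p: i + 1 for i, p in enumerate(ranked)}
    attempts = sum(rank.get(p, top_n) for p in dump)
    hits = sum(p in rank for p in dump)
    return (attempts / hits if hits else float("inf")), hits / len(dump)


# Constructed 25-account dump for the demo (not RockYou data).
SAMPLE_DUMP = (["123456"] * 8 + ["password"] * 4 + ["qwerty"] * 3 + ["iloveyou"] * 2
               + ["rockyou"] * 2 + ["1qaz@WSX", "654321", "Tr0ub4dor&3", "Summer2009",
                                     "abc123", "michael1"])

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
    print(guesses_per_account(SAMPLE_DUMP, top_n=5))
    for pw in ("123456", "1qaz@WSX", "michael1", "Tr0ub4dor&3"):
        print(pw, check_password(pw) or "accepted")
```

Two things the run shows about an exact-match banned list: michael1 sails past it and is caught only by the character-mix rule, and the strong-looking 1qaz@WSX is rejected only because the walk detector unshifts @ back to 2 before looking for adjacent keys. The banned list is the cheap short-term fix the post describes; the pattern checks are what make it harder to game.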

For starters, the 32 million passwords were stored unencrypted, according to RockYou.com’s announcement. Even if they had been hashed, users were allowed to register with passwords so weak that anyone who gained access to the database could brute-force the hashes in a very short time.
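What this paragraph describes, plaintext storage versus hashing and the exposure that remains for weak passwords even when hashing is done properly, as an added Python example (not RockYou’s code): per-user salted PBKDF2 storage with constant-time verification, followed by an offline dictionary attack over the hashed table using the top passwords from this post. The user table and guess list are constructed for the demo, and ITERATIONS is deliberately low so the whole run takes about a second.

```python
import hashlib
import hmac
import os

# Deliberately low for the demo so the attack below finishes in about a second.
# Production work factors are far higher (and a memory-hard KDF is preferable); the
# point here is the per-user salt and the constant-time comparison, not this number.
ITERATIONS = 20_000


def store(password: str) -> dict:
    """Hash a password under a random 16-byte salt; this is what the database should hold."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def crack(records: dict, wordlist: list) -> tuple:
    """Offline dictionary attack against the hashed table.

    Salting means every (user, candidate) pair costs a fresh PBKDF2 run, so no shared
    precomputed table helps. Returns ({user: password}, total attempts).
    """
    cracked, attempts = {}, 0
    for user, rec in records.items():
        for candidate in wordlist:
            attempts += 1
            if verify(candidate, rec):
                cracked[user] = candidate
                break
    return cracked, attempts


# Constructed user table and guess list (not RockYou data; the top entries mirror the post).
USERS = {"alice": "123456", "bob": "123456", "carol": "password",
         "dave": "Tr0ub4dor&3", "erin": "qwerty"}
TOP_GUESSES = ["123456", "12345", "123456789", "password", "iloveyou", "princess",
               "rockyou", "1234567", "12345678", "abc123", "qwerty"]


def demo() -> tuple:
    """Store the constructed users, then attack the table. Returns (cracked, attempts, same_hash)."""
    records = {u: store(p) for u, p in USERS.items()}
    # Same password, different salt, different hash: the table does not reveal who shares one.
    same_hash = records["alice"]["hash"] == records["bob"]["hash"]
    cracked, attempts = crack(records, TOP_GUESSES)
    return cracked, attempts, same_hash


if __name__ == "__main__":
    cracked, attempts, same_hash = demo()
    print("alice and bob share a hash:", same_hash)
    print(f"cracked {cracked} in {attempts} PBKDF2 runs")
```

Two things the run shows: alice and bob share a password but not a hash, so a stolen table does not even reveal who reused what; and four of five accounts still fall in 28 PBKDF2 runs, because no hash protects a password the attacker guesses first. dave survives this particular list, which says nothing about a longer one.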

Consider going through the recommendations offered in the analysis, but keep in mind that a strong password is just as weak as a weak one if you are logging in from a malware-infected computer.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

Comments

RE: And the most popular password is...
psykolog13@... 26th Oct
asdfgh
Epic Fail
Cylon Centurion Updated - 21st Jan 2010
Admins need to better monitor passwords. Users who pick something like this need to be reprimanded or retrained.
That's Amazing!!!
JLHenry Updated - 21st Jan 2010
"I've got the same combination on my luggage!!!"

President Skroob - Spaceballs, The Movie

:)
LOL, classic! (NT)
Loverock Davidson 21st Jan 2010
that's !
Ceridan 25th Jan 2010
Exactly what I thought when I saw it...

and followed by Dark Helmet's first reply about this password:

"123456! that's a password idiots use to protect their luggage!".
I liked . . .
JLHenry 25th Jan 2010
the look they gave him when he said that about his luggage . . . :)
No.
AzuMao 21st Jan 2010
Problem 1)
Complete waste of resources; much better to let natural selection run its course.

Problem 2)
The passwords shouldn't be stored in plain text where the admin (or attackers) can view them. That is a horrible design flaw. They should be stored as salted hashes.
Totally agree
honeymonster 22nd Jan 2010
Passwords should NEVER be stored in a retrievable format. Should always be salted with something (persistent) from the user's account and something app specific.

Admins MUST NEVER be allowed to retrieve users' passwords.

Even draconian lameness filters will be circumvented. I bet those who came up with 654321 thought they were being really smart. A seemingly strong password like 1qaz@WSX may pass a lameness filter. But look at your keyboard and how those letters are arranged. Crackers know this.

The core of this problem is passwords themselves. We need a better two-factor system (something you know and something you have) and we need federated and anonymized access.
ssh (disable passwords) use keys
Use_More_OIL_NOW 24th Jan 2010
with a pass-phrase and be done with servers.

Change the port from 22 to another high level port number.

People go away once they find out you know how to secure systems.

Also, when you use secure email server software other than MS, you enforce strict passwords and force them to expire and not be re-used.

But how can anyone else use it if they don't know what port you're running it on? If all mail servers did this nobody would be able to use email.

Most businesses won't support the added confusion and there are downsides in addition to that as well; see some of the comments below.
Other than MS?
A.Sinic 26th Jan 2010
AD and Exchange have very good tools to enforce strict password selection. I know because users complain how hard it is to pick a password.
Make passwords simpler
voska1 25th Jan 2010
Best thing is allow simple passwords with an extremely short lockout time. So you could have a password of Cat and 3 attempts. Sure it's easy to crack if you have unlimited attempts, but if the account locks after you try 3 times the chances of you guessing Cat in the first 3 times is near impossible. Users with a password as simple as Cat wouldn't forget it, would be unlikely to mistype it and would not trigger the 3-attempt lockout. If you see accounts getting locked out all the time you have a sure-fire alert that something is going on that shouldn't be.

Tack on a token and fingerprint to this short password and it's even better.
Natural selection is for nature
bhartman36 26th Jan 2010
You can't let "natural selection" take its course when you're running a business. Yes, the users in question might be idiots, but guess whose neck is on the line if their accounts get hacked? Part of the reason that admins need to care about this is because if they don't have the proper password policies in place, they'll get blamed when their systems are hacked. (There's a certain amount of justice to this, since it is the admins' systems.)
That would be like..
AzuMao 26th Jan 2010
..blaming Ford if my car got stolen because they didn't force me to lock the door, or if I got into an accident because they didn't force me to obey the speed limit. Absolutely ridiculous.
Not a great analogy on your part.
bhartman36 27th Jan 2010
The question is, how good is the lock?

Remember: These people did lock the door, so to speak. It's not like they don't have passwords. What happens here is more akin to jimmying open a car door with a slim jim (lockout tool), or, more crudely, breaking the window to get to the lock. It's not reasonable to blame users if they're going by your password requirements. But it is reasonable to be blamed by users if the specs you set for passwords don't keep them secure. It'd certainly be nice if users knew more about security, but it's hardly reasonable to expect them to know more than the admins who set the password requirements.
My analogy was right..
AzuMao 28th Jan 2010
..yours is the one that is messed up! The car makers are responsible for how strong the lock is. Lock strength would be equivalent to how hard it is for someone to hack into your account (not trick you into letting them have it).

Choosing a retarded password that anyone can guess is the same as not locking it at all, or locking it with a key that everybody has. Not the maker's fault.
You're ignoring one critical aspect.
bhartman36 30th Jan 2010
Choosing a retarded password that anyone can guess is the same as not locking it at all, or locking it with a key that everybody has. Not the maker's fault.

It's the maker's fault if they can limit what kind of keys the user can use.

If you're capable of preventing a user from using a "retarded password", and you don't prevent them from using it, then that's mostly on you, because you, as the admin, should've known better. To most end users, a "brute force attack" is getting mugged, not something to do with computers.
Which is the same as saying that..
AzuMao 30th Jan 2010
..Ford or Toyota could have limited (read: removed) the user's ability to disobey the speed limit, or start the car without a seatbelt on, or leave their car without locking it, in order to prevent accidents/injuries/thefts, and that they are responsible for these problems since they didn't prevent them.
Not quite.
bhartman36 1st Feb 2010
Ford or Toyota could have limited (read: removed) the user's ability to disobey the speed limit, or start the car without a seatbelt on, or leave their car without locking it, in order to prevent accidents/injuries/thefts, and that they are responsible for these problems since they didn't prevent them.

Again, your analogy doesn't accurately reflect what's going on. If the users kept their passwords to the default one that was on it when it was set up, then it would be analogous to not wearing their seat belts, or not locking their cars, etc. These people chose passwords. They just chose crappy ones, because as end users, they didn't know any better, and no one set decent guidelines. You're basically confusing recklessness (which it would be if they should've known better) with plain old ignorance.

If you don't give people guidelines for what their passwords should be like, they'll pick bad ones, because they aren't security savvy. It's not their job to be. It's the admin's job to safeguard the server.

And what's worse is that it's a total abdication of the admin's responsibility to the other users, whose security could be compromised by the breach.

Huh?

To register, you must choose an account name, password, and email. There is no "default" one to leave it on. You choose a username that you will be known by, and a password that can be used to prove that username is yours. Obviously if you give that password to someone else, or make it easy for someone else to obtain it, they will be able to use that username. This isn't a problem with the current system. It isn't a problem at all. It is simply the design.

There is no "guideline" to give. The password provides access to the account; so if you give it away or make it easy to guess, then it is directly inferred that other people will have access to your account. What more is there for an admin to say on the matter?

Obviously the user isn't trying to let strangers use their account, just like someone driving over the speed limit isn't trying to kill people, someone in such a hurry (say, getting someone who is having a stroke to the hospital) that they don't bother buckling up/putting on a seatbelt/helmet isn't trying to kill themselves, someone who leaves their car unlocked isn't trying to let strangers use it, etc. But just because the users don't intend it, doesn't make it any less their responsibility.
It isn't just users...
wright_is 26th Jan 2010
I had one client, they had used an external support company to run their systems. The first thing the external company did was reset the passwords for ALL accounts to 123456!

The users weren't happy, when they got in the next day and couldn't log in, because their passwords had all been changed!
What kind of retard...
bendib 21st Jan 2010
uses the password "password"??? Oh, wait a second, looks like a large percentage.
password protection
klogan7717 22nd Jan 2010
Wouldn't need to worry about such things if low life hackers would get a real job and leave other peoples business alone.
Whine, whine, whine
tikigawd 22nd Jan 2010
Yeah, in a perfect world bad things wouldn't happen. Now get over it and keep yourself as safe as possible.

..by entering a name and password, "hacking"?
Dictionary Attack
voska1 25th Jan 2010
It is hacking when you are cycling through a couple thousand passwords hoping to hit the right one.

Simple fix though: lock out the account for 10 minutes after 3 attempts. That dictionary attack will suddenly take a very long time unless you have the top passwords as shown on this site.
Does it make me a nerdy little hacker?

What if I try the first two most popular? Three? Four? Where and why does it suddenly become "hacking"?
RE: What If......
swattz101 26th Jan 2010
As far as I am concerned, you are "hacking" at the point where you are trying to access a system that you haven't been given access to.
..do I not have access?

If I know these because the owner of the account told them to me or made them trivial to discover, have I not been given access?
Exactly...
thebeans 28th Jan 2010
I mean if you give someone your key so they can feed your cats while you are away, you have given them access to your house. But that does not mean I can come to your house and get the spare key from under that rock beside your back door and go on in and look around and not be guilty of breaking and entering just because you didn't hide your key well enough. If you try to get into someone's account without their permission, you are hacking. Period.
Want to really laugh?
Rick_K 22nd Jan 2010
At one time I used as a password. At another time I simply used . I even told someone my password, and they still could not figure out how to make it work. So I do understand how people could use simple stuff like . Simple minds do simple things.
MS professionals
GrimmReaperSound 27th Jan 2010
During certified MS courses, the default examples used are:
User:Administrator
PW: password
It seems that some MSPs are lazy enough to actually use this particular combo in a production system. Go figure.
Depends what your protecting
No_Ax_to_Grind 22nd Jan 2010
I visit a forum for say, boating. They require a user name and password. I could not care less if someone "hacks" the password to the forum so no need of tough password. I usually use "password" itself, easy to remember.
What you're protecting
boomchuck1 22nd Jan 2010
Problem with a weak password someplace is that many folks use the same password in multiple places. Figure out one and you've got them all.
Naw, like I said, I don't care
No_Ax_to_Grind 24th Jan 2010
I don't care if someone hacks a weak password when I do not care about the content. For something I do care about a better password is used.
Depends ...
eric_s@... 22nd Jan 2010
Then when the attack comes from "your" account that the hacker compromised, how will your lawyer mount a defense?
Some jurisdictions, he can't....
Jeff Dickey 23rd Jan 2010
Friend of mine just got bit by such a case. Judge ruled that because he failed to exercise due care in securing his account, he was enabling public access to same, and accepting responsibility for same. In other words, what the bank's TOS specify. (Interesting coincidence to earlier post: his pw was '1qazPL' - which he used for numerous other passwords as well.)
I could not care less to be honest.
No_Ax_to_Grind 24th Jan 2010
Not my IP address, it's not me. Shrug...

Again, these are "accounts" that I don't care at all what happens with them. So many websites require users to "sign up" for no reason other than stroking their own ego; it's plain silly. (Maybe it helps sell ads???)

I would bet that if you could see a list of their "registered users" 90% used a dead end Yahoo, MSN, Gmail account, a fake name, and a simple password because they don't care about it either.
True enough
A.Sinic 26th Jan 2010
If a low-value website enforces a strict password policy, they risk having people never come back to them as it's too easy to forget the code.

Also, don't forget that a strong password is equally bad if you use it on a good site AND on a bad one.

Better to use something like RoboForm and let it generate a new strong password for every site.
stupid
s_souche 22nd Jan 2010
qwerty is not a weaker password than hY5fz2 as far as a password cracker is concerned. It is only for dictionary-based password cracking, which is dumb, and for humans trying to guess others' passwords...
re: stupid
AAkutagawa Updated - 22nd Jan 2010
I would argue that a password cracker that only employs dictionary-based cracking does not fall under the category of brute-force security exploits; it's merely an automated attempted-login system.

Andrea Akutagawa
http://liberate.it/
'password' only number 4?
Palmetto_CharlieSpencer 22nd Jan 2010
Man, that was my pick for first place.

Remember kids, if you're hacking a grandmother's accounts, always start with the grandkids' names.

...the ability to use strong passwords. Often times non-alphanumeric characters are prohibited and the lengths are limited.

Two-factor authentication is the way to go. But I understand it's not possible for everything.
you said it
kenw@... 22nd Jan 2010
All too often it's the financial institutions who have the weakest restrictions. I've got a couple of accounts that don't allow anything but alphanumeric characters - and they think it's a "tough" password when it includes at least one number...

...I wrote what I did. At least with E-Trade I am able to use a SecurID token to protect my money. Not so much for my health insurer.
The irony is..
AzuMao 22nd Jan 2010
..those are the ones that should be required by law to provide good security. Go figure.
RE: And the most popular password is...
stephen.lovelock@... 22nd Jan 2010
Tighten up the required password input so that only a resistant mix of components can be used. With clear guidance upfront - not suck it and see....