And the most popular password is...
Summary: Analysis of 32 million passwords from last month's RockYou.com server breach shows that millions of people continue to use weak passwords.
It is "123456," according to an analysis of 32 million passwords obtained from last month's RockYou.com server breach, which allowed researchers from Imperva to study the insecure practices of millions of users when choosing their passwords.
What did their analysis conclude? Short passwords, no mix of lowercase, uppercase and numeric characters, and trivial dictionary words, which any decent brute-forcing or password recovery application can find in a matter of minutes.
Key findings include:
- In just 110 attempts, a hacker will typically gain access to one new account every second, or a mere 17 minutes to break into 1000 accounts
- About 30% of users chose passwords that are six characters or fewer
- Moreover, almost 60% of users chose their passwords from a limited set of alphanumeric characters
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among RockYou.com account owners is “123456”
The rest of the passwords rated by popularity:
It's important to point out that the same password “123456” also topped a similar chart based on a statistical analysis of 10,000 Hotmail passwords published in October 2009.
What actions on behalf of RockYou could have prevented this systematic practice of allowing end users to register with weak passwords?
Enforcing the use of stronger passwords as a long-term strategy, or borrowing short-term tricks from Twitter, such as its "banned passwords" list of 370 passwords that cannot be used during registration. “123456” is at the top of that list.
For starters, the 32 million passwords were stored in an unencrypted format, according to RockYou.com's announcement, and even if they weren't, the fact that users were allowed to register with such weak passwords makes it possible for someone to brute force them in a very short period of time once they gain access to the database.
Consider going through the recommendations offered in the analysis, but keep in mind that strong passwords are just as weak as weak passwords if you're logging in from a malware-infected computer.
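As an added illustration of the two fixes the article points to (rejecting weak passwords at registration, and never storing passwords in a retrievable format), the following Python is example code written for this page, not RockYou's or Imperva's. The banned list, the minimum length of seven, and the choice of PBKDF2-HMAC-SHA256 as the salted hash are assumptions; the page only states that Twitter's list has 370 entries topped by "123456".

```python
import hashlib
import hmac
import os
import string

# Constructed sample of a banned list: the page names only "123456" as the
# top entry of Twitter's 370-entry list, so the rest are illustrative.
BANNED = {"123456", "12345", "123456789", "password", "iloveyou", "654321", "qwerty"}
MIN_LENGTH = 7  # the analysis flags passwords of six characters or fewer
# Keyboard rows, used to catch the "adjacent keyboard keys" pattern the analysis mentions.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def rejection_reason(pw):
    """Return why a candidate password fails registration, or None if it passes."""
    low = pw.lower()
    if low in BANNED:
        return "banned"
    if len(pw) < MIN_LENGTH:
        return "too short"
    # Count how many of lowercase / uppercase / digit classes are present.
    classes = sum(
        1 for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits)
        if any(c in cls for c in pw)
    )
    if classes < 2:
        return "single character class"
    # Consecutive digits or a run of adjacent keys on one keyboard row.
    for row in KEYBOARD_ROWS:
        if low in row or low in row[::-1]:
            return "keyboard sequence"
    return None


def store_password(pw):
    """Return (salt, digest); only these are kept, never the password itself."""
    salt = os.urandom(16)  # per-user random salt, stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(pw, salt, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

Note that a filter like this still passes keyboard patterns it does not model (a later comment in the thread gives 1qaz@WSX as an example), which is why the hash at rest matters even when a policy is in place.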

Talkback
Epic Fail
That's Amazing!!!
President Skroob - <i>Spaceballs, The Movie</i>
:)
LOL, classic! (NT)
that's !
and followed by Dark Helmet's first reply about this password:
"123456! That's a password idiots use to protect their luggage!"
I liked . . .
RE: And the most popular password is...
RE: And the most popular password is...
No.
Complete waste of resources; much better to let natural selection run its course.
Problem 2)
The passwords shouldn't be being stored in plain text where the admin (or attackers) can view them. That is a horrible design flaw. They should be stored as salted hashes.
Totally agree
retrievable format. Should always be salted with something (persistent) from the user's account and something app specific. Admins MUST NEVER be allowed to retrieve users' passwords.
Even draconian lameness filters will be circumvented. I bet those who came up with 654321 thought they were being really smart. A seemingly strong password like 1qaz@WSX may pass a lameness filter. But look at your keyboard and how those letters are arranged. Crackers know this.
The core of this problem is passwords themselves. We need a better two-factor system (something you know and something you have) and we need federated and anonymized access.
ssh (disable passwords) use keys
Change the port from 22 to another high level port number.
People go away once they find out you know how to secure systems.
Also, when you use secure email server software other than MS, you enforce strict passwords and force them to expire and not be re-used.
If you run your own mail server, and do so only for your own use, sure.
be able to use email.
It might work at LANL, but not most places.
Other than MS?
Make passwords simpler
Take on a token, and finger print to this short password and it's even better.
Natural selection is for [i]nature[/i]
That would be like..
didn't force me to lock the door, or if I got into an accident because they didn't force me to obey the speed limit. Absolutely ridiculous.
Not a great analogy on your part.
Remember: These people [i]did[/i] lock the door, so to speak. It's not like they don't have passwords. What happens here is more akin to jimmying open a car door with a slim jim (lockout tool), or, more crudely, breaking the window to get to the lock. It's not reasonable to blame users if they're going by your password requirements. But it [i]is[/i] reasonable to be blamed by users if the specs you set for passwords don't keep them secure. It'd certainly be [i]nice[/i] if users knew more about security, but it's hardly reasonable to expect them to know more than the admins who set the password requirements.
My analogy was right..
makers are responsible for how strong the lock is. Lock strength would be equivalent to how hard it is for someone to hack into your account (not trick you into letting them have it). Choosing a retarded password that anyone can guess is the same as not locking it at all, or locking it with a key that everybody has. Not the maker's fault.
You're ignoring one critical aspect.
guess is the same as not locking it at all, or locking it with a key that everybody has. Not the maker's fault.[/i]
It's the maker's fault if they can [i]limit[/i] what kind of keys the user can use.
If you're capable of preventing a user from using a "retarded password", and you [i]don't[/i] prevent them from using it, then that's mostly on you, because you, as the admin, should've [i]known[/i] better. To most end users, a "brute force attack" is getting mugged, not something to do with computers.
Which is the same as saying that..
removed) the users ability to disobey the speed limit, or start the car without a seatbelt on, or leave their car without locking it, in order to prevent accidents/injuries/thefts, and that they are responsible for these problems since they didn't prevent them.