Imperva's Application Defense Center (ADC) recently published its analysis of last month's incident at the social application site Rockyou.com, in which the full details of more than 32 million user accounts were exposed in plain text. The attack was a face-palmingly trivial SQL injection, and the exposed account data, all of it stored in the clear, included user credentials, i.e. usernames and passwords, for social networks and other partner sites such as MySpace, and for webmail accounts. Nik Cubrilovic wrote about it at the time in a TechCrunch article that called the RockYou platform "a Swiss cheese of security vulnerabilities and poor practices" and went on to enumerate the whys; it's a great exposé of its kind.
Anyway, back to this month and the Imperva study, which analysed the full set of exposed passwords, 32 million and change. Previous studies of password habits have been confined to surveys; this is the first time such a large set of real-world passwords has been available for analysis. Some of the main findings:
- 30% are 6 characters or fewer;
- 50% are names, slang words, dictionary words or otherwise trivial;
- 60% use a limited set of alphanumeric characters.
So here's the latest top-ten of the hottest passwords, as used on the Rockyou.com site:
- 123456
- 12345
- 123456789
- Password
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
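To make the three findings concrete, here is an added example (my own script, not Imperva's tooling or anything from the report) that audits a password corpus for the same three weakness classes and also does the check a registration form should be doing: a case-insensitive match against the published top-ten list. The word list and the sample corpus are constructed for illustration, and the reading of "limited set of alphanumerics" as "a single character class, all lowercase letters or all digits" is my assumption about what the report measured.

```python
"""Password-corpus audit in the style of the Imperva RockYou analysis.

Added example, not code from the original post or from Imperva. It applies
the three findings quoted above (6 characters or fewer; trivial word; limited
alphanumeric set) to a corpus and reports the percentage hitting each one.
"""
from collections import Counter
import string

# The top ten as published for the RockYou corpus.
ROCKYOU_TOP10 = [
    "123456", "12345", "123456789", "Password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
]

# Constructed stand-in for a names/slang/dictionary list. Assumption: a real
# audit would load a large wordlist (or the cracked corpus itself) instead.
TRIVIAL_WORDS = {
    "password", "iloveyou", "princess", "rockyou", "monkey", "dragon",
    "sunshine", "michael", "jessica", "football", "abc123", "letmein", "qwerty",
}


def is_short(pw, max_len=6):
    """Finding 1: 6 characters or fewer."""
    return len(pw) <= max_len


def is_digit_run(pw):
    """Consecutive ascending digits such as 12345 or 123456789."""
    return len(pw) > 1 and pw.isdigit() and all(
        int(b) - int(a) == 1 for a, b in zip(pw, pw[1:]))


def is_trivial(pw):
    """Finding 2: name, slang or dictionary word, a digit run, a top-ten entry,
    or a word with trailing digits bolted on ("monkey1", "princess99")."""
    low = pw.lower()
    return (low in TRIVIAL_WORDS
            or pw in ROCKYOU_TOP10
            or is_digit_run(pw)
            or low.rstrip(string.digits) in TRIVIAL_WORDS)


def char_classes(pw):
    """Set of character classes present: lower, upper, digit, other."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def is_limited_alnum(pw):
    """Finding 3 as interpreted here (assumption): a single character class,
    i.e. all lowercase letters or all digits."""
    return char_classes(pw) in ({"lower"}, {"digit"})


def weaknesses(pw):
    """Every finding a given password triggers; empty list means none."""
    found = []
    if is_short(pw):
        found.append("short")
    if is_trivial(pw):
        found.append("trivial")
    if is_limited_alnum(pw):
        found.append("limited_charset")
    return found


def in_breach_top_list(pw, top=ROCKYOU_TOP10):
    """Blacklist check for a signup form: case-insensitive, so 'PASSWORD'
    is rejected along with 'Password'."""
    return pw.lower() in {p.lower() for p in top}


def audit(corpus):
    """Percentage of the corpus hitting each finding, and the most common
    entries (the breach's own 'top list')."""
    n = len(corpus)
    counts = Counter()
    for pw in corpus:
        counts.update(weaknesses(pw))
    pct = {k: round(100.0 * counts[k] / n, 1)
           for k in ("short", "trivial", "limited_charset")}
    return pct, Counter(corpus).most_common(3)


# Constructed sample corpus, not RockYou data; ten entries so percentages
# read directly.
SAMPLE_CORPUS = [
    "123456", "123456", "iloveyou", "princess", "Tr0ub4dor&3",
    "monkey1", "qwerty", "correct horse battery", "Xk9#mP2v!", "password",
]

if __name__ == "__main__":
    percentages, top = audit(SAMPLE_CORPUS)
    print(percentages, top)
    for candidate in ("PASSWORD", "Tr0ub4dor&3"):
        print(candidate, "blacklisted" if in_breach_top_list(candidate)
              else "not in top list", weaknesses(candidate))
```

On the sample corpus this reports 30% short, 70% trivial and 60% limited-charset, with "123456" as the most common entry; the point of `in_breach_top_list` is that a blacklist built from real breach data catches exactly the passwords a length-plus-capital policy waves through.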
The full report can be read here:
Hat tip to my colleague Chris, aka Scale This!, for pointing me at this study.
During a recent PASSWORD AUDIT at the Bank of Ireland it was found that Paddy O'Toole was using the following password:
MickeyMinniePlutoHueyLouieDeweyDonaldGoofyDublin
When Paddy was asked why he had such a long password, he replied:
'Bejazus! are yez feckin' stupid? Shore Oi was told me password had to be at least 8 characters long, and include one capital.'