Thursday, 21 January 2010

Your Password Sucks


Imperva's Application Defense Center (ADC) recently published its analysis of last month's incident at the social application site RockYou, in which full details of more than 32 million user accounts were exposed in plain text. The attack was a face-palmingly trivial SQL injection, and the exposed account data, all of it stored in the clear, included user credentials (names and passwords) for social networks and other partner sites such as MySpace, as well as for webmail accounts. Nik Cubrilovic wrote about it at the time in a TechCrunch article calling the RockYou platform "a Swiss cheese of security vulnerabilities and poor practices", and went on to enumerate the whys; it's a great exposé of its kind.

Anyway, back to this month and the Imperva study. It analysed the full set of exposed passwords, 32 million and change. Previous studies had been confined to surveys; this is the first time such a large set of real-world passwords has been available for analysis. Some of the main findings:
  • 30% use 6 characters or less;
  • 50% are names, slang words, dictionary words, or otherwise trivial;
  • 60% use a limited set of alphanumerics.
What is most striking about the analysis, though perhaps unsurprising, is that none of its findings or conclusions is in any way new. A look at one of those earlier studies, of Unix password security some twenty years ago, shows that little has changed in the intervening years when it comes to the strength of passwords and their susceptibility to brute-force attack. Ten years ago, hacked Hotmail passwords told the same story.

So here are the latest top ten most popular passwords, as used on the site:
  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123
Imperva's ADC uses NASA's password recommendations as a framework for analysing the exposed set, presenting the results as a couple of tasty pie charts, a table and a bar graph, before going on to make the familiar recommendations to users (strong passwords, a different one for every site, kept secret) and to administrators (enforce strong-password and password-change policies, use HTTPS for login, and so on). This weight of evidence strongly suggests that the way to a solution, if there is ever to be one, is in the hands of those administrators.
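The three headline statistics above and the top-ten table are what any analysis of a leaked password set boils down to: a length distribution, a character-class breakdown, a dictionary check and a frequency count. The following is that analysis as a worked example, added to this post; it is not code from the Imperva report or its tooling. It runs over a small constructed list of passwords (not the RockYou data), uses a constructed stand-in for the names/slang/dictionary wordlist, and adds a crude keyspace estimate (with assumed alphabet sizes) to show why short, digits-only passwords fall to brute force so quickly.

```python
from collections import Counter
import string

# Constructed sample, NOT the RockYou data: a small dump stored in the clear,
# skewed towards the same few passwords the report found at the top.
SAMPLE_DUMP = (
    ["123456"] * 12 + ["12345"] * 7 + ["123456789"] * 5 + ["Password"] * 4
    + ["iloveyou"] * 4 + ["princess"] * 3 + ["rockyou"] * 3 + ["abc123"] * 2
    + ["qwerty", "letmein", "monkey", "Tr0ub4dor&3", "correcthorse",
       "J7#kL!p2Qz", "summer2009", "dragon", "1234567", "12345678"]
)

# Constructed stand-in for the names/slang/dictionary list the report used.
WORDLIST = {"password", "iloveyou", "princess", "rockyou", "qwerty", "letmein",
            "monkey", "dragon", "summer", "correcthorse", "abc123"}

# Assumed alphabet size per character class, for the keyspace estimate below.
ALPHABET_SIZE = {"digits only": 10, "lowercase letters only": 26,
                 "other alphanumeric": 62, "includes symbols": 95}


def char_class(pw):
    """Bucket a password by the alphabet it actually draws on."""
    if pw.isdigit():
        return "digits only"
    if pw.isalpha() and pw.islower():
        return "lowercase letters only"
    if pw.isalnum():
        return "other alphanumeric"
    return "includes symbols"


def is_trivial(pw, wordlist=WORDLIST):
    """Dictionary word, word plus digit suffix (summer2009), or a run of 1234..."""
    lower = pw.lower()
    if lower in wordlist or lower.rstrip(string.digits) in wordlist:
        return True
    sequence = "1234567890123"          # catches 12345 ... 1234567890
    return lower.isdigit() and lower in sequence


def exhaustive_guesses(pw):
    """Upper bound on guesses needed to exhaust the password's own alphabet
    at its own length: 10**6 for '123456', 95**10 for 'J7#kL!p2Qz'."""
    return ALPHABET_SIZE[char_class(pw)] ** len(pw)


def analyse(dump, top_n=10):
    """Reproduce the shape of the report's headline figures for any dump."""
    n = len(dump)
    counts = Counter(dump)
    top = counts.most_common(top_n)
    return {
        "total": n,
        "pct_len_le_6": round(100 * sum(len(pw) <= 6 for pw in dump) / n, 1),
        "pct_trivial": round(100 * sum(is_trivial(pw) for pw in dump) / n, 1),
        "char_classes": dict(Counter(char_class(pw) for pw in dump)),
        "top": top,
        # Share of accounts an attacker opens with just the top_n guesses each,
        # online, with no hash cracking at all.
        "pct_covered_by_top": round(100 * sum(c for _, c in top) / n, 1),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_DUMP)
    for key, value in result.items():
        if key != "top":
            print(f"{key}: {value}")
    print("rank  count  password    exhaustive guesses")
    for rank, (pw, count) in enumerate(result["top"], 1):
        print(f"{rank:>4}  {count:>5}  {pw:<10}  {exhaustive_guesses(pw):.2e}")
```

The last figure, the share of accounts opened by the top ten passwords alone, is the one an administrator should worry about: it needs no hash cracking, just ten guesses per account, and a blacklist of the most common few thousand passwords (which this kind of frequency count produces as a by-product) removes most of it. The keyspace column makes the other point: a six-digit password has a million possibilities, which any offline attack exhausts instantly.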

The full report can be read here:

Hat tip to my colleague Chris, aka Scale This!, for pointing me at this study.

1 comment:

  1. During a recent PASSWORD AUDIT at the Bank of Ireland it was found that Paddy O'Toole was using the following password:


    When Paddy was asked why he had such a long password, he replied:

    'Bejazus! are yez feckin' stupid? Shore Oi was told me password had to be at least 8 characters long, and include one capital.'