Predictable passwords a security threat

January 21, 2010

What’s being billed as the biggest ever analysis of passwords has revealed that a lack of imagination comes at a price. It shows that many people use the weakest possible passwords across multiple sites.

When the social media site RockYou was hacked last month, it was bad news for the site when it emerged that it had stored passwords in unencrypted form in a database that turned out to be less secure than hoped. For security research firm Imperva, however, the incident had its benefits, giving it a list of 32 million passwords to analyze and identify trends.

The firm put together a list of the most common passwords and, as you might have guessed, the three most popular were strings of numbers (123456, 12345 and 123456789). Fourth place went to the ever reliable “password”, fifth was the less predictable “princess” and sixth was “rockyou”, which would certainly give you a decent shot at guessing those users’ passwords on other websites.

It seems human nature doesn’t change much: Imperva notes that a similar study of Hotmail passwords 10 years ago, and even a 1990 list of Unix passwords, show the same trends.

The problem isn’t just that so many people go for the very most predictable passwords, however. Around 30 per cent of users on the list had chosen a password of six characters or fewer, which is something of a breeze for a computer simply guessing at random. (Remember that each additional character makes a password not twice as secure, but around 36 times as secure.)

And almost half of people had a password which was either a name, a single word, or a string of consecutive keys on a keyboard (“qwerty” for example). These are all much easier to crack than a “random” password as the hacker’s machine can simply scan through a list of possible matches rather than try every possible combination.

Imperva cites NASA recommendations that passwords should be at least eight characters long and contain all four character types (upper case letter, lower case letter, number and special character such as *). It found just 0.2 per cent of RockYou users met both of these guidelines.

Of course, there is another way round the dumbness of human nature: websites could — and should — insist on lengthier and less predictable passwords.
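The checks described above (short passwords, digit strings, keyboard walks, single words, and the eight-character, four-class guideline) are easy to turn into a policy check that a site could run at sign-up or an administrator could run over a password list as an audit. The script below is an added example written for this article, not Imperva’s analysis or any code from the RockYou site; the sample list is constructed from the entries quoted above plus two made-up strings, and the four-class rule and the keyboard-row and search-space figures are assumptions made for illustration.

```python
import string

# Constructed sample list: the most common entries named in the article plus
# two made-up strings, so the audit has something to classify. Not real data.
SAMPLE_PASSWORDS = [
    "123456", "12345", "123456789", "password", "princess", "rockyou",
    "qwerty", "abcdef", "Gr33n*Tea!",
]

# Assumed US keyboard rows used to spot runs of consecutive keys like "qwerty".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Size of each character class, used to estimate the alphabet a blind search
# must cover. string.punctuation has 32 characters.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": len(string.punctuation)}


def character_classes(pw: str) -> set:
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def is_keyboard_walk(pw: str) -> bool:
    """True if pw is a run of adjacent keys on one keyboard row, in either direction."""
    p = pw.lower()
    if len(p) < 3:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def classify(pw: str) -> str:
    """Label the predictable shapes the article singles out; anything else is 'mixed'."""
    if pw.isdigit():
        return "digits only"
    if is_keyboard_walk(pw):
        return "keyboard walk"
    if pw.isalpha() and pw == pw.lower():
        return "single lowercase word"
    return "mixed"


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """The guideline quoted in the article: at least min_len characters and all four classes."""
    return len(pw) >= min_len and len(character_classes(pw)) == 4


def alphabet_size(pw: str) -> int:
    """Alphabet a blind search must cover, given the classes the password actually uses.
    Lower case plus digits gives 36, which is the per-character factor the article quotes."""
    return sum(CLASS_SIZES[c] for c in character_classes(pw))


def search_space(pw: str) -> int:
    """Candidates a blind search must try: alphabet_size ** length."""
    return alphabet_size(pw) ** len(pw)


def audit(passwords) -> dict:
    """Summarise a password list the way the article summarises the RockYou dump."""
    n = len(passwords)
    short = sum(1 for p in passwords if len(p) <= 6)
    predictable = sum(1 for p in passwords if classify(p) != "mixed")
    compliant = sum(1 for p in passwords if meets_policy(p))
    return {
        "total": n,
        "short": short,
        "predictable": predictable,
        "compliant": compliant,
        "short_pct": round(100 * short / n, 1),
        "predictable_pct": round(100 * predictable / n, 1),
        "compliant_pct": round(100 * compliant / n, 1),
    }


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:12} {classify(pw):22} policy={meets_policy(pw)} "
              f"alphabet={alphabet_size(pw)} space={search_space(pw):.2e}")
    print(audit(SAMPLE_PASSWORDS))
```

On the constructed list, four of the nine entries are six characters or fewer, eight fall into one of the predictable shapes, and only the made-up “Gr33n*Tea!” meets the eight-character, four-class rule. Adding one character to a lower-case-plus-digit password multiplies its search space by 36, which is the figure the article gives; for a digits-only string it is only 10.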

Copyright © 2012 Blorge.com NS