Security report: Web users pick passwords that are way too easy to hack
According to a report on Consumer Password Best Practices culled from an analysis of 32 million passwords exposed in the recent Rockyou.com Web security breach, the three most commonly used passwords among users of the Rockyou social networking site turned out to be 123456, 12345, and 123456789.
Also making it into the top ten, in this order, were the following: Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123.
During the Rockyou breach last month, a hacker exploited a SQL Injection vulnerability to expose 32 million passwords -- which had been stored in clear text in Rockyou's database -- and then posted the passwords, without any other identifying information, on the Web.
In analyzing the results for a report issued today, researchers at the Imperva Application Defense Center (ADC) discovered that even now, people are still relying on the same kinds of "weak" passwords detected in earlier studies of Unix passwords 20 years ago, and Hotmail passwords a decade ago.
About 30% of Rockyou users chose passwords with five or fewer characters, and almost 50% opted for "names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on)," according to key findings of Imperva's report.
"Furthermore, studies show that about one-half of the users use the same (or very similar) password to all Web sites that require logging in."
What sorts of passwords should people put together instead? Imperva points to standards from NASA calling for "strong" passwords containing seven or more characters, and also made up of a mix of four different kinds of characters: upper case letters, lower case letters, numbers, and "special characters such as !@#$%^&*,;" and the like.
About 40% of the Rockyou users chose only lower-case letters for their passwords, 16% used only digits, and less than 4% used "special characters."
Also, your password should not be a name, a slang word, or any word in the dictionary, and it shouldn't include any part of your name or your e-mail address, the researchers note.
"If a hacker would have used the list of the top 5,000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users' passwords or a rate of one success per 111 attempts," according to Imperva.
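The rules above (seven or more characters, all four character classes, no dictionary word, nothing taken from the user's name or e-mail address) are easy to turn into a server-side check. The following is an added example, not code from Imperva's report or from Rockyou; the wordlist is a constructed stand-in using only the ten passwords the article names, where a real deployment would load something like the top-5,000 list, and the keyboard rows assume a US QWERTY layout.

```python
import re

# Constructed stand-in for a real wordlist such as the top-5,000 list the
# report refers to; these ten are the report's own most common passwords.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Rows used to spot "adjacent keyboard keys" passwords (assumed layout: US QWERTY).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

REQUIRED_CLASSES = {"upper", "lower", "digit", "special"}


def character_classes(password: str) -> set:
    """Return which of the four classes (upper, lower, digit, special) occur in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isalnum():
            classes.add("special")
    return classes


def is_sequential(password: str) -> bool:
    """True for runs of consecutive characters such as 123456 or abcdef, in either direction."""
    if len(password) < 3:
        return False
    codes = [ord(c) for c in password]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_walk(password: str) -> bool:
    """True if the whole password is a stretch of one keyboard row, forwards or backwards."""
    p = password.lower()
    if len(p) < 3:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str, full_name: str = "", email: str = "",
                   dictionary: set = COMMON_PASSWORDS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    lowered = password.lower()
    if lowered in dictionary:
        problems.append("appears in the common-password dictionary")
    if is_sequential(password) or is_keyboard_walk(password):
        problems.append("trivial sequence or keyboard walk")
    # Reject any recognisable piece of the user's name or of the e-mail local part.
    tokens = [t.lower() for t in full_name.split()]
    local_part = email.split("@")[0].lower() if email else ""
    tokens += [t for t in re.split(r"[._\-+]", local_part) if t]
    for token in tokens:
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains part of name or e-mail address ({token})")
            break
    return problems
```

Calling `check_password("123456")` reports every rule at once, which is what a sign-up form should show the user; `check_password("Lp!went2M", "John Smith", "john.smith@example.com")` (a constructed sentence-style password) returns an empty list. The dictionary lookup is done on the lowercased password so that "Password" is caught as well as "password".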
In recommending the use of strong passwords, Imperva gives a tip from security expert and cryptographer Bruce Schneier: "Take a sentence and turn it into a password. Something like 'This little piggy went to market' might become
But what if you don't want to deal with assigning different passwords to the various Web sites you visit? Borrowing another bit of advice from Schneier, Imperva recommends jotting something down on a piece of paper to help you recall them all. "But just write the sentence -- or better yet -- a hint that will help you remember your sentence," Schneier is quoted as saying.
Imperva's report also supplies numbers 11 through 20 in the list of the most common passwords in the hacked Rockyou database, although without giving much explanation for most of them.
Here are the other passwords in Rockyou's top 20:
For their part, Web site administrators should force users to choose strong passwords, as well as to change their passwords "either by time or when suspicion for a compromise arises," according to the study.
Administrators should also make sure passwords are not either transmitted or kept in a database in clear text. Admins should encourage the use of "passphrases" -- such as sentences -- rather than passwords, and they should "employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials," Imperva advises.
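The two server-side points in that advice, never keeping passwords in clear text and detecting brute force against login credentials, can be shown together. The following is an added example, not code from Imperva or Rockyou: it stores each password as a salted PBKDF2-SHA256 record (iteration count and salt size are assumed values to be tuned per deployment), and a small per-account guard locks an account after a burst of failed attempts. The scenario in `demo()` is constructed, using three guesses from the article's top ten against one account.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Assumed work factor and salt size; tune the iteration count to the hardware you run on.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash' (hex fields).
    A fresh random salt per user means the many users who picked 123456 still get
    different records, so cracking one record gives away one account, not all of them."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Record for a throw-away random password, checked against when a username does not
# exist, so a login attempt for an unknown account costs the same time as a real one.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


class LoginGuard:
    """Per-account failure counter: after max_failures failed logins inside `window`
    seconds the account is refused for `lockout` seconds, right password or not."""

    def __init__(self, records: dict, max_failures: int = 5, window: float = 300,
                 lockout: float = 900, clock=time.monotonic):
        self.records = records                 # username -> stored record string
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                     # injectable so tests need not sleep
        self.failures = defaultdict(deque)     # username -> timestamps of recent failures
        self.locked_until = {}

    def attempt(self, username: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.records.get(username, DUMMY_RECORD)
        ok = verify_password(password, record) and username in self.records
        if ok:
            self.failures.pop(username, None)
            return "ok"
        recent = self.failures[username]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[username] = now + self.lockout
            recent.clear()
            return "locked"
        return "denied"


class FakeClock:
    """Deterministic clock so the lockout window can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo() -> list:
    """Constructed scenario: three guesses from the report's top ten, then the real passphrase."""
    clock = FakeClock()
    records = {"alice": hash_password("This little piggy went to market")}
    guard = LoginGuard(records, max_failures=3, window=60, lockout=300, clock=clock)
    outcomes = []
    for guess in ["123456", "password", "iloveyou"]:
        outcomes.append(guard.attempt("alice", guess))
        clock.now += 1
    # The correct passphrase is still refused while the lockout is active ...
    outcomes.append(guard.attempt("alice", "This little piggy went to market"))
    clock.now += 400
    # ... and accepted once it has expired.
    outcomes.append(guard.attempt("alice", "This little piggy went to market"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `["denied", "denied", "locked", "locked", "ok"]`: the third failure inside the window trips the lock, the right passphrase is refused during the lockout, and login succeeds after it expires. A lockout alone can be turned against legitimate users, so in practice it is paired with per-source rate limits and alerting on the failure volume rather than used on its own.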