Help Desk

  Hack Reveals 20 Worst Passwords

HelpDesk
« on: January 31, 2010, 09:44:22 AM »

In December, RockYou.com was hacked, and a list of usernames and passwords was exposed to the Web, in plain text. A month later, security analysis firm Imperva has analyzed the most common passwords, and the results are depressing, to say the least.

By far, the most popular password on the site was "123456," apparently satisfying a minimum character limit on the site's password restrictions, but doing little for security. A full 290,731 users used this password, far more than the runner-up, the slightly less complex "12345," which attracted 79,078 uses.

For years, security experts have been arguing that users need to use more complex passwords, especially as the computing power and algorithms behind brute-force password crackers become ever more sophisticated. But 30 percent of the RockYou users picked a password less than six characters in length, and 40 percent used only lowercase letters.

"Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second," Imperva wrote in a report released on Thursday. "At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts."

Of the list of compromised passwords, the usual suspects surfaced: "Password"; the site's name, or "rockyou"; "abc123"; and first names, such as "Ashley" and "Daniel". Imperva published a list of the most popular passwords, all of which are extremely weak from a security sense.

The very first tip that Imperva and other security experts, such as Bruce Schneier, recommend for strong passwords is that users avoid using letter and number combinations that appear in the dictionary. The best solution, they say, is to come up with a password that incorporates both uppercase and lowercase characters, numbers, and special characters, such as "$" or "%".

But in the list of RockYou passwords, "the ADC analysis showed that almost 60% of users chose their passwords from within a limited set of characters," Imperva found. "About 40% of the users use only lowercase characters for their passwords and about another 16% use only digits. Less than 4% of the users use special characters."

The problem is that the habit is hard to break. "In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords," Imperva added. "Just ten years ago, hacked Hotmail passwords showed little change. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data."

by Mark Hachman, PC Magazine
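The character-set breakdown and weak-password patterns described in the article can be checked on a site's own signup flow. The following is an added example, not code from the article or from Imperva: the function names, the six-character minimum, the tiny blocklist (only the passwords named above) and the sample list are assumptions made for illustration.

```python
import string
from collections import Counter

# Passwords named in the article above; a real deployment would load a much
# larger breached-password list (assumption).
COMMON = {"123456", "12345", "password", "rockyou", "abc123", "ashley", "daniel"}

def char_class(pw):
    """Label a password by the character set it draws from."""
    if not pw:
        return "empty"
    if pw.isdigit() and pw.isascii():
        return "digits-only"
    if all(c in string.ascii_lowercase for c in pw):
        return "lowercase-only"
    if any(not c.isalnum() for c in pw):
        return "has-special"
    return "mixed-alnum"

def audit(passwords, min_len=6):
    """Return the share of passwords in each class, plus the share that are too short."""
    n = len(passwords)
    classes = Counter(char_class(p) for p in passwords)
    report = {k: v / n for k, v in classes.items()}
    report["shorter-than-min"] = sum(len(p) < min_len for p in passwords) / n
    return report

def reject_reasons(pw, site_name="", min_len=6):
    """Reasons a signup form should refuse this password (empty list = accept)."""
    reasons = []
    low = pw.lower()
    if len(pw) < min_len:  # min_len is an assumed policy value
        reasons.append("too short")
    if low in COMMON:
        reasons.append("common password")
    if site_name and site_name.lower() in low:
        reasons.append("contains site name")
    if char_class(pw) in ("digits-only", "lowercase-only"):
        reasons.append("single character class")
    return reasons

# Constructed sample, not data from the breach.
SAMPLE = ["123456", "12345", "Password", "rockyou", "abc123", "ashley",
          "Daniel", "tr0ub4dor&3", "99887766", "qwert"]

if __name__ == "__main__":
    for k, v in sorted(audit(SAMPLE).items()):
        print(f"{k:18s} {v:.0%}")
    for pw in SAMPLE:
        print(pw, reject_reasons(pw, site_name="rockyou"))
```

An empty result from `reject_reasons` only means none of these four checks fired; it is not a strength guarantee.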