Security firm Imperva of Redwood Shores, Calif., found a unique way to gage the quality of the passwords that Web users select: they analyzed the 32 million passwords in the unencrypted file of passwords that miscreants stole from the servers of RockYou.com in December and posted on the Internet.
RockYou creates and distributes entertainment widgets that work with social networking networks.
What they found wasn’t good, according to their report.
— About 30% of users chose passwords whose length is equal or below six characters.
— Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
— Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
The most common password among Rockyou.com account owners is “123456”.
They also found that things hadn’t improved much in 20 years.
“In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords. Just ten years ago, hacked Hotmail passwords showed little change. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data. Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk.”
The unusually concise and well-written five-page Imperva report could be really handy for user education. It also contains links to other studies and articles on password security.