Rockyou Breach Analysis Reveals Insecure Passwords

By Brian Prince  |  Posted 2010-01-21 Print this article Print

Database security vendor Imperva released an analysis of 32 million passwords exposed in the breach. What they found is not good.

According to their analysis, the three most commonly used passwords are "123456", "12345" and "123456789." Other common passwords include "Password" and "iloveyou."

Their analysis echoes a paper written by researchers at the University of Wisconsin-Madison and IT University in Copenhagen that found only four percent of 836 people surveyed obeyed best practices for passwords.

"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second--or 1000 accounts every 17 minutes," Imperva CTO Amichai Shulman said in a statement. "The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine."

According to the Imperva study, which can be found here, nearly 50 percent of users used names, slang words, dictionary words or trivial passwords such as consecutive numbers. The problem with such passwords is that they are easier for attackers to brute force (guess).

"Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like '123456'," Shulman said. The problem has changed very little over the past 20 years. It's time for everyone to take password security seriously; it's an important first step in data security."

For those looking for suggestions, here are a few tips to improve password strength:

1)Don't use actual words in any language, including slang, as a password by itself. In other words, "love" is not a strong password. "Love2001c" is better.

2)Don't use personal information such as birthdays, pet names, etc.

3)Don't use obvious number patterns such as "1,2,3,4,5." |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel