In December 2009, a major password breach occurred that led to the release of 32 million passwords. Further, the hacker posted to the Internet the full list of the 32 million passwords (with no other identifiable information). Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine.
The Imperva Application Defense Center (ADC) analyzed the strength of the passwords and here is what they found:
- About 30% of users chose passwords whose length is equal or below six characters.
- Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is "123456".
NASA provides the following recommendations for strong password selection:
- It should contain at least eight characters.
- It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters (such as !@#$%^&*,;"). If there is only one letter or special character, it should not be either the first or the last character in the password.
- It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
After analyzing the more than 32 million exposed passwords, Imperva came to the following conclusion:
Almost all of the 5000 most popular passwords, which are used by 20% of the users, were just that – names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
Below are the top 20 common passwords in the database list:
Rank | Password | Number of Users with Password (absolute) |
---|---|---|
1 | 123456 | 290731 |
2 | 12345 | 79078 |
3 | 123456789 | 76790 |
4 | Password | 61958 |
5 | iloveyou | 51622 |
6 | princess | 35231 |
7 | rockyou | 22588 |
8 | 1234567 | 21726 |
9 | 12345678 | 20553 |
10 | abc123 | 17542 |
11 | Nicole | 17168 |
12 | Daniel | 16409 |
13 | babygirl | 16094 |
14 | monkey | 15294 |
15 | Jessica | 15162 |
16 | Lovely | 14950 |
17 | michael | 14898 |
18 | Ashley | 14329 |
19 | 654321 | 13984 |
20 | Qwerty | 13856 |
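As an added example (not from the post or from Imperva's report), this Python turns the NASA rules and Imperva's three categories above into checks and recomputes the three reported shares over any password list. The sample passwords, the word list and the keyboard rows are constructed stand-ins for a real dictionary and for the leaked data.

```python
import re
import string

# Constructed sample modelled on the post's categories; not the leaked data.
SAMPLE = ["123456", "12345", "Password", "iloveyou", "princess", "qwerty",
          "abcdef", "Jessica", "tlpWENT2m", "Tr0ub4dor&3", "asdfgh", "987654",
          "monkey", "x!9Lk#pQ2z", "Ashley1", "N1c0le!!"]
# Tiny stand-in for a real dictionary, slang and first-name list (assumption).
WORDS = {"password", "iloveyou", "princess", "monkey", "lovely", "rockyou",
         "babygirl", "nicole", "daniel", "jessica", "michael", "ashley"}
SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.ascii_lowercase]
CLASSES = [string.ascii_uppercase, string.ascii_lowercase, string.digits,
           string.punctuation]

def is_trivial(pw):
    """Consecutive digits/letters or adjacent keyboard keys, either direction,
    possibly chained ("abc123"): greedily consume runs of 3+ characters."""
    p = pw.lower()
    while p:
        run = next((n for n in range(len(p), 2, -1)
                    if any(p[:n] in s or p[:n] in s[::-1] for s in SEQUENCES)), 0)
        if run == 0:
            return False
        p = p[run:]
    return True

def is_weak(pw):
    """Imperva's third category: name, dictionary word or trivial pattern."""
    return any(w in pw.lower() for w in WORDS) or is_trivial(pw)

def nasa_compliant(pw, user_name="", email=""):
    """The three NASA rules quoted in the post."""
    if len(pw) < 8 or not all(any(c in cls for c in pw) for cls in CLASSES):
        return False
    # A lone letter or lone special character may not sit at either end.
    for cls in (string.ascii_letters, string.punctuation):
        if sum(c in cls for c in pw) == 1 and (pw[0] in cls or pw[-1] in cls):
            return False
    low = pw.lower()
    parts = user_name.lower().split() + re.split(r"[@._-]", email.lower())
    return not (any(w in low for w in WORDS)
                or any(len(t) >= 3 and t in low for t in parts))

def imperva_stats(passwords):
    """Recompute the three shares reported in the post for any password list."""
    n = len(passwords)
    return {"len_le_6": sum(len(p) <= 6 for p in passwords) / n,
            "alnum_only": sum(p.isalnum() for p in passwords) / n,
            "dict_or_trivial": sum(is_weak(p) for p in passwords) / n}
```

Running `nasa_compliant("tlpWENT2m")` shows that Schneier's nine-character example from the recommendations fails NASA's four-class rule because it contains no special character.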
And finally, here are the recommendations.

USERS
- Choose a strong password for sites where you care about the privacy of the information you store there. Bruce Schneier's advice is useful: "Take a sentence and turn it into a password. Something like 'This little piggy went to market' might become 'tlpWENT2m'. That nine-character password won't be in anyone's dictionary."
- Use a different password for every site – even for the ones where privacy isn't an issue. To help remember the passwords, again, following Bruce Schneier's advice is recommended: "If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence."
- Never trust a third party with your important passwords (webmail, banking, medical, etc.).

ADMINISTRATORS
- Enforce a strong password policy – if you give users a choice, it is very likely that they will choose weak passwords.
- Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
- Make sure passwords are not kept in clear text. Always hash passwords before storing them in the database.
- Employ aggressive anti-brute-force mechanisms to detect and mitigate brute-force attacks on login credentials. Make these attacks too slow for any practical purpose, even for shorter passwords. Actively put obstacles in the way of a brute-force attacker, such as CAPTCHAs, computational challenges, etc.
- Employ a password change policy. Trigger the policy either by time or when a compromise is suspected.
- Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.
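Two of the administrator points, hashing before storage and slowing brute force down, as an added example that is not the post's own code: a salted PBKDF2 digest with constant-time verification, and a per-account login throttle whose delay doubles after each failure and which locks the account after too many. The hash construction, the work factor and the throttle parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Work factor is an assumption for this example; tune it to your hardware.
PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    """Store a salted, slow digest, never the clear-text password."""
    salt = salt or os.urandom(16)          # a fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

class LoginThrottle:
    """Anti-brute-force for the login endpoint: the delay doubles after every
    failure and the account locks after max_failures, so an online search of
    even a six-character space takes far too long to be practical."""
    def __init__(self, max_failures=10, base_delay=1.0, clock=time.monotonic):
        self.failures = defaultdict(int)
        self.next_allowed = defaultdict(float)
        self.max_failures = max_failures
        self.base_delay, self.clock = base_delay, clock

    def attempt(self, user, password, stored):
        now = self.clock()
        if self.failures[user] >= self.max_failures:
            return "locked"        # compromise suspected: trigger a reset / review
        if now < self.next_allowed[user]:
            return "too_early"     # refused without touching the password
        if verify_password(password, stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1   # 1 s, 2 s, 4 s, 8 s ... before the next try
        self.next_allowed[user] = now + self.base_delay * 2 ** (self.failures[user] - 1)
        return "denied"
```

The throttle is keyed per account, so a detection rule should also count failures across accounts from one source to catch an attacker spreading attempts over many users.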
What are your policies, or those of the company you work for, on this question?
Please share your thoughts and experience.
Why is Jessica the 15th most popular password? That doesn't make sense as it's not even a common name.
My apps generate a random non-dictionary, but pronounceable password for new users. You can't trust users to choose a secure password and many would choose the same password they use for other websites. So that makes it easy for a bad webmaster or dba to try a user's password out on other websites.
A good developer would always store a hash of the password, never the actual password itself. So wherever that leak of 32 million passwords came from should be hung out to dry. If they had done their job properly the hacker would have no more than a big list of useless hash codes. But on the plus side lots of people can learn a massive amount from this leak and the analyses. Thanks for flagging this up, Ed. Lovely monkey. Iloveyou princess. Rockyou. ;-)
I totally agree on the hash usage. What about Jessica... to me the other names getting such a high place was a surprise too. But maybe this is something specific to the site that let the passwords go for a free swim.