
Analysis of 32 Million Breached Passwords

Posted by CmdrTaco
from the trust-no-1 dept.
An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non-alphanumerics in their #$#%'ing passwords.
  • The Top 10 (Score:5, Informative)

    by goldaryn (834427) on Thursday January 21, 2010 @08:48AM (#30845078) Homepage

    1. 123456
    2. 12345
    3. 123456789
    4. Password
    5. iloveyou
    6. princess
    7. rockyou
    8. 1234567
    9. 12345678
    10. abc123

    By a massive coincidence, these happen to be the passwords for their respective /. userids!

  • by naz404 (1282810) on Thursday January 21, 2010 @08:52AM (#30845120) Homepage
    Does anyone have the list of passwords itself?

    It would be fun to perform one's own statistical analysis of the list :)
    Here's the top 20 most common passwords used according to the report:
    Rank  Password    # of Users
       1  123456          290731
       2  12345            79078
       3  123456789        76790
       4  Password         61958
       5  iloveyou         51622
       6  princess         35231
       7  rockyou          22588
       8  1234567          21726
       9  12345678         20553
      10  abc123           17542
      11  Nicole           17168
      12  Daniel           16409
      13  babygirl         16094
      14  monkey           15294
      15  Jessica          15162
      16  Lovely           14950
      17  michael          14898
      18  Ashley           14329
      19  654321           13984
      20  Qwerty           13856
  • by Rockoon (1252108) on Thursday January 21, 2010 @08:54AM (#30845136)
    My company (over 10,000 employees, not in the computer industry) does the same thing, but the really annoying part: it must be EXACTLY 2 letters, followed by EXACTLY 4 digits.

    So even allowing for upper case (which I am not sure that it differentiates), the total password space is only 2704000000.

    The size of this space can conveniently fit into a 32-bit value, which is probably what they are doing: storing passwords in an integer field.

    Did I mention that they pay our IT department $11/hour?

    Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...
  • by Dun Malg (230075) on Thursday January 21, 2010 @09:00AM (#30845192) Homepage

    Most interesting to me was that in the sample, less than 4% used any non-alphanumerics in their #$#%'ing passwords.

    Why is it any surprise that people tend to approach passwords as a pass-WORD? It has to be something they can remember, and remembering a string of characters they can't pronounce is far more difficult than remembering (say) their favorite basketball team and the year they graduated high school.

  • by Megane (129182) on Thursday January 21, 2010 @09:37AM (#30845610) Homepage

    There's no reason something can't be both pronounceable and secure. Start with two nonsense syllables, and add a special character between them. Not quite as "secure" as a completely random password, but much less likely to be written down, plus some of the letters can be l33t3d for variant forms. Make three base words for various levels of usage (one for regular web stuff, one for login passwords, and another rarely used for important stuff), and you can even keep around hints for rarely used passwords with one letter and a bunch of ## or @@ symbols for the parts that change.

    A good way to make something pronounceable is with the old "D&D character name generator" type of program, making a CVCCVC name. So you get, for instance, DORLOT (FWIW, I cheated just now and used an alpha D20), and don't tell me you can't pronounce that. Then some variant passwords from that would be "dor%lot", "d0r##lOt", and "D0r:*!o+". They're still "dorlot", but the result is a lot more secure than picking a dictionary word and puts you into that tiny wedge on TFA's pie chart. And while they're all similar, they're different enough that a compromise in one place won't let someone get into every account you have anywhere.

  • by Synn (6288) on Thursday January 21, 2010 @09:51AM (#30845794)

    Or worse, that little file on the PC desktop with a list of userid/passwd combos.

    Just use a password store utility instead of a text file. They encrypt a file that stores the passwords.

  • by nickyj (142376) on Thursday January 21, 2010 @10:12AM (#30846082) Journal

    KeePass is an excellent utility, available for Windows, Linux, and other platforms. It's simple, quick to use, and configured correctly, you will only have to learn one password: the one to unlock the encryption file.

  • Passwords (Score:5, Informative)

    by Stooshie (993666) on Thursday January 21, 2010 @10:18AM (#30846168) Journal
    I worked for a company that ran a birth/death/marriage certificate site. People were having problems logging in, so we kept a log of passwords that did not result in a successful login.

    We found that one of the most commonly typed passwords that was denied was "case-sensitive".

    Needless to say, we soon took off the "Your password is case-sensitive" text from the login page.
  • by clodney (778910) on Thursday January 21, 2010 @10:19AM (#30846190)

    It may narrow the nominal keyspace, but it almost certainly increases the average keyspace that needs to be searched. Without the complexity requirements most people will use a dictionary word or something like that. And the company wants to keep all the accounts secure, so it has to care about the average password.

    And think of it this way - in a keyspace that requires 10 numeric digits, what percentage of the total keyspace is consumed by anything containing less than 10 digits? Seems to me you have only given up 10% of the space, and an even smaller percentage if you consider the full printable range of characters instead of just numerics.
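The keyspace arguments in this thread (Rockoon's "exactly 2 letters then exactly 4 digits" policy, Megane's CVCCVC base words, and clodney's question about how much of an "up to N characters" space is consumed by the strings shorter than N) are all instances of the same counting, so here is a small calculator for them. This is an added example, not code from the article or from any commenter; the template letters and the class sizes (26 letters, 21 consonants, 5 vowels, 32 ASCII punctuation marks, 95 printable ASCII characters) are my own assumptions.

```python
import math

# Sizes of the character classes a template may use (assumptions: ASCII only).
CLASS_SIZES = {
    "l": 26,   # letter, case-insensitive (a-z)
    "L": 52,   # letter, case-sensitive (a-z, A-Z)
    "D": 10,   # decimal digit
    "C": 21,   # lower-case consonant
    "V": 5,    # lower-case vowel
    "S": 32,   # printable ASCII punctuation
    "A": 95,   # any printable ASCII character
}


def template_keyspace(template: str) -> int:
    """Number of distinct strings that match a fixed-shape policy.

    'llDDDD' is two case-insensitive letters followed by four digits,
    'CVCCVC' is a pronounceable six-letter base word, and so on.
    """
    size = 1
    for ch in template:
        size *= CLASS_SIZES[ch]
    return size


def bits(keyspace: int) -> float:
    """Equivalent entropy in bits, assuming every string is equally likely."""
    return math.log2(keyspace)


def fixed_vs_variable(alphabet_size: int, max_len: int, min_len: int = 1):
    """Compare 'exactly max_len characters' with 'between min_len and max_len'.

    Returns (exact, total, fraction_given_up): the number of strings of exactly
    max_len characters, the number of strings of any allowed length, and the
    share of the variable-length space that a fixed-length rule discards.
    """
    exact = alphabet_size ** max_len
    total = sum(alphabet_size ** k for k in range(min_len, max_len + 1))
    return exact, total, (total - exact) / total


if __name__ == "__main__":
    for tpl in ("llDDDD", "LLDDDD", "CVCCVC", "CVCSCVC", "AAAAAAAA"):
        n = template_keyspace(tpl)
        print(f"{tpl:10} {n:>20,d} strings  ~{bits(n):5.1f} bits")
    for alphabet, label in ((10, "digits"), (95, "printable ASCII")):
        exact, total, lost = fixed_vs_variable(alphabet, 10)
        print(f"{label}: exactly 10 chars = {exact:,d}, up to 10 chars = {total:,d}, "
              f"fixed length gives up {lost:.2%}")
```

Requiring exactly ten digits gives up just under a tenth of the "one to ten digits" space, and requiring exactly ten printable characters gives up about one part in 95, which is the shape of clodney's estimate. The template numbers show the other side of the argument: a rigid shape such as two letters and four digits, or a six-letter pronounceable word, has a small enough space that the policy itself, not the user's choice, becomes the limiting factor.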

  • by mnslinky (1105103) * on Thursday January 21, 2010 @12:04PM (#30847684) Homepage

    I've been playing around with the password file, and there are some gross errors in the report.

    First, their top 20 list has many passwords with capital letters, where none actually exist in the 'real' top 20. Also, their numbers are off. I am guessing they used a case-insensitive match, which for most passwords will not work. The 'real' top 20, with case respected, is:

    290729 123456
    79076 12345
    76789 123456789
    59462 password
    49952 iloveyou
    33291 princess
    21725 1234567
    20901 rockyou
    20553 12345678
    16648 abc123
    16227 nicole
    15308 daniel
    15163 babygirl
    14726 monkey
    14331 lovely
    14103 jessica
    13984 654321
    13981 michael
    13488 ashley
    13456 qwerty

    You can download my list of all common passwords used by more than 1000 people at [] (1KB file) which maintains case. A file without the counts is at [] for use with john, etc.
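naz404 wanted to run his own statistics over the list, and mnslinky's point is that a case-folded count produces a different top 20 (and different totals) than an exact count. The script below, an added example that is not mnslinky's tool or anything from the report, does both counts over a constructed sample so the effect is visible, measures the share of passwords containing a non-alphanumeric character (the figure CmdrTaco highlighted), and derives a ban list of the entries used by at least a given number of people, which is the defensive use of such a dump. `load_passwords` and the sample list are my own assumptions about the file format (one password per line).

```python
from collections import Counter
import string

ALNUM = set(string.ascii_letters + string.digits)

# Constructed sample standing in for a one-password-per-line dump.
SAMPLE = (
    ["123456"] * 6
    + ["password"] * 5
    + ["Password"] * 2
    + ["iloveyou"] * 3
    + ["d0r%lot", "P@ssw0rd", "qwerty"]
)


def load_passwords(path):
    """Read a one-password-per-line file, keeping case and skipping blank lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]


def count_passwords(passwords, fold_case=False):
    """Frequency table. With fold_case=True 'Password' and 'password' merge into
    one entry, which inflates that entry's count and can reorder the ranking."""
    return Counter(p.casefold() if fold_case else p for p in passwords)


def top(counter, n=20):
    """The n most common entries as (password, count) pairs."""
    return counter.most_common(n)


def non_alnum_fraction(passwords):
    """Share of passwords that contain at least one non-alphanumeric character."""
    hits = sum(1 for p in passwords if any(ch not in ALNUM for ch in p))
    return hits / len(passwords)


def banlist(counter, min_users):
    """Exact-case entries chosen by at least min_users people, suitable for a
    'not allowed' check at password-change time."""
    return sorted(p for p, c in counter.items() if c >= min_users)


if __name__ == "__main__":
    exact = count_passwords(SAMPLE)
    folded = count_passwords(SAMPLE, fold_case=True)
    print("case respected :", top(exact, 5))
    print("case folded    :", top(folded, 5))
    print(f"non-alphanumeric: {non_alnum_fraction(SAMPLE):.1%}")
    print("ban list (>=3 users):", banlist(exact, 3))
```

With the case-respecting count "password" sits at 5 and "Password" separately at 2; case-folding turns that into a single "password" at 7 and moves it ahead of the other entries in a way the exact count does not. Feeding a real dump through `load_passwords` and `banlist` gives the kind of list mnslinky published: the passwords a policy should refuse outright, with case preserved so the check matches what users actually typed.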

  • by Carnildo (712617) on Thursday January 21, 2010 @03:44PM (#30850862) Homepage Journal

    I wish someone (ISO? NIST? DOHS?) would establish an honest-to-god STANDARD for what makes a strong password.

    That's impossible. A password's strength is related to its Kolmogorov complexity [], and Kolmogorov complexity is incomputable.
