Topics: Security, Sony, IT

A Brief Sony Password Analysis

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."
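The four statistics in the summary (common-dictionary hits, length of 7 or less, lowercase alphanumeric of 9 or less, no non-alphanumeric character) and the cross-site reuse figure can be reproduced with a short script. The following is an added example, not part of the Slashdot submission or of the original analysis: the account lists, the "other site" list and the common-password dictionary are all constructed for the demonstration, and the metric definitions follow the wording of the summary.

```python
import re
import string
from typing import Callable, Dict, List

# Constructed sample "leaked" credential set, in the shape of the dump the
# summary analyses. None of these are real accounts or passwords.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "password",
    "bob@example.com": "letmein1",
    "carol@example.com": "qwerty",
    "dave@example.com": "Summer2011!",
    "erin@example.com": "abc123",
    "frank@example.com": "t3chnology",
    "grace@example.com": "p@ssw0rd",
    "heidi@example.com": "monkey",
    "ivan@example.com": "correcthorsebattery",
    "judy@example.com": "123456",
}

# Constructed second breach (the Gawker comparison in the summary). Only
# accounts present in both sets count toward the reuse rate.
SAMPLE_OTHER_SITE: Dict[str, str] = {
    "alice@example.com": "password",
    "bob@example.com": "letmein1",
    "carol@example.com": "different1",
    "dave@example.com": "Summer2011!",
}

# Constructed stand-in for a "common password dictionary"; a real analysis
# would load a published wordlist here instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "abc123", "monkey", "letmein"}

LOWER_ALNUM = re.compile(r"^[a-z0-9]+$")


def is_common(pw: str) -> bool:
    """Password appears in the common-password dictionary (case-insensitive)."""
    return pw.lower() in COMMON_PASSWORDS


def is_short(pw: str) -> bool:
    """Password is 7 characters or less."""
    return len(pw) <= 7


def is_lower_alnum_short(pw: str) -> bool:
    """Password is lowercase alphanumeric and 9 characters or less."""
    return len(pw) <= 9 and LOWER_ALNUM.match(pw) is not None


def has_no_symbol(pw: str) -> bool:
    """Password contains no non-alphanumeric (punctuation) character."""
    return not any(c in string.punctuation for c in pw)


def analyse(accounts: Dict[str, str]) -> Dict[str, float]:
    """Return each metric as a percentage of the accounts in the dump."""
    passwords: List[str] = list(accounts.values())
    total = len(passwords)

    def pct(flag: Callable[[str], bool]) -> float:
        return 100.0 * sum(1 for p in passwords if flag(p)) / total

    return {
        "common_dictionary": pct(is_common),
        "seven_or_less": pct(is_short),
        "lower_alnum_nine_or_less": pct(is_lower_alnum_short),
        "no_symbol": pct(has_no_symbol),
    }


def reuse_rate(site_a: Dict[str, str], site_b: Dict[str, str]) -> float:
    """Percentage of accounts present in both dumps that use the same password."""
    shared = [user for user in site_a if user in site_b]
    if not shared:
        return 0.0
    same = sum(1 for user in shared if site_a[user] == site_b[user])
    return 100.0 * same / len(shared)


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_ACCOUNTS).items():
        print(f"{name:28s} {value:5.1f}%")
    print(f"{'reused_across_sites':28s} {reuse_rate(SAMPLE_ACCOUNTS, SAMPLE_OTHER_SITE):5.1f}%")
```

Plaintext comparison only works because the dump itself was plaintext; the "same password on both sites" check is the reason a breach of one low-value site is a credential-stuffing risk for every other site the user has an account on.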
  • by gman003 ( 1693318 ) on Monday June 06, 2011 @11:18AM (#36350654)
    I have three different passwords I use for everything. The weakest (8 characters, 2 non-alphanumeric and one uppercase, but I sometimes have to strip the & and @ on things that don't allow it) is used on things where I really don't give a shit if someone hacks it. Want to upload stuff to Imageshack in my name? Who cares? Want to hack my Dropbox? I only use it as free file hosting - everything on it is supposed to be publicly viewed, and I have local copies of all the data. Want my Gawker account? Knock yourself out - I don't even try posting anything there, everyone's too retarded. Hell, some sites email it back to me in plain text.

    The next password (9 characters, 2 non-alpha, one uppercase, non-dictionary word (unless someone added Esperanto to their password dictionary)) is used for things I actually care about. Steam. Slashdot. User-level logins. Email. Stuff I would be able to recover, but which would seriously inconvenience me. If I hear that one of the systems I use it on has been compromised, or even "maybe" compromised, I change them all. I do have this one written down in a few places, but always under lock and key.

    The highest (20 characters, 3 non-alphanumeric, 4 numbers and 6 uppercase, with nothing at all that would appear in any dictionary) is used on things I need actual security on. Root accounts. Bank accounts (or at least I would, if my bank wasn't retarded). And the only place I have this recorded is in one location, which contains only the instructions I used to generate it, which requires knowledge of hexadecimal, early science-fiction, and the arrangement of my keyboard. I consider this one uncrackable - I would be confident setting it as the launch code to a nuclear missile. If I remember, last I checked it would take several years to crack the password - anyone who cracks it will probably have spent more on electricity for their computer than they'd get out of my bank account.

    PS: I know about password management programs. Don't trust them, and I have to use public terminals too often to have passwords I can't remember. I've considered using the postfix system (i.e. $kurg^is42 would become $kurg^is42_fb on Facebook, $kurg^is42_sd on /., etc.), but haven't gotten around to actually doing it yet. Probably should.

    PPS: That's not my actual password. And several of my descriptions were deliberately false, just to maintain security.
