A Brief Sony Password Analysis
troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."
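The metrics quoted in the summary can be computed for any password set a defender is entitled to audit. The sketch below is an added example, not troyhunt's code; the sample accounts, the word list and the case-insensitive dictionary match are all assumptions made for illustration.

```python
import string

LOWER_ALNUM = set(string.ascii_lowercase + string.digits)

# Constructed sample data (not from any breach): account -> password per site.
SITE_A = {"a@example.com": "password", "b@example.com": "abc123",
          "c@example.com": "Tr0ub4dor&3", "d@example.com": "sunshine1",
          "e@example.com": "qwertyuiop"}
SITE_B = {"a@example.com": "password", "b@example.com": "hunter2x",
          "d@example.com": "sunshine1", "f@example.com": "letmein"}
COMMON = ["password", "abc123", "letmein", "qwertyuiop"]  # constructed word list


def pct(count, total):
    """Percentage rounded to one decimal; 0.0 for an empty set."""
    return round(100.0 * count / total, 1) if total else 0.0


def audit(passwords, dictionary):
    """Per-password metrics named in the summary, as percentages."""
    pw = list(passwords)
    words = {w.lower() for w in dictionary}
    n = len(pw)
    return {
        # Assumption: dictionary membership is a case-insensitive exact match.
        "in_dictionary": pct(sum(p.lower() in words for p in pw), n),
        "len_le_7": pct(sum(len(p) <= 7 for p in pw), n),
        "lower_alnum_le_9": pct(
            sum(len(p) <= 9 and set(p) <= LOWER_ALNUM for p in pw), n),
        "no_symbol": pct(sum(p.isalnum() for p in pw), n),
    }


def reuse_rate(site_a, site_b):
    """Of the accounts present on both sites, the share reusing one password."""
    shared = site_a.keys() & site_b.keys()
    return pct(sum(site_a[k] == site_b[k] for k in shared), len(shared))


if __name__ == "__main__":
    print(audit(SITE_A.values(), COMMON))
    print("reused across sites:", reuse_rate(SITE_A, SITE_B))
```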
Re:Is Sony now in the banking business? (Score:4, Insightful)
not surprising (Score:2, Insightful)
It's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.
lowercase (Score:5, Insightful)
'82% of passwords are lowercase alphanumeric of 9 characters or less.'
So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.
Re:Is Sony now in the banking business? (Score:5, Insightful)
This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.
It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.
Password Requirements Are Inconsistent (Score:4, Insightful)
The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.
Re:As someone who probably fell into some of those (Score:5, Insightful)
For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.
Bad passwords are not always the user's fault. (Score:5, Insightful)
The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.
With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.
So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.
Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.
Strong Password Necessity? (Score:4, Insightful)
Here's how I look at it:
My PSN account is used purely for entertainment. It is not linked to a credit card. I have made one PSN purchase on my credit card. My credit card company offers fraud protection.
Why should I have a 26-character long UTF-8 password that I'm never going to remember? It's about as useful as having a strong password on the hotmail account I use to sign up to websites. Huge pain in the ass, negligible benefit.
My banking site, my PayPal account, my Canada Revenue Agency account - these are the places that I bother to use strong passwords. Elsewhere, I don't care that much.
Re:Bad passwords are not always the user's fault. (Score:5, Insightful)
Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.
Nothing inherently wrong with writing down passwords. You move from "something you know" to something you have. As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.
Re:Password Requirements Are Inconsistent (Score:4, Insightful)
So it comes down to sticky notes, or a trusted source to keep all your passwords. I have chosen the latter. I have a password file that I keep on my own domain. However, even that is not foolproof, because I don't host the server myself, so somebody at the host, or somebody that compromised the host could get in and look at that file (I have permissions set to keep the casual viewer out, but these people would obviously have admin permission). I still have security through obscurity, as they would have to recognize the file for what it was, while wading through thousands of uninteresting files, and then figure out what user and password goes with what site, which is somewhat cryptic, but recognizable by me.
As an aside, why does talking about my file which is hosted on a unix based system make me want to use vi editor keys when typing into slashdot?
Re:lowercase (Score:4, Insightful)
In a way I agree with you, but let's just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then gives 52^n combinations.
The parent's point was that this isn't actually correct. That is only true if ANY or ALL of those characters could be upper case. Well, they could be, but most likely they aren't. Instead it is probably the case that all but one are lower case. So, the number of possibilities isn't 52^n, but rather n*26^n. That is barely larger than 26^n.
Require 8 characters, of which at least one is upper case and one is a number? Ok, users will go with the minimums on both, so you start with 6 lowercase and 1 uppercase letters, which is 7*26^7. Then you throw in a digit. That could go in 8 positions, and could be any of 10 characters, so multiply that number by 80. If you just check a "1" in the last character position then you don't increase the number of combinations at all and you'll probably nail 80% of the passwords anyway.
If I lose my car keys then a true brute force search would have to cover the entire volume of c * the elapsed time since I last saw them. However, I wouldn't start by searching the moons of Jupiter - the kitchen counter is far more likely to yield dividends.
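The counting argument in the comment above, and the earlier "lowercase" comment's claim that one extra character is worth more than a forced capital, can be checked for a policy under review. This is an added example, not code from the thread; the function names and the choice of n = 8 are assumptions.

```python
from math import factorial, log2

LOWER, UPPER, DIGIT = 26, 26, 10  # characters available in each class


def exact_mix(lower, upper, digit):
    """Number of passwords with exactly this many characters of each class,
    in any order (multinomial arrangements times per-class choices)."""
    n = lower + upper + digit
    arrangements = factorial(n) // (
        factorial(lower) * factorial(upper) * factorial(digit))
    return arrangements * LOWER**lower * UPPER**upper * DIGIT**digit


def bits(count):
    """Search-space size expressed in bits, one decimal place."""
    return round(log2(count), 1)


def compare(n=8):
    """Nominal versus realistic space for an n-character composition policy."""
    return {
        "lowercase_n": bits(LOWER**n),
        # Users add exactly one capital: n * 26^n, as the comment says.
        "one_capital": bits(exact_mix(n - 1, 1, 0)),
        # Users meet "one capital, one digit" at the minimum.
        "policy_minimum": bits(exact_mix(n - 2, 1, 1)),
        # What the policy appears to offer if every position were free.
        "nominal_62_pow_n": bits(62**n),
        # No composition rule, one more lowercase character instead.
        "lowercase_n_plus_1": bits(LOWER**(n + 1)),
    }


if __name__ == "__main__":
    for name, value in compare(8).items():
        print(f"{name:20s} {value:5.1f} bits")
```

For n = 8, meeting the policy at its minimum gives about 42.0 bits against a nominal 47.6, and nine plain lowercase characters give about 42.3.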