The New York Times reports on an analysis of 32 million user passwords. They were stolen from RockYou, a company that makes applications and widgets for social-networking sites like Facebook and MySpace, and the list was posted online. (RockYou had stored the passwords in plaintext, which is why the analysis could look at actual passwords rather than hashes.) As one researcher commented, a list this size is “the mother lode” for examining user habits.
Imperva, a data security firm, has published highlights of its analysis of the passwords. The chart on the right is taken from Imperva’s analysis.
Remember, the group was roughly 32,000,000 people, which means that nearly 1% of them (290,731 individuals, about 0.9%) used “123456” for their password.
If you add up all the “123-” variations in the top 10, you have 488,878 people who chose consecutive numbers starting with 1 as a password.
The Times article notes that 20% of the account holders, 6.4 million people, used only 5,000 different passwords. (Number 5,000 in terms of popularity was “tigger123.” That’ll keep the hackers away.)
I’m writing this on Thursday night, following a #lrnchat discussion on workgroups with little connectivity or tech-savvy. Granted, the RockYou account holders probably had personal rather than workplace goals in mind. At the same time, I’ll argue that their password selections reflect some of their own tech-savvy… or at least their actual performance, regardless of any theoretical savvy.
Which means that “strong password training” probably won’t solve on-the-job security shortcomings. People might still use weak passwords because:
- They don’t have an easy way to generate strong ones (like this one that includes a mnemonic).
- They have too many different passwords to recall.
- Nothing bad happens immediately after they choose a weak password.
In a work setting, imagine combining the third and first points: a system or website tells you (politely but candidly) that your password isn’t secure, then offers you help in creating one that is. The result probably won’t be “abc123” or “qwerty.” The more practical problem is that the result is going to be hard to remember, which increases the likelihood that someone will want to write the password down.
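Here is what that combination looks like in code. This is an added example, not code from the original post or from Imperva: a sign-up check that rejects passwords from a small blocklist or consecutive-digit runs, tells the user why, and offers a randomly generated passphrase instead. The blocklist and wordlist are constructed for illustration (the blocklist is seeded with the strings the post mentions); a real deployment would check against a large leaked-password list such as the RockYou set itself, and use a wordlist of thousands of words. The function names are my own.

```python
"""Weak-password feedback plus an offer of a stronger alternative.

Added example for illustration; not from the original post or Imperva.
"""
import math
import secrets

# Constructed sample blocklist. It includes the strings the post mentions
# ("123456", "abc123", "qwerty", "tigger123") and a few consecutive-digit
# variants. A real check would load a large leaked-password list instead.
COMMON_PASSWORDS = frozenset({
    "123456", "12345", "123456789", "1234567", "12345678",
    "password", "abc123", "qwerty", "tigger123", "iloveyou",
})

# Constructed wordlist for passphrases. Its size is what sets the entropy:
# a real list (e.g. a 7,776-word diceware list) gives ~12.9 bits per word,
# this 16-word toy list only 4 bits per word.
WORDLIST = (
    "anchor", "basket", "cedar", "dune", "ember", "falcon", "glacier",
    "harbor", "island", "juniper", "kettle", "lantern", "meadow",
    "nickel", "orchid", "pebble",
)

MIN_LENGTH = 12


def is_sequential_digits(pw: str) -> bool:
    """True for runs of consecutive digits such as 12345 or 7890 (len >= 4)."""
    if len(pw) < 4 or not pw.isdigit():
        return False
    # Each digit must be the previous one plus 1, wrapping 9 -> 0.
    return all(int(b) == (int(a) + 1) % 10 for a, b in zip(pw, pw[1:]))


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means acceptable."""
    reasons = []
    norm = pw.strip().lower()          # "Tigger123" should fail like "tigger123"
    if norm in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if is_sequential_digits(norm):
        reasons.append("is a run of consecutive digits")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"is only {len(pw)} characters long (minimum {MIN_LENGTH})")
    return reasons


def generate_passphrase(n_words: int = 4, rng=secrets) -> str:
    """Pick n_words uniformly at random from WORDLIST using a CSPRNG by default.

    `rng` only needs a .choice() method, so random.Random(seed) works for tests.
    """
    return "-".join(rng.choice(WORDLIST) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from a wordlist: n * log2(size)."""
    return n_words * math.log2(wordlist_size)


def feedback(pw: str) -> str:
    """The 'polite but candid' message: why it was rejected, plus a suggestion."""
    reasons = check_password(pw)
    if not reasons:
        return "Password accepted."
    suggestion = generate_passphrase()
    return ("Your password " + "; ".join(reasons)
            + ". Try a passphrase instead, for example: " + suggestion)


if __name__ == "__main__":
    for candidate in ("123456", "tigger123", "abc123", generate_passphrase()):
        print(f"{candidate!r}: {feedback(candidate)}")
    print(f"4 words from a 7,776-word list: "
          f"{passphrase_entropy_bits(4, 7776):.1f} bits")
```

Two design points worth noting. The check normalizes case and trims whitespace before the blocklist lookup, because the variants people actually type ("Tigger123", "123456 ") are the ones a naive exact-match check lets through. And the passphrase comes from `secrets`, not `random`: a suggestion the user may adopt verbatim has to be unpredictable to whoever reads the server logs or guesses the seed.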
I suspect that even the “tech-savvy” are tempted to cycle through maybe five or six pet passwords, in the same way that a lot of people list “regular backups” as part of their digital religion while rarely engaging in the practice.