The New York Times reports on an analysis of 32 million user passwords. Someone stole them from RockYou, which helps people use sites like Facebook and MySpace; the list was posted online. As one researcher commented, a list this size is “the mother lode” for examining user habits.
Imperva, a data security firm, has published highlights of its analysis of the passwords. The chart on the right is taken from Imperva’s analysis.
Remember, the group was roughly 32,000,000 — which means that nearly 1% (290,731 individuals) used “123456” for their password.
If you add up all the “123-” variations in the top 10, you have 488,878 people who chose consecutive numbers starting with 1 as a password.
The Times article notes that 20% of the account holders (6.4 million people) used only 5,000 different passwords. (Number 5,000 in terms of popularity was “tigger123.” That’ll keep the hackers away.)
I’m writing this on Thursday night, following a #lrnchat discussion on workgroups with little connectivity or tech-savvy. Granted, the RockYou account holders probably had personal rather than workplace goals in mind. At the same time, I’ll argue that their password selections reflect some of their own tech-savvy… or at least their actual performance, regardless of any theoretical savvy.
Which means that “strong password training” probably won’t solve on-the-job security shortcomings. People might still use weak passwords because:
- They don’t have an easy way to generate strong ones (like this one that includes a mnemonic).
- They have too many different passwords to recall.
- Nothing bad happens immediately after they choose a weak password.
In a work setting, imagine combining the third and first points: a system or website tells you (politely but candidly) that your password isn’t secure, then offers you help in creating one that is. The result probably won’t be “abc123” or “qwerty.” A more practical problem is that the result’s going to be hard to remember, which increases the likelihood that someone will want to write the password down.
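As an added illustration (not from the post, the Times or Imperva), here are the two ideas above in Python: the "top-k coverage" statistic the analysis reports (what share of accounts a short list of popular passwords covers) and the candid weak-password check this paragraph proposes, which rejects the most common leaked choices and the "123-" family of consecutive-digit runs. The password list is constructed for the example, not RockYou data.

```python
from collections import Counter

# Constructed sample, NOT the RockYou data: a few popular choices dominate,
# as the article describes for the real list.
SAMPLE_PASSWORDS = (
    ["123456"] * 9 + ["12345"] * 4 + ["123456789"] * 3 + ["password"] * 3
    + ["iloveyou"] * 2 + ["qwerty"] * 2 + ["abc123"] * 2 + ["tigger123"]
    + ["6!crWth", "FallEx'81", "Sandman", "correct horse battery"]
)

def top_k_coverage(passwords, k):
    """Return the k most common passwords and the fraction of accounts that
    use one of them (the article's '20% use only 5,000 passwords' figure)."""
    top = Counter(passwords).most_common(k)
    covered = sum(n for _, n in top)
    return [pw for pw, _ in top], covered / len(passwords)

def is_consecutive_digits(pw, min_len=4):
    """True for runs like '12345' or '1234567890': all digits, each one
    following the previous (9 wraps to 0)."""
    if len(pw) < min_len or not pw.isdigit():
        return False
    return all((int(b) - int(a)) % 10 == 1 for a, b in zip(pw, pw[1:]))

def check_password(pw, blocklist, min_len=8):
    """Return plain-language reasons the password is weak (empty list =
    accepted), for the candid feedback the article proposes. The blocklist
    match is case-insensitive so 'Password' does not slip past 'password'."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"is shorter than {min_len} characters")
    if pw.lower() in blocklist:
        reasons.append("is one of the most common leaked passwords")
    if is_consecutive_digits(pw):
        reasons.append("is a run of consecutive digits")
    return reasons

if __name__ == "__main__":
    top, share = top_k_coverage(SAMPLE_PASSWORDS, 4)
    print(f"top 4 {top} cover {share:.0%} of accounts")
    # Blocklist built from the leak itself, as a real deployment would build
    # one from a published list of the most common passwords.
    common = set(top_k_coverage(SAMPLE_PASSWORDS, 7)[0])
    for candidate in ("123456", "Password", "1234567890", "FallEx'81"):
        print(candidate, "->", check_password(candidate, common) or "accepted")
```

In a real system the blocklist would be the published top-N list from a breach corpus rather than the site's own passwords, and the check runs at sign-up and password change, which is the moment the article says feedback is missing.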
I suspect that even the “tech-savvy” are tempted to cycle through maybe five or six pet passwords, in the same way that a lot of people list “regular backups” as part of their digital religion while rarely engaging in the practice.
changing P/W’s used to drive me nutz…
Until an old Army buddy of mine asked me to recite the serial number of my Basic (1976) Training rifle…
Now I have about a dozen 7-character mixed number/letter (more if you add weapon types or year of issue) passwords that I could NEVER (even though I’ve tried, Lord knows I’ve tried!) forget, with great secure hints like “FallEx’81”, or “Sandman”.
Point of all that gripe is that it might be more effective to help people identify strong memory themes that will create good passwords than to generate strong passwords for them.
Mountains you’ve climbed…
Types & displacements of the engines of cars you’ve owned…
Camera/film speed/f-stop of a picture you took…
The sequence of the notes in a favourite guitar lick…
What are the things you’ll never forget?
Ian, I think those are all good approaches. They involve the individual in the creation of the password, which increases the likelihood that it’ll be remembered. Combine that with other strong-password techniques (mixed case, non-alpha characters) and you can go far. Even better if you speak another language and can work that into the mix: 6!crWth, for instance, is my way of saying there are six (six!) strings on the crwth, a Welsh harp.
I read an interview with a ‘leading security expert’ (sorry, this is vague but I can’t remember who or where – they were not famous all over the world, apparently) who said that we’ve got all of our password security stuff back-to-front.
At work we’re told, “Don’t write down your password!”
His point: we’ve a couple of hundred years of experience of writing down secrets and keeping them safe. I use my Slavic education to come up with my passwords (and I guess my kids will use Japanese) but I could just as easily write them down, I suppose.