How Bad Passwords Lead to Breached Accounts

Imperva's analysis of the Dec 2009 breach of 32 million RockYou usernames & passwords provides a window into the average user's password practices: poor (to say the least). Among the findings listed in the report:
  • The top passwords were: 
    • #1: 123456 
    • #2: 12345
    • #3: 123456789
    • #4: Password
    • #5: iloveyou
  • 30% of users had passwords of 6 characters or less.
  • Almost 50% of passwords were composed of: "used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on)."
  • Less than 4% of passwords had any special characters.
Given some basic assumptions about an average DSL connection, the report concludes that
a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts.
After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts.
One of the recommendations is for administrators to
Make sure passwords are not kept in clear text. Always digest password before storing to DB.
I believe it is irresponsible that some web-based applications are still storing passwords in plain text, and just as bad, to be able to send you your "old" password (meaning the password is either stored in plain text or in a reversible "encryption" format).
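As an added example (not from the post or the Imperva report), the snippet below does two things the post's findings and recommendation call for: it flags the weak-password patterns the report lists (top-five entries, six characters or fewer, consecutive digits or adjacent keyboard keys, no special characters), and it stores a password as a salted, slow digest (PBKDF2-HMAC-SHA256 from Python's standard library) that can be verified but never sent back to the user. The five-entry blocklist, the keyboard rows and the iteration count are assumptions chosen for illustration, not values from the page; a real deployment would use a much larger blocklist.

```python
import base64
import hashlib
import hmac
import os

# The top-five entries quoted in the post (lower-cased); a constructed,
# deliberately tiny blocklist for illustration only.
TOP_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou"}

# Assumed keyboard rows used to detect "adjacent keyboard keys" patterns.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware improves.
DEFAULT_ITERATIONS = 600_000


def _is_sequential(pw):
    """True for runs like 123456 / abcdef (either direction) or a slice of a keyboard row."""
    s = pw.lower()
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps in ({1}, {-1}):
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weaknesses(pw):
    """Return the list of report-style weaknesses found in pw (empty list means none found)."""
    problems = []
    if pw.lower() in TOP_PASSWORDS:
        problems.append("in top-password list")
    if len(pw) <= 6:
        problems.append("6 characters or fewer")
    if _is_sequential(pw):
        problems.append("consecutive digits or adjacent keyboard keys")
    if all(c.isalnum() for c in pw):
        problems.append("no special characters")
    return problems


def hash_password(pw, iterations=DEFAULT_ITERATIONS):
    """Digest pw with a fresh random salt; the result is what gets stored in the DB."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(pw, stored):
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for candidate in ["123456", "qwerty", "Password", "correct horse battery staple!"]:
        print(repr(candidate), "->", weaknesses(candidate) or "no issues found")
    record = hash_password("correct horse battery staple!")
    print("stored:", record)
    print("verify right password:", verify_password("correct horse battery staple!", record))
    print("verify wrong password:", verify_password("Password", record))
```

Because only the salt and digest are stored, the application has no way to e-mail the original password back; a "forgot password" flow has to issue a reset instead. The per-user random salt also means two users who chose the same weak password get different stored values, so the attacker cannot crack the whole 123456 population with one lookup.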

Note: emphasis is mine

Src: Imperva report - Consumer Password Worst Practices

1 comment:

Unknown said...

The statistics on password strength are largely consistent with statistics that I gathered for another organisation. I am beginning to suspect that the statistics represent a global constant among English-speaking users in the United States. Although at this point there is only enough data to hypothesise that, not prove it.