The world’s most popular password? 123456. Duh?
In December 2009 RockYou, a maker of social-media apps and slide-show tools, suffered a 'security breach' when a hacker posted some 32 million RockYou user passwords on the internet. The passwords had been stored in cleartext and were accessed via a SQL injection vulnerability.
American data security firm, Imperva, saw this unprecedented amount of password data as a unique opportunity to assess the way users select passwords and to analyse the strength of passwords as an IT security measure.
From the Imperva analysis of the 32m+ passwords, these are the most commonly used passwords and their number of users:
| Rank | Password | Users |
|------|-----------|---------|
| 1 | 123456 | 290 731 |
| 2 | 12345 | 79 078 |
| 3 | 123456789 | 76 790 |
| 4 | Password | 61 958 |
| 5 | iloveyou | 51 622 |
| 6 | princess | 35 231 |
| 7 | rockyou | 22 588 |
| 8 | 1234567 | 21 726 |
| 9 | 12345678 | 20 553 |
| 10 | abc123 | 17 542 |
Should we laugh or cry?
The Imperva study notes that a 1990 analysis of Unix passwords found password-selection habits strikingly similar to those seen in the 32 million RockYou passwords.
Looking at the laughable nature of passwords, SuperVision's Charlie Stewart notes that ‘Babygirl’ came in at number 13, ‘Monkey’ logged at 14 and good old ‘Qwerty’ only managed to get the number 20 spot.
“In recent years there has been a move towards trying to reinforce passwords with so-called strong authentication, scheduled changes and encryption, but at the end of the day, I can give you my not-so-smart card and tell you the PIN – and you can share yours with me in the same way. Fundamentally, nothing’s changed with passwords since bygone days when a scary sentry with a pointy stick shouted out: ‘Who goes there?’”
What definitely has changed is the ability to crack passwords.
Based on the RockYou mega-sample, Imperva’s report summarises the security risks:
“As hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk. To quantify the issue, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account every second, taking a mere 17 minutes to break into 1 000 accounts.”
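The defensive counterpart to the report's figures is a blocklist: refuse any password that appears in a list like the table above, because those are the guesses an automated attack tries first. The following is an added example, not code from Imperva or the article; it takes the top-10 table as constructed data, uses the article's round figure of 32 million accounts, and computes how much of the user base the first few guesses cover.

```python
from typing import Optional

# Constructed from the article's table: (rank, password, users). The 32 million
# total is the article's round figure for the whole RockYou dump.
ROCKYOU_TOP10 = [
    (1, "123456", 290_731), (2, "12345", 79_078), (3, "123456789", 76_790),
    (4, "Password", 61_958), (5, "iloveyou", 51_622), (6, "princess", 35_231),
    (7, "rockyou", 22_588), (8, "1234567", 21_726), (9, "12345678", 20_553),
    (10, "abc123", 17_542),
]
TOTAL_ACCOUNTS = 32_000_000


def blocklist(entries=ROCKYOU_TOP10):
    """Normalised set of banned passwords (compared case-insensitively,
    so 'Password', 'password' and 'PASSWORD' count as the same guess)."""
    return {pw.lower() for _, pw, _ in entries}


def is_blocked(candidate: str, entries=ROCKYOU_TOP10) -> bool:
    """True if a proposed password is one of the most common leaked ones."""
    return candidate.strip().lower() in blocklist(entries)


def users_covered(top_n: int, entries=ROCKYOU_TOP10) -> int:
    """How many RockYou accounts used one of the top_n passwords."""
    return sum(users for rank, _, users in entries if rank <= top_n)


def coverage(top_n: int, entries=ROCKYOU_TOP10, total=TOTAL_ACCOUNTS) -> float:
    """Share of all accounts that the top_n guesses alone would open."""
    return users_covered(top_n, entries) / total


def guesses_for_share(share: float, entries=ROCKYOU_TOP10,
                      total=TOTAL_ACCOUNTS) -> Optional[int]:
    """Smallest N whose top-N list covers at least `share` of accounts,
    or None if the list is too short to reach that share."""
    running = 0
    for rank, _, users in sorted(entries):
        running += users
        if running / total >= share:
            return rank
    return None


if __name__ == "__main__":
    for pw in ("123456", "PASSWORD", "correct horse battery staple"):
        print(f"{pw!r:35} blocked={is_blocked(pw)}")
    print(f"top 10 cover {coverage(10):.2%} of {TOTAL_ACCOUNTS:,} accounts")
    print(f"guesses needed for 1% of accounts: {guesses_for_share(0.01)}")
```

Ten guesses already cover just over two percent of the accounts, which is why a blocklist check at password-set time removes a disproportionate share of the risk for almost no cost.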
According to Imperva's CTO, Amichai Shulman, "Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like 123456.”
“The problem has changed very little over the past 20 years. It's time for everyone to take password security seriously; it's an important first step in data security.”
“There’s more research on the flaws of passwords than you can shake a stick at”, says Stewart. Whilst he welcomes this type of research as a means to highlight the deep-rooted weaknesses of passwords, he feels that, to a certain extent, it’s all rather stating the obvious:
“We all know that it would be dangerous to drive down the wrong side of the highway. We don’t need research to warn us about that. Or do we?”
Full Imperva report: http://www.imperva.com/news/press/2010/01_21_imperva_releases_detailed_analysis_of_32_million_passwords.html