News

Analysis of Consumer Breach Reveals Password Weaknesses

Report spotlights ease of attacking consumer accounts; password selection patterns haven’t changed in 20 years

• By James E. Powell
• 01/25/2010

The results of a recently released study from data security firm Imperva examined the 32 million passwords that were exposed in the Rockyou.com breach. The company’s Application Defense Center (ADC) analyzed password strength; it’s report, Consumer Password Worst Practices, is designed to help consumers and Web site administrators (ad IT security administrators, for that matter) “identify the most commonly used passwords they should avoid when using social networking or e-commerce sites.”

The report is available (with no registration required) at http://www.imperva.com/ld/password_report.asp

The top ten commonly used passwords were:

• 123456
• 12345
• 123456789
• Password
• iloveyou
• princess
• rockyou
• 1234567
• 12345678
• abc123

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second -- or 1000 accounts every 17 minutes,” said Imperva’s CTO Amichai Shulman in a release.

“The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine.”

Among the reports other findings: “The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as ‘brute force attacks.’

“Nearly 50 percent of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is 123456.”

For enterprises, such weak passwords can be dangerous. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy-to-crack passwords like ‘123456’,” said Shulman.

“The problem has changed very little over the past 20 years,” Shulman continued. He was referring to a 1990 study of Unix passwords; the study revealed a similar password selection pattern. “It’s time for everyone to take password security seriously; it’s an important first step in data security.

The report, available with no registration required) at www.imperva.com/ld/password_report.asp, includes recommendations for users and administrators for choosing strong passwords.