A social networking site called Rockyou.Com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.
Unfortunately, they were trying to do site aggregation stuff - using other site login credentials to link that site to theirs. All very Web 2.0. All very dangerous, especially since passwords were stored in plaintext.
Thus, the attackers collected 32 million user login credentials: ids, passwords, e-mail addresses. This was courtesy of a cross-site scripting vulnerability.
John, a former colleague, sent me a note about a security group named Imperva that analyzed the list of passwords.
The actual report is poorly drafted - you can't tell how much of the database they really analyzed, or how they chose a set to analyze. However, it seems that they analyzed a sampling of the passwords and compiled a list of the 5,000 most common ones. Which they didn't share. They did share a list of the 20 most common: the most common word was "Password" while "princess" and "Nicole" were the most common names.
There is a basic defect in this type of analysis: you can't correlate password choices with user activities. We don't know if people routinely choose weak passwords for social networking sites alone, or if they use exactly the same passwords to protect their bank accounts. We don't know if the egregiously bad password choices are by casual visitors who made a single visit, or by regular users.
Of the Top 10 Passwords, only four are actual words. The rest are numeric sequences: 12345 through 123456789, with abc123 thrown in for good measure.
Appropriately, one of the top ten passwords for logging into RockYou.Com was "rockyou."
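The kind of tally Imperva did is easy to reproduce on any leaked list, and the same tally gives a site the cheapest defence against it: a blocklist of the most common choices checked at registration time. The following is an added example, not code from the post or from Imperva's report; it runs on a small constructed sample (not RockYou data) whose shape mimics what the post describes, buckets the top entries into numeric sequences, dictionary words, the site's own name, and "other", and then uses the top-N set as a blocklist. The word list and the site name are assumptions chosen for the demonstration.

```python
from collections import Counter

# Constructed sample of leaked passwords (not the RockYou data), weighted to
# resemble the distribution the post describes: numeric runs dominate, a few
# dictionary words and names follow, the site's own name appears, and a tail
# of unique choices rounds it out.
SAMPLE_PASSWORDS = (
    ["123456"] * 9 + ["12345"] * 6 + ["123456789"] * 5 + ["password"] * 4
    + ["iloveyou"] * 3 + ["princess"] * 3 + ["rockyou"] * 2 + ["abc123"] * 2
    + ["nicole"] * 2 + ["monkey"] * 2
    + ["tlpWENT2m", "c0rrectH0rse", "qwertyuiop", "7h3R4ven!"]
)

# Tiny constructed word list standing in for a real dictionary of words and names.
WORDS = {"password", "iloveyou", "princess", "nicole", "monkey", "letmein"}

SITE_NAME = "rockyou"  # the site's own name, as in the post


def top_n(passwords, n=10):
    """Return the n most common passwords as (password, count), most common first."""
    return Counter(passwords).most_common(n)


def is_numeric_sequence(pw):
    """True for digit-only passwords that are a single ascending, descending,
    or repeated digit run (12345, 987654, 111111)."""
    if not pw.isdigit() or len(pw) < 2:
        return False
    digits = [int(c) for c in pw]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1}, {0})


def classify(pw):
    """Bucket a password into the categories the post discusses."""
    low = pw.lower()
    if is_numeric_sequence(pw):
        return "numeric sequence"
    if low == SITE_NAME:
        return "site name"
    if low in WORDS:
        return "dictionary word"
    return "other"


def category_counts(passwords, n=10):
    """How many of the top-n distinct passwords fall into each category."""
    return dict(Counter(classify(pw) for pw, _ in top_n(passwords, n)))


def build_blocklist(passwords, n=10):
    """Lower-cased set of the n most common passwords, for use at registration
    or password-change time."""
    return {pw.lower() for pw, _ in top_n(passwords, n)}


def is_acceptable(candidate, blocklist, min_len=8):
    """Defensive check: refuse passwords that are too short, on the blocklist
    (compared case-insensitively), or a trivial digit run."""
    if len(candidate) < min_len:
        return False
    if candidate.lower() in blocklist:
        return False
    if is_numeric_sequence(candidate):
        return False
    return True


if __name__ == "__main__":
    for pw, count in top_n(SAMPLE_PASSWORDS):
        print(f"{pw:<12} {count:>3}  {classify(pw)}")
    print(category_counts(SAMPLE_PASSWORDS))
    blocklist = build_blocklist(SAMPLE_PASSWORDS)
    for candidate in ("Password", "12345678", "tlpWENT2m"):
        print(candidate, "->", "ok" if is_acceptable(candidate, blocklist) else "rejected")
```

On the constructed sample the top ten split into three numeric sequences, five dictionary words, the site name, and abc123 as "other"; "Password" is rejected by the blocklist regardless of case, while the post's mnemonic tlpWENT2m passes. Note what the blocklist cannot see: a digit string that is not a pure run (1234567890, say) sails through unless it is also in the list, which is why real deployments check against a large breach corpus rather than a top-ten.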
Why do people choose bad passwords?
People have two types of passwords:
- Those we use regularly - they're the easiest to remember, no matter how tricky they are. I find I don't actually 'know' my usual passwords in terms of words - I'm a touch typist and my fingers remember the passwords, not my brain.
- Those we use rarely - I keep them in an encrypted file on my smart phone. The report also suggests writing them down (or at least a memory jog) and keeping them in your wallet.
Here is the recommended password from the Imperva report: tlpWENT2m
It's based on "This little piggy went to market." Personally, I find this to be a really hard password to remember correctly, unless I use it every day. Even worse, if I left just the phrase in my wallet, I'd never remember what was a word vs a letter, and what was capitalized vs lower case.
I can't fault them on suggesting ways to produce memorable, but random-looking, fields of characters. Yes, such passwords are harder to guess by trial and error. On the other hand, such passwords do us no good if we get locked out before we can try all the permutations of a semi-remembered password.