Is your password really secure enough? I thought so too, until I happened upon a fascinating analysis by data security company Imperva. Remember the hacker attack at RockYou last December? A publisher/developer of social network applications, RockYou’s widgets are wildly popular on Facebook, MyFace, and other social networks. The attack breached the RockYou database to the tune of 32 million usernames and passwords. Soon after, the breached password list was posted for a short time on a public website, available to anyone…and revealing to the whole wide world how little care most people take in choosing their passwords.
Imperva’s Application Defense Center analyzed the list and compiled their findings in a study entitled Consumer Password Worst Practices, which you can download for free after filling out a form. What the report boils down to is this: most people use passwords that are very easy to crack.
KEY FINDINGS
- Approximately 30% of users chose passwords of six characters or less in length
- Almost 60% of users chose passwords from a limited alpha-numeric character set
- Nearly half used names, slang words, dictionary words, or trivial passwords composed of consecutive digits, adjacent keyboard keys, etc.
Here are the ten most commonly-used passwords:
| Rank | Password | # of Users |
|---|---|---|
| 1 | 123456 | 290,731 |
| 2 | 12345 | 79,078 |
| 3 | 123456789 | 76,790 |
| 4 | Password | 61,958 |
| 5 | iloveyou | 51,622 |
| 6 | princess | 35,231 |
| 7 | rockyou | 22,588 |
| 8 | 1234567 | 21,726 |
| 9 | 12345678 | 20,553 |
| 10 | abc123 | 17,542 |
The next ten most popular passwords were almost as obvious. From #11 to #20 they are: Nicole, Daniel, babygirl, monkey, Jessica, Lovely, michael, Ashley, 654321, and Qwerty.
According to Imperva, if a hacker had used a list of the top 5000 passwords as a dictionary for a brute-force attack on RockYou users, it would have taken only one attempt per account to guess 0.9% of passwords—which amounts to a success rate of 1 per 111 attempts. Assuming a DSL connection with a 55KBPS upload rate and each attempt 0.5KB in size, an attacker could make 110 attempts per second, gaining access to one new account every second (less than 17 minutes to compromise 1000 accounts).
And as scary as that sounds, it’s only the beginning. The problem is exponential. After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts. Before long the hackers would be able to screw the lid off the whole jar.
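The arithmetic behind Imperva's figures is worth reproducing, because it is the same calculation a defender runs to decide whether a lockout threshold is enough. The example below is added here and is not Imperva's code; it uses the post's own numbers (the top-10 table and the 32 million breached accounts, the 55KBPS / 0.5KB throughput assumption) and its function names are this example's own.

```python
"""Quantify how guessable a password population is from a frequency table.

Added example, not Imperva's code. The top-10 counts are the post's table and
TOTAL_ACCOUNTS is the breach size the post reports; everything else is
assumed for illustration.
"""
from typing import List, Optional, Sequence, Tuple

TOTAL_ACCOUNTS = 32_000_000

# (password, number of accounts using it) from the post's top-10 table.
TOP_PASSWORDS: Sequence[Tuple[str, int]] = [
    ("123456", 290_731), ("12345", 79_078), ("123456789", 76_790),
    ("Password", 61_958), ("iloveyou", 51_622), ("princess", 35_231),
    ("rockyou", 22_588), ("1234567", 21_726), ("12345678", 20_553),
    ("abc123", 17_542),
]


def coverage(counts: Sequence[Tuple[str, int]], total: int, top_n: int) -> float:
    """Fraction of accounts whose password is among the top_n most common,
    i.e. the share an attacker reaches with top_n guesses per account."""
    return sum(c for _, c in counts[:top_n]) / total


def guesses_for_coverage(counts: Sequence[Tuple[str, int]], total: int,
                         target: float) -> Optional[int]:
    """Smallest dictionary size whose cumulative share reaches `target`.
    Returns None when the known list is too short to get there (the post's
    5%/10%/20% figures need the long tail of the full 5000-entry list)."""
    running = 0
    for n, (_, c) in enumerate(counts, start=1):
        running += c
        if running / total >= target:
            return n
    return None


def attempts_per_second(upload_kbps: float, attempt_kb: float) -> float:
    """Login attempts per second an upload link can carry."""
    return upload_kbps / attempt_kb


def seconds_to_compromise(accounts: int, success_rate: float, rate: float) -> float:
    """Expected seconds to take over `accounts` accounts when each attempt
    succeeds with probability `success_rate` at `rate` attempts per second."""
    return accounts / (success_rate * rate)


def accounts_exposed_under_lockout(counts: Sequence[Tuple[str, int]], total: int,
                                   lockout_threshold: int) -> int:
    """Accounts still reachable when a lockout allows `lockout_threshold`
    attempts per account: the attacker simply spends those on the top entries.
    This is why a blocklist of common passwords matters more than a lockout."""
    return round(coverage(counts, total, lockout_threshold) * total)


if __name__ == "__main__":
    print(f"top-1 share:  {coverage(TOP_PASSWORDS, TOTAL_ACCOUNTS, 1):.2%}")
    print(f"top-10 share: {coverage(TOP_PASSWORDS, TOTAL_ACCOUNTS, 10):.2%}")
    rate = attempts_per_second(55, 0.5)
    minutes = seconds_to_compromise(1000, 0.009, rate) / 60
    print(f"{rate:.0f} attempts/s -> 1000 accounts in {minutes:.1f} min")
    print("exposed with 5-try lockout:",
          accounts_exposed_under_lockout(TOP_PASSWORDS, TOTAL_ACCOUNTS, 5))
```

Two things fall out of running it. The post's "0.9% with one attempt" is simply the share of "123456" (290,731 of 32 million), and a lockout after five failed attempts still leaves every account using one of the top five passwords (about 560,000 of them) reachable with a single pass over the user list. Rejecting the common passwords at registration time removes that exposure; throttling alone does not.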
So let’s stop that from happening. Here’s a roundup of tips from three expert organizations that will help you devise passwords that stand a chance of keeping your data unhacked.
HOW TO CREATE A STRONG PASSWORD
Tips from NASA:
- Your password should contain at least 8 characters
- It should contain a mix of four different types of characters: upper case letters, lower case letters, numbers, and special characters such as !@#$%^&* and so on. If you utilize only one special character, don’t make it the first or last character in the password. Note: Only 0.2% of RockYou users had a password that met NASA’s first two requirements.
- It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your email address.
Tips from Imperva:
- Choose a strong password. One way to do this is to take a sentence and turn it into a password. For example, “This little piggy went to market” might become “tlpWENT2m”—a nine-character phrase that won’t be in any dictionary.
- Use a different password for every site, even those where privacy isn’t an issue. If you need to write down the password(s) to jog your memory, write down the whole sentence rather than the code you’ve developed.
- Never trust a third party (email, your bank, a doctor, etc.) with your important passwords.
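NASA's three rules and Imperva's "turn a sentence into a password" tip are concrete enough to encode as a registration-time check. The validator below is an added example, not NASA's, Imperva's or any product's code: it implements the rules exactly as the post quotes them (at least 8 characters, all four character classes, a lone special character not at either end, no dictionary word, no fragment of the user's name or email address) and adds a blocklist built from the post's own top-10 table. The dictionary and blocklist are deliberately tiny stand-ins; the function and variable names are this example's own.

```python
"""Registration-time password checker for the rules quoted in the post.

Added example; not code from NASA, Imperva or Microsoft. COMMON_PASSWORDS is
the post's top-10 RockYou list and DICTIONARY_WORDS is a constructed stand-in
for a real word list.
"""
import re
import string
from typing import List

# The ten most common RockYou passwords from the post's table (lower-cased).
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"}

# Constructed stand-in for a dictionary; a real deployment loads a full list.
DICTIONARY_WORDS = {"monkey", "princess", "lovely", "market", "piggy"}

SPECIALS = set(string.punctuation)


def check_password(password: str, name: str = "", email: str = "") -> List[str]:
    """Return the list of rule violations; an empty list means accepted."""
    problems: List[str] = []

    # NASA rule 1: at least 8 characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # NASA rule 2: all four character classes must be present.
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    missing = [k for k, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # NASA rule 2, second clause: a single special character must not sit at
    # the start or the end (where people habitually put it).
    special_positions = [i for i, c in enumerate(password) if c in SPECIALS]
    if len(special_positions) == 1 and special_positions[0] in (0, len(password) - 1):
        problems.append("only special character is at the start or end")

    # NASA rule 3: no dictionary word, and nothing from the common-password
    # list; compare case-insensitively so "Password" is still caught.
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("in the common-password blocklist")
    if lowered in DICTIONARY_WORDS:
        problems.append("is a dictionary word")

    # NASA rule 3, second clause: no part of the name or email address. Split
    # the name and the email's local part into fragments and ignore very short
    # ones, which would otherwise flag almost everything.
    fragments = re.split(r"[\s._-]+", name.lower())
    local_part = email.lower().split("@")[0] if email else ""
    fragments += re.split(r"[._-]+", local_part)
    seen = set()
    for frag in fragments:
        if len(frag) >= 3 and frag in lowered and frag not in seen:
            seen.add(frag)
            problems.append(f"contains personal fragment {frag!r}")

    return problems


if __name__ == "__main__":
    for candidate in ["Password", "tlpWENT2m", "tlp!WENT2m"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Running it on Imperva's own example is instructive: "tlpWENT2m" passes the length, dictionary and blocklist rules but fails NASA's four-class rule because it has no special character, so the two sets of advice on this page are not quite interchangeable. Moving the sentence trick one step further ("tlp!WENT2m", with the special character away from the ends) satisfies both.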
Tips from Microsoft:
- Whenever possible, use at least 14 characters.
- The greater the variety of characters in your password, the better.
- Use the entire keyboard, not just the letters and characters you use or see most often.
- Test your password with a password checker, which automatically evaluates its strength. Try Microsoft’s secure password checker.
- Never provide your password via e-mail or in response to an e-mail request. Internet “phishing” scams use fraudulent e-mail messages to entice you to reveal your user names and passwords, steal your identity, and more.
- Don’t type passwords on computers that you don’t control. Computers such as those in Internet cafes, computer labs, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Cyber criminals can purchase keystroke logging devices which gather information typed on a computer, including passwords.
- Don’t reveal passwords to others. Keep your passwords hidden from friends or family members (especially children) who could pass them on to other, less trustworthy individuals.
- Protect any recorded passwords. Don’t store passwords on a file in your computer, because criminals will look there first. Keep your record of the passwords you use in a safe, secure place.
- Use more than one password. Use different passwords for different Web sites and services.
——————
© Suzanne Rodriguez
——————