TMCnews Featured Article


July 14, 2011

Web Security Including Password Reset Software is Service Providers Responsibility

By Ashok Bindra, TMCnet Contributor


Recent analysis of tens of thousands of passwords leaked in breaches reveals a lot about password psychology and about what providers' password handling and reset software should look like.

For Sony Pictures, for example, the allegedly unencrypted password file was an embarrassment, wrote InfoWorld.com reporter Robert Lemos. (Strictly, a provider should not be able to recover the passwords at all: standard practice is to store only a salted, slow hash of each one, so that a stolen file does not directly yield the passwords.) Summarizing the conclusions of password researchers, Lemos wrote that for Sony's users the leak was an annoyance, while for the researchers the breach offered raw data for analysis.

As pointed out by InfoWorld, the top conclusion is that users pick weak passwords. Security blogger Troy Hunt, for instance, reported on his blog that half of the passwords analyzed were seven characters or fewer, and that 36 percent appeared in a dictionary of commonly used passwords.

Another Hunt finding highlighted by Lemos is that people commonly reuse passwords. Hunt compared the Sony Pictures password file with the file leaked in the earlier breach of Gawker Media's sites and found 88 email addresses that appeared in both. In two-thirds of those cases the user had the same password on both sites, InfoWorld reports.

Asking people to pick a long password that is unique to every site is a hard sell, because most users choose passwords they can remember and then use them on multiple sites, the blogger says. "If we acknowledge that passwords of significant length and uniqueness are important, you need to have a password manager," Hunt wrote on his blog. In other words, the tool that makes long, unique passwords practical for users is a password manager.

Discussing the breach problem with other password experts, InfoWorld got a different view: service providers, not users, are to blame for bad passwords, wrote Lemos. Users can choose complex passwords and avoid reusing them, but the only gatekeeper that can require a strong password from everyone is the provider, according to Lemos.

"After all, it's the service provider that sets the policy of what is an acceptable password," password research analyst Per Thorsheim told InfoWorld. Users have some control over their own fates, but the online service provider has more, asserts Thorsheim.

To Thorsheim, a researcher who has organized two conferences on the subject of passwords, it's simple psychology. "If the system accepts my choice of password, then it must be good enough," notes Thorsheim. "I expect the service provider to be better at security in their own system than I could possibly be," concludes Thorsheim, as per the InfoWorld report.

According to Lemos, in almost every case in which password researchers have obtained users' password choices, the data came from a breach caused by the provider's poor security, including how it stored and handled passwords and its password reset software, rather than by any user's choice of a weak password.
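To make the two halves of the argument concrete, here is an added Python example. It is not code from this article, from Hunt's analysis or from InfoWorld. It runs Hunt-style statistics (share of short passwords, share on a common-password list, reuse across two dumps matched by email address) over constructed sample data, and then shows the provider's side: the registration check that only the service can enforce, and storing a salted, slow hash instead of the kind of plaintext file that leaked from Sony Pictures. The sample records, the small common-password list and the 12-character minimum are all assumptions of the example, not figures from either breach.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for the Sony Pictures and Gawker dumps.
# These are invented (email, password) pairs, not records from either breach.
SONY_SAMPLE = [
    ("alice@example.com", "password"),
    ("bob@example.com", "seinfeld"),
    ("carol@example.com", "Tr0ub4dor&3"),
    ("dave@example.com", "123456"),
    ("erin@example.com", "correcthorsebatterystaple"),
    ("frank@example.com", "qwerty1"),
    ("gina@example.com", "sunshine"),
    ("hal@example.com", "abc123"),
]
GAWKER_SAMPLE = [
    ("Alice@Example.com", "password"),     # same person, same password
    ("bob@example.com", "seinfeld2"),      # same person, different password
    ("carol@example.com", "Tr0ub4dor&3"),  # same person, same password
    ("grace@example.com", "letmein"),      # not present in the Sony sample
]

# Stand-in for a list of commonly used passwords; a real deployment would load
# a large breach-derived list. This small set is an assumption of the example.
COMMON_PASSWORDS = {
    "password", "password1234", "123456", "qwerty", "qwerty1",
    "letmein", "seinfeld", "abc123",
}


def password_stats(dump, short_threshold=7):
    """Hunt-style statistics: share of short passwords and share on the common list."""
    total = len(dump)
    short = sum(1 for _, pw in dump if len(pw) <= short_threshold)
    common = sum(1 for _, pw in dump if pw.lower() in COMMON_PASSWORDS)
    return {"total": total, "short_share": short / total, "common_share": common / total}


def reuse_across(dump_a, dump_b):
    """Match accounts across two dumps by email and count identical passwords."""
    a = {email.lower(): pw for email, pw in dump_a}  # emails compared case-insensitively
    b = {email.lower(): pw for email, pw in dump_b}
    matched = sorted(set(a) & set(b))
    reused = [email for email in matched if a[email] == b[email]]
    share = len(reused) / len(matched) if matched else 0.0
    return {"matched": len(matched), "reused": len(reused), "reuse_share": share}


def provider_accepts(password, min_length=12):
    """The provider's gate at registration: the only place a policy is actually enforced."""
    if len(password) < min_length:
        return False, "too short"
    if password.lower() in COMMON_PASSWORDS:
        return False, "common password"
    return True, "ok"


def store_password(password, iterations=200_000):
    """Keep a salted PBKDF2-HMAC-SHA256 hash, never the plaintext that leaked from Sony."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    print("Sony sample:", password_stats(SONY_SAMPLE))
    print("Reuse Sony vs Gawker:", reuse_across(SONY_SAMPLE, GAWKER_SAMPLE))
    for pw in ("123456", "password1234", "correcthorsebatterystaple"):
        print(repr(pw), "->", provider_accepts(pw))
    rec = store_password("correcthorsebatterystaple")
    print("verify correct:", verify_password(rec, "correcthorsebatterystaple"))
    print("verify wrong:", verify_password(rec, "password"))
```

On the sample data the reuse check finds three accounts in both dumps and two of them sharing a password, the same two-thirds ratio Hunt reported for the 88 real matches. The point of the second half is Thorsheim's: the length and dictionary rules live in provider_accepts, where the service decides what it will accept, and store_password is what the provider owes its users regardless of what password they chose.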


Ashok Bindra is a veteran writer and editor with more than 25 years of editorial experience covering RF/wireless technologies, semiconductors and power electronics. To read more of his articles, please visit his columnist page.

Edited by Jamie Epstein