infoTECH Feature

February 23, 2010

Study Reveals Weak and Vulnerable Passwords

Juggling passwords for all the different Web sites and network accounts we access these days is an ongoing challenge. Most of us probably fall into the trap of using either weak passwords or using the same password everywhere. But a recent study from security firm Imperva revealed just how fragile and vulnerable the passwords were at one particular Web site.
 
Imperva checked out 32 million different passwords from actual users to uncover their strengths and weaknesses. How could it analyze so many? These passwords were actually revealed last December by a hacker who used a SQL injection attack to extract them from a Web site called Rockyou.com. The hacker then posted the passwords on the Internet, fortunately without including any names or other identifiable information. In seizing the opportunity to review all of the passwords, Imperva uncovered a huge number that were extremely simple and easy to crack, which the company detailed in a report.
 
In general, studies have found that people tend to use passwords that are too short and simple, making them vulnerable to brute force attacks. These attacks are launched by hackers who use password-cracking software that keeps trying until it finds the right password. Even worse, many people use the same or similar passwords for all Web sites and other accounts they access. So if a password is discovered for one account, all of that person's other accounts are vulnerable.
 
Among the 32 million hacked passwords that Imperva analyzed, almost 30 percent were six characters or fewer, while 50 percent were seven characters or fewer. Around 60 percent of the passwords used a limited set of alphanumeric characters—specifically, 40 percent used only lowercase letters, 16 percent used only digits, and less than 4 percent used special characters such as #%$*&.
 
Further, 50 percent of the passwords were names, slang words, dictionary words, or trivial passwords (ones made of consecutive digits typed from the keyboard). The most common password found on Rockyou.com was 123456. Other popular passwords on the site included 12345, Password, iloveyou, rockyou, and abc123.
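To make the categories in those figures concrete, here is an added Python audit script (not code from the Imperva report or from this column) that breaks a password list down the same way: length buckets, single-character-class passwords, presence of special characters, and dictionary or trivial passwords. The sample corpus and the small word list are constructed for the demo, so the percentages describe only that sample, not the RockYou data.

```python
from collections import Counter

# Constructed sample corpus for the demo; NOT data from the RockYou breach or the Imperva report.
SAMPLE_PASSWORDS = [
    "123456", "123456", "12345", "password", "password", "iloveyou", "rockyou",
    "abc123", "qwerty", "Summer2009", "tlpWENT2m", "P@ssw0rd!", "j3nny",
    "maryhadalittlelamb",
]

# Tiny stand-in word list (constructed); a real audit would load a full dictionary file.
COMMON_WORDS = {"password", "iloveyou", "rockyou", "qwerty", "letmein", "monkey"}


def char_classes(pw):
    """Return the set of character classes present: lower, upper, digit, special."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def is_keyboard_sequence(pw):
    """True for a run of consecutive characters in either direction (123456, abcdef, 654321).

    This is the 'trivial password' category in the text: consecutive digits typed from the keyboard.
    """
    if len(pw) < 3:
        return False
    codes = [ord(c) for c in pw.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def audit(passwords):
    """Percentage of the corpus falling into each of the study's categories (rounded to 0.1)."""
    if not passwords:
        return {}
    n = len(passwords)
    hits = Counter()
    for pw in passwords:
        length = len(pw)
        if length <= 6:
            hits["len_le_6"] += 1
        if length <= 7:
            hits["len_le_7"] += 1
        classes = char_classes(pw)
        if classes == {"lower"}:
            hits["lower_only"] += 1
        if classes == {"digit"}:
            hits["digit_only"] += 1
        if "special" in classes:
            hits["has_special"] += 1
        if pw.lower() in COMMON_WORDS or is_keyboard_sequence(pw):
            hits["dictionary_or_trivial"] += 1
    return {key: round(100.0 * count / n, 1) for key, count in hits.items()}


def most_common(passwords, k=3):
    """The k most frequently reused passwords in the corpus and how often each appears."""
    return Counter(passwords).most_common(k)


if __name__ == "__main__":
    for key, pct in sorted(audit(SAMPLE_PASSWORDS).items()):
        print(f"{key:22s} {pct:5.1f}%")
    print("most common:", most_common(SAMPLE_PASSWORDS))
```

Run against a real list, the `most_common` output is what surfaces the 123456-style favourites, and the `audit` percentages show how much of a user base a short, single-class brute-force run would cover.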
 
What lessons can be learned from these weak and vulnerable passwords? Based on its findings, Imperva devised a list of general recommendations for creating good passwords.
 
A strong password should have at least eight characters. Rockyou.com’s minimum password length was only five characters. The password should contain a mix of four different types of characters: uppercase letters, lowercase letters, numbers, and special characters. If only one letter or special character is included, it shouldn’t be the first or last character in the password. A good password should not be a name, a slang word, or any word in the dictionary. The password shouldn't incorporate any part of your own name or e-mail address.
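The checklist above maps directly onto code. The following Python checker is an added example, not Imperva's or the column's own code: `password_problems` applies each of the listed rules and returns the ones a candidate violates, and `keyspace_bits` puts a number on the "longer is harder to crack" point by computing the size of the search space a brute-force tool would have to cover for the password's length and alphabet. The word list and the assumed alphabet sizes (32 printable symbols) are constructed for the demo.

```python
import math
import re

# Tiny stand-in word list (constructed); load a real dictionary file in practice.
DICTIONARY = {"password", "iloveyou", "rockyou", "letmein", "welcome", "monkey", "dragon"}

# Assumed alphabet sizes for the brute-force estimate: a-z, A-Z, 0-9 and 32 printable symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def _classes(pw):
    """Characters of pw grouped by class, preserving order within each group."""
    return {
        "lower": [c for c in pw if c.islower()],
        "upper": [c for c in pw if c.isupper()],
        "digit": [c for c in pw if c.isdigit()],
        "special": [c for c in pw if not c.isalnum()],
    }


def _personal_tokens(name, email):
    """Name parts and the local part of the e-mail address, lower-cased, three characters or longer."""
    local = email.split("@")[0] if email else ""
    tokens = re.split(r"[^a-z0-9]+", f"{name} {local}".lower())
    return {t for t in tokens if len(t) >= 3}


def password_problems(pw, name="", email=""):
    """Return the list of checklist rules the password violates; an empty list means it passes."""
    if not pw:
        return ["empty password"]
    problems = []
    cls = _classes(pw)
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not all(cls.values()):
        problems.append("does not mix lowercase, uppercase, digits and special characters")
    # A lone letter or lone special character must not be the first or last character.
    letters = [c for c in pw if c.isalpha()]
    for group, label in ((letters, "letter"), (cls["special"], "special character")):
        if len(group) == 1 and group[0] in (pw[0], pw[-1]):
            problems.append(f"the only {label} is at the start or end")
    # Reject dictionary words, including ones merely padded with digits or symbols.
    letters_only = "".join(letters).lower()
    if pw.lower() in DICTIONARY or letters_only in DICTIONARY:
        problems.append("is a dictionary word (possibly padded with digits or symbols)")
    for token in sorted(_personal_tokens(name, email)):
        if token in pw.lower():
            problems.append(f"contains part of your name or e-mail address ({token})")
            break
    return problems


def keyspace_bits(pw):
    """log2 of the number of candidates a brute-force run must cover for pw's length and alphabet."""
    cls = _classes(pw)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if cls[name])
    return len(pw) * math.log2(alphabet)


if __name__ == "__main__":
    for candidate in ("tlpWENT2m", "tlp!WENT2m", "Password1!", "maryhadalittlelamb"):
        print(f"{candidate:20s} {keyspace_bits(candidate):5.1f} bits  {password_problems(candidate) or 'OK'}")
```

Two things the checker makes visible that the prose does not: the column's own sample password tlpWENT2m fails the four-class rule (it has no special character), and an 18-letter lowercase passphrase such as maryhadalittlelamb has a far larger brute-force search space than a 9-character mixed password, which is the argument for allowing passphrases in the first place.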
 
Beyond those recommendations, Imperva laid out a few more specific tips.
 
Always choose a strong password for sites where you store private information, and use a different password for each account. If you have trouble remembering strong passwords, as most people do, turn a sentence into a password. For example, transform the phrase "This little piggy went to market" into the password "tlpWENT2m". The Imperva report also suggests that, to help you remember your passwords, you write down a phrase or other clue on a piece of paper that you keep with you.
 
IT admins responsible for keeping their users and network safe and secure should also adopt some basic principles governing the use of passwords, advises Imperva.
 
Consider enforcing strong passwords; otherwise your users will stick with weak, simple ones. Strong passwords can be enforced through Group Policy as well as other domain tools. As part of that policy, make sure you require users to periodically change their passwords. You may also want to allow and encourage your users to use passphrases, e.g., maryhadalittlelamb, instead of passwords. Long sentences are more time-consuming to type, but they’re easier to remember. The longer the sentence, the harder it is to crack.
 
If you manage a Website, ensure that passwords are not sent or stored in clear text. Always use https for pages that require a login. Also, you can better guard against brute force attacks by using features such as CAPTCHAs to ensure that an actual person is trying to log in rather than an automated program.
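"Not stored in clear text" in practice means storing a salted, deliberately slow hash of each password and comparing in constant time, so that a database dump of the kind behind this study yields hashes rather than passwords. The following Python login service is an added example, not code from the article or from Imperva: it uses PBKDF2-HMAC-SHA256 from the standard library, a random 16-byte salt per user, and a per-account failure counter that returns "challenge" once the limit is hit, which is the point at which a site would demand a CAPTCHA before accepting more attempts. The iteration count and the failure threshold are constructed values chosen to keep the demo quick.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed demo value; raise it as far as your login latency budget allows
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>'."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the hash with the record's own salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# Verified against for unknown usernames so that "no such user" costs the same time as a wrong password.
_DUMMY_RECORD = hash_password("not-a-real-password")


class LoginService:
    """In-memory user store; a real site would keep the records in a database over HTTPS-only pages."""

    MAX_FAILURES = 5   # constructed threshold; after this many misses the caller must solve a challenge

    def __init__(self):
        self._records = {}
        self._failures = {}

    def register(self, username, password):
        self._records[username] = hash_password(password)   # the plaintext is never stored

    def login(self, username, password):
        """Return 'ok', 'denied', or 'challenge' (too many failures: require a CAPTCHA first)."""
        if self._failures.get(username, 0) >= self.MAX_FAILURES:
            return "challenge"
        record = self._records.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)
            return "denied"
        if verify_password(password, record):
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "denied"


if __name__ == "__main__":
    service = LoginService()
    service.register("alice", "tlp!WENT2m")
    print(service._records["alice"])            # salted hash record, not the password
    print(service.login("alice", "tlp!WENT2m"))  # ok
    print(service.login("alice", "123456"))      # denied
```

Because the record carries its own algorithm name and iteration count, the cost parameter can be raised later and old records re-hashed on the user's next successful login without a migration; the constant-time comparison and the dummy verification for unknown usernames close the two timing side channels a naive implementation leaks.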
 
I think Imperva definitely shines a light on a growing problem. As we work with more systems on the job—email, software, Web-based apps, and Websites—we’re forced to juggle more and more passwords. But I don't think that asking people to write down password clues or trying to remember a different password for each account and Website is realistic. Even corporate password policies only go so far in that they can cover network accounts but not individual Websites.
 
So what can users and IT admins do to strengthen passwords? In my next column, I’ll talk a bit more about password management and offer other ideas for maintaining strong passwords.
 

Lance Whitney is a journalist, IT consultant, and Web developer with almost 20 years of experience in the IT world. To read more of Lance's articles, please visit his columnist page.

Edited by Patrick Barnard