[Security] 123456 is the most commonly used Password
If you use online services such as email accounts (e.g. Gmail, Yahoo Mail), social networking websites (e.g. Facebook, MySpace, Orkut), online banking accounts or services like PayPal, online advertising accounts (AdWords, AdSense), or use credit cards online or run a website (like me), having a secure, strong password is a must.
Recently (in December 2009), Rockyou.com got hacked and the attackers gained access to millions of passwords. Imperva has now published its findings in a report titled “Consumer Password Worst Practices”. The analysis carried out in the report is really interesting and presents a strong case for stronger passwords. In the case of RockYou, the hacker not only got hold of the passwords but also posted the full list of 32 million of them to the Internet (with no other identifiable information).
The Imperva Application Defense Center (ADC) analyzed the strength of the passwords released by the hacker.
Key findings of the report released by Imperva ADC
- About 30% of users chose passwords whose length is equal or below six characters.
- Almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”. The runner-up is “12345”.
Below is the table listing the top 20 most common passwords in the database.
If you are wondering how a hacker can ever make use of this information, you might just want to go and google “brute-force attack” and “dictionary attack”.
Password Recommendations for end users
1. Choose a strong password for sites where you care about the privacy of the information you store. Bruce Schneier’s advice is useful: “take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary.”
2. Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can’t remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”
3. Never trust a 3rd party with your important passwords (webmail, banking, medical etc.)
Password Recommendations for webmasters and system administrators
1. Enforce strong password policy – if you give the users a choice, it is very likely that they would choose weak passwords.
2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
3. Make sure passwords are not kept in clear text. Always digest password before storing to DB.
4. Employ aggressive anti-brute-force mechanisms to detect and mitigate brute-force attacks on login credentials. Make these attacks too slow for any practical purpose, even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
5. Employ a password change policy. Trigger the policy either by time or when suspicion for a compromise arises.
6. Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.
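To make recommendations 1 and 3 concrete, here is an added example in Python (not code from this post or from the Imperva report): a policy check that rejects the weak patterns the report describes (short passwords, a single character class, breached passwords, consecutive digits, adjacent keyboard keys), and salted PBKDF2 hashing so the database never holds the clear-text password. The breached-password sample, the minimum length of 8 and the iteration count are assumptions.

```python
import hashlib, hmac, os, re

# Constructed sample of breached passwords (the page names "123456" and
# "12345" as the two most common); a real deployment loads the full list.
COMMON_PASSWORDS = {"123456", "12345", "password", "iloveyou", "qwerty"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8  # assumed policy value; the report flags <= 6 as weak
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the stored digest

def _has_sequence(s, run=4):
    """True if s has `run` chars stepping +1 or -1 ("1234", "dcba")."""
    for i in range(len(s) - run + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False

def _has_keyboard_walk(s, run=4):
    """True if s contains a run of adjacent keys from one keyboard row."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            if row[i:i + run] in s or row[i:i + run][::-1] in s:
                return True
    return False

def password_problems(pw):
    """Return the policy violations for pw; an empty list means acceptable."""
    low = pw.lower()
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^a-zA-Z\d]"))
    checks = [
        (len(pw) < MIN_LENGTH, "too short"),
        (classes < 3, "too few character classes"),
        (low in COMMON_PASSWORDS, "in breached-password list"),
        (_has_sequence(low) or _has_keyboard_walk(low), "trivial sequence or keyboard walk"),
    ]
    return [msg for bad, msg in checks if bad]

def hash_password(pw):
    """Salted PBKDF2-HMAC-SHA256 digest: the 'digest before storing' step."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(pw, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Schneier's "tlpWENT2m" from the recommendations above passes every check, while "123456" fails all four.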
Check out the complete white paper released by Imperva by clicking here.
Some of the previous articles on Technofriends where I have written about ways to choose secure passwords:
1.) [How-To] Choose A Secure Password
2.) Password Chart can help you choose secure passwords
You can follow me on Twitter at http://twitter.com/vaibhav1981