Analysis of 32 Million Breached Passwords

← Back to Stories (view on slashdot.org)

Analysis of 32 Million Breached Passwords

Posted by CmdrTaco on Thursday January 21, 2010 @01:42AM from the trust-no-1 dept.

An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

12 of 499 comments (clear)

Min score:

Reason:

Sort:

The Top 10 by goldaryn · 2010-01-21 01:48 · Score: 4, Informative

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

By a massive coincidence, these happen to be the passwords for their respective /. userids!
actual list of passwords? by naz404 · 2010-01-21 01:52 · Score: 4, Informative

Does anyone have the list of passwords itself?

It would be fun to perform one's own statistical analysis of the list :)
Here's the top 20 most common passwords used according to the report:
Rank Password # of Users
1 123456 290731
2 12345 79078
3 123456789 76790
4 Password 61958
5 iloveyou 51622
6 princess 35231
7 rockyou 22588
8 1234567 21726
9 12345678 20553
10 abc123 17542
11 Nicole 17168
12 Daniel 16409
13 babygirl 16094
14 monkey 15294
15 Jessica 15162
16 Lovely 14950
17 michael 14898
18 Ashley 14329
19 654321 13984
20 Qwerty 13856

--
http://www.object404.com
1. Re:actual list of passwords? by enbody · 2010-01-21 03:34 · Score: 2, Informative
  
  http://thepiratebay.org/torrent/5232943/RockYou.com_UserAccount-passwords
Re:Password strength vs. how often you change it by Rockoon · 2010-01-21 01:54 · Score: 4, Informative

My company (over 10,000 employees, not in the computer industry) does the same thing, but the really annoying part..

..it must be EXACTLY 2 letters, followed by EXACTLY 4 digits.

So even allowing for upper case (which I am not sure that it differentiates), the total password space is only 2704000000.

The size of this space can conveniently fit into a 32-bit value, which is probably what they are doing: storing passwords in an integer field.

Did I mention that they pay our IT department $11/hour?

Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...

--
"His name was James Damore."
Why Is That Interesting? by Dun+Malg · 2010-01-21 02:00 · Score: 4, Informative

Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.
Why is it any surprise that people tend to approach passwords as a pass-WORD? It has to be something they can remember, and remembering a string of characters they can't pronounce is far more difficult than remembering (say) their favorite basketball team and the year they graduated high school.

--
If a job's not worth doing, it's not worth doing right.
1. Re:Why Is That Interesting? by Megane · 2010-01-21 02:37 · Score: 2, Informative
  
  There's no reason something can't be both pronounceable and secure. Start with two nonsense syllables, and add a special character between them. Not quite as "secure" as a completely random password, but much less likely to be written down, plus some of the letters can be l33t3d for variant forms. Make three base words for various levels of usage (one for regular web stuff, one for login passwords, and another rarely used for important stuff), and you can even keep around hints for rarely used passwords with one letter and a bunch of ## or @@ symbols for the parts that change.
  A good way to make something pronounceable is with the old "D&D character name generator" type of program, making a CVCCVC name. So you get, for instance, DORLOT (FWIW, I cheated just now and used an alpha D20), and don't tell me you can't pronounce that. Then some variant passwords from that would be "dor%lot", "d0r##lOt", and "D0r:*!o+". They're still "dorlot", but the result is a lot more secure than picking a dictionary word and puts you into that tiny wedge on TFA's pie chart. And while they're all similar, they're different enough that a compromise in one place won't let someone get into every account you have anywhere.
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Re:Password strength vs. Validation Rules by Synn · 2010-01-21 02:51 · Score: 3, Informative

Or worse, that little file on the PC desktop with a list of userid/passwd combo's.
Just use a password store utility instead of a text file. They encrypt a file that stores the passwords.
Re:Password strength vs. Validation Rules by nickyj · 2010-01-21 03:12 · Score: 4, Informative

KeePass is an excellent utility, available for Windows, Linux, and other platforms. It's simple, quick to use, and configured correctly, you will only have to learn one password the one to unlock the encryption file.

--
Causing Chaos Everywhere,
Nik J.
The strange world of a loner, in a populous city, drowning in society
Passwords by Stooshie · 2010-01-21 03:18 · Score: 4, Informative

I worked for a company that ran a birth/death/marriage certificate site. People were having problems logging in, so we kept a log of passwords that did not result in a successful login.

We found that one of the most commonly typed passwords that was denied was "case-sensitive".

Needless to say, we soon took off the "Your password is case-sensitive" text from the login page.

--
America, Home of the Brave. ... .and the Squaw.
Re:Password strength vs. how often you change it by clodney · 2010-01-21 03:19 · Score: 4, Informative

It may narrow the nominal keyspace, but it almost certainly increases the average keyspace that needs to be searched. Without the complexity requirements most people will use a dictionary word or something like that. And the company wants to keep all the accounts secure, so it has to care about the average password.
And think of it this way - in a keyspace that requires 10 numeric digits, what percentage of the total keyspace is consumed by anything containing less than 10 digits? seems to me you have only given up 10% of the space, and an even smaller percentage if you consider the full printable range of characters instead of just numerics.
Faulty Data in Report Linked in Summary by mnslinky · 2010-01-21 05:04 · Score: 2, Informative

I've been playing around with the password file, and there are some gross errors in the report.
First, their top 20 list has many passwords with capital letters, where none actually exist in the 'real' top 20. Also, their numbers are off. I am guess they used a case-insensitive match, which for most passwords will not work. The 'real' top 20, which case respected is:
290729 123456
79076 12345
76789 123456789
59462 password
49952 iloveyou
33291 princess
21725 1234567
20901 rockyou
20553 12345678
16648 abc123
16227 nicole
15308 daniel
15163 babygirl
14726 monkey
14331 lovely
14103 jessica
13984 654321
13981 michael
13488 ashley
13456 qwerty
You can download my list of all common passwords used by more than 1000 people at http://www.secure-computing.net/files/count_gt_1k.txt (1KB file) which maintains case. A file without the counts is at http://www.secure-computing.net/files/gt_1k.txt for use with john, etc.
Re:Password strength vs. how often you change it by Carnildo · 2010-01-21 08:44 · Score: 2, Informative

I wish someone (ISO? NIST? DOHS?) would establish an honest-to-god STANDARD for what makes a strong password.
That's impossible. A password's strength is related to its Kolmogorov complexity, and Kolmogorov complexity is incomputable.

--
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.