Analysis of 32 Million Breached Passwords

An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

Password strength vs. how often you change it

My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.

Re:Password strength vs. how often you change it

At my work we are all required to logon with Smart Card and PIN. Nobody has these "passwords" of which people speak. Shoulder surfers don't have my Smart Card, so lots of luck if they think getting my PIN was very important.

Re:Password strength vs. how often you change it

[WuphonsReach]

My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.

It's a leftover idea from a bygone decade.

The primary advantage of a required monthly or bi-monthly change is that if a password is compromised, it's only useful for about 1/2 of the expiration period. So it's a way of reducing risk in the case of accidental or nefarious disclosure.

But the big downside is that it requires users to be constantly learning new passwords every month or so. And unless these passwords are automatically assigned, users WILL pick weaker and weaker passwords over time or passwords that fit into an easily remembered sequence. So you really end up back where you started.

Forced password renewal is a valid strategy in a small number of cases. Such as a system which protects billions of dollars in assets or is super super critical to the business. But in those cases, there should be 2-factor authentication in play anyway and the passwords probably only need to be changed every 3-6 months and should be randomly assigned.

For end users? Limit their permissions, force complex passwords, but don't require them to change frequently (*maybe* once every 2 years). Tell them to go ahead and write the passwords down and store them in their wallet next to their credit cards. Which is at least a huge step up from putting it under the keyboard or stuck to the monitor.

Longer passwords are also easier to remember if they are used frequently (at least daily). But for some users, it may take as long as 2-3 weeks for them to remember it without looking.

Re:Password strength vs. how often you change it

[Ploum]

That's highly annoying. Even more if this is a web proxy password and that, each month, you have to change the proxy password for every f*** application that connect to the web (That Windows OS is really really bad).

I took another approach :

1) informing the computer dpt that it's a very bad idea. Here are some links:
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://ploum.frimouvy.org/images/dilbert.png
http://ploum.frimouvy.org/?177-le-gilet-de-sauvetage-et-le-tgv (in french)

2) of course, they won't change. So consider : what will you loose if you password is corrupted ? Nothing personal. Only stuffs from the company that didn't want to hear you. Should you have a more complicated life because they are too dumb ?

3) if the answer is no, simply change your password to :
yearmonth. That makes it : january2010. Easy to remember and will change all the time.

4) Share the tip with your collegues. Anyway, they should have access to my files, you are working together, isn't it ? Guess what ? Most thought it's a good idea and do the same.

Result : easier work for everybody.
Security ? You tried to improve it, you were not listened. That's their problem now.

PS: of course, be careful to analyse what you are sharing and what are the risk. I will never do that for my personal stuffs.

PPS: even better solution. Try to think about systems that cannot change their password, like the backup system. Usually, that login/password has access to everything in the company, doesn't change and is really easy to find if you know where to look. (and is, 99%, something like "permanent_pass" or "autologin"). That's make your life even more easier.

Re:Password strength vs. how often you change it

[nine-times]

..it must be EXACTLY 2 letters, followed by EXACTLY 4 digits.

That's retarded.

I've thought about this sort of thing before, where password policies also have the effect of narrowing the number of possible passwords. For example, it's pretty standard for a company to have a policy like, "Your password must be at least 10 characters, contain at least one capital letter and one lower case letter, contain at least 1 number and one non-alpha-numeric character." And yes, it's true that keeping these policies has the effect of increasing the number of combinations, but it also is simultaneously narrowing the combinations.

If a hacker knows this policy and were to try a brute-force attack, they would be able to disregard any possible passwords made of 7 characters or less. They would be able to get rid of all combinations that were all lower-case, all upper-case, or even all alphanumeric. I haven't done the math and I'm sure that requiring some of these things are still a net gain, but it struck me as funny. Like if someone were to try a very clever brute-force attack that didn't bother trying all-alphanumeric passwords, then "password" would in that case be a safer password than "*pQQ\K6"XSiM". It might take him a million years to get to "*pQQ\K6"XSiM", but he'd never try "password".

Re:Password strength vs. how often you change it

[rickb928]

Funny.

People familiar with Windows won't be recommending a command available on Windows. Your example is several commands. Which one?

Seriously, strong passwords require some creativity and of course some investment by the user. If you've administered a fairly large (or even small) corporate network for any length of time, you know users generally are not overly concerned about security until they are personally inconvenienced. Then they blame everyone else.

This is a corporate issue, as important as financial controls and marketing. Some corporations, of course, suck at those functions too, so no surprise. But security is a core process nowadays. If you value your job, you will be diligent at your password management. If not, well, you take the change that you will be reading about the reasons for the demise of your employer while you search for your next I Hate Passwords job.

Where I work, I currently have 12 unique passwords, used on 27 differnet systems. My personal passwords are a different matter, when I use over 50 unique passwords for various online stuff.

I use combinations of

- variations on a theme; like password1, password2, password03, passwordH, passordT%
- reversed passwords; carrot, torrac, trouble, elbuort
- word-sounding passwords; c@rr0T, St!ck, b@g3!, myb!rtH@^, these are bad examples.

Since my eBay account was compromised about 2 years ago, I've gotten harder about passwords.

Now my wife, she seems to cling to passwords like lost children. I'm working on her.

Passwords are as necessary as rain.

Re:Password strength vs. how often you change it

And this is why people hate passwords.

People just want to get to their info / do their work. They don't want to have to be a mathlete to do their simple mind-numbing data entry job.

2-factor logins on secure, network unreachable devices is the best way to go. Or 3 factor with biometrics or something.

Spending 20 minutes generating the password to your slashdot account is not time well spent.

Why does password strength matter?

[geekmux]

...Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

Er, does it REALLY matter anymore the strength of your password with the FBI using post-it notes as a search warrant? I mean I hate to say that, but seriously.

On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.

Re:Why does password strength matter?

[AndersOSU]

Well it doesn't matter (and it never did) if you're selecting passwords so the FBI can't read your secret diary.

If, on the other hand, you're concerned about someone in Russia gaining access to your credit card it still matters.

Re:Why does password strength matter?

[Omegium]

Do you really think that the FBI is your greatest enemy online?
IT IS NOT.
It is nice to think that you are enemy of the state nr 1 and that everybody cares about your secrets, but that's not the case. You should worry about phishers and other criminals, not about law enforcement. And they don't use search warrants. They need to crack passwords

Given the sample set, is it a surprise?

I vary the strength of my passwords based on the importance of them being secure.

More secure passwords are typically harder to remember. My financial related passwords are much more secure than my Facebook password because I really don't give a damn if someone breaks into my facebook account.

Re:Limited in Password size and chars

[Scutter]

The report makes it painfully obvious that passwords are an ineffective way to secure information because too many people find strong passwords cumbersome. Maybe we need to come up with something better.

Look at the user base for RockYou...

[adosch]

RockYou is a MySpace photo/video sharing site (from what I could gather from googling, never used it myself) and it's certainly no excuse that people implement bone-head password choices such as the 10 shame shame list FTFA. However, I didn't really see the article address or even consider that their target users on the RockYou site aren't generally what geek, wanna-be security folks on /. are security conscious. I'm glad the analysis and study was done, but I'm really not surprised. If people are picking '123456' as the #1 password, as much as we have a PEBKAC situation on our hands, fault RockYou for not implementing some sort of semi-secure password standard.

Keep in mind, this is RockYou.com

[tunabomber]

Is it even worth the effort of coming up with a secure password for that site? If I had for some reason found it necessary to register with such a vapid site I would have just re-used one of my low-security passwords (which many other sites have access to). It isn't too surprising that nobody cares whether someone else is using their account to steal their noisy, eye-burning flash videos. What is far worse is if people are re-using passwords from much more important sites. In this case, it doesn't matter if your password is a random string of letters, numbers and special characters.

Not really suprising

[jmauro]

Since most sites have a bunch of silly restrictions (no special characters, no more than 8, etc) most systems if the don't enforce strength, randomness, etc will degrade down to the lowest level where the password will work on all the systems.

Re:The Top 10

Is there a reason to have a really strong password on "rockyou.com"?

Maybe since it integrates with facebook and the like?

I'm really annoyed when all I want to do listen to some online music (ie pandora, etc) and the web site gets pissy because I choose pandora as my password.

Why should I care?

Why surprising?

[argStyopa]

"Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords."

Not surprising at all, because the rules for what you CAN use as passwords are so inconsistent. Some places REQUIRE non alphanumerics, but have a limited choice of what you can use. Some don't accept ANY non alphanumerics, some will accept them but again it's different from site to site.

I don't know about you, but I've probably got 100 different passwords rattling around in my brain. I'd guess most people are like me in that they see passwords as a necessary evil but otherwise a giant pain in the ass, and so accept the slight increase in security risk by using a system that changes predictably (at least for me) from site to site. So I'm not going to use a base-password or base-concept that includes any characters that might be disallowed on some other site.

Too often is bad too.

[suso]

I dealt with a bank once that expected its customers to change its passwords every 2 weeks. So obviously what happened is every time a customer needed to check their bank account, probably once a month, they were locked out. Now this isn't necessarily the problem here. The problem is that with people having to call in every time to reset their password, it becomes such a norm that it probably drastically increases the potential for social engineering.

repost from my comment on nyt:

[circletimessquare]

intelligent password management:

pick something you will always remember say "frankie45"

lets say the website you are visiting is facebook.com

so your password there will be "frankie45face"

and your password at twitter.com would be "frankie45twit"

in other words, you want to use what's called an algorithm

make your ALGORITHM unique, not your password. so maybe your algorithm would be "'twenty23' plus the second through fifth letters in the website's name plus my daughter's birthday" or whatever

the point is: having one password across all websites is a vulnerability, and having simple passwords is a vulnerability. so instead, don't remember a password, remember an ALGORITHM that you can use to recreate your password for any site on the fly

by the way, i got this idea from a slashdot thread, and it was an eureka moment for me, and i went about resetting all my passwords

i forget the thread or the user id of whoever made the comment, but it was a password related subject matter and i think it was in the last 6 months or so

whoever you are, and i hope you read this: thank you!

Re:repost from my comment on nyt:

[Culture20]

pick something you will always remember say "frankie45" lets say the website you are visiting is facebook.com so your password there will be "frankie45face" and your password at twitter.com would be "frankie45twit"

And if you use the same username on all of the sites, all it takes is one unscrupulous (or incompetent) site manager to quickly have your other accounts accessed.

Re:repost from my comment on nyt:

When a hacker gets access to an unencrypted database of one site's passwords (like in the case the story is about), he has your password to all other sites if he can link your usernames (Your Slashdot alias is "circletimessquare", your gmail address is "circletimessquare@gmail.com"...). The scheme you propose is hardly better than using the same password everywhere.

One had to dig deep for this gem...

[pongo000]

I don't know if anyone bothered to read the full report, but I found this recommendation tucked in at the end of the report:
ast character in the password. (pg. 3)

Allow and encourage passphrases instead of passwords. (pg. 5)

And I say amen, amen to that. I've done quite a bit of personal research in this area, and have found passphrase systems to be far superior in terms of security and ease of use/recall over random combinations of characters. For years I've used the list provided at Diceware to generate my passphrases, and I have no problem still recalling little-used 5- or 6-phrase passphrases years later.

The idea that random sequences of characters is somehow superior to a passphrase of equal entropy is a myth borne of ignorance and a resistance to change. So long as companies that know better keep forcing their minions to adhere to a strict range of letter/number combinations, we'll continue to be saddled with the problem presented by the Rockyou.com crack.

Re:Same problem as 20 years ago

[CaroKann]

The article concludes that after 20 years of dealing with this problem, "It’s time for everyone to take password security seriously". That is the wrong conclusion. If things have not improved after 20 years, then they are not going to improve ever.

The password concept needs to be replaced with a better concept. I think the password idea has been proven to be a bad concept due to human nature.

Re:Password strength vs. Validation Rules

[wwwillem]

It is not just the mandatory password changes that increases the mess. It is also that each and every site has different validation rules. If I could use one-and-only strong password for many sites, then I could remember that. However, some sites _require_ special characters, while others _forbid_ it, etc, etc. So each time you end up inventing something on the spot, and then two months down the road you've forgotten it.

I guess that I've 50 passwords to remember, so if I can't do that with just a few (I don't use the same password for my online banking as for my slashdot login :-) then it quickly becomes Post-it time again. Or worse, that little file on the PC desktop with a list of userid/passwd combo's.

security now had a show about this

[jollyreaper]

I understand why you don't want to use dictionary words for passwords, too easy to brute-force. Though how likely is it that servers these days would sit still while a single account fails login ten thousand times? I know once the hacker is in, he can then run the hash file against the dictionary and back into the passwords of other accounts. But wouldn't even a dictionary word with a number or two after it be fine? duck1234 should be just as secure as duck!@#$, right?

I'm running through the ways you can get hacked and what a secure password would mean.

1. Guessing by a person sitting at your computer, brute force hacker from outside, running the dictionary against the hash -- strong is good.
2. Your PC gets rooted, your keystrokes are captured -- strength doesn't matter a bit, you typed it in for the hacker and he won't even have to touch the keyboard when his scripts hit your account and drain it.
3. Data breach and your password is stolen -- Why was it stored in plaintext? Regardless, they have it and can copy and paste if they use it.

The consensus on security now was that draconian policies on the part of IT without any seeming rhyme or reason to the employee will simply foster non-compliance and animosity towards IT.

Design your own coding system

[aussersterne]

so that you don't need to be sitting in from of your own Linux command line to remember your passwords. I use a base of two nonsense pairs (things like AkB and jzQ) and then use positions 4 and 5 in the password as a code for the type of site and "rank" in terms of frequency of use, for example (these aren't mine but you get the idea):

! (shift-1) = social networking
@ (shift-2) = banking
# (shift-3) = utilities / bill payments

1 = site in this category I use most
2 = second most used site
3 = third most used site

and so on. So the base for something like Facebook using a system like this might be A@B!1jzQ, for Twitter maybe AkB!2jzQ, and for my primary bank account AkB@1jzQ (invariant components AkB and jzQ, with @ [for banking] and 1 [for most used] sandwiched in between them).

Then, I postfix the password with the number of the instance of the password.

A = first use
B = first mandated change
C = second mandated change
D = third mandated change

and so on. So after the third change, my primary banking password at a bank might be:

AkB@1jzQD

After they ask me to change it again, it will increment to:

AkB@1jzQE

and so on.

This way, there is always a base of predictability to my passwords (usually enough to get it within three tries) and the variable information is context-based in a way that is only meaningful to me and no two sites will ever share the same password.

The only place this falls down is when sites mandate their own password structure (max or min length, etc.) but it usually works (includes uppercase, lowercase, symbols, and numbers, which is enough to make most of them happy) and the few sites that don't allow such passwords are far enough between to stand out in my memory, meaning that I don't forget the specially-formed exceptions that I created for those sites.

A system like this won't work for everyone, but for most people with a reasonable IQ, it's good enough, once you can get them to buy into the need for password security and for them to design their own system.

Stupid

[Kral_Blbec]

There is a very simple way to prevent 100% of brute force attacks. Permenant/temporary lockout after 3 failed attempts. Its a lot harder to make 100 million guesses when you can only make 3 per day.