Slashdot Mirror


Analysis of 32 Million Breached Passwords

An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

11 of 499 comments

  1. Password strength vs. how often you change it by Anonymous Coward · · Score: 5, Insightful

    My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.

    1. Re:Password strength vs. how often you change it by WuphonsReach · · Score: 5, Insightful

      My company wants me to change my pass every 2 months. Guess what happens to the password strength over time.

      It's a leftover idea from a bygone decade.

      The primary advantage of a required monthly or bi-monthly change is that if a password is compromised, it's only useful for about 1/2 of the expiration period. So it's a way of reducing risk in the case of accidental or nefarious disclosure.

      But the big downside is that it requires users to be constantly learning new passwords every month or so. And unless these passwords are automatically assigned, users WILL pick weaker and weaker passwords over time or passwords that fit into an easily remembered sequence. So you really end up back where you started.

      Forced password renewal is a valid strategy in a small number of cases. Such as a system which protects billions of dollars in assets or is super super critical to the business. But in those cases, there should be 2-factor authentication in play anyway and the passwords probably only need to be changed every 3-6 months and should be randomly assigned.

      For end users? Limit their permissions, force complex passwords, but don't require them to change frequently (*maybe* once every 2 years). Tell them to go ahead and write the passwords down and store them in their wallet next to their credit cards. Which is at least a huge step up from putting it under the keyboard or stuck to the monitor.

      Longer passwords are also easier to remember if they are used frequently (at least daily). But for some users, it may take as long as 2-3 weeks for them to remember it without looking.

      --
      Wolde you bothe eate your cake, and have your cake?
    2. Re:Password strength vs. how often you change it by Ploum · · Score: 5, Insightful

      That's highly annoying. Even more so if this is a web proxy password and, each month, you have to change the proxy password for every f*** application that connects to the web (that Windows OS is really really bad).

      I took another approach:

      1) informing the computer dept that it's a very bad idea. Here are some links:
      http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
      http://ploum.frimouvy.org/images/dilbert.png
      http://ploum.frimouvy.org/?177-le-gilet-de-sauvetage-et-le-tgv (in French)

      2) of course, they won't change. So consider: what will you lose if your password is corrupted? Nothing personal. Only stuff from the company that didn't want to hear you. Should you have a more complicated life because they are too dumb?

      3) if the answer is no, simply change your password to:
      yearmonth. That makes it: january2010. Easy to remember and will change all the time.

      4) Share the tip with your colleagues. Anyway, they should have access to my files, you are working together, aren't you? Guess what? Most thought it's a good idea and do the same.

      Result: easier work for everybody.
      Security? You tried to improve it, you were not listened to. That's their problem now.

      PS: of course, be careful to analyse what you are sharing and what the risks are. I will never do that for my personal stuff.

      PPS: even better solution. Try to think about systems that cannot change their password, like the backup system. Usually, that login/password has access to everything in the company, doesn't change and is really easy to find if you know where to look (and is, 99%, something like "permanent_pass" or "autologin"). That makes your life even easier.
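A small audit script, added here as an example and not part of the thread or the Imperva study, that applies the study's non-alphanumeric metric to a constructed password sample and flags the rotation patterns this thread describes (month plus year like january2010, a repeated block like 1111/2222, a digit sequence). The function names, the pattern checks and the sample list are my assumptions, not the study's method.

```python
import re
from collections import Counter
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Month name or 3-letter abbreviation beside a 2- or 4-digit year: january2010, 2010-jan, Feb10.
_M = "|".join(MONTHS) + "|" + "|".join(m[:3] for m in MONTHS)
MONTH_YEAR = re.compile(
    rf"^(?:(?:{_M})[-_ ]?(?:19|20)?\d\d|(?:19|20)?\d\d[-_ ]?(?:{_M}))$", re.I)
REPEATED = re.compile(r"(.)\1{3,}")  # one character repeated 4+ times: 1111, aaaa

def has_non_alnum(pw: str) -> bool:
    """True if the password contains any character outside A-Z, a-z, 0-9."""
    return re.search(r"[^A-Za-z0-9]", pw) is not None

def has_digit_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` consecutive digits stepping by +1 or -1 (1234, 9876)."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False

def predictable_reasons(pw: str) -> list:
    """Names of the rotation patterns from the thread that the password matches."""
    reasons = []
    if MONTH_YEAR.match(pw):
        reasons.append("month_year")
    if REPEATED.search(pw):
        reasons.append("repeated_run")
    if has_digit_run(pw):
        reasons.append("digit_sequence")
    return reasons

def audit(passwords) -> dict:
    """Share of passwords using non-alphanumerics plus a count per predictable pattern."""
    counts = Counter()
    for pw in passwords:
        counts["non_alnum"] += has_non_alnum(pw)
        reasons = predictable_reasons(pw)
        counts["predictable"] += bool(reasons)
        counts.update(reasons)
    total = len(passwords)
    pct = round(100.0 * counts["non_alnum"] / total, 1) if total else 0.0
    return {"total": total, "non_alnum_pct": pct, **counts}

# Constructed sample for illustration; not data from the breach or the study.
SAMPLE = ["january2010", "Feb-10", "hunter1111", "pass2222", "abc12345", "qwerty",
          "Tr0ub4dor&3", "correct horse", "letmein", "98765x"]
```

Running `audit(SAMPLE)` on the constructed list reports 30.0% non-alphanumeric use and six of ten passwords matching a rotation pattern; on a real dump the same counts show whether a rotation policy is producing the sequences the thread predicts.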

    3. Re:Password strength vs. how often you change it by Anonymous Coward · · Score: 5, Funny

      .., followed by "1111" then "2222" then "3333" and so forth...

      Don't you mean so 4444th?

    4. Re:Password strength vs. how often you change it by Opportunist · · Score: 5, Funny

      Hey, I used to use a password that could be found on my coworker's monitor, in plain view. I had the idea when they required me to come up with a secure, 10-digit-or-more password containing alphanumeric characters and his monitor's serial number fit the bill.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Why does password strength matter? by geekmux · · Score: 5, Insightful

    ...Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords.

    Er, does the strength of your password REALLY matter anymore with the FBI using post-it notes as a search warrant? I mean I hate to say that, but seriously.

    On a related note, what pisses me off even more is going to a website and trying to use a strong password and their system doesn't allow it.

  3. Why surprising? by argStyopa · · Score: 5, Insightful

    "Most interesting to me was that in the sample, less than 4% used any non alpha-numerics in their #$#%'ing passwords."

    Not surprising at all, because the rules for what you CAN use as passwords are so inconsistent. Some places REQUIRE non-alphanumerics, but have a limited choice of what you can use. Some don't accept ANY non-alphanumerics, some will accept them but again it's different from site to site.

    I don't know about you, but I've probably got 100 different passwords rattling around in my brain. I'd guess most people are like me in that they see passwords as a necessary evil but otherwise a giant pain in the ass, and so accept the slight increase in security risk by using a system that changes predictably (at least for me) from site to site. So I'm not going to use a base-password or base-concept that includes any characters that might be disallowed on some other site.

    --
    -Styopa
  4. Too often is bad too. by suso · · Score: 5, Insightful

    I dealt with a bank once that expected its customers to change their passwords every 2 weeks. So obviously what happened is every time a customer needed to check their bank account, probably once a month, they were locked out. Now this isn't necessarily the problem here. The problem is that with people having to call in every time to reset their password, it becomes such a norm that it probably drastically increases the potential for social engineering.

  5. Obligatory Spaceballs Reference by Pollux · · Score: 5, Funny

    Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    -----

    President Skroob: What's the combination?
    Colonel Sandurz: 1 - 2 - 3 - 4 - 5.
    President Skroob: 1 - 2 - 3 - 4 - 5?
    Colonel Sandurz: Yes.
    President Skroob: That's amazing! I've got the same combination on my luggage!

  6. Re:Have they released the list anywhere? by QuantumRiff · · Score: 5, Funny

    Post it here, I'll check it for you. Don't worry, Slashdot blanks your password.

    My password is *******

    See, blanked out!

    --

    What are we going to do tonight Brain?
  7. Re:Password strength vs. Validation Rules by wwwillem · · Score: 5, Insightful

    It is not just the mandatory password changes that increase the mess. It is also that each and every site has different validation rules. If I could use one-and-only strong password for many sites, then I could remember that. However, some sites _require_ special characters, while others _forbid_ them, etc, etc. So each time you end up inventing something on the spot, and then two months down the road you've forgotten it.

    I guess that I've 50 passwords to remember, so if I can't do that with just a few (I don't use the same password for my online banking as for my slashdot login :-) then it quickly becomes Post-it time again. Or worse, that little file on the PC desktop with a list of userid/passwd combos.

    --
    Browsers shouldn't have a back button!! It's all about going forward...