Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Brief Sony Password Analysis

Posted by CmdrTaco on from the change-it-now-people dept.

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."

4 of 276 comments (clear)

  1. lowercase by Njovich · · Score: 5, Insightful

    '82% of passwords are lowercase alphanumeric of 9 characters or less.'

    So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

  2. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 5, Insightful

    This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.

    It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.

  3. Re:As someone who probably fell into some of those by Aladrin · · Score: 5, Insightful

    For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  4. Re:Bad passwords are not always the user's fault. by KMitchell · · Score: 5, Insightful

    Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

    Nothing inherently wrong with writing down passwords. You move from "something you know" to something you have, As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.