Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Brief Sony Password Analysis

Posted by CmdrTaco on from the change-it-now-people dept.

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."

9 of 276 comments (clear)

  1. As someone who probably fell into some of those by vawwyakr · · Score: 5, Interesting

    My sony account only held the minimal information and some of that not correct. The PW I used was my public throw away password that I only use on sites that require me to register when I just need it to use a basic service and not enter anything not already public knowledge. So I'm not going to burn a good PW or spend my time trying to memorize a new one to use for something I really wouldn't care if they cracked and couldn't use the same PW on a site for which I care about it being cracked.

    1. Re:As someone who probably fell into some of those by Aladrin · · Score: 5, Insightful

      For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  2. lowercase by Njovich · · Score: 5, Insightful

    '82% of passwords are lowercase alphanumeric of 9 characters or less.'

    So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

  3. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 5, Insightful

    This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.

    It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.

  4. Password Requirements Are Inconsistent by Anonymous Coward · · Score: 4, Insightful

    The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.

  5. My password is by Anonymous Coward · · Score: 5, Funny

    '); DROP TABLE Password;

    1. Re:My password is by snookerhog · · Score: 4, Funny

      Bobby, is that you?

  6. Bad passwords are not always the user's fault. by mcmonkey · · Score: 4, Insightful

    The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.

    With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

    So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.

    Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

    1. Re:Bad passwords are not always the user's fault. by KMitchell · · Score: 5, Insightful

      Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

      Nothing inherently wrong with writing down passwords. You move from "something you know" to something you have, As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.