Quick: What’s your password? Is it 123456? Is it password? Is it abc123? Is it your first name? Surprisingly, for a large number of users, those are the types of words being picked to safeguard private accounts. Not surprisingly, that’s a bad thing.
About a week ago open source forum project phpBB had their site hacked. About 20,000 passwords from users of the site were published to the Internet. Though that’s definitely not a good thing, for security researchers it offered a unique opportunity to study how real users create passwords.
Robert Graham, of Dark Reading, published some findings about the patterns used in the hacked passwords last week. The list of the top 20 passwords from the phpBB data set is not very encouraging. The number one password — used by over 3% of accounts — was ‘123456.’ Number two on the list was ‘password.’ Number three was ‘phpbb.’ In fact, almost all of the top 20 most used passwords were variations of those simple themes: numbers in sequential order, keyboard combinations (like ‘qwerty’), or common words or names.
Graham found that between 65% and 94% of passwords were common dictionary words (the latter number being for dictionaries that include commonly used proper nouns, such as “Xbox” or “Pokemon”), and that on average, the words tended to be simple words like “apple” or “orange” rather than more complex words.
16% of passwords matched a person’s first name. 14% of passwords were patterns on the keyboard. 4% were variations of the word “password.” 5% referenced pop-culture, and 4% likely described things nearby to the user when picking a password (such as “samsung,” “viewsonic,” or “compaq”).
The passwords from the hacked phpBB accounts seem to demonstrate a similar pattern found in passwords from a similar breach at MySpace 2 years ago, in which about 34,000 user names and passwords were made public. The top twenty from that attack included password1, abc123, myspace1, password, qwerty1, 123abc, 123456, jordan23, and iloveyou1.
The implications of this are that breaking into many user accounts, for those so inclined, might be a lot easier than people think if they’re using such insecure passwords. Coupled with a January 2008 study by digital communications agency @www that found that 61% of people use the same password for every account they own, you can begin to realize what a potentially huge problem this is.
The reason for both the insecure passwords and the use of the same password over and over again is likely the same: password fatigue. People now have so many account credentials to remember, that it borders on the absurd. In order to keep track of so many different accounts, it appears that most people reuse the same passwords over and over, and often choose easy to remember, insecure phrases. That’s bad form and potentially puts their accounts at risk of being compromised more easily.
One solution, of course, is OpenID. If OpenID were truly universally accepted, then one set of login credentials is all that people would need to remember. Of course, it also means that if your account were compromised, it would give the attacker access to everything at once (though given the current use patterns people exhibit, that’s already the case).
However, if people were to be educated in safe password practices and choose harder to discern random strings of letter, characters, and numbers, and change them often (monthly?), OpenID could make that process easier and more feasible. Thoughts?