User Passwords Make Hackers' Job Easy: Report
Data security lifecycle vendor Imperva analyzed the 32 million passwords exposed in a December 2009 breach of the customer database of RockYou and found that typical customers used very short and simple passwords that would make it easy for hackers to access their accounts.
RockYou, a Redwood City, Calif.-based provider of social Web content distribution, last month reported that one or more people hacked into one of its databases, which included user names and passwords for 32 million customers in an unencrypted format.
An analysis of those passwords showed that hackers working from a list of the 5,000 most commonly used passwords could have compromised 0.9 percent of RockYou user accounts, or nearly 300,000 of them, in only a single attempt to hack that database, 5 percent in 116 attempts and 20 percent in 5,000 attempts.
Of the 32 million passwords exposed, "123456" was the most commonly used, followed by "12345" and "123456789."
The list of the 20 most commonly used passwords, and the number of accounts which used them, includes:
"123456" in 290,731 accounts
"12345" in 78,078 accounts
"123456789" in 76,790 accounts
"Password" in 61,958 accounts
"iloveyou" in 51,622 accounts
"princess" in 35,231 accounts
"rockyou" in 22,588 accounts
"1234567" in 21,726 accounts
"12345678" in 20,553 accounts
"abc123" in 17,542 accounts
"Nicole" in 17,168 accounts
"Daniel" in 16,409 accounts
"babygirl" in 16,094 accounts
"monkey" in 15,294 accounts
"Jessica" in 15,162 accounts
"Lovely" in 14,950 accounts
"michael" in 14,898 accounts
"Ashley" in 14,329 accounts
"654321" in 13,984 accounts
"Qwerty" in 13,856 accounts
Because the passwords were so short and simple, Imperva concluded that users are very susceptible to what it termed "basic, brute force" password attacks.
Users, if allowed, will choose very weak passwords even for their most important data, Imperva said.
"Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk. To quantify the issue, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account on every second or a mere 17 minutes to break into 1000 accounts," the company wrote.
Imperva said that users should follow NASA's recommendations for strong password selection.
The first recommendation is that a password should contain at least eight characters. The Imperva analysis showed that half the passwords in the RockYou breach had seven or fewer characters, and 30 percent of users had passwords of six or fewer characters.
The second recommendation is that passwords contain a mix of four different types of characters, including upper case letters, lower case letters, numbers, and special characters. Imperva wrote that, in the RockYou breach, 40 percent of users used only lower case letters and 16 percent used only digits for their passwords.
Imperva said only 0.2 percent of users had what could be considered strong passwords.
The third recommendation is that passwords should not be a name, slang word, or a word in the dictionary, and should not include any part of a user's name or e-mail address. Imperva wrote that almost all of the top 5,000 passwords in the RockYou database were in violation of this recommendation, or consisted of trivial things like consecutive digits or adjacent keyboard keys.
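The three recommendations above can be checked when a user sets a password. The following Python check is an added example, not code from Imperva, NASA or RockYou; the function names, the violation labels, and the use of the article's top-20 list as a stand-in for a full dictionary are assumptions.

```python
import string

# Top-20 passwords as listed in the article, lower-cased. Assumption: this
# short list stands in for the much larger dictionary a real deployment loads.
COMMON = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty",
}
# Keyboard rows used to spot runs of adjacent keys (US layout assumed).
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_sequence(pw):
    """True if pw is one run of consecutive characters or adjacent keys."""
    s = pw.lower()
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps in ({1}, {-1}):  # e.g. abcdef, 123456, 654321
        return True
    return any(s in row or s in row[::-1] for row in KEY_ROWS)


def violations(pw, username="", email=""):
    """Return the recommendations that pw breaks (empty list = passes)."""
    found = []
    if len(pw) < 8:  # first recommendation: at least eight characters
        found.append("length<8")
    classes = [      # second recommendation: all four character types
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if not all(classes):
        found.append("missing-char-class")
    low = pw.lower()
    if low in COMMON or is_sequence(pw):  # third recommendation
        found.append("common-or-sequence")
    # Parts of the user's name or e-mail address (3+ chars to limit noise).
    parts = [username.lower(), email.lower().split("@")[0]]
    if any(len(p) >= 3 and p in low for p in parts):
        found.append("contains-user-identifier")
    return found
```

Every password in the article's top-20 list fails the third check here, and most fail all three.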