Monday, July 18, 2011

Troy Hunt: The science of password selection

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password.
I know people hate coming up with passwords, but the reality is we all need to get a whole lot better at this. Based on all the recent hacks that have exposed password databases, and a bit of statistical analysis, it appears that 70% of all passwords chosen fall into pretty predictable patterns. The password cracking tools will be updated to try these patterns first and accounts will be compromised much faster. Personally, I've been using tools to generate random passwords for years (and I won't mention which, lest the tool is found to have a bug that shows its "random" algorithm is actually predictable), but that's a step most people won't follow.

Click here for the full article.
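As an added example (not Troy Hunt's code, and not his data), the script below reproduces the kind of statistics quoted above on two small constructed dumps: share of passwords 6 to 10 characters long, share with a non-alphanumeric character, share found in a common-password list, and the reuse rate among accounts that appear in both systems. It also shows the alternative the excerpt recommends, a password drawn from a CSPRNG, together with its entropy in bits. The sample dumps and the tiny dictionary are constructed for illustration only.

```python
# Added example (not Troy Hunt's code): reproduce the password statistics
# described above on a constructed dataset, and contrast them with a
# CSPRNG-generated password. All sample data below is invented.
import math
import secrets
import string

# Constructed "breach dumps": email -> plaintext password. Real dumps are
# far larger; these exist only to exercise the analysis functions.
SYSTEM_A = {
    "alice@example.com": "password",
    "bob@example.com": "letmein1",
    "carol@example.com": "Summer2011",
    "dave@example.com": "qwerty123",
    "erin@example.com": "Tr0ub4dor&3",
    "frank@example.com": "football",
}
SYSTEM_B = {
    "alice@example.com": "password",      # reused
    "bob@example.com": "letmein1",        # reused
    "carol@example.com": "Winter2011",    # changed
    "dave@example.com": "qwerty123",      # reused
    "grace@example.com": "123456",
}

# Tiny stand-in for a common-password dictionary (assumption: a real
# analysis would load a full wordlist). Matching is exact after lowercasing,
# so "letmein1" does NOT count as a hit for "letmein".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "football", "abc123"}


def length_stats(passwords):
    """Share of passwords whose length falls in the 6..10 range."""
    in_range = sum(1 for p in passwords if 6 <= len(p) <= 10)
    return round(in_range / len(passwords), 3)


def non_alnum_share(passwords):
    """Share of passwords containing at least one non-alphanumeric character."""
    hits = sum(1 for p in passwords if any(not c.isalnum() for c in p))
    return round(hits / len(passwords), 3)


def dictionary_share(passwords, dictionary=COMMON_PASSWORDS):
    """Share of passwords found verbatim (case-insensitive) in the dictionary."""
    hits = sum(1 for p in passwords if p.lower() in dictionary)
    return round(hits / len(passwords), 3)


def reuse_rate(dump_a, dump_b):
    """Among emails present in both dumps, share using the identical password."""
    common = set(dump_a) & set(dump_b)
    if not common:
        return 0.0
    same = sum(1 for e in common if dump_a[e] == dump_b[e])
    return round(same / len(common), 3)


def generate_password(length=16,
                      alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Password drawn uniformly from `alphabet` using the OS CSPRNG (secrets).

    Returns (password, entropy_bits). Entropy is length * log2(|alphabet|),
    which is the whole point of random generation: no pattern to try first.
    """
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, length * math.log2(len(alphabet))


if __name__ == "__main__":
    pws = list(SYSTEM_A.values())
    print("6-10 chars:", length_stats(pws))
    print("non-alphanumeric:", non_alnum_share(pws))
    print("in dictionary:", dictionary_share(pws))
    print("reused across systems:", reuse_rate(SYSTEM_A, SYSTEM_B))
    pw, bits = generate_password()
    print("random password:", pw, "entropy bits: %.1f" % bits)
```

On the constructed data the script reports 5 of 6 passwords in the 6 to 10 character band, 1 of 6 with a symbol, 2 of 6 in the dictionary, and 3 of the 4 shared accounts reusing a password, the same shape of result as the figures quoted above. A 16-character password over the 94 printable ASCII characters carries about 105 bits of entropy, far beyond what any pattern-first cracking strategy can exploit.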
