Bleak News on the Password Front

In December 2009, due to miserable security practices, suffered a data breach that exposed over 32 million user passwords which were then published on the internet.

For a little background, if you use Facebook apps, like Superwall, Speedracing, Likeness, Hugme, or Birthday cards, MySpace apps like Glittertext, Slideshow, Photofx, and many others, as well as Friendster, Orkut, Bebo, and other sites with apps, then you may have had your password stolen.

A company called Imperva got hold of the password list and did some analysis. It seems not much has been learned in the past ten years. Imperva found that the passwords many people are using make it possible to hack 1,000 accounts in 17 minutes. This extrapolates to less than 2 weeks to hack a million accounts that are using poor passwords.

Nearly 50% of the 32 million user passwords were extremely poor with the most common passwords being 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123. Tell me that isn’t you!

Half the users had passwords of 7 characters or less, and a mere 3.81 percent of users chose passwords with special characters in them. The truth is that as long as you are not only using words, you can have a strong password that has only lowercase letters IF it is long enough. Long enough, in this case, is probably in excess of 20 characters. Even then it isn’t too hard to use numbers and special characters as well.

As a rule of thumb, make your passwords at least 15 characters and don’t use important passwords for more than one site. You’re not likely to remember all of your passwords, but sometimes you don’t have to. For example, if I log onto a site I visit infrequently I’ll often just type a long random password, and if I ever need to go back I’ll use the password reset function. For other passwords that I want to be able to use more often, or don’t want to wait for a password reset email, I use a program called Password Corral. You can get this program at
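To make the two points above concrete (a long lowercase-only password can be stronger than a short "complex" one, and the 15-character rule of thumb), here is an added example, not code from the post or from ESET. It scores a password as an upper bound on guessing entropy from its length and the character classes it uses, and flags the top-ten passwords quoted from the Imperva analysis. The sample passwords and the guessing rate are constructed assumptions for illustration; the entropy figure is a ceiling, since a password built from dictionary words is far weaker than its length suggests.

```python
import math
import string

# The ten most common passwords from the Imperva analysis quoted in the post.
TOP_PASSWORDS = {
    "123456", "12345", "123456789", "Password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

SPECIAL = string.punctuation + " "   # 33 printable non-alphanumerics
MIN_LENGTH = 15                      # the post's rule of thumb

# Assumed offline guessing rate (constructed figure for the time estimate).
ASSUMED_GUESSES_PER_SECOND = 1e9


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, given the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIAL for c in pw):
        size += len(SPECIAL)
    return size


def entropy_bits(pw: str) -> float:
    """Upper-bound entropy: every character drawn uniformly from the alphabet.

    Real passwords made of words or patterns have far less entropy than this,
    which is why the post insists on "not only using words".
    """
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def expected_crack_seconds(pw: str) -> float:
    """Expected time to find the password by brute force at the assumed rate
    (half the keyspace on average)."""
    return (2 ** entropy_bits(pw)) / 2 / ASSUMED_GUESSES_PER_SECOND


def assess(pw: str) -> dict:
    """Apply the post's guidance and return the findings as a dict."""
    common = pw in TOP_PASSWORDS
    bits = entropy_bits(pw)
    findings = {
        "common": common,
        "length": len(pw),
        "meets_length_rule": len(pw) >= MIN_LENGTH,
        "has_special": any(c in SPECIAL for c in pw),
        "bits": round(bits, 1),
        "crack_seconds": expected_crack_seconds(pw),
    }
    if common:
        findings["verdict"] = "on the most-common list: guessed almost instantly"
    elif len(pw) <= 7:
        findings["verdict"] = "7 characters or less: too short regardless of mix"
    elif not findings["meets_length_rule"]:
        findings["verdict"] = f"shorter than the {MIN_LENGTH}-character rule of thumb"
    else:
        findings["verdict"] = "meets the length rule; make sure it is not just words"
    return findings


if __name__ == "__main__":
    # Constructed samples: a top-ten entry, a short mixed-class password,
    # and a long lowercase-only one.
    for sample in ("123456", "Tr0ub4d&", "octoberrainfallsquietly"):
        r = assess(sample)
        print(f"{sample!r}: {r['bits']} bits, "
              f"~{r['crack_seconds']:.3g} s at {ASSUMED_GUESSES_PER_SECOND:.0e}/s, "
              f"{r['verdict']}")
```

Running it shows the 23-character lowercase sample scoring roughly twice the bits of the 8-character mixed-class one, which is the post's point: length dominates character mix once you avoid plain words.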

The critical thing with password management programs is to backup your passwords and keep them encrypted. Password Corral will allow you to backup in plain text, but I do not recommend it unless you can securely lock that backup away.

Randy Abrams
Director of Technical Education

Author, ESET

  • Zeta Thompson

    I would love to use 20 or more character passwords. Unfortunately many sites restrict them to 10 or 15 characters. Education is needed on the part of the site designers as well as the users.

    • David Harley

      Zeta, your point is well taken. Some sites and applications are even more restrictive than that (6-8 characters, alphanumerics only, and so on). Someone suggested an interesting strategy to me that might help in such situations: I’ll blog about it when I have a little time.

  • Patrik

    You are right, the password creation and management performed by users is really bad. That is why I am using Sticky Password. It generates strong passwords and it is secured. For each account I use a different password, and for a hacker it will be really hard to steal my credentials.

  • Jimmy Burnett

    This really isn't surprising. We'd all be amazed how much this wouldn't happen if people took the extra .5 seconds to add a number or two to the end of their password. Leave the door open and people will come in. Using passwords like "1234" just isn't smart.

    • David Harley

      Unfortunately, Jimmy, adding a number or two to the end of a password adds a lot less than .5 seconds to the time taken to crack it. Interleaved digits are more effective, though the substitution of “0” for “o”, “3” for “e” and so on doesn’t add much cracking time: not, at any rate, for a password based on a dictionary word.

  • Johan

    No no this is not me, I use a 13 letter long password, which is not in a number order 123456 etc….

  • DarrenD

    I use KeePass as a password safe because it has very strong encryption (can't remember exactly – probably 256 bits) but also because it is available in a Java application on my mobile phone. This means I can use strong passwords and still have access to them when I am away from my home PC, e.g. at work in lunch time – not in a cyber cafe.

Copyright © 2016 ESET, All Rights Reserved.