In December 2009, due to miserable security practices, Rockyou.com suffered a data breach that exposed over 32 million user passwords which were then published on the internet.
For a little background, if you use Facebook apps like Superwall, Speedracing, Likeness, Hugme, or Birthday cards, MySpace apps like Glittertext, Slideshow, Photofx, and many others, as well as Friendster, Orkut, Bebo, and other sites with apps, then you may have had your password stolen.
A company called Imperva got hold of the password list and did some analysis (http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf). It seems not much has been learned in the past ten years. Imperva found that the passwords many people are using make it possible to hack 1,000 accounts in 17 minutes. This extrapolates to less than 2 weeks to hack a million accounts that are using poor passwords.
Nearly 50% of the 32 million user passwords were extremely poor with the most common passwords being 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123. Tell me that isn’t you!
Half the users had passwords of 7 characters or less, and a mere 3.81 percent of users chose passwords with special characters in them. The truth is that as long as you are not using only dictionary words, you can have a strong password made of nothing but lowercase letters IF it is long enough. Long enough, in this case, is probably in excess of 20 characters. Even then, it isn’t too hard to use numbers and special characters as well.
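To put the length-versus-complexity point above into numbers, here is an added Python example (not from the original post or from ESET) that scores a password's brute-force search space under the common character-class model and applies the post's 15-character rule of thumb. The common-password list is the RockYou top ten quoted above; the four character classes and the minimum length are assumptions of the model.

```python
import math
import string

# The ten most common RockYou passwords quoted in the post (constructed set).
COMMON_PASSWORDS = {"123456", "12345", "123456789", "Password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"}

# Assumed character classes: an attacker who knows which classes are in use
# has to try every character of each class present at every position.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "special": set(string.punctuation),        # 32
}


def keyspace_bits(password: str) -> float:
    """Size of the brute-force search space in bits: length * log2(alphabet).

    This assumes the characters were chosen at random; a password made of
    dictionary words is far weaker than this figure suggests, which is why
    the post insists on 'not using only words'.
    """
    alphabet = sum(len(chars) for chars in CHARACTER_CLASSES.values()
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def assess(password: str, min_length: int = 15) -> dict:
    """Apply the post's rule of thumb and report why a password fails."""
    issues = []
    if password in COMMON_PASSWORDS:
        issues.append("in the RockYou top-10 list")
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    return {"bits": round(keyspace_bits(password), 1),
            "issues": issues,
            "acceptable": not issues}


if __name__ == "__main__":
    # A 7-character password using all four classes vs. 20 lowercase letters:
    # the longer lowercase-only one has roughly twice the search space.
    for pw in ("Ab1!xY9", "a" * 20, "123456"):
        print(pw, assess(pw))
```

Because `keyspace_bits` measures only length and alphabet, a long phrase of common words scores well here while still being easy to guess with a wordlist; treat the figure as an upper bound.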
As a rule of thumb, make your passwords at least 15 characters and don’t use important passwords for more than one site. You’re not likely to remember all of your passwords, but sometimes you don’t have to. For example, if I log onto a site I visit infrequently, I’ll often just type a long random password, and if I ever need to go back I’ll use the password reset function. For other passwords that I want to be able to use more often, or where I don’t want to wait for a password reset email, I use a program called Password Corral. You can get this program at http://www.cygnusproductions.com/freeware/pc.asp.
The critical thing with password management programs is to back up your passwords and keep the backup encrypted. Password Corral will allow you to back up in plain text, but I do not recommend it unless you can securely lock that backup away.
Director of Technical Education
Author ESET Research, ESET