This seems to be my week for flagging password-related blogs. Well, there are plenty of stolen password issues around. :(
So here's a blog in stark contrast to Urban Schrott's blog about good password practice in Ireland (which I expanded on here and here). Troy Hunt ran an analysis of the subset of stolen Sony Pictures passwords put out as a torrent by those nice boys at LulzSec, some 37,608 of them. He was looking for four characteristics:
I won't list all his findings: I'd rather you read the blog. However, here's a brief summary of the more easily-determined statistics.
Randomness is a harder characteristic to determine. Hunt tried a couple of approaches to this, but they're not really enough to characterise the whole sample set. Still, they're interesting as far as they go:
Uniqueness is a measure of whether strings are re-used across multiple accounts. His contention is that he can do this because the LulzSec dump contains data from several data sources, including over 2000 accounts where the same email address has been registered on both the "Beauty" and "Delboca" databases. A scary 92% of passwords were found across both systems…
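The measurements summarised above (length and character-class distribution, plus the cross-database reuse check keyed on e-mail address) as an added Python example; this is not code from Troy Hunt's analysis or from this post, and the two database names and all records are constructed stand-ins for the real dump.

```python
import string
from collections import Counter

# Constructed (email, password) records standing in for the two databases; no real breach data.
BEAUTY = [
    ("alice@example.com", "sunshine"),
    ("bob@example.com", "Passw0rd!"),
    ("carol@example.com", "123456"),
    ("dave@example.com", "qwerty12"),
    ("erin@example.com", "letmein"),
]
DELBOCA = [
    ("alice@example.com", "sunshine"),   # same password on both systems
    ("bob@example.com", "Passw0rd!"),    # same password on both systems
    ("carol@example.com", "654321"),     # different password on each system
    ("frank@example.com", "baseball"),   # registered on this system only
]

def char_classes(password):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return frozenset(classes)

def profile(records):
    """Length distribution and number-of-character-classes distribution for one database."""
    lengths = Counter(len(pw) for _, pw in records)
    class_counts = Counter(len(char_classes(pw)) for _, pw in records)
    return {"lengths": lengths, "class_counts": class_counts}

def reuse_rate(db_a, db_b):
    """Among e-mails registered in both databases, how many use the same password in each.
    Returns (accounts_in_both, accounts_reusing, percentage)."""
    a = dict(db_a)
    b = dict(db_b)
    shared = [email for email in a if email in b]
    reused = sum(1 for email in shared if a[email] == b[email])
    pct = 100.0 * reused / len(shared) if shared else 0.0
    return len(shared), reused, pct

if __name__ == "__main__":
    print(profile(BEAUTY), reuse_rate(BEAUTY, DELBOCA))
```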
Clearly, if you're one of the victims of the Sony breach(es), it doesn't matter how good your password is, since it's been exposed through no fault of your own. However, you might want to think about how susceptible your passwords are to bruteforcing. Not all attacks can rely on the service provider's incompetence, and sometimes a good password really can save your data from exposure.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow