While the ongoing floods of leaked account credentials from Formspring, LinkedIn et al. are potentially disastrous for the owners of those accounts, analysis of those data doesn't only provide a way of seeing whether our own accounts are at risk. It also provides an incentive for us all to re-examine our own password (and passcode) selection strategies by the insight they give us into whether we are using the same far-from-unique passwords as so many of the victims of these breaches.

My colleague Anders Nilsson's Eurosecure blog looks at the data from the Yahoo! breach reported by Dan Goodin and refers to some detailed statistics. Rather than reproduce all those data here, I'd recommend that you read his blog, but as I've previously referred here and elsewhere to 'Top Umpteen' lists of insecure, over-used, easily guessed passwords, I can't resist reproducing the top ten he extracted here, as it comes from a more recent source than the Mark Burnett analysis I quoted in my previous post on the subject.

  1. 123456 = 1666 (0.38%)
  2. password = 780 (0.18%)
  3. welcome = 436 (0.1%)
  4. ninja = 333 (0.08%)
  5. abc123 = 250 (0.06%)
  6. 123456789 = 222 (0.05%)
  7. 12345678 = 208 (0.05%)
  8. sunshine = 205 (0.05%)
  9. princess = 202 (0.05%)
  10. qwerty = 172 (0.04%)

The TrustedSec blog suggests that the Yahoo! service from which the credentials were dumped is Yahoo! Voice, and if you have an account there, this would be a good time to change your password, however good it is. But if you're using any of the passwords above anywhere - or if it comes to that, any of the 25 below, as compiled by Burnett - it's a good time to start thinking about using better choices, or maybe looking for a good password manager program.

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football
  11. letmein
  12. monkey
  13. 696969
  14. abc123
  15. mustang
  16. michael
  17. shadow
  18. master
  19. jennifer
  20. 111111
  21. 2000
  22. jordan
  23. superman
  24. harley
  25. 1234567

No, number 24 doesn't mean I've flooded online services with logins where I use my own name. As I remarked the last time I published this list: "I've included the top 25 because it amused me to see my own name at number 24. I suspect, though, that has more to do with motorcycles than my own superstar status. ;-)"
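A practical way to act on the two lists above is to turn them into a blocklist that a password-change form or an internal audit can check against, rejecting not just the exact strings but the trivially derived variants (capitalisation, a digit or punctuation tacked on the end, "0" for "o" and similar substitutions) that account for so many of the near-duplicates in these dumps. The following is an added example, not code from this post or from the Eurosecure or TrustedSec analyses it refers to; the two lists are copied from the text, while the function names, the normalisation rules and the substitution table are this example's own assumptions. It generalises the point slightly by catching variants as well as exact matches.

```python
"""Blocklist check built from the weak-password lists quoted in the post.

The two lists are the ones quoted above (Yahoo! top ten and Burnett's
top 25). Everything else here (normalisation rules, the character
substitution table, function names) is an assumption of this example.
"""
import re

YAHOO_TOP10 = ["123456", "password", "welcome", "ninja", "abc123",
               "123456789", "12345678", "sunshine", "princess", "qwerty"]

BURNETT_TOP25 = ["password", "123456", "12345678", "1234", "qwerty", "12345",
                 "dragon", "pussy", "baseball", "football", "letmein", "monkey",
                 "696969", "abc123", "mustang", "michael", "shadow", "master",
                 "jennifer", "111111", "2000", "jordan", "superman", "harley",
                 "1234567"]

# Union of both lists; lookups are O(1) on a frozenset.
BLOCKLIST = frozenset(YAHOO_TOP10) | frozenset(BURNETT_TOP25)

# Assumed substitution table undoing the most common "leet" swaps.
_LEET = str.maketrans("@01!$3", "aolise")


def _candidates(password):
    """Yield the forms of `password` that are compared against the blocklist.

    Order matters: trailing digits/punctuation are stripped before the
    substitution table is applied, so 'P@ssw0rd1!' reduces to 'password'
    rather than to 'passwordli'.
    """
    p = password.strip().lower()
    yield p                       # exact (case-insensitive) match
    yield p.translate(_LEET)      # leet-undone form of the whole string
    base = re.sub(r"[^a-z]+$", "", p)   # drop a trailing '1', '!', '2000', ...
    if base and base != p:        # never reduce an all-digit password to ''
        yield base
        yield base.translate(_LEET)


def check_password(password):
    """Return (ok, reason).

    ok is False when the password, or a trivially derived variant of it,
    appears on the blocklist. A True result only means the password is
    not on these two short lists; it says nothing about its real strength.
    """
    exact = password.strip().lower()
    for cand in _candidates(password):
        if cand in BLOCKLIST:
            if cand == exact:
                return False, "'%s' is on the blocklist" % cand
            return False, "trivial variant of blocklisted '%s'" % cand
    return True, "not on the blocklist (necessary, not sufficient)"


def audit(passwords):
    """Count how many of a sample of passwords fail the blocklist check.

    This is the kind of tally the breach analyses quoted above perform,
    applied to whatever plaintext sample the caller supplies.
    """
    return sum(1 for pw in passwords if not check_password(pw)[0])


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real dump.
    for pw in ["123456", "Password1!", "P@ssw0rd", "harley2000",
               "correct horse battery staple"]:
        print("%-30s %s" % (pw, check_password(pw)[1]))
    print("flagged:", audit(["123456", "hunter2", "Harley!"]))
```

The check is deliberately one-directional: a rejection is reliable, but an acceptance only means the candidate is not on these two short lists, so it belongs in front of, not instead of, a proper length and uniqueness policy or a password manager.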

If credentials are leaked for a service you use, there isn't much you can do except:

  • Change your password ASAP
  • Pressure the service provider into enhancing its security
  • Consider whether there might be a safer service you can use.

But changing all your passwords to something harder to guess/break is never a bad idea.

http://en.wikipedia.org/wiki/Pastures_of_Plenty

David Harley CITP FBCS CISSP
ESET Senior Research Fellow