I suspect that this isn’t really news to most of the people who read this blog, but all the same it’s very important.
Yahoo recently experienced a security breach which resulted in a lot of people’s passwords being exposed – 450,000 in all.
David Harley over on betanews highlights some statistics put together by Anders Nilsson. What these statistics show is that people still use the most basic of passwords:
- 123456 = 1666 (0.38%)
- password = 780 (0.18%)
- welcome = 436 (0.1%)
- ninja = 333 (0.08%)
- abc123 = 250 (0.06%)
- 123456789 = 222 (0.05%)
- 12345678 = 208 (0.05%)
- sunshine = 205 (0.05%)
- princess = 202 (0.05%)
- qwerty = 172 (0.04%)
In other words, with these top 10 passwords you get access to 1% of people’s accounts. That might not sound like a lot, but out of the 450,000 passwords leaked that’s access to 4,500 people’s information, without even trying. Just think how much money that might be if it was 4,500 bank accounts.
The statistics on password length are equally poor:
Password length (length ordered)
- 1 = 117 (0.03%)
- 2 = 70 (0.02%)
- 3 = 302 (0.07%)
- 4 = 2748 (0.62%)
- 5 = 5323 (1.2%)
- 6 = 79610 (17.98%)
- 7 = 65598 (14.82%)
- 8 = 119125 (26.9%)
- 9 = 65955 (14.9%)
- 10 = 54756 (12.37%)
In other words, nearly 20% (19.62%) of people have a password that is 6 characters long or fewer.
I’ve recently had a number of conversations with people about the security of email and Twitter accounts. In every instance the people blamed Google, Microsoft or Twitter. When I asked them what their password was, a number of them told me straight out; of those that told me, all of them were short and simple (also, if someone does ask you your password – don’t tell them).
Length of password and complexity of password are both important, but one comes as a result of the other.
Rather than trying to remember a different password for each of the things that I use, I have a different regime depending upon how important the site is. There are lots of places that ask for a password for which there would be very limited impact on me if it was revealed. This password is still reasonably long and reasonably complex, but it’s the same one for all of these sites. There is then a small set of sites that are really important to me, where the impact of losing the password would be significant; I treat these completely differently. They each have their own password, those passwords are long and complex, and I change them reasonably regularly. This regime enables me to focus my attention on the important things.
Other people I know use a password management tool which itself generates strong hidden passwords. Examples of these are LastPass and 1Password.
It doesn’t matter how you do it, but please make your passwords longer and more complex.
One day in the future passwords won’t be such an issue, but until then…