The hacking of a web site last month that resulted in the theft of 32 million passwords has offered security analysts a rare opportunity to study password-selection patterns. A hacker breached the firewall of RockYou, a site that offers widgets and applications for social-media networks, and harvested the passwords. Later the hacker posted the passwords online without identifying the users.
When Imperva, a California-based data-security firm, analyzed the passwords, it found that users made alarmingly simple choices. The most popular password was 123456, which was chosen by 290,731 users. Another 61,958 users chose Password as their password, while 17,542 chose abc123.
Other unsophisticated passwords included iloveyou, qwerty and the name of the site, rockyou.
Danger From Brute Force
While the data on RockYou may not be an identity thief's dream, Imperva, in a white paper released Thursday, cited studies that show "about half of users use the same (or very similar) password to all web sites that require logging in."
Simple passwords using sequential numbers or letters are a hacker's delight, Imperva said, because they are vulnerable to a brute-force attack, in which the invading computer enters multiple randomly chosen passwords until it hits the jackpot.
"The combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account every second, or a mere 17 minutes to break into 1,000 accounts," Imperva said.
Imperva recommends that users follow NASA guidelines, which suggest passwords longer than eight characters with letters (uppercase and lowercase), numbers and symbols, and without using a slang word, a name or word in the dictionary, or any part of the user's e-mail address.
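As an added example (not code from the article, Imperva or NASA), the following Python check encodes the guidelines just listed and runs them against the leak's most common passwords; COMMON_WORDS is a constructed stand-in for a real wordlist, the sequential-run rule is an extra check for the 123456-style choices Imperva described, and the e-mail address is made up.

```python
import re

# Constructed stand-in for the "slang word, name or dictionary word" rule; a real
# check would load a full wordlist (the leaked RockYou set itself is a common one).
COMMON_WORDS = {"password", "iloveyou", "qwerty", "rockyou", "love", "monkey"}

def has_sequential_run(s, run=3):
    """True if s contains `run` consecutive ascending or descending characters (123, dcba)."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def password_violations(password, email=None):
    """Return the guideline violations for a candidate password (empty list = acceptable).

    Mirrors the NASA guidelines cited in the article (length, character classes, no dictionary
    word, no part of the e-mail address) plus a sequential-run check for 123456-style choices."""
    problems = []
    if len(password) <= 8:
        problems.append("too short")
    for pattern, label in ((r"[a-z]", "no lowercase"), (r"[A-Z]", "no uppercase"),
                           (r"[0-9]", "no digit"), (r"[^A-Za-z0-9]", "no symbol")):
        if not re.search(pattern, password):
            problems.append(label)
    lowered = password.lower()
    # Strip digits/symbols so "Password1!" is still recognised as a dictionary word.
    stripped = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or stripped in COMMON_WORDS:
        problems.append("dictionary word")
    if has_sequential_run(password):
        problems.append("sequential characters")
    if email:
        local, _, domain = email.lower().partition("@")
        parts = [local] + local.split(".") + domain.split(".")
        if any(len(p) >= 3 and p in lowered for p in parts):
            problems.append("contains part of e-mail address")
    return problems

if __name__ == "__main__":
    # The leak's most common choices as reported above, plus one constructed strong value.
    for pw in ("123456", "Password", "abc123", "iloveyou", "qwerty", "rockyou", "Wr3n#Lamp!9vk"):
        print(f"{pw:16} {password_violations(pw, 'jane.doe@example.com') or 'OK'}")
```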
The hacking caused some red faces at RockYou, formerly called RockMySpace. The site now carries an advisory telling users to change their passwords for e-mail and other online accounts if they are the same as those on RockYou. It said the hacked database containing the unencrypted passwords "had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches."
The company pointed out that it does not collect user financial information associated with its widgets.
Easy Passwords 'Crazy'
Graham Cluley, chief technology officer for the London-based global data-security firm Sophos, said surveys have consistently shown that users like simplicity in their passwords.
"That is, quite frankly, crazy," said Cluley. "Very few computer users seem to have woken up to the risks of using weak passwords and the same ones for every site they visit. With social-networking and other Internet accounts now even more popular, there's plenty on offer for hackers, and by using the same password to access Facebook, Amazon and your online bank account, you're making it much easier for them."
Cluley said financial institutions are taking the lead in requiring security questions in addition to passwords, but added that this isn't ideal protection against hackers.
"Think how many people are asked by a web site for their mother's maiden name and then tell the web site their real mother's maiden name, a matter of public record that anyone could research and find out," said Cluley. "People should claim their mother is Xena Warrior Princess or something made-up instead."
While the technology already exists, and is in heavy use in the corporate world, to authenticate users through hardware such as fobs, fingerprints or retina scanners, Cluley said it's unlikely they will be in widespread consumer use anytime soon.
"Hardware solutions are expensive for the web sites who have to supply them to customers," said Cluley. "Furthermore, all the web sites would need to agree on what authentication system they wanted to use -- otherwise you could end up with dozens of different devices plugged into your laptop."
In the meantime, he concluded, "users must choose sensible hard-to-guess passwords and ensure that their computers are properly defended from attacks."
Cluley has a video on YouTube that offers tips on selecting a password that is both hard to hack and easy to remember.