RockYou affair reveals shabby password strength

Darren Allan

January 21, 2010

Remember the RockYou security blunder last month, in which hackers got hold of some 32 million username and password details?

Well, the passwords themselves have been analysed by Imperva, a security firm, with worrying results.

Put simply, the level of password sophistication uncovered is dangerously low.

The most commonly used password on these accounts was – wait for it – the old chestnut: “123456”.

Followed by, in second place, “12345”. Sigh…

Simple strings of numbers, and passwords such as “password” or “qwerty” were also relatively common. As was the name of the site, “rockyou”.

We’ve no idea how many people used the password “I am an idiot please compromise my account”, but we suspect it might be a few.

The Imperva report also found that 30% of users had a weak password length (six characters or less), and almost 50% used names, slang words, or consecutive strings of numbers or characters as we’ve already mentioned.

Only a mere 0.2% of users could be considered to have a strong password (eight characters or more, with a mix of symbols, numbers, and different case letters).

What’s worse still is the fact that people will re-use these passwords for all their online accounts, giving a hacker access to everything in one fell swoop.


Comments in chronological order (1 comment)

  1. Anonymous says:

    If anyone knows anything about how the internet works, and web servers… They’ll know the problem here isn’t users making easy passwords, it’s the lazy programmers.

    You could make a seriously difficult password, but if you can inject a SQL query into the table that holds the password strings, you could reveal everyone’s passwords, and then even the most difficult of passwords will be revealed in plain text.

    The problem of easy passwords is only a problem on servers, when stored as a hash. Which, due to lazy programmers, is few and far between.

Post a comment

Your email address will not be published. Required fields are marked *

Visited 2023 times, 1 so far today