Imperva's analysis of the 32 million passwords exposed in the Rockyou.com breach turned up some interesting facts about real-world passwords. Until now, only password surveys had been analyzed, and I knew those results would be almost useless compared with a real data set of passwords, because who in their right mind would donate one of their own passwords, or anything like it, to a survey about password statistics?
The Consumer Password Worst Practices report is available on Imperva’s website.
Most interesting were the top ten most-used passwords:
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
I wonder what the set of passwords looks like from a system that requires a mix of upper-case, lower-case, numeric, and symbol characters. If I were a betting man, I would wager they're only minimally complex. Letters and numbers that sit close together on the keyboard are most likely used often, and I bet the letters and numbers are segregated, meaning passwords that look like asdf123 would be more common than something like af2v83s7.
It's definitely time for a replacement for passwords. This old tech is becoming nearly useless. Forcing users to change passwords often and enforcing complexity rules can only take us so far. Maybe it's time for three- or four-factor authentication!?