Passwords! at 11:43 AM

By now it's a safe bet anyone working in the security space has heard about the leaked passwords from hotmail, yahoo and gmail.

The most interesting thing so far to come out of the leak is the results of an analysis of the passwords exposed. The results are an interesting mix and shed some light on how the message about using strong passwords is being received out there in user-land.

The most common password found was '123456' with '12346789' coming in second. It's enough to keep a security guy up at night!

Amazingly 'password' didn't make the top 20 list, but despite the fact the average password length was 8 characters, 42% of all the passwords listed were lower case only and only 36% were what we commonly consider 'strong passwords' (in complexity if not length). This shows the message is not being heard.

Why is this a concern to the security guy in the enterprise? Well the same users are likely to be in the office and these results show that the password message is not getting through. Not to mention employees with good intentions emailing work documents to themselves @hotmail so they can be diligent and work on them at home. That same hotmail address with the '123456' password....

The good news (comparitively!) is that the passwords have not been gathered due to a flaw in the security of these industry heavyweights, but by via phishing attacks against the users themselves.
The problem though is even when users are diligent and more complex passwords are used there is the problem of those same users being suckered in by phishing attacks. Even the head of the FBI was banned from online banking by his wife for almost falling victim to a phishing email.

A senior security engineer for nCircle recently presented at SecTor the results of a survey both technical and non-technical users that showed while 83% of users checked for the magic padlock in the browser when entering their credit card details, a dismal 41% checked for the same padlock when entering a password. Although the displaying the magic padlock can be easily faked.
Unsurprisingly almost 50% of users also clicked through security warnings without paying attention to them. In this we're paying the price for training end users to 'just click ok' through countless exposures to buggy software.

People can't be relied upon to pick strong passwords or read security warnings. Security guru Bruce Schneier has written about this back in 2006 when 100000 myspace accounts were exposed through a phishing attack. That wonderful password '123456' made the top 20 back then too, but the best performer was 'password1'.

Bruce comments that "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security?"

He's completely correct and in fact I'd hazard a guess that they've continued to learn and the most common password these days (where complexity rules are applied) is 'Password1'.

What's the answer? Nothing simple comes to mind, but clearly our education of users isn't working today, we need to do better.

And finally a more humourous look at choosing a password...