A great Password Study.

I assume everybody knows about the LulzSec releases. Starting from that data, Troy Hunt did a great job analyzing all the disclosed passwords. Some of the most interesting findings are the following:


So, let's focus on some results:
  1. 14% of the disclosed passwords are derived from the username.
  2. 8% of the disclosed passwords are derived from place names.
  3. 25% of the disclosed passwords, even if they are neither place names nor usernames, are derived from dictionary words.
  4. 14% of the disclosed passwords are just numbers (of variable length, but composed only of digits).
  5. 2.7% of the disclosed passwords are made from two words linked together.
  6. 2.6% of the disclosed passwords are derived from email addresses.
  7. 1.3% of the disclosed passwords are derived from short phrases.
  8. 0.7% of the disclosed passwords are derived from keyboard patterns (what is that? A keyboard pattern is, for example, “asdf” or “1234”).
  9. 0.4% of the disclosed passwords are derived from the URL of the site where they have been used.
  10. 31% of the disclosed passwords have no pattern at all.
Alright, what can we learn from that? The answer is pretty easy. A common brute forcer (and I am not talking about an FPGA brute forcer or an advanced GPU brute forcer), equipped with a common CPU and running a simple tool like John the Ripper or whatever he prefers, might be able to break 69% of the passwords in less than a day! In fact, passwords derived from usernames, keyboard patterns and email addresses are the first passwords that brute forcers like John test (if used in hybrid mode). Everything else derived from a dictionary takes just a few more hours. Troy's work underlines how poorly security is implemented by common users and the need for a much more security-educated governance. I hope to be able to convey this message at my next conferences, besides the technicalities of my papers, which are useful and important but not as essential as this message.

“It’s not really important having the most innovative intrusion detection system if the network users adopt weak passwords.”

If you are interested in more detailed results, check out the original post here.