Saturday, September 29, 2007

Your Online Security At Risk: Are You Smarter Than A Fifth Grader?

We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security? The reality is that passwords have outlived their usefulness as a serious security device. So, just how good are the passwords people are choosing to protect their computers and online accounts? It's a hard question to answer because data is scarce.

A recent phishing attack against MySpace exposed 34,000 real user names and passwords, which gives us some. The attack was pretty basic: the attackers put up a fake MySpace login page and collected credentials when users thought they were logging in to their own account on the site. The data was forwarded to various compromised web servers, where the attackers would harvest it later. MySpace estimates that more than 100,000 people fell for the attack before it was shut down. Analysis of the captured data showed that 65 percent of passwords were eight characters or fewer and 17 percent were six characters or fewer; the average password was eight characters long.

While 81 percent of passwords were alphanumeric (a mix of letters and digits), 28 percent were just lowercase letters plus a single final digit, and two-thirds of those ended in the digit 1. Only 3.8 percent of passwords were a single dictionary word, and another 12 percent were a single dictionary word plus a final digit; once again, two-thirds of the time that digit was 1. Hmmm.
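The breakdown above is easy to reproduce over any password list. The following is an added example, not code from the original post and not the analysis MySpace or the author ran: it computes the same kinds of statistics (length distribution, "lowercase plus final digit", "dictionary word plus digit", and how often that final digit is 1) over a small constructed sample with a tiny constructed wordlist. The sample strings, the wordlist and the category definitions are assumptions for illustration; a real run would use the leaked list and a full dictionary.

```python
# Added example, not code from the original post. Sample and wordlist are
# CONSTRUCTED for illustration; neither is MySpace data.
import re

SAMPLE = [  # constructed: a few of the post's top-20 strings plus made-up extras
    "password1", "abc123", "myspace1", "password", "blink182", "qwerty1",
    "baseball1", "football1", "123456", "soccer", "monkey1", "liverpool",
    "princess1", "jordan23", "iloveyou1", "monkey", "superman2",
    "Tr0ub4dor&3", "x7Q!pL", "hockey3",
]

# Constructed stand-in for a real dictionary (a real run would use a full wordlist).
DICTIONARY = {
    "password", "monkey", "soccer", "liverpool", "princess", "baseball",
    "football", "qwerty", "superman", "jordan", "hockey",
}

LOWER_PLUS_DIGIT = re.compile(r"[a-z]+[0-9]")  # e.g. "monkey1": lowercase only, one final digit


def is_mixed_alnum(pw):
    """Letters and digits only, with at least one of each (the post's 'alphanumeric')."""
    return pw.isalnum() and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def is_lower_plus_digit(pw):
    return LOWER_PLUS_DIGIT.fullmatch(pw) is not None


def is_dict_word(pw, words=DICTIONARY):
    return pw in words


def is_dict_word_plus_digit(pw, words=DICTIONARY):
    return len(pw) > 1 and pw[-1].isdigit() and pw[:-1] in words


def _pct(hits, total):
    return 100.0 * hits / total if total else 0.0


def summarize(passwords, words=DICTIONARY):
    """Percentages in the style of the post. The final-digit shares are taken
    within the matching group, as the post's 'two-thirds of those' are."""
    n = len(passwords)
    lengths = [len(p) for p in passwords]
    lower_digit = [p for p in passwords if is_lower_plus_digit(p)]
    dict_digit = [p for p in passwords if is_dict_word_plus_digit(p, words)]
    return {
        "avg_len": sum(lengths) / n,
        "pct_len_le_8": _pct(sum(l <= 8 for l in lengths), n),
        "pct_len_le_6": _pct(sum(l <= 6 for l in lengths), n),
        "pct_mixed_alnum": _pct(sum(map(is_mixed_alnum, passwords)), n),
        "pct_lower_plus_digit": _pct(len(lower_digit), n),
        "pct_dict_word": _pct(sum(is_dict_word(p, words) for p in passwords), n),
        "pct_dict_word_plus_digit": _pct(len(dict_digit), n),
        "share_final_1_in_lower_plus_digit": _pct(
            sum(p.endswith("1") for p in lower_digit), len(lower_digit)),
        "share_final_1_in_dict_plus_digit": _pct(
            sum(p.endswith("1") for p in dict_digit), len(dict_digit)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:36s} {value:6.2f}")
```

The categories overlap by design (a dictionary word plus digit is also "lowercase plus final digit" and also alphanumeric), which is why each is computed as an independent predicate rather than as exclusive classes; the post's own percentages overlap the same way.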

So, are your own passwords this simplistic? This list surely has a lot to do with the average age of MySpace users, but if you recognize yourself here, it's time to change more than your final digit. The top 20 passwords are (in order):

password1
abc123
myspace1
password
blink182
qwerty1
fuckyou
123abc
baseball1
football1
123456
soccer
monkey1
liverpool
princess1
jordan23
slipknot1
superman1
iloveyou1
monkey

The most common password, "password1," was used in 0.22 percent of all accounts. For those who don't know, Blink 182 is a band. Presumably lots of people use the band's name because it has numbers in it and therefore seems like a good password. The band Slipknot doesn't have any numbers in its name, which explains the 1. The password "jordan23" refers to basketball player Michael Jordan and his jersey number. And, of course, "myspace" and "myspace1" are easy-to-remember passwords for a MySpace account. I don't know what the deal is with monkeys.

But for many of you, passwords are getting better. I'm impressed that fewer than 4 percent are now bare dictionary words and that the great majority are at least alphanumeric. Writing in 1989, Daniel Klein was able to crack 24 percent of his sample passwords with a small dictionary of just 63,000 words! In 1992 Gene Spafford cracked 20 percent of passwords with his dictionary, and found an average password length of 7 characters. The concept of choosing good passwords is getting through, at least a little.

On the other hand, the MySpace demographic is pretty young. A password study in November looked at 200 corporate employee passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.

Over the years, password crackers have been getting faster and faster. Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize. Those lines crossed years ago, and typical real-world passwords are now software-guessable. AccessData's Password Recovery Toolkit would have been able to crack 23 percent of the MySpace passwords in 30 minutes, 55 percent in 8 hours.
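Why those rates matter is easiest to see with a cracker's own approach: a wordlist expanded by mangling rules covers "word plus a digit" almost instantly, while a random password of the same length does not fall. The block below is an added example, not code from the original post and not AccessData's tool; the wordlist, the rule set, the target strings and the 100 million guesses/second figure are all illustrative assumptions chosen to match the numbers the paragraph above quotes.

```python
# Added example, not code from the original post and not AccessData's product.
# A toy hybrid (wordlist + mangling rules) guesser of the sort crackers use.
# WORDS, YEARS, SUFFIXES, the targets and the guess rate are ASSUMPTIONS.

WORDS = ["password", "monkey", "soccer", "liverpool", "princess", "baseball",
         "football", "qwerty", "superman", "jordan", "hockey"]  # constructed

YEARS = [str(y) for y in range(1990, 2010)]  # assumed "word + year" rule
SUFFIXES = ["!", "123"]                        # assumed extra suffix rules


def mangle(word):
    """Yield the variants one simple rule set derives from a single word."""
    bases = []
    for b in (word, word.capitalize(), word.upper()):
        if b not in bases:  # a one-letter word would collapse these
            bases.append(b)
    for base in bases:
        yield base                       # the bare word
        for d in "0123456789":
            yield base + d               # word + one digit ("password1")
        for year in YEARS:
            yield base + year            # word + year ("Football1999")
        for s in SUFFIXES:
            yield base + s               # word + "!" / "123"


def candidates(words=WORDS):
    """All guesses in rule order, de-duplicated."""
    seen = set()
    for w in words:
        for c in mangle(w):
            if c not in seen:
                seen.add(c)
                yield c


def run_attack(targets, words=WORDS):
    """Return {target: guess_number} for every target the rule set reaches.
    Targets are compared as plaintext here; a real offline attack hashes each
    candidate with the stored algorithm and compares digests instead."""
    wanted = set(targets)
    found = {}
    for i, c in enumerate(candidates(words), start=1):
        if c in wanted:
            found[c] = i
            if len(found) == len(wanted):
                break
    return found


def brute_keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search of that alphabet/length needs."""
    return alphabet_size ** length


def seconds_to_exhaust(n_guesses, guesses_per_second):
    return n_guesses / guesses_per_second


if __name__ == "__main__":
    rate = 1e8  # assumed: 100 million guesses/second, the upper figure the post cites
    targets = ["password1", "Superman2008", "FOOTBALL!", "jordan23", "x7Q!pL"]
    n = sum(1 for _ in candidates())
    print(f"{n} hybrid candidates, {seconds_to_exhaust(n, rate):.6f} s to exhaust")
    print("cracked:", run_attack(targets))
    days = seconds_to_exhaust(brute_keyspace(62, 8), rate) / 86400
    print(f"62^8 random alphanumeric: {days:.1f} days at the same rate")
```

With eleven words and this rule set there are 1,089 candidates, exhausted in about ten microseconds at 10^8 guesses/second, and "password1", "Superman2008" and "FOOTBALL!" all fall; "jordan23" survives only because no rule appends "23", which a real rule set would. The 62^8 space for a random 8-character alphanumeric is about 2.2 × 10^14 candidates, roughly 25 days at the same rate. That gap between what people choose and what the search actually has to cover is the crossing of lines the paragraph above describes.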

Passwords can still work if you can prevent offline password-guessing attacks (which means keeping the password database, hashed or not, out of attackers' hands, since the cracking rates above only apply to an attacker holding that data) and if you rate-limit and watch for online guessing against the login page. They're also fine in low-value security situations, or if you choose really complicated passwords. But otherwise, security by password alone is pretty risky. I guess it's time to change to password2!