A big percentage of people are using easy-to-guess passwords

Sep 16, 2009 12:29 GMT  ·  By

A self-confessed white-hat hacker who recently obtained access to a user database of over 870,000 accounts, with every password stored in plain text, has used it to analyze password strength. The results show that a significant percentage of people still choose passwords that fall to a short dictionary attack of a few thousand guesses, long before any brute-force search of the full key space is needed. The fact that the passwords could be read at all is a second failing on the portal's side: a site should store only salted, deliberately slow password hashes, so that a stolen database yields no plaintext to analyze in the first place.

Tonu Virolaismies Samuel, an Estonian hacker and security enthusiast, released password usage statistics after analyzing real-world data found in a Web portal's database. According to Mr. Samuel, the database held around 734,000 male and 139,000 female users from across the globe.

The analysis revealed that almost 3.5% of users set their publicly visible first name as their password, while 1.6% used their last name. Neither is suitable as a password: both are profile data an attacker can read off the site, so a targeted guess costs nothing. Last names are only marginally better in that there are more distinct ones, which raises the cost of an untargeted guessing run a little; it does nothing against an attacker who has looked at the profile.

By gender, females seem to favor using first names, 4.4% of them doing this compared to 3.2% of men. The situation is different when it comes to last names, with 1.7% of men using theirs as password compared to 1.4% of women.

Other findings: around 0.5% of users combined their first and last name as their password, 0.3% used a telephone number and 0.1% a ZIP code. The most dramatic result, however, is that two percent of all users chose "123456". Put differently, an attacker who tries that single string against every account on the portal, with no knowledge of any individual user, gets into one account in fifty; per-account lockout does not stop a guess that is spread across 870,000 usernames.

But that is not the only easy guess chosen by large numbers of people: 4,545 users (0.5%) used the word "password" itself to log in to their accounts. "12345" was chosen by 0.4% of users, "1234" by 0.33% and "123" by 0.28%. The keyboard walk "qwerty" served as password for 0.2% of users, while 0.17% thought it appropriate to use the Web portal's own name. Taken together, the seven strings listed here already cover close to 4% of all accounts.
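To make the audit concrete, here is an added example, not Samuel's script (the article shows no code), that runs the same checks over a small constructed dump of plaintext records: password equal to the first name, last name, first+last, phone number, ZIP code, one of the article's top strings, or the portal's name, with an overall and per-gender breakdown and the hit rate of the single best guess. The portal name and every user record are made up for the example.

```python
"""Audit a plaintext password dump for the weaknesses the article counts.
Added example; all records below are constructed, not real user data."""
from collections import Counter

# The most-chosen strings reported in the article, in the order given there.
TOP_GUESSES = ("123456", "password", "12345", "1234", "123", "qwerty")
PORTAL_NAME = "example-portal"   # assumed: the article does not name the portal

# Constructed sample of a dump: (first, last, gender, phone, zip, password).
USERS = [
    ("Anna",   "Tamm",   "F", "5551234", "10115", "anna"),            # first name
    ("Mart",   "Saar",   "M", "5559876", "10116", "saar"),            # last name
    ("Kati",   "Kask",   "F", "5550001", "10117", "KatiKask"),        # first + last
    ("Jaan",   "Mets",   "M", "5550002", "10118", "5550002"),         # phone number
    ("Liis",   "Ilves",  "F", "5550003", "10119", "10119"),           # ZIP code
    ("Peeter", "Kukk",   "M", "5550004", "10120", "123456"),          # top guess
    ("Mari",   "Lepp",   "F", "5550005", "10121", "password"),        # top guess
    ("Toomas", "Rebane", "M", "5550006", "10122", "example-portal"),  # portal name
    ("Siim",   "Poder",  "M", "5550007", "10123", "123456"),          # top guess
    ("Helen",  "Kuusk",  "F", "5550008", "10124", "123456"),          # top guess
    ("Kristi", "Oja",    "F", "5550009", "10125", "c9!Kw2p#Lz"),      # no finding
    ("Andres", "Sepp",   "M", "5550010", "10126", "Xr7$mQ2vBn"),      # no finding
]


def classify(first, last, phone, zipcode, password):
    """Return the weakness categories a password falls into (possibly several).
    Comparisons are case-insensitive, as a guessing attack would try both."""
    p = password.lower()
    first, last = first.lower(), last.lower()
    cats = []
    if p == first:
        cats.append("first_name")
    if p == last:
        cats.append("last_name")
    if p in (first + last, last + first):
        cats.append("first_last")
    if p.isdigit() and p == phone:
        cats.append("phone")
    if p.isdigit() and p == zipcode:
        cats.append("zip")
    if p in TOP_GUESSES:
        cats.append("top_guess")
    if p == PORTAL_NAME:
        cats.append("portal_name")
    return cats


def pct(part, whole):
    """Percentage rounded to one decimal, as the article reports it."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def audit(users):
    """Count findings per category, per gender, and the single most common
    password (what an attacker spraying one guess across all accounts gets)."""
    categories = Counter()
    passwords = Counter()
    by_gender = {}
    weak = 0
    for first, last, gender, phone, zipcode, password in users:
        cats = classify(first, last, phone, zipcode, password)
        categories.update(cats)
        passwords[password] += 1
        g = by_gender.setdefault(gender, {"total": 0, "weak": 0})
        g["total"] += 1
        if cats:
            weak += 1
            g["weak"] += 1
    best, hits = passwords.most_common(1)[0]
    return {"total": len(users), "weak": weak, "categories": categories,
            "by_gender": by_gender, "best_single_guess": (best, hits)}


def report(users):
    """Human-readable summary of audit(), one line per statistic."""
    r = audit(users)
    lines = [f"{r['total']} accounts, {r['weak']} "
             f"({pct(r['weak'], r['total'])}%) with a guessable password"]
    for cat, n in sorted(r["categories"].items()):
        lines.append(f"  {cat:12s} {n:4d}  {pct(n, r['total'])}%")
    for gender, g in sorted(r["by_gender"].items()):
        lines.append(f"  gender {gender}: {g['weak']}/{g['total']} weak "
                     f"({pct(g['weak'], g['total'])}%)")
    best, hits = r["best_single_guess"]
    lines.append(f"one guess ({best!r}) opens {hits} accounts "
                 f"({pct(hits, r['total'])}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(USERS))
```

In a properly run site you never hold the plaintext, so the same checks are done the other way round: hash each candidate (the user's own profile fields plus the top-guess list) with the stored salt and compare it with the stored hash. The "one guess" figure is the number to watch, because it is what an attacker gets by spraying a single password across every username without ever touching the lockout threshold of any one account.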

"When it comes to choosing a password, you should always have such statistics in mind," commented Avira's Dirk Knop. "Dictionary attacks are quite usual – with all permutations like word combination, backwards spelling, capital letters in all positions, ‘leet substitution’ (31337) and also adding numbers," he advised. The defense is therefore a password that none of those rules can reach: long, not built from a dictionary word, a name or a personal number, and unique to the site. Mixing uppercase and lowercase letters, digits and unusual characters only helps when they are added to something already unpredictable; a capital letter, a "0" for "o" and a trailing "1" bolted onto a common word are exactly the permutations the attacker tries first.
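The rule families Knop lists are exactly what cracking tools apply to a wordlist. The following is an added example, not Knop's or Avira's code and not from the article: a small rule engine that expands a constructed six-word list by reversal, a capital letter at each position, leet substitution (on up to two letter classes at a time) and appended digits, then does the same for two-word combinations, and reports at which guess number a given password falls. The wordlist, the leet map and the suffix list are assumptions chosen to keep the run small; real rule sets are far larger.

```python
"""Attacker-side password mangling in the style Knop describes: word
combination, backwards spelling, capital letters at each position, leet
substitution and appended numbers. Added example; wordlist, LEET map and
SUFFIXES are constructed and much smaller than a real cracking rule set."""
import itertools

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "secret", "qwerty", "monkey", "letmein", "dragon"]

# Leet substitutions the rules may apply (assumed, typical of cracking rules).
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

# Strings appended after every base form (constructed, deliberately short).
SUFFIXES = ("",) + tuple(str(n) for n in range(10)) + (
    "12", "123", "1234", "!", "1!", "2009")


def capitalisations(word):
    """Lower case first, then one upper-case letter at each position, then all caps."""
    low = word.lower()
    yield low
    for i in range(len(low)):
        yield low[:i] + low[i].upper() + low[i + 1:]
    yield low.upper()


def leet_variants(word, max_classes=2):
    """Apply the LEET map to every subset of at most max_classes letter classes
    (so 'password' yields p4ssword, passw0rd, pa55word, p4ssw0rd, ...)."""
    classes = sorted({c.lower() for c in word if c.lower() in LEET})
    for r in range(min(len(classes), max_classes) + 1):
        for subset in itertools.combinations(classes, r):
            yield "".join(LEET[c.lower()] if c.lower() in subset else c
                          for c in word)


def mangle(word):
    """Every guess derived from one base word, in rule order, without repeats."""
    seen = set()
    for base in (word, word[::-1]):            # plain, then backwards spelling
        for cap in capitalisations(base):
            for variant in leet_variants(cap):
                for suffix in SUFFIXES:
                    guess = variant + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def guesses(wordlist):
    """The full guess stream: single words first, then two-word combinations."""
    bases = list(wordlist) + ["".join(pair)
                              for pair in itertools.permutations(wordlist, 2)]
    for base in bases:
        for guess in mangle(base):
            yield base, guess


def guesses_until(password, wordlist=WORDLIST):
    """Return (guess_number, base_word) if a dictionary attack with these rules
    would hit `password`, or None if it survives the whole stream."""
    for n, (base, guess) in enumerate(guesses(wordlist), start=1):
        if guess == password:
            return n, base
    return None


if __name__ == "__main__":
    for candidate in ("password", "Password", "P4ssw0rd1", "drowssaP!",
                      "monkeydragon123", "Tq8#vLm2zRw"):
        print(f"{candidate!r:20} -> {guesses_until(candidate)}")
```

With this rule set "Password" is guess number 120, and "P4ssw0rd1" and "drowssaP!" both fall inside the stream despite containing mixed case, a digit or a symbol, which is the point of the quote: character-class rules do not help when the base is a dictionary word. For checking a submitted password against a large dictionary at registration time you would invert the rules instead (lower-case it, undo leet substitutions, strip trailing digits, also try it reversed) and look the result up, rather than enumerating the guess stream.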