A security researcher who analyzed data from two recently leaked databases concluded that the rate of password reuse is higher than previously believed.Joseph Bonneau, a PhD student with the Security Group at the University of Cambridge Computer Laboratory, analyzed user passwords stolen from Gawker and rootkit.com.
The Gawker user database was leaked by hackers in the first half of December, while the rootkit.com one made its way onto the Internet just recently, after Anonymous hacked HBGary.
The Gawker leak was much bigger, exposing some 1.3 million logins and password hashes, compared to the 81,000 stolen from rootkit.com.
When intersecting the two databases, Bonneau found a number of 522 email addresses registered at both sites. Of those, about 456 were determined to be valid pairs.
"This is about a 1% overlap, small but reasonable given the very different niches of the two websites," he notes.
Both Gawker and rootkit.com employed password hashing algorithms vulnerable to brute forcing attacks. The researcher managed to recover 54% and 44% of the passwords, respectively.
A number of 161 users out of 456 had their passwords cracked in both databases, revealing that 76% used the exact same access code. Furthermore, an additional 6% used passwords that only differed in capitalization.
By accounting for things like the number of non-cracked passwords, and applying some other statistical principles, the researcher came up with a password reuse rate of between 31% (best-case scenario) and 49% (highest estimate).
That's still considerably higher than what previous studies showed. A survey conducted five years ago revealed a rate of 20% and even if we account for a 5% sampling error for the new analysis, there's still at least 6% left unexplained.
"It could be that users are much more likely to reuse a password between Gawker and rootkit.com, since both protect access to forums and are of relatively low value. It could also indicate that password re-use has risen significantly in the past 5 years," Bonneau concluded.