Jun 8, 2011 17:59 GMT  ·  By

An analysis of the user database recently leaked from Sony Pictures reveals that consumers have very poor password habits.

Last week, the Lulz Security (LulzSec) hacking outfit broke into SonyPictures.com and obtained access to a database containing over one million accounts.

The hackers leaked a portion of this database and revealed that Sony Pictures stored user passwords in plain text instead of hashing them.

Security researcher Troy Hunt sorted the information and analyzed the resulting 37,608 accounts and passwords.

One of his first findings was that 93% of passwords were between 6 and 10 characters in length. Furthermore, 50% were made up of 8 characters or fewer and 30% had under 6 characters.

This means that even if the passwords had been hashed, most of them would have been susceptible to brute-force recovery in a reasonable amount of time.

Password diversity wasn't any better. Only 4% of passwords used three or more character types, and less than 1% contained non-alphanumeric characters. Many passwords were words or common combinations found in any decent brute-force dictionary.

When it comes to password reuse, the researcher compared the Sony Pictures accounts to the ones leaked from Gawker last year. Only 88 accounts matched, but two-thirds of those had the same password in both Sony's and Gawker's databases. That's a very high password reuse rate, even for a small sample.
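The three measurements described above (length distribution, character-type diversity and cross-site reuse) are easy to reproduce over any plaintext dump an organisation finds itself having to assess after a breach. The script below is an added example, not Hunt's tooling or anything from the leaked data; the account records, the two "site" lists and the small dictionary of common words are all constructed for the example, and the percentages it reports are for that constructed sample only.

```python
import re

# Constructed sample standing in for a leaked plaintext dump (email, password).
# Every record here is invented; none comes from a real breach.
SITE_A = [
    ("alice@example.com", "password"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "Sunshine1"),
    ("dave@example.com", "qwerty"),
    ("erin@example.com", "Tr0ub4dor&3"),
    ("frank@example.com", "letmein"),
    ("grace@example.com", "abc"),
    ("heidi@example.com", "correcthorsebatterystaple"),
]

# Second constructed dump (a different site) used for the reuse comparison.
SITE_B = [
    ("alice@example.com", "password"),   # same password as on SITE_A
    ("carol@example.com", "Sunshine1"),  # same password as on SITE_A
    ("dave@example.com", "qwerty2"),     # changed between the two sites
    ("zed@example.com", "hunter2"),      # account only exists on SITE_B
]

# Tiny stand-in for a brute-force wordlist (constructed, not a real list).
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "hunter2"}

NON_ALNUM = re.compile(r"[^a-zA-Z0-9]")


def char_classes(pw):
    """Count how many of the four character types a password draws from."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"):
        if re.search(pattern, pw):
            classes += 1
    return classes


def length_stats(records):
    """Fractions of passwords in the length bands the analysis above uses."""
    lengths = [len(pw) for _, pw in records]
    n = len(lengths)
    return {
        "six_to_ten": sum(6 <= l <= 10 for l in lengths) / n,
        "eight_or_fewer": sum(l <= 8 for l in lengths) / n,
        "under_six": sum(l < 6 for l in lengths) / n,
    }


def diversity_stats(records):
    """Fractions with 3+ character types, with symbols, and found in the wordlist."""
    n = len(records)
    return {
        "three_plus_classes": sum(char_classes(pw) >= 3 for _, pw in records) / n,
        "non_alphanumeric": sum(bool(NON_ALNUM.search(pw)) for _, pw in records) / n,
        "dictionary_word": sum(pw.lower() in COMMON_WORDS for _, pw in records) / n,
    }


def reuse_stats(records_a, records_b):
    """Join two dumps on email address and measure identical-password reuse."""
    a, b = dict(records_a), dict(records_b)
    shared = set(a) & set(b)
    reused = sum(a[email] == b[email] for email in shared)
    return {
        "matched_accounts": len(shared),
        "same_password": reused,
        "reuse_rate": reused / len(shared) if shared else 0.0,
    }


if __name__ == "__main__":
    for name, stats in (("length", length_stats(SITE_A)),
                        ("diversity", diversity_stats(SITE_A)),
                        ("reuse", reuse_stats(SITE_A, SITE_B))):
        print(name)
        for key, value in stats.items():
            print(f"  {key}: {value:.3f}" if isinstance(value, float) else f"  {key}: {value}")
```

The reuse check joins on email address only, which is what makes comparing two unrelated dumps possible; in a real assessment the same join is what tells a defender which of their own users need a forced reset because their credentials are already circulating from someone else's breach.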

"There's a statistically good chance that the majority of them will work with other websites. How many Gmail or eBay or Facebook accounts are we holding the keys to here? And of course 'we' is a bit misleading because anyone can grab these off the net right now. Scary stuff," Hunt says.

Security experts have promoted good password practices for years, but most of these recommendations are not user-friendly because they make access codes hard to remember and manage. This is why two-factor authentication solutions like those recently introduced by Google and Facebook represent a viable alternative.