Guess what? It’s happened yet again… people’s personal information, this time on yahoo, has been captured and disclosed. Nearly half a million users’ email addresses and passwords published on the Internet for all to see, admire and use however they want*.
What does this tell us?
- That the people who published these details online are super ninja like Internet assassins who are proving just how clever they are?
- That the company that holds user details in question has poor user security which allows the hackers to grab this important data?
Well yes both of those things and more… it tells us just how blind internet users are when it comes to password security.
Of the 442,837 passwords that were published, the top ten passwords were:
With the age old favorite ‘qwerty’ (the first six letters appearing on the top left letter row of a US keyboard, read left to right) coming in at number 11.
The number of numbers is incredible!
Despite their obvious weakness, numeric only passwords still appear popular and make up nearly 6% of the total with nearly 25% of those being a list of numeric values on the keyboard in order from 1 – 0 such as 123456 or 1234.
Over 220 passwords were single digit passwords and over 90% of those were the number zero.
A similar number of six digit passwords were also ‘very’ obvious such as 121212, 111111, 112233, 123123 and the ingenious 123321.
Oh my word!
The majority of passwords were alpha or ‘letter only’ passwords and a good proportion of those comprised single generic words or names of people.
Many such passwords seem to fall under a variety of themes such as:
• Relationships – Iloveyou, luvu4eva, lovers, precious, #1cheater, Ihatemen
• Sports – Baseball, basketball, football
• Nicknames and names – tigger, babygirl, ginger, booboo
• Religion – Jesus1, iloveallah, blessed, 2jehova, all4jesus, blessingsofallah, blessme
• Exclamations & expletives – whatever!, F**kyou, A**hole
• Advice – trustno1, ingoditrust, no12trust, paymenow
• Challenges: Guesswho, guessthis, youllneverguess, 2hard2guess
And it’s maybe not surprising that nearly 100 passwords were something to do with James Bond 007.
Our favorites were 1stinkyman and dabiggestfoolinport.
Three lessons to be learned
Any security expert will tell you the rules for strong passwords, over and over again, ad infinitum but just because they tell you repeatedly doesn’t mean you can ignore it! Here is a radically abridged version:
- Mix up letter and numbers
- Use a minimum of eight characters
- Do not use real words or sequential numbers e.g. password 1234 5678, but if you must - mix them up e.g. p1a2s3s4w5o6r7d8.
Written by Andy Churley, Marketing Director, NetNames
17 July 2012
*Note: The leaked password file was used by NetNames solely for the purposes of statistical analysis and was securely deleted following completion of the analysis.