New study highlights weak password policies

A recent data breach study has turned up damning evidence on user-selected passwords.

Research firm Imperva conducted the study following a massive data breach at social networking site RockYou that made more than 32 million user passwords public. By analysing the leaked data, researchers concluded that users are still selecting passcodes that are easily guessed.

The study found that roughly one fifth of users had selected passwords which were amongst the 50,000 most common on the web. Among the most common were basic numerical sequences.

Nearly 300,000 of the compromised accounts used "123456" as a password, while an additional 79,078 selected "12345" and 76,790 users had "123456789" as their password. Other commonly used passwords were "password", "iloveyou", and " princess".

By selecting such widely used passwords, users are leaving their accounts easily accessible to data harvesting, Imperva said. The report suggested that by using an automated "brute force" tool based on the 50,000 common passwords list, an attacker could have harvested over 1,000 account credentials in less than 17 minutes.

"This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data," said Imperva.

"Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk."

The report was quickly picked up by authentication vendors such as Verisign to show the need for additional account protections such as randomly-generated codes.

"The shortcomings of weak passwords and the need for stronger authentication solutions are becoming more and more evident," a company spokesperson told V3.co.uk.

"One-time passwords via two-factor authentication provides a critical layer of security to counter such threats.”

Others in the security community suggested stepping up enforcement of best practices. Gartner vice president and Research Fellow John Pescatore suggested in a blog posting that administrators should prod users to strengthen their logins.

"The passwords users create are the equivalent of them choosing front door locks that open with skeleton keys," Pescatore wrote.

"Now, we will be stuck with passwords for a long time and since users will complain no matter what we do to enforce password discipline, this little exercise points out we should focus on annoying users by requiring strong passwords vs. frequently changed passwords."