Thursday, November 21. 2013
I keep telling people in my PHP security seminars that they should not allow weak passwords for user accounts. There are numerous ways to check for weak passwords, from preg_match to ext/cracklib.
I usually take passwords like “password” or “123456” as an example, because anecdotally these are notorious examples of bad passwords. However, I always felt in the back of my head that the empirical evidence for these examples was a little bit lacking.
The recent breach at Adobe (the password field turned out to be encrypted with 3DES in ECB mode rather than hashed, so identical passwords produced identical ciphertext and could be counted without ever being decrypted) exposed over 150 million records together with clear-text password hints, which some clever people used to work out the most common passwords. The list at the end of this entry contains the top 100 passwords and comes from the Stricture Group. I’m afraid it might be DMCAed down at some point, so I’m mirroring it here.
So, let’s see what we have here:
Oh...kay... About two million users, roughly 1.5% of the total user base, chose “123456” as their password. We can assume that this percentage is fairly close to the actual Internet-wide value, since, if anything, Adobe users are probably a bit more tech-savvy than the average Internet user (although this list makes me doubt that assumption).
In other words, if you pick any account on any given web site and try the password “123456”, there is roughly a 1.5% chance of guessing right on the first try, provided the site does not block such passwords. That is the whole economics of online guessing: an attacker does not need to crack anything, just try the handful of most common passwords against a large number of accounts.
There are a few other gems in that top 100, for example the more than 21,000 people who like to type “fuckyou” into their Adobe login.
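As an added example (not code from the original post), here is how the preg_match approach mentioned at the top can be combined with a blocklist built from exactly this kind of leaked top-N list. The function names (`weakPasswordReasons`, `normalize`), the `MIN_LENGTH` constant and the short `BLOCKLIST` sample are my assumptions; the sample only contains entries the post itself names, and a real deployment would load the full top 100 (or a much larger list) from a file. ext/cracklib is not used here, so the example has no extension dependency.

```php
<?php
// Added example, not from the original post. A weak-password check that
// combines a leaked-password blocklist with simple preg_match() rules.
declare(strict_types=1);

const MIN_LENGTH = 8; // assumed policy value

// Constructed sample built from entries the post names. In production load the
// full list, e.g. file('adobe-top100.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES).
const BLOCKLIST = ['123456', 'password', '12345678', 'fuckyou', 'soccer', 'football'];

/**
 * Normalise a candidate the way cracking rules do before comparing it with a
 * leaked list: lower-case, then strip trailing digits and common symbols, so
 * "Password1!" is treated as "password".
 */
function normalize(string $pw): string
{
    $lower = strtolower($pw);
    return preg_replace('/[0-9!@#$%^&*.]+$/', '', $lower) ?? $lower;
}

/**
 * Returns the list of reasons a password is weak; an empty array means accepted.
 * Returning all reasons (rather than the first) gives the user actionable feedback.
 */
function weakPasswordReasons(string $pw, array $blocklist = BLOCKLIST): array
{
    $reasons = [];

    if (strlen($pw) < MIN_LENGTH) {
        $reasons[] = sprintf('shorter than %d characters', MIN_LENGTH);
    }
    if (preg_match('/^\d+$/', $pw)) {              // 123456, 111111
        $reasons[] = 'digits only';
    }
    if (preg_match('/^[a-z]+$/i', $pw)) {          // password, soccer
        $reasons[] = 'letters only';
    }
    if (preg_match('/^(.)\1+$/', $pw)) {           // aaaaaa, 111111
        $reasons[] = 'a single repeated character';
    }

    // Exact and normalised lookups against the blocklist; hash-keyed for O(1).
    $lookup = array_fill_keys(array_map('strtolower', $blocklist), true);
    if (isset($lookup[strtolower($pw)]) || isset($lookup[normalize($pw)])) {
        $reasons[] = 'appears in the leaked-password blocklist';
    }

    return $reasons;
}

// Usage with constructed inputs.
foreach (['123456', 'Password1!', 'fuckyou', 'correct horse battery staple'] as $candidate) {
    $reasons = weakPasswordReasons($candidate);
    printf("%-30s %s\n", $candidate,
        $reasons ? 'REJECT: ' . implode(', ', $reasons) : 'ok');
}
```

The normalisation step matters: a blocklist of exact strings catches “password” but not “Password1!”, which is what users type when a policy merely demands a digit and a symbol. Stripping the suffix before the lookup closes that gap for the most common mangling, at the cost of rejecting a few borderline choices. For a production check, the full top-N list should be loaded from a file and the exact/normalised lookup kept as above.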
Another fairly recent breach is the one at Cupid Media, an Australian dating site; Brian Krebs has a very good write-up on it.
The top passwords Krebs lists for Cupid Media are dominated even more heavily by plain digit strings than Adobe’s. This might be because the Cupid websites are accessed more often from mobile devices, whose often rather crude keyboards make alphanumeric passwords harder to type than simple digit strings.
Here’s the full top 100 from Adobe, with thanks to the Stricture Group.
Top 100 Adobe Passwords with Count
I do agree with all the ideas you have offered in your post. They’re very convincing and will certainly work. Still, the posts are very quick for newbies. Could you please prolong them a little next time? Thank you for the post.
I think the most important lesson we’ve learnt from this leak is “soccer beats football” (52 vs 59).