Password security

Or the lack of it… The website rockyou.com was recently cracked and its entire user password file, containing 32 million passwords, was published. Imperva got hold of it, did some stats work on it, and made a short report. Most of what you need to know about it, however, is the 10 most common passwords it contained, in order:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

With regard to password length, 49.4% of the passwords were less than 8 characters long. 18.51% were 10 characters long or more (in other words, of decent strength).

A similar finding was published last summer for Hotmail passwords. Even then, it’s nothing new; lax attention to password strength has been common at least since the wider popularization of the web, and this is central to the security nightmare that being hooked up to the net can be if you’re a provider of some sort.

I’m not opposed to service providers of whatever sort demanding recovery fees for folks who compromise their accounts using idiotically weak passwords, the same way I’m not opposed to insurers refusing to compensate homeowners who consider a bar on the door as having secured their home sufficiently when they leave and later come home to find it burgled.
