We harp on the importance of strong passwords a lot here at Lifehacker, and for good reason: it's important, and most people consistently use terrible passwords. The analysis of the 32 million user password breach at RockYou certainly highlights that.
Last December the password database of RockYou — a service that lets people create multimedia slideshows and other media creations for social networks like Facebook — was completely compromised. The login and password information of 32 million users was captured by a single hacker who released the passwords — sans matching logins — to the public.
Security firm Imperva went through all 32 million entries and analysed the passwords. They published their findings in a short paper, "Consumer Password Worst Practices", that highlights the shortcomings of the RockYou users' password selections and laments how little has changed over the years:
In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords. Just ten years ago, hacked Hotmail passwords showed little change. That means that users, if allowed to, will choose very weak passwords even for sites that hold their most private data.
How weak were the RockYou passwords? Almost 300,000 users had the password "123456", and if you count the users from the Top 10 section of the password analysis who used variations of numbers like "12345" and "1234567", the number creeps towards nearly half a million. Astoundingly, 61,958 users had the password "Password", and 22,588 used the name of the service, "rockyou", as their password. Just in case you thought we were overlooking other shockingly bad passwords, "Qwerty" was used by nearly 14,000 users.
So what can you do? Imperva highlights some things you can do to create more secure passwords, but none of what they're saying is reinventing the wheel. It's the same advice that security experts have been giving for decades and users have been ignoring. Nonetheless, it bears repeating, and if you're not doing it right now you need to start:
- Passwords should be longer than six characters and include a mix of uppercase, lowercase and special characters.
- Your password should never be a name, a slang word or any word in the dictionary. It should never include part of your name or your email address.
- Use passphrases instead of passwords. Even if you're limited on the number of characters you can use, turn a long phrase into a jumbled short one. "I like bread and butter, especially at breakfast time." can become "Ilbab$eabt!".
- Use a different password for every single site you access.
The last one is extremely important. RockYou stored all their passwords in plaintext, which isn't — shockingly! — as uncommon as you would think. If your password is compromised because of the stupidity of the people running the service you use, it doesn't matter if you had an awesome password of enormous length and variety. If you use that awesome password on other services, those services have now been compromised too.
If you're freaked out about your crappy passwords — and you should be! — now would be a great time to review eight great KeePass plug-ins to master your passwords, and how your passwords aren't as secure as you think.
You can read more about the RockYou password breach and get more security tips at the link below. Have your own tip or trick for crafting great passwords? Let's hear about it in the comments.