Poor online password practices

The primary method of authentication online still remains the user-id and password. Of these, the password is the more important component, since it is supposed to be known only to the owner. Is that really the case? And even if it is, how easy will it be for someone else to obtain it?

In December 2009, there was a breach at RockYou.com that resulted in a hacker netting just over 32 million email-ids and passwords from the site. The site had a SQL Injection vulnerability that was exploited. To compound the problem, the hacker posted the full list of passwords on the internet, thankfully with no other identifiable information.

The biggest thing that bothers me is not the SQL Injection vulnerability. It is the fact that the passwords were stored in clear text in the database. Every industry standard has been shouting from the rooftops for the last several years that passwords should not be stored in clear text. Yet, RockYou was storing them in clear text. There goes the assumption that only the password’s owner knows it.

The site was guilty on at least three counts:

  1. Having a SQL Injection vulnerability
  2. Storing passwords in clear text
  3. Not enforcing strong passwords

So, how do the users fare? Let’s look at the results of the analysis of the passwords.

  1. 49.4% of the passwords were 7 characters or less.
  2. Very few people (0.2%) used strong passwords that were at least 8 characters long and contained a mix of numbers, upper and lower case letters and special characters.
  3. This is what takes the cake: The most popular password (290,731 occurrences) was “123456”. This was the most popular password in the Hotmail breach too. The rest of the top 20 most popular passwords weren’t too imaginative either. In fact, 502,862 of the passwords in the Top 20 were just sequential numbers.

Note: The data crunching was done by the good folks at Imperva.

It doesn’t seem to require too much effort to guess or crack someone’s password. Of course, there are other hurdles, like account locking after ‘n’ failed login attempts, having to obtain the user-id, etc. But users are not making it too difficult for hackers either. What I would like to know is how many of these users actually went and changed their passwords after this breach.

I have performed assessments of many web applications that have the option of enforcing strong passwords, but do not do so by default. This is prevalent in software that is sold as a service and is either co-branded or private-branded. I am sure we will need more high-profile breaches before websites start enforcing strong passwords consistently.

The thing to note here is that users having strong passwords alone is not enough. A strong password is of no use if a hacker can get it by launching a SQL Injection attack on a website. Websites also need to store passwords securely and make sure that they are not vulnerable to attacks such as SQL Injection, XSS, etc.
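As an added illustration of the two site-side failings discussed above (no strength enforcement, and clear-text storage), here is example code, not RockYou’s or Imperva’s, that enforces the strength criteria used in the analysis (at least 8 characters with digits, upper and lower case, and special characters), flags the “sequential numbers” pattern, and stores a password only as a salted PBKDF2-HMAC-SHA256 hash. The iteration count and the storage format are assumptions for this example, and the password list is constructed, not breach data.

```python
import hashlib
import hmac
import os
import re

# Strength policy from the analysis: >= 8 chars, and at least one digit,
# one upper-case, one lower-case and one special character.
def is_strong(password: str) -> bool:
    if len(password) < 8:
        return False
    classes = [r"[0-9]", r"[A-Z]", r"[a-z]", r"[^0-9A-Za-z]"]
    return all(re.search(c, password) for c in classes)

# "Sequential numbers" as in the Top 20: digits only, each one more than the last.
def is_sequential_digits(password: str) -> bool:
    return (password.isdigit() and len(password) >= 2
            and all(int(b) - int(a) == 1 for a, b in zip(password, password[1:])))

# Tally a password set the way the breach analysis did (7 chars or less,
# strong, sequential). The sample below is constructed for this example.
SAMPLE = ["123456", "12345", "password", "rockyou",
          "iloveyou", "Passw0rd!", "abc123", "123456789"]

def summarize(passwords):
    return {
        "total": len(passwords),
        "short": sum(len(p) <= 7 for p in passwords),
        "strong": sum(is_strong(p) for p in passwords),
        "sequential": sum(is_sequential_digits(p) for p in passwords),
    }

# Storage: never the clear text. Per-user random salt plus a slow KDF, so a
# dumped table does not hand out passwords. Iteration count is an assumed value.
ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison of the recomputed and stored digests.
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```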