Thursday, December 21, 2006

Passwords in the hands of users.

I've talked a couple of times about passwords, how strong they should be, how to strengthen them for that matter, etc. But when it comes to the average user what does he use as a password and how does he understand the whole concept?

There's an interesting article by Bruce Schneier on his weblog. The moment I saw it I had a feeling of déjà vu. I quickly searched through this blog to see whether I'd already covered it, but I hadn't. So I guess the feeling comes from this being a constant issue that's been around for years.

The article is based on research by some people who set up a fake MySpace login site and harvested actual user passwords. They then ran a couple of tests on those passwords and presented the results.

So 23% and 25% of them were 7 and 8 characters long respectively, which is good. It means people have realized that just because your password is secret to everyone else doesn't mean it can be three letters long, since the attacker can always start guessing.

Also, an impressive 81% use both letters and numbers, although 28% of them are just lowercase letters followed by a single digit. That might have been sufficient if over 90% of them weren't dictionary words or names followed by a number, like "book2", "label7", etc.

Finally, the most common password was "password1" which is relatively good considering that a few years back it was just "password". So things are slowly getting better :)
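To make the point behind these numbers concrete, here is a small Python script I am adding as an example (it is not part of the post or of the research it cites). It buckets passwords into the patterns the post describes and estimates how many guesses an attacker who knows the pattern would need, so you can see why "book2" is weaker than its length suggests. The word list, its assumed size of 50,000 entries, and the sample passwords are all constructed for the example; a real check would load a full word list and use its actual size.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a cracking word list (assumption: a real check
# would load e.g. /usr/share/dict/words and use its real size below).
WORD_LIST = {"book", "label", "password", "dragon", "summer", "house", "monkey"}
WORD_LIST_SIZE = 50_000  # assumed size of a typical word list

# Constructed sample set, shaped like the patterns the post mentions.
SAMPLE_PASSWORDS = [
    "book2", "label7", "password1", "monkey12",   # word + digits
    "xkqzpw3",                                    # random lowercase + digit
    "Tr0ub4dr",                                   # mixed letters and digits
    "123456",                                     # digits only
    "dragon",                                     # bare dictionary word
]


def classify(pw):
    """Return (pattern name, estimated guess space) for one password.

    The guess space is what an attacker who knows the pattern must search:
    a word-list entry plus a digit suffix is tiny compared with 26**8.
    """
    m = re.fullmatch(r"([a-z]+)(\d+)", pw)
    if m:
        word, digits = m.groups()
        if word in WORD_LIST:
            # every word-list entry combined with every digit suffix
            return "word+digits", WORD_LIST_SIZE * 10 ** len(digits)
        return "lower+digits", 26 ** len(word) * 10 ** len(digits)
    if re.fullmatch(r"[a-z]+", pw):
        if pw in WORD_LIST:
            return "word", WORD_LIST_SIZE
        return "lower", 26 ** len(pw)
    if re.fullmatch(r"\d+", pw):
        return "digits", 10 ** len(pw)
    if re.fullmatch(r"[A-Za-z0-9]+", pw):
        return "alnum", 62 ** len(pw)
    return "other", 95 ** len(pw)  # printable ASCII


def guess_bits(pw):
    """Effective strength in bits given the pattern-aware guess space."""
    return math.log2(classify(pw)[1])


def summarize(passwords):
    """Percentages in the spirit of the statistics quoted in the post."""
    n = len(passwords)
    lengths = Counter(len(p) for p in passwords)
    patterns = Counter(classify(p)[0] for p in passwords)
    letters_and_digits = sum(
        1 for p in passwords
        if re.search(r"[A-Za-z]", p) and re.search(r"\d", p)
    )
    return {
        "len7_pct": 100 * lengths[7] / n,
        "len8_pct": 100 * lengths[8] / n,
        "letters_and_digits_pct": 100 * letters_and_digits / n,
        "word_plus_digits_pct": 100 * patterns["word+digits"] / n,
    }


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        name, space = classify(pw)
        print(f"{pw:10} {name:13} ~{space:.3g} guesses ({guess_bits(pw):.1f} bits)")
    print(summarize(SAMPLE_PASSWORDS))
```

The interesting comparison is "monkey12" against "Tr0ub4dr": both are 8 characters and both mix letters and digits, but the first is a word-list entry plus two digits and sits in a space of about five million guesses, while the second is a search over roughly 62**8. Length and character-class rules alone do not capture that difference; a registration-time check that looks for the word-plus-number pattern does.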

At this point I feel obligated to raise a question: do we need stronger passwords, or just an alternative to all of this?

Think about it. I'll get back on this...

