We All Suck at Passwords

You're mad at Sony. We get it. But it turns out that users really aren't much better at abiding by best security practices, according to software architect Troy Hunt's quick parse of the account info released by LulzSec.

Of the 37,608 released passwords, only 4% had three or more character types, with half made up of just one character type. Of that half, 90% used all lowercase. Less than 1% of all users used even a single non-alphanumeric character. Among the accounts that made appearances in both Sony directories, 92%(!!) reused their password. And to hammer home the point, Hunt makes a callback to Gawker's brush with the Hacker Kingdom to report that a full 67% of shared users used an identical password in the Gawker and Sony systems.
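The kind of audit Hunt ran (character-class breakdown plus cross-directory reuse) is easy to reproduce against your own breach dump or password-reset export. The script below is an added example, not Hunt's code or anything from the article; the two "directories" are constructed sample data, and the class definitions (lower, upper, digit, symbol) are an assumption about how the original tally was done.

```python
import string

# Constructed sample data: two site directories mapping account -> password.
# These are made-up entries for illustration, not data from any real breach.
SITE_A = {
    "alice@example.com": "sunshine",
    "bob@example.com": "Password1",
    "carol@example.com": "Tr0ub4dor&3",
    "dave@example.com": "123456",
    "erin@example.com": "letmein",
    "frank@example.com": "qwerty",
}
SITE_B = {
    "alice@example.com": "sunshine",
    "bob@example.com": "Password1",
    "carol@example.com": "different!pw",
    "frank@example.com": "qwerty",
    "grace@example.com": "MONKEY",
}

# Assumed character classes; the article does not say how Hunt defined them.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes(password):
    """Return the set of character-class names present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def audit(passwords):
    """Compute the same percentages the article quotes, over a list of passwords."""
    n = len(passwords)
    classes = [char_classes(p) for p in passwords]
    one_type = [c for c in classes if len(c) == 1]
    return {
        "count": n,
        "three_plus_types_pct": 100 * sum(len(c) >= 3 for c in classes) / n,
        "one_type_pct": 100 * len(one_type) / n,
        # Of the single-class passwords, how many are purely lowercase?
        "one_type_all_lower_pct": 100 * sum(c == {"lower"} for c in one_type) / max(len(one_type), 1),
        "any_symbol_pct": 100 * sum("symbol" in c for c in classes) / n,
    }


def reuse_rate(dir_a, dir_b):
    """Percentage of accounts present in both directories that use the same password.

    Returns (percentage, number_of_shared_accounts).
    """
    shared = set(dir_a) & set(dir_b)
    if not shared:
        return 0.0, 0
    reused = sum(dir_a[u] == dir_b[u] for u in shared)
    return 100 * reused / len(shared), len(shared)


if __name__ == "__main__":
    for key, value in audit(list(SITE_A.values())).items():
        print(f"{key}: {value:.1f}" if isinstance(value, float) else f"{key}: {value}")
    pct, shared = reuse_rate(SITE_A, SITE_B)
    print(f"reuse across directories: {pct:.1f}% of {shared} shared accounts")
```

Run it against a real export by replacing the two dicts with account-to-password maps; the reuse check only needs the account identifier to match across both sources, which is why Hunt could compare Sony against Gawker by e-mail address.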


Thanks for bringing back the fuzzy memories, Troy. Now if you'll excuse me, I have a date with a random character generator. [Troy Hunt via Hacker News]


*sigh* No discussion on how complex the passwords actually are? What is the average length? How many of those passwords are made up of dictionary words?

An even *cooler* comparison would be to check and see how many of those passwords were listed in popular downloadable rainbow tables, or which are particularly susceptible to dictionary-based attacks.

Personally, I just like to use *really long* passwords that are made up of all lowercase letters. 26^15 is much, much more complex than 8^96. (My current password is 15 characters long, all lowercase. That's compared to an 8 character password that uses a combination of symbols, upper and lower case, and numbers, to force a potential brute forcer to need to check against every typeable character.)

But no. Every single security site out there seems to agree that the trick to a secure password is just to increase the character set without increasing the length. What good is a complex password that I have to write down because I can't remember it, or that I have to use some offline password-remembering program for? That's just one more easy way for someone to steal my password.

If it's in my head, they can't very well steal it from me, so I'll always prefer to use long, but relatively simple passwords that (1) I can remember easily, (2) I can modify to match the site I'm on based on some simple criteria, and (3) are mostly nonsense that other people would not logically associate with me based on personal criteria. Can't that be enough?
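The comment above compares search spaces for a long lowercase password versus a short full-character-set one, and the earlier reply asks for average length and dictionary-word counts. The block below is an added example (not the commenter's code) that carries that arithmetic through as a function of character-set size and length, and adds the two missing corpus statistics. The password list and wordlist are constructed samples, and the "strip trailing digits before the dictionary lookup" rule is an assumption about how a simple dictionary check would be done.

```python
import math

# Constructed sample corpus and wordlist for illustration only.
SAMPLE_PASSWORDS = ["sunshine", "letmein", "monkey7", "Tr0ub4dor&3", "correcthorsebatterystaple"]
SAMPLE_WORDLIST = {"sunshine", "letmein", "monkey", "password"}


def search_space(charset_size, length):
    """Number of candidate strings a brute-force search must cover: charset^length."""
    return charset_size ** length


def bits(charset_size, length):
    """Same quantity expressed as bits, i.e. length * log2(charset_size)."""
    return length * math.log2(charset_size)


def average_length(passwords):
    """Mean password length over the corpus."""
    return sum(len(p) for p in passwords) / len(passwords)


def dictionary_fraction(passwords, wordlist):
    """Fraction of passwords that are a dictionary word, case-insensitively,
    optionally followed by trailing digits (assumed normalisation rule)."""
    hits = 0
    for p in passwords:
        base = p.lower().rstrip("0123456789")
        if base in wordlist:
            hits += 1
    return hits / len(passwords)


def compare_policies():
    """The two policies from the comment: 15 lowercase letters vs 8 chars from 96 printable."""
    return {
        "lower15": (search_space(26, 15), bits(26, 15)),
        "full8": (search_space(96, 8), bits(96, 8)),
    }


if __name__ == "__main__":
    for name, (space, b) in compare_policies().items():
        print(f"{name}: {space:.3e} candidates, {b:.1f} bits")
    print(f"average length: {average_length(SAMPLE_PASSWORDS):.1f}")
    print(f"dictionary fraction: {dictionary_fraction(SAMPLE_PASSWORDS, SAMPLE_WORDLIST):.2f}")
```

The bit figures only describe resistance to exhaustive search; a password that is a dictionary word falls to a wordlist run long before its nominal search space matters, which is why the dictionary fraction is the more useful number when auditing a real corpus.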