Survey identifies worst password practices

Written by John P Mello Jr on February 9, 2010
20 percent of accounts could be compromised in 5000 attempts.

A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords.

The analysis conducted by the Imperva Application Defense Center discovered that 60 percent of users picked passwords from a limited set of alpha-numeric characters. What’s more, 50 percent of the watchwords were names, slang, dictionary words or trivial passwords, such as 123456 or “Password.”

What distinguishes this study from similar research in the past is that, rather than being based on user surveys, this analysis is based on a database of actual user passwords, which were stolen by a hacker and posted to the Internet as plain text.

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,” the researchers wrote in their white paper.

“Ironically,” they added, “the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.”

When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here’s how the words fared against those benchmarks.

NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the filched watchwords contained seven characters or fewer. What’s more, more than 30 percent of them were six characters or fewer. By comparison, more than 28 percent of the passwords in the mix were longer than eight characters.

In addition to making passwords at least eight characters long, NASA, as well as many security experts, recommends that a watchword be a combination of upper and lower case letters, numbers and special characters, such as !@#$%^&*()+. If there is only one special character, it should not be either the first or last character in the password.

Needless to say, the passwords plucked by the hacker were woefully inadequate in the character choice department. Only 36.94 percent of the watchwords used numbers and letters and a mere 3.81 percent had special characters in them. The largest portion of the passwords (41.69 percent) used only lowercase letters. Another 15.94 percent used only numbers, while 1.62 percent limited their choices to only uppercase letters.

Based on length and character composition, only 0.2 percent of the 32 million passwords in the sample met NASA standards and could be considered strong passwords, the researchers said.

But there’s a third standard. It says passwords should not be a name, slang or word in a dictionary, nor should they include any part of the creator’s name or email address. That’s not the case for the 5000 most popular passwords shared by 20 percent of the users in the database studied by the researchers.
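A checker for the three NASA criteria described above (length, character mix with the lone-special-character rule, and no dictionary word or part of the owner’s name or e-mail), plus the composition buckets the study reports. This is an added example, not code from the study or the article; the COMMON_WORDS list and the SAMPLE passwords are constructed stand-ins, not entries from the breached database.

```python
"""Password-composition classifier illustrating the NASA criteria in the article.
Added example: COMMON_WORDS and SAMPLE are constructed, not study data."""
import re
from collections import Counter

SPECIALS = set("!@#$%^&*()+")  # the special characters named in the article
# Constructed stand-in for a real dictionary / top-5000 list (assumption).
COMMON_WORDS = {"123456", "password", "qwerty", "letmein", "princess"}


def meets_nasa_standard(pw: str, user_email: str = "") -> bool:
    """Length >= 8, all four character classes, a lone special character not at
    either end, and no dictionary word or 3+ char fragment of the owner's e-mail."""
    if len(pw) < 8:
        return False
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    special_positions = [i for i, c in enumerate(pw) if c in SPECIALS]
    if not (has_lower and has_upper and has_digit and special_positions):
        return False
    if len(special_positions) == 1 and special_positions[0] in (0, len(pw) - 1):
        return False
    lowered = pw.lower()
    if lowered in COMMON_WORDS:  # simplification: exact match only
        return False
    for part in re.split(r"[@._-]", user_email.lower()):
        if len(part) >= 3 and part in lowered:
            return False
    return True


def composition(pw: str) -> str:
    """Bucket a password the way the study's breakdown does (buckets are exclusive here)."""
    if any(c in SPECIALS for c in pw):
        return "special"
    if pw.isdigit():
        return "digits-only"
    if pw.isalpha() and pw.islower():
        return "lowercase-only"
    if pw.isalpha() and pw.isupper():
        return "uppercase-only"
    if any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw):
        return "letters+digits"
    return "other"


def breakdown(passwords):
    """Percentage of the sample in each composition bucket."""
    counts = Counter(composition(p) for p in passwords)
    return {k: round(100 * v / len(passwords), 2) for k, v in counts.items()}


SAMPLE = ["123456", "password", "ILOVEYOU", "abc123",
          "Tr0ub4dor&3", "rockyou", "Pass!word1", "!Passw0rd"]  # constructed
```

Run `breakdown(SAMPLE)` to see how a sample splits across the study’s buckets, and `meets_nasa_standard(pw, email)` to test a single candidate against all three criteria.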

If the 5000 top passwords were used by a hacker as the basis for a dictionary to mount a brute force attack, the researchers point out, a single attempt per account would succeed against 0.9 percent of users, or roughly one account for every 111 attempts. Using a DSL connection with an upload rate of 55KBPS and assuming each attempt is 0.5KB in size, a hacker could perform 100 attempts a second at a site. At that rate, about one account would be compromised every second. In 17 minutes, 1000 accounts could be compromised.

But it gets worse, according to the researchers. “After the first wave of attacks,” they observed, “it would only take 116 attempts per account to compromise five percent of the accounts, 683 attempts to compromise 10 percent of accounts and about 5000 attempts to compromise 20 percent of accounts.”

What’s a system administrator to do to avoid this kind of nightmare descending on their organization? The researchers made these recommendations.

  • Enforce a strong password policy. If you give the users a choice, it is very likely that they would choose weak passwords.
  • Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
  • Make sure passwords are not kept in clear text. Always digest passwords before storing to a database.
  • Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slow for any practical purposes even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker such as CAPTCHAs, computational challenges, etc.
  • Employ a password change policy. Trigger the policy either by time or when a system compromise is suspected.
  • Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.