Report on RockYou SQL flaw reveals weak passwords were being used to login to the social networking site

News by Dan Raywood

The most commonly used passwords are often the easiest to remember.

Following the SQL flaw in the social networking site that could have allowed hackers to access the database's 32 million entries of user names and passwords, Imperva has analysed those passwords in a report and found that they are often easy to guess.

The report identifies that the most commonly used passwords are combinations of numbers such as 123456, the words ‘password’ or ‘rockyou’, or a phrase such as ‘iloveyou’ or ‘princess’.

The study revealed that the shortness and simplicity of passwords means many users select credentials that leave them susceptible to a basic form of cyber attack known as a ‘brute force attack’.

Amichai Shulman, CTO of Imperva, said: “Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second - or 1,000 accounts every 17 minutes.

“The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine.”
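To make the analysis behind these findings concrete, here is an added Python example (not Imperva's or RockYou's code) that ranks the passwords in a constructed sample dump, measures how much of the user base the most common entries cover, converts that coverage into expected successes per login guess, and screens a new password against the top of the list. The sample values are made up, and the per-guess rate model in `accounts_per_guess` is an assumption, not the report's method.

```python
from collections import Counter

# Constructed sample of leaked plaintext passwords (NOT the real RockYou data),
# skewed the way the report describes: a few trivial choices cover many accounts.
SAMPLE_DUMP = (
    ["123456"] * 40 + ["password"] * 20 + ["rockyou"] * 15 + ["iloveyou"] * 12
    + ["princess"] * 8 + ["abc123"] * 5
    + [f"Tq7#vL{i}pZ!m" for i in range(100)]  # 100 unique, long, mixed-class passwords
)

def password_frequencies(dump):
    """Rank distinct passwords by the number of accounts using each one."""
    return Counter(dump).most_common()

def coverage_of_top_k(dump, k):
    """Fraction of accounts that fall to an online guesser who tries only the
    k most common passwords against every account (the exposure the report measures)."""
    hits = sum(count for _, count in password_frequencies(dump)[:k])
    return hits / len(dump)

def accounts_per_guess(dump, k):
    """Assumed rate model: average successes per login attempt when the attacker
    cycles the top-k list per account, i.e. k attempts per account buy
    coverage_of_top_k(dump, k) successes. Multiply by the attempts per second a
    site allows to get compromised accounts per second."""
    return coverage_of_top_k(dump, k) / k

def share_at_most_length(dump, n):
    """Fraction of passwords of n characters or fewer (the 'shortness' finding)."""
    return sum(1 for pw in dump if len(pw) <= n) / len(dump)

def is_blocklisted(candidate, dump, k=5):
    """Defensive screen at password-set time: reject a candidate that appears in
    the top-k leaked list (a production deployment would use the full list)."""
    top = {pw for pw, _ in password_frequencies(dump)[:k]}
    return candidate.lower() in top

if __name__ == "__main__":
    for pw, count in password_frequencies(SAMPLE_DUMP)[:5]:
        print(f"{pw:<10} {count:>4} accounts")
    print(f"top-5 coverage:       {coverage_of_top_k(SAMPLE_DUMP, 5):.1%}")
    print(f"<= 8 chars:           {share_at_most_length(SAMPLE_DUMP, 8):.1%}")
    print(f"successes per guess:  {accounts_per_guess(SAMPLE_DUMP, 5):.3f}")
    print("block 'Password'?    ", is_blocklisted("Password", SAMPLE_DUMP))
```

Running it on the constructed sample shows five passwords covering nearly half of all accounts, which is the kind of skew that turns a small wordlist into a high success rate per guess.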

He said that it was time for everyone to take password security seriously, stating that it was an important first step in data security.

“For enterprises, password insecurity can have serious consequences,” said Shulman. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy-to-crack passwords like ‘123456’.”

Stephen Howes, CEO of GrIDsure, said: “The findings from this report come as no surprise, as we are regularly being told that if people are given the choice they will tend to choose an easy-to-remember password rather than a so-called ‘strong password’ – in other words they are going for usability over security. So despite all the advice we are given nowadays about choosing strong passwords, it is still clear that we are no better than we were 20 years ago.

“The truth is that people simply find it difficult to remember strong static passwords especially when they are being asked to use different passwords for different accounts, so naturally people will go for an easy option to the detriment of their security. However, you cannot put the blame for this entirely on the end-user, as it is natural for people to try and make life easy for themselves.

“As we've been saying for a long time now, fixed static passwords are well past their sell-by date and are no longer fit for purpose in a world where people are increasingly using them to protect digital identities and information. So this report should be on the desk of every IT manager in the land, because so many people are just not getting the message. What is needed is a solution that is both easy to use and has the strength of ‘one-time’ or dynamic passwords, which are secure from shoulder surfing and eavesdropping and immune to dictionary and brute force attacks.”

