Skip to content
Biz & IT

32 million passwords show most users careless about security

Someone hacked the database that stores RockYou users' passwords, and released …

John Timmer | 60
Story text

We’ve covered this ground before, but never quite on this scale. The best passwords are arbitrary strings that mix letters, digits, and other characters, and are unique to each account. But the human brain isn’t wired to remember arbitrary strings, and the explosion of locations that require a login has only exacerbated the problem. The inevitable result is that various surveys have all indicated that many user accounts are badly insecure.

The latest confirmation of that comes with some pretty significant numbers behind it: 32 million, to be exact. That’s how many passwords were obtained in a recent hack of the RockYou service. The hacker left a file with all the passwords on a public site, and security firm iMPERVA has now analyzed them. The numbers aren’t pretty: about a third are less than six characters, and half are vulnerable to dictionary attacks. The most common password was 123456, and it was followed by 12345, 123456789, and Password. iMPERVA estimates that someone with a slow DSL connection could access one account a second using a dictionary attack.

The one caveat here is that RockYou simply offers widgets for use on social networking sites, so the stakes aren’t obviously that high. By all appearances, the worst thing that could happen if someone got ahold of RockYou login credentials is that they could upload photos to an unsuspecting user’s Facebook account—potentially embarrassing, but not in the same league as banking information.

What iMPERVA doesn’t comment on, but it should be noted, is that RockYou itself seems pretty indifferent to security. Although the site’s security notice about the breach starts by saying, “Our users’ privacy and data security have always been a priority for RockYou,” there’s no way to reconcile that with the fact that the company stored all its user information as plain text in a database that was vulnerable to an SQL injection attack. The company is taking reasonable measures in response to its very public failing, but this is security 101.

Photo of John Timmer
John Timmer Senior Science Editor
John is Ars Technica's science editor. He has a Bachelor of Arts in Biochemistry from Columbia University, and a Ph.D. in Molecular and Cell Biology from the University of California, Berkeley. When physically separated from his keyboard, he tends to seek out a bicycle, or a scenic location for communing with his hiking boots.
60 Comments
Prev story
Next story