One password in 142 is “123456”


In one of the largest studies of password reuse to date, an analysis of more than a billion leaked credentials revealed that one in 142 passwords is the classic string “123456”.

The study, conducted last month by computer engineering student Ata Hakçıl, analyzed the combinations of username and password that leaked online after data theft from various companies.

These “data dumps” have existed for more than half a decade and accumulate as new companies are hacked.

This data is readily available online, on sites like GitHub or GitLab, or freely distributed via hacking forums and file sharing portals.

Over the years, tech companies have collected this stolen data. For example, Google, Microsoft and Apple have collected leaked credentials to create internal alert systems that warn users when they use a “weak” or “common” password.

In addition, the “Have I Been Pwned” online service is also built on this stolen data.

Study results

Last month Ata Hakçıl, a Turkish student studying at a university in Cyprus, downloaded and analyzed more than a billion stolen credentials. The main finding was that the 1,000,000,000+ credentials data set included only 168,919,919 unique passwords, of which more than 7 million were the string “123456”.

This means that one password out of 142 in the sample analyzed by Ata Hakçıl was the weakest password known to date: the string “123456” has been the password most often reused online during each of the last five consecutive years.

The student also discovered that the average length of passwords is generally 9.48 characters. Most security experts recommend using passwords that are as long as possible, and usually between 16 and 24 characters or more.

But the length of the password was not the only problem discovered by Ata Hakçıl. The Turkish researcher said that the complexity of passwords was also an issue, with only 12% of passwords containing a special character.

In most cases, users chose simple passwords using only letters (29%) or only numbers (13%). This means that about 42% of all passwords in the billion-credential data set were vulnerable to dictionary attacks that would allow malicious actors to access accounts effortlessly.

The full results of the study are available on GitHub, with a brief summary below:

  • Of the 1,000,000,000+ entries from data dumps, 257,669,588 were filtered out as corrupted data (in an incorrect format) or test accounts.
  • The 1 billion credentials break down into 168,919,919 unique passwords and 393,386,953 unique user names.
  • The most common password is “123456”. It covers approximately 0.722% of all passwords.
  • The most common 1,000 passwords cover 6.607% of all passwords.
  • The average password length is 9.4822 characters.
  • 12.04% of passwords contain special characters.
  • 28.79% of passwords are composed only of letters.
  • 26.16% of passwords are in lowercase only.
  • 13.37% of passwords are only numbers.
  • 34.41% of all passwords end in numbers, but only 4.522% of all passwords start with numbers.
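
The metrics in this summary can be computed over any credential list a defender is authorized to audit, and the most frequent entries can feed a blocklist like the alert systems mentioned earlier. The following Python sketch is an added example, not code from the study: the sample list is constructed, the function names are hypothetical, and "lowercase only" is assumed to mean lowercase letters with no digits or symbols.

```python
from collections import Counter
import string

# Constructed sample for illustration; not data from the study.
SAMPLE = [
    "123456", "123456", "password", "Summer2020", "qwerty",
    "letmein!", "dragon99", "iloveyou", "000000", "P@ssw0rd",
]
SPECIAL = set(string.punctuation)


def pct(count, total):
    """Percentage rounded to two decimals."""
    return round(100.0 * count / total, 2)


def password_stats(passwords, top_n=1):
    """Return the composition metrics from the study summary for a list."""
    if not passwords:
        raise ValueError("empty password list")
    total = len(passwords)
    counts = Counter(passwords)
    top = counts.most_common(top_n)

    def share(predicate):
        return pct(sum(1 for p in passwords if predicate(p)), total)

    return {
        "unique": len(counts),
        "most_common": top[0][0],
        "top_n_coverage_pct": pct(sum(c for _, c in top), total),
        "avg_length": round(sum(len(p) for p in passwords) / total, 4),
        "special_pct": share(lambda p: any(ch in SPECIAL for ch in p)),
        "letters_only_pct": share(str.isalpha),
        # Assumption: "lowercase only" = letters only, all lowercase.
        "lowercase_only_pct": share(lambda p: p.isalpha() and p.islower()),
        "digits_only_pct": share(str.isdigit),
        "ends_with_digit_pct": share(lambda p: p[-1:].isdigit()),
        "starts_with_digit_pct": share(lambda p: p[:1].isdigit()),
    }


def common_password_blocklist(passwords, top_n):
    """Top-N most frequent passwords, for rejecting them at set time."""
    return {pw for pw, _ in Counter(passwords).most_common(top_n)}


if __name__ == "__main__":
    for name, value in password_stats(SAMPLE).items():
        print(f"{name}: {value}")
```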

Source: ZDNet.com

Source: www.zdnet.fr
