Sony password analysis

The one upside of big data breaches involving passwords is that they give us security pros an understanding of what users are actually doing when they select their passwords. The cynic in me thinks that we can spend time trying to educate employees, family, friends and neighbours into using strong passwords and changing them frequently - and they'll nod and smile and agree it is important...and then go back to using 'abc123' on their Internet banking.
I've blogged before on past analyses of exposed passwords, and now, following the recent Sony breach, Troy Hunt has posted an analysis of 37,000 of the exposed Sony passwords. Does it contain anything groundbreaking? It's a good bit of analysis that pretty much confirms what my inner cynic suspected: half of the passwords had only one character type (90% of those being lowercase only), and 45% of the passwords were numbers only. Only 4% of the passwords analysed were what is commonly considered 'strong'.

One of the nice things Troy did with his analysis was compare the passwords across the different Sony databases that were exposed - a luxury one usually doesn't have when examining breached passwords. For the 2,000 accounts that appeared in more than one database under the same email address, 92% of the passwords were identical. Troy even managed to cross-reference these accounts against the Gawker data breach and found that of the 88 accounts common to both, 67% used the same password.
Oh, and '123456' and 'password' were once again among the top few passwords used.
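As an added example (not part of the original post, and not Troy Hunt's own code), the script below reproduces the two kinds of measurement discussed above on a small credential list: the character-class breakdown of a single dump, and the password reuse rate for accounts that appear in two dumps under the same email address. Both credential lists are constructed for illustration, and the 'strong' threshold used here (at least 8 characters drawing on three or more character classes) is my assumption, since the post doesn't define the term.

```python
"""Password-composition and cross-dump reuse analysis.

Added example, not code from the original post or from Troy Hunt's analysis.
The credential lists below are constructed for illustration, not real breach data.
"""
from collections import Counter

# Constructed sample dumps as (email, password) pairs. Not real data.
SONY_A = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.com", "Tr0ub4dor&3"),
    ("dave@example.com", "abc123"),
    ("erin@example.com", "19851985"),
    ("frank@example.com", "qwerty"),
]
SONY_B = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.com", "Tr0ub4dor&3"),
    ("dave@example.com", "letmein"),
    ("grace@example.com", "Summer2011!"),
]

# Assumed definition of 'strong' (the post does not define it).
STRONG_MIN_LENGTH = 8
STRONG_MIN_CLASSES = 3


def char_classes(pw):
    """Return the set of character classes present in a password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def pct(part, whole):
    """Integer percentage, 0 when there is nothing to divide by."""
    return round(100 * part / whole) if whole else 0


def composition_stats(passwords):
    """Breakdown of a password list by character-class usage."""
    single = [pw for pw in passwords if len(char_classes(pw)) == 1]
    lower_only = [pw for pw in single if char_classes(pw) == {"lower"}]
    digits_only = [pw for pw in passwords if char_classes(pw) == {"digit"}]
    strong = [
        pw for pw in passwords
        if len(pw) >= STRONG_MIN_LENGTH and len(char_classes(pw)) >= STRONG_MIN_CLASSES
    ]
    return {
        "single_class_pct": pct(len(single), len(passwords)),
        # Share of the single-class passwords that are lowercase letters only.
        "single_class_lowercase_pct": pct(len(lower_only), len(single)),
        "numeric_only_pct": pct(len(digits_only), len(passwords)),
        "strong_pct": pct(len(strong), len(passwords)),
    }


def top_passwords(dumps, n=3):
    """Most common passwords across one or more dumps."""
    return Counter(pw for dump in dumps for _, pw in dump).most_common(n)


def reuse_across(dump_a, dump_b):
    """For emails present in both dumps, count them and the share with an identical password."""
    a, b = dict(dump_a), dict(dump_b)
    common = [email for email in a if email in b]
    same = sum(1 for email in common if a[email] == b[email])
    return len(common), pct(same, len(common))


if __name__ == "__main__":
    print("Dump A composition:", composition_stats([pw for _, pw in SONY_A]))
    print("Top passwords across dumps:", top_passwords([SONY_A, SONY_B]))
    common, same_pct = reuse_across(SONY_A, SONY_B)
    print(f"{common} accounts in both dumps; {same_pct}% reuse the same password")
```

On real dump data the interesting step is the `reuse_across` join: it only works when you have two independently leaked databases keyed by the same identifier, which is exactly the luxury the post points out one rarely gets.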

In other Sony-related news - did Sony really sack a bunch of security staff just before the data breach? That adds a new wrinkle to this most newsworthy of all breaches this year. I haven't seen it suggested, but could a disgruntled ex-employee have played a part?
