Guess what? It's happened yet again… people's personal information, this time on Yahoo!, has been captured and disclosed. Nearly half a million users' email addresses and passwords have been published on the Internet for all to see, admire and use however they want.
What does this tell us?
That the people who published these details online are super ninja-like Internet assassins who are proving just how clever they are?
That the company holding the user details in question has such poor security that the hackers could grab this important data?
Well, yes, both of those things and more… it also tells us just how blind Internet users are when it comes to password security.
Of the 442,837 passwords that were published, the top ten passwords were:
With the age-old favorite 'qwerty' (the first six letters on the top-left letter row of a US keyboard, read left to right) coming in at number 11.
The number of numbers is incredible!
Despite their obvious weakness, numeric-only passwords still appear popular and make up nearly 6% of the total, with nearly 25% of those being a run of digits from the keyboard's number row in order from 1 to 0, such as 123456 or 1234.
Over 220 passwords were single digit passwords and over 90% of those were the number zero.
A similar number of six-digit passwords were also 'very' obvious, such as 121212, 111111, 112233, 123123 and the ingenious 123321.
Oh my word!
The majority of passwords were alpha or 'letter-only' passwords, and a good proportion of those were single generic words or people's names.
Many such passwords seem to fall under a variety of themes such as:
Relationships - Iloveyou, luvu4eva, lovers, precious, #1cheater, Ihatemen
Sports - Baseball, basketball, football
Nicknames and names - tigger, babygirl, ginger, booboo
Religion - Jesus1, iloveallah, blessed, 2jehova, all4jesus, blessingsofallah, blessme
Exclamations & expletives - whatever!, F**kyou, A**hole
Advice - trustno1, ingoditrust, no12trust, paymenow
Challenges - Guesswho, guessthis, youllneverguess, 2hard2guess
And it's maybe not surprising that nearly 100 passwords were something to do with James Bond 007.
Our favorites were 1stinkyman and dabiggestfoolinport.
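The categories counted above (numeric-only, keyboard-order runs, patterned six-digit numbers, single digits and letter-only words) are easy to reproduce on any password list you are allowed to audit. The script below is an added example, not NetNames' own analysis tooling; it runs on a small constructed sample rather than the leaked file, so its percentages are illustrative only.

```python
from collections import Counter

KEYBOARD_DIGITS = "1234567890"  # top number row of a US keyboard, left to right

def is_keyboard_sequence(pw: str) -> bool:
    """True for an in-order run taken from the number row, e.g. 1234 or 123456."""
    return pw.isdigit() and len(pw) >= 2 and pw in KEYBOARD_DIGITS

def is_patterned_six_digits(pw: str) -> bool:
    """Six digits built by repetition, pairing or mirroring: 121212, 111111, 112233, 123123, 123321."""
    if not (pw.isdigit() and len(pw) == 6):
        return False
    return (pw == pw[:2] * 3 or pw == pw[:3] * 2 or pw == pw[::-1]
            or all(pw[i] == pw[i + 1] for i in range(0, 6, 2)))

def classify(pw: str) -> str:
    """Assign one password to the categories discussed in the post."""
    if pw.isdigit():
        if len(pw) == 1:
            return "single digit"
        if is_keyboard_sequence(pw):
            return "numeric: keyboard order"
        if is_patterned_six_digits(pw):
            return "numeric: patterned six digits"
        return "numeric: other"
    if pw.isalpha():
        return "alpha only"
    return "mixed"

def audit(passwords):
    """Category counts, share of numeric-only passwords, share of those in keyboard order, top ten."""
    counts = Counter(classify(p) for p in passwords)
    numeric = sum(n for cat, n in counts.items()
                  if cat.startswith("numeric") or cat == "single digit")
    keyboard = counts["numeric: keyboard order"]
    return {
        "counts": counts,
        "numeric_share": numeric / len(passwords),
        "keyboard_share_of_numeric": keyboard / numeric if numeric else 0.0,
        "top10": Counter(passwords).most_common(10),
    }

# Constructed sample list (not data from the leak); duplicates are deliberate so top10 has counts > 1.
SAMPLE = [
    "123456", "password", "123456", "password", "1234", "0",
    "121212", "123321", "112233", "987654", "iloveyou", "baseball",
    "trustno1", "abc123", "whatever!", "tigger", "1234567890", "qwerty", "7", "letmein",
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for category, n in result["counts"].most_common():
        print(f"{category:32s} {n}")
    print(f"numeric-only share: {result['numeric_share']:.1%}")
    print(f"keyboard-order share of numeric: {result['keyboard_share_of_numeric']:.1%}")
```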
Three lessons to be learned
Any security expert will tell you the rules for strong passwords over and over again, ad infinitum, but just because they tell you repeatedly doesn't mean you can ignore them! Here is a radically abridged version:
Mix up letters and numbers
Use a minimum of eight characters
Do not use real words or sequential numbers, e.g. 'password', '1234' or '5678'; but if you must, mix them up, e.g. p1a2s3s4w5o6r7d8.
Note: The leaked password file was used by NetNames solely for the purposes of statistical analysis and was securely deleted following completion of the work.
Please contact email@example.com for further information:
NetNames Head Office - London
241 Borough High Street
London SE1 1GA
Tel: +44 207 015 9200
Fax: +44 207 015 9365
NetNames (http://www.netnames.com/) is part of Group NBT Ltd (http://www.groupnbt.com/). Through its industry leading corporate domain name management, online brand protection, online security, anti-piracy and acquisitions services, the company is responsible for managing and protecting online brands for medium to large organizations, from all types of industries, across the globe.
Following the acquisitions of Ascio Technologies and Envisional in 2007, INDOM (France) in 2010 and Cedel (Sweden) in 2012, NetNames has become one of the world's largest corporate domain name management and online brand protection specialists.
The company is headquartered in London with offices in New York, Cambridge (UK), Copenhagen (Denmark), Malmo (Sweden), Munich (Germany), Nice (France), Oslo (Norway), Paris (France), Stockholm (Sweden) and Zurich (Switzerland).