Bruce Schneier reports about data from a MySpace phishing attack and provides interesting data about passwords, such as
“Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.”
I’m not surprised.
From my own experience, there are two possible schemes at work in todays real world:
- Strong password policies, changing too often, too complex demands (at least 8 chars, two numerals, two special characters, change every 2 weeks): People just write them down.
- Weak policies: people use favourite words and add increasing numbers, if necessary to comply (password01, password02, …)
This is simply not working. We urgently need to move to a system that eliminates the human element, such as SecurID or other token mechanisms.