Password leak reveals that users are still the weak link
The publishing of nearly 10,000 Windows Live Hotmail account passwords online recently sparked a lot of debate, but perhaps the most obvious finding is that the weakest link in the security chain is the users themselves -- being prepared to hand-over their details to a third-party website seemingly without questioning its authenticity. A second list of 20,000 passwords gathered from AOL, Google, Yahoo! accounts and others indicated the extent of the problem.
Much was made of the fact that the most common Hotmail passwords were "123456" and "123456789", hardly the most creative of options. However, together these accounted for less than 1% of the total entries, and web application security specialist Acunetix said that 90% of passwords on the list were unique. It was also noted that the passwords were not authenticated, so some of the "123456" entries may be false, from users aware of the scam deliberately feeding false data into the system.
The average password was eight characters in length, with almost half (42%) being lower case alpha-only passwords - although 30% used a mixture of alpha and numeric characters.
Bearing in mind that these passwords were selected by users without the need to meet corporate requirements, the data actually shows a fair mix of passwords, with different attributes and a high degree of uniqueness. In addition, the lack of awareness of phishing attacks seems to indicate that it was less IT-savvy users who were compromised, and therefore the increased instance of "easy" passwords may be understandable. By adding a few requirements for corporate compliance, such as mandating alphanumeric passwords and lower and upper case use, IT departments can actually be confident of a relatively high degree of security.
But underlined is the fact that users are still unaware of the dangers of phising attempts - the 10,000 plus passwords were gained from customers who willingly handed over their information. (There was some speculation that the information was gathered by a Trojan which logged keystrokes or something similar, but Google, Microsoft and Yahoo! have indicated that they believe phishing was the source.) Corporate IT policies need to reinforce the fact that passwords must not be handed over to anyone, internal or external, to underline the need to keep them secret, and "password sharing" between colleagues must also be prohibited.