(via Schneier on Security)
If you have ever wondered how well brute-force password attack attempts are, you should check out this bit about a password audit at a popular German dating site (which means the article is in German as well – you can babelfish it for a nearly readable translation). Of particular interest is the number out of roughly 100,000 users with 123456 as their password (1375). Almost 850 others tried to be more clever and used the variations 12345, 12345678, or 123456789 as their password. The good news is that roughly 40 percent of the passwords were unique. The bad news is only about 40 percent of the passwords were unique.
Having done password audits in the past, I’ve seen things like this before. One place I worked used a list of about 30,000 common words (typically dictionary words, names, cities, common numeric sequences, etc), common passwords (NCC-1701 from Star Trek, CPE1704TKS from War Games, Schrodinger or Einstein, etc), and variations on those (backwards, add 1234 to the end, add 1 at the front and 2 at the end, etc). Against less than 1000 user accounts, we got almost 100 passwords guessed in about 4 hours. This was 10 years ago. Today, it would take much less time to get those passwords, and probably more would be guessed, because more common words and more variations could be included.
Good security isn’t easy. Good security involving people is even harder. People are easily the weakest link in security systems, and therefore the mostly common vector of attack.
[tags]Computer Security, passwords, Password audits[/tags]