1. password (Unchanged) (Down 6) (Unchanged)14. sunshine (Up 1) (Unchanged)15. master (Down 1) 4. abc123 (Up 1) (Up 4) 5. qwerty (Down 1)17. welcome (New) 6. monkey (Unchanged)18. shadow (Up 1) 7. letmein (Up 1)19. ashley (Down 3) 8. dragon (Up 2)20. football (Up 5) (Up 3)21. jesus (New) 10. baseball (Up 1)22. michael (Up 2) 11. iloveyou (Up 2)23. ninja (New) 12. trustno1 (Down 3)24. mustang (New) 25. password1 (New) compiled from files containing millions of stolen passwords posted online by hackers.
*eight hundred thirty nine quadrillion, two hundred ninety nine trillion, three hundred sixty five billion, eight hundred sixty eight million, three hundred forty thousand, two hundred twenty four
Copyright Pearson Prentice-Hall
15
ItemMean Number of Sites105.7 Number of Unique IDs6.6 Number of Unique passwords4.7 Number of Unique log-in credentials11.8 ID re-use ratio19.1 Password re-use ratio29.2 Log-in credentials re-use10.5 % of used unique log-in credentials45.6%
ItemMean Inclusiveness0.94Use the same log-in credentials Largest component nd largest component (cumulative) 3 rd largest component (cumulative) Vulnerability Index most frequently used log-in combinations use in 81% of sites vs unique log-in credentials VI = expected proportion of sites subject to potential breaches if a breach at one site occurs Larger values of VI indicate higher levels of vulnerability
Basic8Survey Password must have a minimum of 8 characters 18 bits of entropy To link your survey response Basic8 Password must have a minimum of 8 characters To update from breach Basic16 Password must have a minimum of 16 characters 30 bits of entropy To update from breach Dictionary8 Password must have a minimum of 8 characters Password can NOT be a dictionary word 24 bits of entropy To update from breach Comprehensive8 Password must have a minimum of 8 characters Password can NOT be a dictionary word Must have 1 upper, 1 lower, 1 numerical, 1 special character Must not contain a dictionary word 30 bits of entropy To Update from breach
Fixes: Binding Mechanisms Allow a new site/app to remind in the future to update my credentials Secure Defaults I say use a password manger User Friendliness Make credentials easier for humans Face recognition vs character string memorization Incentives Discount for using strong passwords Costs for not – Why are CC companies responsible for your lack of a strong password?
Use Password Manager 1Password Roboform Password Based Key Derivation Function Version 2 (PBKDFV2) Systems using PBKDFV2 Copyright Pearson Prentice-Hall
Copyright Pearson Prentice-Hall
Copyright Pearson Prentice-Hall
39
"There [were] a lot of variations of the word pass and root and also hax was used many times, but if I omit one common 4- letter word, the most frequently used word in this dictionary is hack," Hýža wrote. "It is worth mentioning that many PHP shells I analysed had only default passwords like r57, c99, password or yourpass."