Three more bloggers have weighed in with an analysis of the 62,000 passwords that LulzSec released recently. These three analyses take a look at the structure of the passwords and have some interesting details that I hadn’t seen before.
Aviv Ben-Yosef and Rafe Kettler look at the complexity of the passwords. As you might expect, the results are not encouraging, although the average length is 7.63 characters, which is higher than I would have thought. Here are some startling results from Kettler:
- 43.108% of the passwords were all lower case
- 19.536% of the passwords were all numeric
- 36.914% of the passwords had some mixture of lower case, uppercase, numbers, and symbols (although not necessarily all of those types)
Over at R-bloggers, Colin Gillespie takes a slightly deeper look. He considers only those passwords that would not fall to a simple dictionary attack and investigates their structure. It's fairly intuitive that some characters will be used much more than others, and he drills down on exactly how skewed the distribution is. Among other things, he found that:
- 20 characters (out of 78) cover 25% of the passwords
- 27 characters cover 50% of the passwords
- 31 characters cover 80% of the passwords
As Gillespie dryly remarks, if you're trying to crack passwords, it's clear that a blind brute force over all 78 characters is not the way to go: an attacker who restricts the alphabet to the 31 most common characters shrinks the search space enormously while still covering most of what people actually type. We users can take away a lesson from this too. If you want a password that is hard to crack, it might be worthwhile using the less popular characters, since that pushes it outside the cheap part of the search, though only for as long as the attacker's alphabet stays small; length is still what adds the most work.
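To make the two kinds of measurement above concrete, here is an added example that is not code from any of the three posts. It reproduces Kettler's character-class split and a Gillespie-style cumulative character-frequency count on a small constructed list of passwords (not the LulzSec data). The page does not say whether "N characters cover X% of the passwords" means X% of all character occurrences or X% of passwords built entirely from those characters, so the script computes both, and it finishes with the search-space ratio that makes Gillespie's remark about brute force precise. Every function name here is mine.

```python
from collections import Counter

# Constructed sample (not passwords from the LulzSec dump); replace with any
# list of strings, one password per element, to run the same analysis.
SAMPLE_PASSWORDS = [
    "password", "123456", "letmein", "qwerty1", "Passw0rd!",
    "iloveyou", "000000", "Monkey12", "dragon", "ADMIN",
]


def classify(pw):
    """Bucket a password by the character classes it uses, in the spirit of
    Kettler's all-lower / all-numeric / mixed split."""
    if not pw:
        return "empty"
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if sum((has_lower, has_upper, has_digit, has_symbol)) > 1:
        return "mixed"
    if has_lower:
        return "lower"
    if has_upper:
        return "upper"
    if has_digit:
        return "numeric"
    return "symbol"


def class_percentages(passwords):
    """Percentage of passwords in each class, rounded to three decimals."""
    counts = Counter(classify(pw) for pw in passwords)
    return {cls: round(100.0 * n / len(passwords), 3) for cls, n in counts.items()}


def average_length(passwords):
    return round(sum(len(pw) for pw in passwords) / len(passwords), 2)


def ranked_characters(passwords):
    """(character, count) pairs ordered by how often each character occurs
    across all passwords. Ties are broken by the character itself so the
    ranking is deterministic."""
    freq = Counter(c for pw in passwords for c in pw)
    return sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))


def chars_for_coverage(passwords, percent):
    """Smallest number of top-ranked characters whose occurrences make up at
    least `percent` of all character occurrences. Integer arithmetic keeps
    the boundary case (exactly `percent`) exact."""
    ranked = ranked_characters(passwords)
    total = sum(n for _, n in ranked)
    cumulative = 0
    for k, (_, n) in enumerate(ranked, start=1):
        cumulative += n
        if cumulative * 100 >= percent * total:
            return k
    return len(ranked)


def passwords_within_top(passwords, k):
    """Percentage of passwords built entirely from the k most common
    characters, i.e. what a brute force restricted to that alphabet could
    ever recover."""
    alphabet = {c for c, _ in ranked_characters(passwords)[:k]}
    hit = sum(1 for pw in passwords if set(pw) <= alphabet)
    return round(100.0 * hit / len(passwords), 3)


def search_space_ratio(full_alphabet, reduced_alphabet, length):
    """How many times more candidates a full-alphabet brute force of the given
    length must try compared with one restricted to the common characters."""
    return full_alphabet ** length / reduced_alphabet ** length


if __name__ == "__main__":
    print("average length:", average_length(SAMPLE_PASSWORDS))
    print("class split:", class_percentages(SAMPLE_PASSWORDS))
    distinct = len(ranked_characters(SAMPLE_PASSWORDS))
    for pct in (25, 50, 80):
        k = chars_for_coverage(SAMPLE_PASSWORDS, pct)
        print(f"{k} of {distinct} characters cover {pct}% of occurrences; "
              f"{passwords_within_top(SAMPLE_PASSWORDS, k)}% of passwords use only those")
    print("78^8 / 31^8 =", round(search_space_ratio(78, 31, 8)))
```

On the sample, 19 of the 33 distinct characters account for 80% of character occurrences, yet only one password in ten is spelled entirely with those 19, so the two readings of "cover" give very different numbers and are worth keeping apart when quoting such figures. The last line shows why the restricted alphabet matters to an attacker: at length 8, 78 characters give roughly 1,600 times as many candidates as 31.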
There are lots of other interesting results in these posts so if you’re interested in this sort of thing you should take a look.