Why would a black hat bother attacking encryption when passwords can be stolen as plain text? Key loggers sidestep encryption entirely: they capture the password as it is typed, before any cipher ever touches it. Trustwave's December 3rd write-up of the Pony Botnet's key logger brings this to light once again.
But a trove of two million captured passwords also lets us see how good people's passwords actually are, and (perhaps unsurprisingly) the results are abysmal.
Almost 25% of the captured passwords use only one kind of character (only digits, only uppercase letters, or only lowercase letters) and are also short to very short (9 characters or fewer). Key logger or not, these passwords are very, very bad: a single character class at that length leaves a tiny search space for a brute-force or dictionary attack. In fact, only 5% of the passwords can be considered good, meaning they mix several character types at sufficient length.
Are people getting better over time? The numbers point the other way. Trustwave SpiderLabs compared this trove with a similar set of passwords captured in 2006: back then the ten most common passwords accounted for 0.9% of the total, while today the top ten account for 2.4%. More users are sharing the same handful of weak passwords, which makes a guessing attack with a short candidate list more productive, not less.
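The two measurements above, the share of single-class short passwords versus "good" ones and the share of the dump covered by its top ten, are easy to reproduce on any plaintext credential dump. The script below is an added example written for this post; it is not code from SpiderLabs or from the Pony analysis. The dump it reads is a constructed sample in the common account:password layout, and the thresholds for "good" (at least 3 character classes and at least 10 characters) are assumptions standing in for the post's "several types of characters and sufficient length"; the "bad" rule (one class, 9 characters or fewer) is the post's own.

```python
"""Rate a plaintext credential dump the way the post describes: bucket each
password by how many character classes it mixes and how long it is, then
measure how concentrated the dump is in its most common passwords."""
from collections import Counter
import string

# Constructed sample in the common "account:password" dump layout. These are
# made-up entries for illustration, not records from the Pony Botnet trove.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:123456
carol@example.com:password
dave@example.com:password
erin@example.com:123456
frank@example.com:qwerty
grace@example.com:Passw0rd!
heidi@example.com:correct:horse:battery
ivan@example.com:Tr0ub4dor&3
judy@example.com:ABCDEFG
mallory@example.com:abc123
niaj@example.com:S3cure#Key2013
olivia@example.com:1234567890
peggy@example.com:letmein
"""

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# The "bad" rule is the post's own (one class, 9 characters or less). The
# "good" thresholds are assumptions for this example; the post only says
# "several types of characters and sufficient length".
SHORT_MAX_LEN = 9
GOOD_MIN_LEN = 10       # assumed
GOOD_MIN_CLASSES = 3    # assumed


def parse_dump(text):
    """Return the password column of an account:password dump.

    Splits on the first ':' only, so a password that itself contains ':'
    survives intact. Lines without a separator are skipped.
    """
    passwords = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, password = line.split(":", 1)
        passwords.append(password)
    return passwords


def char_classes(password):
    """Set of character-class names present in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def rate(password):
    """Bucket a password as 'bad', 'good' or 'medium'."""
    n_classes = len(char_classes(password))
    if n_classes <= 1 and len(password) <= SHORT_MAX_LEN:
        return "bad"
    if n_classes >= GOOD_MIN_CLASSES and len(password) >= GOOD_MIN_LEN:
        return "good"
    return "medium"


def bucket_shares(passwords):
    """Fraction of the dump that falls in each bucket."""
    if not passwords:
        return {"bad": 0.0, "medium": 0.0, "good": 0.0}
    counts = Counter(rate(p) for p in passwords)
    return {bucket: counts[bucket] / len(passwords)
            for bucket in ("bad", "medium", "good")}


def top_n_share(passwords, n=10):
    """The n most common passwords and the fraction of the dump they cover."""
    top = Counter(passwords).most_common(n)
    return top, sum(count for _, count in top) / len(passwords)


if __name__ == "__main__":
    pws = parse_dump(SAMPLE_DUMP)
    for bucket, share in bucket_shares(pws).items():
        print(f"{bucket:>6}: {share:6.1%}")
    top, share = top_n_share(pws, n=2)
    print(f"top 2 cover {share:.1%}: {top}")
```

Two details matter on a real dump: split the line on the first separator only, since passwords frequently contain the separator character, and keep the length and class rules independent, so that a ten-digit PIN is not counted as "bad" under the post's definition even though it is still single-class. Non-ASCII characters fall into no class here; a stricter rater would add a fifth class for them.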
So, which are those top ten passwords? The attached list, from SpiderLabs, is here for reference:
For the original article with all the details, click this link to SpiderLabs.