A researcher has published the results of one of the largest studies on password reuse to date, based on an analysis of a billion leaked credentials. According to the study, one in every 142 passwords examined is the classic “123456”.
Another number also shows how many users reuse passwords: the data set of one billion credentials contained fewer than 169 million different passwords. These in turn belonged to just over 393 million different usernames.
Of these, 7 million passwords were the string “123456”, which is considered one of the weakest passwords. It is the most reused password for the fifth time in a row. The thousand most frequently used passwords account for 6.6 percent of all passwords examined.
The data was analyzed by Ata Hakçıl from Orta Doğu Teknik Üniversitesi in Ankara. He also found that the average password length is 9.48 characters, which often exceeds the minimum requirements. However, security experts usually recommend 16 to 24 characters for a secure password.
According to the study, however, the lack of password complexity is the greater concern. Only 12 percent of the strings examined contained at least one special character. 29 percent of the passwords consisted only of letters, 13 percent only of numbers. This means that 42 percent were susceptible to so-called dictionary attacks, in which passwords are guessed using pre-made lists. The effort for such attacks is very low, so with such passwords the question is not whether they can be cracked, but only when.
Another detail that can make it easier to crack passwords: 34.41 percent of all passwords end with a number. But only 4.5 percent of all passwords start with a number.
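The figures above can be reproduced on any password list you are authorized to audit, for example to check whether a password policy is producing the same weak patterns. The following Python sketch is an added example, not code from the study; the sample list is constructed, and counting every non-alphanumeric character as "special" is an assumption.

```python
from collections import Counter

# Constructed sample corpus for illustration (not data from the study).
SAMPLE = [
    "123456", "123456", "password", "qwerty", "letmein1",
    "Summer2020", "9lives", "p@ssw0rd", "123456", "iloveyou",
]

def composition_stats(passwords, top_n=1):
    """Return the corpus metrics the article reports, as fractions of all entries."""
    total = len(passwords)
    if total == 0:
        raise ValueError("empty corpus")
    counts = Counter(passwords)

    def share(pred):
        # Empty strings match no class; they still count toward the total.
        return sum(1 for p in passwords if p and pred(p)) / total

    return {
        "total": total,
        # Few unique values relative to the total indicates heavy reuse.
        "unique": len(counts),
        # Share of all entries covered by the top_n most common passwords.
        "top_share": sum(c for _, c in counts.most_common(top_n)) / total,
        "avg_length": sum(len(p) for p in passwords) / total,
        "letters_only": share(str.isalpha),
        "digits_only": share(str.isdigit),
        # The article adds letters-only and digits-only to get its
        # dictionary-attack figure; the same union is computed here.
        "dictionary_prone": share(lambda p: p.isalpha() or p.isdigit()),
        # Assumption: "special" means any non-alphanumeric character.
        "has_special": share(lambda p: any(not ch.isalnum() for ch in p)),
        "ends_with_digit": share(lambda p: p[-1].isdigit()),
        "starts_with_digit": share(lambda p: p[0].isdigit()),
    }

if __name__ == "__main__":
    for name, value in composition_stats(SAMPLE).items():
        print(f"{name:18} {value}")
```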
Meanwhile, experts, and since the beginning of the year also the Federal Office for Information Security, have dropped one requirement for secure passwords: changing passwords regularly. According to other studies, changing passwords frequently may lead users to choose an insecure password because they find it difficult to remember complex passwords.