In 2011, over 37,000 users of Sony Pictures and Sony Music were hacked. The alleged perpetrators, LulzSec, published their theft results as a public torrent. Troy Hunt is a software architect who analyzed those hacked accounts, in addition to the December 2010 hack of Gawker Media (where 188,000 accounts were also hacked and published online). Here is a summary of Troy Hunt's findings:
For the Sony Pictures and Sony Music hacks, another sad trend appeared: people would reuse their same password for both accounts. While this habit is convenient for the user, it also means that one account breach translates into multiple account breaches.
If you use the same password and email address for your Gmail, PayPal, online bank account, eBay, and your personal blog, you are inviting hackers to help themselves to your private life.
This is a disturbing trend of poor computer hygiene. 99% of the hacked users at Sony used alphanumeric-only characters for their passwords. That means that 99% of people's passwords look like this:
Alphanumeric-only choices make for poor passwords because they are easily guessed by automated cracking software. These programs, often called "dictionaries" or "brute-force tools", quickly recombine common English words and numbers to defeat your password through repeated guessing. The simpler your password, the more quickly a dictionary tool can guess it, often within just a few minutes.
Related: see an example hacker dictionary here.
Yes, believe it or not, Troy Hunt discovered patterns in the hacked accounts of the 37,000 Sony users. While most people did use random words, over 60% of the users' passwords were still found in hacker dictionaries, meaning that most people chose passwords that are very easy to crack.
Troy's findings also showed that the most common passwords at Sony included:
Again: the trend here is that very few people actually use non-alphanumeric characters (e.g. ! % ^ @ # $ [ + ), which makes their uninspired passwords even easier to crack.
Related: see the top passwords used at Gawker Media, 2010
In Troy Hunt's analysis, the bulk of Sony's users have 6-character, 7-character, or 8-character passwords. The next most common are 9- and 10-character passwords. Very few people use 5 or fewer, and even fewer people use 12 or more.
As you might expect, shorter passwords are easier for hackers to guess. While it's overkill to create a 20-character password for your email, 8 characters or more is highly recommended to discourage most hackers.
People are lazy with their passwords: they don't make the effort to use special characters like ! % ^ @ # $ [ +. People use uninventive and predictable words like "password" and "purple", and proper nouns like "bailey" or "ashley". To make it even worse: most people use the same predictable passwords for their multiple accounts.
All of these patterns make a hacker's job easier. The simpler your passwords, the more likely you will have your bank account cleaned out.
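To make the three habits above concrete, here is an added example (not part of the article or Troy Hunt's analysis) of the kind of check a site could run when a user picks a password: it flags passwords that are shorter than 8 characters, alphanumeric-only, or a dictionary word padded with a few digits or symbols, and estimates how large the guessing space is. The word list is a constructed stand-in containing only the words the article names.

```python
import math
import re
import string

# Constructed stand-in for the word lists the article describes; real lists
# hold millions of entries, these are just the words the article names.
COMMON_WORDS = {"password", "purple", "bailey", "ashley"}

# Alphabet size contributed by each character class a password draws from.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def char_class(ch: str) -> str:
    """Classify one character into one of the four classes above."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    return "digit" if ch.isdigit() else "symbol"


def search_space_bits(pw: str) -> float:
    """log2 of the guesses exhaustive search needs for this length and alphabet."""
    if not pw:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in {char_class(ch) for ch in pw})
    return len(pw) * math.log2(alphabet)


def dictionary_base(pw: str, words=COMMON_WORDS):
    """Return the dictionary word a password is built on, ignoring case and up to
    four leading/trailing digits or symbols (the 'word + number' pattern the
    article says dictionary tools recombine), or None if the core is not listed."""
    m = re.fullmatch(r"[^a-z]{0,4}([a-z]+)[^a-z]{0,4}", pw.lower())
    return m.group(1) if m and m.group(1) in words else None


def assess(pw: str) -> dict:
    """Flag the habits the article calls out: short, alphanumeric-only, dictionary-based."""
    base = dictionary_base(pw)
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.isalnum():
        problems.append("alphanumeric only")
    if base:
        problems.append(f"built on dictionary word '{base}'")
    return {"length": len(pw), "bits": round(search_space_bits(pw), 1),
            "alphanumeric_only": pw.isalnum(), "dictionary_base": base, "problems": problems}
```

For "purple1" the estimate is about 36 bits (seven characters from a 36-symbol alphabet) and all three flags fire; an 8-character password mixing all four classes such as "k7#Qm!2v" scores over 52 bits and raises none.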
It is not that difficult to create a complex password that resists hacker dictionary attacks. Let the hackers break into someone else's stuff... keep your own accounts safe by following a few simple password tips here...