Password1 21 Dec 2006
Bruce Schneier examines around 100,000 actual MySpace passwords (gleaned from a phishing scam) and concludes that real-world passwords are getting better. The most popular password is no longer "password"; it's now the much more secure "password1"!
Schneier concludes that passwords have finally outlived their usefulness as a security device. User experience experts have long known about users' fondness for weak passwords like the above, but the technology available to unscrupulous parties has traditionally been too slow (and not intelligent enough) to crack them efficiently. This is no longer the case, however:
"Current commercial products can test tens - even hundreds - of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize. Those lines crossed years ago, and typical real-world passwords are now software-guessable. AccessData's Password Recovery Toolkit - at 200,000 guesses per second - would have been able to crack 23 percent of the MySpace passwords in 30 minutes, 55 percent in 8 hours."
[via Daring Fireball]