«God sex love and secret» or statistics on the use of passwords in social networks
16 March 2011, 13:33
Users do not like to make an effort, and many developers put up with it. Recall the last ten sites you registered on: how many of them checked your password for complexity? Whatever security measures the creators of a system come up with, they can be rendered meaningless if the user makes the attacker's job easier.

This article presents the results of analysing about 100,000 passwords. I hope many Habr readers will find the analysis interesting and useful.

A little digression

No, we do not store passwords in clear text. The statistics were obtained during an experiment on one social network, through anonymous data collection, and, alas, I can neither publish the resulting dictionary nor name the network.

What was checked

Every password was checked for the presence of digits, special characters and upper-case letters, and for resistance to dictionary cracking using cracklib.

Data

Length distribution

The shortest password is 1 character, the longest is 63 characters.

(histogram of password lengths)

Beyond 15 characters the counts are negligible.

Complex and simple passwords

After running cracklib, 35.5% of the passwords turned out to be easily crackable.



Presence of special characters, digits and letters

Special characters: 3%
Digits only: 33%
Letters only: 24.7%
Letters and digits: 39.3%


Letter case

91.5% lower case only
3% upper case only
5.5% mixed case
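How the character-class and case buckets above (and the length histogram) can be computed from a raw password list, as an added example in Python. This is not the article's own script: the article used cracklib for the weakness check, which is not reproduced here, and the sample passwords are constructed. Two bucketing rules are assumptions made so that the four character-class buckets sum to 100% and digits-only passwords fall into "lower case", as the article's percentages require.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import Callable

# Constructed sample standing in for the ~100,000-password dump the article analysed.
SAMPLE_PASSWORDS = [
    "1234567", "123456", "password", "qwerty", "Qwerty12", "P@ssw0rd",
    "1111111", "letmein", "abc123", "ADMIN", "s3cret!", "hello",
]


def char_class(pw: str) -> str:
    """Bucket a password into the four character-set classes the article reports.

    Assumption: any non-alphanumeric character puts the password in 'special',
    so the four buckets are disjoint and sum to 100%.
    """
    if re.search(r"[^A-Za-z0-9]", pw):
        return "special"
    if pw.isdigit():
        return "digits_only"
    if pw.isalpha():
        return "letters_only"
    return "letters_digits"


def case_class(pw: str) -> str:
    """'lower', 'upper' or 'mixed', judged on the letters present.

    Assumption: a password with no letters (digits only) counts as 'lower';
    that is the only way the article's 91.5% lower-case figure can contain
    its 33% digits-only passwords.
    """
    letters = [c for c in pw if c.isalpha()]
    if not letters or all(c.islower() for c in letters):
        return "lower"
    if all(c.isupper() for c in letters):
        return "upper"
    return "mixed"


def distribution(passwords: list[str], bucket: Callable[[str], str]) -> dict[str, float]:
    """Percentage of passwords per bucket, rounded to one decimal place."""
    counts = Counter(bucket(pw) for pw in passwords)
    total = len(passwords)
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}


def length_histogram(passwords: list[str]) -> dict[int, int]:
    """Number of passwords of each length, in ascending length order."""
    return dict(sorted(Counter(len(pw) for pw in passwords).items()))


if __name__ == "__main__":
    print("character classes:", distribution(SAMPLE_PASSWORDS, char_class))
    print("letter case:", distribution(SAMPLE_PASSWORDS, case_class))
    print("lengths:", length_histogram(SAMPLE_PASSWORDS))
```

Feed `distribution` the full dump instead of the sample and the output is the same four-way and three-way split the article reports; anything that is not pure ASCII letters and digits lands in "special", so a dump with non-Latin passwords would inflate that bucket relative to the article's 3%.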



The most popular passwords


What can this mean in reality

Suppose an attacker has a dictionary of the 5 most common passwords and tries it against every account on your service. The top 5 passwords give a 2.9% chance of success within 5 attempts per account, and for a service with 10,000 users (a small startup) that is 290 people. Needless to say, those people immediately lose their ICQ and their email as well...



If you take all the common passwords (those occurring more than 5 times), of which there are only 381, they give access to ~9.2% of accounts. Think about it: almost 10% of your users can be broken into with a tiny dictionary of fewer than 400 passwords.
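The arithmetic behind both estimates above, as an added example in Python (not the article's own code): building the frequency table from a dump, selecting the entries seen more than 5 times, and computing what share of accounts a top-N dictionary opens when each entry is tried once per account. The top-five counts are the article's; the raw dump is constructed.

```python
from __future__ import annotations

from collections import Counter

# The article's real top five, hits out of roughly 100,000 passwords.
ARTICLE_TOP5 = [("1234567", 1145), ("123456", 871), ("7777777", 332),
                ("password", 303), ("12345", 292)]
ARTICLE_TOTAL = 100_000

# Constructed raw dump, only to show how the frequency table is built.
SAMPLE_DUMP = (["123456"] * 8 + ["password"] * 6 + ["qwerty"] * 4
               + ["hunter2"] + ["correcthorse"])


def frequency_table(passwords: list[str]) -> list[tuple[str, int]]:
    """(password, occurrences), most common first."""
    return Counter(passwords).most_common()


def common_passwords(passwords: list[str], more_than: int = 5) -> list[tuple[str, int]]:
    """Entries seen more than `more_than` times: the article's 381-entry dictionary."""
    return [(pw, n) for pw, n in frequency_table(passwords) if n > more_than]


def coverage(table: list[tuple[str, int]], total: int, n: int | None = None) -> float:
    """Fraction of accounts opened by trying the n most common passwords once
    each against every account (the attack the article describes).
    n=None uses the whole table."""
    rows = sorted(table, key=lambda row: row[1], reverse=True)
    if n is not None:
        rows = rows[:n]
    return sum(count for _, count in rows) / total


def expected_compromised(table: list[tuple[str, int]], total: int,
                         n: int | None, users: int) -> int:
    """Expected number of accounts opened on a service with `users` accounts,
    assuming its users pick passwords like the sampled population."""
    return round(coverage(table, total, n) * users)


if __name__ == "__main__":
    print("top-5 coverage:", coverage(ARTICLE_TOP5, ARTICLE_TOTAL, 5))
    print("accounts at 10,000 users:",
          expected_compromised(ARTICLE_TOP5, ARTICLE_TOTAL, 5, 10_000))
    print("common entries in sample dump:", common_passwords(SAMPLE_DUMP))
```

The exact top-five coverage is 2943/100,000 = 2.943%, so the article's "290" comes from rounding to 2.9% first; the unrounded figure is 294 accounts. Note the attack makes only 5 login attempts per account, which is why the article's lockout advice below is framed per account rather than per source address.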



Top 10 passwords

Alas, the juiciest variants, the ones voiced in the famous film, are not here. Everything is trivial and will not surprise most Habr readers.

Password (number of occurrences):

  • 1234567 (1145)
  • 123456 (871)
  • 7777777 (332)
  • password (303)
  • 12345 (292)
  • 1111111 (278)
  • 123456789 (261)
  • qwerty (221)
  • 111111 (216)
  • 1234 (179)




Conclusions

Users are idiots.
There is no getting around password complexity checks. A minimum set of rules, fixing the password length and requiring letters and digits together as well as mixed case, must be implemented in every registration form (better still, generate the password for the user). The login form should have a threshold after which the user is not allowed further attempts without entering a CAPTCHA (a very, very hard CAPTCHA). My advice: limit it to three attempts. It is also a good idea to keep a counter of failed attempts in the profile, so that a delay between login attempts can later be introduced for each account separately. Bear in mind that this lets someone DoS a user so that they cannot log in, but a state of unavailability is far better than a state of leaked personal data.
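The registration-time policy and the per-account lockout described above, as an added example in Python (not the article's code). The three free attempts are the article's recommendation; the minimum length of 8, the doubling delay after the threshold and the use of the article's own top-10 list as a blacklist are assumptions. The user store and `now` timestamps are constructed so the example runs offline.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8            # assumption: the article gives no number
FREE_ATTEMPTS = 3         # the article's advice
BASE_DELAY_SECONDS = 1.0  # assumption: doubles on each further failure

# The article's top-10 list doubles as a minimal blacklist.
BLACKLIST = {"1234567", "123456", "7777777", "password", "12345",
             "1111111", "123456789", "qwerty", "111111", "1234"}


def check_policy(pw: str) -> list[str]:
    """Return the rules a new password violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("not mixed case")
    if pw.lower() in BLACKLIST:
        problems.append("in the common-password list")
    return problems


def hash_password(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for storage (the article never stores plaintext)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


@dataclass
class LoginGuard:
    """Per-account failure counter: after FREE_ATTEMPTS failures a CAPTCHA is
    required and every further failure doubles the wait before the next try."""
    failures: dict[str, tuple[int, float]] = field(default_factory=dict)

    def _state(self, user: str) -> tuple[int, float]:
        return self.failures.get(user, (0, 0.0))  # (count, time of last failure)

    def requires_captcha(self, user: str) -> bool:
        return self._state(user)[0] >= FREE_ATTEMPTS

    def delay_for(self, user: str) -> float:
        over = self._state(user)[0] - FREE_ATTEMPTS
        return 0.0 if over < 0 else BASE_DELAY_SECONDS * 2 ** over

    def may_attempt(self, user: str, now: float) -> bool:
        _, last = self._state(user)
        return now - last >= self.delay_for(user)

    def record_failure(self, user: str, now: float) -> None:
        count, _ = self._state(user)
        self.failures[user] = (count + 1, now)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def login(guard: LoginGuard, users: dict[str, tuple[bytes, bytes]], user: str,
          pw: str, captcha_ok: bool, now: float) -> str:
    """Outcome: 'ok', 'delayed', 'captcha_required' or 'bad_credentials'."""
    if not guard.may_attempt(user, now):
        return "delayed"
    if guard.requires_captcha(user) and not captcha_ok:
        return "captcha_required"
    record = users.get(user)
    # Hash even for unknown users so a missing account is not visible by timing.
    salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
    _, candidate = hash_password(pw, salt)
    if record and hmac.compare_digest(candidate, stored):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user, now)
    return "bad_credentials"


# Constructed user store with one account.
USERS = {"alice": hash_password("Xk9!pLm2")}

if __name__ == "__main__":
    print(check_policy("1234567"))
    g = LoginGuard()
    for t in (0.0, 1.0, 2.0):
        print(login(g, USERS, "alice", "guess", False, t))
    print(login(g, USERS, "alice", "Xk9!pLm2", False, 3.0))  # captcha_required
    print(login(g, USERS, "alice", "Xk9!pLm2", True, 3.0))   # ok
```

Because the counter is keyed by account rather than by client address, the 5-attempts-per-account spray from the previous section hits the CAPTCHA on the fourth try no matter how many addresses the attacker spreads it over; the price, as the article notes, is that anyone can force the CAPTCHA and the delay onto a victim's account.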

I hope this information helps you make your services better and safer.
Added by: w1zard