But you work with what you've got.
Customers don't generally get to choose what authentication a given product or service offers. Sometimes, they don't even get to choose their own password. But if they do, how well do they choose?
Despite all the Irish jokes that were a staple of politically incorrect entertainment a few decades ago, a recent survey carried out by Amárach on behalf of ESET Ireland indicates that IT users in Ireland are actually a little smarter in this context than the global average. At any rate, 38 percent of the thousand people sampled use an alphanumeric string for their passwords, though only 10 percent use a combination of mixed-case letters, numbers and punctuation. A further 10 percent use mixed-case letters and numbers. (Again, the service provider often doesn't support all these possibilities, and may limit the length of a password or passphrase.) Demographic factors apart, that does seem to indicate an encouraging move away from the top five passwords stolen in last year's attacks on Gawker sites:
- 123456
- password
- 12345678
- lifehack
- qwerty
Or from the top ten exposed in the earlier attack on RockYou.com users, as analyzed by Imperva:
- 123456
- 12345
- 123456789
- Password
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
By comparison, even a short password like “fjR8n” sounds pretty good. Though, in fact, I've just abstracted that one from a blog on GPU Password Cracking – Bruteforceing a Windows Password Using a Graphic Card, which illustrated how the author, Vijay Devakumar, cracked that one in 24 seconds using Cain and Abel, and in less than one second using ighashgpu, each time in combination with a graphics card. Don't panic: those operations depended on already having the password's NTLM hash, as used for login passwords in modern versions of Windows, so your eight-character banking password didn't just become 18.5 hours away from cracking by LulzSec. In fact, no rational service lets you brute-force it by throwing guesses at it at a rate of 3.334 billion passwords per second: it probably stops you after the third try. Still, if you thought that this kind of processing performance relied on access to NSA mainframes, think again.
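To put numbers on the two points above (the leaked top-password lists, and the offline GPU guess rate), here is an added example in the spirit of a simple password-policy check. It is not code from the original post or from ESET: it takes the 3.334 billion guesses per second figure and the Gawker and RockYou lists from the text, and everything else (the function names, the character classes used to approximate the survey categories, the one-year threshold) is an illustrative assumption. The calculation is the keyspace of the smallest standard alphabet a password draws on, divided by the quoted rate; it shows why "fjR8n" falls in well under a second, why an eight-character mixed-case alphanumeric password lasts roughly the 18 hours the post mentions, and why anything on a leaked list is gone regardless of its length.

```python
"""Added example, not from the original post: keyspace and time-to-exhaust
at the GPU rate quoted in the text, plus a blocklist built from the leaked
top-password lists quoted in the text. Rate and lists come from the post;
function names, class model and the policy threshold are illustrative."""
import string

# Guess rate the post quotes for an NTLM hash on a graphics card.
GPU_GUESSES_PER_SECOND = 3.334e9

# Top passwords from the Gawker and RockYou breaches, as listed in the post.
# A real blocklist would be far larger; this is the minimum the text supports.
LEAKED_TOP_PASSWORDS = frozenset(p.lower() for p in [
    "123456", "password", "12345678", "lifehack", "qwerty",
    "12345", "123456789", "iloveyou", "princess", "rockyou",
    "1234567", "abc123",
])

# Character classes approximating the survey categories in the post
# (alphanumeric; mixed case plus digits; mixed case, digits and punctuation).
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "punctuation": string.punctuation,
}


def alphabet_size(password: str) -> int:
    """Size of the smallest combination of standard classes covering every
    character. This is the defender's optimistic view: an attacker who knows
    the classes in use searches only this alphabet, and real passwords are
    weaker still because of dictionary words and keyboard patterns."""
    size = sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))
    # Characters outside the four classes (e.g. non-ASCII) each count once.
    extra = {c for c in password
             if not any(c in chars for chars in CHARSETS.values())}
    return size + len(extra)


def keyspace(password: str) -> int:
    """Number of strings of this length over the inferred alphabet."""
    return alphabet_size(password) ** len(password)


def hours_to_exhaust(password: str,
                     rate: float = GPU_GUESSES_PER_SECOND) -> float:
    """Worst-case hours to try the whole keyspace at the given offline rate.
    Online guessing is not modelled: the post notes a service locks you out
    after a handful of tries, so this only applies once a hash has leaked."""
    return keyspace(password) / rate / 3600


def check_password(password: str, min_hours: float = 24 * 365) -> dict:
    """Verdict of a simple policy: reject leaked passwords outright, then
    require the keyspace to outlast the quoted rate for `min_hours`
    (one year here, an illustrative threshold)."""
    if password.lower() in LEAKED_TOP_PASSWORDS:
        return {"ok": False, "hours_offline": 0.0,
                "reason": "appears on a leaked top-passwords list"}
    hours = hours_to_exhaust(password)
    if hours >= min_hours:
        reason = "keyspace outlasts the quoted GPU rate for the required time"
    else:
        reason = f"exhaustible in about {hours:.1f} hours at the quoted GPU rate"
    return {"ok": hours >= min_hours, "hours_offline": hours, "reason": reason}


if __name__ == "__main__":
    # Constructed sample inputs, one per survey category plus a leaked one.
    for pw in ["Password", "fjR8n", "abcdefgh", "abcd1234",
               "Abcd1234", "Ab1!Cd2@", "Zq7!mN2#pL9v"]:
        v = check_password(pw)
        print(f"{pw:14} alphabet={alphabet_size(pw):3} "
              f"hours={v['hours_offline']:14.4f} ok={v['ok']!s:5} {v['reason']}")
```

Run as a script it prints one line per sample; the interesting comparison is between "abcd1234" and "Ab1!Cd2@", which have the same length but differ by a factor of several hundred in hours, and between either of those and "Password", which the blocklist rejects before any arithmetic happens.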
Tip of the hat to Urban Schrott for the ESET Ireland survey, to Rick Broida for the naff password list links, and to Paul Ferguson, Valdis Kletnieks et al for discussion on the Funsec GPU thread.