Despite repeated reminders to select strong passwords and not to reuse them across Websites and services, online users continue to be frighteningly lax in their password security, according to a recent analysis of leaked passwords.
Software architect and security researcher Troy Hunt analyzed the torrent of files released by LulzSec shortly after the group hacked Sony Pictures and Sony BMG Music, as well as the password lists that another hacker group, Gnosis, leaked in December after hacking Gawker’s commenting database. According to Hunt’s analysis, 88 people appeared in both data sets with the same email address, and 67 percent of them used the same password.
Admittedly, 88 people is a very small number, considering there were 37,608 accounts in the Sony files and more than 188,000 accounts from Gawker. However, the two sites are fairly independent in terms of the kinds of users they attract, Hunt noted. For skeptics who may not consider this significant, Hunt identified “well over” 2,000 users who had accounts with both Sony Pictures and Sony BMG under the same email address. Hunt found that 92 percent of those users had the same password across both accounts.
Based on these findings, it’s reasonable to assume many of these user-name or email and password combinations could turn out to be the “key” to the same users’ other accounts at Gmail, eBay and Facebook. “There’s a statistically good chance that the majority of them will work with other Websites,” Hunt said.
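The kind of cross-breach comparison Hunt describes, joining two leaked account lists on email address and measuring how often the password matches, can be reproduced on any two dumps a defender is assessing. The code below is an added example, not Hunt’s tooling or the real Sony or Gawker data; the two dictionaries are constructed samples, both dumps are assumed to hold plaintext passwords, and the Wilson interval is included to quantify how much a small overlap (such as 88 shared accounts) actually tells you.

```python
import math

# Constructed sample dumps (NOT the real Sony/Gawker data): email -> plaintext password.
SONY_PICTURES = {
    "alice@example.com": "sunshine1",
    "Bob@Example.com": "letmein",          # mixed-case email, must still join
    "carol@example.com": "qwerty123",
    "dave@example.com": "Tr0ub4dor&3",
    "erin@example.com": "password",
}
GAWKER = {
    "alice@example.com": "sunshine1",      # same password on both sites
    "bob@example.com": "letmein",          # same password, email case differs
    "carol@example.com": "different!",     # shared user, different password
    "frank@example.com": "football",       # not present in the other dump
}


def normalize(dump):
    """Lower-case and strip e-mail keys so the join does not miss case variants."""
    return {email.strip().lower(): pw for email, pw in dump.items()}


def reuse_stats(dump_a, dump_b):
    """Join two dumps on e-mail and count shared users who reuse a password.

    Returns (shared_accounts, reused_count, reuse_fraction)."""
    a, b = normalize(dump_a), normalize(dump_b)
    shared = a.keys() & b.keys()
    reused = sum(1 for email in shared if a[email] == b[email])
    fraction = reused / len(shared) if shared else 0.0
    return len(shared), reused, fraction


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a reuse rate; honest about small overlaps."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


if __name__ == "__main__":
    shared, reused, frac = reuse_stats(SONY_PICTURES, GAWKER)
    print(f"shared={shared} reused={reused} rate={frac:.0%}")
    # The article's 88-account overlap at 67% reuse, as an interval on the true rate:
    print("95% interval for 59/88:", wilson_interval(59, 88))
```

On the constructed data the join finds three shared users, two of whom reuse a password; for the article's 59-of-88 figure the interval runs from roughly 57 to 76 percent, which is why the larger same-owner Sony overlap is the more convincing number.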
Most people either don’t care or are happily oblivious to the risks of credential re-use.
During new account registration, a strong web-app could probe other sites and services to see if those credentials are being used at, for instance, Hotmail, Gmail, Facebook, and so on, and reject re-used credentials.
And then encrypt the heck out of anything it does keep and store.