How good are our passwords?
Wired News (which I read assiduously) recently ran an interesting article in its “Security Matters” section on an analysis of MySpace account passwords (“MySpace Passwords Aren’t So Dumb”). It makes for a good read, so check it out. While you are at it, check whether your own password falls into its list of “most common passwords”. Particularly interesting to me was the following statement:
Another password study in November looked at 200 corporate employee passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.
Makes you think, doesn’t it? Why is it that corporate passwords are easier than the passwords teens are using to protect their MySpace accounts? Does it point to the perceived value of these accounts to their owners, the lack of a sense of ownership, or the same old issue of “too many passwords”?
It would be interesting to see if there is a similar study on the complexity of SSO passwords. Let me know if you happen to come across one.
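As an added illustration (not code from this post or from the Wired article), here is a small Python audit that buckets a constructed sample of passwords the way the quoted study does (letters only, alphanumeric, non-alphanumeric), reports the same percentages and average length, and adds a rough search-space estimate in bits so the three classes can be compared on what they actually buy in resistance to guessing. The sample list and the 33-symbol count for printable ASCII punctuation are my assumptions.

```python
import math
import string

# Constructed sample for demonstration; not data from the post or the study.
SAMPLE_PASSWORDS = [
    "password", "letmein", "Summer2006", "qwerty12", "Tr0ub4dor&3",
    "hunter2", "corp1234", "admin", "S3cure!", "baseball",
]

LETTERS = set(string.ascii_letters)
ALNUM = LETTERS | set(string.digits)


def classify(pw: str) -> str:
    """Bucket a password into the three classes used by the quoted study."""
    chars = set(pw)
    if chars <= LETTERS:
        return "letters"            # letters only
    if chars <= ALNUM:
        return "alphanumeric"       # letters and/or digits, no symbols
    return "non-alphanumeric"       # at least one symbol or non-ASCII char


def keyspace_bits(pw: str) -> float:
    """Upper bound on the search space: length * log2(alphabet actually used)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c not in ALNUM for c in pw):
        size += 33                  # assumed: printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


def summarize(passwords):
    """Return the study-style summary: class percentages, average length, bits."""
    n = len(passwords)
    counts = {"letters": 0, "alphanumeric": 0, "non-alphanumeric": 0}
    for pw in passwords:
        counts[classify(pw)] += 1
    return {
        "count": n,
        "pct_letters_only": round(100 * counts["letters"] / n, 1),
        "pct_alphanumeric": round(100 * counts["alphanumeric"] / n, 1),
        "pct_non_alphanumeric": round(100 * counts["non-alphanumeric"] / n, 1),
        "avg_length": round(sum(len(p) for p in passwords) / n, 1),
        "avg_keyspace_bits": round(sum(keyspace_bits(p) for p in passwords) / n, 1),
    }
```

Run against a real export it gives the same three percentages and average length as the study, and the bits column shows why a 7.8-character alphanumeric average is only modest even before dictionary words are considered.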
I think a 7.8 character alphanumeric password is a pretty good average score for the corporate environment, actually — considering there are typically lots of different systems, each imposing its own policies but also its own restrictions.
Many traditional apps (as well as more than a few “modern” web apps) cannot handle non-alphanumeric characters, for instance, or have length restrictions.
I think you hit the nail on the head – the difference between MySpace and corporate accounts is “too many passwords”. Teens have a MySpace account, one or two e-mail accounts, and maybe one or two other web accounts requiring passwords. Most of my users have at least two e-mail accounts, several database accounts, maybe one account on a server, plus several web accounts. Fortunately for us, our corporate LAN and e-mail use the same passwords, as do most SQL Server accounts. For us IT folks it is far worse – I need passwords to the “oracle” account, and sometimes the “root” account, on six servers, plus passwords to SYS and SYSTEM on my Oracle databases, plus passwords to some other schemas.