Password Use Study: massive reuse of passwords

A recent password use study by the German Hasso-Plattner-Institute of roughly 1 billion user accounts concluded that 20% of users were reusing passwords. Additionally, 27% of users used password that were nearly identical with other account passwords.

User accounts and passwords are still the dominating method of authentication both locally and online.

While companies work on replacing passwords with other methods, think password pills and tattoos, or the increasing use of authentication apps and biometric authentication means, nothing is out there that has replaced the good old username and password combination yet.

The authentication scheme has its flaws. Three major ones are that passwords, or their hashes, may be stolen when servers are attacked successfully, that weak passwords are common, and that nothing is keeping users from reusing passwords.

These hacks happen frequently, and they hit smaller and larger companies. It is likely that some are not made public at all, but the list of companies that disclosed successful hacks recently includes Yahoo, Dailymotion, VK, MySpace, Friend Finder Network, or Brazzers.

Password Use Study: massive reuse of passwords

Researchers of the institute analyzed about 1 billion user accounts. The data came from 31 leaks that were made public either by the attackers themselves or by buyers.

About 68.5 million email addresses appeared multiple times in the database; that is about 20% of all user accounts found in the data according to the researchers.

About 27% of all users selected passwords were at least 70% identical to other passwords that the user's used. This indicates minor changes to a core password, for instance by using "princess" as the core password, and variations such as "pr1ncess", "princess1" or "princ3ss".

These variations are sometimes used if a site's password policy requires special characters, numbers, or other characters that are absent in the core password.

The most common passwords are "123456", "123456789", "111111", "qwerty", and "12345678" according to the study.

Check your email address

The institute runs an email checker that you may use to find out if the entered email address appeared in one of the leaks.

All you need to do is enter your email address, click on the check button, and wait for the results to arrive in your email inbox.

If that is the case, it is suggested to change the password immediately to avoid abuse. Also, it is recommended to change the password at other services if you have reused it.

The institute is bound to German (privacy) laws. The (German) press release that announced results of the study is available here.

Now You: How do you handle passwords?