Bruce Schneier got his hands on a list of MySpace user passwords captured in a phishing attack and analyzed how hard they would be to crack. Guess what? Kids really are dumb. Just not as dumb as you, me, or the average corporate user when it comes to choosing a password:
I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long.
And in 1992 Gene Spafford cracked 20 percent of passwords with his dictionary, and found an average password length of 6.8 characters. (Both studied Unix passwords, with a maximum length at the time of 8 characters.) And they both reported a much greater percentage of all lowercase, and only upper- and lowercase, passwords than emerged in the MySpace data. The concept of choosing good passwords is getting through, at least a little.
On the other hand, the MySpace demographic is pretty young. Another password study in November looked at 200 corporate employee passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.
If your password roxxors, you won't have dudz in yr accounts, pwning yr dolarz.
Read how here.