CNET también está disponible en español.

Ir a español

Don't show this again


Report: Net users picking safer passwords

Average MySpace password has eight characters, expert says. But no password is secure if you fall for a phishing scam.

A sample of login information from 34,000 members seems to indicate that Internet users are getting better at picking more secure passwords, according to a prominent security expert.

The average password is 8 characters long and 81 percent of those in the sampling consist of both letters and numbers, Bruce Schneier, chief technology officer of Counterpane Internet Security, wrote in an article published on Wired News Thursday. One of the users in the sample even had a 32-character password: "1ancheste23nite41ancheste23nite4."

One problem, though, is that all the passwords Schneier inspected were obtained through a phishing scam. Attackers created a fake MySpace login page and tricked users into thinking they had to enter their credentials to access their account on the social-networking site. Schneier obtained the list via a security industry colleague, he wrote.

The five most common passwords are: password1, abc123, myspace1, password and blink182 (a band), according to Schneier. Only 3.8 percent of passwords are a single word found in a dictionary, and another 12 percent are a word plus a final digit, two-thirds of the time that digit is 1, he wrote.

"We used to quip that 'password' is the most common password. Now it's 'password1'. Who said users haven't learned anything about security?" Schneier wrote. "Seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric."

Still, passwords have outlived their usefulness, according to Schneier. Password crackers are so fast that they can test millions of passwords per second. Also, people in general dislike having to remember multiple passwords. Still, passwords continue to be commonplace; even Bill Gates hasn't been able to change that yet.