New Revelation: How Weak Government and Civilian Passwords Are?

WebGuard Thread Lab has publicly exposed in their latest research that 50% of military and government employee LinkedIn passwords are easy to break. Passwords that are very weak to a point that a two-days worth of brute force attack is enough to crack it. The research has been produced by careful analysis of the LinkedIn data that went public due to a data breach in 2012.

As per Webguard’s analysis, the leaked data alone contains user information belonging to 355,023 government and military agencies. This is a small portion of the total 117 million stolen credentials from Linkedin, half of which were successfully brute forced in just 48-hours. Government and military LinkedIn accounts are only 2% better with their password complexity test compared to civilian LinkedIn users.

It is a common understanding that users should never use easily guessed and pattern-based passwords, as they are vulnerable to both dictionary attacks and brute force. However, the leaked data confirmed that multiple users had used “111111”, “LinkedIn”, “123456”, “sunshine” and even “password” as the password. But knowing that old habits are hard to die, even with a 6-year-old data, it is still valid to claim that many users don’t care about creating a complex password that is harder to crack.

Many large organizations give specific advice to new users about how to select a ”good password.” A good password, in terms of the above discussion, should aim to be reasonably long, use a reasonably large character set, but still be easy to remember. There are some subtleties about whether the attacker is going to try many passwords over a network or whether she’s obtained a copy of the password file and is cracking it offline, but we propose to ignore these for the purposes of the present study.

A reasonably secure password should consist of mixed characters or special characters, and should not consist of words found in the dictionary. It should not be written down in an easily accessible place and especially not next to login. It may either be all in capital or small type letters. Good passwords appear to be random characters. The wider the variety of characters the better. Mixing letters with numbers is better than letters alone. Mixing special characters with number and letters is better still.

Users should be instructed to choose a mnemonic based passwords as these are just as memorable as naively selected passwords while being just as hard to guess as randomly chosen ones. So they give the best of both other options. Entropy per character also matters. Users should be told to choose passwords that contain numbers and special characters as well as letters. If such a lead isn’t given, then most of them will choose passwords from a very small subset of the total password space.

“In 2012, LinkedIn lost over one hundred million hashed passwords. This quarter the Threat Labs team performs new analysis on that leaked database to learn how well government and military users select passwords. Avoid making password mistakes by learning from the bad practices of others,” said WebGuard Thread Lab’s representative.