February 10, 2011, 9:49 PM — A British security researcher has analyzed password data made public by Anonymous group hacks against Gawker and rootkit.com, and found that many users with accounts at both sites used the same password for their login credentials.
In fact, compared to previous research on the issue, the data suggests more and more people are reusing passwords.
Password reuse across different Websites represents a risk because all a hacker need do is crack one site to be able to access other sites the individual uses.
The requirement by many Websites that users log in with their e-mail addresses makes password reuse an even more serious issue, because it means the same username is used across multiple sites. In most cases, e-mail addresses are not confidential.
Analyzing the data, researcher Joseph Bonneau found that 456 legitimate e-mail addresses overlapped at both Gawker and rootkit.com. All the passwords were hashed (that is, encrypted), which makes decoding virtually impossible, but Bonneau used rainbow tables to uncover 54% of the Gawker passwords and 44% of the rootkit.com passwords. Rainbow tables are massive look-up databases of hashed passwords alongside their plain text versions.
A process called salting can make it much harder for a rainbow table attack to decode passwords, but the rootkit.com passwords weren't salted, and the Gawker ones were only minimally salted.
With the new data in hand, Bonneau found that 49% of the users he was able to match across both sites had used the same password for their login credentials. Six percent of them varied their passwords only by changing capitalization or adding a small suffix (that is, something like "password" and "password1").
Previous studies have shown password reuse rates of between 12 and 20%, so the implication is that Web users are getting lazier. However, it's extremely hard to perform studies of this nature because of limited data sources; no organization will make its live password data available for cracking, and certainly no organization where the passwords protect important data (such as banks, where the question of password reuse is all the more important).
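The two mechanisms the article relies on, a precomputed hash lookup table defeated by per-user salts, and the matching of overlapping accounts into "same", "near-variant" and "different" password classes, as an added illustration that is not Bonneau's code or either site's implementation; the word list, e-mail addresses, hash functions and the two-character suffix rule are constructed assumptions for the demo.

```python
import hashlib
import os

# Constructed word list; the toy "rainbow table" below is just a precomputed
# hash -> plaintext map over it (a real table trades space for time, but the
# property shown here is the same: no hashing work at attack time).
WORDLIST = ["password", "password1", "letmein", "qwerty", "Password", "hunter2"]

def unsalted_hash(pw: str) -> str:
    # SHA-1 chosen for the demo only; not a claim about what either site used.
    return hashlib.sha1(pw.encode()).hexdigest()

def salted_hash(pw: str, salt: bytes) -> str:
    # A random per-user salt makes the same password hash differently for every user.
    return hashlib.sha256(salt + pw.encode()).hexdigest()

LOOKUP = {unsalted_hash(w): w for w in WORDLIST}  # the precomputed table

def table_lookup(h: str):
    """One dictionary probe recovers an unsalted hash of a listed word;
    a salted hash is never in the table, so the work must be redone per record."""
    return LOOKUP.get(h)

def classify_reuse(a: str, b: str) -> str:
    """'same', 'variant' (case change or a suffix of at most 2 chars), or 'different'."""
    if a == b:
        return "same"
    short, long_ = sorted((a.lower(), b.lower()), key=len)
    if long_.startswith(short) and len(long_) - len(short) <= 2:
        return "variant"
    return "different"

def reuse_stats(site_a: dict, site_b: dict) -> dict:
    """Count reuse classes over e-mails that appear in both recovered sets."""
    counts = {"same": 0, "variant": 0, "different": 0}
    for email in site_a.keys() & site_b.keys():
        counts[classify_reuse(site_a[email], site_b[email])] += 1
    return counts

# Constructed recovered data: three e-mails overlap, one appears on site B only.
SITE_A = {"a@x.test": "password", "b@x.test": "letmein", "c@x.test": "qwerty"}
SITE_B = {"a@x.test": "password1", "b@x.test": "letmein",
          "c@x.test": "hunter2", "d@x.test": "qwerty"}

if __name__ == "__main__":
    print(table_lookup(unsalted_hash("password")))                    # password
    print(table_lookup(salted_hash("password", os.urandom(16))))      # None
    print(reuse_stats(SITE_A, SITE_B))  # {'same': 1, 'variant': 1, 'different': 1}
```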