A recent study of password use by the German Hasso-Plattner-Institute, covering roughly 1 billion user accounts, concluded that 20% of users were reusing passwords. Additionally, 27% of users used passwords that were nearly identical to their other account passwords.
User accounts and passwords are still the dominating method of authentication both locally and online.
While companies work on replacing passwords with other methods, think password pills and tattoos, or the increasing use of authentication apps and biometrics, nothing has replaced the good old username and password combination yet.
The authentication scheme has its flaws. Three major ones are that passwords, or their hashes, may be stolen when servers are attacked successfully, that weak passwords are common, and that nothing is keeping users from reusing passwords.
These hacks happen frequently, and they hit smaller and larger companies alike. It is likely that some are never made public at all, but the list of companies that disclosed successful hacks recently includes Yahoo, Dailymotion, VK, MySpace, Friend Finder Network, and Brazzers.
Researchers of the institute analyzed about 1 billion user accounts. The data came from 31 leaks that were made public either by the attackers themselves or by buyers.
About 68.5 million email addresses appeared multiple times in the database; that is about 20% of all user accounts found in the data according to the researchers.
About 27% of all users selected passwords that were at least 70% identical to other passwords they used. This indicates minor changes to a core password, for instance using "princess" as the core password and variations such as "pr1ncess", "princess1" or "princ3ss" elsewhere.
These variations are sometimes used if a site's password policy requires special characters, numbers, or other characters that are absent in the core password.
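To make the "70% identical" figure concrete, here is an added example (not part of the article or of the institute's tooling) that flags near-duplicate passwords, as a password manager audit or a password-change check might. The similarity measure (an edit-distance ratio) and the sample vault are assumptions; the article does not state which metric the study used.

```python
# Added example: detect passwords that are near-variants of one another.
# Similarity metric is an assumption (Levenshtein ratio), not the study's own.

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for strings sharing no characters."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest

def near_duplicates(candidate: str, vault: dict, threshold: float = 0.7) -> list:
    """Return (site, similarity) for every stored password at least
    `threshold` similar to the candidate, most similar first."""
    hits = []
    for site, stored in vault.items():
        score = similarity(candidate, stored)
        if score >= threshold:
            hits.append((site, score))
    return sorted(hits, key=lambda hit: -hit[1])

# Constructed sample vault using the article's "princess" variations.
SAMPLE_VAULT = {
    "shop.example": "princess",
    "mail.example": "pr1ncess",
    "forum.example": "princess1",
    "bank.example": "Tq7#vLm2@xR9",
}

if __name__ == "__main__":
    # A user proposing "princ3ss" would be warned about three existing sites.
    for site, score in near_duplicates("princ3ss", SAMPLE_VAULT):
        print(f"{site}: {score:.0%} similar")
```

The bank password shares no characters with the candidate and is not reported; the three "princess" variants all clear the 70% line.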
The most common passwords are "123456", "123456789", "111111", "qwerty", and "12345678" according to the study.
The institute runs an email checker that you may use to find out if the entered email address appeared in one of the leaks.
All you need to do is enter your email address, click on the check button, and wait for the results to arrive in your email inbox.
If your address does appear in one of the leaks, change the password of the affected account immediately to prevent abuse. Also change the password at any other service where you have reused it.
The institute is bound to German (privacy) laws. The (German) press release that announced results of the study is available here.
Now You: How do you handle passwords?