While most of the media attention has been focused on the personalities, egos, and the questionable ethics involved, Joseph Bonneau, a PhD candidate in the Security Group of the University of Cambridge Computer Laboratory, gleaned some surprising information from the leaked rootkit.com database.
In a blog post on Light Blue Touchpaper, the Security Group’s blog, he compares that data with the user database from the recent Gawker incident. He found a rate of password re-use much higher than most previous estimates.
“Of the 456 common users, 161 had their password cracked in both datasets, 46 only had their rootkit.com password cracked and 77 only had their Gawker password cracked, leaving 172 with neither password cracked. Of the accounts for which passwords were cracked at both sites, 76% used the exact same password. A further 6% used passwords differing by only capitalisation or a small suffix (e.g. ‘password’ and ‘password1’).”
He goes on to explain why the raw 76% figure is not a valid estimate of the overall reuse rate, and concludes that the real number lies somewhere between 31% and 43%. Those numbers are a substantial increase over the 12% estimate of Florencio and Herley (Microsoft Research) and the 20% estimate from Gaw and Felten’s user survey at Princeton.
The full blog post is a worthwhile read.
This reinforces my belief that increased consumer education on the dangers of reusing passwords between sites and banning passwords appearing in the rootkit.com top-500 and Gawker top-250 lists would do much more to improve security than setting arbitrary password content standards and forcing periodic password changes.
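The comparison Bonneau describes (common users, cracked-at-both counts, exact reuse versus capitalisation-or-suffix variants) and the top-N denylist check proposed above are straightforward to reproduce. The following is an added example written for this post, not Bonneau's code and not from either leaked dataset: the account records are constructed stand-ins, the `TOP_PASSWORDS` set is a made-up substitute for a real top-N list, and the definition of a "small suffix" (up to three trailing digits or punctuation marks) is my own assumption.

```python
import re

# Constructed sample records (not the real leaked data): email -> cracked
# password, or None where the account exists but its hash was not cracked.
SITE_A = {
    "alice@example.com": "password",
    "bob@example.com": "Sunshine12",
    "carol@example.com": None,
    "dave@example.com": "qwerty",
    "erin@example.com": "letmein",
    "grace@example.com": "Summer2010",
    "heidi@example.com": None,
}
SITE_B = {
    "alice@example.com": "password1",   # same base, small suffix added
    "bob@example.com": "sunshine12",    # differs only by capitalisation
    "carol@example.com": "dragon",
    "dave@example.com": "monkey",       # genuinely different
    "erin@example.com": "letmein",      # exact reuse
    "grace@example.com": None,
    "heidi@example.com": None,
    "frank@example.com": "hunter2",     # not present at site A
}

# Assumption: a "small suffix" is up to three trailing digits or punctuation marks.
_SUFFIX_RE = re.compile(r"[0-9!?.#@$]{1,3}$")

# Constructed stand-in for a "top-N most common passwords" list.
TOP_PASSWORDS = {"password", "123456", "qwerty", "letmein", "monkey", "dragon"}


def base_form(password):
    """Lower-case the password and drop a small trailing suffix, if any.
    An all-digit password such as '123' keeps its full form so that two
    unrelated numeric passwords are never collapsed to the same empty base."""
    stripped = _SUFFIX_RE.sub("", password)
    return (stripped or password).lower()


def classify_pair(pw_a, pw_b):
    """Exact reuse, near-variant (case or small suffix only), or different."""
    if pw_a == pw_b:
        return "exact"
    if pw_a.lower() == pw_b.lower() or base_form(pw_a) == base_form(pw_b):
        return "variant"
    return "different"


def compare_sites(site_a, site_b):
    """Tally the cross-site categories Bonneau reports for users common to both sites."""
    common = set(site_a) & set(site_b)
    stats = {"common": len(common), "both": 0, "only_a": 0, "only_b": 0,
             "neither": 0, "exact": 0, "variant": 0, "different": 0}
    for user in common:
        pw_a, pw_b = site_a[user], site_b[user]
        if pw_a is not None and pw_b is not None:
            stats["both"] += 1
            stats[classify_pair(pw_a, pw_b)] += 1
        elif pw_a is not None:
            stats["only_a"] += 1
        elif pw_b is not None:
            stats["only_b"] += 1
        else:
            stats["neither"] += 1
    return stats


def reuse_rates(stats):
    """Fraction of both-cracked pairs that are exact reuse, and exact-or-variant.
    Both are rates among cracked pairs only, which is why the headline 76% is
    an overestimate for the population as a whole."""
    if stats["both"] == 0:
        return 0.0, 0.0
    exact = stats["exact"] / stats["both"]
    loose = (stats["exact"] + stats["variant"]) / stats["both"]
    return exact, loose


def is_denylisted(password, denylist=TOP_PASSWORDS):
    """Reject a candidate password if it, or its base form, is on the common list,
    so that trivial variants like 'Password1' are caught along with 'password'."""
    return password.lower() in denylist or base_form(password) in denylist


if __name__ == "__main__":
    s = compare_sites(SITE_A, SITE_B)
    print(s)
    print("exact reuse %.0f%%, exact-or-variant %.0f%%" % tuple(r * 100 for r in reuse_rates(s)))
    for candidate in ("Password1", "Sunshine12", "123456"):
        print(candidate, "banned" if is_denylisted(candidate) else "ok")
```

Running it on the constructed records gives 7 common users, 4 cracked at both sites, one each cracked only at A, only at B, and at neither, and an exact-reuse rate of 25% that rises to 75% once case and suffix variants are counted. The denylist check is deliberately applied to the base form as well as the literal string, since a ban on "password" that still admits "Password1" buys very little.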
You can follow the ongoing HBGary soap opera on Ars Technica.