Interesting real-world data pertaining to password security has emerged recently, once again shedding light on the importance of having strong password policies in place at your organization. That means more than, for example, requiring a minimum password length -- it also means reminding end-users to be careful about both surrendering and reusing passwords too readily.
The first set of data came from Amit Klein, CTO of Trusteer. He wrote about a study that found about 50 percent of phishing victims give up their password credentials within the first 60 minutes of a phishing attack's launch, and 80 percent of stolen credentials are taken within the campaign's first five hours. Given the way most of us hover around our email clients and smartphones, this doesn't seem all that far off. I mean, if you're going to be fooled, why would you wait a few days before responding to that emergency message "trying to protect you"?
If Trusteer's study holds true for most phishing attacks, it has interesting implications. For one, it probably takes most security vendors from a few hours to a day to help protect their customers against the latest attacks. Even if they block the phishing attack within an hour, half the potential damage is done. This is not to say that defense vendors shouldn't implement the quickest defense they can muster, as protecting half the victims is a very laudable goal.
Another theory: The data simply reflects that vendors are proactively protecting their customers after the first hour. Although I'm not overly convinced of the latter theory, I'll placate myself with it.
The plague of password reuse
Another interesting data point comes from researchers in the Security Group at the University of Cambridge Computer Laboratory, who examined two websites that were recently hacked and had their password hashes stolen. The two sites appeared to have a lot of overlapping customers (based on email addresses). Of the passwords that were cracked, 76 percent of customers used the same password at both sites. The finding isn't surprising, but this is the first time I've seen data supporting the conclusion that people, against all advice, like to reuse passwords between sites.
I learned this lesson early on in the pre-Internet days of dial-up when I was a co-sysop for a popular BBS. One day the BBS wouldn't take my password. I had to call the other co-sysop, and he changed my password to a temporary one so that I could log on. I remember him saying as he viewed my current password (the one that did not work), "Hey, why is your password 'urfucxed'?" (Note: It didn't contain an "x.") I realized then that someone was sending me a message: I had apparently pissed off some other BBS sysop, and he or she had logged on to my site using the password I had reused across hundreds of sites.
Many people choose the same password they use at work for personal websites. In these times, not a single day passes without some major password hacking incident becoming public. At the time of this writing, the outbreak of the day involves eHarmony.