Following the breach of Sony Pictures, the hackers at LulzSec posted a partial file containing the passwords of tens of thousands of users. For Sony Pictures, the allegedly unencrypted password file was an embarrassment. For users of its websites, the leak was an annoyance. But for password researchers, the breach is another data point for analysis.
No wonder then that researchers have hashed, crunched, and otherwise squeezed out a number of conclusions from the file.
Of course, the top conclusion is that users pick bad passwords. In his analysis of the file, security blogger Troy Hunt found that half of the passwords were seven characters or less. In addition, 36 percent of the passwords were included in a password dictionary of commonly used passwords.
Another conclusion: People commonly reuse passwords. Hunt compared the Sony Pictures password file to another password file stolen from the news site Gawker and found 88 email addresses that matched. In two-thirds of those cases, the users used the same password.
Meeting the requirements of using strong -- in other words, long or complex -- passwords and making each one unique is a tall order, so much so that most users have given up and choose easy-to-remember passwords and use them on multiple sites.
"If we acknowledge that passwords of significant length and uniqueness are important, you need to have a password manager," Hunt says. "Because, unless you are a savant, you can't remember that much."
Yet in discussing the breach with other password experts, a different conclusion repeatedly reared its head: Providers, not users, are to blame for bad passwords.
While users can select strong passwords and control their reuse, the only gatekeeper that can force the requirement of password strength is the provider. User have some control over their own fates, but the online service provider has more, says Per Thorsheim, a researcher who has organized two conferences on the subject of passwords. After all, it's the service provider that sets the policy of what is an acceptable password.
"To me, it's simple psychology: If the system accepts my choice of password, then it must be good enough," Thorsheim says. "I expect the service provider to be better at security in their own system than I could possibly be."
