Moreover, in almost every case in which password researchers have obtained information on users' choices of passwords, the breach occurred because of the provider's poor security, not the user's choice of a bad password. In the more egregious cases, such as Sony Pictures, the password file was stored in plain text, without encryption. When that happens, it no longer matters what type of password a user chose, says Cormac Herley, a principal researcher with Microsoft Research.
"In none of these cases is password strength the reason the breach occurred," Herley says. "People with super, super weak passwords and people with super, super strong passwords had exactly the same fate."
This story, "Don't blame users for dumb passwords," was originally published at InfoWorld.com.