First, the biggest security screwup in this affair clearly was made by Sony who, according to the hacking group ("LulzSec"), "...stored over 1,000,000 passwords of its customers in plaintext." Let me repeat that: Sony "...stored over 1,000,000 passwords of its customers in plaintext." This is a rookie crypto mistake of the worst kind. Whenever you store passwords, you have to assume that the stored data will eventually become accessible to unauthorized parties, and therefore you have to follow best cryptography practices (salted, deliberately slow password hashing rather than plaintext or a plain unsalted hash) to make it as difficult as possible for the thieves to recover the original passwords. This piece at stackoverflow.com gives some good practices to follow.

But back to the actual passwords: this breach confirms what previous breaches have shown, that unless they are forced to choose strong passwords, users will overwhelmingly choose weak ones. Click here for some of the lowlights of the research.
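To make the storage point concrete, here is an added example (not code from the original post, and not anything Sony used) of the practice the paragraph recommends: a per-user random salt plus a slow key-derivation function, with the parameters stored alongside the hash so they can be raised later. The algorithm choice (PBKDF2-HMAC-SHA256) and iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte
# random salt. The iteration count is stored in each record so it can be
# increased over time without invalidating existing accounts.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The plaintext password is never stored; only the salted, slow hash is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare
    in constant time so the check leaks no timing information."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False                    # unknown or malformed record
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record was produced with weaker parameters than the
    current policy; rehash on the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM \
        or int(parts[1]) < min_iterations
```

Because every record carries its own salt, two customers who picked the same weak password produce different records, so a stolen table cannot be attacked with one precomputed lookup and does not reveal which accounts share a password.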