The recent break-in at RockYou, where a massive 32 million accounts were compromised (e-mail addresses, account names and passwords), has been thoroughly debated online since it became publicly known. They still have an "Important security notice" link on their homepage, admitting the compromise and stating the (obvious) actions they will take to ensure the safety of their users. I presume some information/marketing people have also been involved in that statement.
The password list (at least) has become more or less publicly available on the Internet, allowing everyone interested to do statistical analysis of these "real-world" passwords at a scale never seen before. Why the quotation marks on real-world, you might ask? I'll get back to that later on.
Personally I like the analysis that Matt Weir has on his blog, although it didn't attract much attention in the media. However, when Imperva released their white paper with their statistics, they got quite a bit of media coverage. Their white paper doesn't impress me much:
- simple statistical summaries of "media friendly" information
- an obsolete link to NASA for defining what a good password should be (page 3)
- the paper doesn't really present benchmarks, recommendations or opinions by Imperva themselves
As such I find it hard to see this as much more than marketing hype. But hey, congratulations to Imperva for getting a lot of attention on this! :-)
So, to explain my use of quotation marks on "real world" above, we do not know any of the following:
- the age of the passwords (password last set), compared to various password policies
- if any accounts were deleted, after being disabled/removed from originating sites (Facebook etc)
- the technically enforced password policies of the various sites using/linking to RockYou
- how any changes in password policies may have been enforced upon existing users/passwords
- if any accounts/passwords were created by bots, mass registrations etc.
Although 32 million passwords is a massive amount of data to analyze, there are so many factors that may affect the statistical results. You have pretty close to no information whatsoever about the data you're analyzing!
So here's the deal. WHY would users create complex passwords on free services that in many cases don't represent any economic value to them? WHY would users create complex passwords when they are not required to do so? After all, we all expect providers of different services to provide a decent level of security, don't we? Even if those services are provided for free? Of course we all expected the passwords to be stored in a rather secure way; we believed that a risk analysis at RockYou had shown that their password policy was adequate, etc. A little naive, I know, but there is an element of trust here that is important to me. Somebody has to be trusted in this world! (suggestions most welcome...)
In my experience most users do not care more about security than expecting their service providers to maintain good security, without being able to explain to anyone what "good security" should be. It's like outsourcing; one reason to do it could be "leave the tech stuff to the professionals". RockYou doesn't exactly appear as "professional" in this case.
In the case of RockYou my personal opinion is that they most certainly did not implement or maintain "best practice" security, but blaming them alone for what happened would also be wrong. I've written about the (in)security of passwords on other social networking sites earlier, and I think there are many to blame here.
If RockYou survives after this incident, AND they do what they should have done in the first place, will it be possible to enforce a password change for ALL users? Will that eventually be enough to prevent massive break-ins in the future? No. Sorry guys, you lost. Too bad users won't realize that - and will continue to use RockYou services.
I'm not defending RockYou in any way, but we need to look beyond this company and this particular incident and start looking at the broader perspective. I'll get back to that in later posts.
Hey, thanks for the shout-out. I just want to add I second everything in your post. In particular, I've really been struggling with making sense of the list, since as you correctly pointed out, there are a lot of unknowns with it.
One thing that has been particularly bothering me though is I have a hard time figuring out how RockYou will store all of the passwords as hashes. They aren't like a normal website. Instead, many of their programs are aggregators of different social networking sites. Aka they have to be able to log into your Facebook/Myspace/Friendster accounts to access all of your user information. To do that, they need the raw passwords, not the password hashes. Perhaps they can work with Facebook/Myspace/etc. so they won't require the user's password, but that opens up a whole new slew of possible security flaws. It's a tough question.