(Screenshot from Swedish PTS on Sunday 28 Nov 2010)
In February this year I wrote a blog post named "Never Trust Password Meters", after a tweet from @mikkohypponen at F-Secure. One of the password meter services I commented on was "testalosenord" (test your password) from the Swedish Post and Telecom Agency. I e-mailed them the same day, just to inform them about my blog post. On November 18 I received a reply.
Not that I expected any answer, of course; I write about my personal opinions and I'm just happy whenever I get any feedback. It's a short reply from PTS, but they gave me a link to a page displaying statistics about the passwords tested through their online service. Oh, and they use Cracklib for testing all passwords submitted. The statistics are interesting; the screenshot at the top of this blog post is taken from that page.
Yes, I know it's in Swedish. I'm here to help. :-)
Passwords shorter than 8 characters (90.27%)
No surprise really. My guess: most people will test one or more of their passwords, most probably personal passwords not used at work. Even if they do test their work passwords, very few organisations require a length of 8 or more in their password policies.
Passwords without digits (88.07%)
Well, digits don't have to be a requirement for making "secure" passwords. I guess this really cannot be interpreted as "bad" passwords, as we have no information on length, use of upper/lower case and/or special characters.
Passwords without UPPERCASE letters (90.56%)
To me this really indicates that the passwords tested are personal passwords, not subject to a "professional" password policy, which will usually include complexity requirements (3 of the 4 character groups must be used). The typical outcome of such complexity requirements is easily illustrated this way:
(Image: click to see full size)
Now this is really surprising! In a real corporate environment I would expect lowercase letters in pretty close to ... 99.9% of all passwords or something like that. Of course, with 123456 probably being the most common password out there, you could blame some of the statistics on that one, but 86.05% is still surprising!
Passwords without special characters (92.25%)
In a corporate environment I would usually expect this percentage to be lower, meaning more specials in passwords. However, for personal passwords most probably not originating from corporate environments with complexity requirements turned on, this makes sense to me.
Passwords found in the PTS wordlist (16.58%)
Well, I don't know if they are using a standard Cracklib wordlist, or if PTS has edited such a list themselves. I have also questioned what we all consider to be a "wordlist" in a previous blog post named "What's a wordlist?". Either way, I really can't see much usefulness in this one, at least for my purposes.
Passwords without any letters (4.65%)
This could simply be users clicking Testa! (submit), or the common 123456 password, or the slightly less common 12345 password of course. In a complexity environment I would usually expect most "complex" passwords to be of the format UllllllDD (uppercase, multiple lowercase, 2 or 4 digits at the end).
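As an added illustration (not code from the post or from PTS), here is a small Python script that recomputes the PTS-style categories over two constructed password samples, one personal-looking and one shaped by a 3-of-4 complexity policy, and also counts how many passwords fall into the UllllllDD shape described above. The wordlist, the samples and the exact-match wordlist check are assumptions made for the example.

```python
import re

# The categories PTS reports, as listed in the post, expressed as predicates.
CATEGORIES = {
    "shorter than 8 characters": lambda p: len(p) < 8,
    "without digits": lambda p: not re.search(r"[0-9]", p),
    "without UPPERCASE letters": lambda p: not re.search(r"[A-Z]", p),
    "without lowercase letters": lambda p: not re.search(r"[a-z]", p),
    "without special characters": lambda p: not re.search(r"[^A-Za-z0-9]", p),
    "without any letters": lambda p: not re.search(r"[A-Za-z]", p),
}

# Constructed stand-in for the PTS/Cracklib wordlist (assumption: lowercase words, exact
# match only; the real Cracklib also tries reversals, digit stripping and other mangling).
WORDLIST = {"password", "sommar", "summer", "letmein"}

def mask(p):
    """Character-class mask of a password: U=uppercase, l=lowercase, D=digit, S=anything else."""
    return "".join("U" if c.isupper() else "l" if c.islower() else
                   "D" if c.isdigit() else "S" for c in p)

# The UllllllDD shape from the post: one uppercase, a run of lowercase, 2 or 4 trailing digits.
POLICY_SHAPE = re.compile(r"^Ul+(DD|DDDD)$")

def pts_stats(passwords):
    """Return PTS-style percentages (rounded to 2 decimals) for a list of candidate passwords."""
    n = len(passwords)
    pct = lambda hits: round(100.0 * hits / n, 2)
    stats = {name: pct(sum(1 for p in passwords if pred(p)))
             for name, pred in CATEGORIES.items()}
    stats["found in wordlist"] = pct(sum(1 for p in passwords if p.lower() in WORDLIST))
    stats["UllllllDD shape"] = pct(sum(1 for p in passwords if POLICY_SHAPE.match(mask(p))))
    return stats

# Two constructed samples: personal-style passwords, and passwords shaped by a complexity policy.
PERSONAL = ["123456", "12345", "sommar", "password", "kalle",
            "anna1", "hunden", "qwerty", "abc", "sommar09"]
CORPORATE = ["Sommar09", "Vinter10", "Kalle2010", "Password1", "Hunden12",
             "Anna1234", "Stockholm1", "Malmo2010", "Welcome1", "Qwerty12"]

if __name__ == "__main__":
    for label, sample in (("personal", PERSONAL), ("corporate", CORPORATE)):
        print(label)
        for name, value in pts_stats(sample).items():
            print(f"  {name:28s} {value:6.2f}%")
```

Running it shows the same categories giving very different pictures for the two samples, and that 70% of the policy-compliant sample collapses into the single UllllllDD shape, which is the point about "complex" passwords being predictable.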
Again: interesting statistics, but I'm afraid statistics LIE. A lot. In fact, not only should you never trust password meters, but I would suggest that you should be very skeptical of password statistics as well.
Oh... It seems as if I just told you not to trust my statistics either. Well, be skeptical at least. Ask questions, like I do. For Passwords^10, I'll try to use the tedPAD in order to create a fantastic presentation with my password statistics. :-)
(If you haven't seen the 6-minute talk on tedPAD, you should do so now! It's fantastic!)