In the latest issue of 2600 is an article on voicemail passwords. Because of its source it’ll be largely ignored by the mainstream, which is a shame because it actually has some good data. The author had access to a system with 40,000 voicemail passwords which were stored in plaintext and did some analysis on them. I always like having access to real data, especially when it so nicely demonstrates how people actually use security. In this sample, there were no complexity restrictions placed, although passwords had to be between 3 and 10 characters, and were obviously numeric. Some interesting facts:

• The top 17 or so passwords accounted for about 25% of all passwords in use. That means you could crack one out of every four passwords in 17 guesses.
• The most common password (accounting for 9.4% of the passwords in use) was the extension itself.
• Shorter passwords were greatly preferred over longer ones. (This shouldn’t shock anyone).

The most interesting thing though, was the distribution of passwords by length, which I’ve reproduced below:

So, even though shorter passwords are more common, passwords of an even length are more common than the odd number which immediately precedes them. (The one exception is 7-8, where 7 is more common, perhaps because people use a 7 digit phone number as a password). The main question on my mind of course is why – does the human brain find it easier to remember string of numbers in pairs? Do people just like even numbers more?

This entry was posted on Sunday, August 15th, 2010 at 9:48 pm and is filed under Access Control Systems & Methodology. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.