If there has been a silver lining to the recent security breaches at Sony, it’s that they have exposed how insecure major websites, to which consumers entrust their personal information, can be. They show that users should always take their own security seriously.
Another silver lining is that the tens of thousands of usernames and passwords exposed by hackers give us an opportunity to see just how seriously we’re taking security. The answer, sadly, is not very.
The group LulzSec announced last week that it had stolen over 1 million usernames and passwords from Sony and that Sony had kept this confidential user information in unencrypted plaintext, a major security blunder.
To prove it had the booty it claimed, LulzSec made available on BitTorrent a sample set of over 40,000 usernames and passwords. Now security researcher Troy Hunt has taken this database and performed an extensive analysis that shows us how well we’re choosing our passwords.
Some results:
1. Half of the passwords are less than eight characters long, the minimum length one should even consider when choosing a strong password. The longer a password the better, yet 93% of all the passwords analyzed were between six and ten characters long.
2. A strong password also makes use of at least three of the four character types available on your keyboard: numbers, uppercase letters, lowercase letters, and symbols like punctuation. Only four percent of the passwords analyzed did this. The vast majority used only one character type, such as all lowercase letters or all numbers.
3. Randomness is also key to password strength. That means using something like “qp}Edhg!13evTOI” rather than “JustinBieberRocks”. So it’s interesting that over a third of the passwords analyzed could be found in a common password dictionary. The most frequently used passwords included: seinfeld, password, 123456, purple, princess, maggie, peanut, shadow, ginger, michael, buster, sunshine, tigger, cookie, george, summer, taylor, bosco, abc123, ashley, and bailey.
4. Finally, if there’s one thing you should do to protect yourself from the possibility that one of your trusted sites is breached, it’s to never use the same password at two different websites. That way, if one of your user accounts is compromised, it won’t affect any other account. To test password uniqueness, Hunt compared the Sony data to a database of Gawker usernames and passwords, which were hacked and released late last year. He found that of those accounts that used the same email address on both sites, 67% used the same password on both systems.
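As an added illustration (this is not Hunt’s code or part of the article), here is a small Python audit that applies the four checks above to a constructed sample of passwords, using a constructed mini-dictionary built from the common passwords listed above, and then measures password reuse between two constructed dumps keyed by e-mail address, the way the Sony/Gawker comparison was done:

```python
import re

# Constructed sample dump; modelled on the kinds of passwords the article describes,
# not taken from the real Sony data.
SAMPLE_PASSWORDS = [
    "seinfeld", "password", "123456", "purple", "JustinBieberRocks",
    "qp}Edhg!13evTOI", "Summer2011", "bosco", "Tigger99", "abc123",
]

# Constructed dictionary of common passwords (Hunt used a far larger one).
COMMON_DICT = {
    "seinfeld", "password", "123456", "purple", "princess", "maggie", "peanut",
    "shadow", "ginger", "michael", "buster", "sunshine", "tigger", "cookie",
    "george", "summer", "taylor", "bosco", "abc123", "ashley", "bailey",
}

# The four character types named in the article.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def char_classes(pw):
    """Return the set of character types present in a password."""
    return {name for name, rx in CLASSES.items() if rx.search(pw)}

def audit(passwords, dictionary=COMMON_DICT):
    """Fraction of passwords failing or passing each of the article's criteria."""
    n = len(passwords)
    return {
        "short": sum(len(p) < 8 for p in passwords) / n,             # criterion 1
        "six_to_ten": sum(6 <= len(p) <= 10 for p in passwords) / n,
        "three_plus_classes": sum(len(char_classes(p)) >= 3 for p in passwords) / n,  # 2
        "single_class": sum(len(char_classes(p)) == 1 for p in passwords) / n,
        "in_dictionary": sum(p.lower() in dictionary for p in passwords) / n,        # 3
    }

def reuse_rate(dump_a, dump_b):
    """Among e-mails present in both dumps, the share that reuse the same password (criterion 4)."""
    shared = set(dump_a) & set(dump_b)
    if not shared:
        return 0.0
    return sum(dump_a[e] == dump_b[e] for e in shared) / len(shared)

if __name__ == "__main__":
    for name, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{name:>20}: {value:.0%}")
```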
If there’s overlap between these compromised Sony and Gawker databases that are freely available on the Net, “there’s a statistically good chance that the majority of them will work with other websites,” Hunt says. “How many Gmail or eBay or Facebook accounts are we holding the keys to here?”
So how are you supposed to remember a random, 21-character, mixed-character-type password for the dozens of websites you frequent? It takes a little effort, but it’s not that difficult.
Use a password management program like 1Password or LastPass, or create and remember a password recipe or simple padding pattern. You can’t trust third parties to keep your secrets secret, so if they matter to you, you have to take responsibility for your own security.
Jerry Brito is a contributor to TIME. Find him on Twitter at @jerrybrito. You can also continue the discussion on TIME’s Facebook page and on Twitter at @TIME.