A recent security breach exposed the plaintext usernames and passwords of almost 100,000 members of IEEE, the Institute of Electrical and Electronics Engineers. The usernames and passwords were discovered by a researcher in 100GB of log files inadvertently left open to the public on an IEEE FTP server.
Leaving aside for the moment how incredible it is that the IEEE would employ someone so incompetent as to think it’s OK to put passwords in a log file (well-known best practice in the industry is not only that you don’t log passwords, but that you avoid logging even the usernames submitted on login forms, because people so frequently type their password into the username field by accident), I want instead to comment on this graph that ArsTechnica published in their story about the breach:
(The graph was apparently published by Radu Dragusin, the researcher who discovered the breach.)
More accurately, I want to comment not on the graph itself, but rather on the caption which ArsTechnica published beneath it: “A breakdown of the 18 most common passwords exposed by IEEE suggest [sic] that engineers aren’t much better than lay people at choosing secure passcodes.”
In December 2010, the Wall Street Journal published a similar graph in an article about the breach of passwords for 188,279 users at Gawker. “123456” was the most common password there as well. That graph showed that approximately 3,077, or 1.6%, of the 188,279 Gawker users chose the password “123456”. In contrast, only 271 of the 99,979 IEEE users, or 0.3%, chose that password.
Contrary to ArsTechnica’s caption, it would seem that IEEE users are “much better than lay people at choosing secure passcodes.”