Pathetic passwords and password re-use is a worldwide problem, but recent analysis indicated the United States is a top offender when it comes to poor password security hygiene.
Faizan Ahmad of Fsecurify wanted to know if entire countries had better passwords than others.
Although he didn’t specify which public database breach he used for his analysis, it was a data dump which included IP addresses; he used the IPs to get users’ locations. He then compared passwords used in the U.S., Russia, China, Pakistan and India and graphed the results.
After looking at password length, the use of most common passwords, if passwords contain users’ names or email usernames, and the top 100 password patterns which make brute-force attacks a piece of cake, Ahmad concluded that people in Russia tend to use all-around better passwords.
Password length by country
For each of the five countries, he analyzed the percentage of users with passwords ranging from six to 14 characters. According to his analysis, people in the US “are not very good at having longer passwords.”
The biggest majority of passwords in Russia were 12 characters long, followed by 11 characters.
The biggest majority of US passwords were eight characters; the U.S. and China tied for the same percentage of passwords with nine characters.
Users in India and Pakistan also favored a password length of eight characters, but both countries as well as China had higher percentages of passwords with 10 to 14 characters than in the U.S.
Passwords that can be quickly cracked via brute-force attacks
Do you know how long it would take to crack your password? You can check at sites such as Random-ize.
More than 50 percent of users in Pakistan and the US have passwords from the top 100 password patterns; China had nearly 50 percent, followed by India at 45 percent and then Russia at around 30 percent. The top 100 password patterns came from Ahmad’s previous research about mining password patterns for targeted brute-forcing.
Percentage of passwords containing names and/or email usernames
When it comes to names or email address usernames used in passwords, several countries finally did worse than the US. China was the worst offender with close to 14 percent, followed by India and then Pakistan. In the US, a little more than six percent committed this password sin, compared to a little less than four percent in Russia.
While India and Pakistan tend to have close percentages, India scored a bit better. Ahmad wrote, “This proves the fact that Indian people are indeed better at security than Pakistani people.” Being from Pakistan, Ahmad said, “People here use really, really weak passwords.” He followed that comment with analysis about using the weakest passwords.
Percentage of passwords using the most common passwords
Pakistan did the worst when it comes to using the top 50 most common and therefore worst passwords. The results are in graph form, but it appears as if about 37 percent of Pakistanis use weak passwords. About 25 percent of users in China favor the most common passwords. India and the US are nearly neck-and-neck with around 21 percent using weak, common passwords. Only about 1 percent of passwords in Russia come from the most common list.
Nearly 14.6k passwords allegedly from Sam’s Club leak online
It looks like users from most countries, with the exception of Russia, need to work on cybersecurity by using better passwords. Password reuse and weak passwords can come back to bite you at any time.
For example, ZDNet reported that account details for thousands of Sam’s Club members were leaked online. The passwords had allegedly been stored in plain-text. The Pastebin post with the password dump has been taken down, but Have I Been Pwned noted it contained 14,599 email addresses.
Sam’s Club, which is the “eighth largest retailer in the US by annual net sales,” claims it wasn’t hacked; Walmart spokesperson Dan Toporek told ZDNet:
We've looked into this issue and there is no indication of a breach of our systems. It is most likely a result of one of the past breaches of other companies' systems. Because customers often use the same usernames and passwords on various sites, bad actors will typically test the credentials they obtain across many popular sites. Unfortunately, this is an industry-wide issue.
At the rate that breaches occur, even using a password manager for strong and unique passwords isn’t always enough. A few customers contacted by ZDNet claimed their passwords had been unique and therefore couldn’t have come from a previous data dump.
You should sign up to be notified of data breaches at sites such as Have I Been Pwned, LeakedSource, or ChangePassword. If you receive a notification about your data being leaked, but you don’t even have an account on that site, keep in mind that security researcher Troy Hunt pointed out that your information could have been collected by one site and then sold to another.
Geography may not make much of a difference when it comes to passwords, since users across the world seem to fall into most of the same traps. But please try to do better with your passwords.