Gmail users appear to be making some effort to choose more secure account passwords but are still often undone by a weak understanding of how to add complexity, an analysis of recent stolen credentials by Wordpress hosting firm WP Engine has suggested.

Computer hacker security attack

That computer users choose weak passwords is now axiomatic and the firm’s dive into the subject using five million Gmail passwords found on a Russian Bitcoin forum in 2014 and a recently-released but older cache of 10 million gathered by researcher Mark Burnett turned up plenty of terrible examples.

As expected, the 50 most common passwords were all easily-guessed, with the infamous ‘12345’ still in the number one spot with 0.6 of a 3.3 million samples taken from the Burnett cache alone.  

An interesting problem is the large number of users who attempt to improve a password simply by adding a number at the end, typically only two digits. In total 500,000 (8.4 percent) of the Bitcoin cache ended with a number between 0 and 99, with a further 20 percent adding only one number to passwords.

It’s not clear why people are wedded to this approach but WP Engine speculates that users might be using the same password on multiple sites, adding numbers  as variable that create a superficial security difference between them.

As for entropy – complexity in layman’s terms - the average Gmail password is eight characters long and exhibits a relatively low entropy score of 21.6, where zero is no entropy and 100 is a notional very high entropy. There is no single way of measuring entropy but WP Engine used the Zxcvbn estimator suggested by Dropbox engineer Dan Wheeler so the scoring is not being plucked out of the air.

It’s also worth noting that on Wheeler’s scale, apparently modestly entropic passwords such as ‘gue55able’ (nine characters in length and eight different characters) is pretty poor because it uses an easily-guessed pattern – entropy is about avoiding those patterns.

Another bad influence is the qwerty keyboard itself that allows humans to generate all sorts of apparently random characters strings that turn out to be utterly and easily guessed even without a password cracker, for instance ‘qwertyuiop’, ‘asdfghjkl’ or ‘zxcvbnm’. Too many naïve or lazy souls still insist on using these despite their ludicrous weakness.

So what if anything does this tell us that we couldn’t already assume? Passwords have been a pressing issue for ever it seems and we're still going round in circles.

First, the fact that passwords are being dumped with alarming regularity is a concern. Remember that even though Gmail and other passwords are now encrypted inside Google they leak out through other channels not connected to the service when people re-use them or give them up in other ways. That puts even complex passwords at risk.

A second is that according to WP Engine is that it’s not hard to connect a dumped password to a real person without much research, something it managed to do in 78,000 cases.  Many of these were well-known or senior people inside companies, a hint that some of the high-profile celeb account hacks might have this weakness at their root.

No wonder Yahoo has recently decided to abandon passwords altogether in favour of using time-sensitive phone codes every time a user logs in. It’s true that this is far from perfectly secure (criminals will try to attack the phone for a start) but it is surely better than a system based on a credential that even when competently used can be leaked into the public domain.