Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach that resulted in the compromise of over 32 million user accounts. This study examined some statistics of the passwords retrieved, including the number and variation of characters used to construct them. The results were pretty bad. Here are the highlights:
- 30% of users had passwords made up of 6 characters or less. Most brute force attempts are moderately successful against short passwords.
- Over 50% of passwords were all lowercase, or all numbers. This is bad because the keyspace is reduced. Even a password that is longer than 6 characters is weakened if it is drawn from a small character set.
On the surface, these[…]

According to a new article on TechTarget, a study by the Ponemon Institute has revealed that the cost of a data breach has increased once again, to $204 per compromised record. The study is available for download at after giving away some personal details. The “Fifth Annual U.S. Cost of Data Breach Study,” funded in part by encryption vendor PGP Corp., determines the annual cost of a breach by adding up a company’s cost of lost business as a result of an incident; expenses incurred by notifying individuals and authorities of a breach; costs associated with legal fees and consulting firms; and new investments made in technology and employee education. In our down economy, it is interesting that the cost of[…]

Verizon Business has released their 2009 Data Breach Investigations Report [pdf] and an accompanying blog post. 2008 was a crazy year in the world of data breaches… The percentage of breaches in our caseload involving financial service organizations, targeted attacks, and customized malware all doubled in 2008. It’s sure to win me the “Captain Obvious Award” from the Securitymetrics list, but organized crime activity increased and was responsible for over 90% of the 285 million records compromised. The report is sure to be a good read. We linked last year’s report, and this year’s report has some improvements: it is based on more data, collected more often, and goes into a lot more detail than the previous report. 285 million[…]