Some user password statistics
August 21st, 2008
So, a thread about stupid user passwords recently came up on a group that I frequent, and I thought I’d post this here.
We store customer information in MySQL, and have to keep a cleartext password for PPP CHAP authentication. A while back, I did some querying to see just how terrible our users’ passwords were.
Here were some of the more interesting/amusing results (remember, in SQL quotes surround literal strings and “%” is a wildcard):
SELECT COUNT(*) FROM customers: 32112
SELECT COUNT(*) FROM customers WHERE password = "password": 151
SELECT COUNT(*) FROM customers WHERE password = username: 660
SELECT COUNT(*) FROM customers WHERE password LIKE "123%": 364
SELECT COUNT(*) FROM customers WHERE password LIKE "%321": 44
SELECT COUNT(*) FROM customers WHERE password LIKE "qwerty%": 8
SELECT COUNT(*) FROM customers WHERE password LIKE "asdf%": 11
SELECT COUNT(*) FROM customers WHERE password = "********": 16
SELECT COUNT(*) FROM customers WHERE LENGTH(password) <= 4: 5151
…and I thought our users were doing surprisingly well — until I executed the last query.
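The queries above each scan the table separately, and their counts overlap (a password such as "1234" matches both the "123%" pattern and the length check), so the individual numbers cannot simply be added up. The following is an added example, not code from the original post: it runs the same predicates in a single pass and also counts the rows matching any of them. It assumes an in-memory SQLite table standing in for the MySQL `customers` table, and the sample rows, check names and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows (username, password); not data from the post.
SAMPLE = [
    ("alice", "password"), ("bob", "bob"), ("carol", "123456"),
    ("dave", "cba321"), ("erin", "qwerty1"), ("frank", "asdfgh"),
    ("grace", "********"), ("heidi", "abc"), ("judy", "1234"),
    ("ivan", "T7#kd9!vQx2m"),
]

# The post's predicates, keyed by hypothetical column names.
CHECKS = {
    "literal_password": "password = 'password'",
    "same_as_username": "password = username",
    "starts_123": "password LIKE '123%'",
    "ends_321": "password LIKE '%321'",
    "starts_qwerty": "password LIKE 'qwerty%'",
    "starts_asdf": "password LIKE 'asdf%'",
    "eight_asterisks": "password = '********'",
    "len_le_4": "LENGTH(password) <= 4",
}

def build_sql():
    # One table scan: a SUM() per predicate plus their OR-union, so a
    # row that matches several predicates is counted once in any_weak.
    # The expressions are fixed constants above, never user input.
    cols = [f"SUM({expr}) AS {name}" for name, expr in CHECKS.items()]
    union = " OR ".join(f"({e})" for e in CHECKS.values())
    cols.append(f"SUM({union}) AS any_weak")
    return "SELECT COUNT(*) AS total, " + ", ".join(cols) + " FROM customers"

def audit(rows):
    """Load rows into an in-memory table and return {check_name: count}."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", rows)
    cur = conn.execute(build_sql())
    result = dict(zip([d[0] for d in cur.description], cur.fetchone()))
    conn.close()
    return result

if __name__ == "__main__":
    for name, count in audit(SAMPLE).items():
        print(f"{name:18} {count}")
```

On the constructed rows the per-check counts sum to more than `any_weak`, which is the overlap the separate queries hide.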
