A new study has found that password structure is a key flaw in making login IDs hard to guess.

Security firm Praetorian analyzed 34 million stolen passwords from the LinkedIn, eHarmony and Rockyou breaches and found that 50 per cent of all passwords followed 13 basic structures. This lack of entropy makes it possible to use statistical analysis to make cracking faster and more effective.

A key part of the problem is with the websites themselves, as they don’t go far enough in prompting user security. Just requiring one upper case letter or number is not good enough when too many users go for the same password structure, as Praetorian explains.

When users are asked to create a ‘secure’ password, most sites simply demand things like ‘must contain 1 uppercase letter and one punctuation character.’ But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password. What was intended to increase randomness is instead creating structure that statistical analysis can exploit.

The end result is that too many sites falsely green-light passwords as "strong" that in reality could be cracked in a matter of minutes. A synopsis of Praetorian's study can be found in a blog post here. ®