How Safe Are Your Passwords?
Here’s an eye-opening article by computer security expert Bruce Schneier on the lessons learned from a database of stolen passwords: Real-World Passwords.
How good are the passwords people are choosing to protect their computers and online accounts?
It’s a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords.
The attack was pretty basic. The attackers created a fake MySpace login page, and collected login information when users thought they were accessing their own account on the site. The data was forwarded to various compromised web servers, where the attackers would harvest it later.
MySpace estimates that more than 100,000 people fell for the attack before it was shut down. The data I have is from two different collection points, and was cleaned of the small percentage of people who realized they were responding to a phishing attack. I analyzed the data, and this is what I learned.
I recommend reading the whole thing. And then changing your passwords.
UPDATE at 4/26/09 6:29:29 pm:
And just as a point of reference:
Your LGF account passwords are encrypted with a “one-way” algorithm, which ensures that:
1) I can’t learn your password even if I wanted to, and
2) in the highly unlikely event that a malicious person gets access to our database, they can’t learn your password either.
This is why we have a “Forgot your password?” feature, that lets you reset your password if you forget it, in a safe way.
Don’t bother asking me to email your password if you forget it, because I don’t know it, and can’t know it. By design.
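The "one-way" storage and the "Forgot your password?" reset flow the update describes, as an added example in Python. This is not LGF's code; the PBKDF2 parameters, the in-memory user and token tables, and the 15-minute token lifetime are assumptions made for illustration. It also shows the caveat that a stolen list like the one Schneier analyzed raises: a one-way hash stops an attacker from reading passwords, not from guessing them, so a salted, slow hash only makes each guess expensive, and a password that sits on a wordlist still falls.

```python
"""Salted, slow one-way password storage plus a single-use, expiring reset token.

Added example, not the site's code. The parameters, the dict-backed "database"
and the token lifetime are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Assumed parameters. PBKDF2-HMAC-SHA256 with a high iteration count is slow on
# purpose; tune it so one hash costs on the order of 100 ms on your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory stand-ins for the user table and the reset-token table.
# Only the salt, iteration count and hash are stored; the password never is.
USERS: Dict[str, dict] = {}           # username -> {"salt", "iterations", "hash"}
RESET_TOKENS: Dict[bytes, dict] = {}  # sha256(token) -> {"user", "expires"}


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way: the hash cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; equal passwords get different hashes."""
    salt = secrets.token_bytes(SALT_BYTES)
    USERS[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": hash_password(password, salt, PBKDF2_ITERATIONS),
    }


def verify(username: str, password: str) -> bool:
    """Login check: recompute the hash and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Do the same work for unknown users so response time does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    candidate = hash_password(password, rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """The "Forgot your password?" path: mail the user a random token, store only its hash.

    Because the token itself is never stored, a database leak does not hand out
    usable reset links either.
    """
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("ascii")).digest()
    RESET_TOKENS[key] = {"user": username, "expires": now + RESET_TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume a token once, reject it if expired, and re-hash with a new salt."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("ascii")).digest()
    entry = RESET_TOKENS.pop(key, None)  # single use, whether or not it is still valid
    if entry is None or now > entry["expires"]:
        return False
    register(entry["user"], new_password)
    return True


def guess_from_wordlist(username: str, wordlist: List[str]) -> Optional[str]:
    """What an attacker holding a copy of USERS can still do.

    The hash is one-way, so the only route is guessing. The slow hash makes each
    guess cost one full PBKDF2 run, but a password that is on the list falls anyway.
    Returns the recovered password, or None if no guess matched.
    """
    rec = USERS[username]
    for guess in wordlist:
        if hmac.compare_digest(hash_password(guess, rec["salt"], rec["iterations"]), rec["hash"]):
            return guess
    return None


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "password1")  # constructed weak password for the demonstration
    print("alice login:", verify("alice", "correct horse battery staple"))
    print("bob cracked:", guess_from_wordlist("bob", ["letmein", "password1", "qwerty"]))
    print("alice cracked:", guess_from_wordlist("alice", ["letmein", "password1", "qwerty"]))
```

The point of the last function is the one Schneier's data makes: hashing protects the site operator from knowing the password and protects a strong password from a leaked database, but it does nothing for a password an attacker would try anyway.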