
I am trying to get some statistics on databases that were part of data breaches. Namely, I would like to be able to find out what percentage of publicly posted databases (from a data breach) had passwords stored in plain-text form, hashed, as a salted hash, and so on, and to informally report statistics on the password storage characteristics/practices in publicly posted databases.

Are there any such sources or information currently available?

Anders
leomercury
    FWIW, results may be skewed by a correlation between security breaches and general bad practice when it comes to security-related things. – Alexander O'Mara Jun 20 '16 at 18:37
  • I often see implementation details mentioned in the individual reports, or info that allows you to determine what they used, but I've not seen a tallying of such details. I've seen a survey of net admins on the topic somewhere, but they could be exaggerating... – dandavis Jun 20 '16 at 19:54

1 Answer


As a start, try this paper, which assesses 34 password database breaches. It states the following on page 2:

While absolutely no information on how the passwords were stored could be found in 26.5% of the cases, we found 11.8% reported passwords were “Hashed and Salted”, 5.9% used salted MD5, 14.7% used unsalted MD5, 11.8% used salted SHA1, while unsalted SHA1, SHA256 salted, crypt(3) salted, and bcrypt each accounted for 2.9%. Plaintext use was noted in 17.6% of the site breaches.

I'm not aware of a larger scale resource that tracks these figures.

Robbie
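The comments above note that a breach report often does not say how passwords were stored, but the dump itself frequently reveals it. The following is an added example (not code from the question, the answer, or the cited paper) of the shape-based triage a researcher would run over the password column of a leaked export to produce the kind of tally the question asks for. The format signatures are my own assumptions about common storage formats (modular-crypt prefixes for bcrypt and crypt(3), bare hex digests, and a digest:salt convention), and the sample column is constructed, not taken from any real breach. A bare hex digest only tells you the digest length; whether a salt was mixed in elsewhere cannot be seen from the string alone, which is why the labels say "shaped" rather than "unsalted" and why surveys such as the one quoted still depend on reported details.

```python
import re
from collections import Counter

# Assumed format signatures, checked in order. These are shape heuristics:
# a bare hex digest reveals the digest length but NOT whether a salt was
# applied, so those labels deliberately say "shaped" rather than "unsalted".
_SIGNATURES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("crypt(3) sha512crypt, salted",
     re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("crypt(3) sha256crypt, salted",
     re.compile(r"^\$5\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{43}$")),
    ("crypt(3) md5crypt, salted",
     re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("hex digest with inline salt (digest:salt)",
     re.compile(r"^[0-9a-fA-F]{32,64}:[^:\s]+$")),
    ("32-hex digest (MD5-shaped)", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("40-hex digest (SHA-1-shaped)", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("64-hex digest (SHA-256-shaped)", re.compile(r"^[0-9a-fA-F]{64}$")),
]


def classify(value: str) -> str:
    """Label one stored password value by the storage format its shape implies.

    Anything that matches no signature is reported as plaintext or an
    unrecognised encoding; a plaintext password that happens to be 32 hex
    characters would be mislabelled, which is an accepted limitation of
    shape-based triage.
    """
    value = value.strip()
    if not value:
        return "empty"
    for label, pattern in _SIGNATURES:
        if pattern.match(value):
            return label
    return "plaintext or unrecognised encoding"


def summarize(values):
    """Return {label: (count, percentage)} over a whole password column."""
    counts = Counter(classify(v) for v in values)
    total = sum(counts.values())
    return {label: (n, round(100.0 * n / total, 1)) for label, n in counts.items()}


# Constructed sample password column (made-up values, not from any real dump).
SAMPLE_PASSWORD_COLUMN = [
    "hunter2",
    "correct horse battery staple",
    "P@ssw0rd!",
    "0123456789abcdef0123456789abcdef",                  # 32 hex chars
    "0123456789abcdef0123456789abcdef01234567",          # 40 hex chars
    "ab" * 32,                                           # 64 hex chars
    "0123456789abcdef0123456789abcdef:5a1t",             # digest:salt
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$6$saltsalt$" + "x" * 86,                           # sha512crypt shape
    "$1$abcdefgh$" + "y" * 22,                           # md5crypt shape
    "",                                                  # missing value
]

if __name__ == "__main__":
    for label, (n, pct) in sorted(summarize(SAMPLE_PASSWORD_COLUMN).items(),
                                  key=lambda kv: -kv[1][0]):
        print(f"{pct:5.1f}%  ({n:2d})  {label}")
```

Run per breached dump, the `summarize` output gives the per-site storage classification; aggregating those labels across many dumps yields the percentages the question is after, with the caveat that "salted" can only be asserted where the salt is visible in the record format.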