Ramblings of an old Doc

 

 

According to a report, most users still haven't answered the call by
security experts to implement more robust passwords. In fact, in a
list of the most easy to hack passwords, simply typing '123456' took a
truly forgettable top prize.

Security firm Imperva recently released its list of the passwords most
likely to be hacked based on 32 million instances of successful
hacking. Imperva named their report "Consumer Password Worst
Practices," and some of the entries near the top are truly simple. Here’s a LINK to the report.

 

Worst Password Practices

The top three passwords all included the simple streaming of numbers:
first '123456' followed by '12345' and then '123456789'. Similar
entries reappeared at eight and nine on a top ten list. However, the
fourth most-hacked password was actually just the word 'Password'
followed by 'iloveyou' and 'princess' at spots five and six. (Source:
computerworld.com)

What the report shows is that people still aren't using effective
strategies to protect their sensitive information online. Using these
kinds of passwords to protect your email account or, worse yet,
banking information, could lead to theft or identity fraud.

Top 10 Worst Passwords

The following is a list of the most predictable passwords, and should
not be used under any circumstances (Source: pcworld.com):

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

How to Strengthen Your Passwords

Other key findings in the report: it seems that almost 1 in 3 users
choose passwords comprised of six or fewer characters; more than half
use passwords based on only alpha-numeric characters; and almost 50
per cent used variations on their name, popular slang terms, or simple
strings of consecutive characters from the average QWERTY keyboard --
such as 'asdfg'.

Imperva has made several obvious recommendations, suggesting most
users adopt passwords with at least eight characters and to mix those
characters between upper and lower case letters, numbers, and symbols:

Recommendations

Users:

1. Choose a strong password for sites you care for the privacy of the information you
store. Bruce Schneir’s advice is useful: “take a sentence and turn it into a password.
Something like “This little piggy went to market” might become "tlpWENT2m".
That nine-character password won't be in anyone's dictionary.”


2. Use a different password for all sites – even for the ones where privacy isn’t an
issue. To help remember the passwords, again, following Bruce Schneier’s advice is
recommended: “If you can't remember your passwords, write them down and put
the paper in your wallet. But just write the sentence – or better yet – a hint that
will help you remember your sentence.”

3. Never trust a 3rd party with your important passwords (webmail, banking,
medical etc.). If you can’t remember them all, write them down and keep them in your wallet.

Administrators:


1. Enforce strong password policy – if you give the users a choice, it is very likely that
they would choose weak passwords.

2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
3. Make sure passwords are not kept in clear text. Always digest password before
storing to DB.


4. Employ aggressive anti-brute force mechanisms to detect and mitigate brute
force attacks on login credentials. Make these attacks too slowly for any practical
purposes even for shorter passwords. You should actively put obstacles in the way
of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.


5. Employ a password change policy. Trigger the policy either by time or when
suspicion for a compromise arises.


6. Allow and encourage passphrases instead of passwords. Although sentences may
be longer, they may be easier to remember. With added characters, they become
more difficult to break.

Passwords should be simple enough that they won't be too easily
forgotten, but the idea is to make cracking the code virtually
impossible for either an unknown or known hacker.


Comments (Page 1)
4 Pages1 2 3  Last
on Jan 08, 2011

 This can help also.... it is a password strength checker....        

http://www.passwordmeter.com/   ....

on Jan 08, 2011

ZubaZ starts changing all his passwords

Not really.  Of on-line stuff I use LastPass.  I have a very strong pass-phased based logon for that and then I let it generate passwords for me.  I don't know any of my web passwords.

My previeous password policy was jsut to type weak passwords with my unique spelling/typing.  Never got hacked.  

on Jan 08, 2011

My mother uses one password. For everything. Including email, eBay, our router (she made me change it from the randomly-generated alphanumeric string the ISP gave us), and her half of my school web service. I use passwords that are actually made-up words from games, movies, and books- I've recently exhausted the list of enemy creatures in Super Metroid (I try to change passwords pretty quickly) and am now moving into the names of the Ages of D'ni from Myst.

on Jan 08, 2011

Zubaz
Zubaz starts changing all his passwords

Not really.  Of on-line stuff I use LastPass.  I have a very strong pass-phased based logon for that and then I let it generate passwords for me.  I don't know any of my web passwords.

My previeous password policy was jsut to type weak passwords with my unique spelling/typing.  Never got hacked.  

 

Nor understood.

 

and am now moving into the names of the Ages of D'ni from Myst.

I have to admit "Myst" always left me in a bit of a fog.

 

 

 

on Jan 08, 2011

But "Princess" is my nickname!

on Jan 08, 2011

"I have to admit "Myst" always left me in a bit of a fog."

 

Someone hit him, please.....

on Jan 08, 2011

My mother uses one password. For everything. Including email, eBay, our router (she made me change it from the randomly-generated alphanumeric string the ISP gave us), and her half of my school web service. I use passwords that are actually made-up words from games, movies, and books- I've recently exhausted the list of enemy creatures in Super Metroid (I try to change passwords pretty quickly) and am now moving into the names of the Ages of D'ni from Myst.

 

I wish I was half that dedicated.    

on Jan 08, 2011

I use 1 very strong password for every forum and game login (not bank). Remembering 50 passwords is for the birds. I might just try that LastPass. 

on Jan 08, 2011

I wish I was half that dedicated.
It's not that hard, because I use things I personally am familiar with, and the names are pretty short. For instance: http://metroid.wikia.com/wiki/List_of_creatures_in_Super_Metroid - Although nobody would ever guess "Dessgeega", I have a very good idea of what a Dessgeega is and where it is placed on the rotation.

on Jan 08, 2011

To be honest I never use a "Password"

 

on Jan 08, 2011

Scoutdog, you make it sound easy.   And Dessgeega, yup. Guessed that right off. {kidding }

But dedication.. not just knowledge in my case slows me down.

on Jan 08, 2011

My password is a popular phrase from my book. Thirteen characters and has been rated very strong. I use only three. Each one a variation on that theme. Fours years old and never been hacked. Sorry ... make that five years. This is 2011. lol

on Jan 08, 2011

I have four A4 pages of passwords written down for various web sites and services. Typewritten. Different for each, although admittedly many are variations over a theme. They are a mix of alphanumeric upper/lower case, but usually not symbols.

One VERY good reason to not use one password all over was a post from a webmaster, mentioning that an asstard on the forums had been a pain, but had used the same password for other websites as for that one, and had been easy to .... make trouble for.. in other sites. Not all administration systems encrypt passwords for superusers.

 

 

on Jan 08, 2011


"I have to admit "Myst" always left me in a bit of a fog."

 
Someone hit him, please.....

Oh yeah? Who gonna try, huh? 

on Jan 08, 2011

myfist0
I use 1 very strong password for every forum and game login (not bank). Remembering 50 passwords is for the birds. I might just try that LastPass. 

Which is a dangerous practise, want to bet at least half of those sites store your password unencrypted in their database?

4 Pages1 2 3  Last