Ramblings of an old Doc

 

 

According to a report, most users still haven't answered the call by
security experts to implement more robust passwords. In fact, in a
list of the most easy to hack passwords, simply typing '123456' took a
truly forgettable top prize.

Security firm Imperva recently released its list of the passwords most
likely to be hacked based on 32 million instances of successful
hacking. Imperva named their report "Consumer Password Worst
Practices," and some of the entries near the top are truly simple. Here’s a LINK to the report.

 

Worst Password Practices

The top three passwords all included the simple streaming of numbers:
first '123456' followed by '12345' and then '123456789'. Similar
entries reappeared at eight and nine on a top ten list. However, the
fourth most-hacked password was actually just the word 'Password'
followed by 'iloveyou' and 'princess' at spots five and six. (Source:
computerworld.com)

What the report shows is that people still aren't using effective
strategies to protect their sensitive information online. Using these
kinds of passwords to protect your email account or, worse yet,
banking information, could lead to theft or identity fraud.

Top 10 Worst Passwords

The following is a list of the most predictable passwords, and should
not be used under any circumstances (Source: pcworld.com):

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

How to Strengthen Your Passwords

Other key findings in the report: it seems that almost 1 in 3 users
choose passwords comprised of six or fewer characters; more than half
use passwords based on only alpha-numeric characters; and almost 50
per cent used variations on their name, popular slang terms, or simple
strings of consecutive characters from the average QWERTY keyboard --
such as 'asdfg'.

Imperva has made several obvious recommendations, suggesting most
users adopt passwords with at least eight characters and to mix those
characters between upper and lower case letters, numbers, and symbols:

Recommendations

Users:

1. Choose a strong password for sites you care for the privacy of the information you
store. Bruce Schneir’s advice is useful: “take a sentence and turn it into a password.
Something like “This little piggy went to market” might become "tlpWENT2m".
That nine-character password won't be in anyone's dictionary.”


2. Use a different password for all sites – even for the ones where privacy isn’t an
issue. To help remember the passwords, again, following Bruce Schneier’s advice is
recommended: “If you can't remember your passwords, write them down and put
the paper in your wallet. But just write the sentence – or better yet – a hint that
will help you remember your sentence.”

3. Never trust a 3rd party with your important passwords (webmail, banking,
medical etc.). If you can’t remember them all, write them down and keep them in your wallet.

Administrators:


1. Enforce strong password policy – if you give the users a choice, it is very likely that
they would choose weak passwords.

2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
3. Make sure passwords are not kept in clear text. Always digest password before
storing to DB.


4. Employ aggressive anti-brute force mechanisms to detect and mitigate brute
force attacks on login credentials. Make these attacks too slowly for any practical
purposes even for shorter passwords. You should actively put obstacles in the way
of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.


5. Employ a password change policy. Trigger the policy either by time or when
suspicion for a compromise arises.


6. Allow and encourage passphrases instead of passwords. Although sentences may
be longer, they may be easier to remember. With added characters, they become
more difficult to break.

Passwords should be simple enough that they won't be too easily
forgotten, but the idea is to make cracking the code virtually
impossible for either an unknown or known hacker.


Comments (Page 3)
4 Pages1 2 3 4 
on Jan 09, 2011

Most of those make sense to me but I was surprised at "rockyou" being so high on the list. I wonder why that is so popular.

on Jan 09, 2011

Hm. I use a strong one for financial things, but a fairly weak one for everything else (because really, if somebody wants to impersonate me and post on a forum as me, I can just email the admin and nothing of value is lost).

I haven't heard about the 90 day changes being a security risk before.

on Jan 09, 2011

I'm not sure he would consider requiring periodic PW changes (90 day or otherwise) to be a security risk per se, though he argues that doing so almost guarantees, at least certainly invites, insecure behavior such as writing them down and keeping them in insecure places, but he definitely feels doing so is a needless waste of otherwise productive time.  And a source of immense frustration for people needing legitimate access, especially to multiple systems & subsystems on a routine basis.

on Jan 09, 2011

The periodic change thing makes for a lot of unnecessary angst and, quite frankly, not sure I buy into it.

If you have one strong pw >8 letters with upper and lower case, numbers and other doodads/wingdings ... ah well. Why not have two.

My other one is Zubaz. The way he types it.

As for the CAPTCHA text?

I used to think they were talking about J. D. Salinger's book. You know...

"The CAPTCHA in the Rye".

on Jan 10, 2011

Top 10 Passwords You Should Never Use!

 

well yeh now that you went and posted them for everyone to see..

wanders off to change his abc passwrod..

on Jan 10, 2011

How about "iwannastealallyourpizza", HG?

on Jan 10, 2011

You can use this one too. Fashizzleitupyourbutt lol

EDIT: To avoid misunderstanding the above is not directed at anyone. Its just a bunch of words, nothing more. Please don't read anything else into it.

on Jan 10, 2011

I'm acquainted with a gentleman who makes his living consulting nationally & internationally on computer security issues.  He advocates having 2 strong passwords, one for financial transactions and one for everything else, and that is his personal practice.  He also believes forcing employees to change passwords every 90 days, a common practice, is counterproductive and less secure than leaving them alone.  One man's opinion.  YMMV.

Daiwa, that is a man after my own heart!  I use to work at a place where the security folks would require changing the password every 30 days!  Needless to say, what was actually happening was that over 75% of the users had their password written somewhere around their desk.

I actually do follow his advice - kind of.  I have a couple of very strong ones for sensitive sites, and then a couple of strong ones for throw away sites (a throw away site is a news paper, or other site that requires login that does not store any financial information of mine).  Each password is picked from 1 of 2 themes - so you have to guess both themes to get the passwords.

I do favor changing passwords periodically.  But the more often you force them, the less likely someone is to remember them and the less secure they are.120-180 days seems good.  Even a 30 day weak password is going to be hacked in time.  But most sites will lock out an account after several wrong entries, and then you have to know either your secret questions, or click on a link in an email sent to your account (so email is one of the strong passwords since it has the "keys to the kingdom" for most of the rest of your password sites.)

on Jan 10, 2011

I use to work at a place where the security folks would require changing the password every 30 days!

Probably to show the higher ups they're doing something.

 

I do favor changing passwords periodically. But the more often you force them, the less likely someone is to remember them and the less secure they are.120-180 days seems good. Even a 30 day weak password is going to be hacked in time. But most sites will lock out an account after several wrong entries, and then you have to know either your secret questions, or click on a link in an email sent to your account (so email is one of the strong passwords since it has the "keys to the kingdom" for most of the rest of your password sites.)

Actually, if you don't use one of the other schemes or pw keepers/safes, that doesn't sound too bad.

on Jan 11, 2011

DrJBHL
How about "iwannastealallyourpizza", HG?

 

LOL thats the first one people would try that know me.

 

on Jan 11, 2011

my password for everything is 1234.

on Jan 11, 2011

oh crap.

on Jan 11, 2011

heehe

on Jan 11, 2011

I use an Olfactometer to recognize my scent  

on Jan 11, 2011

Really? On the net? You must have a rather....uniquely strong one.

4 Pages1 2 3 4