Monday, January 25, 2010

Same old problem - people won't think

I was both annoyed - as a former IT professional - and saddened - as a retired pastor - to see that the human race hasn't changed much . . . at least, not in terms of computer security.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

. . .

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

There's more at the link. It's well worth reading the full article.

Out of the 32 million passwords stolen, the following were used (in descending order of popularity) by about a million RockYou users.

  1. 123456
  2. 12345
  3. 123456789
  4. password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123
  11. nicole
  12. daniel
  13. babygirl
  14. monkey
  15. jessica
  16. lovely
  17. michael
  18. ashley
  19. 654321
  20. qwerty
  21. iloveu
  22. michelle
  23. 111111
  24. 0
  25. tigger
  26. password1
  27. sunshine
  28. chocolate
  29. anthony
  30. angel

Folks, if you're using a simple, easily-guessed or -hacked password on your social network and/or e-mail accounts, please, please, change it now! There are computer programs out there that can mount a mass attack, trying thousands of passwords in a matter of minutes. The use of easily-guessed passwords like those quoted above makes the job of hackers and cyber-thieves that much simpler.

(I've done what I can to make the lives of cyber-sniffers more difficult if they try to figure out my passwords. Unless they speak Zulu, they won't know where to start . . . and even then, they'd have to know some words that aren't part of the normal introductory Zulu course vocabulary, and combine them in interesting ways. I suspect most Chinese or Russian hackers - who seem to be the most active - won't get very far!)

Dirk said...

There are dozens of sites out there that will help you create a strong password. Use letters, numbers, upper and lower case, and special characters, if you can. If you have a BlackBerry, there's an app on there that you can store all your accounts, URLs, and passwords in - but of course, if you lose it or have it stolen, you expose yourself hugely if you don't have a very strong password for that app!

If you simply must use your wife's name or your anniversary as your password, strengthen it by using upper and lower case letters in it, adding a string of numbers to the end of it, and adding a special character or two. For example:

Instead of "nicole", try "N1c0l3-021403" - It's still easy for you to remember, but I doubt it'll be an easy one to crack.

Don't use words that you could find in a dictionary - unless you jumble them up, combine them in odd ways, use upper/lower case, numbers, and special characters with them. But be logical and thoughtful in how you do it, so you can remember your passwords.

And for WoW players - get an authenticator! Even if you have the best, strongest, most secure password in the known universe, it won't help you if you've managed to get a keylogger installed on your machine, despite your best precautions (which aren't always good enough, no matter how knowledgeable you are). You can buy a physical token for under $10, or you can get a free app for your iPhone, or 99c for your BlackBerry, for most carriers. Well worth the investment.
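As an added example (not from the post, the article, or the comment above), here is the defensive side of the finding in the post: a blocklist check built from the top-30 list quoted above that also normalizes the cheap rewrites people apply to common words (a trailing run of digits or punctuation, as in "password1", and digit-for-letter substitutions such as the "N1c0l3-021403" style suggested in the comment), plus the coverage measure behind the article's "20 percent in the same 5,000" figure. The leet map, the variant rules, and the sample dump are assumptions of this example.

```python
"""Added example: blocklist check plus coverage measure for common passwords.

TOP30 is the list quoted in the post. The variant rules, the leet map and the
sample dump are assumptions of this example, not from the article or comments.
"""
import re
from collections import Counter

TOP30 = """123456 12345 123456789 password iloveyou princess rockyou 1234567
12345678 abc123 nicole daniel babygirl monkey jessica lovely michael ashley
654321 qwerty iloveu michelle 111111 0 tigger password1 sunshine chocolate
anthony angel""".split()
BLOCKED = frozenset(TOP30)  # a real blocklist would hold thousands of entries

# Digit/symbol-for-letter substitutions to undo (assumed set, not from the page).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def variants(pw: str) -> set:
    """Forms under which a submitted password is compared against the list."""
    s = pw.lower()
    bases = {
        s,
        re.sub(r"[\W\d_]+$", "", s),  # drop trailing digits/punctuation: "password1!"
        re.sub(r"\W.*$", "", s),      # drop from the first separator on: "n1c0l3-021403"
    }
    # Each non-empty base is checked as-is and with leet substitutions undone.
    return {b for b in bases if b} | {b.translate(LEET) for b in bases if b}

def is_common(pw: str) -> bool:
    """True if the password, or a cheap rewrite of it, is on the top-30 list."""
    return not variants(pw).isdisjoint(BLOCKED)

def coverage(passwords, top_n: int) -> float:
    """Share of accounts using one of the top_n most frequent passwords; this is
    the measure behind the article's '20 percent in the same 5,000' figure."""
    counts = Counter(passwords)
    return sum(c for _, c in counts.most_common(top_n)) / len(passwords)

# Constructed sample dump standing in for the 32-million-entry RockYou list.
SAMPLE_DUMP = ["123456", "123456", "password", "nicole", "Tr0ub4dor&3",
               "qwerty", "123456", "iloveyou", "xK9#pl", "password"]

if __name__ == "__main__":
    for pw in ["Password1!", "N1c0l3-021403", "P@ssw0rd", "Tr0ub4dor&3"]:
        print(f"{pw:15} common={is_common(pw)}")
    print(f"top-2 coverage of sample: {coverage(SAMPLE_DUMP, 2):.0%}")
```

Run against a real dump, `coverage` reproduces the kind of top-N share Imperva reported; used at signup or password change, `is_common` rejects the whole family of each listed word rather than only its exact spelling.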

Bryn, North Wales, UK said...

There's always Welsh.... :-)

Anonymous said...