There were multiple contributing reasons Martha Coakley lost the recent special election in Massachusetts for the late Ted Kennedy’s Senate seat, and not the least of them was that she made it easy for her opponent.
When it comes to your online security, don’t make it easy for your opponent. On December 4th, the website RockYou.com, which boasts about 32 million users, was breached and its entire user database was stolen. RockYou didn’t acknowledge the intrusion until December 14th. And that was the good news.
The bad news was that all the database entries, including usernames, passwords, and e-mail addresses, were stored in plain text rather than as salted password hashes (talk about making it easy for your opponent), and all this lovely data was subsequently posted on the internet for all to see. How many of you reading this right now use the same password for numerous online sites and services? Perhaps even your bank’s website? The RockYou incident is a textbook example of why you shouldn’t: a plain-text leak from one throwaway site hands an attacker a ready-made list of username, e-mail and password combinations to try everywhere else.
The REALLY bad news to come out of this incident was contained in a research study performed on the stolen database by Imperva, perhaps one of the first times such a large volume of real-world passwords was available to examine. The study clearly shows that users are opening themselves up for attack.
For instance:
The most common password (290,731 users) was “123456.”
Nearly 50% of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
The top 20 unique passwords account for 829,963 of the entries.
The top 10 passwords were 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123.
Less than 4% used any non-alpha numeric characters.
Research like this is enough to give any IT admin grey hair. Why? Let’s take a look at password complexity and how it affects how quickly a given password can be recovered by a brute-force attack. Below are estimates of the time it would take to generate every possible combination of characters for a given password length. The figures work out to roughly one million guesses per second, with “All Characters” meaning the 95 printable ASCII characters (26^3 = 17,576 three-letter lowercase strings take 0.02 seconds; 95^3 = 857,375 take 0.86 seconds). There are many caveats to these figures, from protections on the target side that detect and lock out a brute-force attack in progress, to the speed of the attacker’s computer and connection: an online attack against a site that rate-limits logins is far slower than this, while an offline attack on a stolen database of unsalted, fast hashes on modern hardware is far faster. The point here is the time-to-crack differential between weak and strong passwords, so read the table for its ratios rather than its absolute values.
| Password Length | All Characters (95 printable) | Only Lowercase (26) |
|---|---|---|
| 3 characters | 0.86 seconds | 0.02 seconds |
| 4 characters | 1.36 minutes | 0.46 seconds |
| 5 characters | 2.15 hours | 11.9 seconds |
| 6 characters | 8.51 days | 5.15 minutes |
| 7 characters | 2.21 years | 2.23 hours |
| 8 characters | 2.10 centuries | 2.42 days |
| 9 characters | 20 millennia | 2.07 months |
| 10 characters | 1,899 millennia | 4.48 years |
| 11 characters | 180,365 millennia | 1.16 centuries |
| 12 characters | 17,184,705 millennia | 3.03 millennia |
| 13 characters | 1,627,797,068 millennia | 78.7 millennia |
| 14 characters | 154,640,721,434 millennia | 2,046 millennia |
Think about it:
A four-character password containing only lowercase letters takes well under a second to exhaust.
An eight-character password containing a combination of lowercase and uppercase letters, one number, and one non-alphanumeric character (e.g., !@#$%) could take over two centuries, provided the attacker really has to try the whole 95-character space rather than a wordlist plus a few substitution rules.
Recommendations:
Let’s say you currently use your dog’s name, “spot,” for many passwords. First, add an uppercase letter, substitute a non-alphanumeric character, and append the year the dog was born: “Sp@t2005.” Four lowercase letters have become eight characters drawn from four character classes, which moves you many rows down the table above. Now, if we add a few letters from the name of the site it’s a password for, we have a unique password per site. For instance, one could use “Sp@t2005aao” for Amazon.com or “Sp@t2005bsb” for bestbuy.com. Notice we used every other letter of the site’s name, so the formula isn’t obvious to someone reading it in plain text, as happened in the RockYou.com breach. Two caveats: substitutions such as @ for a or 0 for o, and an appended year, are the first rules any password-cracking tool applies to a wordlist, so a formula password is much stronger than the bare word but weaker than its length and character classes suggest; and if one of these passwords leaks, anyone who spots the pattern can derive your others, so a random, unrelated password per site is stronger still. You can also use an online password tester to see how it rates your new password. Here’s one from Microsoft. (Test a password built the same way, not one you actually use; never type a live password into a third-party site.)
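To make the arithmetic behind the brute-force table concrete, and to put a number on the “formula password” recommendation above, here is an added Python example; it is not code from the original post. It assumes the table’s rate of one million guesses per second and a 95-character printable set. The attacker model in `formula_candidates` (a 10,000-name list, four letter swaps, a 100-year range) is a hypothetical assumption for illustration, not a figure from the post or the Imperva study.

```python
# Added example, not code from the original post.  The rate, charset sizes and
# the attacker assumptions in formula_candidates() are illustrative choices.
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# The post's table works out to about one million guesses per second
# (95^3 = 857,375 candidates in 0.86 s; 26^3 = 17,576 in 0.02 s).
TABLE_RATE = 1_000_000

PRINTABLE = 95   # printable ASCII: letters, digits, punctuation, space
LOWERCASE = 26


def exhaustive_seconds(charset_size, length, rate=TABLE_RATE):
    """Seconds to try every string of exactly `length` characters."""
    return charset_size ** length / rate


def entropy_bits(charset_size, length):
    """Search-space size expressed in bits (log2 of the candidate count)."""
    return length * log2(charset_size)


def humanize(seconds):
    """Render a duration in the units the post's table uses."""
    units = [
        ("millennia", 1000 * SECONDS_PER_YEAR),
        ("centuries", 100 * SECONDS_PER_YEAR),
        ("years", SECONDS_PER_YEAR),
        ("months", SECONDS_PER_YEAR / 12),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def formula_candidates(names=10_000, swaps=4, years=100):
    """Candidates an attacker must try for a 'Name + letter swaps + year' password.

    Hypothetical attacker model (assumption, not measured): a list of `names`
    pet/first names, each tried as typed and capitalised (x2); `swaps` common
    substitutions such as a->@, o->0, e->3, i->1, each independently on or
    off (2**swaps); and each of `years` four-digit years appended.
    """
    return names * 2 * (2 ** swaps) * years


def formula_seconds(rate=TABLE_RATE, **kwargs):
    """Time to exhaust the formula space at `rate` guesses per second."""
    return formula_candidates(**kwargs) / rate


def build_table(lengths=range(3, 15), rate=TABLE_RATE):
    """Recompute the post's table as (length, all-printable, lowercase-only)."""
    return [
        (n,
         humanize(exhaustive_seconds(PRINTABLE, n, rate)),
         humanize(exhaustive_seconds(LOWERCASE, n, rate)))
        for n in lengths
    ]


if __name__ == "__main__":
    print(f"{'len':>3}  {'all printable':>28}  {'lowercase only':>20}")
    for n, all_chars, lower in build_table():
        print(f"{n:>3}  {all_chars:>28}  {lower:>20}")
    # "Sp@t2005" is 8 characters from a 95-character set: 95^8 candidates by
    # pure brute force, but only the formula space if the attacker guesses
    # the construction and runs wordlist + rules instead.
    print("8 printable chars, exhaustive: ",
          humanize(exhaustive_seconds(PRINTABLE, 8)),
          f"({entropy_bits(PRINTABLE, 8):.1f} bits)")
    print("name + swaps + year, rule-based:",
          humanize(formula_seconds()),
          f"({log2(formula_candidates()):.1f} bits)")
```

Run as a script it reprints the table and then the comparison that matters for the recommendation: the same eight characters are “2.10 centuries” under exhaustive search but about 32 seconds under the hypothetical wordlist-plus-rules model, because the attacker is searching a space of roughly 25 bits instead of 52.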
Conclusions:
Don’t use simple passwords. Use upper and lower case letters, numbers, and at least one non-alphanumeric character, and make the password long: every extra character multiplies the search space.
Don’t use the same password for multiple websites and services.
Don’t save your passwords in your browser. Doing so stores them on your own computer (hopefully encrypted), which opens another avenue of attack, and typing a password in repeatedly helps you remember it.
Don’t make it easy for your opponent. While policing your personal online security may be about as much fun as standing outside Fenway Park in December shaking hands in the cold, just like a seat in the United States Senate, it’s important. Being proactive with your own security will take a lot less time and effort than trying to repair the damage done after the fact.
Update – Most consumers (73%) reuse banking passwords on another site:
“Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website. Even worse, around half (47 per cent) use the same online banking username and password for other website logins… This dismal password security practice means that if cybercrooks trick a user into giving away his login credentials for a social networking site, for example, they stand a very good chance of getting into webmail and online banking accounts for the same person, potentially bringing about crippling financial losses as a result.”