- by Chad "Dream" Weaver
It has finally come to the time where I can no longer stay silent on this topic: the Gawker hack. I am not even really concerned with the hack itself, which has been covered enough in the news, or even that there were users using the same password at multiple sites. I can say that I use a different password at every site that I use, but I do this for a living and can understand that using secure passwords for every site can become harder to manage. That isn't the cause for this rant; today I saw something much, much more disconcerting, something that shocked me to the very core of my IT Support loving self. Today I saw the most common passwords that were in use by large numbers of users, and it was shocking.
I think before I go into the specifics, there was a similar breach of users' information from the service Rockyou.com where the most common passwords in use were revealed. Now, considering how public this information was, you would think we would learn from our mistakes. How wrong I was, how utterly wrong I was. One of the top passwords in use at Rockyou was 123456. Can you guess whether that's up there on this list too? If you are reading this and you are using this password anywhere, please, I beg of you, change it right now. You can finish reading this in a couple of minutes, please! Ok, enough pleading, drum roll please.
- password (No caps)
- passw0rd (Seriously, not any better you are not fooling anyone)
- 123456 (Any combination of keys in a row is not secure)
- qwerty (This is no better than 123456)
- lifehack (lifehacker.com was one of the included hacked sites)
- letmein (I love this one)
- monkey (Any word found in the dictionary shouldn’t even be considered and adding the #1 to the end doesn’t cut it either)
- cheese (same as above but so quirky I had to mention it, plus I do love cheese just not for a password)
- 11111 (This isn’t even trying)
My comments may seem a little harsh, but this isn't 1999, where the internet is a novelty invented by Al Gore. Our lives are run on there now: our bills are paid there, and information you would want no one else to ever have access to, but want at your fingertips, is there. Passwords like the ones above are like leaving the keys in the car with the window open and the engine running. When you come back the car might still be there, but do this enough and some day you will come back to find it gone. And just like the car analogy, it could have been prevented had you taken some simple steps, perhaps removing the keys from the ignition and locking the car door. It is the same for password security: I know it is hard to keep all of your passwords straight, but there is no excuse for these kinds of passwords, none.
One of the easiest ways to come up with a secure password is to use a phrase, something that means something only to you, and to mix it up to make an air-tight password. Some things to consider: if it's a word in the dictionary, just don't use it, ever; adding a number or two on the end of it doesn't count either. Think up a phrase like "I have a large brown dog, his name is Rex". I just made that up, but for example it could be used to make a password like 1H@lBdhnIR!. This is a secure password that, while meaning something to its creator, is near impossible to break through any means. There are even services that can do all this for you. One website to consider is Lastpass.com: it keeps a password list for you on their secure website, you will still need one secure master password to access your info, and it also includes browser add-ons that can enter the passwords for you.
It is something to check out if you have trouble with keeping it all straight. Trigon prides itself on being a secure company and we help our clients do the same. Be sure to contact us if you would like a hand.
To see part one of this blog, read An In Depth Look At Password Security - Part 1
To verify that people are ultimately lazy with passwords, and think their accounts will never be hacked, I did my own limited survey of password use. I asked co-workers, client users, family, and friends if they used any variation of the 123456 password, names, slang, important dates, or dictionary words. I found that those not in the IT Support field used names and dates as passwords; I even had one person admit to using 123456. Those in the IT field mostly used names with numbers, capitals, and non-standard characters or substitutions. Only two people indicated they used abbreviated phrase-based passwords (more on that later). So even in my Monkey Sphere (look it up if you don't know this) I found people taking the easy way.
Those of us in the IT Services field know how to fix this: use the technology provided to restrict the use of simple passwords and require more complex ones, and train users.
The report also references NASA's password policies. I took a look around the internet and found a FAQ from NASA about their password policy, and found that they apply the following criteria:
- The password must have a minimum of 12 characters.
- The password must contain at least one character from at least three of the four following sets of characters:
  - Uppercase letters (A, B, C, etc.)
  - Lowercase letters (a, b, c, etc.)
  - Special characters (~, !, @, #, $, etc.)
  - Numbers (1, 2, 3, etc.)
- You may not reuse any of your previous 24 passwords.
- Password changes are set for every 60 days (that's up to four years until you get to use the same password again).
WOW! That is restrictive! I love it, and I know the average user would hate it. Do you think this would be acceptable at your average client? Probably not.
One tactic that both the report and NASA brought up was using password phrases. I have switched over to these recently and it is very easy to remember passwords based on this.
Basically it goes like this:
Take a sentence and turn it into a password. For example, "Passwords should be complex and hard to hack" might become pwSbc@h2h, a nine-character password that is not in the dictionary. Picking a sentence that is easy to remember and using substitution, capitalization, and maybe a random character will make a strong password (write that down in your IT Security notes).
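As an added example (not code from the post or from Trigon), here is a small Python checker that applies the NASA criteria quoted above (12-character minimum, three of four character classes) together with a blocklist of the common passwords listed earlier on this page and a test for the repeated or keyboard-adjacent runs behind 123456, qwerty and 11111. The leet-speak substitution table, the four-character run length and the sample passwords in the comments are assumptions of this example, not part of NASA's policy.

```python
import re
import string

# Passwords the post lists as the most common in the Gawker dump.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "lifehack",
                    "letmein", "monkey", "cheese", "11111"}

# Assumed digit/symbol-for-letter substitutions so "passw0rd" still matches "password".
LEET = str.maketrans("0134@$5", "oleaass")

# Keyboard rows used to spot "adjacent keyboard keys" sequences such as qwerty,
# plus digit and alphabet order for runs such as 1234 or abcd.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                 string.digits, string.ascii_lowercase]


def has_trivial_run(pw, length=4):
    """True if pw contains `length` repeated or adjacent characters in a row."""
    low = pw.lower()
    if re.search(r"(.)\1{%d,}" % (length - 1), low):   # 1111, aaaa
        return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seq = row[i:i + length]
            if seq in low or seq[::-1] in low:          # 1234, 4321, qwer
                return True
    return False


def check_policy(pw):
    """Return a list of policy failures; an empty list means the password passes.

    Length and character-class rules are NASA's as quoted in the post; the
    blocklist and trivial-run rules cover the weak choices the post lists.
    """
    failures = []
    if len(pw) < 12:
        failures.append("shorter than 12 characters")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        failures.append("fewer than 3 of the 4 character classes")
    low = pw.lower()
    if low in COMMON_PASSWORDS or low.translate(LEET) in COMMON_PASSWORDS:
        failures.append("on the common-password list")
    if has_trivial_run(pw):
        failures.append("contains a repeated or keyboard-adjacent run")
    return failures
```

Run against the page's own passphrase-derived examples, 1H@lBdhnIR! (11 characters) and pwSbc@h2h (9 characters), the checker passes every rule except NASA's 12-character minimum, so a passphrase needs a few more words before it satisfies that policy.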
All this is not new information to anyone in IT. But it could be new information to users who just don't know better or who are new to the work force. It is our responsibility to provide not only the restrictions that make sure passwords are strong, but also the training so users can understand why we have fits when we find passwords like 123456.
I can hear you all say "You can lead a horse to water, but you can't make it drink". Well I say, if the password complexity restrictions are leading the horse (the user) to the water, the training will be me pouring the water over the horse... eventually some water will get into the horse.
If you're located in the Philadelphia area and you were interested in the tips and information in this article, call Trigon, a Philadelphia IT Support company that can help you with IT Security and other IT problems through our PinnacleCare Managed Services Program!
I recently came across a report on password security that was... well... disturbing. Especially since I work in IT Support.
The report was conducted by Imperva and can be found here.
The report was based on a password study of 32 million passwords, yes, 32,000,000. Let's put that number into perspective, because it is a large number. If each person in NY City had one password, 32 million passwords would be 3.8 NY Cities! A more local comparison, applying the same criteria to the city of Philadelphia, works out to 20.7 Philadelphias!
The passwords were from a hacker who obtained them and posted them in clear text on the internet. Imperva points out that this is a rare opportunity to get actual passwords to study, most password studies are conducted via surveys not actual data. This is the raw data they got to study, not coy answers from people.
The study produced several key findings:
- About 30% of the users chose passwords with lengths equal to or below six characters.
  - Let me do the math for you: 30% of 32 million passwords is 9.6 million passwords. That is everyone in NY City and some of the surrounding areas all having a single insecure password of six or fewer characters.
- Almost 60% of the users chose passwords from a limited set of alpha-numeric characters.
  - Read: variations of 123456. Again, I can do the math for you: it works out to 19.2 million passwords. That is everyone in NY City and some of the surrounding areas, times two!
- Nearly 50% of the users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
  - That means 16 million of those passwords were based on patterns that can easily be discovered through brute force attacks.
- These results, compared to another password breach 10 years ago that provided a large number of passwords to be studied and to a 1990 Unix password study, show there has been little improvement in users' selection of passwords. The same issues found in the 2009 study are also in the 1999 and 1990 studies.
Why did I find all this disturbing? Well, it shows something we all know is true, but never at this scale. People are lazy, particularly lazy with passwords. If you let them, they will always choose the simple password that is easy to remember rather than some obtuse password that is secure. No matter how often they hear about accounts getting hacked, they seem to take the "it won't happen to me" and "remembering is hard" viewpoints.
Be sure to check out Part 2 of this blog later this week! If you need further information on IT Services or IT Security, feel free to contact Trigon!