Blog posts tagged passwords

Are you using one of the world's worst passwords?

Here's a list that might jolt you out of complacency if you're a bit lax when it comes to choosing and changing passwords.

SplashData, a leading provider of password management solutions, has put together a list of the 2012's worst passwords.

The list was compiled by analysing millions of compromised passwords that were posted online by hackers, and identifying the most common. It contains few surprises, but certainly underlines that we can all be far too slapdash when securing our online accounts.

Here are the top 10 worst passwords of 2012:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball

See any passwords you recognise? Change them, now. Because if you don't, it'll be child's play for a hacker to get in to your account.

Remember: the strongest passwords are as long as possible and use upper and lower-case letters, numbers and symbols. I like to choose a song lyric, take the first letters and then substitute in symbols and numbers where they're easy to remember.

For instance, the Rolling Stones' classic lines You can't always get what you want / But if you try sometimes you just might find can become:

• YcagwywB1yt$yjmf

See five other ways to create strong passwords you can remember >>

Friday Donut tip: generate unique, memorable passwords for any website

Passwords and website security breaches seem to be in the news constantly. Yet people still insist that passwords are generally a nuisance, and would rather have simple ones or use the same one for every website.

But that's risky. Having just one of those passwords revealed could potentially allow an attacker to access many of your other online accounts.

One really simple way to ensure you have a unique password is to use the name of the website in the password itself.

Come up with a password (or better yet, a passphrase) that you will remember. For example:

Ilikepineapples

That will be the base for your other passwords. For your Google account, you would use the password:

IlikepineapplesGoog

For your YouTube account you would use:

IlikepineapplesYout

Easy! You can obviously make the passwords as complex as you like, using numbers, symbols and both upper and lowercase letters.

NB: I would recommend including numbers, symbols and capitals in your password. I didn't here for simplicity.

Previous Friday Donut tips:

• How to change text capitalisation
• Easier ways to stay focused while you work
• Useful keyboard shortcuts

How hackers target your passwords

When you enter a gym’s locker room, there are hundreds of lockers. Each has its own combination lock. Without giving it too much thought, you open your locker using the combination only you know, which is the same combination you provided when you signed up at the gym.

Similarly, a password is a shared secret between a user and a service. When the user wants to connect to the service, they identify themselves with their username and prove that identity with the password.

The service checks the password. If it matches, the user is allowed to access the service.

We can think of the service as the locker, the username as the locker’s number and the password as the lock’s combination.

Problems occur, of course, if someone else has your combination. It could be that you use a very popular combination, or someone saw you using the same combination on your bag.

Alternatively, it could be that someone broke into the gym and saw the list of locks and combinations. Let’s take a look at these aspects in the virtual world.  

How hackers break your passwords

On the internet, some passwords are more common than others. Hackers use lists of the most common passwords to increase their chance of guessing a user’s password quickly. The hacker tools used to guess these passwords are called crackers. Two types of crackers exist - online and offline:

• Online crackers use trial and error to break into a service, testing different passwords until the right one is found. The speed at which they can test passwords is limited by the speed at which the service accepts and handles requests. In many cases, online crackers can only try a few passwords because most services lock accounts after a certain number of incorrect passwords have been entered.
• Offline crackers are used when passwords are stolen from an online service, but are stored in a digested format. This means the service stores a mathematical transformation of the password rather than the password itself – it’s an extra security precaution.  An offline cracker repeatedly chooses different passwords, transforms them to their digested format and compares them to the list. Offline crackers can run incredibly fast, depending on the power of the computer running the cracker.

To reduce the effectiveness of offline crackers, many services add a step to the process called salting. Using a salt, a different digest is created each time, even if the password is the same. So although salted passwords are not completely hack-proof, they’re much harder to guess.

How to secure passwords in your business

So, that’s how passwords get cracked. Now, how do you stop that happening to your business?

On an individual level, always use strong passwords – and don’t use the same password on different websites. Think about what information the password is protecting. You want a really strong one for your online banking, PayPal and other online services you consider sensitive.

Use a really strong password for your email too, as getting access here can allow a hacker to wreak havoc by resetting your passwords on lots of other sites.

In your business, it’s important to realise that you can’t trust your users to choose strong passwords themselves. If you give them the choice, they’ll simply choose weak passwords.  In fact, two years ago a database containing 32 million passwords was leaked to the web. Analysis of these passwords showed that 20% of users chose the same passwords from a pool of 5,000 words.

It’s up to you – or your IT administrator - to keep the passwords secure. Here’s how

• Enforce strong password policies. Force passwords to have a minimum length, ban common passwords and require a mix of characters (digits, letters, uppercase, lowercase, etc).
• Make sure passwords are not transmitted in the clear. Passwords are vulnerable to interception if they’re transmitted across networks or the internet. Always use encryption, or use a technique that ensures the password itself never travels through the network.
• Don’t store passwords in plain text. Doing so means that if a hacker breaks into your systems, they can just grab and make off with your passwords. Salt and digest a password before storing to the database.
• Detect and block brute force attacks. Put obstacles in the way to stop online crackers trying lots of different passwords for user accounts. Use CAPTCHAs and restrict the number of times people can retry their passwords.
• Force people to change passwords regularly. Many businesses require users to change passwords every couple of months, or when they suspect an account has been compromised.
• Allow and encourage passphrases instead of passwords. That means using sentences instead of passwords. Although that may be longer, they’re easier to remember. And because they’re longer, they’re more difficult to break.

Implementing many of these precautions will require help from your IT staff or IT supplier. But if you’re going to maintain the security of your systems and website, it’s vital you think carefully about enforcing a strong password policy.

• When did you last change your password?
• Five key website security checks
• Keeping your data safe

Noa Bar-Yosef is Senior Security Strategist at Imperva.