Zero Day

Ryan Naraine and Dancho Danchev

And the most popular password is...

By Dancho Danchev | January 21, 2010, 5:14pm PST

Summary

An analysis of 32 million passwords exposed in last month’s RockYou.com server breach shows that millions of people continue to use weak passwords.

Blogger Info

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

It is “123456”, according to Imperva’s analysis of the 32 million passwords exposed in last month’s RockYou.com server breach, a sample large enough for the researchers to examine the insecure practices millions of users follow when choosing their passwords.

What did the analysis conclude? Short passwords, no mix of lower-case, upper-case and numeric characters, and trivial dictionary words, all of which any decent brute-forcing or password-recovery tool recovers in a matter of minutes.

Key findings include:

  • In just 110 attempts, an attacker will typically gain access to one new account, which works out to one account every second, or a mere 17 minutes to break into 1,000 accounts
  • About 30% of users chose passwords of six characters or fewer
  • Moreover, almost 60% of users chose their passwords from a limited set of alphanumeric characters
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among RockYou.com account holders is “123456”

The rest of the passwords, ranked by popularity:

It is worth pointing out that the same password, “123456”, also topped a similar chart based on the statistical analysis of 10,000 Hotmail passwords published in October 2009.
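To show how figures like the ones above are produced, here is an added example in Python; it is not part of the post or of Imperva's report. It classifies a leaked plaintext dump into the three categories the findings use (short, limited character set, trivial) and measures how many accounts a short guess list opens, which is the mechanism behind the "110 attempts" figure. The dump, the wordlists, the keyboard runs and the leet-substitution table are constructed and deliberately tiny (a real audit substitutes full wordlists), and reading "limited set of alphanumeric characters" as lower-case letters plus digits is my assumption.

```python
# Added example (not from Imperva's report or the post): a small audit that
# computes the kind of statistics cited above over a leaked plaintext dump.
# The dump, wordlists and keyboard runs below are constructed stand-ins, far
# smaller than what a real cracker (or auditor) would use.
import string
from collections import Counter

SAMPLE_DUMP = [  # constructed, not real RockYou data
    "123456", "123456", "123456", "12345", "password", "iloveyou", "princess",
    "rockyou", "1234567", "abc123", "qwerty", "Nicole", "daniel", "babygirl",
    "monkey", "654321", "1qaz2wsx", "2010", "jessica", "lovely", "michael",
    "P@ssw0rd", "blue1987", "hockey99", "summer2009",
    "Tr0ub4dor&3", "correct horse battery", "J7$kq!p2Lm",
]

COMMON_WORDS = {"password", "princess", "monkey", "lovely", "iloveyou",
                "rockyou", "babygirl", "abc123"}          # assumed tiny wordlist
NAMES = {"nicole", "daniel", "jessica", "michael"}        # assumed tiny name list
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1qaz", "2wsx")
LEET = str.maketrans("@0134$!", "aoieasi")                # undo common substitutions


def is_consecutive_digits(pw: str) -> bool:
    """'123456', '654321', '12345' ...: digits stepping by +1 or -1 throughout."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def is_year(pw: str) -> bool:
    return pw.isdigit() and len(pw) == 4 and 1900 <= int(pw) <= 2030


def is_trivial(pw: str) -> bool:
    """Names, dictionary words (also leet-mangled), keyboard runs, digit runs, years."""
    if len(set(pw)) == 1 or is_consecutive_digits(pw) or is_year(pw):
        return True
    low = pw.lower()
    for cand in (low, low.translate(LEET)):
        if cand in COMMON_WORDS or cand in NAMES:
            return True
        if any(run in cand for run in KEYBOARD_RUNS):
            return True
    return False


def char_classes(pw: str) -> set:
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def audit(dump):
    """Percentages in the same three categories the analysis reports, plus the top list."""
    n = len(dump)
    short = sum(len(pw) <= 6 for pw in dump)
    # "limited set of alphanumeric characters" read here as lower-case letters and digits only
    limited = sum(char_classes(pw) <= {"lower", "digit"} for pw in dump)
    trivial = sum(is_trivial(pw) for pw in dump)
    return {
        "accounts": n,
        "short_pct": round(100 * short / n, 1),
        "limited_charset_pct": round(100 * limited / n, 1),
        "trivial_pct": round(100 * trivial / n, 1),
        "top": Counter(dump).most_common(5),
    }


def guess_list_yield(dump, guesses):
    """How an online attacker profits from popularity: try the same short guess list
    against every account and count how many fall. Returns (accounts_opened, fraction)."""
    hits = sum(pw in guesses for pw in dump)
    return hits, hits / len(dump)


if __name__ == "__main__":
    stats = audit(SAMPLE_DUMP)
    print(stats)
    top10 = {pw for pw, _ in Counter(SAMPLE_DUMP).most_common(10)}
    print(guess_list_yield(SAMPLE_DUMP, top10))
```

Because the wordlists are tiny, the trivial-password count undercounts on anything but this sample; the classification logic is what carries over, and `guess_list_yield` is the number that matters to an attacker who is rate-limited per account but not per guess list.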

What could RockYou have done to prevent this systematic practice of letting end users register with weak passwords?

Enforce stronger passwords as a long-term strategy, or borrow a short-term trick such as Twitter’s “banned passwords” list: 370 passwords that are refused during registration, with “123456” at the top of the list.

Password policy is only half of the problem. The 32 million passwords were stored unencrypted, in plaintext, according to RockYou.com’s announcement. Even had they been hashed, letting users register with such weak passwords means that whoever gains access to the database can brute-force a large share of them in a very short time.
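The two controls just described, a registration-time check with a banned-password list and salted, iterated hashing instead of plaintext storage, as an added Python example. This is not RockYou's code and does not reproduce Twitter's 370-entry list; the banned set, the minimum length and the short attacker wordlist are constructed for illustration. The last function runs the offline dictionary attack the paragraph above warns about, to show that hashing protects the strong password but not a password that sits at the top of every wordlist.

```python
# Added example, not RockYou's code or Twitter's actual list: a registration
# check with a banned-password list, salted PBKDF2 storage instead of plaintext,
# and the offline dictionary attack that still works against a hashed weak password.
import hashlib
import hmac
import os

# Constructed excerpt standing in for a banned-passwords list (assumed; Twitter's
# 370-entry list is not reproduced here).
BANNED = {"123456", "12345", "123456789", "password", "password1", "iloveyou",
          "princess", "rockyou", "qwerty", "abc123", "letmein"}
MIN_LENGTH = 8

# Constructed short wordlist an attacker would try first (stands in for the
# popularity chart; in practice it is the entire leaked dump of some other site).
WORDLIST = ["123456", "12345", "123456789", "password", "iloveyou",
            "princess", "rockyou", "1234567", "12345678", "abc123"]


def check_registration_password(pw: str):
    """Return None when the password is acceptable, otherwise the reason it is not."""
    if len(pw) < MIN_LENGTH:
        return "too short"
    if pw.lower() in BANNED:
        return "banned password"
    if pw.isdigit():
        return "digits only"
    return None


def hash_password(pw: str, salt=None, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The record holds everything
    needed to verify and nothing that lets an admin read the password back."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, record: str) -> bool:
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def dictionary_attack(record: str, wordlist):
    """Offline guessing against one stolen record. The salt defeats precomputed
    tables and the iteration count makes every guess cost ~100k hashes, but a
    password at the top of every wordlist still falls after a handful of guesses.
    Returns (password_found_or_None, attempts_made)."""
    for attempts, guess in enumerate(wordlist, 1):
        if verify_password(guess, record):
            return guess, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    for pw in ("123456", "iloveyou", "12345678", "correct horse battery"):
        print(pw, "->", check_registration_password(pw) or "accepted")
    for pw in ("123456", "J7$kq!p2Lm"):
        print(pw, "->", dictionary_attack(hash_password(pw), WORDLIST))
```

The registration check and the storage format are independent: the check keeps the top of the wordlist out of the database, the hash makes each remaining guess expensive, and only together do they turn "minutes per account" into a cost the attacker has to pay per user.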

Consider going through the recommendations offered in the analysis, but keep in mind that a strong password is just as weak as a weak one if you are logging in from a malware-infected computer: the malware captures whatever you type.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback (most recent of 108 comments)

  • Epic Fail
    Admins need to better monitor passwords. Users who pick something like this need to be reprimanded or re-trained.
    NStalnecker
    (Edited: 01/21/2010 06:36 PM)
  • That's Amazing!!!
    "I've got the same combination on my luggage!!!"

    President Skroob - Spaceballs, The Movie
    JLHenry
    (Edited: 01/21/2010 07:13 PM)
  • that's !
    Exactly what I thought when I saw it...

    and followed by Dark Helmet's first reply about this password:

    "123456! That's a password idiots use to protect their luggage!"
    Ceridan
    01/25/2010 05:26 AM
  • I liked . . .
    the look they gave him when he said that about his luggage . . .
    JLHenry
    01/25/2010 07:01 AM
  • No.
    Problem 1)
    Complete waste of resources; much better to let natural selection run its course.

    Problem 2)
    The passwords shouldn't be stored in plain text where the admin (or attackers) can view them. That is a horrible design flaw. They should be stored as salted hashes.
    AzuMao
    01/21/2010 08:27 PM
  • Totally agree
    Passwords should NEVER be stored in a retrievable format. They should always be salted with something (persistent) from the user's account and something app-specific.

    Admins MUST NEVER be allowed to retrieve users' passwords.

    Even draconian lameness filters will be circumvented. I bet those who came up with 654321 thought they were being really smart. A seemingly strong password like 1qaz@WSX may pass a lameness filter. But look at your keyboard and how those letters are arranged. Crackers know this.

    The core of this problem is passwords themselves. We need a better two-factor system (something you know and something you have) and we need federated and anonymized access.
    honeymonster
    01/22/2010 12:09 AM
  • ssh (disable passwords) use keys
    with pass-phrase and be done with servers.

    Change the port from 22 to another high-level port number.

    People go away once they find out you know how to secure systems.

    Also, when you use secure email server software other than MS, you enforce strict passwords and force them to expire and not be re-used.
    Use_More_OIL_NOW
    01/24/2010 08:37 PM
  • If you run your own mail server, and do so only for your own use, sure.
    But how can anyone else use it if they don't know what port you're running it on? If all mail servers did this nobody would
    be able to use email.
    AzuMao
    01/25/2010 12:24 AM
  • It might work at LANL, but not most places.
    Most businesses wont support the added confusion and there are downsides in addition to that as well, see some of the comments below.
    bernalillo
    01/25/2010 10:12 AM
  • Other than MS?
    AD and Exchange have very good tools to enforce strict password selection. I know because users complain how hard it is to pick a password.
    A.Sinic
    01/26/2010 03:37 AM
  • Make passwords simpler
    Best thing is allow simple passwords with an extremely short lockout time. So you could have a password of Cat and 3 attempts. Sure it's easy to crack if you have unlimited attempts, but if the account locks after you try 3 times the chances of you guessing Cat in the first 3 times are near impossible. Users with a password as simple as Cat wouldn't forget it, would be unlikely to mistype it and would not trigger the 3-attempt lockout. If you see accounts getting locked out all the time you have a sure-fire alert that something is going on that shouldn't be.

    Tack on a token and fingerprint to this short password and it's even better.
    voska1
    01/25/2010 09:34 AM
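The mechanism this comment describes, a per-account failure counter with a short lockout and an alert when lockouts spike, as an added Python example; it is not the commenter's code. The login events, usernames and addresses are constructed. The replay also shows the cost the comment does not mention: while "bob" is locked, the real owner with the right password is refused too, so a hard lockout hands anyone who knows a username a way to deny that user service, which is why production systems usually pair it with per-source rate limiting rather than relying on it alone.

```python
# Added example (not the commenter's code): a 3-strikes lockout replayed over
# constructed login events, plus the "many lockouts in a short window" alert.
from collections import Counter, defaultdict

# Constructed events: (timestamp_seconds, username, source_ip, password_correct)
EVENTS = [
    (0, "alice", "198.51.100.4", False), (5, "alice", "198.51.100.4", False),
    (9, "alice", "198.51.100.4", True),          # two typos, then success: no lockout
    (100, "bob", "203.0.113.7", False), (101, "bob", "203.0.113.7", False),
    (102, "bob", "203.0.113.7", False),          # third failure locks bob
    (103, "carol", "203.0.113.7", False), (104, "carol", "203.0.113.7", False),
    (105, "carol", "203.0.113.7", False),
    (106, "dave", "203.0.113.7", False), (107, "dave", "203.0.113.7", False),
    (108, "dave", "203.0.113.7", False),
    (200, "bob", "198.51.100.9", True),          # real bob, right password, still refused
    (1100, "bob", "198.51.100.9", True),         # lockout expired, accepted
]


class LockoutPolicy:
    def __init__(self, max_failures=3, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.locked_until = {}             # user -> timestamp the lock expires
        self.lockouts = []                 # (ts, user, ip) audit trail

    def attempt(self, ts, user, ip, password_correct):
        if self.locked_until.get(user, 0) > ts:
            return "locked"                # refused regardless of the password
        if password_correct:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = ts + self.lockout_seconds
            self.lockouts.append((ts, user, ip))
            return "lockout"
        return "denied"


def replay(events, **policy_args):
    """Run the events through a fresh policy; returns (policy, outcome per event)."""
    policy = LockoutPolicy(**policy_args)
    return policy, [policy.attempt(*e) for e in events]


def lockout_alerts(lockouts, window=600, threshold=3):
    """Alert when at least `threshold` distinct accounts are locked within one
    `window`: the spike the comment calls a sure-fire sign, with the source IP
    most involved so the responder knows what to block."""
    buckets = defaultdict(list)
    for ts, user, ip in lockouts:
        buckets[ts // window * window].append((user, ip))
    alerts = []
    for start in sorted(buckets):
        entries = buckets[start]
        if len({u for u, _ in entries}) >= threshold:
            top_ip, _ = Counter(ip for _, ip in entries).most_common(1)[0]
            alerts.append((start, len(entries), top_ip))
    return alerts


if __name__ == "__main__":
    policy, outcomes = replay(EVENTS)
    for (ts, user, ip, _), outcome in zip(EVENTS, outcomes):
        print(f"{ts:5d} {user:6s} {ip:14s} {outcome}")
    print("alerts:", lockout_alerts(policy.lockouts))
```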
  • Natural selection is for nature
    You can't let "natural selection" take its course when you're running a business. Yes, the users in question might be idiots, but guess whose neck is on the line if their accounts get hacked? Part of the reason that admins need to care about this is because if they don't have the proper password policies in place, they'll get blamed when their systems are hacked. (There's a certain amount of justice to this, since it is the admins' systems.)
    bhartman36
    01/26/2010 05:30 AM
  • That would be like..
    ..blaming Ford if my car got stolen because they didn't force me to lock the door, or if I got into an accident because they didn't force me to obey the speed limit. Absolutely ridiculous.
    AzuMao
    01/26/2010 06:29 PM
  • Not a great analogy on your part.
    The question is, how good is the lock?

    Remember: These people did lock the door, so to speak. It's not like they don't have passwords. What happens here is more akin to jimmying open a car door with a slim jim (lockout tool), or, more crudely, breaking the window to get to the lock. It's not reasonable to blame users if they're going by your password requirements. But it is reasonable to be blamed by users if the specs you set for passwords don't keep them secure. It'd certainly be nice if users knew more about security, but it's hardly reasonable to expect them to know more than the admins who set the password requirements.
    bhartman36
    01/27/2010 04:29 PM
