Quotulatiousness

January 21, 2010

And yet more on passwords

Filed under: Technology — Nicholas @ 13:11

This is becoming a quarterly topic around here. Imperva has done some statistical analysis of the 32 million passwords which were exposed in the Rockyou.com security breach:

Key findings of the study include:

* The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”

* Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.

* Recommendations for users and administrators for choosing strong passwords.

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Imperva’s CTO Amichai Shulman.

The report identifies the most commonly used passwords:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

So there you go — all the tools you need to be a world-class password cracker.
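The weakness classes the Imperva findings describe, as an added example that is not from the post or from Imperva's report: a small defender-side audit that labels a password as common (using the top-ten list reproduced above), short, consecutive digits, a keyboard walk, or letters-only. It assumes a US QWERTY layout for the keyboard-walk check and an eight-character minimum as an illustrative policy value; neither comes from the report.

```python
# Added example (not Imperva's code). Labels passwords with the weakness
# classes the findings describe. COMMON_PASSWORDS is the post's top-ten list;
# KEYBOARD_ROWS (US QWERTY) and MIN_LENGTH are assumptions, not report values.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8

def is_consecutive_digits(pw):
    """True for all-digit runs that step by +1 or -1 (123456, 654321)."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})

def is_keyboard_walk(pw):
    """True when the whole password sits on one keyboard row, either direction."""
    low = pw.lower()
    if len(low) < 3:
        return False
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)

def classify(pw):
    """Return the weakness labels that apply to pw; an empty list means none."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if len(pw) < MIN_LENGTH:
        reasons.append("short")
    if is_consecutive_digits(pw):
        reasons.append("consecutive-digits")
    if is_keyboard_walk(pw):
        reasons.append("keyboard-walk")
    if pw.isalpha():
        reasons.append("letters-only")  # crude proxy for a dictionary or slang word
    return reasons

def weak_fraction(passwords):
    """Share of the supplied passwords that trip at least one check."""
    if not passwords:
        return 0.0
    return sum(1 for pw in passwords if classify(pw)) / len(passwords)

if __name__ == "__main__":
    # Constructed sample for illustration, not breach data.
    sample = ["123456", "Password", "qwerty", "Tr0ub4dor&3xQ!"]
    for pw in sample:
        print(f"{pw!r}: {classify(pw) or 'no weakness detected'}")
    print(f"weak fraction: {weak_fraction(sample):.2f}")
```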

December 18, 2009

More on passwords

Filed under: Technology — Nicholas @ 08:58

The Economist's Tech.view correspondent confesses to password laxity:

He admits to flouting the advice of security experts: his failings include using essentially the same logon and password for many similar sites, relying on easily remembered words—and, heaven forbid, writing them down on scraps of paper. So his new year’s resolution is to set up a proper software vault for the various passwords and ditch the dog-eared list.

Your correspondent’s one consolation is that he is not alone in using easily crackable words for most of his passwords. Indeed, the majority of online users have an understandable aversion to strong, but hard-to-remember, passwords. The most popular passwords in Britain are “123” followed by “password”. At least people in America have learned to combine letters and numbers. Their most popular ones are “password1” followed by “abc123”.

I’ve written some carefully considered advice on passwords, which is still as valid today as it was in those dark, distant days of October.

November 24, 2009

Friendly reminder to UK readers: you do not have a right to remain silent

Filed under: Britain, Law, Technology — Nicholas @ 07:28

A fascinating story about a case in Britain where the government’s shiny new powers under the Regulation of Investigatory Powers Act (RIPA) have been used to jail a schizophrenic man for refusing to divulge the passwords needed to access his files:

The first person jailed under draconian UK police powers that Ministers said were vital to battle terrorism and serious crime has been identified by The Register as a schizophrenic science hobbyist with no previous criminal record.

His crime was a persistent refusal to give counter-terrorism police the keys to decrypt his computer files.

The 33-year-old man, originally from London, is currently held at a secure mental health unit after being sectioned while serving his sentence at Winchester Prison.

In June the man, JFL, who spoke on condition we do not publish his full name, was sentenced to nine months imprisonment under Part III of the Regulation of Investigatory Powers Act (RIPA). The powers came into force at the beginning of October 2007.

[. . .]

Throughout several hours of questioning, JFL maintained silence. With a deep-seated wariness of authorities, he did not trust his interviewers. He also claims a belief in the right to silence — a belief which would later allow him to be prosecuted under RIPA Part III.

November 8, 2009

Aussie iPhone owners rickrolled

Filed under: Australia, Technology — Nicholas @ 18:56

The horror, the horror:

The attacks, which researchers say are the world’s first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple’s default root password of “alpine.” In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message “ikee is never going to give you up,” a play on Astley’s saccharine-addled 1987 hit “Never Gonna Give You Up.”

Tricking victims into inadvertently playing the song has become a popular prank known as Rickrolling.

A review of some of the source code shows that the malware, once installed, searches the mobile phone network for other vulnerable iPhones and, when it finds one, copies itself to them using the default password and SSH, a Unix application also known as secure shell. People posting to this thread on Australian discussion forum Whirlpool first reported being hit on Friday.

October 10, 2009

Passwords and the average user

Filed under: Humour, Technology — Nicholas @ 11:22

In this day of widely publicized panic about online security, it’s time we revisited the basics of password security. I’m sure that none of you reading this would ever have a less-than-ironclad routine for all your online activities:

  1. Never ever use the same password on multiple sites. Once they’ve grabbed your login for the MyLittlePony site, they’re into your bank account . . . or worse, your MyLittlePonyDoesDallas account.
  2. Always use the maximum number of characters allowed . . . I know it’s a pain when a site allows 1024 characters, but your online security is paramount. I believe most health insurance now covers carpal tunnel treatment, so you’re golden.
  3. Never include any word — in any human language — embedded within your password: this includes all the words in the Scrabble® dictionary for every known language. Can’t assume that the black hats speak English, y’know.
  4. Always use both capital and lower-case letters and include at least a single digit and a non-letter character in every password.
  5. Note: Don’t try to be clever and use 1337speak. The folks trying to crack your password all post on 4chan: you’re giving them a head-start. They dream in 1337.
  6. Change your password regularly. Daily, if necessary. Even hourly if you share a computer with others.
  7. Never, ever write your password down. That’s the first thing they’ll look for when they break down your door and trash your crib.
  8. Never, ever re-use a password. Don’t pretend you haven’t done this one. We all used to do it, until site admins started checking that you hadn’t re-used an old password.

Of course, even the professionals don’t do all of this. Some of ’em don’t do any of it. Do like the pros do: set all your passwords to “passw0rd”. Nobody ever guesses that.

For actual password advice that might be helpful, you can try this post on the Gmail Blog.
