Cryptosmith

A social networking site called Rockyou.Com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.

Unfortunately, they were trying to do site aggregation stuff – using other site login credentials to link that site to theirs. All very Web 2.0. All very dangerous, especially since passwords were stored in plaintext. Thus, the attackers collected 32 million user login credentials: ids, passwords, e-mail addresses. This was courtesy of a cross site scripting vulnerability.

John, a former colleague, sent me a note about a security group named Imperva that analyzed the list of passwords.

The actual report is poorly drafted – you can’t tell how much of the database they really analyzed, or how they chose a set to analyze. However, it seems that they analyzed a sampling of the passwords and compiled a list of the 5,000 most common ones. Which they didn’t share. They did share a list of the 20 most common: the most common word was “Password” while “princess” and “Nicole” were the most common names.

Continue Reading »

Posted under Security | No Comments »

Here’s a recent posting on password problems that suggests 10 hard-to-follow rules.

The author highlights an important problem: attackers can do systematic trial-and-error guessing attacks against on-line sites. She focuses on a Google Gmail problem recently reported on Full Disclosure.

Here’s the point: use strong protection on high-value targets. Take the time to protect your major e-mail account, your financial resources, and anything else you really value. If you’re going to slack off, do it when registering to post a one-off blog comment.

Let me take a stab at my own list of recommendations.

Continue Reading »

Posted under Security | No Comments »

Ivan Lucas of “Lockdown.co.uk” has posted an interesting summary of Password Recovery Speeds. These are scaled on the assumption that the attacker will do trial-and-error attempts of all possible permutations. I think it would be interesting to include a scale that considers ‘likely’ password selections.

I’ve been reviewing postings from the past few months that look at password selection, including a password list stolen from phpbb, a built-in list used for cracking by the Conficker worm, and a list of the “500 most common passwords from a book called Perfect Passwords. Bruce Schneier also did a thing on MySpace passwords back in 2006. Dan Klein did the classic assessment of password selection and cracking ‘way back in 1990 and it seems like peoples’ choices haven’t changed a lot since then.

Aside from speedup due to Moore’s Law, I don’t think password security has changed much since 1990.

Posted under Security | No Comments »

It used to be that the default password was your mother’s maiden name, your SSN, your birthdate, or something like that. Now you have to pick a password, and your ‘password recovery’ questions are based on those old stand-by questions. So you can still break in to a person’s accounts by answering those classic questions.

There have been some interesting recent reports about the use of personal questions for password resetting, and Bob Sullivan has summarized them in a recent posting.

This problem will only disappear over time, as people learn how NOT to lose security credentials. Continue Reading »

Posted under Security | No Comments »