
Secure Passwords (Pt. 2)

(From Troy Hunt’s Blog) View Part 1

The problem with weak passwords

Firstly, what exactly is a weak password? Let me answer this in a roundabout way by focusing on strong passwords: a strong password is one with a high degree of what we call entropy, or in simple terms, one that is as long and as random (in both the character types it uses and the order they appear in) as possible. As the article on password entropy linked from the original post explains:

People are notoriously remiss at achieving sufficient entropy to produce satisfactory passwords.

People struggle with strong passwords because they revert to patterns that are easy to memorise. The patterns may take a natural form such as someone's name, a date or a place, or they may be memorable keyboard patterns such as "qwerty" or "123456". All of these are highly predictable, and predictable means low entropy no matter how many characters are typed.

Let me demonstrate the problem with a few recent events. Firstly we have Gawker, who last December were the victims of an attack which led to the disclosure of somewhere in the order of one million user accounts. Worse still, these accounts were posted online and readily accessible by anyone who wanted to take a look at who had signed up to the service and what their password was.

The interesting thing in the context of password strength is the prevalence of bad password choices. Take a look at these:

123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, starwars, shadow, princess, cheese, helloworld

These 25 passwords were used a total of 13,411 times by people with Gawker accounts. The first one – 123456 – was used over two and a half thousand times alone.

Another very similar example was an attack last month on rootkit.com. Password analysis on the breached database showed these top 25 passwords:

123456, password, rootkit, 111111, 12345678, qwerty, 123456789, 123123, qwertyui, letmein, 12345, 1234, abc123, dvcfghyt, 0, r00tk1t, ìîñêâà, 1234567, 1234567890, 123, 11111111, master, aaaaaa, 1qaz2wsx, helloworld

Look familiar? Worse still, you can easily see the corresponding username for each of these if you know where to look (the original post blurs the usernames in its screenshot, but they are still visible in the linked source):

[Image: screenshot of the rootkit.com dump showing the most-used passwords alongside their usernames]

But here's what's really interesting about both these cases, and the reason password strength matters: none of these passwords was stored as plain text. Both sites stored a transformed version of the password in the database (the original post calls this encryption; strictly it is hashing, a one-way transformation that is not meant to be reversible). Without delving into cryptography concepts, the core of the problem with both sites is that the protection was implemented badly: the transformation was fast and predictable, so it did nothing to stop an attacker who holds the database from guessing.

When a database such as rootkit.com's is released into the wild with poorly implemented hashing, attackers do not need to reverse anything. They simply recreate the site's own hashing process: feed in a dictionary of common passwords, hash each one the same way the site did, and compare the results to the stored values. Every match reveals the password for that account. The process has to be repeated once per guess, which can mean millions of computations, but it is entirely automated and runs offline, so the site has no way to rate-limit or even notice it.

Password dictionaries are freely available (wonder if you see any of yours in there?), as is the software to run them against a breached database. The biggest limitation is the computing power required for what is a fairly resource-intensive process, but as we all know, compute power is increasing at a very rapid pace and besides, you can easily rent enough processing power to test 400,000 passwords per second for only 28 cents per minute.
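The attack just described, as an added example that is not code from the post or from either breached site. Everything in it is constructed: the three hypothetical usernames, the choice of unsalted MD5 to stand in for a "badly implemented" store (a fast, salt-free hash used purely to illustrate the method; the exact schemes Gawker and rootkit.com used are not modelled) and the salted PBKDF2 store it is compared against. The guess list is the two top-25 lists quoted above.

```python
"""Offline dictionary attack against a constructed password dump.

Added example, not code from the original post or from either breached site.
The accounts, the unsalted-MD5 store and the salted PBKDF2 store are all
constructed here to show the attack and why the storage scheme changes its cost.
"""
import hashlib
import os

# The two top-25 lists quoted in the post, used as the attacker's dictionary.
GAWKER_TOP25 = [
    "123456", "password", "12345678", "qwerty", "abc123", "12345", "monkey",
    "111111", "consumer", "letmein", "1234", "dragon", "trustno1", "baseball",
    "gizmodo", "whatever", "superman", "1234567", "sunshine", "iloveyou",
    "starwars", "shadow", "princess", "cheese", "helloworld",
]
ROOTKIT_TOP25 = [
    "123456", "password", "rootkit", "111111", "12345678", "qwerty",
    "123456789", "123123", "qwertyui", "letmein", "12345", "1234", "abc123",
    "dvcfghyt", "0", "r00tk1t", "ìîñêâà", "1234567", "1234567890", "123",
    "11111111", "master", "aaaaaa", "1qaz2wsx", "helloworld",
]
# De-duplicate while keeping order.
DICTIONARY = list(dict.fromkeys(GAWKER_TOP25 + ROOTKIT_TOP25))

# Constructed (hypothetical) accounts: two dictionary passwords, one long random one.
ACCOUNTS = {
    "alice": "123456",
    "bob": "trustno1",
    "carol": "corridor-tungsten-47-gravel",  # not in any list
}


def md5_hex(password):
    """Unsalted MD5: the stand-in for a badly implemented password store."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


WEAK_DUMP = {user: md5_hex(pw) for user, pw in ACCOUNTS.items()}


def crack_unsalted(dump, dictionary):
    """Recreate the site's hashing for each guess and look it up in the dump.

    With no salt, one hash per guess tests that guess against every account
    at once: the work is O(guesses), not O(guesses * accounts).
    """
    guess_table = {md5_hex(pw): pw for pw in dictionary}
    return {user: guess_table[h] for user, h in dump.items() if h in guess_table}


# The comparison store: a random per-user salt plus a deliberately slow function.
# 10_000 iterations keeps the example quick; real deployments use far more.
ITERATIONS = 10_000


def pbkdf2_record(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


SALTED_DUMP = {}
for _user, _pw in ACCOUNTS.items():
    _salt = os.urandom(16)
    SALTED_DUMP[_user] = (_salt, pbkdf2_record(_pw, _salt))


def crack_salted(dump, dictionary):
    """Same dictionary, but every guess must be re-derived for every account.

    Returns the recovered passwords and the number of PBKDF2 derivations
    performed, so the multiplied cost is visible. Weak passwords still fall;
    the slow salted scheme only raises the price per guess.
    """
    found = {}
    computations = 0
    for user, (salt, stored) in dump.items():
        for pw in dictionary:
            computations += 1
            if pbkdf2_record(pw, salt) == stored:
                found[user] = pw
                break  # this account is done; the next one has a different salt
    return found, computations


if __name__ == "__main__":
    print("unsalted MD5 :", crack_unsalted(WEAK_DUMP, DICTIONARY))
    recovered, n = crack_salted(SALTED_DUMP, DICTIONARY)
    print("salted PBKDF2:", recovered, "after", n, "derivations")
```

Run it and both stores give up alice's and bob's passwords; carol's survives in each because it is in no dictionary. The difference is cost: the unsalted store falls to 39 hash computations for the whole database, while the salted store forces a fresh slow derivation per guess per account, which is exactly the multiplier that makes rented compute power the attacker's bottleneck.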

But the bottom line is this: if your password conforms to a recognisable pattern, there's a good chance it is either already in a password dictionary or guessable from other known information about you (a spouse's or children's names, and so on). If it is short or doesn't contain sufficient variation in characters, the number of attempts required to guess it is going to be much lower; you become the low-hanging fruit.
