{"id":1892,"date":"2010-01-30T20:46:56","date_gmt":"2010-01-31T01:46:56","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/?p=1892"},"modified":"2022-12-30T12:40:50","modified_gmt":"2022-12-30T17:40:50","slug":"password-insecurity","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/password-insecurity\/","title":{"rendered":"Password Insecurity"},"content":{"rendered":"

\"password\"<\/a> The massive Rockyou.com<\/a> breach reveals the weakness of the password. The Rockyou.com breach provided an opportunity to evaluate the true strength of passwords as a security mechanism. California-based security firm Imperva<\/a> analyzed the stolen cache of 32 million passwords and the results are not pretty. According to researchers, most passwords are eight or fewer characters and nearly 30% of passwords were six characters or less. They also found Nearly 50% of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on), and 20 percent are from a pool of 5,000 passwords. The ten most common passwords used were:<\/p>\n

    \n
  1. 123456<\/li>\n
  2. 12345<\/li>\n
  3. 123456789<\/li>\n
  4. Password<\/li>\n
  5. iloveyou<\/li>\n
  6. princess<\/li>\n
  7. rockyou<\/li>\n
  8. 1234567<\/li>\n
  9. 12345678<\/li>\n
  10. abc123<\/li>\n<\/ol>\n

    \"Imperva\"<\/a>\u201cThe problem has changed very little over the past 20 years,\u201d explained Imperva\u2019s CTO Amichai Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. \u201cIt\u2019s time for everyone to take password security seriously; it\u2019s an important first step in data security<\/a>. It\u2019s important to point out that, the same password \u201c123456\u201d also topped a similar chart based on a statistical analysis of 10,000 Hotmail passwords published (Link removed at the request of Acunetix)<\/em> October 2009 by Acunetix (Link removed at the request of Acunetix)<\/em>.<\/p>\n

    \u201cEveryone needs to understand what the combination of poor passwords means in today\u2019s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second\u2014or 1000 accounts every 17 minutes,\u201d explained Shulman in a press release<\/a>.<\/p>\n

    For enterprises, password insecurity can have serious consequences. \u201cEmployees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like \u2018123456\u2019,\u201d said Shulman.<\/p>\n

    The rest of the passwords rated by popularity:<\/p>\n

    \"Imperva<\/p>\n

    Some of the lessons that firms can lead from the Imperva research are:<\/p>\n

    1) Most users use short passwords which lack a lower-capital-numeric characters mix or trivial dictionary words which every decent brute-forcing\/password recovery application can find in a matter of minutes.\u00a0 A hacker will typically take 17 minutes to gain access to 1000 accounts.<\/p>\n

    2) Strong password algorithms must be coupled with longer passwords that contain a mix of letters, numbers, and, where possible, punctuation.<\/p>\n

    3) Firms should emulate Twitter\u2019s<\/a> \u201cbanned passwords<\/a>\u201d list consisting of 370 passwords that are not allowed to be used.<\/p>\n

    The analysis proves that most people don’t care enough about their own online security to give more than a fleeting thought when choosing the password which secures access to their accounts.\u00a0 This research shows why firms must take proactive actions to manage their users’ choices in passwords.<\/p>\n

    PASSWORD RELATED SECURITY BEST PRACTICES:<\/strong><\/p>\n

    \u2022 All passwords are to be treated as sensitive, confidential corporate information.
    \n\u2022 Don’t use the same password for corporate accounts and non-corporate accounts (e.g., Facebook, Twitter, personal ISP account,\u00a0 etc.).
    \n\u2022 If someone demands a password call someone in the Information Security Department.
    \n\u2022 Change passwords at least once every four months.
    \n\u2022 Do not use the “Remember Password” feature of applications (e.g., Eudora,     Outlook<\/a>, Netscape Messenger<\/a>).
    \n\u2022 If an account or password is suspected to have been compromised, report the incident and change all passwords.<\/p>\n

    Strong passwords characteristics:<\/strong>
    \n\u2022 At least eight (8) alpha-numeric characters
    \n\u2022 At least one numeric character (0-9)
    \n\u2022 At least one lower case character (a-z)
    \n\u2022 At least one upper case character (A-Z)
    \n\u2022 At least one non-alphanumeric character* (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
    \n\u2022 Are not a word in any language, slang, dialect, jargon, etc.
    \n\u2022 Are not based on personal information, names of family, etc.
    \n\u2022 Are never written down or stored online.<\/p>\n

    Password\u00a0 “dont’s”:<\/strong>
    \n\u2022 Don’t reveal a password over the phone to ANYONE
    \n\u2022 Don’t reveal a password in an email message
    \n\u2022 Don’t reveal a password to the boss
    \n\u2022 Don’t talk about a password in front of others
    \n\u2022 Don’t hint at the format of a password (e.g., “my family name”)
    \n\u2022 Don’t reveal a password on questionnaires or security forms
    \n\u2022 Don’t share a password with family members
    \n\u2022 Don’t reveal a password to co-workers while on vacation<\/p>\n

    OTHER PASSWORD-RELATED SECURITY BEST PRACTICES:<\/strong>
    \n\u2022 Account Lockout: all systems should be set to “lockout” a user after a maximum of 5 incorrect passwords or failed login attempts
    \n\u2022 Lockout Threshold: all systems should have a minimum “lockout” time of five (5) minutes
    \n\u2022 Password History: systems should be configured to require a password that is different from the last ten (10) passwords<\/p>\n

    Related articles<\/h6>\n