Sponsored by..

Showing posts with label Passwords. Show all posts
Showing posts with label Passwords. Show all posts

Wednesday 22 January 2014

Password hand-wringing misses the point

Recently doing the rounds of news outlets is a list compiled by SplashData of weak passwords found in data breaches in 2013. There's nothing wrong with this list, but as ever, the media completely miss the point.

SplashData's list is as follows:


Rank
Password
Change from 2012
1
123456
Up 1
2
password
Down 1
3
12345678
Unchanged
4
qwerty
Up 1
5
abc123
Down 1
6
123456789
New
7
111111
Up 2
8
1234567
Up 5
9
iloveyou
Up 2
10
adobe123
New
11
123123
Up 5
12
admin
New
13
1234567890
New
14
letmein
Down 7
15
photoshop
New
16
1234
New
17
monkey
Down 11
18
shadow
Unchanged
19
sunshine
Down 5
20
12345
New
21
password1
Up 4
22
princess
New
23
azerty
New
24
trustno1
Down 12
25
000000
New


The presence of "adobe123" and "photoshop" as passwords show the influence of the Adobe data breach on the list. Back in 2010 when Gawker was breached, one of the popular passwords was.. you guessed it.. "gawker".

The media has a habit of picking up the wrong point.. they look at a password of "123456" and ask how can anyone be so stupid to use it? But my somewhat NSFW response is what the fuck does it matter?

Almost everything these days requires registration for which you need to supply an email address and password, and often for trivial things. One of the reasons that gawker featured so highly in the Gawker breach was that to the vast majority of users it matters not one jot if someone hacks into their account. The same is true for a lot of Adobe users.. in most cases the accounts are of absolutely no value to an attacker, so it really doesn't matter if you have adobe123 as a password or not.

So, the media (or at least some of it) says that you should choose a secure password such as fJ4C62GY0I8C15D but their advice is misleading because the real problem is password re-use and not the security of the password per se.

Despite the obvious security problems in doing so, many sites store passwords in plain text or in an insufficiently encrypted format. In these cases, it doesn't matter how secure your password is because the attackers will just be able to read it. Even in cases where the password is encrypted, with enough time and/or rainbow tables the password can often be determined, even it is a complex one.

And if you have re-used that email address and password on other sites.. well, you're buggered basically.

In an ideal world, you would have a nicely secure password for each site and you would remember it in your head. But of course, that's practically impossible, so one option is to use a password manager (SplashData themselves make these) to remember them all for you. There are several different password managers available, but of course there is always the possibility that one of these tools might get hacked itself which could be catastrophic for users.

If you don't want to use a password manager, then you'll have to do it the old-fashioned way, and either remember your passwords or store them in some other manner. You should always have a secure and unique password for your web mail, banking/finance, work and major shopping sites. But for all the cruft that you have to register, there's probably little harm in using a password that it easy to remember. Does it matter if the password I use for ranting at the BBC is abc123? Perhaps it doesn't.

But perhaps one problem is that there are simply too many times that you have to create an account in the first place. Sometimes it is nice to come across a retailer (for example) that will allow you to order stuff without creating a damned account.. something that seems to go against the grain, but it does mean that there's one less password to worry about..

Monday 20 December 2010

Gawker related attack from 174.132.178.37

The recent Gawker media hack is probably related to a spate of malicious activity from 174.132.178.37, trying to log into forums, according to a couple of different reports on the web -  [1] [2] -  and my own experience of someone trying to get into a forum, presumably with Gawker harvested credentials. The purpose is unknown, but the person behind it may well be trying to use established accounts to spam forums.

Here is a sample email that you might get:

Dear ----------,

Your account on ---------- has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 174.132.178.37

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://forums.----------.com/login.php?do=lostpw

I advise you to contact the web host responsible at abuse -at- theplanet.com with a copy of any evidence. Incidentally, the listed owner of that IP address (although remember that it may have hack) is:

network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-15
network:Auth-Area:174.132.0.0/15
network:Network-Name:TPIS-BLK-174-132-178-0
network:IP-Network:174.132.178.32/28
network:IP-Network-Block:174.132.178.32 - 174.132.178.47
network:Organization-Name:Michael Strouse
network:Organization-City:winter springs
network:Organization-State:FL
network:Organization-Zip:32708
network:Organization-Country:USA
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:

If this has happened to you, why not post a comment below so that ThePlanet.com can see what it going on.

Tuesday 30 June 2009

Password masking facepalm

A bizarre shot in the security vs usability argument, as reported by El Reg: Masked passwords must go which reports on research saying that masked passwords are more trouble than they are worth.

A key bit of the argument? "Shoulder surfing is largely a phantom problem".. umm yeah, because people's passwords usually just show as blobs or stars so there's no point. If your damned password comes up as plaintext then you can betcha that it WILL be a problem.

Facepalm