Are you one of the many people who are using a dangerously easy-to-guess password?
Maybe now’s the time to fix that before it’s too late.
Twitter, LinkedIn, World of Warcraft and Yahoo are amongst the popular websites which are advising users to change their passwords in light of the recent security breach at the Gawker Media family of sites.
The issue is that many people (33% in our research) use the same password on every single website. That means that if your password gets stolen in one place (like Gawker’s Gizmodo or Lifehacker websites), it can be used to unlock access to other sites too.
Unfortunately, an analysis of the passwords stolen in the Gawker incident shows that many people are choosing very poor passwords that are easy for intruders to guess:
Disturbing, isn’t it? Too many of us are choosing risible passwords – and trust me, the hackers know about the most commonly chosen passwords and are quick to try them out when trying to break into your accounts. Malware such as the infamous Conficker worm has even had lists of commonly-used passwords built in – and has used them to try to spread further.
So, clearly people need to get out of the habit of using the same password everywhere, and they also need to ensure that their passwords are not easy to guess or crack.
But another thought springs to my mind. Why don’t more websites test the password that you’ve chosen to ensure that it’s strong enough?
It would be fairly simple, for instance, for the website to run the password a new user submits when creating an account against a database of commonly used passwords and a dictionary. If the password you offer is a dictionary word, or is otherwise too easy to crack, the website should reject it.
If websites simply tell users to change their passwords after the Gawker incident what’s to stop folks changing their “123456” password to the just as bad “password” password?
We need to not just drum into users’ heads the importance of password safety, but also police submitted passwords better to ensure weak ones *can’t* easily be chosen.
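One way a site could implement the screening described above, as an added example that is not code from the original post or from any of the sites mentioned: the common-password and dictionary lists are small constructed samples, the 8-character minimum is an assumption the post does not state, and the leet-speak map is just the substitutions people most often use to dress up a dictionary word.

```python
"""Server-side screening of a newly chosen password: reject anything that is
too short, that appears in a list of commonly chosen passwords, or that is a
dictionary word dressed up with digits, punctuation, accents or leet-speak.

Added example, not code from the original post. The two word lists are small
constructed samples; a real deployment loads a breached-password list and a
multi-language dictionary from disk. MIN_LENGTH is an assumption.
"""
import re
import unicodedata
from typing import Optional

MIN_LENGTH = 8

# Constructed sample of frequently chosen passwords.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111", "letmein",
    "monkey", "iloveyou", "trustno1", "dragon", "baseball", "0", "1234",
    "12345", "1234567", "123456789", "football", "welcome", "sunshine",
}

# Constructed sample dictionary (think /usr/share/dict/words, in every
# language your users speak).
DICTIONARY_WORDS = {
    "banana", "butterfly", "princess", "computer", "internet", "secret",
    "summer", "winter", "freedom", "shadow", "master", "abstinence",
}

# Substitutions people use to sneak a dictionary word past a naive filter.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(candidate: str) -> str:
    """Fold case and strip accents so 'Pässword' and 'PASSWORD' both match."""
    ascii_only = unicodedata.normalize("NFKD", candidate).encode("ascii", "ignore")
    return ascii_only.decode().lower()


def strip_edges(text: str) -> str:
    """Drop leading/trailing digits and punctuation: 'password1!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def base_forms(candidate: str) -> set:
    """Every plausible 'real' word hiding inside the candidate."""
    norm = normalise(candidate)
    leet = norm.translate(LEET_MAP)
    return {norm, leet, strip_edges(norm), strip_edges(leet),
            strip_edges(norm).translate(LEET_MAP)}


def reject_reason(candidate: str) -> Optional[str]:
    """Return why the password is rejected, or None if it passes screening."""
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if len(set(candidate)) <= 2:
        return "too few distinct characters"
    forms = base_forms(candidate)
    if forms & COMMON_PASSWORDS:
        return "based on a commonly chosen password"
    if forms & DICTIONARY_WORDS:
        return "based on a dictionary word"
    return None


if __name__ == "__main__":
    for pw in ["123456", "0", "P@ssw0rd!", "Butterfly2010", "11111111",
               "Àbstinence", "F+WSD4ADOE&H"]:
        print(f"{pw!r:18} -> {reject_reason(pw) or 'accepted'}")
```

Note that the accent folding also catches the "one non-keyboard character" trick discussed further down the thread: "Àbstinence" is treated as the dictionary word it is. Screening like this is a floor, not a ceiling; it stops "123456" and "password1!" but says nothing about whether the user reuses the accepted password elsewhere.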
Here’s a YouTube video I made a while back showing how to choose a hard-to-crack but easy-to-remember password. It also explains how password management software programs like 1Password, KeePass and LastPass can help you remember all your different passwords.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Password chart image source: Wall Street Journal
I have to admit I was guilty of repeated passwords which were a little on the simple side, which was mainly out of being lazy, which sadly lots of people are, hence not bothering with strong passwords.
The best way I've found is using a service like LastPass: cross-browser, web and mobile password management, meaning you can use long and super-strong passwords everywhere without having to memorise them. Now all 100 or so of my online passwords are unique, and I regularly change my LP password and use multifactor code card authentication so my LP account isn't at risk.
That’s great – I’ve just checked out LastPass… but what is there when you use multiple computers, and some of these work in a secure environment where the user has no permissions to install software?
You can check and see the LastPass vault via their website, without installing any app.
I'm a LastPass user as well – using a thirteen character master password and pseudo-random passwords of at least twelve characters long on any site that will accept ones that long.
One scary aspect of the story is that Gawker aren't even imposing a minimum password length – the eleventh most popular password was "0" (yes, just a single digit!)…
I did something similar and had the same dilemma of remembering the passwords and the temptation of using the same one. I simply added another rule to the password generation process that essentially allowed for one password to rule them all!
F+WSD4ADOE&H, which can be far too long for some websites (I wish they would keep to standards!). What I would do to change the website password would be to add something predictable.
I selected, after the 2nd character of the main password, the last three letters of the domain name, reversed them, then added a full stop.
Password thus:
Sophos: F+soh.WSD4ADOE&H
Facebook: F+koo.WSD4ADOE&H
Twitter: F+ret.WSD4ADOE&H
So, same simple rules, and really the same password, but each resource would have a different password, and a hacker would need to know the rules you employed to exploit each site; unless he had the password lists for all sites to compare, it is highly unlikely they'd gain access.
I would imagine it would remain secure long enough for you to change your password ruleset to another one and propagate that through all your resources.
The problem with that approach is that if someone works out your algorithm, you're screwed. They'll be able to unlock anything.
Best to use *really* random passwords. 🙂
I understand the value of high-entropy passwords in resisting off-line dictionary attacks. My question, in the context of on-line web-services attacks, is does entropy really matter so much? Are today’s web-services still so accommodating of dictionary attacks that they don’t have a lock-out period that’s triggered by some threshold of failed attempts? Once you’ve gotten past dictionary and easily guessable words, isn’t that commonly “good enough”?
Did you seriously just say your password?
So little imagination used on passwords! I like really random stuff and I have mine on hard copy (AKA paper) hidden in a notebook. I know which one. Pets when you were 10 plus phone number when you were 15. Made-up words, words written backwards – not that anybody would want to hack my stuff, because I don't keep anything important on most of my accounts. But really, people, make it hard for the bad guys! Like leaving your front door open and saying I have an alarm system. Useless.
I might use some stupid password like 1234 to register on Gawker because what information about me can be harvested there? I certainly wouldn't use something like that on my bank account. Am I wrong to think my Gawker-Gizmodo-RandomBlog password is useless to hackers?
A couple of fun facts from the days when I worked on an academic UNIX network and did a review of password security:
– the most common password was 'banana'
– second was 'password'
– third was the name of the department
So I modified the password-changing program to do a dictionary search, and refuse passwords that were dictionary words. One user in particular got very frustrated: he was from Greece, and my dictionary library wouldn't let him use Greek words. He thought I should just disallow English words, because the computer was in English ;-).
Why am I supposed to change my LinkedIn account password?
Thanks in advance, I apologise for asking daft questions, but I don't see how Gawker being hacked has got anything to do with LinkedIn.
I have read numerous articles advising people
LinkedIn has sent advisories to some of its users who they believe may have been using the same password on LinkedIn as they were on one of the Gawker websites.
OK, thanks for the reply.
My uni had some insanely tough password rules, such as numbers, letters and symbols,
no recognisable words in any language (I tried to get round this using Japanese, Korean etc. words and just couldn't),
with six-monthly non-optional updates, and you couldn't repeat a password.
I worked out the best way to remember a password was to look at a group of keys, make up a random onomatopoeic word, with no vowels, where it was clear you could hear every letter when you said it and that I liked the sound of,
then add in numbers/symbols before/after,
so you could say/remember the number-password sound as a word.
It was good and easy. I used to write them down and keep them hidden away.
It left me with a whole load of back-up passwords forever etched into my memory by sound and rote that I still use and mod/mix up today,
and a method to create more that I also use a fair amount as well (especially as my work now has an even more infuriating password policing system).
Thanks for all the great ideas!
Yes, great ideas! I agree! Personally, I use Sticky Password manager, and I was hacked too, so now my passwords are completely new, stronger than before, and I feel safe again. With password managers, life is easier 🙂
It seems that major breaches like this are becoming quite common. What does that say about the security thinking among people operating the compromised system, and about the security thinking among end users?

If you operate a major web site, a big security compromise like this can kill your business. Not investing enough time, money and infrastructure in security means putting your organization at risk of major harm, because of bad press, lost end users, lost advertisers, etc. This is a big deal.

If you are a user whose password has been compromised, I guess it depends on how many other systems you sign into with the same ID/password and whether you care about compromise of any/every account that uses the same credentials. At a minimum, once you learn about a compromise like this, you should change your “standard, used for systems I don’t care much about” password everywhere.

In either case, you can learn about effective password management practices: for organizations (http://password-manager.hitachi-id.com/docs/password-management-best-practices.html) and for end users (http://password-manager.hitachi-id.com/docs/choosing-good-passwords.html)

– Idan Shoham, CTO, Hitachi ID Systems
Password managers are the best way to go. Even if you create a strong password, it can still be stolen. Website security varies greatly. Using the same password for very secure and less secure websites can be dangerous: your password could be stolen from one website and used on another (PayPal, bank site, etc.). Password managers allow you to create very difficult passwords that you don't have to remember. To create the password, you could also use one of the methods mentioned above or a password generator.
Paul Ciatto, Insource Technology
Bear in mind that people may have “low security” passwords for sites they don’t much care about. I have something like “lala123” which I use on sites I don’t trust, or where I may share the login. That doesn’t mean I’d use the same one for Twitter or email.
That's a fair point. But if password managers make it easy to generate unique, random passwords for every website you visit – why not use them anyway?
That way you won't accidentally choose a simple "low security" password for a site which turns out to have been more important to you.
I adopt the same policy: separate low-value and high-value passwords. I admit to running a cascading-vulnerability risk with my shared low-value passwords. There are times when I need to access sites from a quasi-public computer, so a password manager program isn’t a solution for me. For financial sites, I employ two-factor authentication using a hardware token based solution.
The analysis is somewhat skewed by the fact that the Gawker password database only performed a DES crypt function on the first 8 characters. This means that anyone who entered more than 8 characters effectively had their password truncated to 8 characters. Nice of them (and others) to omit detailing this "feature" to their users.
Having had to deal with this nonsense throughout the 90s I've made damn sure that the first 8 characters in any password contain uppercase, lowercase, numbers and punctuation where permitted. Granted, this means the brute force takes a teeny bit longer in the modern age, but you have to do what you can. :-/
While password managers are good, they are not the be-all and end-all. How do I access my online services from a PC where I don't have the password manager installed? I don't always have a USB key with me. I either remember the 13 character random password (the whole problem in the first place) or I am restricted on how I can use online services.
Great ideas…. but, before any passwords are setup, shouldn't we determine if there are keyloggers on our computers?
You are right about keyloggers, but how can you find them on your machine if there is one?
My laptop was bought second-hand. It was originally from some company, and virus scanning has located an "Employee tracker" or something like that. So are all my keystrokes reported to some unknown place, and how can I get RID of this code?
I virus scan at least once a week, have a firewall, and my spyware program finds around 100 or so new adwares a day! (PopUps are "mostly blocked", but I do get a few.) I don't do that much surfing, mostly Email & Email links from known & mostly trusted URLs.
A colleague recently set up a new MySophos account and, although told that his password was weak, it was still accepted – people who live in glass houses… 😉
I am guilty of re-using passwords for several sites – however they are complex. What miffs me is where a site will not allow you to use a complex password.
Hey, how about NOT using passwords at all. The problem is that passwords are a legacy credential. Even government has recognized and acted on this, ahead of private enterprise, and that says A LOT. Secure elements and private keys are where it's at.
I learned to create military grade passwords a long time ago. This stuff is the way we should all do it if we could. Two additional pieces of information:
Keys that aren't on the keyboard!! I once put a post-it on my monitor with my password and offered $20 to anyone who could log into my machine. The password was Abstinence. What I failed to mention was that the first character was not English. If you hold down the Alt key and press 0192 on the numeric keypad, you will get the European À character. All I had to remember was the 192. It is not necessarily a strong password just because I got tricky with one char, however, but it was proof of concept to the SCIF SysAdmin. If you go into the Windows program Character Map, you can click on a character to see if there is an Alt-code to enter it directly from the keyboard. Some laptops have trouble with using Alt-numbers, in which case you need to cut and paste from the Character Map program.
Another method is in regard to which characters to capitalize. If only there were a rule to help us remember which letters to capitalize. In the German language, nouns are capitalized, and I find that nouns are usually sprinkled nicely throughout a phrase. In the video, the proper names of Fred and Wilma could be capitalized. If there are no proper names, people will frequently capitalize only the first char and then no more. One investor I knew had a favorite phrase: Bulls and bears make money, pigs get slaughtered. He thought this would translate into Babmmpgs. I suggested B&Bm$Pgs instead. "And" becomes ampersand, like we saw already, money becomes the dollar sign, and all the nouns become capital letters. If you want to incorporate my first suggestion, you could even change the dollar sign to a different currency symbol, like the Euro ( Alt+0128 = € ), using the ASCII keyboard entry. This would be more effective in the US, obviously 🙂
The new military method is to "combine something known with something owned". A weak password plus a few numbers can be more secure than a 10 character random password if the numbers are generated by an authenticator. There is even an online gaming company that offers authenticators for its players at a very low price. Why don't banks?!?! Grr.
Actually, some banks do, e.g. Bank of America. They offer a low-cost hardware OTP generator card. It likely works on the same principle as the RSA SecurID tokens. PayPal offers a similar low-cost token.
"One investor I knew had a favorite phrase: Bulls and bears make money, pigs get slaughtered. He thought this would translate into Babmmpgs. I suggested B&Bm$Pgs instead."
My suggestion would have been to not base his password on something others are likely to know about him, like his favorite phrase. You just added a little bit of security through obscurity and that's not security at all.
I generate a random password of at least 8 to 10 characters and then try to associate each 2 or 3 character segment with a relatively meaningful mnemonic. For instance if I were to generate Sw8zz19f as a password, I’d probably give it the mnemonic “sweat [Sw8], sleep [zz], 19f [easy to remember 3 characters if they don’t have a quick word association]”. Most times I try to associate numbers with days or years that hold special meaning in my life, and letters with people/pet names, but as with the example above, it doesn’t always work out that way when the characters are generated truly randomly.
"19f [easy to remember 3 characters if they don't have a quick word association]"
Do you mean a quick word association like… starting to "sweat" after "sleeping" with a "19 year old female"?
That password could very easily be one that wasn't generated randomly at all.
I wish someone would hack my FB account, that way I could blame them for all the silly crap I put on there. 🙂
I use the name of the website in my password and then rotate between several different levels of numbers.
i.e. three numbers for low-level things (freebie sites), four numbers for social sites, five numbers for financials and so on.
So it’s not a repeatable password, even if I used the same 5 numbers for every site.
Another thing I like doing is associating the numbers on the keypad of the phone with key words in the site. For instance 92466 would be YAHOO as taken off of a phone. Just another way of doing it.
LOVE the idea of using punctuation marks and various other characters. thanks and I’ll implement this!
“Why don’t more websites test the password that you’ve chosen to ensure that it’s strong enough?”
Forcing users to use strong passwords encourages them to use the same strong one across multiple sites, thus not mitigating against the consequences of a security breach if the passwords can be obtained.
Website operators should not be trying to shift the burden of security to users; there’s a very good reason why so many people use weak, shared passwords. The solution is to ensure that the security on the server is strong and that the passwords cannot be recovered even if access is obtained.
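The comment above and the earlier one about Gawker's DES crypt truncating passwords to 8 characters both come down to how the server stores the password. The following added example (not Gawker's code; the page says nothing about their scheme beyond "DES crypt") models the documented input limit of traditional DES-based crypt(3) next to a store that hashes the whole password with a per-user salt and a deliberately slow key-derivation function, so that a stolen database cannot simply be run through a wordlist. The PBKDF2 iteration count is an assumption to be tuned per deployment.

```python
"""Two things a site's password store must get right: hash the whole
password, and make each stored hash salted and expensive so that a stolen
database cannot be cheaply matched against a list of common passwords.

Added example, not Gawker's code. des_crypt_effective_key() only models the
documented behaviour of traditional DES-based crypt(3): the first 8
characters, low 7 bits of each. PBKDF2_ROUNDS is an assumption.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumption: tune so one verification costs tens of ms


def des_crypt_effective_key(password: str) -> bytes:
    """What traditional DES crypt(3) actually feeds to DES: the first eight
    bytes, each reduced to its low seven bits. Anything after the eighth
    character never influences the hash, so a 20-character password and its
    8-character prefix are indistinguishable to the server."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted PBKDF2-HMAC-SHA256 over the full password. The record carries
    its own parameters so they can be raised later without a flag day."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    full, prefix = "correcthorsebattery", "correcthorse"
    print("DES crypt sees the same key for both:",
          des_crypt_effective_key(full) == des_crypt_effective_key(prefix))
    record = hash_password(full)
    print(record)
    print("full password verifies:", verify_password(full, record))
    print("8-char prefix verifies:", verify_password(prefix, record))
```

Because every user gets a fresh random salt, two users who both chose "butterfly" end up with different records, and an attacker who obtains the table has to attack each record separately at the full PBKDF2 cost; with unsalted or fast hashes the most common passwords show up as duplicate hashes before any cracking starts.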
As an IT guy, I found that an unusually large number of females used the same password: butterfly
I have an index file system where I write each password, username, e-mail etc. I couldn’t remember all of them; there are hundreds. I wouldn’t trust an on-line program either; my computer has crashed too many times and I have lost everything, so I feel safer having the passwords where I know I can access them if my computer crashes.
The problem with using things from your childhood is that so many social networks ask you questions like that – all someone has to do is google your name and look around for things like 'my first pet's name' or 'town I grew up in' and the like. I use different ex-girlfriends' middle names or 'pet' names or last names or even addresses, with several non-alphabet characters mixed in, depending on the site and the need for a more secure password. No one (but my exes) knows their middle names, and there are enough to have a different one for each website I'm on 🙂 Remembering which is for which site has become a bit of an issue though – but well worth it, knowing my sites are more secure than most people's. (Mind you, this is NOT my exact way of making passwords, but something similar – and an idea for others, as it seems like this post is about.)
"If the password you offer is a dictionary word, or is too easy to crack then it should be rejected by the website."
It's not the website's job to babysit and nanny its users. The internet has been around long enough for people to know to use strong passwords. If they don't, then when their information gets compromised hopefully they'll learn the hard way. But it's not up to websites to make people make smart choices.
http://xkcd.com/936/
2012 and we still use passwords, need something new, a biometric DNA upload that cross references you and the ID thief.
Honestly, if they REALLY want my account that much, they can go ahead and take it.
i love the way people tell how they come up with passwords great help for hackers LOL
I know someone who changed his/her password to "incorrect." This way, when said person forgets the password, s/he will get a message stating, "Your Windows Password is incorrect."
Nyuck, Nyuck, Nyuck!
All I'm saying is that people should remember their password, which should be complicated and long.
This website is great.