Want to hack into somebody’s account?*
For shame!
Here’s how you do it: type in the name Bella.
It’s statistically likely to work. Often.
Why? Because
- It’s the most popular name for both dogs and cats (in the US, at any rate, while “Charlie” is big for UK pets), and
- Pet names are the most common passwords.
No, seriously? We’re using Fido and Binky and Fluffy as passwords? Oh, my head.
This news comes from Google Apps, which recently commissioned a survey of 2,000 Brits.
Here are the Top 10 most common kinds of password, according to Google Apps’ survey:
- Pet’s name
- Significant dates (e.g. wedding anniversary)
- Date of birth of close relation
- Child’s name
- Other family member’s name
- Place of birth
- Favourite holiday
- Something related to favourite football team
- Current partner’s name
- The word “Password”
The company put out a statement with a slew of other depressing, albeit unsurprising, password head-bangers.
To wit:
- 67% of us only change passwords when we have to.
- 21%, or one in five, admit to having clicked on spam links over the past year.
- 3% of those surveyed write down passwords on Post-It notes that they then stick around their desks.
- 48% share passwords with others like so many germ-saturated hankies.
- Only 41% of respondents updated their antivirus software this year.
- 19% have walked off and left their computer without logging out of a service.
- 15% of Brits admitted to peeking into their partner’s emails, thanks, one assumes, to their partners having sashayed away without logging out.
Eran Feigenbaum, Director of Security, Google Apps, said this about the sashaying-away finding:
“People often leave their information open to online security breaches without even realizing it. Lax attitudes to online security can lead to serious consequences if strangers access your information.”
The steps he recommended for making passwords less entirely-super-easily-guessable-by-anybody-on-the-planet are simple:
- Choose more complicated passwords.
- Always log out of services.
- Consider using two-factor authentication.
Back in the bad old days, before I discovered the joy of password management software (thank goodness for LastPass! Or KeePass, or 1Password), I too would, on occasion, use my cat’s name as a password.
But, influenced by the magical password-convolution technique, I switched to using my cat’s full name – or, rather, as many characters of my cat’s full name as a given site would digest without regurgitating a “too many characters” message.
To wit:
ChesterBonaparte,CatOfDistinction/ChairmanOfTheBoard:BiteyBallIndustries.
That’s a passphrase rather than a password.
If you’re reading news on a security site, you likely don’t use “Bella” or “password” as a password, but you most assuredly know people who do.
Talk them out of it. Talk them out of passphrases, too, no matter how unique.
Complicated passphrases still have to be remembered, and anything that has to be remembered tends to get reused between sites. Once a passphrase is reused, a crook who cracks it on one site has cracked it on all of them.
Talk your pet name-using acquaintances into password management software so they don’t have to concoct their own hard-to-guess passwords or passphrases and don’t feel the need to scribble down elaborate phrases.
Then, when you find them walking away without logging out, use all those Post-Its to plaster their screen with tsk-tsk messages.
(*Don’t hack into anybody’s account. It’s not nice and it’s illegal.)
Well, one or two of my older passwords in 2008/2009 did contain my pet's name… Yes, "bella", as well as a string of two words, and a 4-digit number, yeah… 2008, you got me…
Needless to say, I can quickly see myself changing those old passwords.
If I talk my "pet name-using acquaintances" into using a password vault or similar, I know for sure that it will be me that gets blamed when they lose the password vault master password or password database file (despite the fact that I will have told them to back it up after any changes).
Password repository software is only as good as the soft, squishy bit operating it. The same for any security solution.
As the rest of the survey suggests, people don't take security seriously. And to be fair, you only need to be better than the majority of other users to be relatively safe. There is so much low-hanging fruit for evil-doers to go after, why go for the difficult bits?
Don't hack into anybody's account. It's not nice/illegal.
Maybe:
It's not nice/legal
or
It's (not nice)/illegal
or: not-nice/illegal, employing, or perhaps inventing, the form of compound adjective?
What is the security record of software like LastPass! Or KeePass, or 1Password? How does this compare to the security of password storage functionality of browsers and email clients?
I use KeePassX and have been very happy with its functionality. I don't have any test data to give you (perhaps someone out there has done such a test), but my understanding is that KeePass and KeePassX encrypt their databases with AES. That is pretty good security on its own. But if you want to take it a step further, then you could always encrypt the storage media that you put your KeePass database onto.
I know that the default password storage in Firefox is easily hacked using Metasploit, but that if you set the Master Password option then it makes it much more secure.
When it comes to email clients, I actually store my Thunderbird profile on an encrypted partition (using TrueCrypt). I manually mount it when I am going to use it and dismount it later.
Ultimately, a password manager is only as secure as its user.
The "password storage" that comes with browsers and email clients isn't encrypted (I think Opera's can be, but it's still not great). So a hacker could get access to that data and cackle all the way to your bank. Real password managers encrypt and (should) salt the hashes. LastPass, KeePass and 1Password all use AES 256 (or better), and I know for sure that LastPass and KeePass salt the hashes. LastPass does not store the master password anywhere in their systems (which is why you can't recover it, but also why it's secure; you can't steal something that doesn't exist). LastPass supports Google 2-factor authentication. KeePass can use a key file and/or password for some form of 2-factor. LastPass is about the only reasonably safe way I've ever found for sharing a password with someone (in the rare cases where that is unavoidable and moderately appropriate). Passpack specializes in team password sharing, but costs money.
KeePass is totally local, so its vulnerability to hackers is dependent on the device it's on. LastPass and 1Password are both cloud-based, so there are some risks. LastPass was hacked in 2011, and hackers made off with hashed logins. But LastPass was very open and responsible with the disclosure, the account data was sanitized properly, and I never heard of or experienced any consequences past having to change my master password. They also made some good changes after that, and there are a lot of security settings you can choose to turn on that make it very, very hard to get into. And I'd trust any decent password manager over my own brain any day.
Yeah, for sure. Using software like KeePass is simple and secure!
And with malware (password stealers) around, you don't store any passwords in your browser or other software.
Considering how the mind works this is not surprising, as these types of passwords are easy to remember. However, knowing how the internet spies are operating and how easy it is to obtain someone's passwords, great care has to be taken in choosing a password.
If necessary, use all the characters on your keyboard and remember the order in which you used them. If you make notes until you remember your passwords, don't forget to secure your notes……
"Talk them out of it. Talk them out of passphrases, too, no matter how unique."
Why are you discouraging the use of passphrases? I thought those to be the more secure, especially if you chose something like "My keyboard loves to purr in the sand" which has no real meaning.
I can think of two possible arguments against passphrases. I don't know if these are what the author has in mind, though. These are, of course, beyond having a really poorly designed passphrase like "iamroot".
1) A passphrase that is simply a line taken from a book, movie, song, etc., might be guessable by a password cracking software.
2) If you use a passphrase which consists entirely of alphabetical characters, then you are decreasing the potential entropy of the password. Of course, that is only a problem if the attacker knows/guesses that you are using an entirely alphabetical password.
Yes, but also there's this: You need to have a unique passphrase for every site. Are you actually going to remember them all, or will you have to write them down? If you write them down, you're venturing into Post-It land.
How often do you recommend changing a password?
I set up Keepass with all my passwords. Then immediately forgot the password to get into it.
You mention password management software to securely store passwords but what about password hashing so you have strong passwords that you don't have to remember?
Salting and hashing are for the development side. Regular users don't have the power to instruct every site they visit to use salting/hashing, nor to vet how well they've implemented it. We see that pretty much every time we see a large breach: it's typically a mystery how they've protected passwords. Even if they mention hashing, it doesn't mean they've salted, which ideally makes for the strongest protection as I understand it.
The better way is to Salt and then use bcrypt (or similar) to hash the passwords.
MD5, SHA1 etc. were all created to be super fast on various types of hardware. bcrypt uses a modified Blowfish algorithm and has a "work factor" in it so you can tune it to take longer to hash passwords. 50ms isn't very long in user time, but when you're trying to crack a password it drastically increases the amount of time taken.
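The two halves of this thread, the article's point that "Bella" is the first thing a crook will try and the comment above about salting plus a tunable work factor, can be shown together in working code. The block below is an added example, not code from the article or from any of the products named on this page. bcrypt itself is a third-party package, so PBKDF2-HMAC-SHA256 from Python's standard library stands in for it; the salt-plus-cost idea is the same. The pet-name wordlist and the `pbkdf2_sha256$iterations$salt$hash` record layout are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed guess list: the survey's "pet's name" category plus the names and
# the word the article singles out. A real cracker uses a far larger wordlist,
# but this is all it takes for the passwords the survey describes.
PET_NAME_GUESSES = ["Bella", "Charlie", "Fido", "Binky", "Fluffy", "Max", "Molly", "password"]


def md5_store(password: str) -> str:
    """Unsalted, single-round MD5: the fast hash the comment warns against."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_crack(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """One cheap MD5 per guess. Identical passwords give identical digests, so a
    table of hashed guesses works against every user with no per-user work."""
    for guess in candidates:
        if md5_store(guess) == digest:
            return guess
    return None


def kdf_store(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus a tunable cost, bcrypt-style. PBKDF2-HMAC-SHA256
    from hashlib stands in for bcrypt here; the record layout is assumed."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(record: str, password: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def kdf_crack(record: str, candidates: Iterable[str]) -> Optional[str]:
    """Every guess now costs the full work factor, and the salt means the work
    cannot be precomputed or shared across users. A dictionary password such as
    'Bella' still falls; it just costs the attacker more per guess."""
    for guess in candidates:
        if kdf_verify(record, guess):
            return guess
    return None


def seconds_per_guess(iterations: int, trials: int = 5) -> float:
    """Measure the attacker's per-guess cost at a given work factor (machine-dependent)."""
    record = kdf_store("Wiggins", iterations)
    start = time.perf_counter()
    for _ in range(trials):
        kdf_verify(record, "not-the-password")
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    weak = md5_store("Bella")
    print("unsalted MD5 of 'Bella' cracked as:", md5_crack(weak, PET_NAME_GUESSES))

    strong = kdf_store("Bella")
    print("salted PBKDF2 of 'Bella' cracked as:", kdf_crack(strong, PET_NAME_GUESSES))
    print("same password, two users, different records:", kdf_store("Bella") != kdf_store("Bella"))

    for iters in (1_000, 100_000):
        print(f"{iters:>7} iterations: {seconds_per_guess(iters) * 1000:.1f} ms per guess")
```

Run it and the timing lines make the work-factor argument concrete: raising the iteration count multiplies the cost of every guess, which a user logging in once barely notices and an attacker running billions of guesses cannot ignore. The other line is the article's lesson: "Bella" is cracked either way, so a slow hash on the server is no substitute for a password nobody can guess.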
As a people, are we seriously still this daft..? Don't answer that…
I think that just because some people don't "get" computer security the way that we do, it does not make them unintelligent or "daft". I personally know physicists who understand complex mathematics and complicated systems within their field of study, yet who profess to me that they are not very capable with computers. Not surprisingly, this does tend to be people who are of an older generation. I have also seen this kind of thing with medical doctors and with lawyers.
The trouble with these articles is that they never address the key issue. I mean, what if I use my cat's name? I never talk to anyone about my cat, the only people who know my cat's name aren't going to be working in this building, and the cat isn't called 'Fluffy, Charlie or Bella', and I reckon if I gathered 100 people in a room and gave them a day to come up with his name, it would take a long time before anyone guessed it. Not quite as long as a team of monkeys writing Shakespeare perhaps, but still…
Not walking away without locking your screen etc. are all reasonable expectations and should be encouraged but if a Hacker has password breaking software that goes through a couple of billion words / digit combinations then I guess this thing is going to happen and all we're doing is making it more difficult.
Anyway, enough of a gripe, I'm off home to feed Wiggins…OOPS!
The issue isn't time, it's risk. You can use your cat's name. But if a hacker thinks Blagg has some data on his PC he wants, he will get to it if he only has to crack a password like "Fluffy76". Are you willing to risk your data, or would you rather have a complex password and other security measures in place?
Also discouraging more PC security isn't helping the situation.
well, not me, buttcheekasaurus rex is too long, so i cant use it for passwords sometimes
Prometric's Password is "aptc".
OOPS!
These people need to make a stronger password, period.