About a year ago, Google Apps did a survey of 2,000 people and found that their Fluffies and their Fidos were at the very top of the list of the most common passwords.
(Pet name trivia: In the US, “Bella” was the top pet name for both dogs and cats. “Charlie” was big in the UK. Australians liked to name their pets “Max”.)
At the time, I wrote that anybody who’s reading news on a security site was unlikely to use a commonly used password – be it “Bella”, the word “password”, your kid’s name or your current partner’s name – as a password.
If I could, I would jump in the wayback machine and change that sentiment, given what’s been newly revealed by the infamous Jeremy Hammond.
Hammond, you might recall, is the Anonymous-affiliated attacker who’s now serving a 10-year prison term – the maximum allowed under his plea agreement last year – for attacking the security intelligence services company Stratfor and stealing some 60,000 addresses, credit cards and names of customers, which wound up being posted publicly.
Those customers included the likes of Northrop Grumman, the Marine Corps and Time Warner Cable.
According to court records, the attackers not only posted what they claimed to have been about 5 million emails between Stratfor employees and clients on the WikiLeaks website; they also used some of the credit card numbers to donate money to the Red Cross.
In total, the attackers used the credit cards to rack up $700,000 in fraudulent donations to non-profit groups.
The notorious Hammond sat down recently in a drab cinderblock visiting room to talk to the Associated Press about why and how he did what he did.
First of all, it was crazy stupid easy to take Stratfor down, he said.
As Stratfor CEO George Friedman admitted after the breach, basic security was lacking: customer credit card files, in fact, weren’t encrypted.
Hammond was “like a kid in a candy shop”, the AP says, quoting him about how surprising the lack of security was:
I was like damn man, this is crazy.
Hammond was talented from a young age. He was designing video games at the age of eight, creating databases by the age of 13, and winning first place in a district-wide science competition for a computer program he designed in high school.
How, then, did the Feds crack Hammond’s defenses and garner the evidence they needed to send the young man they called (rightfully) a recidivist cyber attacker back to prison?
He’s not sure. But he has an idea.
His password, he told AP, was “really weak”.
In fact, it was the name of his cat, “Chewy”.
His password, he told the reporter, looking down at his hands: “Chewy 123”.
And thus, we have Chewy 123: one fuzzy, four-legged reason among many why we hammer home, over and over, the gospel of password complexity, originality and uniqueness, and why I will never again assume that people who are astute about security are above using easily guessed passwords.
If you’re guilty of pet-passwording, or even just guilty of using weak passwords, here’s how to pick a proper password:
[Video: how to pick a proper password, also available on YouTube]
Image of cat on computer and cat on keyboard courtesy of Shutterstock.
I’m not a wizard, but I retired from a lead programming job and as a reserve police officer, so I have experience in some odd things. Guess it’s a jack of all trades, master of none. However, I had around 50 machines that I had to access; many had a unique OS, and therefore software to support passwords was, realistically, impossible to get, even if you wrote it yourself.
Add to this that, even in this day, I’ve run into sites that limit passwords to 8 characters (thought this went out with PCs in the ’80s), but I’m sure it’s the ol’ 370 world that creeps in here. Then there are the ones that won’t let you use some of the special characters like !, #, & and *…
What I’m driving at is: yes, it’s poor to secure something the way most of us do, but the way things are now it’s very difficult to get things to different machines, and with most of the programs like ‘keypass’ they generate really random keys, and if you can’t port the key database, you are pretty hosed up.
I’m just trying to point out that it’s more than difficult to do what you are asking until we get better tools to do this and learn to use them. At least in my world. I would think you people would have to access many different machines; how do you really support that? Or do you? Ask your IT group and compare the machines, OSes, length of passwords and so forth and see if they are up to this task also. This has been a struggle for over 30 years for me; as much as I understand, I still have difficulty making it work across the few machines I have and the web sites or banking services that I have to use.
I agree that we’re asking the user to compensate for poorly designed back-end systems, and they shouldn’t have to. But since we’re only rarely told how our passwords are being stored, the safest thing we can do is to assume they’re terrible and try to make better passwords.
The explosion of passwords is precisely why single sign-on systems like OpenID are a good idea. Let site owners who don’t care, or who run sites users won’t care about, all just get directed to one sign-on provider whose existence depends on them caring. Cheaper and safer for everyone.
For now, password management is a large reason why I have a smart phone. Though they’ve had some issues, I like using LastPass (with seriously locked down settings) because I can access it from any computer with a web browser, or use it on my phone if necessary. I’ve also used KeePass stored in Dropbox for a similar purpose in the past. Though the moment you trust passwords to the cloud you really do have to methodically lock down all the settings you can. But I knew that I’d get lazy and reuse passwords if I didn’t have easy access to them, and decided for myself that was even worse. I also know people that write them down in locked diaries and carry them around with them. Worse physical security, but harder for remote hackers to get to. Depends who you’re most afraid of.
Chewy 123? He wanted to be caught.
8 characters, upper and lower case letters, and numbers?
More complex than a lot of other passwords in use by the general public!