About a year ago, Google Apps did a survey of 2,000 people and found that their Fluffies and their Fidos were at the very top of the list of the most common passwords.
(Pet name trivia: In the US, “Bella” was the top pet name for both dogs and cats. “Charlie” was big in the UK. Australians liked to name their pets “Max”.)
At the time, I wrote that anybody who’s reading news on a security site was unlikely to use a commonly used password – be it “Bella”, the word “password”, your kid’s name or your current partner’s name – as a password.
If I could, I would jump in the wayback machine and change that sentiment, given what’s been newly revealed by the infamous Jeremy Hammond.
Hammond, you might recall, is the Anonymous-affiliated attacker who’s now serving a 10-year prison term – the maximum allowed under his plea agreement last year – for attacking the security intelligence services company Stratfor and stealing some 60,000 addresses, credit cards and names of customers, which wound up being posted publicly.
Those customers included the likes of Northrop Grumman, the Marine Corps and Time Warner Cable.
According to court records, the attackers not only posted what they claimed to have been about 5 million emails between Stratfor employees and clients on the WikiLeaks website; they also used some of the credit card numbers to donate money to the Red Cross.
In total, the attackers used the credit cards to rack up $700,000 in fraudulent donations to non-profit groups.
The notorious Hammond sat down recently in a drab cinderblock visiting room to talk to the Associated Press about why and how he did what he did.
First of all, it was crazy stupid easy to take Stratfor down, he said.
As Stratfor CEO George Friedman admitted after the breach, basic security was lacking: customer credit card files, in fact, weren’t encrypted.
Hammond was “like a kid in a candy shop”, the AP says, quoting him about how surprising the lack of security was:
I was like damn man, this is crazy.
Hammond was talented from a young age. He was designing video games at the age of eight, creating databases by the age of 13, and winning first place in a district-wide science competition for a computer program he designed in high school.
How, then, did the Feds crack Hammond’s defenses and garner the evidence they needed to send the young man they called (rightfully) a recidivist cyber attacker back to prison?
He’s not sure. But he has an idea.
His password, he told AP, was “really weak”.
In fact, it was the name of his cat, “Chewy”.
His password, he told the reporter, looking down at his hands: “Chewy 123”.
And thus we have Chewy 123: one fuzzy, four-legged reason among many why we hammer home, over and over, the gospel of password complexity, originality and uniqueness, and why I will never again assume that people who are astute about security are above using easily guessed passwords.
If you’re guilty of pet-passwording, or even just guilty of using weak passwords, here’s how to pick a proper password:
[Video: how to pick a proper password]
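The "Chewy 123" pattern the article describes (a pet name or dictionary word with a few digits tacked on) is exactly the kind of thing a password-acceptance check can refuse before it ever reaches an attacker. The following is an added example, not code from the original post or from Sophos: it strips the decoration off a candidate password, undoes a few common character substitutions, and rejects anything whose core is a common name or word, or that is too short. The word list, the substitution table and the 14-character minimum are assumptions chosen for illustration; a real deployment would use a large dictionary and a breach-derived list of common passwords.

```python
import re

# Constructed sample list for the example. A real check would load a large
# dictionary plus a breach-derived list of the most common passwords.
COMMON_WORDS = {"bella", "charlie", "max", "chewy", "fluffy", "fido", "password"}

# Assumed table of "disguise" substitutions people apply to a word
# (p@ssw0rd -> password). Extend as needed for your own policy.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})

MIN_LENGTH = 14  # assumed policy value, not from the article


def core_word(password: str) -> str:
    """Return the word a password is built on.

    Lower-cases the input, strips digits, spaces and punctuation from either
    end, then undoes simple leet substitutions, so 'Chewy 123' -> 'chewy'
    and 'P@ssw0rd' -> 'password'.
    """
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def assess_password(password: str,
                    common_words: set[str] = COMMON_WORDS,
                    min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of reasons a password should be rejected (empty if none)."""
    reasons = []
    core = core_word(password)
    if core in common_words:
        reasons.append(f"built on the common word {core!r}")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def is_acceptable(password: str) -> bool:
    """True when the policy check raises no objections."""
    return not assess_password(password)


if __name__ == "__main__":
    # Constructed candidates: the article's example, a disguised dictionary
    # word, and a long multi-word passphrase.
    for candidate in ("Chewy 123", "P@ssw0rd", "correct horse battery staple"):
        verdict = assess_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The check deliberately looks at the stripped core rather than the raw string: "Chewy 123", "chewy!", and "Ch3wy2014" all reduce to the same pet name, and a policy that only counted characters or required a digit would wave every one of them through.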