'Trivial' Passwords Enabled Huge Hack
pcworld.com ^ | Jan 23, 2010 | John E. Dunn

Posted on 01/23/2010 7:59:06 AM PST by TaxPayer2000

The hackers who stole and published 33 million passwords from the Rockyou.com website in December needn't have bothered, a security company has revealed. Many of them were so trivial they could have been guessed anyway.

According to a new analysis of the hacked passwords, the most popular password used on the Rockyou site was '123456'. Ridiculously, the second most popular password was '12345' closely followed (in order) by '12345687', 'Password', 'iloveyou', 'princess', and the imaginative 'rockyou'.

To put the use of '123456' into perspective, it was used on 290,731 accounts out of the nearly 33 million, which sounds small until Imperva reveals that the top 20 passwords were all equally transparent, and around 20 percent of the 5,000 most popular passwords were "names, slang words, dictionary words or trivial passwords." In 20th place, 13,856 accounts secured themselves with the word 'QWERTY'.

~SNIP~

"If a hacker would have used the list of the top 5,000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9 percent of the users' passwords or a rate of one success per 111 attempts," say its authors.

"At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1,000 accounts. And the problem is exponential,"

~SNIP~

Such hacking would have had rewards beyond Rockyou -- it is believed that the same passwords on the Rockyou accounts were defaults for user webmail accounts on Gmail, Yahoo, Hotmail, and others.

~SNIP~

"Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like '123456'," said Imperva's CTO, Amichai Shulman.

(Excerpt) Read more at pcworld.com ...


TOPICS: Business/Economy; Crime/Corruption; News/Current Events
1 posted on 01/23/2010 7:59:07 AM PST by TaxPayer2000
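The arithmetic behind the quoted figures (0.9 percent of accounts covered by a top-5,000 list, one success per 111 guesses, about 17 minutes per 1,000 accounts) is easy to reproduce, and the same frequency list doubles as a denylist for a registration form. The script below is an added example, not the article's or Imperva's code; the password counts and population size are constructed so that the top eight entries cover exactly 0.9 percent of accounts.

```python
"""Added example: measure how much of a user base a top-N password list covers,
and reject new passwords that fall on that list.  The counts are constructed
for illustration and are not the RockYou data."""
from collections import Counter

# Constructed sample: password -> number of accounts using it.
SAMPLE_COUNTS = Counter({
    "123456": 1000, "12345": 500, "123456789": 400, "password": 350,
    "iloveyou": 300, "princess": 200, "rockyou": 150, "qwerty": 70,
})
TOTAL_ACCOUNTS = 330_000  # constructed population size


def coverage(counts, total, top_n):
    """Fraction of all accounts whose password is among the top_n most common."""
    covered = sum(c for _, c in counts.most_common(top_n))
    return covered / total


def attempts_per_success(counts, total, top_n):
    """Expected guesses per compromised account when every account receives one
    guess drawn from the top_n list (the article's 'one success per 111 attempts')."""
    return 1 / coverage(counts, total, top_n)


def compromise_rate(counts, total, top_n, guesses_per_second):
    """Accounts compromised per second at a given online guess rate, and the
    seconds needed to reach 1,000 accounts (the article's 'just less than 17 minutes')."""
    per_sec = guesses_per_second * coverage(counts, total, top_n)
    return per_sec, 1000 / per_sec


class BreachedPasswordPolicy:
    """Defender side: refuse any candidate on the top_n list.  Comparison is
    case-insensitive and also strips trailing digits, so 'Password1' is rejected
    along with 'password'; all-digit candidates are rejected outright because
    the head of every such list is digit strings."""

    def __init__(self, counts, top_n):
        self.denylist = {p.lower() for p, _ in counts.most_common(top_n)}

    def is_allowed(self, candidate):
        lowered = candidate.lower()
        base = lowered.rstrip("0123456789")
        if not base:
            return False
        return lowered not in self.denylist and base not in self.denylist
```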

To: TaxPayer2000
most popular password used on the Rockyou site was '123456'

Sounds like a pwd that someone would use on their luggage.

2 posted on 01/23/2010 8:01:24 AM PST by C210N (A government big enough to give you everything you want, is big enough to take everything you have)

To: TaxPayer2000

It is imperative that you use strong passwords everywhere, all the time, and change them.


3 posted on 01/23/2010 8:01:42 AM PST by gibtx2 (keep up the good work I am out of work but post 20 a month to this out of WF Check)

To: TaxPayer2000

Thus proving people are morons.

Other popular passwords include birthdates, social security numbers, and spouse/children’s names.

Don’t use them. :P


4 posted on 01/23/2010 8:03:29 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: C210N
Sounds like a pwd that someone would use on their luggage.

"Holy cow! That's the same combination that I have on my luggage!"


5 posted on 01/23/2010 8:07:26 AM PST by Bloody Sam Roberts (An armed man is a citizen. An unarmed man is a subject.)

To: TaxPayer2000

There needs to be a new method for securing various sites rather than the simple password. The real problem is that for many there are multiple sites all requiring a password, and in some cases a requirement they change often.

How is a person supposed to keep track of all the various passwords, by memory? Of course people are going to use simple passwords.

Perhaps what is needed is a USB type device that can generate and keep track of complicated passwords. You plug the device in, use your password to access the device (or better yet, use a fingerprint to confirm your ID to the device) and then the device signs on to the site you want to access.

If someone does not have your USB device it should be set up that even with a password they can not sign on.

I would pay for that type of security.

As it is, I need to keep a book with all my various usernames and passwords because I have so many I can not remember them all.


6 posted on 01/23/2010 8:10:01 AM PST by CIB-173RDABN

To: TaxPayer2000

At the very least you should have one capital letter, one number and one character like ! in any password. I recently updated my anti-virus program and was prompted to change and modify all my passwords to more secure variations.


7 posted on 01/23/2010 8:11:39 AM PST by The Great RJ ("The problem with socialism is that you eventually run out of other people's money." M. Thatcher)

To: Bloody Sam Roberts

Argh. You guys beat me to it.


8 posted on 01/23/2010 8:12:14 AM PST by chargers fan

To: Spktyr
Don’t use them. :P

I use filthy, foul-languaged phrases with numerals and punctuation marks substituted for regular letters. All at least 12 characters long. "1W@nt2........." or maybe "1L!ket0......" or something similar.
Makes 'em easy to remember.

9 posted on 01/23/2010 8:13:14 AM PST by Bloody Sam Roberts (An armed man is a citizen. An unarmed man is a subject.)

To: TaxPayer2000

It depends on whether security is important or not. I use the same password on all web sites where all you do is chat and post comments.

If you start to see strange comments here under my nic, then some hacker has guessed my password!


10 posted on 01/23/2010 8:13:18 AM PST by proxy_user

To: gibtx2

It is imperative that societies begin treating hackers the same as forced entry home robbers. Identity thieves are guilty of Grand Larceny.

If the cops can confiscate autos, boats & airplanes of drug dealers, then the victims of Identity Theft should be allowed to do likewise to hackers.

Sure, they are difficult to find. However, a Bounty Hunter system should allow entrepreneurs to make a buck or two. After we get the hackers under control, we then apply the system to ambulance chasing lawyers.

“The Law firm of Stinkpot, Stinkpot & Sleazeball is not licensed in the State of New Jersey. Your case may be referred. etc, etc, etc.”

Next comes the EPA with its “endangered desert rat”, spotted owl, etc....


11 posted on 01/23/2010 8:14:04 AM PST by BwanaNdege

To: TaxPayer2000

“711hasTHEbestdonuts!” is a great password as it uses caps, numbers, symbols, is long, but easy to remember. I know this only ‘cuz I found it written on a piece of paper under my 480 lb ex-boss’s keyboard. (True story.)


12 posted on 01/23/2010 8:14:21 AM PST by LittleBillyInfidel (''If you look good and speak well, people will buy anything.'' - Criswell in ED WOOD.)

To: TaxPayer2000

bosco


13 posted on 01/23/2010 8:16:55 AM PST by steveo (2010 never again)

To: CIB-173RDABN
How is a person suppose to keep track of all the various passwords, by memory?

Download a piece of freeware called PINs. I use it and keep it on a thumbdrive or two. It is a database where you can keep a collection of passwords, credit card numbers, website addresses with your account names and passwords. All protected and accessible with one password. Make it a very secure and tough password to crack. All you need to do is remember the one password.

14 posted on 01/23/2010 8:17:01 AM PST by Bloody Sam Roberts (An armed man is a citizen. An unarmed man is a subject.)

To: TaxPayer2000
If sites would let you use any password you want without restrictions this wouldn't be such a problem.

BUT when they make me use 7 or 9 letters and especially if they make me use at least one number, I have to keep it simple just to remember it.

15 posted on 01/23/2010 8:17:52 AM PST by TexasFreeper2009 (Obama lied, the economy died)

To: CIB-173RDABN
Everything you describe already exists. There are plenty of password keepers out there that encrypt your passwords on your computer or store them encrypted on that particular company's server.
16 posted on 01/23/2010 8:23:15 AM PST by tomh68

To: CIB-173RDABN

This already exists, it’s called KeePass. Use on a USB drive, it will generate random passwords using whatever characters you like, keep them available to you, and is very easy to use. Best of all it is free here:

http://keepass.info/


17 posted on 01/23/2010 8:24:34 AM PST by Second Amendment First

To: TaxPayer2000

“Rosebud.....”


18 posted on 01/23/2010 8:26:28 AM PST by ladyvet (WOLVERINES!!!!!)

To: C210N
Sounds like a pwd that someone would use on their luggage.

Uh. I have on my briefcase...

19 posted on 01/23/2010 8:26:36 AM PST by null and void (We are now in day 367 of our national holiday from reality. - 0bama really isn't one of US.)

To: CIB-173RDABN

There’s something like that already. You can use the KeePass password manager on a USB stick. The program and its encrypted database reside entirely on the USB stick, supposedly leaving no trace on the computer you use it on when done.


20 posted on 01/23/2010 8:28:36 AM PST by shorty_harris