April 17, 2014

What were the 25 worst passwords of 2012

(LiveHacking.Com) – This year has seen many high profile data breaches, including Yahoo and LinkedIn, where user information, including passwords, has been taken from supposedly secure servers. The humble password remains the single most used method of authentication and is used for a whole range of services including email, online payment systems and online shopping. The problem is that there is still a large portion of people who don’t take passwords seriously.

SplashData has published its annual “25 Worst Passwords of the Year” list and, unsurprisingly, last year’s top three passwords, “password,” “123456,” and “12345678,” still hold the top three spots in 2012. These aren’t imaginary passwords or passwords to unlock a screen saver on the kids’ PC; these are real passwords compiled from files of stolen passwords posted online by hackers.

There are, however, some new entries in the top 25 this year, including “welcome”, “ninja”, “mustang” and “password1”. But they only continue to show the lack of imagination people have when creating a new password.

According to howsecureismypassword.net, a modern cracking system can break an 8-letter password made up of lowercase letters in less than a minute, whereas a 10-character password made up of uppercase letters, lowercase letters, symbols and numbers would take 58 years!

Therefore I recommend that you use passwords of at least 10 characters with mixed case, digits and symbols. The perfect 10-character password would be something like sKy12get33%; however, that can be hard to remember. An easier-to-remember password which fulfills these criteria might be something like gon3%Home!

You should always avoid using the same username and password combination for multiple websites. This year when LinkedIn was hacked, the biggest danger was not unauthorized access to LinkedIn (as it quickly forced users to change their passwords) but rather that, if the same username and password were used elsewhere, cyber-criminals could gain access to email accounts or services like eBay.

Here is the full top 25 list of passwords you should definitely avoid!

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

Cambridge University Study Says That Multi Word Passphrases Not As Secure As You Might Think

(LiveHacking.Com) – It is conventional wisdom that the more complex a password is, the harder it is for hackers to crack. This has led online users to start using multi-word passphrases (rather than single-word passwords) for account authentication. Multi-word passphrases are easier to remember than completely random password strings and have the supposed added advantage that they are just as secure. However, research from the Computer Laboratory at the University of Cambridge suggests that this might not be the case. Although multi-word passphrases could be as secure as random password strings, it is important to evaluate actual user choices of passwords, not theoretical passphrase possibilities.

The research paper, by Joseph Bonneau and Ekaterina Shutova, studied data taken from the now-defunct Amazon PayPhrase system (which was only available in the US) to learn how people choose passphrases in general. The pair then set about trying to guess the passphrases using a dictionary attack based on movie titles, sports team names, and other types of proper nouns taken from Wikipedia. Using this method the researchers cracked about 8,000 phrases.

Applying some clever mathematics, the results show that passphrases provide the equivalent of 20-bit security against an attacker trying to compromise 1% of available accounts. Normal passwords provide under 10 bits when using the same maths, so clearly passphrases are better, but not enough to make online dictionary attacks impractical unless proper rate-limiting is used by the online service.
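The "20 bits against an attacker compromising 1% of accounts" figure is a partial-guessing metric: count how many of the most popular choices an attacker has to try before a given fraction of accounts falls, and express that as bits. The block below is an added example, not code from LiveHacking.Com or from the Cambridge paper; it implements the alpha-work-factor as I understand it from Bonneau's password-guessing work (the article does not spell the formula out, so treat that as an assumption), runs it over a constructed, skewed password distribution, and sets it beside the brute-force search space behind the 8-letter and 10-character figures from the first article.

```python
"""Partial-guessing strength of a password distribution vs. a uniform one.

Constructed example (not code from LiveHacking.Com or the Cambridge paper):
the per-password counts used here are made up purely to illustrate the metric.
"""
from math import log2


def alpha_work_factor(counts, alpha):
    """Return (mu, lam): mu is how many of the most popular passwords an
    attacker must try to break at least a fraction alpha of accounts, and
    lam is the fraction actually broken after those mu guesses."""
    total = sum(counts)
    probs = sorted((c / total for c in counts), reverse=True)
    covered = 0.0
    for guesses, p in enumerate(probs, start=1):
        covered += p
        if covered >= alpha:
            return guesses, covered
    return len(probs), covered


def partial_guessing_bits(counts, alpha):
    """Effective bits of security against an attacker who stops once a
    fraction alpha of accounts has fallen: log2 of guesses per success,
    so a uniform choice over N secrets scores exactly log2(N) for any alpha."""
    mu, lam = alpha_work_factor(counts, alpha)
    return log2(mu / lam)


def uniform_bits(alphabet_size, length):
    """Bits of a truly random password of the given length and alphabet
    (the search space that cracking-time estimates are based on)."""
    return length * log2(alphabet_size)


def zipf_counts(distinct, top_count):
    """Constructed skewed distribution: the i-th most common password is
    used by about top_count / i accounts, roughly as leaked lists look."""
    return [top_count // i for i in range(1, distinct + 1)]


if __name__ == "__main__":
    # Constructed corpus: 10,000 distinct passwords, the top one reused 100,000 times.
    leaked = zipf_counts(10_000, 100_000)
    print(f"skewed corpus, 1% attacker:   {partial_guessing_bits(leaked, 0.01):.1f} bits")
    print(f"same corpus if chosen uniformly: {log2(len(leaked)):.1f} bits")
    print(f"8 random lowercase letters:    {uniform_bits(26, 8):.1f} bits")
    print(f"10 random chars, 95 symbols:   {uniform_bits(95, 10):.1f} bits")
```

Because the top handful of passwords in a skewed corpus already cover more than 1% of accounts, the 1% attacker needs only a guess or two per success, which is why real password sets score far below the search-space figure for the same number of distinct values.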

Some clear trends emerged—people strongly prefer phrases which are either a single modified noun (“operation room”) or a single modified verb (“send immediately”). These phrases are perhaps easier to remember than phrases which include a verb and a noun and are therefore closer to a complete sentence. Within these categories, users don’t stray too far from choosing two-word phrases the way they’re actually produced in natural language. That is, phrases like “young man” which come up often in speech are proportionately more likely to be chosen than rare phrases like “young table.”