April 17, 2014

What were the 25 worst passwords of 2012?

(LiveHacking.Com) – This year has seen many high profile data breaches, including Yahoo and LinkedIn, where user information, including passwords, has been taken from supposedly secure servers. The humble password remains the single most used method of authentication and is used for a whole range of services including email, online payment systems and online shopping. The problem is that there is still a large portion of people who don’t take passwords seriously.

SplashData has published its annual “25 Worst Passwords of the Year” list and, unsurprisingly, last year’s top three passwords, “password,” “123456,” and “12345678,” still hold the top spots in 2012. These aren’t imaginary passwords or passwords to unlock a screen saver on the kids’ PC; these are real passwords compiled from files of stolen passwords posted online by hackers.

There are, however, some new entries in the top 25 this year, including “welcome”, “ninja”, “mustang” and “password1”. But they only go to show the lack of imagination people have when creating a new password.

According to howsecureismypassword.net, a modern cracking system can break an 8-letter password made up of lowercase letters in less than a minute, whereas a 10-character password made up of uppercase letters, lowercase letters, symbols and numbers would take 58 years!

Therefore I recommend that you use passwords of at least 10 characters with mixed case, digits and symbols. The perfect 10-character password would be something like sKy12get33%; however, that can be hard to remember. An easier-to-remember password which fulfils these criteria might be something like gon3%Home!

You should always avoid using the same username and password combination for multiple websites. This year, when LinkedIn was hacked, the biggest danger was not unauthorized access to LinkedIn (as it quickly forced users to change their passwords) but rather that, if the same username and password were used elsewhere, cyber-criminals could gain access to email accounts or services like eBay.

Here is the full top 25 list of passwords you should definitely avoid!

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

Cambridge University Study Says That Multi Word Passphrases Not As Secure As You Might Think

(LiveHacking.Com) – It is conventional wisdom that the more complex a password is, the harder it is for hackers to crack. This has led online users to start using multi-word passphrases (rather than single-word passwords) for account authentication. Multi-word passphrases are easier to remember than completely random password strings and have the supposed added advantage that they are just as secure. However, research from the Computer Laboratory at the University of Cambridge suggests that this might not be the case. Although multi-word passphrases could be as secure as random password strings, it is important to evaluate actual user choices of passphrase, not theoretical passphrase possibilities.

The research paper, by Joseph Bonneau and Ekaterina Shutova, studied data taken from the now-defunct Amazon PayPhrase system (which was only available in the US) to learn how people choose passphrases in general. The pair then set about trying to guess the passphrases using a dictionary attack based on movie titles, sports team names, and other types of proper nouns taken from Wikipedia. Using this method the researchers cracked about 8,000 phrases.

Applying some clever mathematics, the results show that passphrases provide the equivalent of 20-bit security against an attacker trying to compromise 1% of available accounts. Normal passwords provide under 10 bits using the same maths, so clearly passphrases are better, but not by enough to make online dictionary attacks impractical unless proper rate-limiting is used by the online service.

Some clear trends emerged—people strongly prefer phrases which are either a single modified noun (“operation room”) or a single modified verb (“send immediately”). These phrases are perhaps easier to remember than phrases which include a verb and a noun and are therefore closer to a complete sentence. Within these categories, users don’t stray too far from choosing two-word phrases the way they’re actually produced in natural language. That is, phrases like “young man” which come up often in speech are proportionately more likely to be chosen than rare phrases like “young table.”
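The post does not spell out the mathematics behind the “20 bits against an attacker compromising 1% of accounts” figure. The metric Bonneau uses for that kind of statement is the α-work-factor: sort the observed choices by popularity, count how many guesses per account an attacker needs before the covered probability mass reaches α, and normalise to bits so that a uniform choice among N phrases scores log2(N) for any α. The block below is an added example written for this page, not the paper’s code; the Zipf-shaped popularity list it builds is constructed, and the `zipf_counts` helper and its parameters are this example’s own.

```python
import math


def alpha_work_factor(counts, alpha):
    """Bonneau's alpha-work-factor of an observed choice distribution.

    counts: number of users who chose each distinct passphrase (any order).
    alpha:  fraction of accounts the attacker wants to compromise, 0 < alpha <= 1.
    Returns (mu, lam): mu is the number of guesses per account an optimal
    attacker (most popular choice first) needs before the covered probability
    mass lam first reaches alpha.
    """
    if not 0 < alpha <= 1:
        raise ValueError("alpha must be in (0, 1]")
    total = sum(counts)
    covered = 0.0
    for guesses, count in enumerate(sorted(counts, reverse=True), start=1):
        covered += count / total
        if covered >= alpha - 1e-12:      # small tolerance for float summation
            return guesses, covered
    return len(counts), covered           # only reachable through rounding


def alpha_work_factor_bits(counts, alpha):
    """Bits-equivalent log2(mu / lam): a uniform choice among N phrases gives
    log2(N) for every alpha, so this is the number comparable to '20 bits'."""
    mu, lam = alpha_work_factor(counts, alpha)
    return math.log2(mu / lam)


def shannon_bits(counts):
    """Shannon entropy of the same distribution; it is inflated by the long tail
    of rare choices that an attacker compromising 1% of accounts never needs."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def zipf_counts(distinct, top_count, exponent=1.0):
    """Constructed sample: a Zipf-shaped popularity list of `distinct` phrases,
    the most popular chosen by `top_count` users and the tail by one user each."""
    return [max(1, int(top_count / rank ** exponent)) for rank in range(1, distinct + 1)]


if __name__ == "__main__":
    sample = zipf_counts(distinct=50_000, top_count=2_000)
    for alpha in (0.01, 0.1, 0.5):
        mu, lam = alpha_work_factor(sample, alpha)
        print(f"alpha={alpha:.2f}: {mu:6d} guesses/account cover {lam:.3f} of users; "
              f"{alpha_work_factor_bits(sample, alpha):.1f} bits")
    print(f"Shannon entropy of the same sample: {shannon_bits(sample):.1f} bits")
```

Running it on the constructed sample shows why the metric matters for the rate-limiting point: the first guess alone already covers more than 1% of users, so the 1%-attacker score is a handful of bits even though the Shannon entropy of the same data is far higher. The `mu` value is the number of attempts per account an online service has to absorb before the attack succeeds, which is exactly what a rate limit has to keep small.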

The Fedora Project Asks Users to Change Their Passwords to Preempt Hacking Attempts

(LiveHacking.Com) - There have been a large number of high-profile open source sites which have suffered security breaches in recent months (including The Linux Foundation and kernel.org). The latest of these happened just a few days ago, when hackers used phpMyAdmin to access the WineHQ project’s database and steal users’ appdb and bugzilla access credentials.

In a preemptive move, the Fedora Project is asking all existing users of the Fedora Account System (FAS) to change their password and upload a NEW ssh public key before 2011-11-30.

The project is also using the opportunity to enforce some new password rules to make them harder to guess:

  • Nine or more characters with lower and upper case letters, digits and punctuation marks.
  • Ten or more characters with lower and upper case letters and digits.
  • Twelve or more characters with lower case letters and digits.
  • Twenty or more characters with all lower case letters.
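The four Fedora rules above, the SplashData top-25 list from the first post, and that post’s reasoning about search space and cracking time can be combined into one policy check. The following is an added example written for this page, not the Fedora Account System’s own code. Its assumptions: “punctuation marks” means the 32 ASCII punctuation characters, a character mix the rules do not list (upper case only, say) is rejected, the worst-25 comparison is case-insensitive, and the time estimate uses a constructed rate of four billion guesses per second rather than whatever howsecureismypassword.net assumed.

```python
import math
import string

# The 25 passwords from the SplashData list quoted in the first post.
WORST_25 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567", "sunshine",
    "master", "123123", "welcome", "shadow", "ashley", "football", "jesus",
    "michael", "ninja", "mustang", "password1",
}

# Character classes. Assumption: "punctuation marks" are the 32 ASCII punctuation chars.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}

# Minimum length per character mix, from the four Fedora rules quoted above.
# Mixes not listed there are rejected: this example's choice, not a stated rule.
MIN_LENGTH = {
    frozenset({"lower", "upper", "digit", "symbol"}): 9,
    frozenset({"lower", "upper", "digit"}): 10,
    frozenset({"lower", "digit"}): 12,
    frozenset({"lower"}): 20,
}


def classes_used(password):
    """Which of the four classes occur in the password."""
    return frozenset(name for name, chars in CLASSES.items()
                     if any(c in chars for c in password))


def search_space(password):
    """Brute-force search space implied by the length and the classes actually used."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second=4_000_000_000):
    """Time to try the whole search space at an assumed (constructed) guess rate."""
    return search_space(password) / guesses_per_second


def check_password(password):
    """Return (accepted, reason) for the combined blacklist-plus-length policy."""
    if password.lower() in WORST_25:
        return False, "in the 25 worst passwords list"
    if any(not any(c in chars for chars in CLASSES.values()) for c in password):
        return False, "contains characters outside the four supported classes"
    minimum = MIN_LENGTH.get(classes_used(password))
    if minimum is None:
        return False, "character mix is not one the rules allow"
    if len(password) < minimum:
        return False, f"needs at least {minimum} characters for this character mix"
    bits = math.log2(search_space(password))
    return True, f"accepted ({bits:.1f} bits of search space)"


if __name__ == "__main__":
    for candidate in ["password", "Password1", "abcdefgh", "gon3%Home!", "sKy12get33%"]:
        ok, why = check_password(candidate)
        hours = seconds_to_exhaust(candidate) / 3600
        print(f"{candidate:14} {'OK' if ok else 'NO'}  {why}; "
              f"{hours:.3g} hours to exhaust at 4e9 guesses/s")
```

Note that the search-space figure is an upper bound on attacker effort, not a measure of how users actually choose: “Password1” passes every length rule and still fails because the list check runs first, which is the point both posts make.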

Finally the project administrators are warning that any user who fails to update their password may have their account marked as inactive.

New version of Elcomsoft Distributed Password Recovery

A new version of Elcomsoft Distributed Password Recovery has been released. The new version is able to queue attacks on multiple password-protected files.

Elcomsoft Distributed Password Recovery is a high-end solution for forensic and government agencies, data recovery and password recovery services and corporate users with multiple networked workstations connected over a LAN or the Internet.

More information is available here.

Facebook introduces one time passwords

Facebook has launched one-time passwords for use on non-secure computers in places like hotels, cafes or airports. If you have any concerns about the security of the computer you’re using to access Facebook, Facebook can text you a one-time password (OTP) to use instead of your regular password.

Simply text “otp” to 32665 on your mobile phone (U.S. only), and you’ll immediately receive a password that can be used only once and expires in 20 minutes. In order to access this feature, you’ll need a mobile phone number in your account. Facebook is rolling this out gradually, and it should be available to everyone in the coming weeks.
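The server-side half of the flow described above (a code that works once and expires after 20 minutes) looks like this. It is an added example, not Facebook’s code, and the post says nothing about how Facebook generates or stores codes. Assumptions made here: an 8-character code drawn from an alphabet without look-alike characters, a cap of five wrong guesses per issued code, an in-memory dict as the store, and the current time passed in as a parameter so expiry can be tested.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 20 * 60   # the 20-minute lifetime the post describes
OTP_LENGTH = 8              # assumption: the post does not state the code length
OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # assumption: no 0/O/1/I look-alikes
MAX_ATTEMPTS = 5            # assumption: wrong guesses allowed before the code is dropped


def _digest(user, code):
    """Hash the code together with the user so an identical code for two users differs.
    Only this digest is stored; a leaked store does not directly yield live codes."""
    return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()


def issue_otp(store, user, now):
    """Create a fresh code for `user`, replacing any outstanding one.
    Returns the code that would be texted to the user's phone."""
    code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
    store[user] = {"hash": _digest(user, code),
                   "expires": now + OTP_TTL_SECONDS,
                   "attempts": 0}
    return code


def verify_otp(store, user, code, now):
    """True exactly once, for the right code, within its lifetime.
    Expired codes and codes with too many wrong guesses are discarded."""
    entry = store.get(user)
    if entry is None:
        return False
    if now > entry["expires"]:
        del store[user]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del store[user]                      # too many tries: force a fresh code
        return False
    if hmac.compare_digest(entry["hash"], _digest(user, code)):
        del store[user]                      # single use: consumed on success
        return True
    return False


if __name__ == "__main__":
    store = {}
    code = issue_otp(store, "alice", now=0.0)
    print("texted code:", code)
    print("first use:", verify_otp(store, "alice", code, now=60.0))
    print("second use:", verify_otp(store, "alice", code, now=61.0))
```

The attempt cap is not optional here: a code of 8 characters from a 32-symbol alphabet is far too small to withstand unlimited online guessing, so the lifetime and the guess limit together are what make a short, typeable code acceptable. Deleting the entry on success is what makes the code “one-time”; a regular password remains valid, which is exactly why the post recommends the OTP on a machine you do not trust.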