[ubuntu-in] OT: Advice for Newbies and oldies alike - Study: Hacking Passwords Easy As 123456

Ramnarayan.K ramnarayan.k at gmail.com
Thu Jan 21 17:29:25 GMT 2010


An interesting study about passwords, though I think in India the
popular passwords might be a bit different.

Wonder what they might be, though.

ram


Study: Hacking Passwords Easy As 123456

http://www.pcworld.com/businesscenter/article/187354/study_hacking_passwords_easy_as_123456.html

If you are using "123456" as your password it is past time to stop.
Same if you are using the always popular "Password" to protect your
account. Those easy-to-guess passwords were the top and fourth
most-popular among 32 million hacked from RockYou.com, a new study
finds.

 Imperva studied the breached passwords and has published an
interesting study that talks about them. While "Consumer Password
Worst Practices" isn't about us supposedly savvy business users, as an
occasional system administrator I've run into both 123456 and Password
on many occasions.

Here are the top passwords Imperva found among those compromised in
the attack (they were posted online, without identifying details, for
the world to see--and analyze):

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

If any of those look too familiar, please stop reading this story and
change your password now. All these passwords fall to simple automated
guessing in moments, and with the list now published they are likely
to move to the top of everyone's list of strings to try first when
attacking an account.

"To quantify the issue, the combination of poor passwords and
automated attacks means that in just 110 attempts, a hacker will
typically gain access to one new account every second, or a mere 17
minutes to break into 1000 accounts," Imperva said in its report.
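The arithmetic behind Imperva's "110 attempts" quote becomes clearer when you run a top-N list against an account population yourself. The script below is an added example, not code from the original article or from the Imperva report: it ranks a constructed breached dump, sprays the resulting top-5 list across a constructed set of accounts on another service (one guess per account per round, the way a real attacker stays under lockout thresholds), and extrapolates the yield to a sustained attempt rate. The dump, the accounts and the 110 attempts-per-second rate are all illustrative assumptions.

```python
"""Quantify what a published top-N password list buys an attacker.

Added example, not from the original article or the Imperva report. The
breached dump and the target accounts are constructed sample data, and the
110 attempts-per-second rate is borrowed from the quote only as an illustration.
"""
from collections import Counter

# Constructed stand-in for a leaked password dump (not real RockYou data).
# Real dumps are far more skewed: a handful of strings covers a large share.
BREACHED_PASSWORDS = (
    ["123456"] * 9 + ["12345"] * 4 + ["123456789"] * 3 + ["Password"] * 3
    + ["iloveyou"] * 2 + ["princess"] * 2 + ["rockyou"] * 2 + ["abc123"]
    + ["Tr0ub4dor&3", "nilm!DOWN2s", "correcthorse", "qwerty"]
)

# Constructed accounts on some other service. The attacker never sees these,
# but counts on people reusing the same weak strings everywhere.
TARGET_ACCOUNTS = {
    "alice": "123456",
    "bob": "Password",
    "carol": "g7#Vq2!pLm",
    "dave": "iloveyou",
    "erin": "princess",
    "frank": "nilm!DOWN2s",
    "grace": "12345",
    "heidi": "Xk9$wz2Qr",
}


def rank_passwords(dump, top_n):
    """Most common top_n passwords in the dump, most frequent first, plus the
    fraction of dump entries they account for (the list's coverage)."""
    counts = Counter(dump)
    top = [pw for pw, _ in counts.most_common(top_n)]
    covered = sum(counts[pw] for pw in top)
    return top, covered / len(dump)


def spray(accounts, guesses):
    """Password spraying: guess 1 against every account, then guess 2, and so
    on. One guess per account per round keeps every account under a typical
    lockout threshold. Returns ({user: attempt number at which it fell},
    total attempts made)."""
    compromised = {}
    attempts = 0
    for guess in guesses:
        for user, real in accounts.items():
            if user in compromised:
                continue
            attempts += 1
            if guess == real:
                compromised[user] = attempts
    return compromised, attempts


def accounts_per_second(n_compromised, attempts, attempts_per_second):
    """Expected accounts opened per second at a sustained attempt rate,
    extrapolating the yield observed in the spray."""
    return n_compromised / attempts * attempts_per_second


def seconds_to_compromise(target, n_compromised, attempts, attempts_per_second):
    """Time needed to open `target` accounts at that yield (inf if nothing fell)."""
    rate = accounts_per_second(n_compromised, attempts, attempts_per_second)
    return float("inf") if rate == 0 else target / rate


if __name__ == "__main__":
    top5, coverage = rank_passwords(BREACHED_PASSWORDS, 5)
    print(f"top 5: {top5} cover {coverage:.0%} of the dump")
    fell, total = spray(TARGET_ACCOUNTS, top5)
    print(f"{len(fell)}/{len(TARGET_ACCOUNTS)} accounts fell in {total} attempts: {fell}")
    print(f"at 110 attempts/s: {accounts_per_second(len(fell), total, 110):.1f} accounts/s,"
          f" 1000 accounts in {seconds_to_compromise(1000, len(fell), total, 110):.0f} s")
```

The yield here (half the accounts in 32 guesses) is inflated by the tiny constructed population; the point is the shape of the calculation, not the numbers. Against a real service the defensive counterpart is the same arithmetic in reverse: a denylist of the top breached strings removes exactly the guesses with the highest per-attempt payoff, and per-source rate limiting caps the attempt rate the extrapolation multiplies by.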

Among its key findings:

    * About 30 percent of users chose passwords whose length is equal
or below six characters.
    * Moreover, almost 60% of users chose their passwords from a
limited set of alpha-numeric characters.
    * Nearly 50% of users used names, slang words, dictionary words or
trivial passwords (consecutive digits, adjacent keyboard keys, and so
on).

If it makes you feel any better, a similar study of hacked Hotmail
passwords from October 2009 found much the same thing.

Imperva provides a list of password best practices, created by NASA to
help its users protect their rocket science; they include:

    * It should contain at least eight characters
    * It should contain a mix of four different types of characters -
upper case letters, lower case letters, numbers, and special
characters such as !@#$%^&*,;" If there is only one letter or special
character, it should not be either the first or last character in the
password.
    * It should not be a name, a slang word, or any word in the
dictionary. It should not include any part of your name or your e-mail
address.
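Those rules are concrete enough to enforce mechanically. The checker below is an added example, not code from the original article and not NASA's own policy implementation: it applies each rule in the list above, adds a denylist built from Imperva's top-10 strings, and flags trivial sequences (consecutive digits, keyboard rows) and fragments of the user's name or e-mail address. The dictionary and denylist are small constructed samples, and treating every ASCII punctuation character as "special" is an assumption the list only hints at with its examples.

```python
"""Check a candidate password against the NASA-style rules listed above.

Added example, not part of the original article or of NASA's policy. The
dictionary and denylist are constructed samples; a real check would load a
full wordlist and a breached-password corpus.
"""
import re
import string

# The top-10 from the Imperva list, lower-cased for comparison.
TOP_BREACHED = {"123456", "12345", "123456789", "password", "iloveyou",
                "princess", "rockyou", "1234567", "12345678", "abc123"}
# Constructed stand-in for a dictionary wordlist.
DICTIONARY = {"password", "princess", "sleep", "rocket", "science", "welcome"}
# Assumption: any ASCII punctuation counts as a "special character".
SPECIAL = set(string.punctuation)
# Runs a trivial password might be cut from (checked forwards and backwards).
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _identity_tokens(name, email):
    """Pieces of the name and e-mail local part that must not appear."""
    tokens = (name or "").split()
    local = (email or "").split("@")[0]
    tokens += re.split(r"[^A-Za-z0-9]+", local)
    return {t.lower() for t in tokens if len(t) >= 3}


def check_password(pw, name="", email=""):
    """Return the list of rule violations; an empty list means it passes."""
    issues = []
    low = pw.lower()
    if len(pw) < 8:
        issues.append("too_short")
    letters = [c for c in pw if c.isalpha()]
    specials = [c for c in pw if c in SPECIAL]
    if not any(c.isupper() for c in pw):
        issues.append("no_upper")
    if not any(c.islower() for c in pw):
        issues.append("no_lower")
    if not any(c.isdigit() for c in pw):
        issues.append("no_digit")
    if not specials:
        issues.append("no_special")
    # A lone letter or lone special character must not sit at either end.
    for kind, chars in (("letter", letters), ("special", specials)):
        if len(chars) == 1 and (pw[0] == chars[0] or pw[-1] == chars[0]):
            issues.append(f"single_{kind}_at_edge")
    if low in TOP_BREACHED:
        issues.append("on_breach_list")
    if low in DICTIONARY:
        issues.append("dictionary_word")
    if len(low) >= 3 and any(low in s or low in s[::-1] for s in SEQUENCES):
        issues.append("trivial_sequence")
    for tok in sorted(_identity_tokens(name, email)):
        if tok in low:
            issues.append("contains_identity:" + tok)
    return issues


if __name__ == "__main__":
    for candidate in ("123456", "Password", "nilmDOWN2s", "nilmDOWN2s!", "nilm!DOWN2s"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Run against the article's own example, the checker makes the tension in the text explicit: "nilmDOWN2s" clears the dictionary test but fails the four-character-class rule, and appending a "!" to fix that trips the rule that a lone special character must not be first or last; moving it inside the string ("nilm!DOWN2s") passes. Rules like these also only catch what they name, so a denylist of actual breached strings, as large as you can get, does more than any composition rule.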

Following that advice, of course, means you'll create a password that
is impossible to remember, unless you try a trick credited to security
guru Bruce Schneier: Turn a sentence into a password.

For example, "Now I lay me down to sleep" might become nilmDOWN2s, a
10-character password that won't be found in any dictionary.

Can't remember that password? Schneier says it's OK to write it down
and put it in your wallet, or better yet keep a hint in your wallet.
Just don't also include a list of the sites and services that password
works with. Try to use a different password on every service, but if
you can't do that, at least develop a set of passwords that you use at
different sites.

Someday, we will use authentication schemes, perhaps biometrics, that
don't require so much jumping through hoops to protect our data. But,
in the meantime, passwords are all most of us have, so they ought to
be strong enough to do the job.

And don't even try 654321 or Qwerty--19th and 20th on Imperva's list-- OK?

(Here's a story we did in early 2009 on how to protect your passwords
and another with tips on creating strong passwords).

David Coursey has been writing about technology products and companies
for more than 25 years. He tweets as @techinciter and may be contacted
via his Web site.


