Passwords: How easy are yours? How often do you change them?

[Cynthetiq]

Quote:

View: If Your Password Is 123456, Just Make It HackMe
Source: Nytimes
posted with the TFP thread generator

If Your Password Is 123456, Just Make It HackMe
January 21, 2010
If Your Password Is 123456, Just Make It HackMe
By ASHLEE VANCE

Back at the dawn of the Web, the most popular account password was “12345.”

Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.

To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.

Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites were security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”

My passwords are very well protected. I don't use the same one in all that same places, but really I look at it from a level of security. At TFP, I have a unique password that I don't use anywhere else. At other forums, I use a password that is generic to forums, blogs, newspapers, and other online media where security is in my opinion superficial.

For email, I use a very robust password since that is the nexus of someone being able to gain access to all your other accounts. It's long, has upper and lowercase, and has a number. I'm just missing the symbol and it would be the "perfect" password according to security folks.

Are you the person in the article with the easy to guess password? Why? Why not?

[Martian]

The attack they're describing is a dictionary attack, and it's very common. A simple script, 20 minutes or so and if the website in question doesn't have specific measures in place to counteract it, an account can be cracked.

I do generally follow secure password policy. My only conceit is that I do reuse passwords to some extent. I have a list of them memorized and will select one more or less at random for a new account. One of the benefits of this system is that if I should forget what password goes with which account or website, I only have to guess a limited number of times before I hit on the right one. The monumental downside is that if someone were to somehow obtain a list of all my passwords they'd have access to basically everything.

The principles of a strong password have been understood for a long time. No words, mix of numbers and letters, mixed case, at least 8 characters. If more people followed these guidelines there'd be less cybercrime. It's as simple as that.

[World's King]

Mine aren't very hard to figure out.

I figure if you take the time to hack into anything of mine, you're an idiot and didn't do much homework/background work on me. I have no money, all my credit cards are maxed out, and I don't own anything.

So even if you managed to steal my identity or what have you... You can't do fuck all with it.

[lovejoy777]

My solution is simple use an address which is familiar to you for example Tony Hancocks address in Hancocks half hour:

23 Railway cuttings

or

pick one from somewhere you have visited like a bed and breakfast place:

38 marine drive

They are not likely to pick that out of the blue

[Zeraph]

The way I do it, so that they're easy to remember for me, but hard to figure out, is;

I have 3 bases which may or may not be real words.

Then I have three strings of numbers which have significance to me but not obvious (not even close to my birthday or license plate).

I then take those and mix them up for each new account I need secured. There are more common ones which I use for things in which I need less security. And rarer/longer password combos which might actually be cracked (like MMO accounts).

So if I forget, I first ask myself the security level, which narrows it down, then usually remember the letter string associated with the account, then its only 3 choices on the number string. So I almost never forget my passwords, yet I have 9 standard + ~3 bonus varying in complexity all the way up to 12 characters.

Yes, I'm quite pleased with myself

[Jetée]

I used to use passwords, but now I don't anymore.

I either use the same standard (unconventional) letter+number+symbol string, that may or may not also be my favorite titlepiece, or I comes up with a random 21 character key that I promptly 'wand'. If it should ever break (it has happened once), I just use the original e-mail address I provided to obtain a new password.

Besides the above, I shift usernames (and specific throwaway e-mail addys) instead of passwords. No sense in letting one cracked accounted become the gateway to multiples.

[Charlatan]

I have a long one with Caps and numbers.

I use different ones for different sites.

I can't believe people still use things like password or 123456.

[Reese]

It doesn't matter if you have a 100 digit password, a keylogger with steal in an instant.

I just try to keep my passwords long enough and random enough to avoid dictionary and brute force attacks. I change my passwords fairly often even though I probably have far less to lose than other people. I think the only thing connected to my email is my World of Warcraft account and a ton of newsletters which I didn't subscribe to. I don't log into my email and stuff from any computer other than my own because I don't know if they're secure. If I do have to log into one of my accounts from another computer, I change my password when I get home.. It just bugs me if I don't change it.

[MSD]

Type a word you're familiar wit and can touch type

password

As anyone can tell you, that's a terrible password. Move your hands over one row of keys to the right

[sddeptf

Now add a number to the end to make brute forcing a bit harder

[sddeptf0

Now double it

[sddeptf0[sddeptf0

Good luck guessing that. Mix it up, only move your right hand over and leave your left in place; move your right hand up a row, move your left hand over to the left so "a" becomes capslock and makes it even more difficult to brute force.

0AAQ9ES

In a way it's like an old Caesar cypher, but without knowing the 12 letter phrase I use and what permutation of hand position, it makes encryption a lot stronger.

[canuckguy]

My passwords for important items are usually a variation very tight, for stupid online things i always make it one generic word/number that would be easily guessable if you really wanted to post as me on some online places...go nuts.

What shocks me is the a lot of those people who keep those same strong password, then write them down near there computer. We did a consulting job once found a top level access guy had a freaking Rolex on his desk of all his passwords...even personal bank stuff...he worked for a major company. brutal.

[Punk.of.Ages]

My password's very, very easy. So easy I can't get away with on it on most sites these days...

I don't really care. I don't store private info on the intrawebz.

[Lindy]

I used to use v1o9l6k4s which comes from

v o l k s
1 9 6 4

I used lbc for a hint, which stands for the "little blue car" that I learned how to drive in.
LBC hint changes the case of the letters in the password.

I don't use that pw any more. Obviously works with any five letter word and four digit number.

Lindy

[LordEden]

I have aset of passwords that I change depending on the site i"m on, I need to change all of them again as I have a similar password on a lot of sites now. I should think about that today.

My boss sets all the admin passwords for his servers he sets up as 1Password. It's sad.

[Plan9]

I use the measurements of former lovers, myself.

[Manic_Skafe]

Quote:

Originally Posted by Jetée

Besides the above, I shift usernames (and specific throwaway e-mail addys) instead of passwords. No sense in letting one cracked accounted become the gateway to multiples.

+1

I don't worry so much about forums or social networking sites but I've got one email account that I guard pretty rigorously and several disposable accounts that forward everything sent and received back into that one account. All the passwords are different and so nothing is really lost in the event that one becomes compromised.

But even then, it's not like I really need an archive of my emails.

[freeload]

I have a "safe" password I use permutations of, and an easy one for all my nonimportant online activities. The safe password is in the form of 593epd (random numbers and letters), then I add the initials of the website and perhaps an "index" if I need to change my password frequently. If I was working for KFC and was required to change my password often it could be 593epdKFCg. Easy for me, but hard to bruteforce.

At high school I had a 26 character password built with parts of a long phrase translated to leet-speak. Needed a tough one as we tried to hack eachother all the time. I won by creating a program imitating the log on prompt, checking the username and then either steal the password or call the real password prompt if allready snatched. The user got a "Invalid password" message once, then every thing worked fine. Later I collected the hidden files containing usernames and passwords Good times!

[dksuddeth]

I use incredibly complex passwords. One time, it got me fired. I was hired as the systems administrator for a very small 60 employee company. I changed the primary domain administrator account password to K@$m1rF@bric$@dm1n

They were not amused

[lostgirl]

"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"

Some of mine are easy, some are more difficult. It depends on what they are for.

[fie]

Quote:

Originally Posted by Jetée

a random 21 character key that I promptly 'wand'.

The problem with that is physical security. If anyone has access to your computer, they can get your passwords.

And in the case of this article, it doesn't matter what your password was because they were storing them in plain text.

[Pearl Trade]

I have two different passwords that I use, but both are about the same. One has numbers, the other doesn't.

Is it possible the hack number is so high in the study because some people made an account with a simple, one time use password just to fool around or maybe for some other reason?

[pan6467]

Quote:

Originally Posted by World's King

Mine aren't very hard to figure out.

I figure if you take the time to hack into anything of mine, you're an idiot and didn't do much homework/background work on me. I have no money, all my credit cards are maxed out, and I don't own anything.

So even if you managed to steal my identity or what have you... You can't do fuck all with it.

It's the story of my life...lol WK, we must be twins.

[Xerxys]

Like the US state department of intelligence in the movies, I have a text file with all my passwords saved locally in a password protected .ZIP. I am Jason Bourne.

[Jinn]

My password is hunter2. I use it for everything. See how it's starred out so none of you can see it?

[Xerxys]

^^ Yeah, mine is gigolo2sxy4ya ... it's also starred out so none o' y'all can see jack sh*t.

[Redlemon]

My password is six asterisks. That way I can see it when I type it in.

[Jinn]

hunter2 reference was actually from QDB: Quote #244321, kinda one of those interweb memes. In other words, totally irrelevant to most people.

[Xerxys]

^^ Oh, so we weren't coming up with convoluted ways of making up a password then?

Ahh, bummer.

[Slims]

I paid attention to this thread because I got the "your password is 14,000+ days old" message and was curious what prompted the forced password change.

I have several standard passwords, one for things I don't have to keep protected (TFP) one for banking, and one for things I intend to keep really secure. The last two I rotate.

[Willravel]

Quote:

Originally Posted by Slims

I paid attention to this thread because I got the "your password is 14,000+ days old" message and was curious what prompted the forced password change.

Same. I read message as "we assume you suck at picking or maintaining passwords, so we're forcing you to change yours." My password is fine. All of my passwords online are just fine. A 15+ digit, random, alpha-numeric password is basically as secure as you can get within reason.

[Ourcrazymodern?]

Like World's King & pan, I am,
without the wherewithal to worry
nor any need for secrets.

I find changing passwords confusing & annoying.

[freeload]

>How often do you change it?
Got this message on TFP today: Your password is 14663 days old, and has therefore expired.
That's my oldest password so far. (It's 40.15 years old - older than me and most of the World Wide Web)

[yournamehere]

It doesn't matter - The Mentalist or any CSI team can guess it just by looking around your room.

[hunnychile]

Heheheh....I work with an IT major dweeb ( a friend who looks a lot like my favorite high school BF!) and this dude makes us change ours every 4 weeks, on the job. So my newest game is to continually devise the longest & most diversified PW ever. He thinks it's a game and hasn't "broKen it" yet.

Luckily we are very good buds. (I know his deepest darkest secrets!!!)

/Gottya create fun wherever you are!!/Yes!

[Jinn]

Quote:

Originally Posted by Willravel

Same. I read message as "we assume you suck at picking or maintaining passwords, so we're forcing you to change yours." My password is fine. All of my passwords online are just fine. A 15+ digit, random, alpha-numeric password is basically as secure as you can get within reason.

Until unsalted hashes of everyone's passwords on a given site are acquired and rapidly decrypted with a rainbow table. If password storage on the server side is poor, like stored in plain text (I've seen it), or stored unsalted, there is another attack vector independent of the brute-force strength of your password. From Cyn's post, I assume he had a concern about server-side password security, and forcing users to change passwords is a great way to assuage that concern. It's part of the reason (good) sysdbas and network administrators enforce password complexity as well as forced obsolescence.

[Willravel]

My point is that it's as secure as it can be within reason on my end. I can't control how it's kept safe otherwise, which is why I never use the same password in two places anymore.

Anyway, this is a forum so the worst thing that could happen if someone did access my TFP is maybe some trolling or something, maybe deleting some of my old posts or changing settings. I'd be more worried about my online banking and shopping, but those are generally pretty damned secure.

[ASU2003]

The difficulty of my password goes down the more often I have to change it. And I would trade convenience over security (If LifeLock can monitor stuff, so can my bank without charging me. I think it is a scam), like I get full credit card statements in the mail that has no security, but I have to log in and jump through a bunch of hoops because I use random networks to access my account. My e-mail is far more secure at least for the basic statement.

It would be impossible for me to create new passwords for every bank, credit card, e-mail account, forum, paypal, on-line retailer, and computer every few months and keep them all straight.

[Derwood]

i have a couple of passwords I use interchangeably on different sites, but neither are real words and are completely nonsensical to anyone but me.

[Jinn]

Quote:

Originally Posted by ASU2003

... like I get full credit card statements in the mail that has no security, but I have to log in and jump through a bunch of hoops because I use random networks to access my account. My e-mail is far more secure at least for the basic statement.

This analogy would hold if your mail went through about 60,000,000 hands (in other countries) before it go to you. You're looking at about a dozen hops per packet between you and the bank's website. As it is, postal mail usually goes through 3-4 hands and a few machines in secure buildings the US between you and the sender. In directed attacks specifically on you, they're roughly the same security.. wait outside your mailbox / firewall. But in random sniffing attacks like phishers, postal mail seems like maximum security compared to the Internet.

[Lucifer]

How often do I change my password? Apparently, not often enough:

Capture.JPG

[The_Jazz]

And the horse is now dead. And rotted. And the corpse has been hauled off to the dog food factory.

Can we put a stop to the jokes about the password change requirement? There was a very good reason that we asked everyone to do that (one I'm not about to discuss in a google-crawled area of the board). Yes, it was a pain in the ass. Yes, the message looked a little silly to some of you. The same joke being told in 2 different threads wore thin a while ago though.