The recent attack on RockYou.com’s database opened many people’s eyes to a number of security flaws that exist on even some of the more popular web sites. To begin with, the RockYou social network’s database was susceptible to a Structured Query Language (SQL) injection exploit.
According to Jeremiah Grossman of WhiteHat Security, at least “16 percent of websites are vulnerable to SQL Injection,” so while sad, it is not surprising. Jeremiah also cites Verizon’s Data Breach Incident Report (DBIR), which says that “SQL injection attacks, cross-site scripting, authentication bypass and exploitation of session variables contributed to nearly half of the cases investigated that involved hacking.”
More shocking is that the user account data that was stolen was stored in clear text – plain text that has not been encrypted. For a site as large as RockYou, this is unacceptable. Still, it is not the most frightening thing that is exposed by this attack.
When igigi, the hacker responsible for the attack, harvested over 32 million username and password combinations from the site, the passwords – not the usernames – were posted online for all to see. After the collection of passwords was analyzed by the Imperva Application Defense Center, the results were a bit astonishing.
Password findings
After looking at the collection of passwords, it was found that:
- 30 percent of users chose passwords whose length is equal to, or below six characters
- Roughly 60 percent of passwords came from a limited set of alpha-numeric characters
- Almost 50 percent of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, etc.)
And what were the most common passwords? The following table shows the top ten passwords in the first column. The second column shows the number of users who selected that as their password.
| Password | Number of users |
|---|---|
| 123456 | 290731 |
| 12345 | 79078 |
| 123456789 | 76790 |
| Password | 61958 |
| iloveyou | 51622 |
| princess | 35231 |
| rockyou | 22588 |
| 1234567 | 21726 |
| 12345678 | 20553 |
| abc123 | 17542 |
According to their findings, Imperva reported that in 17 minutes an attacker could compromise 1000 different accounts using a brute-force password cracking tool.
“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyberattacks: with only minimal effort, a hacker can gain access to one new account every second — or 1000 accounts every 17 minutes,” said Amichai Shulman, CTO of Imperva.
Combine this with the findings from the British firm Trusteer that “73 percent of Internet bank clients share online banking password with non-financial sites, and 47 percent re-use both their online banking user name and password” and you have a potential for disaster.
Strong passwords
While there is no excuse for the mistakes made by RockYou, any efforts made by them to protect their database would do nothing to prevent a brute-force attack from cracking some of these passwords in a matter of mere seconds.
To make things more difficult for attackers looking to steal your passwords, a few basic rules need to be followed:
- A password must be at least 8 characters
- A password needs to consist of at least 4 different types of characters – upper case letters, lower case letters, numbers, and special characters
- A password should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address
A common complaint about the strong password requirements is that they are impossible to remember. After all, Aghe83#Qs@ can be quite difficult to rattle off when logging in first thing in the morning. Rather than writing down a complex password like this on a post-it note stuck to the monitor, opt for a passphrase. HisBirthd@yisJune12 is pretty easy to remember and it abides by all three of the strong password rules.
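To make the three rules concrete, here is an added example (not from the original post, RockYou or Imperva) of a policy checker that applies them. The top-ten table above serves as a constructed stand-in blocklist; the dictionary words, keyboard rows and the sample user name and e-mail are assumptions.

```python
import re

# Constructed from the page's top-ten table (password -> number of RockYou users);
# a real deployment would use a far larger breach-derived blocklist.
TOP_PASSWORDS = {
    "123456": 290731, "12345": 79078, "123456789": 76790, "Password": 61958,
    "iloveyou": 51622, "princess": 35231, "rockyou": 22588, "1234567": 21726,
    "12345678": 20553, "abc123": 17542,
}
BLOCKLIST = {p.lower() for p in TOP_PASSWORDS}
# Small constructed stand-in for a dictionary/slang word list.
DICTIONARY = {"birthday", "monkey", "football", "sunshine", "summer"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
CHAR_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def is_trivial(pw):
    """Consecutive digits, one repeated character, or a run of adjacent keyboard keys."""
    s = pw.lower()
    if len(set(s)) == 1:
        return True
    if s.isdigit() and all(abs(int(b) - int(a)) == 1 for a, b in zip(s, s[1:])):
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw, name="", email=""):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    n_classes = sum(1 for rx in CHAR_CLASSES if re.search(rx, pw))
    if n_classes < 4:
        problems.append("uses only %d of the 4 character types" % n_classes)
    low = pw.lower()
    if low in BLOCKLIST or low in DICTIONARY or is_trivial(pw):
        problems.append("common, dictionary or trivial password")
    # No fragment (3+ chars) of the user's name or e-mail local part may appear.
    identity = (name + " " + email.split("@")[0]).lower()
    for part in set(re.split(r"[^a-z0-9]+", identity)):
        if len(part) >= 3 and part in low:
            problems.append("contains part of name or e-mail: %r" % part)
    return problems


def top_list_coverage(total_accounts=32_000_000):
    """Fraction of accounts covered by trying only the ten passwords in the table."""
    return sum(TOP_PASSWORDS.values()) / total_accounts


if __name__ == "__main__":
    for pw in ("123456", "princess", "Aghe83#Qs@", "HisBirthd@yisJune12"):
        print(pw, "->", check_password(pw) or "OK")
    print("top-10 list alone covers %.2f%% of accounts" % (100 * top_list_coverage()))
```

Note that the name/e-mail rule would reject HisBirthd@yisJune12 for a user named June, which is exactly the kind of passphrase-from-personal-data weakness the rule is meant to catch.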
See the original post here:
RockYou is Latest Reminder Not to Neglect Your Passwords