Discussion of Online Advertising, CPA, SEO, Affiliate and Next Generation Marketing
ReveNews Online Revenue News & Opinions Since 1998

RockYou is Latest Reminder Not to Neglect Your Passwords

February 4th, 2010 by Jeff Orloff

The recent attack on RockYou.com’s database opened many people’s eyes to a number of security flaws that exist on even some of the more popular web sites. To begin with, the database behind the RockYou social network was exposed through a Structured Query Language (SQL) injection flaw: user-supplied input reached a database query without being separated from the query text, which let the attacker turn a login form into a way of reading the whole table.

According to Jeremiah Grossman of WhiteHat Security, at least “16 percent of websites are vulnerable to SQL Injection”, so while the RockYou breach is sad, it is not surprising. Grossman also cites Verizon’s Data Breach Investigations Report (DBIR), which says that “SQL injection attacks, cross-site scripting, authentication bypass and exploitation of session variables contributed to nearly half of the cases investigated that involved hacking.”

More shocking is that the stolen user account data was stored in clear text: the passwords had been neither encrypted nor hashed, so whoever could read the table could read every password exactly as the user typed it. For a site as large as RockYou, this is unacceptable; the standard practice is to store only a salted, slow hash of each password, so that a stolen table still does not hand over the passwords themselves. Still, it is not the most frightening thing that is exposed by this attack.
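The two mistakes described above, an injectable query and a cleartext password column, side by side with their fixes. This is an added example written for this page, not RockYou’s code: the table layout, the single user “alice” and her password are constructed, and the hardened version uses a parameterized query plus PBKDF2 with a per-user random salt.

```python
"""Added example (not RockYou's code): an SQL-injectable login over a
cleartext password table, beside a parameterized login over salted
PBKDF2 hashes. Table layout and the user record are constructed."""
import hashlib
import hmac
import os
import sqlite3


def pbkdf2(password, salt, iterations=100_000):
    """Salted, iterated hash; the stored value cannot be turned back into
    the password, and the per-user salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_db():
    """In-memory database with one constructed user, 'alice'. users_clear
    keeps the password as typed (what RockYou did); users_hashed keeps only
    a random salt and the PBKDF2 output."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_clear (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO users_clear VALUES (?, ?)", ("alice", "iloveyou"))
    salt = os.urandom(16)
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
               ("alice", salt, pbkdf2("iloveyou", salt)))
    return db


def login_vulnerable(db, username, password):
    """Builds the SQL by string formatting, so a quote in either field
    changes the query itself. Returns the usernames the query matched."""
    query = ("SELECT username FROM users_clear WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return [row[0] for row in db.execute(query)]


def login_hardened(db, username, password):
    """Parameterized lookup (input is bound as data, never parsed as SQL),
    then a constant-time comparison of the recomputed hash."""
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(pbkdf2(password, salt), stored)


def dump_clear_passwords(db):
    """What a dump of the cleartext table gives an attacker."""
    return dict(db.execute("SELECT username, password FROM users_clear"))


def dump_hashed(db):
    """The same dump from the hashed table: salt and hash, no password."""
    return {u: (salt, h) for u, salt, h in
            db.execute("SELECT username, salt, pw_hash FROM users_hashed")}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"
    print("injection against cleartext login:", login_vulnerable(db, payload, "x"))
    print("same payload against hardened login:", login_hardened(db, payload, "x"))
    print("leaked cleartext table:", dump_clear_passwords(db))
```

The payload `' OR '1'='1' --` logs in as the first user without knowing any password against the concatenated query, and does nothing against the parameterized one because the quote characters are bound as data. Dumping the hashed table yields a salt and 32 bytes of PBKDF2 output per user, which is what an attacker would have obtained from RockYou instead of 32 million cleartext passwords.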

When igigi, the hacker responsible for the attack, harvested over 32 million username and password combinations from the site, the passwords – not the usernames – were posted online for all to see. After the collection of passwords was analyzed by the Imperva Application Defense Center, the results were a bit astonishing.

Password findings

After looking at the collection of passwords, it was found that:

  • 30 percent of users chose passwords whose length is equal to, or below six characters
  • Roughly 60 percent of passwords came from a limited set of alpha-numeric characters
  • Almost 50 percent of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, etc)

And what were the most common passwords? The following table lists the ten most common passwords and the number of users who chose each one.

Rank  Password    Users
   1  123456      290731
   2  12345        79078
   3  123456789    76790
   4  Password     61958
   5  iloveyou     51622
   6  princess     35231
   7  rockyou      22588
   8  1234567      21726
   9  12345678     20553
  10  abc123       17542

From these findings Imperva concluded that an attacker who feeds the most common passwords to an automated guessing tool and tries them against many accounts could compromise 1000 different accounts in about 17 minutes, which works out to roughly one account per second.

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyberattacks: with only minimal effort, a hacker can gain access to one new account every second — or 1000 accounts every 17 minutes,” said Amichai Shulman, CTO of Imperva.

Combine this with the findings from the security firm Trusteer that “73 percent of Internet bank clients share online banking password with non-financial sites, and 47 percent re-use both their online banking user name and password” and you have a potential for disaster: a password harvested from a trivial social site opens the bank account of every user who reused it.

Strong passwords

While there is no excuse for the mistakes RockYou made, nothing RockYou could have done to protect its database would stop a guessing attack from recovering passwords like 123456 in a matter of seconds: a password that sits at the top of every attacker’s wordlist is broken no matter how carefully it is stored.

To make things more difficult on attackers looking to steal your passwords, a few basic rules need to be followed:

  • A password must be at least 8 characters
  • A password needs to consist of at least 4 different types of characters – upper case letters, lower case letters, numbers, and special characters
  • A password should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address

A common complaint about strong password requirements is that the results are impossible to remember. After all, Aghe83#Qs@ can be quite difficult to rattle off when logging in first thing in the morning. Rather than writing down a complex password like this on a post-it note stuck to the monitor, opt for a passphrase. HisBirthd@yisJune12 is easy to remember and it abides by all three of the strong password rules; just build it from a fact that people around you cannot look up, for the same reason the third rule keeps your own name out. Whatever you pick, do not reuse it: as the Trusteer figures above show, a password shared between a trivial site and your bank or e-mail account is only as safe as the weakest site that stores it.
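The three rules above, plus the name-and-e-mail clause, as a checker you can run against a candidate password. This is an added example, not code from the original post: the wordlist is a constructed stand-in seeded with the ten passwords from the table, and treating a password as a dictionary word when its letters alone spell one (so that Password1! is rejected) is this example’s own reading of the third rule.

```python
"""Added example (not from the original post): checks a candidate password
against the three rules above plus the name/e-mail clause. The wordlist is
a constructed stand-in seeded with the top-10 passwords from the table;
flagging a password whose letters alone spell a listed word is this
example's own interpretation of rule 3."""
import re
import string

WORDLIST = {"123456", "12345", "123456789", "password", "iloveyou", "princess",
            "rockyou", "1234567", "12345678", "abc123",
            "monkey", "dragon", "sunshine", "letmein", "welcome"}


def personal_tokens(full_name, email):
    """Pieces of the user's name and e-mail address (three or more
    characters, lowercased) that must not appear in the password."""
    raw = re.split(r"[\s.@_+\-]+", (full_name + " " + email).lower())
    return sorted({t for t in raw if len(t) >= 3})


def check_password(pw, full_name="", email=""):
    """Returns the list of violated rules; an empty list means the password
    satisfies every rule."""
    problems = []
    if len(pw) < 8:                                         # rule 1
        problems.append("too short")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):                                    # rule 2
        problems.append("missing a character class")
    letters_only = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in WORDLIST or letters_only in WORDLIST:  # rule 3
        problems.append("common or dictionary word")
    if any(t in pw.lower() for t in personal_tokens(full_name, email)):
        problems.append("contains part of name or e-mail")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "Aghe83#Qs@", "HisBirthd@yisJune12",
                      "AliceLovesJune12!"):
        print(candidate, check_password(candidate, "Alice Smith",
                                        "alice.smith@example.com") or "ok")
```

Both of the post’s examples pass, the top entry of the RockYou table fails every rule at once, and Password1!, which satisfies the length and character-class rules, is still caught because its letters spell a listed word. The name/e-mail check is deliberately strict (any three-letter piece of the address counts), so tune the minimum token length for your own user base.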

1 Comment

[...] the latest news of a HUGE user account data theft.  RockYou is just the latest reminder that we’re not paying enough attention to our passwords.  Can you imagine what you could lose if someone had the password to your e-mail account?  Or [...]
