RockYou hack reveals easy-to-crack passwords
Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy to guess login credentials. Sensitive login credentials - stored in plain text - were left exposed because of a SQL injection bug in RockYou's …
>If users (as they often do) use the same login credentials for social networking sites and more sensitive accounts
That's the whole point, people use junk passwords for all those sites that insist on a password for no good reason - and keep the secure ones separate for important uses, like er' reg comments.
One would like to think that was true - and certainly among Reg readers it probably is - but I'm not so sure about Joe Public. The subtleties of strong passwords might evade them (if they can even be bothered with a complex password), as might the issues surrounding your banking password being at one with your favourite pr0n site.
Internet banking vs. Internet spanking, if you will.
Coat. Yep.
I'm not going to vote you down, but I think you're wrong for the majority of users out there.
Don't get me wrong... You guys are great (other commenters). I mean we have some terrific discussions on here, and sometimes, well, I just don't know how I would get by without your helpful advice! But, TBH, if my reg account got h4x0r3d... I'd probably just make a new one, and try to get on with my life. I post as AC mostly anyhow.
My reply above was directed at "Yet another anonymous user"
So not only was this site open to a SQL injection attack, but the passwords were stored in plain text?
Fail.
Just imagine how many shiny web 2.0 sites are secured in this way. Even storing a simple password hash with salt makes it orders of magnitude more difficult.
Most of those passwords would not be allowed if even the most basic restrictions were imposed by RockYou when they were created (i.e. 8 or more characters and containing at least letters and numbers).
Apparently RockYou weren't even requiring a minimum password length!
Of course people are stupid and will chose stupid passwords given half the chance, but this still says more about how inept RockYou were as a service provider.
I once had a project where client (Marketing guy) asked for strong password to be required, so I build a strong password validator for the site; when the client was asked to test it, he said it didn't work.
It did work, but it was just to hard for him to create a password that was strong :P
In addition to requiring caps,non-caps, number and symbol,It wouldn't let you use your first or last name, username, email or any sequence like qwerty wertyu asdf in your password.
My password here on the reg is definitely weak ;)
Pa55word!
There, that's strong.
Strong passwords are easy if people are given the right mental tool(s).
Why does this stupid site demand yet another password => wdt55dy4p
No capitals or symbols, but at nine characters it doesn't really matter. The above is
good enough. I've been working with some passwords recently that are so "strong" that they are weak - you can neither memorise them nor type them in accurately; hence the only thing to do is store them on a computer. Duh!
Horses for courses...
It's not generally considered necesary to enforce typical 'strong password' rules on social networking sites etc. However, I would at least have expected RockYou to have required a minimum of 8 characters and the use of letters & numbers, which is the general convention for online services which store personal data.
I own a Hotmail account for which the password is only 6 characters and a dictionary word since it was set up in 1996 before minimum password strength rules became widely used, I don't use the account but keep the password as it is for sentimantality sake ;oP
"However, I would at least have expected RockYou to have required a minimum of 8 characters and the use of letters & numbers, which is the general convention for online services which store personal data."
Er.. how many accounts were compromised through weak passwords, and how many were compromised by the stupid and completely unnecessary fuckwitty fail of storing CLEARTEXT?
The mind boggles - just HOW difficult is hashFunc(password) ; on the way into a DB?
How can anyone that mind-numbingly retarded be expected to mandate any sort of password regime?
Write the password down and store them somewhere safe, eg sealed in an envelope and stuck in a safe.
Consider using a passphrase rather than a password. For example: 'Red Lorry Yellow Lorry' and then perform a standard substituion eg always replace 'e' with '3'. Really easy to remember but incredibly hard to crack. Or another approach is to use a mnemonic. For example 'I live in Birmingham but work in Stratford' would give you a password of IliBbwiS substitute '1's for 'i's and $ for the all the 's'es and you have a great password.: Il1Bw1$ and easy for you to remember.
"I've been working with some passwords recently that are so "strong" that they are weak - you can neither memorise them nor type them in accurately; hence the only thing to do is store them on a computer. Duh!"
That's my biggest gripe. My highest risk online account - a business bank account - has a
- login name (required as you can have multiple users for a bank account)
- Login password
- Authentication password
- item 4 which i can't even remember
All of them must be 8 digits or more and it asks for a number of "nth digit"s to validate. Even after a few years with the same credentials theres no way i can achieve anything without them written down in front of me.
Likewise my work account which has 30 day password expiry (effectively 20 days as that's when it starts nagging you daily that your password will expire). I started off with secure passwords but over a few years they've become steadily less secure to the point where it's now trivial.
"......the only thing to do is store them on a computer."
Gosh, if only most people were that security-conscious. A post-it note stuck on the screen is rather more common in my experience.
Guess it depends how valuable users perceive their personal (and I guess sometimes *very* personal details) to be.
But yes these are staggeringly trivial.
But *another* SQL injection attack.
are you actually that naive, or is that sarcasm? maybe the people who read sites like the reg do that, but everyone else?
...passwords stored as unencrypted strings? wtf? :)
I've had experience creating a system requiring a user to create a strong password, and also had problems with users that can't remember their 'overly-complicated passwords'.
The bottom line is unless you use a password generator (I use Deadbolt Password Generator) to create strong unique passwords for every site or a password safe of some kind (although I don't like storing ALL my passwords in one place) people will always have trouble remembering good passwords and will stick to using weak ones instead.
What if you use a dictionary word but replace certain letters with numbers, leet-style, ie 3 for E etc? Not that that's what I do, I'm just saying. STOP TRYING TO GUESS MY PASSWORD!
.... but with the added protection of using a *Welsh* dictionary. (It may as well be a random selection of letters, as far as most people in the world are concerned.)
Flames, cos we likes to keep the (holiday) home fires burning...
I'll see your Welsh dictionary and raise you my personal conlang!
Take words from my conlang like Kaseryndhalan, Dwimmathdene and Khatalinlat, replace the vowels with numbers - K4s3ryndh4l4n, Dw1mm4thd3d3 and Kh4t4l1nl4t - and I have easy-to-remember passwords that nobody's going to guess... :)
Conlangs are an awesome and uncrackable means of encryption too if you take the time and effort to develop one. For example, I can guarantee that there are only 3 people, including myself, on this planet who would be able to translate this statement:
Hyarin marhyad thiel ke koyanad kya shariadi adawaya kya khanya kha simain. Saeli tielyad kya kelduran kha sharath kya tunai anlani re shalayneth lamanya dawya gharan.
"For example, I can guarantee that there are only 3 people, including myself, on this planet who would be able to translate this statement:"
I can guarantee that there are no people who are interested.
Hyarin marhyad thiel ke koyanad kya shariadi adawaya kya khanya kha simain. !!!
Shalayneth lamanya dawya gharan.
Cuttlefish!
DROP DATABASE ROCKYOU.
someone. please. for everyone's sake.
Passphrase is the way forward.
cantbruteforcethisitstoolong.
You can tell the advice from Microsoft and Sophos has come from computer scientists. To remember your passphrase, you need to work through the algorithm you used to generate it, flawlessly. Once a passphrase has been used a few times, most people are much better at remembering a list of words than a list of letters and symbols; words are an intrinsic part of brain function. If you want a stronger passphrase, just add another word. There’s much better advice on The Diceware Passphrase Home Page [1], including a measure of strength.
Unfortunately, you still come across websites with instructions like “Choose Password (6-10 characters):”
BTW, your example passphrase may not be as strong as you think. It’s a sentence fragment, not a list of random words, so the words are interdependent
[1] http://www.world.std.com/~reinhold/diceware.html
There are just so many places that need passwords that it is completely unrealistic to expect people to remember a different one for every place. As YAAC said above, most people I know keep one password for serious stuff and another for waste of space passwords that they don't care about.
Another problem is that best practise really doesn't work in most environments.
We have access to a government database which every member of the company needs to get into - from directors to pool secretaries, and there's supposed to be full traceability. Its password policy requires each user not only to have mixed alphanumeric 12 digit passwords with no logical sequences and so on, but requires a change every month. Surprise surprise, after the first couple of months no one could remember the passwords they had last come up with, so we spent hours every week on the phone to the govt dept concerned resetting accounts. In the end, we just decided it wasn't worth the bother and told everyone to write the blasted things down. Self defeating password policy. You could blame us for not having superhuman powers of recalling random character strings, but at the end of the day, humans are not machines - and people who come up with password policies need to be realistic.
If the users don't give enough of a shit to use strong passwords, why should anyone cry for them when they get haxx0rzed?
I like to think of a random song, then use the initials to the lyrics.
I had "oidltbbtss" once for a while (oh i do like to be beside the sea-side) - yeah, technically only one s at the end, but when singing it my mind, 2 was easier.
The problem with ENFORCING overly complicated password is that people end up writing them down
I do that as well but with phrases, first sentence from a book, sayings, poetry. Sometimes uppercase the first two letters or the first and last then add an underscore and number on the end.
as long as you store them securely.
All my most important passwords are written down and stored in a sealed envelope inside a safe.
Where have you written the combination to the safe?
it's in a text file which is encrypted with a strong passphrase.
"Persuading users to use stronger passwords is an age-old problem that dates back to the dawn of the PC era."
It's not an old problem, it's a new problem.
In the old days, you had about 3 passwords; you had to convince the user to make them strong. Once they were strong, you could use them for a long time because they were secure. Because you didn't change them, you could remember them.
Now, we all have a dozen or so passwords. If we make them strong, they're hard to remember. The harder they are to remember, the more likely we are to reuse them. Because some people use weak passwords, corporate policies add a layer of security by forcing us to change them every few months.
I can remember every password I had on the computers at uni, because I used them frequently for a long time. My password for the office PC expires so quickly that I've barely learnt it by the time I'm asked to change it. The cognitive load is high, and every time I sit back down and unlock my PC, I have to filter out "noise" from half-a-dozen old and "other system" passwords before I get to log in.
So my passwords are getting weaker all the time as it's the only way to remember them.
It is a new problem -- it just looks similar to an old one.
I have so many I have to write them down: in a GPG encrypted document on a USB stick. At least the password for that key is reasonably long
Let a reasonably difficult string be printed as a bar code on a convenient small card, or on a label to stick in a book, or a loose leaf binder.
Then let me show that card to my cheap PC digital camera in order to "type" the password.
Weaknesses, yes...
My employeer (10,000+ employees) introduced "strong" password policy similar to the one AC described, and they force them to be changed every 60 days. The result was that for the next six months, every second desk had a post it note with a weird word/number combination on it. Now days, most people I asked say they use a word that is visible on their desk and sufix with the digits with the month they are forced to change it in. I wonder how many in my company are using Intel01?
Storing password has become like storing credit card numbers. Outsource it and move on with your core competency...
Now there's a practical idea I will probably use and recommend in future!
The vast majority of users are completely unaware of the importance of password security, these are casual users or the not-as-IT-literate-as-us users. It's not their fault, we're in an age where you can distinctly seperate users into two groups: those who've grown up with IT and those who've lived most of their lives without it. It's the latter group who're responsible for most of these epic password fails whereas those of us who've been using computers since puberty are well aware of the risks.
Any organisation who requests a password should attempt at least a basic explanation of how to set a strong password and why it's important, most of these RockYou customers will have no idea that they've left themselves vulnerable.
Of course some organisations, including my bank (who I won't name for obvious reasons) who don't allow the use of special characters in passwords should be held to account for being so lax.
If the site isn't storing bank account information why should I use a strong password. I hate sites that require more then 6 characters to protect, well, nothing!
Use strong passwords on your bank account sites and email but nothing else. Even Amazon won't let you retrieve credit card info. The worst someone could do is order you a product.
As more and more employers are using google to find out about potential employees then it might be wise to ensure that noone can hack their social networking site accounts and update their list of hobbies with something they'd rather not be associated with. You won't even get to the interview stage to explain that your interest in goatse was the result of someone guessing your password and even if you did do you think they'd be impressed by the explantion? So either use a strong password or, like me, stay clear of such sites.
She wrote the article on this in the NY Times today, conflict of interest, or has she left El Reg?
Think of a colour.....think of an object...capitalize the first letter of each and put it together and swap out a few for numbers, voila!
R3dAer0plane
Gr33nB1ke
Purp1eB0ard
the list goes on and i doubt they are in a wordlist....
Sign up, sign up for The Register's weekly IT security newsletter - click here
