- Posted January 8, 2014 by
This iReport is part of an assignment:
10 worst password mistakes people make
If you’re a registered Adobe customer, change your passwords now. They have been stolen and published on the Internet; someone even made a crossword puzzle out of them. This is a good time to examine which passwords you should NOT use.
Reusing a single password across different online services is a serious security issue. Even worse, millions of users make the same mistakes when inventing a new password. Let’s learn from those mistakes, taking the most popular passwords from the Adobe database as a recent example.
1. “Password”, “qwerty” and “123456”
Astonishingly, these very obvious passwords still top the popular-passwords list after all these years. In the Adobe database, the password “123456” takes first place, with over 2 million of the 150 million users choosing it. Second is the “much more complicated” password “123456789”, followed by the word “password” itself: 345,000 users selected “password” as their password. Also popular was the keyboard sequence “qwerty”, which holds 6th place.
2. Company or site name or its variations
You might think that the login “John” with the password “Facebook” is original. It is not. Of course, a service name might not be present in the dictionaries hackers use to brute-force passwords. However, an experienced attacker will definitely add such words to their wordlist (as we’ve seen in the Adobe case). This pattern appears in the passwords ranked #4, #9, #15 and #16 in the Adobe top-100: “adobe123”, “photoshop”, “adobe1” and “macromedia”.
3. Name=Password and other hints
Even though other providers might encrypt stored passwords much more effectively than Adobe did, it’s quite probable that a hacker will see the accompanying fields in the database without extra effort, and those have proven to be quite useful for password recovery. The fields in question are user name, email, password hint and so on. The worst case is a password that is exactly the same as the user name. Other “smart” tricks are quite impressive as well: some people write their password down in the password hint field, or provide such obvious hints as “1 to 6” or “Last First”.
4. Obvious facts
Facebook is a favourite hacker tool. Given the email address and user name of a victim, it’s very easy to run a Facebook search and solve password hints such as “dog”, “son’s name”, “birthday”, “work”, “mother’s maiden name”, “favourite band” and so on. About one third of all hints refer to family members and pets, with an additional 15% quoting the password directly or almost directly.
5. Simple sequences
The number of possible letter and digit combinations seems endless. However, people use this freedom in a very limited way: they have very strong “hints” in the form of the alphabet and the keyboard in front of them. This is how passwords like “abc123”, “00000”, “123321”, “asdfgh” and “1q2w3e4r” are born. If you discover a letter or digit sequence that is very easy to memorise, abandon it; it’s equally convenient for hacking and most likely already present in password dictionaries.
6. Basic words
According to various researchers, between one third and one half of all passwords are simple dictionary words, and they typically belong to the 10,000 most frequently used words of a language. Modern computers can try 10,000 passwords in a few seconds, which is why these passwords are totally unreliable. The Adobe top list contains a lot of passwords of this kind: “sunshine”, “monkey”, “shadow”, “princess”, “dragon”, “welcome”, “jesus”, “sex”, “god”.
7. Obvious modifications
To make dictionary-based brute-force attacks harder, most services require users to set their password according to specific rules, for example: at least 6 characters, an obligatory mix of upper- and lower-case letters, plus digits and special characters. But users have already found their way around those requirements. Almost always the first letter becomes the only uppercase one, while the most popular number-based modification is appending “1” to the end of the password. In the Adobe database, these tricks are combined with obvious words, resulting in quite bad passwords like “adobe1” and “password1”. The most popular special characters are exclamation marks and underscores.
8. Obvious modifications, part 2 (1337)
Thanks to the movie “Hackers” and other pop-culture artifacts, a wider audience is now aware of “hacker speak”, LEET (1337), in which some letters are replaced by similar-looking numbers or characters, along with other basic modifications. Making such replacements seems like a good idea, and passwords like “H4X0R” or “$1NGL3” look impressive. Unfortunately, they are not much harder to crack than the obvious “hacker” and “single”, because specialised password-cracking tools include a so-called mutation engine, which tries all the obvious modifications of each dictionary word.
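As an added example (not code from the original post), the checker below turns items 1, 2, 3, 5, 6, 7 and 8 above into a defensive test you could run on a candidate password at registration time. It goes beyond the post by doing what a mutation engine does in reverse: it strips trailing digits and symbols, undoes leet substitutions and then looks the normalised form up in a wordlist. The wordlists, site names and sample passwords are constructed and deliberately tiny; a real checker would load a large breached-password corpus.

```python
"""Check a candidate password against the mistakes listed in the post.

Added example, not code from the original post. The wordlists are
constructed and tiny; a real checker would load a breached-password corpus.
"""
import re

# Constructed sample lists (a real deployment would use a breached-password corpus).
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "abc123", "00000",
                    "123321", "asdfgh", "1q2w3e4r", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"password", "sunshine", "monkey", "shadow", "princess",
                    "dragon", "welcome", "jesus", "hacker", "single"}
SITE_WORDS = {"adobe", "photoshop", "macromedia"}          # item 2 examples from the post
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")
# Reverse map for the leet substitutions a mutation engine tries (item 8).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})
TRAILING_JUNK = re.compile(r"[0-9!_@#$%&.*\-]+$")           # "password1", "adobe123!"


def deleet(s: str) -> str:
    """Undo leet spellings so "$1NGL3" compares as "single"."""
    return s.lower().translate(LEET_MAP)


def _in_row(s: str) -> bool:
    """True if s is a contiguous run (either direction) along a keyboard row or the alphabet."""
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def is_simple_sequence(s: str) -> bool:
    """Item 5: keyboard/alphabet runs, repeated characters, mirrored and interleaved runs."""
    s = s.lower()
    if len(s) < 3:
        return False
    if len(set(s)) == 1:                                        # 00000
        return True
    if _in_row(s):                                              # qwerty, 123456, abcdef
        return True
    half = len(s) // 2
    if half >= 2 and s == s[::-1] and _in_row(s[:half]):        # 123321
        return True
    if len(s) >= 6 and _in_row(s[0::2]) and _in_row(s[1::2]):   # 1q2w3e4r
        return True
    return False


def audit_password(password: str, username: str = "", site: str = "", hint: str = "") -> dict:
    """Return {mistake number from the post: explanation} for every mistake found."""
    lower = password.lower()
    stripped = TRAILING_JUNK.sub("", lower)                     # drop a trailing "1", "!", "123"
    plain = {lower, stripped}                                   # item 7 normalisation
    leet = {deleet(lower), deleet(stripped)}                    # item 8 normalisation
    site_words = SITE_WORDS | ({site.lower().split(".")[0]} if site else set())
    findings = {}
    if lower in COMMON_PASSWORDS:
        findings["1"] = "one of the most common passwords"
    if any(w and w in lower for w in site_words):
        findings["2"] = "contains the site or company name"
    if username and lower == username.lower():
        findings["3"] = "password equals the user name"
    if hint and (lower in hint.lower() or hint.lower() in lower):
        findings["3"] = "password hint reveals the password"
    if any(is_simple_sequence(b) for b in plain | leet):
        findings["5"] = "keyboard, alphabet or digit sequence"
    if lower in DICTIONARY_WORDS:
        findings["6"] = "plain dictionary word"
    elif plain & DICTIONARY_WORDS:
        findings["7"] = "dictionary word with a trailing digit or symbol"
    elif leet & DICTIONARY_WORDS:
        findings["8"] = "dictionary word in leet spelling"
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; "adobe.com" stands in for whatever site is registering the user.
    for pw, kw in [("123456", {}), ("adobe123", {"site": "adobe.com"}),
                   ("John", {"username": "john"}), ("P@ssw0rd1", {}),
                   ("$1NGL3", {}), ("Tr0ub4dor&3", {})]:
        print(f"{pw:12} -> {audit_password(pw, **kw) or 'not flagged by these checks'}")
```

An empty result only means the password escaped these particular checks, not that it is strong: the wordlists here are a few dozen entries, whereas the mutation engines the post describes run against millions of words and many more transformation rules than the trailing-digit strip and leet map shown.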
9. Energetic sentences
In the modern world, longer passwords are always better, so a passphrase is considered better protection than a password. However, there are plenty of exceptions: very short and extremely predictable phrases. In the Adobe top-100 you can find “letmein”, “fuckyou” and “iloveyou”. Nothing to add.
10. Social security and other important numbers
These passwords are harder to guess. However, hackers will definitely spend additional effort on finding such numbers when they see a password hint of the “my social security number” type. Combined with a user name, birthdate and other Facebook-provided data, an SSN is usable for identity theft, which makes this kind of password very easy to monetise.
For more information on this topic, search for “Voice of Green Hats”.