Category: Fails

Adobe’s Top 20 Passwords

Avinash Kaushik:

Adobe was hacked recently and of course someone smart is going to analyze the data to find insights. My favourite one was the top 20 passwords used by Adobe users.

38 million records were lost by Adobe, though the original number was said to be 2.9 million. 1.9 million people used 123456 as their password!

Here’s the image he included with his post:

[Image: table of the top 20 passwords from the Adobe breach, not reproduced here]

Yes, people are stupid and these are ludicrously bad passwords. Shame on them.

But shame on Adobe for accepting these passwords at sign-up in the first place. Hack or no hack, a password like 123456 falls to an online guessing attack in a handful of attempts, and a check against a list of the most common passwords at registration would have cost Adobe almost nothing.
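What that registration-time check looks like, as an added example (not Adobe's code or anything from the original post): reject a candidate password if it is on a common-password blocklist, too short, or contains the account name, and report every reason at once so the form can explain itself. The blocklist here is a constructed sample (only "123456" comes from the post), and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed sample blocklist: a handful of entries of the kind an
# Adobe-style breach analysis puts at the top of the table. A real check
# would load a large breached-password list from disk; only "123456" here
# comes from the post itself.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty",
    "abc123", "letmein", "welcome", "iloveyou", "photoshop",
}

# Assumed policy minimum; the post names no specific length.
MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Fold the variants users reach for when a bare word is rejected:
    case, and trailing digits/punctuation ("Password1!" -> "password").
    All-digit passwords are returned unchanged so "123456" still matches."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core or password.lower()


def check_password(password: str, username: str,
                   blocklist=COMMON_PASSWORDS, min_length: int = MIN_LENGTH):
    """Return a list of reasons the password is unacceptable; empty means OK.
    Reporting every failure at once lets the sign-up form explain itself."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in blocklist or normalize(password) in blocklist:
        problems.append("on the common-password blocklist")
    # Compare against the local part of an e-mail style username too.
    local = username.split("@", 1)[0].lower()
    if len(local) >= 3 and local in password.lower():
        problems.append("contains the account name")
    return problems


def is_acceptable(password: str, username: str) -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    for pw in ("123456", "Password1!", "alice2013-wonderland",
               "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, 'alice@example.com') or 'ok'}")
```

The normalization step matters more than it looks: a blocklist that only matches exact strings is defeated by "Password1!", which is the first thing a user types when "password" is refused.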

Category: Markel!

Password Attacks and Good Account Policy

A lot of digital ink has been spilled regarding the supposedly surprising revelation that there is a concentrated effort going on by an apparent botnet to “hack” into your WordPress installation. Some of the better and/or more interesting writeups have been:

It’s important to think about why this attack is happening, and I don’t mean what the eventual goal of the botnet might be. For the attack to be worth running, the yield of compromised sites has to justify the time and resources spent building and operating the botnet.

Is it happening because the sites in question are running WordPress? Almost certainly not.

It’s happening because users don’t follow good password practices.

I’ll say that again: it’s not happening because WordPress is inherently insecure; it’s happening because you and I have a habit of creating, picking, and using crappy passwords.

Krebs posted a link to the list of credentials currently known to be used in this attack, which you can find here. Take a look at it: if you have ever dealt with login attempts against a server, it will look familiar. The vast majority of the usernames being tried are admin, and the passwords are by and large the ones that top the most-common-password lists for every web service in existence, not just WordPress.com.
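This is what the attack looks like from the server side, as an added example that is not part of the original post. The constructed Apache-format log below has one noisy source and four sources that each make a single attempt, which is the botnet pattern. WordPress answers a wrong password by re-rendering the login form (HTTP 200) and a correct one with a redirect (HTTP 302), so status alone separates failures from successes. A per-IP threshold (the fail2ban style rule) catches the noisy source; the site-wide count is what catches the distributed one. The threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one noisy source, four one-shot sources (the botnet
# pattern), a normal page view and one successful login (302).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2013:09:00:01 +0000] "GET /2013/04/hello/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
192.0.2.21 - - [11/Apr/2013:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
192.0.2.22 - - [11/Apr/2013:09:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
192.0.2.23 - - [11/Apr/2013:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
192.0.2.24 - - [11/Apr/2013:09:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Apr/2013:09:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def failed_logins(lines):
    """Return (ip, timestamp) for each failed wp-login.php attempt.
    A POST that gets a 200 back is the form being re-rendered, i.e. a failure."""
    attempts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith("/wp-login.php") or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts.append((m["ip"], ts))
    return attempts


def _peak_in_window(stamps, window):
    """Largest number of events falling inside any span of length `window`."""
    stamps = sorted(stamps)
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_sources(attempts, threshold=5, window=timedelta(minutes=1)):
    """Per-IP rule of the kind fail2ban applies: sources with `threshold`
    or more failures inside one window. Threshold/window are assumed values."""
    by_ip = defaultdict(list)
    for ip, ts in attempts:
        by_ip[ip].append(ts)
    return {ip for ip, stamps in by_ip.items()
            if _peak_in_window(stamps, window) >= threshold}


def site_peak(attempts, window=timedelta(minutes=1)):
    """Failures across all sources inside one window. A botnet spreading a
    few guesses over many IPs stays under the per-IP rule but not this one."""
    return _peak_in_window([ts for _, ts in attempts], window)


if __name__ == "__main__":
    attempts = failed_logins(SAMPLE_LOG.splitlines())
    print("failed attempts:", len(attempts))
    print("per-IP offenders:", flag_sources(attempts))
    print("site-wide peak per minute:", site_peak(attempts))
```

On the sample, the per-IP rule flags only 198.51.100.7, while the four 192.0.2.x hosts each stay at one attempt and would never trip it; the site-wide peak of nine failures in under a minute is the signal that something distributed is going on.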

As the Sucuri blog points out, there are a couple of passwords in there that don’t make a ton of sense compared to the common password list, like these:

6160 [pwd] => #@F#GBH$R^JNEBSRVWRVW
5392 [pwd] => $#GBERBSTGBR%GSERHBSR
5058 [pwd] => %G#GBAEGBW%HBFGBFXGB
5024 [pwd] => RGA%BT%HBSERGAEEAHAEH
4861 [pwd] => aethAEHBAEGBAEGEE%

Nobody guesses strings like those; they look like real passwords lifted from another site’s breach and replayed here. Which is the point: it’s not enough to have one strong password. You need a different one for every site. I’ll illustrate with a short story about this happening to me. Remember last year, when LinkedIn and last.fm had a couple of security breaches and they (or at least last.fm) told people it was possible that username and password information had been stolen?

I know from personal experience that they had, because some of my accounts were accessed by people who weren’t me. At the time, I used a single “low security” email and password combination on every site that I considered to be lower in personal priority. Within a few days of the last.fm breach, I started receiving emails from some other services that I didn’t remember asking for. I looked into it, first logging in to my account with EA/Origin (because I knew it was one of those other accounts that shared that email and username combination).

When I did, I found that my EA account was set to display in Russian. It had been accessed using a reverse brute force attack, where the attackers had my combination of email address and password from the last.fm breach and were trying to use it on every web service they could find. Once they knew the combination was valid, it was dumped into a list and used by who knows how many people, trying to see if it gave them access to other accounts.

After going through this—and the associated panic at not knowing which of my accounts were affected—I no longer consider any service or web app I use to be low priority. You shouldn’t, either.

To protect yourself from these kinds of attacks, there are some very simple, slightly paranoid rules you should follow:

  • Don’t use a common password. A good list of these is in this post about common Twitter passwords from a few years back.
  • Avoid single dictionary words. If you want something memorable, use a passphrase of several unrelated words instead; its length is what makes it strong.
  • Use a combination of letter case, numbers, and symbols if you’re not using a passphrase.
  • Don’t use the same password for more than one site. I can’t stress this enough. Use a password manager that encrypts its database under a master password of its own, like 1Password or KeePass.
  • Use 2-factor authentication wherever you feasibly can. Google offers this for all accounts. For WordPress, there are a few good plugin options, and on WordPress.com, we offer 2-factor as an option for all users.
  • When you set up a new WordPress installation, don’t use admin as your username. Pick something else.
  • For self-hosted WordPress installations, know where your security keys and salts live (wp-config.php) and how to change them if you suspect a breach. New keys invalidate every existing login cookie, including any an attacker is holding.
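Rotating those keys by hand means pasting eight new values into wp-config.php without breaking the PHP quoting. As an added example (not WordPress’s own tooling, and not from the original post), the script below regenerates all eight constants in place, refuses to write a config that is missing any of them, and avoids the two characters that would terminate a PHP single-quoted string. The wp-config.php fragment it runs against is constructed from the default placeholder text; the 64-character length and the alphabet are assumptions, chosen to be at least as strong as what WordPress’s own generator emits.

```python
import re
import secrets
import string
import sys

# The eight constants WordPress keys its auth cookies and nonces with.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Letters, digits and punctuation minus the two characters that would break
# a PHP single-quoted string: the quote itself and the backslash. (Assumed
# alphabet; WordPress's own generator uses a similar set.)
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

# Matches  define( 'AUTH_KEY', '...' )  for any of the eight names, tolerant of spacing.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>" + "|".join(WP_KEYS) + r")'\s*,\s*'(?P<value>[^']*)'\s*\)"
)


def generate_salt(length: int = 64) -> str:
    """64 symbols from a ~90-character alphabet is well over 400 bits of entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text: str):
    """Return (new_config_text, {name: new_value}) with every key replaced.
    Raises if any of the eight is absent so a partial rotation can't be
    written back silently and leave stale keys in service."""
    new_values = {}

    def replace(m):
        name = m["name"]
        new_values[name] = generate_salt()
        # Callback return values are inserted literally, so no escaping issues.
        return f"define( '{name}', '{new_values[name]}' )"

    rotated = DEFINE_RE.sub(replace, config_text)
    missing = set(WP_KEYS) - set(new_values)
    if missing:
        raise ValueError(f"wp-config.php lacks: {', '.join(sorted(missing))}")
    return rotated, new_values


# Constructed fragment in the shape of wp-config-sample.php's placeholders.
SAMPLE_CONFIG = "\n".join(
    f"define( '{name}', 'put your unique phrase here' );" for name in WP_KEYS
) + "\n"


if __name__ == "__main__":
    # Usage: python rotate_salts.py /path/to/wp-config.php   (keeps a .bak copy)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    rotated, _ = rotate_salts(text)
    if path:
        open(path + ".bak", "w").write(text)
        open(path, "w").write(rotated)
    else:
        print(rotated)
```

Run it and every logged-in user, including anyone sitting on a stolen cookie, is logged out on their next request; that is the point of doing it after a suspected breach, and also why you warn your users first.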

Krebs posted a link to the password policy page on the WordPress.com support site (for which I feel a bit of pride because I helped write its current incarnation), which goes into more detail and starts with easy stuff you can do and moves on to more complicated options. If you want more tips, I suggest you check it out.

Remember that the best option for protecting yourself from password-based attacks is simply to have good personal password policies and stick to them. For any service that uses a single authentication factor, it’s your job to make that factor strong when you create it and keep it that way.

Category: Markel!

Logins: Roll Your Own

We know now that Mat Honan’s account compromise came down to Apple’s support policy, which handed over account access on the strength of easily obtained personal details, but this bit from Daniel Jalkut’s post about the situation holds true regardless:

One way to protect yourself is by declining to delegate authentication to third parties. When enrolling in a new service that offers Twitter or Facebook authentication, I usually go through the nuisance of creating a new account instead. That way I can choose a unique passphrase, and store that in my keychain. I prefer this to allowing numerous items to be implicitly added to my Twitter or Facebook “keychain.” Don’t put all your eggs in one basket, as they say. (Well, that’s what I’m doing with my keychain, but I am empowered to personally protect it and to back it up as I see fit.)

This is a strong argument against permitting multiple login “vectors” from social services into your web service. Letting users link a Twitter or Facebook account so your service can read their contacts or post on their behalf is fine; letting that linked account log them in means a compromise of the social account is a compromise of yours too.

And you should never use the same password twice across services. The last.fm/LinkedIn password craziness should have taught everyone that.