Friday, June 8, 2012

LinkedIn leak lesson: top 30 dumb passwords

Internet users continue to make things very easy for hackers. A close inspection of a portion of the 6.5 million leaked LinkedIn passwords shows people keep making foolish password choices. In fact, the most commonly used phrase in the password set appears to be "link," according to Boston-based security firm Rapid7, which created a top 30 list for msnbc.com. The list was generated by studying a sample of 160,000 passwords from the 6.5 million that have been released on the Internet.

What hacker would ever guess that your LinkedIn password had the word "link" in it? Answer: All of them.

Second on the list of most common password phrases: "1234." And because LinkedIn required seven-letter passwords, "12345" wasn't far behind either, ranking sixth on the list (123456 was 15th). Rounding out the top 10 were "work," "god," "job," "angel," "the," "ilove," and "sex."

"We are seeing a trend of Internet users trying to use simplistic passphrases on Internet sites," said Marcus Carey, a security researcher at Rapid7. "They are (being hacked) because of the simple fact that many are using words that have been long considered bad passwords. Password-cracking algorithms include these bad passwords as a part of their recipe."

The top 30 list generated by Rapid7 contains partial passwords used by consumers. In other words, no one had to use the simple word "link" as a password; it was counted when it was part of a password, such as "BobLink" or "LinkPass." That might seem to mitigate the danger, but it doesn't offer much protection. Hackers spend hours guessing users' passwords, using tools that brute force their way through millions of combinations, and those tools take a common word as the starting point and try the remaining characters around it. If a hacker knows someone used a seven-character password, and that it begins or ends with "link," the bad guy only has to crack what is essentially a three-character password. That's exponentially easier. (How much easier? Assuming 94 possible password characters, based on the common keyboard layout, a three-character password offers about 830,000 possibilities; a seven-character password offers about 65 trillion. If the hacker doesn't know where "link" sits in the password, he simply tries each possible position in turn, which only multiplies the work by a handful.)
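The two ideas above, counting how often a phrase appears inside a set of leaked passwords and then using a known phrase to shrink the search space, as an added example in Python. This is not code from the article or from Rapid7: the password sample, the victim password and the choice of unsalted SHA-1 as the hash being attacked are all constructed here for illustration.

```python
"""Phrase-frequency analysis of a password sample, the resulting keyspace
arithmetic, and a brute-force attack on the unknown part of a password
whose known part ("link") came from that analysis.

Added example; the sample, the target password and the hash function are
constructed assumptions, not data from the LinkedIn leak."""
import hashlib
import itertools
import string
from collections import Counter

# The 94 printable ASCII characters: the keyboard-layout count the article uses.
CHARSET = string.digits + string.ascii_letters + string.punctuation
assert len(CHARSET) == 94

# Constructed stand-in for the 160,000-password sample Rapid7 studied.
SAMPLE = [
    "BobLink", "LinkPass", "linkedin1", "work1234", "mylink99", "godisgood",
    "job2012", "link!!!", "Angel123", "password", "Work4Me", "1234abc",
]


def phrase_counts(passwords, phrases):
    """Count how many passwords contain each candidate phrase (case-insensitive).

    As in the Rapid7 list, 'link' is counted whether it is the whole password
    or only part of one such as 'BobLink'. Returns (phrase, count) pairs,
    most common first."""
    counts = Counter()
    for pw in passwords:
        low = pw.lower()
        for phrase in phrases:
            if phrase in low:
                counts[phrase] += 1
    return counts.most_common()


def keyspace(unknown_chars, positions_for_known_word=1, alphabet_size=len(CHARSET)):
    """Number of candidates an attacker must try in the worst case.

    unknown_chars: characters the attacker does not know.
    positions_for_known_word: 1 when the known word's position is also known;
    otherwise the number of places it could sit, each needing its own sweep."""
    return positions_for_known_word * alphabet_size ** unknown_chars


def crack_with_known_prefix(target_hash, prefix, unknown_chars):
    """Brute-force the tail of prefix + tail against a stolen unsalted SHA-1 hash.

    Mirrors what a cracking tool does with a leaked hash file: hash every
    candidate and compare. Returns the recovered password, or None."""
    for tail in itertools.product(CHARSET, repeat=unknown_chars):
        candidate = prefix + "".join(tail)
        if hashlib.sha1(candidate.encode()).hexdigest() == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    print(phrase_counts(SAMPLE, ["link", "1234", "work", "god", "job", "angel"]))
    print(f"3 unknown chars, position known:   {keyspace(3):,}")
    print(f"3 unknown chars, word in any of 4 places: {keyspace(3, 4):,}")
    print(f"7 unknown chars:                   {keyspace(7):,}")
    # Constructed victim password; only its hash would sit in the leaked file.
    leaked = hashlib.sha1(b"link7x!").hexdigest()
    print(crack_with_known_prefix(leaked, "link", 3))
```

The cracking function is pure Python and still finishes a "link" plus three-character search in well under a minute on a laptop; a GPU cracker does the same work in a fraction of a second, which is why a common word inside a password buys almost nothing.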

"What people need to understand is that even with trusted sites such as LinkedIn there is still a possibility for massive compromise," Carey said. "The bigger the site, the more personal information is leaked, and the big boys on the block are the ones who are targeted the most."

This experiment has been done before. In fact, a company named SplashData compiles a "worst passwords" list annually from stolen passwords. You'll see a lot of overlap between that list and this LinkedIn list. That means people aren't learning. To that end, if you use any of the phrases on the list below to build your password, you should know that attaching "!!!" to the end doesn't make you safe; cracking tools try those suffixes automatically.

RED TAPE WRESTLING TIPS

It's important to note that even the strongest of passwords provided little defense against the LinkedIn hack (and the subsequently announced eHarmony hack). Bad guys stole the password files (in LinkedIn's case, unsalted SHA-1 hashes) directly from the companies involved. A password like "%R7^Tgh1" is very unlikely to be cracked out of such a file, but its strength does nothing to stop the file from being stolen, and once the file is in the open the only safe move is to change the password anyway. This doesn't lessen the lesson, however. Consumers still should do all they can to protect themselves, and they don't.

Words that are in the dictionary shouldn't be in your password, but unusual characters should be. Names on your Facebook page, such as your dog's name or high school mascot, shouldn't be in your password, either. That of course makes remembering your password a challenge, but here's a trick that security professionals recommend: think of a sentence that you can remember, and take the first letter of every word in the sentence as your password. For example: "My daughter Julie was born on November 1" would yield a password of "MdJwboN1." Throw in an exclamation point at the end to show your love for your daughter, and you have a pretty strong, unique password. Pick your own sentence, though: this one is now in print, and anything in print ends up in the crackers' word lists. For more tips, visit this page at US-CERT.
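The first-letter trick above, together with a check of a candidate password against the 30 phrases in this post, as an added example in Python. This is not code from the column or from US-CERT; the candidate passwords are constructed, and the censored entry at rank 13 is left out of the list because the post does not spell it.

```python
"""Build a password from the first letters of a memorable sentence, and
check any candidate password for the phrases in the Rapid7 top 30 list.

Added example; the candidate passwords below are constructed."""

# The phrases from the top 30 list in this post, lowercased. The censored
# rank-13 entry is omitted because the post does not give it in full.
BAD_PHRASES = [
    "link", "1234", "work", "god", "job", "12345", "angel", "the", "ilove",
    "sex", "jesus", "connect", "monkey", "123456", "master", "bitch", "dick",
    "michael", "jordan", "dragon", "soccer", "killer", "654321", "pepper",
    "devil", "princess", "1234567", "iloveyou", "career",
]


def mnemonic(sentence):
    """Return the first character of each word in the sentence.

    Leading punctuation on a word is dropped so that '"My' yields 'M';
    a numeral such as '1' is kept as itself."""
    letters = []
    for word in sentence.split():
        word = word.lstrip("\"'(")
        if word:
            letters.append(word[0])
    return "".join(letters)


def flagged_phrases(password, phrases=BAD_PHRASES):
    """Return every listed phrase that appears inside the password.

    The comparison is case-insensitive, and trailing decoration such as
    '!!!' does not hide a match, which is the point the column makes."""
    low = password.lower()
    return [p for p in phrases if p in low]


if __name__ == "__main__":
    pw = mnemonic("My daughter Julie was born on November 1") + "!"
    print(pw, flagged_phrases(pw))            # nothing flagged
    print("BobLink!!!", flagged_phrases("BobLink!!!"))  # 'link' still found
```

Because the list contains phrases nested inside one another ("1234" inside "12345", "ilove" inside "iloveyou"), a single weak password can be flagged several times; that is a feature, since each of those fragments is a separate entry in a cracking dictionary.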

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter.


Ranking   Password Phrase   Number of Times Appeared
1         link              941
2         1234              435
3         work              294
4         god               214
5         job               205
6         12345             179
7         angel             176
8         the               143
9         ilove             133
10        sex               119
11        jesus             95
12        connect           91
13        Fu**              85
14        monkey            78
15        123456            76
16        master            72
17        Bitch             65
18        Dick              60
19        michael           52
20        jordan            48
21        dragon            46
22        soccer            45
23        Killer            32
24        654321            32
25        pepper            31
26        Devil             30
27        princess          29
28        1234567           28
29        iloveyou          26
30        career            26
