Cybercrime: 2 Million Stolen Passwords

As technology students, you might want to be aware of an article Reuters published yesterday.

You can’t use the article as an excuse not to turn in your assignments, but I’m fine with you reading the article during class if you’d like to.

Security experts have uncovered a trove of some 2 million stolen passwords to websites including Facebook, Google, Twitter and Yahoo from Internet users across the globe.

Researchers with Trustwave's SpiderLabs said they discovered the credentials while investigating a server in the Netherlands that cyber criminals use to control a massive network of compromised computers known as the "Pony botnet."
>> Read the rest at Reuters >>

Here's an excerpt from SpiderLabs' analysis of what they found. Link provided courtesy of Reuters:

~2,000,000 Passwords

Since we couldn't think of anything to do with two million credentials for popular websites, social media, and email accounts, we decided to make some use of the quantity to look into users' password selection habits.

Unfortunately, the most commonly used passwords were far from what your CISO would like to see...
But not all hope is lost; it seems that more people are willing to go the extra mile and set a long password (if not a complex one – see image below). Back in 2006 only 17% had a password of 10 characters or longer. In 2013 we see an impressive ascent to 46%!


>> Read the rest at Spider Labs >>

I don't 100% agree with the comic. While "CORRECTHORSEBATTERYSTAPLE" may be a stronger password overall, it could easily be improved. Currently, that password has only one type of character: capital letters. "CorrectHorsebatterystaple" would be a stronger password because it has both uppercase and lowercase letters. "Correct.Horse&batterystaple!" would be even stronger due to the use of punctuation (&, ., and !). Add in numbers, "2Correct.3Horse&batterystaple!", and the password is still easy to remember but also very strong.

The only issue is that some websites or services don't allow long passwords, which is problematic. When I run into this issue, I turn the phrase into an acronym, so for this example: "2C.3H&bs!". It looks like gibberish, but because it stands for something silly that I've already memorized, it's not hard to remember.

Which one is actually better? Well, it depends. Some hackers create programs that simply try every possible character combination (called brute-force cracking), which means "2Correct.3Horse&batterystaple!" is stronger than "1C.2H&bs.". However, it's more common for hackers to try methods like word lists, pattern checking, or dictionary attacks. A dictionary attack tries words from a dictionary list first. So, if "correcthorsebatterystaple" and "2Correct.3Horse&batterystaple!" are too long a password, then the acronym should be pretty effective, since brute-force attacks aren't that common: they take longer to crack most passwords than word lists, pattern checking, or dictionary attacks do. Of course, this is only because hackers find these other methods more efficient than brute force, because most people create poor passwords.

So, what then? If the website allows long passwords, I'll normally create an easy-to-remember acronym, but I will type the acronym twice, once holding shift and once not. So, if my passphrase is "Five Flaming Giraffes Are Awesome!", my acronym becomes "5fgaa1" (the 1 is an exclamation point typed without holding shift); doubled, with shift held the second time, it becomes "5fgaa1%FGAA!", and now I have a password that's easy for me to remember but hard for a computer program to guess. Want to make it even harder to guess? Make a longer acronym, or type it three times instead: "5fgaa15fgaa1%FGAA!". Password done.
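As an added example (not part of the original post), here is Python code that implements the shift-doubling trick described above and compares the resulting passwords with the earlier ones on the two criteria the post discusses: the size of the brute-force search space, and whether a wordlist attack could assemble the password out of dictionary words. It assumes a US QWERTY keyboard layout for the shifted characters and uses a small constructed wordlist.

```python
from __future__ import annotations
import math
import string

# Characters produced when each unshifted key is typed with Shift held.
# Assumption (the post does not say): a US QWERTY layout; letters upper-case.
SHIFT_MAP = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%", "6": "^",
             "7": "&", "8": "*", "9": "(", "0": ")", "-": "_", "=": "+",
             ".": ">", ",": "<", ";": ":", "/": "?", "'": '"', "`": "~"}

def shift_double(acronym: str, repeats: int = 2) -> str:
    """The post's trick: type `acronym` `repeats` times, the last time with Shift held."""
    shifted = "".join(SHIFT_MAP.get(c, c.upper()) for c in acronym)
    return acronym * (repeats - 1) + shifted

def brute_force_bits(password: str) -> float:
    """Size in bits of the space an exhaustive search must cover, assuming the
    attacker already knows the length and which character classes appear."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(alphabet)

def segments_into_words(password: str, wordlist: set[str]) -> list[str] | None:
    """Words from `wordlist` that concatenate into the letters of `password`
    (case-folded, digits and symbols dropped), or None if no such split exists.
    Dropping non-letters models a wordlist attack with mangling rules that
    insert digits and symbols between words, so it also reaches the
    "2Correct.3Horse&..." variant, while a true acronym leaves nothing to split."""
    letters = "".join(c for c in password.lower() if c.isalpha())
    split: list[list[str] | None] = [[]] + [None] * len(letters)
    for end in range(1, len(letters) + 1):
        for start in range(end):
            if split[start] is not None and letters[start:end] in wordlist:
                split[end] = split[start] + [letters[start:end]]
                break
    return split[len(letters)] or None

if __name__ == "__main__":
    wordlist = {"correct", "horse", "battery", "staple"}  # constructed sample
    for pw in ("CORRECTHORSEBATTERYSTAPLE", "2Correct.3Horse&batterystaple!",
               "2C.3H&bs!", shift_double("5fgaa1"), shift_double("5fgaa1", 3)):
        print(f"{pw:32} {brute_force_bits(pw):6.1f} bits  "
              f"words={segments_into_words(pw, wordlist)}")
```

The bit counts only measure resistance to exhaustive search; the `segments_into_words` column shows why a long passphrase built from common words can still fall to a wordlist attack that the acronym resists.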

