Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

8/9/2019
10:00 AM
Sam Bocetta
Commentary

It's (Still) the Password, Stupid!

The best way to protect your identity in cyberspace is the simplest: Use a variety of strong passwords, and never, ever, use "123456" no matter how easy it is to type.

Stop me if you've heard this one before. Last year, billions of credentials were exposed due to thousands of data breaches. Many of the companies that were hacked didn't tell anyone until months after the fact, and the most common password exposed during these breaches was … 123456.

I know, right? Same old story.

At this point, I'd love to tell you that there was something new and exciting about these breaches. In some ways, there is: The poor security used by many large companies is under greater scrutiny than ever before. But in other ways, these exposures reinforce the advice that's been around for years: Choose a strong, unique password for every account and, where you can, don't rely on a password at all.

The most succinct summary of the scale of data breaches in 2018 comes courtesy of SpyCloud, a firm specializing in security analysis and anti-account-takeover solutions. It reports that in 2018 it recovered 3.5 billion credentials from 2,882 breached sources and cracked 87% of the password hashes contained in that data. (Hashes are not "decrypted"; they are recovered by guessing candidate passwords, hashing them, and comparing the results, which is what that 87% figure measures.)

A deeper analysis reveals more troubling factors. One is that it's not clear that many of the "data breaches" reported in the press last year were data breaches at all. In some cases, companies were collecting data that users had agreed to hand over; the best-known example is Facebook's controversial "Research" app, reported by TechCrunch, a data-collection app distributed to consumers under an Apple enterprise certificate that is licensed for internal corporate use only, and which Apple subsequently blocked. The second worrying issue is the ongoing prevalence of email phishing, which still accounts for the vast majority of account compromises, and for which a worrying number of people still fall.

And then we come to companies' responses to these breaches. MyFitnessPal, owned by Under Armour, had the credentials of roughly 150 million users stolen in a much-publicized breach, one that came to light only weeks after it had happened. Quora, in a similar attack, had the usernames, hashed passwords, and other data of 100 million users stolen.

Now, you might think that MyFitnessPal and Quora are hardly the most important accounts in your life, and that's true. Neither carries detailed financial information or personal photographs. The problem is that too many people use the same password for these apps as they do for all of their online accounts, and so a breach of even a "low-level" account can have huge consequences both in yielding access to other accounts and driving customers away from the affected company for good.

Password Hashing
It's also worth looking at how passwords were extracted from the data stolen from Quora and MyFitnessPal.

The stolen passwords were not stored in plaintext, as well they shouldn't be. Instead, the breached data contained password hashes: fixed-length values computed from each password by a one-way hash function. Many companies (including these two, it turns out) assume that this alone makes the passwords safe.

It doesn't. Or, rather, it would help a great deal if they were using the right algorithms. Unfortunately, the hash functions the two companies used, MD5 and SHA-1 respectively, are general-purpose hashes designed to be fast, not password-hashing functions such as bcrypt, scrypt, or Argon2, which are deliberately slow and salted per user. A hash cannot be "decrypted", but it doesn't need to be: an attacker hashes candidate passwords (starting with lists like the one below) and compares the results, and a single modern GPU can do that billions of times per second against MD5 or SHA-1. Free tools such as hashcat and John the Ripper do the work for them.
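The following is an added example, not code from the article or from either company, showing the difference in practice: a dictionary attack over a constructed four-user dump stored first as unsalted MD5 and then as a salted, iterated hash. The users, passwords, and the choice of PBKDF2-HMAC-SHA256 (standard library only; bcrypt, scrypt, or Argon2 are the usual production choices) are assumptions made for the example.

```python
"""Added example (not from the article): why unsalted MD5/SHA-1 password
hashes fall to a dictionary attack, and what a per-user salt plus an
iterated password hash changes. All users and passwords below are
constructed; nothing here is Quora's or MyFitnessPal's real data."""
import hashlib
import hmac
import os

# Top ten entries of the leaked-password list quoted in the article.
COMMON_PASSWORDS = ["123456", "123456789", "password", "qwerty", "12345",
                    "qwerty123", "1q2w3e", "123123", "111111", "12345678"]

# Constructed user table standing in for a breached credential dump.
USERS = {
    "alice": "123456",
    "bob": "qwerty",
    "carol": "123456",           # reuses alice's password
    "dave": "x4ivygA51F-Tq9!m",  # long random string, not in any wordlist
}


def fast_hash(password, algo="md5"):
    """Unsalted general-purpose hash, the way a site storing plain MD5 or
    SHA-1 would keep it. Identical passwords give identical hashes."""
    return hashlib.new(algo, password.encode()).hexdigest()


def crack_fast_hashes(leaked, wordlist, algo="md5"):
    """Dictionary attack on unsalted hashes: hash each candidate once and
    look it up against every leaked hash. Cost grows with the wordlist,
    not with the number of users."""
    table = {fast_hash(w, algo): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def pbkdf2_record(password, salt=None, iterations=20000):
    """Salted, iterated hash using PBKDF2-HMAC-SHA256 from the standard
    library. bcrypt, scrypt or Argon2 are the usual production choices;
    PBKDF2 is used here only because it needs no third-party package."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_pbkdf2(record, candidate):
    """Recompute the derived key with the stored salt and compare in
    constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2_records(leaked, wordlist):
    """Same dictionary attack against salted records. The per-user salt
    rules out a shared lookup table, so every (user, candidate) pair costs
    a full KDF run. Returns (cracked, number of KDF evaluations)."""
    cracked, work = {}, 0
    for user, record in leaked.items():
        for w in wordlist:
            work += 1
            if verify_pbkdf2(record, w):
                cracked[user] = w
                break
    return cracked, work


def demo():
    """Run both attacks over the constructed dump and report what each
    storage scheme gave away."""
    leaked_md5 = {u: fast_hash(p) for u, p in USERS.items()}
    cracked_fast = crack_fast_hashes(leaked_md5, COMMON_PASSWORDS)

    leaked_pbkdf2 = {u: pbkdf2_record(p) for u, p in USERS.items()}
    cracked_slow, work = crack_pbkdf2_records(leaked_pbkdf2, COMMON_PASSWORDS)

    return {
        # Unsalted: alice and carol are visibly the same password before
        # a single guess is made; salted records hide that.
        "reuse_visible_unsalted": leaked_md5["alice"] == leaked_md5["carol"],
        "reuse_visible_salted": leaked_pbkdf2["alice"] == leaked_pbkdf2["carol"],
        "cracked_unsalted": cracked_fast,
        "cracked_salted": cracked_slow,
        "kdf_runs_salted": work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note what the salted scheme does and does not buy: the three weak passwords still fall, because no hash can rescue "123456", but the attacker pays one full KDF run per user per guess instead of one cheap hash per guess for the whole dump, and reuse across accounts is no longer visible from the hashes alone.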

So, the companies involved in these hacks were certainly to blame, but only partially. A closer look at the data in the breaches also reveals that poor security practices on the part of users made the hackers' job a lot easier.

Password Reuse
To see why that is, it's worth looking at the most common passwords that were exposed during these breaches.

Here they are:

123456, 123456789, password, qwerty, 12345, qwerty123, 1q2w3e, 123123, 111111, 12345678,
1234567, 1234567890, abc123, anhyeuem, iloveyou, password1, 123456789, 123321, qwertyuiop, 654321,
123456, 121212, asdasd, 666666, zxcvbnm, 987654321, 112233, 123456a, 123123123, 123qwe,
11111111, aaaaaa, qwe123, dragon, 1234, 1q2w3e4r5t, reset, zinch, 25251325, monkey,
a123456, 1qaz2wsx, 1q2w3e4r, 123654, 159753, 222222, asdfghjkl, 147258369, 999999, 5201314,
123abc, qweqwe, 456789, 555555, 7777777, qazwsx, princess, qwerty1, 1111111, football,
j38ifUbn, asdfgh, 66bob, 888888, 163.com, 147258, asd123, azerty, sunshine, 789456,
3rJs1la7qE, 159357, michael, 789456123, 88888888, 1234qwer, daniel, Password, abcd1234, myspace1,
computer, 987654321, shadow, qqqqqq, 1234561, killer, superman, pokemon, 987654, master,
q1w2e3r4t5y6, baseball, 777777, 123456789a, charlie, 11223344, 333333, soccer, x4ivygA51F

It gets even worse when you realize that the kind of person who uses 123456 as a password is probably using this password for all of their online accounts.

And so the issue is not that someone gets access to a Quora account. It's that password reuse is still common practice despite password managers having gone mainstream, nearly all of which encrypt their vaults with AES-256. The best advice, besides letting a password manager generate and store a different password for every account, is to use a variety of strong passwords and never, ever, use 123456, no matter how easy it is to type.
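The check that follows that advice is to refuse passwords that already appear in the lists above or in a breach corpus of the kind SpyCloud compiles, without sending the password itself anywhere. This is an added example, not code from the article: it screens a candidate password against a subset of the article's list and against a breach corpus using the k-anonymity range scheme of the Have I Been Pwned "Pwned Passwords" API (the client sends only the first five hex characters of the SHA-1 and matches the remaining 35 locally). The range responses below are constructed stand-ins with made-up counts, so the example runs offline; the minimum-length value is an assumption.

```python
"""Added example (not from the article): screen a candidate password
against the article's common-password list and against a breach corpus
without revealing the password. The lookup follows the k-anonymity
scheme used by the Pwned Passwords API
(GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>);
the response bodies here are constructed stand-ins, not real API data."""
import hashlib

# Subset of the list quoted in the article, lower-cased for comparison.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "12345", "qwerty123",
    "1q2w3e", "123123", "111111", "12345678", "iloveyou", "password1",
    "dragon", "monkey", "sunshine", "princess", "football",
}

# Constructed range responses: one "<35-hex SHA-1 suffix>:<count>" per line.
# Counts are illustrative, not taken from the real service.
CONSTRUCTED_RANGES = {
    # sha1("123456") = 7C4A8D09CA3762AF61E59520943DC26494F8941B
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:1000\n"
             "D0A1B2C3D4E5F60718293A4B5C6D7E8F901:2\n",
    # sha1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:500\n",
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_range_lookup(prefix):
    """Stand-in for the HTTPS range request; returns the constructed body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password, range_lookup=offline_range_lookup):
    """k-anonymity check. Returns how many times the password appeared in
    the corpus, or 0 if the suffix is not in the returned range."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def evaluate_password(password, min_length=12,
                      range_lookup=offline_range_lookup):
    """Policy in the spirit of NIST SP 800-63B: a length floor plus a
    blocklist of known-compromised values, no composition rules.
    Returns (ok, reasons). min_length=12 is an assumed policy value."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    seen = breach_count(password, range_lookup)
    if seen:
        reasons.append("seen %d times in breach corpora" % seen)
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["123456", "password", "qwerty123",
               "a long passphrase nobody has used"]:
        print(repr(pw), evaluate_password(pw))
```

To run this against the real corpus, replace `offline_range_lookup` with a function that performs the HTTPS GET for the prefix and returns the response body; the matching logic does not change, and the full password never leaves the client.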


Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyber warfare, cyber defense, and cryptography. Previously, Sam was a defense contractor. He worked in close partnership with architects and ...
Comments

REISEN1955, User Rank: Ninja
8/12/2019 | 2:15:31 PM
Re: State Farm ran into the same problem
My password rules: unique and easy to remember, right? Well, all of us have hobbies, unique interests that we never forget.

Let us say you like Model T Fords; you have a ton of instant syntax years at your hand right now. The T was introduced in the year 1908.

We can combine facts here with data to make very, very good passwords. How about: M0del_T*L908

You can follow up years to 1927, end of production. These rules make for an endless and very good string of data to combine, easy and not hard to forget. Oh, then there is the Model A Ford too.

My 2 cents.

LukeHooper, User Rank: Apprentice
8/11/2019 | 7:04:50 AM
I visited and enjoyed your posts. This is a really amazing platform with nice news updates; thanks for the nice sharing.

tdsan, User Rank: Ninja
8/10/2019 | 4:51:32 PM
State Farm ran into the same problem
https://www.darkreading.com/endpoint/state-farm-reports-credential-stuffing-attack/d/d-id/1335487#msgs

In a Dark Reading post, State Farm had a problem with users using passwords that they had used before, and the actors pulled information from breached sites to assess the already-known logins.

I mentioned that if we added 1 character, 1 uppercase and 1 lowercase letter, 1 number, and incorporated MFA/2FA into the mix, we could increase the potential by:
  • (72 x 10)^14th power and add a 6-digit code to the equation

I am with you, it is not rocket science, it is something we need to utilize on a regular basis.

T