Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Sony Breach Reveals Users Lax With Password Security

Analysis of recent hacks finds that people commonly reuse logins and choose easy-to-crack passwords.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Who's got the better security, you or Sony?

Based on an analysis of SonyPictures.com users, half of passwords use fewer than eight characters, only 4% of passwords use more than three character types (uppercase, lowercase, numbers), and fewer than 1% of passwords use non-alphanumeric characters. Furthermore, two-thirds of people reuse their passwords on other websites.

Those findings come by way of software architect Troy Hunt, who analyzed the SonyPictures.com user account information recently released by the LulzSec hacking group. Based on that analysis "users continue to apply lousy password practices," he said in a blog post. "Sony's breach is Sony's fault, no doubt, but a whole bunch of people have made the situation far worse than it needs to be through reuse."

Indeed, while 17 different Sony websites may have been hacked in the past two months-- making the company, in the words of one security industry watcher, "a laughing stock amongst the hacking community," most Sony website users don't have anything to laugh at.

How prevalent is password reuse? To find out, Hunt looked at two of the Sony databases released by LulzSec, and found that they contained over 2,000 identical email addresses, meaning that "someone has registered on both databases," he said. But had they used different passwords? In fact, 92% of people used the same password. Perhaps, however, they were just reusing the same password on multiple Sony websites?

To find out, Hunt compared the 37,608 Sony passwords released by LulzSec, to data from last year's hack of Gawker by the Gnosis group, which led to 188,000 Gawker users' credentials being publicly disclosed.

"Although there were only 88 email addresses found in common with Sony (I had thought it might be a bit higher but then again, they're pretty independent fields), the results are still very interesting," said Hunt. Namely, 67% of people with accounts at both Sony and Gawker used the same password in both places. In other words, password reuse continues to be a problem.

Thankfully, people did at least choose relatively unique passwords. "There weren't a whole lot of instances of multiple people choosing the same password," said Hunt. In addition, the top 25 passwords seen--including "seinfeld," "password," and "123456"--only accounted for 2.5% of all passwords, while "80% of passwords actually only occurred once." Some choices, however, are better than others. For example, 36% of passwords that people chose are simply a word that appears in the dictionary, meaning that it would be easily susceptible to a dictionary attack.

Poor password practices, and people selecting relatively simple and thus easy-to-crack passwords, are nothing new. But security researchers say another significant problem is that too many websites don't properly enforce strong passwords, or properly secure stored passwords. As a result, thanks to rampant reuse of passwords, an attacker can compromise a poorly secured website, harvest user credentials, then use them to access more secure websites.

Of course, then there's Sony, which simply failed to encrypt passwords stored on a publicly accessible Web server, for example by using a cryptographic hash function such as MD5. "Sony has clearly screwed up big time here, no doubt," said Hunt. "The usual process with these exploits is to berate the responsible organization for only using MD5 or because they didn't salt the password before hashing, but to not even attempt to obfuscate passwords and simply store them in the clear? Wow."

In this special retrospective of recent news coverage, Dark Reading offers a look at the lessons learned from the most common database security mistakes and big-time breaches, as well as tips for how to avoid them. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.