Tag Archive for Weak passwords

RB | April 24, 2010
No comments

9 Year Old Hacks School System

ComputerWorld reports that officials at Fairfax County Public Schools thought they had a hacker on their hands. It was reported that someone was changing teacher passwords on the Falls Church, Virginia, school district’s Blackboard system. Blackboard (NASDEQ BBBB)  give teachers, students and parents a way to communicate and stay on top of homework assignments and class announcements over the Web. Blackboard’s web site says more than 5,000 K-12 and higher-education institutions nationwide use its software.

The District contacted local authorities when teachers’ and staff members’ reported their passwords were changed preventing access to their accounts because, according to ComputerWorld. Changes to content and enrollment information for some courses was also discovered. The local police investigated and pulled a search warrant for Cox Communications, the Washington Post reports. They traced the  IP address which accessed the Blackboard system to the McLean, Virginia physical address of the home of a 9-year-old student in Fairfax County Public Schools. The police initially suspected the student’s mother, but after interrogating both of them it became clear that the child was to blame.

Turns out that the Blackboard system was not hacked. The student had simply taken a teacher’s password from a desk and used it to change enrollment lists and other teachers’ passwords. “This was a case where an individual … got hold of a teacher’s password, and the passwords had administrative rights,” said Paul Regnier, a school board representative. “It was actually not a hack, unless you consider the fact that the 9-year-old took the teacher’s username and password from the desk a hack,” said Michael Stanton, Blackboard’s senior vice president of corporate affairs. Although there will be no criminal charges filed against the perpetrator, citing school policy, Regnier wouldn’t confirm that it is a student, the Fairfax school board is taking the incident seriously, Regnier said. “Nothing bad happened this time, but we have to make sure that … it doesn’t happen again,” he said.

rb-

This event correlated with the recent (04-14-10) Tufin Technologies survey results of the hacking habits of 1000 New York City teenagers. The survey found that 39% of the teens surveyed think hacking is “cool” and 16%, or roughly one in six, admitted to trying their hand at it. Only 15% of the entire sample has either been caught or knows someone who has – particularly disturbing considering 7% of young hackers reported they did so for money and 6% view it as a viable career path.

The big lesson here is of course, SECURE YOUR PASSWORDS

Category: Security | Tags: , ,
RB | January 30, 2010
No comments

Password Insecurity

The massive Rockyou.com breach reveals the weakness of most passwords.  The Rockyou.com breach provided  an opportunity to evaluate the true strength of passwords as a security mechanism. The  California based security firm Imperva analyzed the stolen cache of 32 million passwords and the results are not pretty.  According to researchers, the majority of passwords are eight or fewer characters and nearly 30% of passwords were six characters or less. They also found Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on) and 20 percent are from a pool of 5,000 passwords. The ten most common passwords used were:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

“The problem has changed very little over the past 20 years,” explained Imperva’s CTO Amichai Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security. It’s important to point out that, the same password “123456” also topped a similar chart based on statistical analysis of 10,000 Hotmail passwords published in October, 2009 by Acunetix.

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Shulman in a press release.

For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.

The rest of the passwords rated by popularity:

Some of the lessons that firms can lead from the Imperva research are: 1) Most users implement short passwords which lack a lower-capital-numeric characters mix or trivial dictionary words which every decent brute forcing/password recovery application can find in a matter of minutes.  A hacker will typically take 17 minutes to gain access to 1000 accounts. 2) Strong password algorithms must be coupled with longer passwords that contain a mix of letters, numbers, and, where possible, punctuation. 3) Firms should emulate the Twitter’sbanned passwords” list consisting of 370 passwords that are not allowed to be used. The analysis  proves that most people don’t care enough about their own online security to give more than a fleeting thought when choosing the password which secures access to their accounts.  This research shows why firms must take proactive actions to manage their users choices in passwords.

PASSWORD RELATED SECURITY BEST PRACTICES:

• All passwords are to be treated as sensitive, confidential corporate information.
• D0n’t use the same password for corporate accounts and non-corporate accounts (e.g., Facebook, Twitter, personal ISP account,  etc.).
• If someone demands a password call someone in the Information Security Department.
• Change passwords at least once every four months.
• Do not use the “Remember Password” feature of applications (e.g., Eudora, OutLook, Netscape Messenger).
• If an account or password is suspected to have been compromised, report the incident and change all passwords.

Strong passwords characteristics:
• At least eight (8) alpha- numeric characters
• At least one numeric character (0-9)
• At least one lower case character (a-z)
• At least one upper case character (A-Z)
• At least one non-alphanumeric character* (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored on-line.

Password  “dont’s”:
• Don’t reveal a password over the phone to ANYONE
• Don’t reveal a password in an email message
• Don’t reveal a password to the boss
• Don’t talk about a password in front of others
• Don’t hint at the format of a password (e.g., “my family name”)
• Don’t reveal a password on questionnaires or security forms
• Don’t share a password with family members
• Don’t reveal a password to co-workers while on vacation

OTHER PASSWORD RELATED SECURITY BEST PRACTICES:
• Account Lockout: all systems should be set to “lock out” a user after a maximum of 5 incorrect password or failed login attempts
• Lockout Threshold: all systems should have a minimum “lock out” time of five (5) minutes
• Password History: systems should be configured to require a password that is different from the last ten (10) passwords

Category: Security | Tags: , ,
 

Switch to our mobile site