The UK tabloid News of the World was recently shut down on the back of the widespread phone-hacking scandal. Apart from being guilty of engaging in unethical journalism practices, this scandal revealed just how easy it is to hack certain services.
In the case of News of the World, journalists accessed voicemail by using a person’s phone number and a default PIN such as 1234 or 0000 (British mobile phones come with 0000 or 1234 as pre-set PIN codes).
Unless the user had pro-actively changed this default PIN, anyone could access their voicemail account using just their mobile number and the default PIN.
Weak passwords or apathy from users create widespread security vulnerabilities in a range of online services like Gmail, bank cards and mobile services.
PINs and passwords to watch out for
New York-based developer Daniel Amitay published an article titled “Most Common iPhone Passcodes” revealing the most common iPhone pass codes.
The most common passcode was 1234, mimicking the most common internet passwords. Other popular codes included 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998.
Online security firm Imperva released its analysis of 32 million online passwords in January 2010, detailing the most popular among them.
The study came about after popular social media portal RockYou.com made available a significant portion of its members’ passwords late last year after a major security breach.
Using this information the firm revealed the twenty most popular password phrases of the website’s users.
| Rank | Password | Number of users with password |
|------|----------|-------------------------------|
Many tech savvy users may laugh at the weak passwords, but even technical staff are guilty of selecting easy-to-guess passwords or even using default passwords.
In September 2010 Dragon Research Group (DRG) released the results of their “SSH password authentication insight and analysis” research, showing a surprising amount of weak usernames and passwords used by SSH users.
DRG points out that the Secure Shell (SSH) architecture is a set of protocols and tools that provide encrypted remote system login. SSH has largely replaced tools such as TELNET and rsh for most system administration needs and is widely used by more tech-savvy individuals.
“Often the weakest link in SSH configurations is the reliance on username and password authentication. When passwords are weak or easily guessed, other underlying SSH benefits are rendered worthless. Unfortunately, many SSH systems are susceptible to brute force password guessing and dictionary attacks,” DRG said.
The following table provides an overview of the most used SSH usernames and passwords:
DRG SSH Username and Password Authentication

| Most popular usernames | Most popular passwords |
|------------------------|------------------------|
Other popular passwords among the surveyed SSH users include the easily guessable: admin, abc123, passwd, qwerty, test, test123, root, linux, user, 1, and administrator.
Recommendations from Imperva on passwords
- Choose a strong password for sites where you care about the privacy of the information you store. Bruce Schneier’s advice is useful: “take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m’. That nine-character password won’t be in anyone’s dictionary.”
- Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can’t remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”
- Never trust a 3rd party with your important passwords (webmail, banking, medical etc.).
- Enforce strong password policy – if you give the users a choice, it is very likely that they would choose weak passwords.
- Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
- Make sure passwords are not kept in clear text. Always digest password before storing to the database.
- Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slow for any practical purposes even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
- Employ a password change policy. Trigger the policy either by time or when suspicion of a compromise arises.
- Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.
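The following is an added example (not code from Imperva, DRG or the original article) showing how three of the recommendations above fit together on the server side: a policy check that rejects the weak PINs and passwords listed on this page, salted iterated hashing instead of storing cleartext, and a per-account throttle that refuses logins after repeated failures. The denylist, the attempt limit and the lockout window are constructed values for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed denylist: the weak PINs/passwords named on this page (phone defaults, iPhone, RockYou, DRG SSH)
WEAK_PASSWORDS = {
    "1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212",
    "1998", "admin", "abc123", "passwd", "qwerty", "test", "test123", "root",
    "linux", "user", "1", "administrator", "password",
}
MIN_LENGTH = 9            # Schneier's "tlpWENT2m" example is nine characters
MAX_FAILURES = 5          # assumption: failed attempts tolerated per window
LOCKOUT_SECONDS = 300     # assumption: window / lockout length in seconds
PBKDF2_ITERATIONS = 200_000

def check_policy(password):
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the common/default password list")
    if password.isdigit():
        problems.append("digits only (PIN-style)")
    return problems

def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256: a leaked table is slow to crack offline."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

class LoginGuard:
    def __init__(self, store):
        self.store = store          # username -> (salt, digest); never cleartext
        self.failures = {}          # username -> timestamps of recent failures

    def attempt(self, username, password, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            return "locked"         # refuse without even checking the password
        record = self.store.get(username)
        if record and hmac.compare_digest(hash_password(password, record[0])[1], record[1]):
            self.failures[username] = []
            return "ok"
        recent.append(now)          # wrong password or unknown user: count it
        return "denied"
```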