Do you use any of the worst passwords of 2016?

It is time to talk about passwords again. They are like the seatbelts of the security world. There are many more exciting security tools but few are as important to keeping you safe from the risks you encounter day to day.

Splash Data recently released their list of the most common passwords from 2016 based on over five million stolen and leaked credentials.

Clearly things have improved and password requirements have gotten more stringent, because the winner is no longer 1234, which has dropped to #11. It is now 123456! Second place goes to that perennial favorite “password”, and we see 12345 in third place.

Rather than showing how stupid people are, I think this shows just how many passwords we are asked to create, keep track of, and change. I have over 1500 passwords right now. Asking humans to create, manage, and remember unguessable and unique passwords for all those sites is absurd. Humans tend to fall back on a couple of strategies. Some people have one good password that they use on all of their important websites, and a really simple one for all the other websites. Other people will create a simple pattern for generating passwords for each site, like adding a word to the name of the site. The password for Facebook might be “fluffy3Facebook!” and Wells Fargo might be “fluffy3WellsFargo!”. Those would pass most tests for length, capitalization, numbers, and special characters, but if an attacker was able to discover one of them they could easily guess all the others. Random passwords are the gold standard, but long random passwords are very hard to remember. Pass phrases can make long passwords memorable, but it is still very hard to remember a thousand of them without resorting to a simple pattern.

My suggestion is to use a password manager (also called a password vault) like 1Password, Dashlane, or LastPass. Any of these will store all of your passwords, make them securely available across your devices, and automatically fill them in on web forms. They will also generate long random passwords for you, which you never need to bother trying to remember. For example, a typical password for me would be “kGAg2{MgHm8[cvrG7WE=”, which is very strong.

I do still need to remember one password, the one that secures the passwords in the vault. That is where the pass phrase really shines. That one memorable phrase protects all the impossible-to-remember, unique and strong passwords. That phrase could be something like “H8 it when Fluffy poops on the rug, but love him all the time!”, which is easy to remember, very hard to guess, and you only need one.

If you do just one thing for your security this year, get a good password manager and start changing all of your passwords to be strong and unique every time you go to a site.

For the curious, here is the full list of the 25 most common passwords:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1
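A password check built on the list above, as an added example (not code from the original post or from any password manager named here): it rejects not just the 25 strings themselves but the trivial variants an attacker's wordlist rules would try first, such as a capital letter, a trailing "123!", or leet substitutions like "passw0rd". The policy values are constructed for the example.

```python
import re

# The 25 passwords from the SplashData 2016 list quoted above.
WORST_2016 = [
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome",
    "solo", "abc123", "admin", "121212", "flower", "passw0rd", "dragon",
    "sunshine", "master", "hottie", "loveme", "zaq1zaq1", "password1",
]
BLOCKED = {p.lower() for p in WORST_2016}

# Common "leet" substitutions, reversed, so "p@ssw0rd" collapses to "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def password_roots(candidate):
    """Yield the forms of `candidate` that a cracking wordlist with simple
    mangling rules would cover: lower-cased, with any trailing digits or
    punctuation removed, and with leet characters undone."""
    lowered = candidate.lower()
    yield lowered
    stripped = re.sub(r"[\W\d_]+$", "", lowered)  # "password123!" -> "password"
    if stripped:
        yield stripped
    for form in (lowered, stripped):
        if form:
            yield form.translate(LEET)


def check_password(candidate, min_length=12):
    """Return None if the candidate passes, otherwise a short reason.
    The minimum length is a constructed policy value for this example."""
    for form in password_roots(candidate):
        if form in BLOCKED:
            return f"derived from common password '{form}'"
    if len(candidate) < min_length:
        return f"shorter than {min_length} characters"
    return None
```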

Dropbox and bad password hygiene

The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.

GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.

If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.

The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.

The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.

https://www.youtube.com/watch?v=XS7cyv_4o8A


Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

2 Apple security fumbles: Random MAC and Password Prediction

Apple is getting taken to task for a couple of security issues.

First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to a WiFi network. This allows your phone to identify known networks and to use WiFi for enhanced location information without revealing your identity or allowing you to be tracked. Unfortunately the MAC only changes when the phone is sleeping, which is really rare with all the push notifications happening all the time. The effect is that the “random” MAC addresses are changed relatively infrequently. The feature is still good, but needs some work to be actually very useful.

Second, people are noticing their passwords showing up in Apple’s iOS 8 predictive keyboard. The keyboard is designed to recognize phrases you type frequently so it can propose them to you as you type, thus speeding message entry. The problem is that passwords often follow user names, and may be typed frequently. Research suggests that the problem comes from websites that fail to mark their password fields. Apple is smart enough to ignore text in known password fields, but if it does not know that a field is a password, then the learning happens. It is not clear that this is Apple’s fault, but it is still a problem for users. Auto-fill using the latest version of 1Password should protect against this.

https://www.youtube.com/watch?v=ceC9jMIpszI


A tale of bad passwords and nude photos.

The Internet is on fire with discussions of the recent release of stolen nude photos of over 100 female celebrities. This is a massive invasion of their privacy, and it says something sad about our society that there is an active market for such pictures. While this particular attack was against the famous, most of us have information in the cloud that we would like to stay secret.

While there is not a definitive explanation of the breach the current consensus is that it was probably caused by a vulnerability in Apple’s “Find My iPhone” feature. Apparently the API interface to this service did not check for multiple password failures, a standard security practice. This allowed attackers to test effectively unlimited numbers of passwords for each of the accounts they wanted to access.

Because most people use relatively weak passwords, this attack is quite effective. Once they gained access to the accounts, they could sync down photos or any other information stored in iCloud.
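The missing control described above, checking for multiple password failures, as an added example (not Apple's code or any real API): a per-account throttle that counts recent failures and refuses further attempts for a lockout period, replayed over a constructed stream of login attempts. The window, failure limit and lockout length are assumed values.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600    # look back ten minutes (assumed policy values)
MAX_FAILURES = 5        # failures allowed per account in that window
LOCKOUT_SECONDS = 900   # refuse attempts for 15 minutes after the limit


class LoginThrottle:
    """Per-account failed-attempt limiter; timestamps are seconds."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> time lockout ends

    def allow(self, account, now):
        """True if the account may attempt a login at time `now`."""
        if self.locked_until.get(account, 0) > now:
            return False
        recent = self.failures[account]
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()                # forget failures outside the window
        return True

    def record(self, account, now, success):
        """Update state after the password has actually been checked."""
        if success:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS


def replay(events):
    """Feed (account, seconds, password_correct) events through the throttle
    and return how many guesses were actually evaluated per account."""
    throttle, evaluated = LoginThrottle(), defaultdict(int)
    for account, ts, correct in events:
        if not throttle.allow(account, ts):
            continue                        # rejected before the password is checked
        evaluated[account] += 1
        throttle.record(account, ts, correct)
    return dict(evaluated)


# Constructed input: 20 wrong guesses in 20 seconds against one account, the
# owner logging in correctly a minute later, and another user with one typo.
EVENTS = [("target@example.com", t, False) for t in range(20)]
EVENTS += [("target@example.com", 60, True),
           ("other@example.com", 5, False), ("other@example.com", 30, True)]
```

Only five of the twenty guesses reach the password check; note that the owner's correct login at second 60 is refused too, since a lockout also denies the legitimate user until the window passes.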

Of course, the first rule of secrecy is: If it does not exist, it can’t be discovered.

If you do want to create something that you would be pained to see released publicly, then make sure you keep close control of it. Store it locally, and encrypted.

Wherever you keep it, make sure it has a strong password. Advice for strong passwords has changed over time because of the increasing speed of computers. It used to be that fancy mnemonics would do the trick, but now the fundamental truth is: if you can remember it, it is too weak.

This is particularly true because you need to be using completely different passwords for every website. Modifying one good password in a simple, obvious way for each website is just as obvious to an attacker. It might prevent brute force attacks, but if some other attack gives access to one of your passwords, the attacker will be able to easily guess your password on all other websites.

You need to be using a password manager like 1Password (Mac), LastPass, Dashlane, etc. Let the password manager generate your passwords for you. This is what a good password should look like: wL?7mpEyfpqs#kt9ZKVvR

Obviously I am never going to remember that, but I don’t try. I have one good password that I have taken the time to memorize, and it unlocks the password manager which has everything else.

UPDATE: There appears to be some question about whether this vulnerability is actually to blame.

"The Big Hack, or maybe not..." — The Social Network Station


On Friday I was asked to come on The Social Network Show to talk about the facts and questions surrounding the theft of over 1 billion passwords.


The one thing you need to do about password breaches


The recent eBay password compromise is just the latest in a string of similar attacks. Each time we hear a call for people to change their passwords. Sometimes the attacked company will require password changes, but more often it is just a suggestion; a suggestion that a majority choose to ignore.

Further exacerbating the problem is the tendency of people to use the same username and password across many different websites. Even if a compromised website does require a password change on that site, it has no way of forcing users to change their passwords on any other sites where the same password was used. This matters because a smart attacker will try any username / password pairs he discovers against a range of interesting websites of value, like banks. Even though the compromise may have been on an unimportant website, it could give access to your most valuable accounts if you re-used the password.

The burden on the user can also be significant. If a password is used on 20 websites, then after a compromise it should be changed on all 20 (ideally to 20 different passwords this time). People who maintain good password discipline only need to change the one password on the single compromised website.

Trying to remember a large number of strong passwords is impossible for most of us. Some common results are that the passwords are too simple, the passwords all follow a simple and predictable pattern, passwords are re-used, or some or all of these at once.

Many companies and standards organizations are working hard to replace the password with a stronger alternative. Apple is using fingerprint scanners in its latest phones, and tools like OAuth keep the actual password (or password hash) off the website entirely. Two factor authentication adds a hardware device to the mix, making compromise of a password less damaging. So far many of these approaches have shown promise, but all have some disadvantages or vulnerabilities, and none appear to be a silver bullet.


For now, best practice is to use a password vault. I use 1Password, but LastPass, Dashlane, and others are also well regarded. Create unique long random passwords for every website (since you no longer need to actually remember any of them). Don’t wait. If you are not using one of these tools, get it and start using it now.


The Privacy Blog Podcast – Ep.9: Government Surveillance Programs, Facebook Shadow Profiles, and Apple’s Weak Hotspot Security

Welcome to the June edition of the Privacy Blog Podcast, brought to you by Anonymizer. In June’s episode, I’ll discuss the true nature of the recently leaked surveillance programs that have dominated the news this month. We’ll go through a quick tutorial about decoding government “speak” regarding these programs and how you can protect yourself online.

Later in the episode, I’ll talk about Facebook’s accidental creation and compromise of shadow profiles along with Apple’s terrible personal hotspot security and what you can do to improve it.

Thanks for listening!

Picking Powerful PINs

Despite all the work on dual factor authentication and other new security methodologies, in general our passwords are the keys to the kingdom.

In many cases, such as at ATMs, we are limited to 4 digit numeric PINs.

This post on DataGenetics does a good job of analyzing how bad we are at picking PINs and how easy we make things for the attackers.

It is worth a read.

Short answer: you can hack over 10% of accounts by guessing "1234".