Do you use any of the worst passwords of 2016?

Password sticky 123456 It is time to talk about passwords again. They are like the seatbelts of the security world. There are many more exciting security tools but few are as important to keeping you safe from the risks you encounter day to day.

Splash Data recently released their list of the most common passwords from 2016 based on over five million stolen and leaked credentials.

Clearly things have improved and password requirements and gotten more stringent because the winner is no longer 1234, which has dropped to #11. It is now 123456! Second place goes to that perennial favorite “password” and we see12345 in third place.

Rather than showing how stupid people are I think this shows just how many passwords we are asked to create, keep track of, and change. I have over 1500 passwords right now. Asking humans to create, manage, and remember unguessable and unique passwords for all those sites is absurd. Humans tend to fall back on a couple of strategies. Some people have one good password that they use on all of their important websites, and a really simple one for all the other websites. Other people will create a simple pattern for generating passwords for each site like adding a word to the name of the site. The password for Facebook might be “fluffy3Facebook!" and Wells Fargo might be "fluffy3WellsFargo!”. Those would pass most tests for length, capitalization, numbers, and special characters, but if an attacker was able to discover one of them they could easily guess all the others. Random passwords are the gold standard but long random passwords are very hard to remember. Pass phrases can make long passwords memorable but it is still very hard to remember a thousand of them without resorting to a simple pattern.

My suggestion is to use a password managers (also called password vaults) like 1Password, Dashlane, or LastPass. Any of these will store all of your passwords, make them securely available across your devices, and automatically fill them in on web forms. They will also generate long random passwords for you, which you never need to bother trying to remember. For example, a typical password for me would be "kGAg2{MgHm8[cvrG7WE=“ which is very strong.

I do still need to remember one password, the one that secures the passwords in the vault. That is where the pass phrase really shines. That one memorable phrase protects all the impossible to remember unique and strong passwords. That phrase could be something like “H8 it when Fluffy poops on the rug, but love him all the time!” which is easy to remember, very hard to guess, and you only need one.

If you do just one thing for your security this year, get a good password manager and start changing all of your passwords to be strong and unique every time you go to a site.

For the curious, here is the full list of the 25 most common passwords:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1

So many reasons to never buy a D-Link router

D Link Logo Blue strap edited If you care at all about security and privacy, a recent security analysis of the D-Link DWR-932 B LTE router will make your head explode.

Researcher Pierre Kim found an amazing set of security vulnerabilities that should embarrass a first year developer.

First, by default you and SSH and Telnet (yes Telnet!) into the router using the root or admin accounts. These accounts have preset passwords of “admin” and “1234” respectively. People, you should never set up fixed accounts like this, and if you do don’t use trivial passwords!

Of course it gets worse. There is also a backdoor on the routers. If you send “HELODBG” to port 39889 it will start a telnet demon which provides access to root without any authentication at all. My head is starting to look like the guys at the end of Raiders of the Lost Ark.

Just for fun they have a fixed PIN number for WiFi Protected Setup, many vulnerabilities in the HTTP daemon, major weakness in their over the air firmware updating, and anyone on the LAN can also create any port forwarding rule on the router for any port.

It is amazing that one product could have such a comprehensive set of catastrophic security failures. It certainly begs the question of how well they secure any of their other products.

Facebook "Like" not protected speech in Virginia

Courthouse News Service reports that a virginia judge has ruled Facebook "Likes" are not protected speech.

The case was related to employees of the Hampton VA sheriff's office who "Liked" the current sheriff's opponent in the last election. After he was re-elected, he fired many of the people who had supported his opponent.

The judge ruled that posts on Facebook would have been protected, but not simple Likes.

India asks social network sites to manually screen all posts.

The NYTimes.com reports that Kapil Sibal, the acting telecommunications minister for India is pushing Google, Microsoft, Yahoo and Facebook to more actively and effectively screen their content for disparaging, inflammatory and defamatory content.

Specifically Mr. Sibal is telling these companies that automated screening is insufficient and that they should have humans read and approve allmessages before they are posted.

This demand is both absurd and offensive.

  • It is obviously impossible for these companies to have a human review the volume of messages they receive, the numbers are staggering.
  • The demand for human review is either evidence that Mr. Sibal is completely ignorant of the technical realities involved, or this is an attempt to kill social media and their associated free wheeling exchanges of information and opinion.
  • There is no clear objective standard for "disparaging, inflammatory, and defamatory" content, so the companies are assured of getting it wrong in many cases putting them at risk.
  • The example of unacceptable content sighted by Mr. Sibal is a Facebook page that maligned Congress Party president Sonia Gandhi suggesting that this is more about preventing criticism than actually protecting maligned citizens.

"Private" YouTube videos expose thumbnail images

Thanks to a PrivacyBlog reader for pointing me to this article: Blackhat SEO – Esrun » Youtube privacy failure

It looks like it is easy to find thumbnail images from YouTube videos that have been marked private.

If you have any such videos, go back and check that you are comfortable with the information in the thumbnails being public, or delete the video completely.

Stolen Credit Card website hacked

Vendor of Stolen Bank Cards Hacked — Krebs on Security Brian Krebs has an interesting blog post on how all of the credit card information was stolen by a hacker from a website that sells stolen credit cards.

This is in the "don't know whether to laugh or cry" department.