It's no wonder...
...a high percentage of the passwords on the list were poor or weak.
They were poor and weak.
Data from the Hotmail phishing attack proves that consumer password security remains pants. The most common single password in the sample of 10,000 purloined Live ID login credentials posted as a text file to developer site PasteBin.com was "123456", something only marginally more secure than the traditional favourite " …
So your password list gets nicked along with the wallet. Exactly how do you change your password then if your list of passwords has been nicked? Especially if you have to change it before the thief looks at the contents of the wallet and logs on to your bank - I can imagine your bank's response when they find out you kept your password with your bank card!
If, indeed, it was gained through a phishing attack, there is also a possible correlation between people who use weak passwords and those who fall for phishing attacks to be controlled for. In other words, there is probably a higher percentage of weak passwords in this list than there would be in the general population of Hotmail users.
Assuming that not all of the passwords were checked before being posted, what makes anyone think that they are real? I've given fake information to phishers for a lark myself.
Hi. My name is Ima Lamer. My email is abuse@yourregistrar.com. My password is eatshitanddieyoulamer. &etc.
...that says, 'See if any of your friends are already on here/using XYZ by giving us your hotmail/gmail/etc login details to check.
Seriously, who in their right mind trusts any site with such details? If someone really wants to find this out so badly, they should type them out one by one or, if skilled enough, write a program to do this for them. But anyone skilled enough to do that would probably be clever enough to realise what a waste of time and effort it would all be anyway.
Thing is, these sorts of requests for login details are two a penny on almost every social networking or general time-consuming site that's out there, and for the general population, having this sort of social site currency is so important that they must take the risk any time they see such a form. :(
I've been writing down my passwords for years, but only in coded form. Just a hint to remind me which of the 5 or so passwords I use for the 20+ accounts I need to remember, never the full password. Not ideal, but the information is no use to anyone if stolen, and is a manageable number that my brain can cope with.
Putting full passwords in your wallet isn't clever. That's traditionally something that is more likely to get stolen from you than anything else!
I generally use passwords on multiple sites because otherwise I'd have no way of remembering them.
BUT
I take precautions such that general purpose websites have one password, email has another and banking/paypal/etc have completely independent ones.
So I only have to remember half a dozen passwords for every site I've ever signed up to; and I maintain degrees of separation from important info!
I've kept my hotmail account for many years, mostly for endeavors I think are likely to promulgate my address. But I never use the web to check it and I'm not happy to be lumped into a phishing victim category!! My login was compromised (I have seen the bogus emails sent) and they got that information some other way. Not to mention that a message from the service provider would have been a better way to find out about it than complaints and failures from my 7-year-old online contact list.
My partner's employer insists that laptops do not belong to particular members of staff, but can be used interchangeably by anybody, and therefore the password MUST be "password".
Seriously - hence the AC. Any advice on shifting this degree of stupidity would be appreciated.
"My Hotmail account password is as weak as hell and I don't give a shit. Do you know why? It's because it's just a fucking hotmail account. Not the keys to my front door."
Well, if you say so swearing person.
Others may beg to differ and keep rather more info in it than spam and, in your case, e-mails probably containing naughty words. That you don't is neither here nor there. Not everyone is obviously as brilliant as you. Well done and keep it up.
I exercise extreme caution when choosing and using passwords.
Right now, my current password for some of my accounts is 123456querty
I find this particular mixture of numbers and letters would thwart most hackers.
You'll see I've used the most popular password, but with a bit of a cunning plan, I bolted some letters onto the end. You just have to know how to play them at their own game really, it's that simple.
I may switch to using my current postcode - SW183QX, that's a good one, or my mobile number, 07831243321 - they'd never get that. I suppose using parts of my name, Matt Finley Dawson, could work fine too. Or maybe my bank account number? - 894341243
It surprises me how silly people can be with this kind of sensitive data.
How 'bout we recognize that passwords alone are the equivalent of just weak padlocks and it doesn't matter how fancy you make them today?
What will be truly great is once one of these major sites has its password database stolen, and a massive rainbow table attack is run against it using distributed computing (think: zombie network).
Most stuff online just needs a really simple, weak password to keep the honest folks out. Keep the more complex ones for where you actually need high security.
Anything needing truly high security needs systems better than passwords. Tokens, password-protected keys, or the ability to authenticate transactions by out-of-bandwidth means -- i.e. you do an online banking transaction, your cell phone gets an SMS with an authorization code you then type into the website to authenticate the transaction.
My wife had her hotmail account hacked NOT through a phishing scam but by someone inside a UK based E-commerce site.
She ordered t-shirts printed for her mates' "hen do" from the cheapest online t-shirt place. A week after receiving the shirts in good order, suddenly she was sending all of her contacts e-mails saying how great and cheap the t-shirt printers were. Only she hadn't sent any of them.
It was obvious that she had her account used to push out spam for the company she ordered with. She had used the same password for the e-commerce site as for her email, which she obviously entered into the site as well.
So, I think it is very possible that these are not specifically people falling for a dedicated phishing ring but frighteningly by apparently genuine businesses. I only hope to god that we don't get a credit card bill through for lots more t-shirts.
I always try and make my passwords adhere to the three out of four requirements - where the four are upper case, lower case, numbers, symbols, but it isn't helped when some companies, e.g. Blizzard, don't allow most symbols, and don't distinguish between upper and lower case.
It's not just the users; sometimes the hosts make it hard to get secure passwords.
Thanks to Anomalous Cowherd for advice on how to get the sack, but I am already helping another friend with this kind of situation.
The employer in question is in the public sector and any "sensitive data" would harm innocent people.
I was looking for a guide to computer security aimed at a level of computer illiteracy that is probably beyond the comprehension of any El Reg reader - maybe I should ask Sun readers for their advice instead.
Some people simply CAN'T be educated, no matter what you do.
Personally I memorise just two complex passwords. One is my bank account. The other is the encrypted section of my 'pooter. All the others (along with my documents etc.) are stored there. Exactly where I will need them.
If anyone can get at those then I need to have words with a certain Mr Zimmermann!
P.S.
Yes I do keep an identically encrypted backup 'off-site'.
Keyboard patterns work well. Like 1793zqpm, which is the four corners of the number pad and the four corners of the alphabet keyboard. They are easy to remember. There is no particular pattern from a computational standpoint.
But then, I'm dirt poor and my life doesn't amount to much so no one really cares a hoot about me anyways. I'm really just not significant enough to be hacked.
I have to agree with comments posted about lots of places not allowing decent secure passwords with special chars.
I currently work for a major oil company, who have recently rolled out a special password system. It basically synchronises all your different passwords so they are the same, and because of the limitations of one of the legacy systems it can't allow more than 8 digits or any special chars etc. We are limited to an 8 char alphanumeric. It HAS to be 8 chars long (ok I guess it stops you having a silly short password).
To make matters worse there is now an option to reset your password on the login screen, where all you have to answer are 4 pre-defined questions, 'mother's maiden name' etc.
Some systems I've used insist that you can't have a numerical for the first digit (making even less brute force required).
It's sad that many banking sites etc are also limited by this kind of short-sightedness when it comes to programming their security.
Some of us actually want to try to use secure passwords, but often I find that I have a great system for remembering a complex password only to be told my password isn't acceptable. I'm then forced to invent a new system of remembering the password which I then completely forget!
Why are people so derisive of people who use easy to crack passwords?
You can't blame them in my view.
The internet needs a single, standard password system.
At the moment we have:
• non-case sensitive
• case sensitive
• minimum of 5 characters
• minimum of 6 characters
• maximum of 9 characters
• must include 1 number
• must include 2 numbers
• numeric only
• letters only
• pre-determined numbers for banking
I have 4 related passwords for whichever type of password the site requires from the list above. It's the only way it's possible to remember.
The problem is that we've been told never to write them down, but it's impossible to remember 30 sites that require passwords other than keep the same, or similar ones for each site. And unless they are easy to remember, you've no chance.
Well, you'd reset them the same way you reset forgotten passwords now, I suppose?
Although it is sure true that the bank would love to hear that you kept the bank/credit cards together with the written passwords...
A system that works well for me is using the first (or second, or third, etc) letters of each word from part of a song/book passage/poem/motto/whatever, substituting some character for others (e.g. 3 for an e, 1 for either i or L or even the whole word "one", etc.). That way you end up with something that "looks random", but that has meaning to you. Then your password reminder could be something like "Douglas Adams" or "SRV", and good luck to anyone who'd try to guess which part from which book/song (and using which scheme) you are using there.
WWPD?
I work at a US government agency that insisted on requiring highly secure passwords for foreign companies to register with them. Many of these are non-English speaking; the information is almost all publicly available to start with (Company name, address, phone, etc.); and then they are required to change the PW every 90 days, even though most of them will probably only log into the account once every few years when an item of the above info changes (new phone, new company HQ, etc.).
"..it still amazes me the number of organisations, including banks, that won't let me use non-alphanumeric characters in my password i.e. !"£$%^&*() etc."
Absolutely agree.
I can easily remember my passwords (and I never use the same one twice) if I'm allowed to choose something that has significance to me for that particular site. However, where I can't remember passwords is when I have been forced by some web site's IT f*cktard to limit my password in all sorts of bizarre ways.
No you can't use that symbol.
Nope, you can't use that symbol either.
Nor that one.
In fact we won't let you use any symbol at all except dot.
No you can't insert a space in the password.
No you can't start the password with a number.
That password is too long. Restrict it to between 6 and 8 characters.
etc. etc.
It's damned irritating.
"What are the scammers going to do with the hotmail login details for 10,000 lager louts and dole dossers?
"Yeah there's BIG MONEY to be had pillaging their overdrawn bank accounts."
If you can just withdraw 1p from each account... £100 easy. Want more money? Increase the number of lusers...
DISCLAIMER: I do not advocate this, but "know your enemy, know yourself..."
Personally I don't mind weak password requirements. It takes the bull’s-eye off of those like me who care to secure their stuff.
Also, for those admins who like to REQUIRE that passwords use 8+, symbols, uppercase, etc. you are actually limiting the brute force possibilities. It is even worse when you say that the first and last cannot be a number, symbol or uppercase. To a skiddie, this means it must be lower case.
Statistically the best password is a random one, though this will result in it being placed on a post-it on the bottom of the user’s keyboard. I prefer pass phrases myself, though I've been known to use a weak password for expectedly insecure sites like the reg.
The news doesn't tell how many of the email addresses have been abandoned by their owners. It is also possible that the weak email password is intentionally set because that email address is a dummy email address - usually given away to websites which ask for registration. I am actually more interested to know how many owners would report that their email had been phished.
All that really goes to show is that people with weak passwords tend to fall for phishing scams. Still, given the choice between dancing pigs and security ..... If you want to do an experiment, stick up a form with a couple of boxes for "login" and "password" on your own web site, and something like the following:
<?php
// Log whatever was typed into the "login" and "pass" boxes, together with the client IP.
if (($login = $_REQUEST["login"]) && ($pass = $_REQUEST["pass"])) {
    $ip  = $_SERVER["REMOTE_ADDR"];
    $dbh = mysqli_connect("localhost", "root", "", "stuff");
    // Bind the submitted values rather than splicing them into the SQL; the date column is filled by NOW().
    $stmt = mysqli_prepare($dbh, "INSERT INTO lusers(login, pass, date, ip) VALUES (?, ?, NOW(), ?)");
    mysqli_stmt_bind_param($stmt, "sss", $login, $pass, $ip);
    mysqli_stmt_execute($stmt);
}
?>
You'll be amazed what sort of things you will find in there.
(And no, using root and no password *isn't* insecure. If you're on a shared web host, you can easily get hold of every other user's database username and password. The apache daemon -- as which user all scripts run -- needs to be able to read every user's scripts.)
At a charter grammar school where I was a system admin for a few months (almost lost my mind due to the stupidity) 95% of employees' passwords were 12345...
I'm not talking worthless general student use accounts, I'm talking the school's administration, principal and almost every teacher (4 non-IT users didn't use 12345 and one had the ultra secure 54321...). Some of these accounts stored extremely sensitive data like CC numbers parents used to buy uniforms, grades, Social Security #'s for staff and students, PAYROLL, access to the rest of the school district, and much more. And no matter what my boss or I said they refused to change their passwords and would bitch us out about security. We were actually ordered to set the firewall's password to 12345 along with the VNC connection's password or we would be fired.
My boss and I quit 2 weeks later...
In Voyager there was never a problem with passwords so it must be a phase we are going through.
A spoken password "Janeway Alpha Omega 1642" seemed to do the trick. So Voice recognition control from the Clouds will be the answer.
So the Pleb equivalent will be. " 123456789 men and his dog went to mow a meadow"
Simples!
Easy, use a foreign mapped keyboard (languages with lots of accentuated chars are top notch). The password is still easy to remember when punched on a UK keyboard but complete gibberish when actual
Things get tricky when switching between OSes but that is not too much of a concern if you are not.
Go figure +ěščřžýáíé = 1234567890 on a Czech keyboard
Just use a 'password algorithm', or a way that from just looking at the site you can come up with a unique password for that site. It's not as hard as it sounds.
Pick a simple algorithm to get part of the password. It could be the last 5 chars of the website name, or the 2nd, 3rd, 4th character, first or second word, or something that is obvious about the site, and add in something that you always use, like your work postcode, or the first part of your phone number. And voilà, a unique password per site. (egsw2yreg6qd startpostcode - site - endpostcode)
Yes people can figure it out if they collect a couple of your passwords, but if people are targeting you specifically (instead of a hack or whatever) you'll be stuffed anyway...
You should see the restrictions Barclays put on their online system before introducing their annoying pin-sentry thing...
Length 6-8 characters
No numerics
No repeated characters
Case ignored.
Personally my big worry is social networking sites. You know the main one I mean, the one that offers to add all your messenger friends by taking your messenger username and password when you sign up... I declined their kind offer, but given the number of people who turn up on my friends suggestions, many of my messenger contacts jump at the chance.
My password notebook contains 74 assorted gobbledygooks. When the house is empty I have my fears.
But there is a more serious response that has to be aired. The BBC TV, all unctuous clever clogs, when they reported this, concluded with the advice that if you are invited to give your secrets and you suspect that it is crooked then don't comply.
A lot of the info in the article is skewed because these were people who were dumb enough to be phished, but there is also the point that the hotmail accounts could be throwaway accounts anyway. I go for very secure passwords for the few sites that matter (financial, web admin and useful email passwords) and for almost everything else, one pass. I mean, do you really care if someone hacks your account on a forum you posted three things on two years ago?
and one password maker to bind them.
It was mentioned in a previous article's comments but passwordmaker.org seems to be the answer.
Currently changing my passwords to match but only have to remember one password! Plus it's never stored on the computer. Pretty neat. Go read all about it.
www.passwordmaker.org it's free and open source.
@Sir Runcible:
Sadly yes. And you missed a 0 :p
Knight: Oh, a tundred! Sever one!
Tundred: Oh!
Knight: Sever two!
Princess: Free!
Latex markup source with spaces stripped out tends to generate rather nice passwords as do memorable locations as latitude/longitude, or think of a word and use the keys 1 place diagonally up from it - hello becomes y3oo9.
Seemingly along with many others, what really annoys me is not so much the variety of password schemes, it's the forbidden characters from the "I don't know how properly to sanitise inputs" school of programming that mean you have to come up with alternatives to compensate - it's those ones I tend to forget. *sigh*
So we are basing our research into passwords on people daft enough to respond to phishing attacks now?
In the old days DEC had a secure service to harvest passwords without the other ID material and collect them centrally for analysis. Now that was sensible. Making assumptions based on data from dickheads is .. err.. dickheaded.
Dick.. Head.. Paris?
Is it possible that the laptops are only meant to be used to connect to other, more secure systems, using Citrix or other remote access techniques? Perhaps no data is meant to be stored on them?
As to these weak passwords that were leaked, a proportion are certainly going to be bogus. (What, you mean you /don't/ give an invalid password or type in an incorrect PIN when using a machine or web site that you're slightly skeptical of? Didn't we have a similar discussion recently about how to verify your bank when it phones you up?)
> I use ****** myself, at least I can still read that when I type it in.
I did that once, too, for some crappy account that I wasn't too bothered about. Many moons later, I wanted to log in and couldn't remember my credentials so I asked for the password to be emailed to me (yeah, there's a secure system!). I was fuming when the password was obscured in that email... until I (much later) remembered that that _was_ the password. Doh.
Sites that demand a pw with mixed case, plus numbers at least 10 characters long etc are actually going to be LESS secure. You know why? Because most people use a few passwords they can remember. Something so convoluted isn't going to be remembered, so they WRITE IT DOWN. Immediate security risk.
Whilst I don't endorse 123456 and so on, forcing complex passwords isn't the way to go either. You need to take into account the number of accounts people have these days, plus the "human" factor.
You imply that all-lower case letter-only passwords are inherently bad. That's one of my pet peeves in the security area: This is NOT true. I would really like it if all my lusers were using passwords like "i am an ancient deity and you should do whatever i want or else" instead of "Passw0rd!" (the latter, obviously very weak, will pass most automated checks nowadays, while the former will probably fail, despite being much, much stronger in my opinion). I met a few admins who would *demand* at least 1 upper case, one lower case, and one numeric character as well as a punctuation mark. While, wait for it, making it mandatory to keep the password between 6 and 8 characters in length (my ISP is a good example. Clueless morons. My former bank is fighting for the title, too, but they are still behind as they allow "up to" 10 chars). Anyone with access to decent computing power will crack any of those "strong" 6-to-8 character passwords in minutes. Especially when the username is your bloody email address (also mandatory with some of the aforementioned institutions).
Also, if you want to avoid phishers, checking the URL might be a good thing (TM). The oft-predicted breakdown of the DNS system might be an improvement: (I would say "after all", but I always viewed the DNS thingy as an unnecessary hack open to abuse in the first place. If you can remember a phone number, you can remember an IP address). As a nice side-effect, typing IPs in would make domain-squatting useless.
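The search-space effect that this post and the earlier one about admins who REQUIRE "8+, symbols, uppercase" both describe, worked through as an added example (not any commenter's code): it counts how many passwords each policy actually admits, using inclusion-exclusion for the must-include-a-class rules, and compares them with the post's all-lower-case sentence. The 2000-word vocabulary used for the passphrase estimate is an assumption.

```python
"""Search-space arithmetic for the password policies argued about in this thread.

Added example, not from any commenter. The word-list size used for the
passphrase estimate is an assumption, labelled below.
"""
import math
import string
from itertools import combinations

# Sizes of the four character classes a "three out of four" style policy talks about.
CLASS_SIZE = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32 printable ASCII symbols
}


def count_with_required_classes(required, length, extra_alphabet=0):
    """Strings of `length` over the union of the `required` classes (plus
    `extra_alphabet` other permitted characters) that contain at least one
    character from *every* required class. Inclusion-exclusion over the
    set of classes that are missing."""
    sizes = [CLASS_SIZE[c] for c in required]
    alphabet = sum(sizes) + extra_alphabet
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(range(len(sizes)), k):
            reduced = alphabet - sum(sizes[i] for i in missing)
            total += (-1) ** k * reduced ** length
    return total


def policy_keyspace(min_len, max_len, required, extra_alphabet=0):
    """Total number of passwords a min/max-length, must-include-classes policy admits."""
    return sum(count_with_required_classes(required, n, extra_alphabet)
               for n in range(min_len, max_len + 1))


def first_char_lowercase_keyspace(length):
    """The four-class policy at a fixed length, but with the first character
    forced to be a lower-case letter (the "first cannot be a number, symbol
    or uppercase" rule). The first position then already satisfies the
    lower-case requirement; the remaining positions must cover the rest."""
    return 26 * count_with_required_classes(["upper", "digit", "symbol"],
                                            length - 1, extra_alphabet=26)


def passphrase_bits(n_words, vocabulary):
    """Entropy of an n-word passphrase if each word is drawn uniformly from a
    vocabulary of the given size (the vocabulary size is an assumption)."""
    return n_words * math.log2(vocabulary)


def bits(n):
    return math.log2(n)


def compare():
    all_four = ["lower", "upper", "digit", "symbol"]
    return {
        # "6 to 8 characters, one of each class", as the ISP and bank in the post demand
        "6-8 chars, all four classes": bits(policy_keyspace(6, 8, all_four)),
        "8 chars, any of 94 printable": bits(94 ** 8),
        "8 chars, all four classes": bits(count_with_required_classes(all_four, 8)),
        "8 chars, four classes, lower first": bits(first_char_lowercase_keyspace(8)),
        "8 chars, lower-case only": bits(26 ** 8),
        # the 15-word all-lower-case sentence from the post; 2000-word vocabulary assumed
        "15 common words, lower-case": passphrase_bits(15, 2000),
    }


if __name__ == "__main__":
    for name, b in compare().items():
        print(f"{name:38s} {b:6.1f} bits")
```

The composition rules shave bits off the 8-character space rather than adding them, and the fixed-first-character rule removes more; the plain-word sentence is far ahead of any of them.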
That advert was probably the most inventive advert ever thought up - absolute genius!!
For those of you who can't remember it... It showed this story in a ye olde fantasy setting. There was a guy who went off to save a princess but came across a monster whose heads he had to chop off.
'Twas clever because the telephone number was made up of the scenes; they did a quick recap at the end. I can even remember the phone number to this day because of this clever manipulation of words (a clever thing you can do by associating memory with weird objects or scenes; memory experts recommend doing this when you want to remember something)... Here's the recap at the end of the advert...
"Oh, a tundred!" Said the guy...
"Sever one" said the guy as he chopped off one of the monsters heads. "Oh" said the monster, "Sever two"...
"Free!" (said the damsel in distress)
If you read the bits in quotes you'll get the phone number.... Gettit!?
The second step in Facebook's sign up process is the 'friend finder' option where the user is invited to submit his/her Gmail / Yahoo / Hotmail login details so that some script can send automated emails to the contact list.
Ironically, point 4.6 of Facebook terms states: You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.
The problem with this (apart from the risk of some dodgy engineer skimming off this info) is that it makes it seem OK to share webmail login details. If I were a phishin' cyber criminal I'd set up a social network just for that purpose!
I've blogged about this here if anyone is interested: http://www.architxt.net/blog/is-facebook-helping-phishers-hack-email-accounts
Rather than using the same password for all my accounts, which isn't particularly secure, I've come up with a single formula that returns different passwords for each.
For example, a password for this site could be (but isn't):
The first 3 letters of my email address / username + the year I was born but using '!' instead of the last '1' + the first and last letter of the site's domain name + the number of characters of the site's domain name.
In this case: law!97!tr3
If this isn't clear I've explained it in my blog: http://www.architxt.net/blog/miscellaneous/remembering-password/
itfitzme: Oh please. Any decent password dictionary has loads of common "patterns" in them. After a quick search for 10 patterns I found the following 6 in a dictionary file I have:
aqz]'/,
edcedcedc
qpzm7913
qazxcdewq
cde345tgb
zcbm.13
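A pattern check of the kind this reply implies a password filter should run, as an added example (not any commenter's code): it maps a US QWERTY layout to key coordinates, scores how much of a candidate is a continuous keyboard walk, and spots block repetition such as edcedcedc. The layout offsets and the 0.75 walk threshold are chosen values; the sample set is constructed from the entries quoted above plus the earlier "four corners" example.

```python
"""Flag candidate passwords that are keyboard walks or repeated blocks.

Added example, not from any commenter. US QWERTY layout and thresholds are
assumptions made for the demonstration.
"""

# Physical rows of a US QWERTY keyboard, top to bottom, each with its horizontal
# offset (in key widths) relative to the number row so diagonal neighbours line up.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
ROW_OFFSET = [0.0, 0.5, 0.75, 1.25]

# Map each unshifted key to a (row, x) coordinate.
KEY_POS = {}
for r, row in enumerate(ROWS):
    for c, ch in enumerate(row):
        KEY_POS[ch] = (r, c + ROW_OFFSET[r])


def adjacent(a, b):
    """True if keys a and b are the same key or physically touch (diagonals included)."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, xa), (rb, xb) = KEY_POS[a], KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(xa - xb) <= 1.0


def walk_fraction(password):
    """Fraction of consecutive character pairs that are adjacent keys.
    1.0 means the whole password is one continuous walk across the board."""
    p = password.lower()  # shift state does not move the finger
    if len(p) < 2:
        return 0.0
    steps = list(zip(p, p[1:]))
    return sum(adjacent(a, b) for a, b in steps) / len(steps)


def repeated_block(password):
    """Return the shortest block whose repetition makes up the whole password
    (edcedcedc -> 'edc'), or None when there is no such repetition."""
    n = len(password)
    shift = (password + password).find(password, 1)
    return password[:shift] if 0 < shift < n else None


def weaknesses(password, walk_threshold=0.75):
    """Names of the pattern checks a candidate password fails."""
    flags = []
    if walk_fraction(password) >= walk_threshold:
        flags.append("keyboard walk")
    if repeated_block(password) is not None:
        flags.append("repeated block")
    return flags


# Constructed sample set: dictionary entries quoted in the reply, the "four
# corners" pattern from earlier in the thread, and one random-looking control.
SAMPLES = ["qazxcdewq", "cde345tgb", "edcedcedc", "qpzm7913", "1793zqpm", "r7Kd#wq2Lp"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:12s} walk={walk_fraction(pw):.2f} flags={weaknesses(pw)}")
```

The adjacency score catches the walks but not the "four corners" pattern, which is exactly why a dictionary of known patterns is still needed alongside structural checks.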