In case you missed it, social media site Gawker, along with its affiliates Gizmodo, Lifehacker, and Jezebel, was recently the victim of a security breach. Sometime over the past month, a hacking group by the name of Gnosis broke into Gawker and, over the weekend, stole the email address and password information for 1.3 million Gawker users. Although most of the passwords were encrypted, nearly 200,000 registered commenter accounts were cracked. The usernames and passwords were made available on some BitTorrent sites.
The move prompted some other services like LinkedIn to force their users to reset their credentials, since many users reuse the same password across multiple sites. The idea is that if a user had their email address and password compromised at one site (e.g., username = firstname.lastname@example.org, password = 123456), then perhaps that same username and password combination will work at LinkedIn. Or, in this case, maybe it also works at Hotmail. Thus, insecurity at one site has led to compromise at another site, even if the other site has good security and is resistant to hacking. The user is the weakest point in the security chain, as is usually the case.
The Wall Street Journal, in a blog post this past Monday, published the list of the most frequently found passwords in the Gawker media list. Of the 188,279 decrypted passwords, “123456” was the most common password, “password” was number two, and “12345678” was number three. Looking at the graph on that blog page, the top 5 most common passwords account for approximately 5% of the decrypted passwords. That’s quite a bit. Given how common these username/password combinations are, you could probably surmise that 5% of the entire population uses these passwords. Given the recent barrage of Twitter spam, one theory floating about is that the people who used the same usernames and passwords at Gawker saw their credentials stolen and used to send spam through their Twitter accounts (never mind the fact that Twitter spam attacks already happen with great regularity).
PCWorld then posted an editorial about what these passwords should teach us about security:
1. Don’t use personal information like your own name, birth date, or favorite sports team.
2. Don’t use any keyboard sequence such as "123456", "qwerty", or "asdfgh".
3. Don’t use any word that can actually be found in a dictionary.
4. Don’t try to be tricky and use a dictionary word with an obvious character substitution, like "passw0rd" instead of "password". That just means it will take 47 seconds to guess or crack your password instead of five.
5. Do use mixed character types including upper and lower case letters, numbers, and special characters like exclamation points and asterisks.
6. Do use passphrases that make it easier for you to remember complex passwords. Instead of "password", you could use "It is a pain in the ass to come up with secure passwords" but turn it into a passphrase following rule #5. Take the first letter from each word and mix it up to get "iiapit@2cuwSP".
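To show what rules 1 through 5 look like when a site actually enforces them at registration, and to reproduce the "top 5 cover about 5%" style of measurement from the leaked list, here is an added example; it is not code from PC World, the Wall Street Journal, or this blog. The word lists and the leaked-password sample are constructed stand-ins, and the `personal_info` parameter is an assumption about what a site would have on file.

```python
import re
from collections import Counter

# Constructed blocklist; the first three are the Gawker top three named in the post.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Tiny stand-in dictionary; a real check would load a full word list.
DICTIONARY = {"password", "monkey", "dragon", "football", "welcome"}
# Undo the obvious substitutions rule 4 warns about (0->o, 1->l, 3->e, 4/@->a, $->s, !->i).
LEET = str.maketrans("0134@$!", "oleaasi")
# Constructed sample of a "leaked" list: 20 accounts, two passwords repeated.
SAMPLE_LEAK = ["123456"] * 3 + ["password"] * 2 + [f"unique{i}" for i in range(15)]

def normalize(pw):
    """Lower-case and reverse leet substitutions so 'passw0rd' compares as 'password'."""
    return pw.lower().translate(LEET)

def is_keyboard_sequence(pw, min_len=4):
    """Rule 2: any run of min_len adjacent keys (forwards or backwards) in the password."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seq = row[i:i + min_len]
            if seq in p or seq[::-1] in p:
                return True
    return False

def weak_password_reasons(pw, personal_info=()):
    """Return the list of rules (1-5) the candidate password violates; empty means it passes."""
    reasons, n = [], normalize(pw)
    if n in COMMON_PASSWORDS:
        reasons.append("common leaked password")
    if any(normalize(x) in n for x in personal_info if x):      # rule 1
        reasons.append("contains personal information")
    if is_keyboard_sequence(pw):                                 # rule 2
        reasons.append("keyboard sequence")
    if n in DICTIONARY:                                          # rules 3 and 4
        reasons.append("dictionary word (after undoing substitutions)")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")       # rule 5
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        reasons.append("fewer than three character classes")
    return reasons

def top_n_coverage(passwords, n=5):
    """Share of accounts in a leaked list covered by its n most frequent passwords."""
    counts = Counter(passwords)
    return sum(c for _, c in counts.most_common(n)) / len(passwords)
```

Running `weak_password_reasons("passw0rd")` flags the common-password, dictionary, and character-class rules at once, while the post's own "iiapit@2cuwSP" passes cleanly.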
There are a couple of data points here that I’d like to examine.
- Many users are very blasé about their passwords on Gawker and social media sites, but does that mean that they are blasé about everything?
The above advice presumes that password reuse is rampant amongst users, but how rampant is it? Will a user use the same password for their Hotmail account or Gawker account that they would use to log in to their bank? Obviously, some will. But how many actually do? Personally, if my username was compromised at Gawker, I wouldn’t care that much. The cost to me of losing it isn’t all that high. But if I were to lose it for my trading account or bank, that’s a lot worse. The potential cost to me is very high (a hacker might buy shares in a company whose stock price hasn’t moved in 8 years). Ergo, I will consciously use different, more secure passwords for high value sites than for low value sites.
I realize that as a security professional I might be the exception to the rule. But am I really? I don’t think we know enough about users’ online habits to make a judgment one way or the other. To be sure, some users do reuse passwords (I do, too). But to what extent do they do this?
- Password advice still is not very realistic.
The advice from the PC World editorial is pretty much the same advice that I have been criticizing on this blog. The advice is to make your passwords difficult to remember. This advice ignores the human element: we are not biologically programmed to remember so many random things, especially for sites we do not log in to very often (or use that often). Therefore, we use heuristic shortcuts.
The advice in the column is to use a secure passphrase and use a shortcut to remember it, such as the first letter of each word. But how many passphrases should we have? A different one for each site? Or a couple? Some of us have logins to 20 or more sites (this is pretty easy to do; I probably have 30-40, perhaps as many as 100 over my Internet lifetime). There is no way I can remember that many different passphrases and letter case combinations. I think that the computer security industry, if it is going to continue to dole out this advice, needs to get together with the psychology profession and read up a bit on how people learn and how memory works: human memory, not the digital kind.
- Publishing what these leaked passwords are is helping to arm others.
If you were a script kiddie and didn’t have many skillz, you would now have some knowledge with which to go after the rest of the Internet. By going to the article above that I referenced, which contains the most commonly used passwords, you now know the most common ones that are likely to work anywhere on the Internet. And you didn’t have to hack your way into anything; you just went to PC World and read the article (or to somebody with a blog who pointed you to it).
Seriously though, social engineering makes it a lot easier to get the things you are trying to get. Even if we are alerting people to the problem, do we as security professionals have a responsibility not to publish security vulnerabilities like this? Are we doing the cyber equivalent of shouting from the rooftops, “Hey, hackers! Take a look at all these insecure passwords that people are using! Can you believe how silly people are? Oh, yeah, don’t use them!” We may be berating users for using insecure passwords, but at the same time we are not exactly being realistic, because it is more likely that hackers will use the information for nefarious purposes long before users change their online behavior.
That’s how I see it.