Most users tend to select simple or common passwords or leave the default passwords of hardware and software they purchase unchanged, security vendor Imperva found after analyzing 32 million user names and passwords exposed when a database at social networking advertising network firm Rockyou.com was breached in December.
However, users are not solely to blame; many companies that collect user information such as names and passwords also don’t store the data securely. In Rockyou.com’s case, the data was stored in clear text, which would let any thief use it immediately.
How can individuals and corporations increase password security to at least minimize the danger when PCs are hacked into or databases are breached?
What Imperva Found
Generally, users are pretty poor at selecting passwords, Imperva discovered when analyzing the Rockyou.com breach. About 60 percent of the 32 million users affected chose their passwords from a limited set of alphanumeric characters.
Nearly half of them used names, slang words, dictionary words, or what Imperva called “trivial” passwords such as consecutive digits — 123456, for example — and adjacent keyboard keys such as “QWERTY.”
About 30 percent used passwords that had six or fewer characters.
The most common password among Rockyou.com users was “123456.” This happens to be the default setting for many computer hardware and software vendors and for some routers, and most of the manuals for these tell the user to change that password.
Imperva identified the 20 most common passwords in its report. The top five are “123456,” “12345,” “123456789,” “Password” and “iloveyou.”
Why didn’t the users change their passwords or get secure ones? Sometimes it has to do with age. “A lot of Rockyou.com’s users are young,” Imperva spokesperson Rob Rachwald explained. Or it could be that they can’t remember more complex passwords, he said.
There’s another dimension to password security: Hackers have become much more sophisticated in their attacks, so they can now crack thousands of passwords at once where previously they had to crack them one at a time, Rachwald pointed out. So while relatively weak passwords gave some measure of protection in the past because the probability of any one individual being attacked was small, they are even less adequate now.
“There’s software that automates hacking, and there are brute force dictionary attacks, so if you’re using common nouns or words or common letter and number sequences, you’re opening yourself up to hackers. It’s very possible, in the case of Rockyou, that a hacker using a basic dictionary and basic automated hacking tools could break into one account every second.”
Creating Strong Passwords
Imperva recommends users select a mix of four different types of characters — upper and lower case letters, numbers and special characters such as “!,” “@,” and “&” — when they create passwords. If only one letter or special character is used, it should not begin or end the password.
The National Aeronautics and Space Administration (NASA)’s guidelines suggest passwords should be at least 12 characters long and contain at least three of the four different types of characters. They must not have repeating or consecutive sequences of characters.
The guidelines also say passwords should not contain personal information about the user such as the user’s name or user ID; must not be the same as previous passwords; and must not employ words in any language even with numerals used to replace letters. For example, a word like “eleph23nt” would be discouraged.
Imperva recommends that passwords should not be slang words and that they do not include any part of a user’s name or e-mail address. Users should employ different passwords for different Web sites.
One way to make up a strong password is to follow security consultant Bruce Schneier’s recommendation to take a sentence and turn it into a password by stringing together the first letters of every word in the sentence, Imperva said.
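As an added illustration, not code from Imperva, NASA or TechNewsWorld, the Python checker below applies the rules listed above (length, character types, repeating or consecutive sequences and adjacent keyboard keys, common passwords, dictionary words even with numerals swapped in, and personal information) and builds a password from a sentence the way Schneier suggests. The word list, common-password set and sample sentence are constructed for the example and stand in for the far larger dictionaries a real checker would load.

```python
# Constructed stand-ins for the large dictionaries a real checker would load;
# COMMON includes the five most frequent Rockyou.com passwords named above.
COMMON = {"123456", "12345", "123456789", "password", "iloveyou", "qwerty"}
WORDS = {"password", "elephant", "love", "dragon", "monkey", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Reverse the usual digit/symbol-for-letter substitutions (e.g. "3l3ph4nt").
UNLEET = str.maketrans("013457@$!", "oleastasi")

def has_sequence(pw: str, run: int = 3) -> bool:
    """`run` identical chars, a code-point run ('abc', '321') or adjacent keys ('qwe')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def contains_word(pw: str) -> bool:
    """Dictionary word present, even after numerals have replaced letters."""
    for candidate in (pw.lower(), pw.lower().translate(UNLEET)):
        if any(w in "".join(c for c in candidate if c.isalpha()) for w in WORDS):
            return True
    return False

def check_password(pw: str, personal=()) -> list:
    """Return the NASA/Imperva rules from the article that pw violates."""
    kinds = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    rules = (
        (len(pw) < 12, "shorter than 12 characters"),
        (sum(any(k(c) for c in pw) for k in kinds) < 3,
         "fewer than 3 of the 4 character types"),
        (has_sequence(pw), "repeating or consecutive sequence"),
        (pw.lower() in COMMON or contains_word(pw),
         "common password or dictionary word"),
        (any(p.lower() in pw.lower() for p in personal if p),
         "contains personal information (name, user ID, e-mail)"),
    )
    return [msg for bad, msg in rules if bad]

def sentence_to_password(sentence: str) -> str:
    """Schneier's trick: first character of every word; trailing punctuation
    is kept so the result also contains special characters."""
    out = []
    for word in sentence.split():
        out.append(word[0] + (word[-1] if not word[-1].isalnum() else ""))
    return "".join(out)
```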
Advice for Businesses
The Rockyou.com breach occurred because that company stored user names, passwords and third-party site logins in its database in plain text. In December, a hacker broke into the database using an SQL injection attack and stole the information. He then posted the data on his blog after Imperva posted a warning about the flaw and Rockyou.com downplayed the extent of the breach, according to ReadWriteWeb.
The hacker, who was identified only as “Tom,” said Rockyou.com’s database also included third-party site logins. Rockyou.com works with Facebook, MySpace, Hi5, Friendster, Orkut and other social networking sites.
SQL injection attacks are commonly used on social networking sites. They exploit user input that is not correctly filtered or escaped before it is embedded in SQL statements. With the rise of Web 2.0 and social networking, SQL injection vulnerabilities have become more common.
That’s because Web 2.0 has led to interactive Web sites, and these require users to create accounts and provide their information to the site, explained Wolfgang Kandek, chief technology officer at Qualys. This means companies have to share the responsibility for protecting passwords with users. Some companies such as Twitter already do, but more businesses should take action. “Twitter does an excellent job in banning the 500 most common passwords,” Rachwald said. “But there’s plenty of companies that don’t enforce strong passwords.”
While SQL injection attacks are common, businesses can protect against them in various ways, Qualys’ Kandek said. “Web application programmers should frequently check their code with Web application scanners, which can help find SQL injection vulnerabilities,” he pointed out. Other actions include using prepared SQL statements and using application firewalls, which can be programmed to look for or disallow suspicious patterns in input parameters.
Businesses should also be careful how they store data. “Passwords should never be stored in clear text on a database; they have to be stored in a hashed format,” Kandek said. “Storing passwords in clear text is a clear indication of a total lack of basic security techniques on the part of Rockyou.com’s engineering.”
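An added example, not Rockyou.com’s, Qualys’ or the article’s own code, of the two measures Kandek names: prepared statements with “?” placeholders instead of SQL assembled from user input, and salted PBKDF2 hashing so the database never holds a password in clear text. It uses only Python’s standard library with an in-memory SQLite table; the user names, passwords and the malformed probe input are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ROUNDS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster

def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the table stores this digest, never pw itself."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)

def create_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return db

def register(db, name: str, pw: str) -> None:
    salt = os.urandom(16)  # per-user salt: equal passwords still differ on disk
    # '?' placeholders: the driver passes the values as data, never as SQL text
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(pw, salt)))

def verify(db, name: str, pw: str) -> bool:
    row = db.execute("SELECT salt, digest FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    # constant-time comparison so timing does not reveal matching prefixes
    return hmac.compare_digest(hash_password(pw, salt), digest)

def lookup_unsafe(db, name: str) -> list:
    """The anti-pattern: input spliced into the statement, so a quote inside
    `name` changes what the query means (kept only for contrast)."""
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def lookup_safe(db, name: str) -> list:
    """Prepared statement: the same input is matched literally as a name."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = create_db()
    register(db, "alice", "MdRa2s,t1s,as!")   # constructed sample users
    register(db, "bob", "correct-Horse-battery-9")
    print(verify(db, "alice", "MdRa2s,t1s,as!"), verify(db, "bob", "123456"))
    probe = "x' OR 'a'='a"                     # constructed malformed input
    print(lookup_unsafe(db, probe))             # both rows: the quote broke out
    print(lookup_safe(db, probe))               # []: no user has that literal name
```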
Rockyou.com declined comment; Susan Yin from the company’s public relations agency Rogers and Cowan pointed TechNewsWorld to a statement on Rockyou.com’s Web site.
The breached database had been stored on a legacy platform dedicated for Rockyou.com’s use, and the platform was shut down immediately after the company learned of the breach, according to the statement. Rockyou.com says it is now encrypting all passwords, upgrading the legacy platform, reviewing its data security practices and cooperating with federal authorities to investigate the breach.