An excellent article on password protection and passwords can be found on CXO Magazine’s website.
Go over and look at their chart on passwords. Below, reprinted to complement that article, is a piece by our team’s Assistant Network Administrator, Dawn Babian.
Weak Passwords Still Being Used
A recent report released by security vendor Imperva, Inc., shows that most internet users still use short, weak passwords. These types of passwords make it easy for hackers to gain access to user accounts.
Imperva based its report on the 32 million passwords exposed during a recent database intrusion at RockYou Inc., developer of several popular Facebook applications. An extensive analysis of the passwords, which the company had stored in clear text, showed that approximately 30% of the passwords in the list were six characters or fewer, and 60% were built from a limited set of alphanumeric characters. Almost 50% of the accounts had passwords that were easy to guess, such as consecutive numbers, adjacent keyboard keys, or common words and phrases. The top five passwords used by RockYou users were “123456,” “12345,” “123456789,” “password,” and “iloveyou.”
Most of the top 5000 words in the hacked database are the same as those found in the password dictionaries that hackers use to brute-force their way into accounts. Amichai Shulman, Imperva’s chief technology officer, noted that an attacker using one of those dictionaries with an automated password-guessing tool would, on average, have been able to break into a RockYou account at a rate of roughly one per second.
The troubling aspect of this practice is that users don’t realize how they may be compromising their workplace systems, especially if they reuse the same password for all of their accounts. Password insecurity could have serious consequences for the enterprise.
NASA provides recommendations for strong password selection:
1. Passwords should contain at least eight characters.
2. Passwords should contain a mix of four different types of characters – uppercase and lowercase letters, numbers and special characters. The first and last characters should not be a special character if the password contains only one special character.
3. Passwords should not be a name, slang word, or any word in the dictionary. They should not contain any part of the user’s name or email address.
Recommendations for users: choose a strong password for every site where the privacy of the information matters; use a different password for every site, even those where privacy isn’t a concern; and never trust a third party with important passwords.
Recommendations for administrators: enforce a strong password policy; make sure passwords are never transmitted in clear text; make sure passwords are never stored in clear text; actively put obstacles in the way of a brute-force attacker, such as CAPTCHAs or computational challenges; create a password change policy; and encourage users to use passphrases instead of passwords.
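As an added example for the storage and brute-force points above (not code from the article), the following Python sketch keeps only a salted PBKDF2-HMAC-SHA256 hash per account, compares digests in constant time, and locks an account for a while after repeated failures, which is the kind of computational obstacle the recommendation has in mind. The in-memory `UserStore`, the iteration count, the lockout numbers and the sample account are choices made for this demo, not values from the article.

```python
import hashlib
import hmac
import os
import time

# Work factor and salt size chosen for this demo; raise the iteration count
# in production to whatever your login latency budget allows.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string never contains the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed dummy hash, verified for unknown usernames so that a login
# attempt costs the same time whether or not the account exists.
_DUMMY_HASH = hash_password("not-a-real-password")


class UserStore:
    """In-memory account table holding only password hashes (demo stand-in for a database)."""

    MAX_FAILURES = 5       # failed attempts before the account is locked
    LOCKOUT_SECONDS = 60   # how long the lock lasts

    def __init__(self, clock=time.monotonic):
        self._rows = {}
        self._clock = clock  # injectable so the lockout can be tested without sleeping

    def create(self, username: str, password: str) -> None:
        self._rows[username] = {
            "hash": hash_password(password),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'."""
        now = self._clock()
        row = self._rows.get(username)
        if row is None:
            verify_password(password, _DUMMY_HASH)  # same cost as a real check
            return "invalid"
        if now < row["locked_until"]:
            return "locked"
        if verify_password(password, row["hash"]):
            row["failures"] = 0
            return "ok"
        row["failures"] += 1
        if row["failures"] >= self.MAX_FAILURES:
            row["locked_until"] = now + self.LOCKOUT_SECONDS
            row["failures"] = 0
        return "invalid"


if __name__ == "__main__":
    store = UserStore()
    store.create("dawn", "Tr0ub4dor&3")   # constructed sample account
    print(store.login("dawn", "Tr0ub4dor&3"))   # ok
    print(store.login("dawn", "123456"))        # invalid
```

The stored record carries the algorithm name, iteration count and salt alongside the digest, so the work factor can be raised later and old records re-hashed on the user’s next successful login; the lockout counter is reset on success and after the lock expires.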