Blog Post

Weak Passwords Discovered in the 10,000 Disclosed Hotmail/Live.com/MSN leaked accounts

,

By now, hopefully everyone has heard of the security breach where accounts and passwords were found on a public site listed the account usernames and passwords of some 10,000 users. Initially it was just reported to be Hotmail/Live.com/MSN, but it turns out Yahoo!, Earthlink, GMail, and others were also affected. The attackers got at the information using phishing attacks, so it wasn't a breach of any of the sites themselves. Still, it meant someone was in possession of that account information, and that is in an issue for the folks affected. And since the list only had names starting with the letters A and B, there's surely a whole lot more than 10,000 affected.

Since the list was publically available, a security researcher was able to grab it before it was pulled offline. And what was found wasn't surprising, but it shows we still have a long way to go with respect to educating folks about online security. Here are some of the details the report contains:

  • The password "123456" was the most common, occuring 64 times.

  • Almost 2,000 of the 10,000 passwords were only 6 characters in length.

  • Most of the top 20 passwords were names (it happened that they were Spanish names, meaning the phishing attack likely targeted Spanish speaking-communities, but we can take from it that a lot of folks still use names as passwords.

  • Over 40% of the passwords only used lowercase characters.

  • 19% only used numbers

Passwords are still a necessary evil. And for some folks, that email account may have represented a "throw away" type of email address, but I suspect for a lot of folks, they just didn't know better with respect to doing a better job with passwords. Microsoft has published some good guidance to help with picking relatively strong passwords, and it's not hard to do. As for me? I like long passwords that are based on phrases that make sense to me with mixed case, special characters, and numeric characters as well. I know I'm paranoid about that stuff, but I have found that when I do that, it's not that difficult. In a lot of cases I just let my password vault generate a random password and use that for a given web site. But if it's somewhere that I'm going to need to log onto and I suspect I won't have my password vault, I'll follow my own algorithm. Here's how I might go about picking a password:

  • I can think of something related to the site or the activity. For instance, for SQL Server Central, I might think about something related to SQL Server. Let's go with, "I'm glad I'm not on SQL Server 6.5!"

  • I can use that as a starting point for a passphrase (when you use a phrase for the password): I'mgladI'mnotonSQLServer6.5!

  • We already have mixed case, numeric, and special characters in that passprase. But we could make still make it more complex.

  • Let's substitute the "o" character with the "#" character. That's not a standard substitution. That leaves us with: I'mgladI'mn#t#nSQLServer6.5!

  • And we're left with a 28 character password that has mixed case, numeric, and special characters. One that should be relatively easy to remember.

  • Now, if you didn't want to have to type 28 characters, you could shorten it to just the first characters (remember we've substituted the "o" with "#"), leaving the numbers intact: IgIn#SS6.5!

  • And you're still left with an 11 character mixed cased, numeric, special character password that should hopefully be easy to remember.

And on a side note, no, that's not my SQL Server Central password. While I can think of something related to the site or activity, I tend not to. I tend to think of something that usually makes no sense at all except to me and build from there. For instance, maybe something happened on SSC in the forums once that reminded me of Yosemite Sam. There hasn't been, to my knowledge, but if there had been, that may be what I initially derive my password from. If you know me and you know the site, you may assume I may connect something related, and you begin your attempts to brute force a password of mine, you're already going down the wrong path. So why do I recommend that folks start with something related? Because for folks who aren't used to generating "complex" passwords, it gives them a starting point which, if they follow the rules, the ending point will be so ambiguous that it doesn't matter much. Me? I'm just paranoid like that.

 

 

Rate

You rated this post out of 5. Change rating

Share

Tags

Share

Rate

You rated this post out of 5. Change rating

Related content

Technical Article

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

You rated this post out of 5. Change rating

2009-02-23

1,567 reads

Technical Article

Networking - Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I'd like to talk about social networking. We'll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let...

You rated this post out of 5. Change rating

2009-02-17

1,530 reads

Technical Article

Speaking at Community Events - More Thoughts

Last week I posted Speaking at Community Events - Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I've got a few more thoughts on the topic this week, and I look forward to your comments.

You rated this post out of 5. Change rating

2009-02-13

360 reads