Editorial
Weak Passwords – The Attacker's Low-Hanging Fruit
By now you've probably heard that Italy's Hacking Team, a company that sells intrusion and surveillance tools to governments and law enforcement agencies, has had its private information laid bare for the entire world. Almost 400GB of data, published in a single Torrent file, made its way onto the Internet for all to enjoy. This incident was, according to Eric Rabe, Chief Marketing and Communications Officer for the Hacking Team, "… an extremely dangerous situation." Indeed it is. How did these hackers manage to hack the hackers of the Hacking Team? The initial entry point for the attack is unclear, but one thing is certain: The Hacking Team needs to attend a seminar on password security.
Part of the data revealed with the attack were passwords from some Hacking Team employees. How weak were the passwords these "security experts" were using to protect their data? Some of the passwords uncovered in the attack were:
- HTPassw0rd
- Passw0rd!81
- Passw0rd
- Passw0rd!
- Pas$w0rd
- Rite1.!!
Security professionals' passwords should be made of sterner stuff. The Hacking Team employee whose passwords you see above followed the letter of good password creation: at least eight characters, mixed case, numbers, and special characters. However, using the word "password" in any form, leetspeak substitutions included, is a very poor example for colleagues and customers.
It makes me wonder if his luggage lock code is 123456 or his personal WordPress blog password is abcd1234.
Bad passwords are bad news, and you should always try to avoid them. But let me give you some even worse news: Even strong passwords can be hacked. Why? Because passwords aren't secure. Each character is drawn from a finite set, so the number of possible passwords is finite too, regardless of how long or complex you believe yours is. A brute force attack will reveal any password with enough time and computing power behind it. And you know what attackers have a lot of? Time and computing power.
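A password policy check in the spirit of the two points above, added here as an example and not code from the editorial: it undoes the common leetspeak substitutions so that every "password" variant in the list is caught, and it reports the brute-force search space the character classes would give, which the dictionary word quietly throws away. The substitution table, the denylist and the minimum length and class counts are constructed assumptions.

```python
import math
import re
import string

# Leet substitutions commonly used to dress up a dictionary word; undoing them
# lets the policy see "Passw0rd!" for what it is. The table is an assumption.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a"})

# Constructed denylist of base words; a real policy would use a breach corpus.
FORBIDDEN_BASES = {"password", "passwd", "admin", "welcome", "letmein"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
MIN_LENGTH = 8
MIN_CLASSES = 3

def normalize(pw: str) -> str:
    """Lowercase, undo leet substitutions and drop anything non-alphabetic."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))

def classes_used(pw: str) -> list:
    """Character classes that actually appear in the password."""
    return [cls for cls in CLASSES if any(c in cls for c in pw)]

def brute_force_bits(pw: str) -> float:
    """Search space in bits for an attacker who knows only which character
    classes are present and must enumerate every string of this length."""
    alphabet = sum(len(cls) for cls in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def check_password(pw: str) -> list:
    """Policy findings for a candidate password; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(pw)) < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} character classes")
    norm = normalize(pw)
    # Every password in the list passes the complexity rules; only the
    # dictionary check tells them apart from a random string.
    for base in sorted(FORBIDDEN_BASES):
        if base in norm:
            findings.append(f"contains dictionary word '{base}' after de-leeting")
    return findings

if __name__ == "__main__":
    for pw in ["HTPassw0rd", "Passw0rd!81", "Pas$w0rd", "Rite1.!!"]:
        print(f"{pw:12} {brute_force_bits(pw):5.1f} bits  {check_password(pw) or 'ok'}")
```

Note that "Rite1.!!" passes this check: the point is that complexity rules alone cannot distinguish a dictionary word in disguise from a random string, so the denylist is what does the work.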
What is your best chance for keeping your systems safe? Create very strong passwords. Don't reuse them, and change them often. Don't use passwords that I could extract from you if I know 20 things about you. And never give your password to anyone.
The second thing to do, since you know passwords are not secure, is to secure your sites and accounts with multifactor authentication. Many sites support multifactor techniques. Enable all the security measures available to you on every site you use. If multifactor authentication or other security measures aren't available, either don't use the site or send email to the site owner requesting better security.
My best advice is to throw away the low-hanging fruit and make the attackers earn their keep by spending more time and effort on getting access to your Facebook page. Your mission, should you choose to accept it, is to go out today and change all of your current passwords to really good passwords, enable multifactor authentication, and set up enhanced security for every account you own. I bid you Godspeed, my friends, in your effort to secure your online presence. And no, Godspeed is not a good password.
Ken Hess * ADMIN Senior Editor