'Trivial' Passwords Enabled Huge Hack
The hackers who stole and published 33 million passwords from the Rockyou.com website in December needn't have bothered, a security company has revealed. Many of them were so trivial they could have been guessed anyway.
According to a new analysis of the hacked passwords, the most popular password used on the Rockyou site was '123456'. Ridiculously, the second most popular password was '12345' closely followed (in order) by '12345687', 'Password', 'iloveyou', 'princess', and the imaginative 'rockyou'.
To put the use of '123456' into perspective, it was used on 290,731 accounts out of the nearly 33 million, which sounds small until Imperva reveals that the top 20 passwords were all equally transparent, and around 20 percent of the 5,000 most popular passwords were "names, slang words, dictionary words or trivial passwords." In 20th place, 13,856 accounts secured themselves with the word 'QWERTY'.
Helpfully, Imperva puts this disastrous state of affairs into perspective in its downloadable report that should probably be required reading for companies that do not enforce password complexity. (See "The Art of Creating Strong Passwords" for tips.)
"If a hacker would have used the list of the top 5,000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9 percent of the users' passwords or a rate of one success per 111 attempts," say its authors.
"At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1,000 accounts. And the problem is exponential," which is a technical way of saying that it would have been trivial to hack into many of the accounts one by one even without the serious breach that compromised the whole database.
Such hacking would have had rewards beyond Rockyou -- it is believed that the same passwords were also in use on the account holders' webmail accounts on Gmail, Yahoo, Hotmail, and others.

Imperva makes some common sense suggestions on how websites and users can be educated to minimise such unnecessary vulnerability: put CAPTCHAs on sites (they slow down brute forcing), enforce password changes, make users adopt password complexity, and never store or transmit passwords in the clear.
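As an added illustration (not part of the original article or of Imperva's report), the following Python script reproduces the kind of arithmetic quoted above from a password frequency table and applies the countermeasure the report points to, a common-password blocklist, at registration time. The frequency table and the account totals are constructed for the example; the function and variable names are the example's own, and the only figures taken from the article are the 290,731 accounts using '123456' and the 0.9 percent single-guess rate used in the test.

```python
"""Added example: how much of a user base a short list of common passwords
covers, what that means for single-guess attacks, and a registration-time
blocklist check. The frequency data below is constructed, not the RockYou dump."""
from collections import Counter

# Constructed sample of (password, number of accounts using it).
SAMPLE_COUNTS = Counter({
    "123456": 2900,
    "12345": 800,
    "Password": 600,
    "iloveyou": 500,
    "qwerty": 200,
})
SAMPLE_TOTAL_ACCOUNTS = 330_000  # constructed total; remaining accounts assumed uncommon


def coverage(counts, total_accounts, top_n):
    """Fraction of all accounts whose password is among the top_n most common.

    With one guess per account, this is also the fraction of accounts a
    dictionary of the top_n entries compromises on the first attempt."""
    covered = sum(c for _, c in counts.most_common(top_n))
    return covered / total_accounts


def attempts_per_success(fraction):
    """Expected number of single-guess attempts per compromised account
    (0.9 percent per attempt works out to roughly one success per 111 attempts)."""
    return 1 / fraction


def seconds_to_compromise(n_accounts, fraction, attempts_per_second):
    """Time for an online guesser at the given rate to hit n_accounts successes."""
    return n_accounts / (fraction * attempts_per_second)


# Blocklist built from the same frequency data; a real deployment would load a
# much larger list of leaked passwords here. Matching is case-insensitive so
# 'Password' and 'QWERTY' are caught as well as their lower-case forms.
COMMON_PASSWORDS = frozenset(p.lower() for p in SAMPLE_COUNTS)


def is_acceptable(password, min_length=10, blocklist=COMMON_PASSWORDS):
    """Registration-time policy: a minimum length and rejection of any
    password on the common-password list, regardless of case."""
    if len(password) < min_length:
        return False
    if password.lower() in blocklist:
        return False
    return True


if __name__ == "__main__":
    top5 = coverage(SAMPLE_COUNTS, SAMPLE_TOTAL_ACCOUNTS, 5)
    print(f"top-5 list covers {top5:.2%} of constructed accounts")
    print(f"one success per {attempts_per_success(0.009):.0f} attempts at 0.9%")
    print(f"1,000 accounts at 111 guesses/s: {seconds_to_compromise(1000, 0.009, 111) / 60:.1f} min")
    for candidate in ("123456", "QWERTY", "correct horse battery staple"):
        print(candidate, "->", "accepted" if is_acceptable(candidate) else "rejected")
```

Length alone does not catch '123456789'-style passwords, and a blocklist alone does not catch short novel ones; the check applies both, which is why the policy rejects the list entries whatever their capitalisation.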
Businesses are also asked to pay attention to the blurring of work and leisure web browsing.
"Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like '123456'," said Imperva's CTO, Amichai Shulman.
According to Shulman, passwords are no more sophisticated than they were 20 years ago; the difference is that vastly more people are now being careless with them, magnifying the potential consequences of such naivety.
December's hack of Rockyou.com was blamed on an SQL injection vulnerability that compromised the company's entire and apparently unencrypted database. According to Imperva, the full database was posted for sale after the hacker posted a small portion first.
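The two weaknesses blamed for the breach, an injectable query and a database holding passwords in the clear, are shown below beside their fixes. This is an added example using Python's built-in sqlite3 and hashlib, not Rockyou's code (which is not public) or anything from Imperva's report; the table and column names (users, username, salt, pw_hash) and the sample user are the example's own.

```python
"""Added example: the injectable lookup pattern beside a parameterised one,
and password storage as a per-user salted PBKDF2 hash instead of plaintext."""
import hashlib
import hmac
import os
import sqlite3

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations;
# lowered here only so the example runs quickly.
PBKDF2_ITERATIONS = 210_000


def new_db():
    """In-memory database whose users table holds a salt and a hash, never a password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password, salt):
    """Slow, salted derivation: a leaked table cannot be read back as passwords
    and every guess against it costs the attacker PBKDF2_ITERATIONS hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(conn, username, password):
    """Store a fresh random salt and the derived hash; the password is discarded."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify(conn, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def find_user_unsafe(conn, username):
    """The injectable pattern: input spliced into the SQL text, so a quote in
    the input changes the structure of the query rather than the value matched."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [r[0] for r in conn.execute(query).fetchall()]


def find_user_safe(conn, username):
    """Parameterised query: the driver binds the value, so whatever the input
    contains it can only ever be compared literally against the column."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = new_db()
    register(db, "alice", "correct horse battery staple")
    print("correct password accepted:", verify(db, "alice", "correct horse battery staple"))
    print("'123456' accepted:", verify(db, "alice", "123456"))
    odd_input = "x' OR '1'='1"
    print("unsafe lookup returns:", find_user_unsafe(db, odd_input))
    print("safe lookup returns:", find_user_safe(db, odd_input))
```

Run stand-alone, the unsafe lookup returns every user for an input that names none of them, while the parameterised lookup returns nothing; the stored row for alice contains only random bytes and a hash, so a dump of the table does not hand over the password.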