Posts Tagged ‘passwords’
Tuesday, December 14th, 2010
Gawker was recently hacked and a huge number of passwords were revealed. I’ll leave the repetitive and vapid comments about how weak everyone’s passwords were to others. Instead I’ll note something interesting. When looking at numeric passwords, those with an even number of digits were far more common than those with an odd number of digits. For example, 123456 and 12345678 were both more common than 12345 and 1234567. Other common numeric passwords were 111111, 666666, 1234, 123123, and 654321, all of which have an even number of digits. I commented on this once before in the context of voicemail passwords, but unfortunately I’m still no closer to a guess as to why this should be the case, although I suspect something innate to the ways humans remember things. Does the human brain find it easier to remember a string of numbers in pairs? Do people just like even numbers more? Are there any psychologists who want to do some research on this?
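The tally described above is easy to reproduce over any cracked-password or breach-analysis list. The script below is an added example, not part of the original post and not the analysis the post was based on; the password list in it is a constructed sample that only mirrors the values mentioned above, not Gawker data. It counts all-digit passwords by length parity and also classifies their structure (single repeated digit, repeated block such as 123123, ascending or descending run), which is the kind of breakdown a password-policy audit would want.

```python
"""Tally numeric-only passwords by digit count and by simple structure.

Added example, not from the original post. SAMPLE_PASSWORDS is a constructed
sample echoing the values the post mentions; a real audit would read a cracked
or leaked list instead.
"""
from collections import Counter

SAMPLE_PASSWORDS = [  # constructed sample, not Gawker data
    "123456", "123456", "123456", "password", "12345678", "12345678",
    "111111", "666666", "1234", "123123", "654321", "12345", "1234567",
    "letmein", "qwerty", "111111", "0000", "1234", "98765",
]


def classify_numeric(pw: str) -> str:
    """Describe the structure of an all-digit password."""
    if len(set(pw)) == 1:
        return "single_digit"
    # Repeated block such as 123123 or 1212: find the smallest period that tiles it.
    for period in range(1, len(pw) // 2 + 1):
        if len(pw) % period == 0 and pw == pw[:period] * (len(pw) // period):
            return "repeated_block"
    digits = [int(c) for c in pw]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {1}:
        return "ascending"
    if steps == {-1}:
        return "descending"
    return "other"


def numeric_length_stats(passwords):
    """Return parity counts, a per-length histogram, structure counts and the
    most common numeric passwords for the all-digit entries in `passwords`."""
    numeric = [p for p in passwords if p.isdigit()]
    by_length = Counter(len(p) for p in numeric)
    even = sum(n for length, n in by_length.items() if length % 2 == 0)
    odd = sum(n for length, n in by_length.items() if length % 2 == 1)
    structure = Counter(classify_numeric(p) for p in numeric)
    return {
        "numeric_total": len(numeric),
        "even": even,
        "odd": odd,
        "by_length": dict(sorted(by_length.items())),
        "structure": dict(structure),
        "top": Counter(numeric).most_common(5),
    }


if __name__ == "__main__":
    stats = numeric_length_stats(SAMPLE_PASSWORDS)
    print(f"numeric passwords: {stats['numeric_total']}")
    print(f"even-length: {stats['even']}  odd-length: {stats['odd']}")
    print("by length:", stats["by_length"])
    print("by structure:", stats["structure"])
    print("most common:", stats["top"])
```

On the constructed sample the even-length entries outnumber the odd ones 13 to 3, and nearly all of them are either a keyboard run (123456, 1234) or a single repeated digit, which is why length alone is a weak measure of a numeric password's strength.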
Tags: even numbers, passwords, psychology | Posted in Access Control Systems & Methodology
Friday, September 3rd, 2010
Speaking of passwords….
In the last few weeks there have been a few stories about criminals using stolen credentials to steal large amounts of money from unsuspecting victims. The Zeus botnet stole about a million dollars from UK banks. Criminals stole a million dollars from UVA, and the Diocese of Des Moines had 600K stolen. All of these followed a similar pattern – criminals used stolen credentials to move money to other bank accounts. I’m reminded of the 2010 Verizon Data Breach Investigations Report (if you haven’t read it, please do). One of the recommendations was to limit the amount of damage that can be caused by compromised credentials. If these banks had been following that advice, their customers might not now be out millions of dollars. If they had implemented any sort of program to look for fraud indicators, they likely would have avoided this whole mess. I know of many banks that have such a program in place, and let’s just say that I haven’t seen any of them show up in the news lately.
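The "fraud indicators" program the post has in mind can be as simple as replaying outbound transfers against each account's own history and holding the ones that look unlike anything the customer has done before. The code below is an added example, not the original post's and not any bank's actual system; the thresholds (daily cap, burst window, amount multiplier) and the transaction log are constructed assumptions. It scores each transfer for a new payee, a new source IP, an amount far above the account's prior maximum, a burst of transfers, and a per-account daily limit, which is the "limit the damage from compromised credentials" control the post refers to.

```python
"""Flag outbound transfers carrying common compromised-credential fraud indicators.

Added example, not from the original post or any bank's system. Thresholds and
the sample transfer log are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    account: str
    when: datetime
    amount: float
    payee: str
    src_ip: str


# Assumed policy values, not taken from any real institution.
DAILY_CAP = 10_000.0            # damage limit per account per calendar day
BURST_WINDOW = timedelta(minutes=30)
BURST_COUNT = 3                 # transfers within BURST_WINDOW that count as a burst
AMOUNT_MULTIPLIER = 5.0         # relative to the account's largest prior transfer


def fraud_indicators(history, tx):
    """Return the indicator names raised by `tx`, judged against that account's
    earlier transfers in `history`. A brand-new account has no baseline, so the
    new-payee and new-IP checks only fire once some history exists."""
    prior = [h for h in history if h.account == tx.account and h.when < tx.when]
    flags = []
    if prior:
        if tx.payee not in {h.payee for h in prior}:
            flags.append("new_payee")
        if tx.src_ip not in {h.src_ip for h in prior}:
            flags.append("new_ip")
    largest = max((h.amount for h in prior), default=0.0)
    if largest and tx.amount > AMOUNT_MULTIPLIER * largest:
        flags.append("amount_outlier")
    recent = [h for h in prior if tx.when - h.when <= BURST_WINDOW]
    if len(recent) + 1 >= BURST_COUNT:
        flags.append("burst")
    same_day = sum(h.amount for h in prior if h.when.date() == tx.when.date())
    if same_day + tx.amount > DAILY_CAP:
        flags.append("daily_cap_exceeded")
    return flags


def review_queue(transfers):
    """Replay a transfer log in time order. Returns {index: flags} for transfers
    that should be held: anything over the daily cap, or two or more indicators."""
    ordered = sorted(enumerate(transfers), key=lambda pair: pair[1].when)
    seen = []
    queue = {}
    for idx, tx in ordered:
        flags = fraud_indicators(seen, tx)
        if "daily_cap_exceeded" in flags or len(flags) >= 2:
            queue[idx] = flags
        seen.append(tx)
    return queue


# Constructed sample log: routine bills for acct-1, then two large transfers to
# never-before-seen payees from a new IP a few minutes apart.
T0 = datetime(2010, 9, 1, 9, 0)
SAMPLE_LOG = [
    Transfer("acct-1", T0, 250.0, "electric-co", "203.0.113.5"),
    Transfer("acct-1", T0 + timedelta(days=7), 1200.0, "landlord", "203.0.113.5"),
    Transfer("acct-1", T0 + timedelta(days=14), 250.0, "electric-co", "203.0.113.5"),
    Transfer("acct-1", T0 + timedelta(days=20, hours=2), 9500.0, "mule-acct-77", "198.51.100.9"),
    Transfer("acct-1", T0 + timedelta(days=20, hours=2, minutes=5), 4000.0, "mule-acct-78", "198.51.100.9"),
    Transfer("acct-2", T0 + timedelta(days=1), 80.0, "bookshop", "192.0.2.44"),
]

if __name__ == "__main__":
    for idx, flags in review_queue(SAMPLE_LOG).items():
        tx = SAMPLE_LOG[idx]
        print(f"HOLD {tx.account} {tx.when:%Y-%m-%d %H:%M} {tx.amount:>8.2f} -> {tx.payee}: {', '.join(flags)}")
```

The daily cap is the only rule that acts on its own; the rest are combined so that a single new payee (the rent payment above) does not generate a hold. In the sample, the first mule transfer trips three indicators and the second one pushes the day's total past the cap, so both are held while the routine bills pass.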
Tags: crime, passwords | Posted in Access Control Systems & Methodology
Wednesday, September 1st, 2010
There are a lot of reasons to hate passwords as an authentication mechanism – the fact that users hate them, easy to guess/brute force, overhead involved in maintaining the system when credentials are forgotten/lost, overhead due to locked out users, over reliance on a single factor of authentication, etc., etc. All of it comes down though to one central theme: using passwords puts the responsibility for security on the users and not the security folk, and this is a huge mistake. Users are not trained security professionals, and they can’t be expected to be. It is simply unreasonable to expect users to create unique strong passwords for everything they access, remember them, not write them down, and never forget them. They have other things to do, and security is just not one of them. I don’t want my employees to be the primary line of defense for IT systems I’m responsible for – I want qualified security personnel. If you use passwords for authentication, then that’s essentially what you’re doing. This is the root cause of all the other problems with passwords.
Tags: passwords | Posted in Access Control Systems & Methodology
Friday, May 14th, 2010
Lest this blog turn into nothing more than a source of announcements, I figured I’d post something that has been eating me up for ages. Anyone who knows me knows that I hate passwords with a passion. They’re easy to break, easy to social engineer, and provide a false sense of security. People trade them for candy bars, reuse them, and don’t pick ones that are hard to guess. As soon as they become hard to guess, they also become hard to remember, leading to lots of helpdesk calls for password resets. All of these (and other) issues stem from one single root cause – passwords move the security role from the IT security department to the end users. We IT security people are constantly trying to make new rules for the end users to make sure they protect their passwords, but the problem is that while all these rules make sense to us, the end users are not IT security experts. They don’t have the background, experience, know-how, etc. Expecting the end users to manage security of a system they don’t even understand is a huge mistake. And yet, for some reason, that’s what we do when we use passwords as the single factor needed to access sensitive data.
Tags: passwords | Posted in Access Control Systems & Methodology
Thursday, January 14th, 2010
I was clearing out my bookmark file on an old machine this morning and stumbled across something I’d bookmarked and completely forgotten about – the best default password list I think I’ve ever seen. Also, it’s actually maintained! I just figured I’d share it.
Tags: default passwords, passwords, resource | Posted in Access Control Systems & Methodology
Tuesday, October 27th, 2009
I’ve been using Windows 7 fairly regularly on one of my machines for the past month or so. One thing I noticed is that the default password settings for Windows 7 include the fact that passwords expire after 42 days. Since most home users will never change their default settings, this setting will likely become a de-facto standard. However, the default settings also have a password history of zero (no remembered passwords), and a minimum age of zero as well. This means that every home user, when prompted to change their password, will simply change it to the password they had initially, making this setting useless.
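The three settings above are exactly what `net accounts` reports on a Windows machine, so the interaction (expiry with no history, or a history that a zero minimum age lets the user cycle through) can be checked mechanically. The script below is an added example, not from the original post and not a Microsoft tool; the two blocks of sample output are constructed to match the shape of `net accounts` output and the Windows 7 defaults the post describes, and the remediation command mentioned in the comments is a suggestion, not something the script runs.

```python
"""Audit the local password policy as reported by `net accounts` on Windows.

Added example, not from the original post. The sample outputs are constructed
to match the shape of `net accounts` output; run the real command and feed its
text to audit_password_policy() on an actual machine.
"""

# Constructed sample in the shape of `net accounts` output, with the Windows 7
# defaults the post describes: 42-day expiry, no history, zero minimum age.
WIN7_DEFAULTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed sample of a policy that remembers 5 passwords but still allows
# same-day changes, so a user can cycle through the history in one sitting.
HISTORY_NO_MIN_AGE = """\
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                5
Lockout threshold:                                    10
"""


def _normalize(value: str):
    """Turn a `net accounts` value into a number where possible.
    'None'/'Never' mean zero; 'Unlimited' means no limit (None)."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    return {"none": 0, "never": 0, "unlimited": None}.get(value.lower(), value)


def parse_net_accounts(text: str) -> dict:
    """Parse 'label: value' lines into a dict keyed by the label."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip the trailing status line
        label, value = line.rsplit(":", 1)
        policy[label.strip()] = _normalize(value)
    return policy


def audit_password_policy(text: str) -> list:
    """Return the weaknesses found in the policy, as short finding names."""
    p = parse_net_accounts(text)
    max_age = p.get("Maximum password age (days)")
    min_age = p.get("Minimum password age (days)", 0)
    history = p.get("Length of password history maintained", 0)
    findings = []
    # Expiry that remembers nothing: the user can "change" to the same password.
    if max_age is not None and history == 0:
        findings.append("expiry_without_history")
    # A history is only as good as the minimum age that stops rapid cycling.
    if history and min_age == 0:
        findings.append("history_bypassable")
    if p.get("Minimum password length", 0) == 0:
        findings.append("no_minimum_length")
    if p.get("Lockout threshold", 0) == 0:
        findings.append("no_lockout")
    return findings


if __name__ == "__main__":
    for name, sample in (("Windows 7 defaults", WIN7_DEFAULTS),
                         ("history, no min age", HISTORY_NO_MIN_AGE)):
        print(f"{name}: {', '.join(audit_password_policy(sample)) or 'no findings'}")
    # Suggested remediation (not executed here): set a history and a minimum age,
    # e.g.  net accounts /maxpwage:42 /minpwage:1 /uniquepw:5 /minpwlen:8
```

On the Windows 7 sample the audit reports `expiry_without_history`, `no_minimum_length` and `no_lockout`; on the second sample it reports `history_bypassable`, which is the same loophole in a different form. Adding a history without also raising the minimum age closes nothing.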
Tags: password change, passwords, useless security, windows 7 | Posted in Access Control Systems & Methodology
Tuesday, September 1st, 2009
Every so often I make a post whose main purpose is to get indexed by Google and provide people with (what I think is) some nugget of useful information. Although googling for 8Ry2YjIyt7RRXU24 will yield a lot of results, none of them mention that this is the hash for a blank password on a PIX firewall. (In other words, if you found this post because you have a PIX that has enable password 8Ry2YjIyt7RRXU24 encrypted set, that means the enable password is blank).
Tags: blank password, cisco, passwords, pix | Posted in Access Control Systems & Methodology
Friday, February 20th, 2009
phpbb.com was broken into recently, and 20,000 passwords were revealed. There are two articles which attempt to draw conclusions from the data. One lists the 500 most common passwords, and the other does some analysis to try and get aggregate groupings.
The bottom line: no matter how much training we do, even reasonably internet-literate people like the phpbb users still pick crappy passwords. People don’t like remembering passwords, and therefore they find every conceivable measure to circumvent them. (See my previous post: all passwords are weak). If you’re developing a security system where the people who are supposed to be protected feel the need to circumvent the security, they will usually bring your security system down. Better to make a different system which is more transparent to the people who you’re trying to protect.
Tags: passwords, phpbb, transparency | Posted in Access Control Systems & Methodology
Wednesday, January 28th, 2009
This looks like it could be a lot of fun. (You know, if someone were to try that. Not that I would ever participate in or condone such an activity). This just boils down to the fact that yet another embedded device has a default password on it that most people never change. The best protection in this case is probably to just lock the access panel.
Tags: hacking, highway signs, passwords | Posted in Access Control Systems & Methodology
Tuesday, July 1st, 2008
Piggybacking on something I wrote about earlier, with the proliferation of WoW credential stealing bots, WoW is now offering two-factor authentication to its users. It makes sense frankly. WoW needs to keep their customers happy to keep their bottom line, and they’ve begun to realize that all passwords are inherently weak.
Tags: games, passwords, WoW | Posted in Access Control Systems & Methodology, news