Nearly every breach dump teaches the same lesson: people pick very common passwords, and they reuse them across most of their online services.
A recent article about the 2012 LinkedIn breach, in which a hacker stole 6.5 million password hashes (hashed, not encrypted, as the article put it), showed that many of them were common passwords. The amount of data quoted in that article was also wrong: it later emerged that another hacker, going by the name "Peace", was selling 117 million LinkedIn email and password combinations.
The passwords were stored as unsalted SHA-1 hashes, so a large share of them were cracked within days by brute force, wordlists and rainbow tables. A hash cannot be "decrypted"; it is recovered by guessing candidate passwords until one hashes to the same value, and with no salt the same precomputed guesses work against every user at once.
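To make concrete why unsalted SHA-1 falls so fast, here is an added example in Python. It is not code from the original post and not LinkedIn's code; the wordlist and the three sample accounts are constructed for the demonstration. An attacker builds a hash-to-password lookup once and then cracks every matching hash with no further hashing, whereas a per-user salt and a deliberately slow KDF (PBKDF2 here) force a fresh, expensive hash for every guess against every user.

```python
import hashlib
import os

# Constructed attacker wordlist, standing in for the multi-million-entry
# dictionaries that cracking tools actually use.
WORDLIST = ["123456", "password", "linkedin", "sunshine", "letmein",
            "princess", "qwerty", "abc123", "football", "monkey"]

# Constructed sample accounts; these are not rows from the real dump.
USER_PASSWORDS = {"alice": "sunshine", "bob": "linkedin", "carol": "v7$Qp!2zLm"}


def sha1_unsalted(password: str) -> str:
    """LinkedIn's 2012 scheme: a single SHA-1 of the password, no salt, no
    work factor. Identical passwords give identical hashes for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. Rainbow tables are a space/time
    trade-off on exactly this idea; the table is reusable against every
    user of every site that hashes the same way."""
    return {sha1_unsalted(w): w for w in wordlist}


def crack_unsalted(dump, table):
    """dump: {user: sha1hex}. Each hash costs one dictionary lookup and
    zero hashing at attack time."""
    return {user: table[h] for user, h in dump.items() if h in table}


def store_salted(password: str, iterations: int = 100_000):
    """A random per-user salt plus a slow KDF (PBKDF2 here; bcrypt, scrypt
    or Argon2 are the usual production choices). Returns (salt, hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(dump, wordlist, iterations: int = 100_000):
    """dump: {user: (salt, hash)}. No precomputed table helps: every guess
    must be rehashed with each user's own salt, and each hash is slow.
    Returns (cracked, number_of_hashes_computed)."""
    cracked, ops = {}, 0
    for user, (salt, h) in dump.items():
        for w in wordlist:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == h:
                cracked[user] = w
                break
    return cracked, ops


if __name__ == "__main__":
    dump = {u: sha1_unsalted(p) for u, p in USER_PASSWORDS.items()}
    print("unsalted SHA-1:", crack_unsalted(dump, build_lookup_table(WORDLIST)))
    salted = {u: store_salted(p) for u, p in USER_PASSWORDS.items()}
    cracked, ops = crack_salted(salted, WORDLIST)
    print("salted PBKDF2:", cracked, "after", ops, "slow hashes")
```

Note that alice and bob still fall in the salted case, just at the cost of a slow hash per guess per user instead of a free lookup. Salting and a work factor buy time; they do not rescue a password that is on the attacker's wordlist, which is the point this post is making about password choice.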
The hack revealed the 10 most common LinkedIn passwords to be the following:
So at the time of the 2012 breach, and before it, LinkedIn's password policy was a six-character minimum with no complexity requirement: all lowercase was allowed, and so was all digits. Most websites and apps these days at least have an eight-character minimum with one upper-case letter and one number. However, in the last few days I have seen a couple that do not have that.
Firstly, Gmail.com. I have recently been working with a school that is setting up its website for the first time, and for their Gmail account they chose an 8-character dictionary word directly related to the function of their website. The only added security was an upper-case letter at the beginning of the password.
Why, Gmail.com, is this acceptable? I would expect that by 2017 most well-known websites would have a password complexity setting, especially for something as critical as email.
WordPress.com. The same school chose their management username to be something like admin, and the password was the same as the Gmail account. Whilst WordPress suggests passwords, they are often very complex: at least 10 characters with a mix of special characters, numbers and different-cased letters. I can see why so many people choose a dictionary word instead.
There are services out there that, in light of all these breaches, are not re-evaluating their customers' password choices. Perhaps there is no way to tell whether a customer has a weak password, and that is why it hasn't been done. (A site that hashes passwords properly cannot read them at rest, but it does see the plaintext at every login and can check it then against a list of known-weak or breached passwords, and prompt for a change.) Perhaps they are letting customers decide whether to update their own password; I can tell you now that most people will not even think of it unless they are sent an email to remind them. An example of this is amazon.com: I have a six-character, all-lowercase-letter password for my purchasing account. I think a site such as Amazon should at least force customers to update for better security.
Lastly, complexity doesn't need to mean 10 to 15 characters with multiple numbers, special characters and mixed case. It can be as simple as several randomly chosen words with spaces between them and a few digits: a phrase that is easy to remember, provided the words really are picked at random rather than taken from a quote or a song lyric, which crackers keep in their wordlists too. However, in the age of smartphones with apps like Keychain, 1Password or LastPass, who needs to remember passwords anyway?
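As an added example of what a policy along these lines looks like, not code from the original post nor from any of the services named, the following Python checks a candidate password against a minimum length and a blocklist of common passwords instead of character-class rules, so that a random-word passphrase passes while Password1 does not. It also shows that a site can re-check a password at login, when it has the plaintext in hand, even though it cannot read properly hashed passwords at rest, and it generates passphrases with the CSPRNG and reports their guessing entropy. The blocklist and wordlist are constructed and tiny; real ones are breach-derived lists with hundreds of millions of entries and diceware lists of 7776 words.

```python
import hashlib
import hmac
import math
import os
import re
import secrets

MIN_LENGTH = 8

# Constructed blocklist standing in for a breach-derived list of common
# passwords (real lists run to hundreds of millions of entries).
BLOCKLIST = {"123456", "password", "linkedin", "sunshine", "letmein",
             "princess", "qwerty", "abc123", "football", "monkey", "welcome"}

# Constructed wordlist for passphrase generation. The EFF long diceware
# list has 7776 words, which is what makes each word worth ~12.9 bits.
WORDLIST = ["maple", "river", "copper", "lantern", "orbit", "velvet",
            "cactus", "harbor", "pixel", "saddle", "tundra", "walnut"]


def _normalise(password: str) -> str:
    return password.strip().lower()


def check_policy(password: str) -> list[str]:
    """Return the reasons a candidate is rejected (empty list = accepted).
    Length plus a blocklist, no character-class rules: a long passphrase
    passes, and 'Password1' is caught as a blocklisted word with junk appended."""
    problems = []
    norm = _normalise(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if norm in BLOCKLIST:
        problems.append("appears in the common/breached password list")
    stripped = re.sub(r"[\d\W_]+$", "", norm)   # drop trailing digits/symbols
    if stripped != norm and stripped in BLOCKLIST:
        problems.append("a common password with digits or symbols appended")
    return problems


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST) -> str:
    """Random words joined with spaces, chosen with the CSPRNG, not random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Guessing entropy of n words chosen uniformly from a list of list_size."""
    return n_words * math.log2(list_size)


def make_record(password: str) -> dict:
    """Store a salted, slow hash; the plaintext is not recoverable from this."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


def login(record: dict, presented: str):
    """Verify the password, then, because the plaintext is available at this
    moment, re-run the current policy on it. Returns (status, problems) so
    the caller can force a change for a weak but correct password."""
    h = hashlib.pbkdf2_hmac("sha256", presented.encode(), record["salt"], 100_000)
    if not hmac.compare_digest(h, record["hash"]):
        return "denied", []
    return "ok", check_policy(presented)


if __name__ == "__main__":
    for candidate in ["sunshine", "Password1", "maple river copper lantern 42"]:
        print(repr(candidate), "->", check_policy(candidate) or "accepted")
    print(generate_passphrase(4),
          f"({passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits from this toy list;"
          f" {passphrase_entropy_bits(4, 7776):.1f} bits from a 7776-word list)")
    rec = make_record("monkey99")
    print(login(rec, "monkey99"))   # correct, but flagged for rotation
```

Four words from a 7776-word list give about 51.7 bits of guessing entropy, which is far more than an 8-character dictionary word with a capital letter, and the spaces and length cost the user nothing to remember. With the twelve-word toy list above the same four words give only 14.3 bits, which is why the size of the wordlist, not just the number of words, matters.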
Go here to understand why it was so easy to crack the passwords from the 2012 LinkedIn breach.