Online Password Tips And Tricks
When it comes to being targeted by a hacker, you're more likely to be a fish than a deer.
Unlike in the movies, where cybercriminals are able to pinpoint their victims (deer), real-life bad guys are automating attacks across large pools of people (fish) in hopes of stealing data from a few.
A recent hack on a social-gaming company called RockYou suggests that hackers can be more efficient when they target large groups of people rather than trying to crack one person's password. By casting a wide net, a hacker gained control of over 32 million RockYou user passwords. Security company Imperva, which discovered and announced the security hole in RockYou's database systems, analyzed the stolen passwords and published a paper based on the password data.
Here's what Imperva found: The most common password used was "123456," followed by "12345" and "123456789." All in all, more than half a million people chose passwords composed of only consecutive numbers. So, if a hacker tried to log in to all RockYou accounts with just one password attempt--123456--every hundred or so attempts would yield a compromised account. Dozens of attempts can be scripted every second, so Imperva estimates that using this technique would only take around 15 minutes to hack 1,000 accounts.
"The entire operation of password breaking ... looks very different than what we've been used to thinking," says Imperva Chief Technologist Amichai Shulman.
The RockYou password sample is biased towards people who play social games on sites like MySpace. Moreover, programmers can mitigate the threat of automated attacks by building lock-outs and other security mechanisms into their Web applications.
But for the most part, programmers aren't taking the key steps to prevent automated attacks, says security analyst Kevin Johnson, who teaches a course on hacking Web applications for the SANS Institute, a security training outfit.
"The majority of Web applications aren't protected against that kind of attack," says Johnson. "Security is not something on most people's mind."
Taylor Buley, Forbes.com