1.9 Million of you use 123456 as a Password and it has to stop
What’s this all about? Adobe was recently hacked and about 150 million people’s account details have been leaked.
From News.Softpedia “Cybercriminals have managed to steal over 130 million encrypted passwords after hacking Adobe’s systems. However, since the company did a poor job of encrypting them, security experts have already managed to crack most of them.”
That’s because Adobe used the Triple DES (3DES) hashing algorithm in ECB mode to encrypt the password. This type of encryption provides some clues to what the passcode might be.
This, combined with the fact that Adobe’s database also contained password hints, made it trivial for experts to crack them.
Stricture Consulting Group has published a list of the 100 most common passwords used by the Adobe customers whose details were stolen by cybercriminals.
Unsurprisingly, the most common password is “123456,” used by 1,911,938 people. “123456” is followed by “123456789,” a passcode set by 446,162 individuals.
The top ten also includes “password,” “adobe123,” “12345678,” “qwerty,” “1234567,” “111111,” “photoshop” and “123123.””
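The excerpt above says the encryption "provides some clues" to the password. The following is an added example (mine, not Adobe's or Softpedia's code) showing the two clues ECB mode leaks and what a salted, slow hash does instead. It uses a stand-in 64-bit block cipher built from HMAC rather than real 3DES, a constructed key, and zero padding; all three are assumptions made for the demonstration and the property shown does not depend on them.

```python
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 8  # 3DES has a 64-bit (8-byte) block; ECB encrypts each block independently.

# Constructed sample key for this demonstration (not a key from the breach).
KEY = b"constructed-demo-key"


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 64-bit block cipher under a fixed key.

    An HMAC truncated to one block, NOT real 3DES. It only models the property
    ECB exposes: the same 8-byte input always yields the same 8-byte output,
    whatever its position and whichever user's record it belongs to.
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def zero_pad(data: bytes) -> bytes:
    # Pad to a whole number of blocks. Zero padding is an assumption for this
    # example; the leak shown below is the same for any padding scheme.
    return data + b"\x00" * ((-len(data)) % BLOCK)


def ecb_encrypt(key: bytes, password: str) -> bytes:
    """ECB mode: split into blocks, encrypt each block on its own, concatenate."""
    data = zero_pad(password.encode("utf-8"))
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def shared_leading_blocks(c1: bytes, c2: bytes) -> int:
    """Count leading 8-byte blocks two ciphertexts have in common.

    Two users whose passwords share the first 8 characters get an identical
    first ciphertext block, so cracking one record reveals the prefix of the other.
    """
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000):
    """What a password store should hold instead: a random per-user salt plus the
    output of a slow one-way KDF (PBKDF2-HMAC-SHA256 from the standard library)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 200_000) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    a, b = ecb_encrypt(KEY, "password1"), ecb_encrypt(KEY, "password2")
    print("ECB: leading blocks shared by 'password1' and 'password2':",
          shared_leading_blocks(a, b))
    print("ECB: ciphertext length tracks password length:",
          len(ecb_encrypt(KEY, "123456")), len(ecb_encrypt(KEY, "123456789")))
    s1, d1 = salted_hash("password1")
    s2, d2 = salted_hash("password1")
    print("Salted PBKDF2: same password, different stored values:", d1 != d2)
```

Under ECB, equal passwords give equal ciphertexts across every account, shared 8-character prefixes give equal leading blocks, and the ciphertext length gives the password length to within eight characters; combined with the hints column, that is why the records were so easy to group and recover. With a per-user salt the same password stored twice looks unrelated, and the KDF's cost slows each guess.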
First thing you need to do? Go to http://adobe.cynic.al/ and check to see if your email is on the list. Change your Adobe password immediately, and please use a complex password.
Considering Passphrases as opposed to Passwords
From technet.microsoft.com:
The key differences between pass phrases and passwords are:
(1) A pass phrase usually has spaces; passwords don’t
(2) A pass phrase is much longer than the vast majority of words, and, more important, longer than any random string of letters that an ordinary person could remember.
Although a pass phrase could simply be considered a very long password, typically it is constructed of a sequence of words, or something similar to words.
Second, you need to understand the difference between password guessing and password cracking. Password guessing is when someone sits at the console or at a remote machine trying passwords. Guessing is not relevant to this article, because if an account has a relatively complex password, guessing will not succeed anyway. If guessing succeeds, the cause is either incredible luck on the part of the attacker, or a weak password.
Strong Passwords and Passphrases
From Microsoft Security: A strong password is an important protection to help you have safer online transactions. Here are some steps to create a strong password. Consider using some or all to help protect yourself online:
- Length. Make your passwords at least eight (8) characters long.
- Complexity. Include a combination of at least three (3) upper and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.
- Variation. Change your passwords often. Set an automatic reminder to update passwords on your email, banking, and credit card websites every three months.
- Variety. Don’t use the same password for everything. Cyber criminals can steal passwords from websites that have poor security, and then use those same passwords to target more secure environments, such as banking websites.
There are many ways to create a long, complex password. Here are some suggestions that might help you remember it easily:
| What to do | Example |
|---|---|
| Start with a sentence or two. | Complex passwords are safer. |
| Remove the spaces between the words in the sentence. | Complexpasswordsaresafer. |
| Turn words into shorthand or intentionally misspell a word. | ComplekspasswordsRsafer. |
| Add length with numbers. Put numbers that are meaningful to you after the sentence. | ComplekspasswordsRsafer2013. |
More strategies for strong passwords
Test your password with a password checker
A password checker evaluates your password’s strength automatically. Try Microsoft’s password checker.
Characteristics/Examples of Weak/Bad Passwords/Passphrases
- Do we have to say 123456?
- Your name in any form – first, middle, last, maiden, spelled backwards, nickname or initials
- Your user ID or your user ID spelled backwards
- Part of your user ID or name
- Any common name, such as Joe
- The name of a close relative, friend or pet
- Your phone number, office number or address
- Your birthday or anniversary date
- Simple variants of names or words (even foreign words), simple patterns, famous equations or well-known values
- Your license plate number, your social security number or any all-numeral password
- Names from popular culture (e.g., Beatles, Spiderman, etc.)
- Any password that is offered forth as an example
- ILoveYou
- Permutations of the username
- Family or pet birth dates
- Family or pet names or acronyms built from them
- Hobbies or activities
- Work or school-related information or work/school acquaintances
- Names of places visited or worked
- Important numbers such as social security, phone or account numbers
- Common words from dictionaries including foreign language
- Common dictionary word permutations
- Names or types of favorite objects
- All digits or all the same letter or letter sequences found on keyboards
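The strong-password rules (length, character classes) and the weak-password list above can be turned into a checker. The code below is an added example written for this post, not Microsoft's password checker or any tool the page links to. It encodes the page's own numbers (eight characters, three classes), blocks the top-ten Adobe passwords and the strings this page offers as examples, and flags usernames, all-numeral and repeated-character passwords, and keyboard runs; the four-key run length and the rule names are my assumptions.

```python
import string

# The ten most common Adobe passwords listed earlier on this page.
ADOBE_TOP10 = {"123456", "123456789", "password", "adobe123", "12345678",
               "qwerty", "1234567", "111111", "photoshop", "123123"}

# Strings this page itself presents as examples. The weak-password list says
# never to use a published example, so they are blocked as well.
PUBLISHED_EXAMPLES = {"complexpasswordsaresafer", "complekspasswordsrsafer",
                      "complekspasswordsrsafer2013", "iloveyou"}

# Keyboard rows used to spot runs such as "qwer" or "asdf" and their reverses.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 8    # "at least eight (8)"
MIN_CLASSES = 3   # "at least three" of upper, lower, digits, punctuation
RUN_LENGTH = 4    # assumption: four adjacent keys count as a keyboard sequence


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def has_keyboard_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """True if any n adjacent keys from one row appear forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seq = row[i:i + n]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(pw: str, username: str = "") -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    user = username.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(pw) < MIN_CLASSES:
        problems.append("too_few_classes")
    if low in ADOBE_TOP10:
        problems.append("common_password")
    if low.rstrip(".") in PUBLISHED_EXAMPLES:
        problems.append("published_example")
    if pw.isdigit():
        problems.append("all_numeric")
    if len(set(low)) == 1:
        problems.append("repeated_character")
    if user and (user in low or user[::-1] in low):
        problems.append("contains_username")
    if has_keyboard_run(pw):
        problems.append("keyboard_sequence")
    return problems


def is_strong(pw: str, username: str = "") -> bool:
    return not check_password(pw, username)


if __name__ == "__main__":
    for candidate, user in (("123456", ""), ("Qwerty12!", ""),
                            ("ComplekspasswordsRsafer2013", ""),
                            ("Bobby!2024x", "bob"),
                            ("correct horse battery staple!9", "")):
        print(f"{candidate!r:38} -> {check_password(candidate, user) or 'OK'}")
```

Note that a long passphrase with spaces passes on the page's own terms (length and three classes) without any keyboard trickery, while the table's worked example fails only because it has been published here, which is exactly the point of the "any password offered forth as an example" rule.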
What Next?
Read this article in Digital Trends by Geoff Duncan, that states in part: “…even our seemingly innocuous accounts can be stepping stones to PayPal, Amazon, iTunes, credit cards, bank accounts, and identity theft — and those are precisely what serious attackers want. With so much of our day-to-day lives now online and password breaches becoming so commonplace, an ounce of prevention — say, 16 random characters — can be worth a pound of cure.”