
Mass Password Brute - Over 33 million passwords stolen

 
 Discussion by thejode with 10 Replies.
 Last Update: February 10, 2010, 11:13 pm
 

Are you a member of Rockyou.com? You probably know about this (and have most likely deleted your account and sided it with a complaint letter to the company), but 33 MILLION passwords were stolen from the database, and are now floating around in cyberspace. Some people have gotten so ticked, they’ve sued rockyou. Now, you may think “It’s not their fault, it was a security breach”. This is a lot worse. They might as well write their passwords on their office building. The passwords were stored in simple text files, UNENCRYPTED.
Now, what is Rockyou? They’ve created social networking applications, such as “Pieces of Flair”, and “Superwall”.
Now, here’s kind of the problem with Rockyou’s user database. The most popular user password was “123456”, followed by “12345687”. Other incredibly imaginative and secure passwords were closely following these two, including “Password”, “QWERTY”, and “rockyou”.

If a hacker used the list of top 5,000 passwords for a dictionary brute force on Rockyou, it would take only one attempt per account to guess about 0.9% of the community’s passwords. At this rate, hackers would gain access to 1 account every second, or 17 minutes to gain access to 1,000 accounts. Now, estimates show that sites like Gmail, Hotmail, AOL, etc. probably carry the same population of people who use these ridiculously easy passwords. But they have a captcha, a computer-generated image that displays text and letters at a funky angle and weird colors.

[Image: captcha example (Generated by Google)]

Other security systems require you to answer a question (“What is the color of the sky?”), and complete arithmetic problems via a captcha.
[Image: 2ym7uz5.png]

Most experts agree that passwords haven’t changed from 20 years ago. Users and businesses are just becoming more careless about security measures. Companies are also worried about employees using the same insecure password they use for social networking sites as they use for their business. This brings a new threat of a mass password hack that could result in millions of dollars lost. Who will suffer? Those who are careless. Beware of “123456” passwords!

   Mon Jan 25, 2010    Reply         



Excellent Post! A lot of information there! I definitely agree! People are becoming less creative with the passwords. I don't even know what my facebook or gmail password is. You know why? Because I barely see it, because I can touch type, I coordinate my fingers to form a pattern on the keyboard (UK keyboard, I'm screwed in Russia, and seriously twisted in China) but hey it works! If I was battered to a pulp with a spoon I wouldn't be able to think of the password. Every time I have to check my mail on the phone I have to use my fingers and think very hard of the keyboard layout.

Anyway, I think all passwords should follow the same format (maybe not as uptight and with so much paranoia as mine but still) - something that is utterly random, that will take more than 3 attempts for a hacker to use Brute Force, as after three attempts, most applications like googlemail initiate a form of security often in the form of captcha codes and questions.

Be careful! AND NEVER use the same password for bank accounts, business networks and school/uni networks. It is highly dangerous depending on the level of information at risk!

And when it is advised to use mix characters, uppercase and lowercase & numbers + symbols, be grateful and use it to your advantage!

:)

   Mon Jan 25, 2010    Reply         

That is why I make my password as secure as I can, to prevent being a victim of a hacker ("wordpass" is ftw). Seriously though, I would be so pissed if this happened to me. Websites need to make sure their systems are encrypted and safe to prevent hackers stealing passwords from the website's user base. At least keep it more secure with adding a captcha question, or whatever they are called, and try to beat the hack bots from mass hacking like these from happening.

   Mon Jan 25, 2010    Reply         




Yes, this is really terrible. So weak passwords. But this really isn’t surprising. We’d all be amazed how much this wouldn’t happen if people took the extra .5 seconds to add a number or two to the end of their password. Leave the door open and people will come in. Using passwords like “1234” just isn’t smart.
Talk about "grabbing the wrong end of the stick". People use short passwords because they are easy to remember and enter. I have a short password and I still mistype it. Couple that to the rotating password system that is recommended (replace your password after 6 months) and you are obviously going to pick a short, easy to remember (and break) password. Demand a 32 character password for your site and see how many people will bother to log in! Do you think that corrupt corporations would put up with it taking 10 minutes/day for their workers to successfully log in to their user accounts? A simple mechanical key & lock would be more effective!
How many people would use ATMs, if their PIN changed every 6 months?

Look at this list for example, it lists the most common of the 32 passwords provided by v-Sync:

QUOTE

1. 123456
2. 12345
3. 123456789
4. password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
11. nicole
12. daniel
13. babygirl
14. monkey
15. jessica
16. lovely
17. michael
18. ashley
19. 654321
20. qwerty
21. iloveu
22. michelle
23. 111111
24. 0
25. tigger
26. password1
27. sunshine
28. chocolate
29. anthony
30. angel
31. FRIENDS (yes, all caps)
32. soccer


How many of you are guilty of using these passwords?

   Mon Jan 25, 2010    Reply         

Personally, on some registration forms, I use passwords like 1234 and etc. just because I don't care about that account, but for the accounts I care about I usually use quite good passwords, which are hard to hack.

But it's strange for me that those passwords aren't encrypted in the database and can be seen like that, by just getting some data from the database or sometimes it's encrypted with functions which can be decrypted quite easy, for example base64 ;]

   Tue Jan 26, 2010    Reply         

Wow, what idiot would make their password that? My password for everything is 21 characters long and consists of numbers and some caps. If someone guessed my password it would be a miracle. It's funny how the most popular one was 12345678. :) And password, seriously?

   Tue Jan 26, 2010    Reply         


Lol this is so funny - how could they even not encrypt their database records?! In this day and age?!! Half of the people use the same set of passwords for each and every site they register to so unless the hacker is stupid he can get access to almost every aspect of the victim's online presence. While keeping weak passwords is the victim's fault, getting hacked isn't entirely the person's fault. In this case, clearly the website and the people who maintain it are to blame - they may have cost losses to hundreds of people in terms of privacy, money, etc :)

   Mon Feb 1, 2010    Reply         

Wow, I've made some login systems (back in the days when it was warm), and I always use an md5 hash to verify the password. How the hell can someone be so 'smart' to save the password itself to the database?! It should be done like this:

You have md5 hash of the user's password in the database
The user inserts password on login
You convert the password to md5 and compare with the one in the database, if they match, login

You have to be a really dumb programmer nowadays to have the passwords themselves saved up there... IN TEXT FILES?! Not even in a dynamic database?! Were they trying to get hacked on purpose?

   Tue Feb 2, 2010    Reply         
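The hash-and-compare login flow described in the post above, plus the "don't let people pick 123456" point the thread's v-Sync list makes, as an added example in Python (not code from the thread or from Rockyou). It swaps the poster's bare MD5 for a per-user random salt and PBKDF2-SHA256, since an unsalted fast hash lets every common password be looked up from a precomputed table; the denylist contents, usernames and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed denylist: the most common entries from the list quoted in the
# thread. A real deployment loads a full common-password list from a file.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "qwerty", "111111",
    "password1", "654321",
}

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware budget


def is_acceptable(password: str) -> bool:
    """Refuse denylisted passwords (case-insensitive) and anything under 8 chars."""
    return len(password) >= 8 and password.lower() not in COMMON_PASSWORDS


def make_record(password: str) -> dict:
    """Build what goes in the database: salt + PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash of the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def register(db: dict, username: str, password: str) -> bool:
    """Registration: reject weak passwords, store only the salted hash."""
    if not is_acceptable(password):
        return False
    db[username] = make_record(password)
    return True


def login(db: dict, username: str, password: str) -> bool:
    """Login: look up the stored record and verify; unknown users fail the same way."""
    record = db.get(username)
    return record is not None and verify(record, password)
```

Because each record carries its own salt, two users with the same password get different stored hashes, so a leaked table cannot be cracked once and reused across accounts.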

I'm guessing that someone didn't even bother, thinking that it wouldn't be that big of a deal... or that person was "getting around to it." Text files? Do it right the first time and you won't suffer the bad PR that comes with a massive blow to security like this.

Even though it was their fault in basically leaving the keys in the car, it goes to show how stupid people really are when it comes to passwords. You trade in security for convenience, and if you're protecting your financial information with these kind of passwords... well, you deserve to have your crap stolen from under your nose if you're that lazy.

Good rule of thumb for passwords: letters, numbers, uppercase, lowercase, and symbols. Mix it up and you'll severely reduce your chances of an easy brute force hack. I'm a lazy guy by nature myself, but I still go by that philosophy, and it's relatively simple to stick to it while making it easy to remember.

I used to use "ThisSucks11!!" for one of my work stations when I was stationed in Germany. It has two capital letters, the rest lowercase, two numbers, and two symbols to meet DOD standards for passwords, plus it was easy to remember because... well, my job sucked. See how easy that is and how much more of a force it is to be reckoned with compared to "123456?"

You can do the same thing too to keep yourself safe. Use a phrase, or a name even. "Michael" can turn into "MichaelJames13!!" "Password" can be something easy as "Pa55word!!" which gives you the effectiveness of adding numbers and symbols to your password, and essentially, it's the same password.

Of course, this is all useless if you're the kind of guy who loves to write your passwords down on a sticky-note and stick them to the sides of your monitor...

   Thu Feb 4, 2010    Reply         

Well, I was trying to figure out how on earth qwerty could be an easy to guess and commonly used password and was just going to ask how anybody could come up with that one, then I looked at my keyboard. Duh. Now it makes sense.
But I guess I'm a little better, I don't use any of those passwords.

I try to make my passwords complicated, but then unless I write them down I will never remember all of them, so if somebody actually got my list I'd be in trouble, but at least it's not on my computer, and they would have to get through me, my dogs and my 357 to get my list :)

   Wed Feb 10, 2010    Reply         

To add, passwords like qwerty and asdf are also popular, on some services I also use it, especially on localhost when creating something and like adding users, these passwords are very convenient, it's easy to remember and I don't really care about them on localhost, as with time the database will be flushed..

But as I said, for services which people don't care about, they use these passwords, even though it's a bad habit, it's really much better to use hard passwords to guess every time.

Also, I think all the services online need to have the ability to reset passwords and etc.

   Wed Feb 10, 2010    Reply         
