Monday, June 11, 2012

No lessons learned: LinkedIn password hack shows users still selecting all-too-easy passwords

When hackers leaked millions of LinkedIn passwords a few days ago, we knew it was only a matter of time before some of them were decrypted, and we were also certain too many of the passwords would be of the way-too-easy variety. According to security firm Rapid7, that is indeed the case.

Password occurrences were different from most such hacks. It seems that due to the nature of the LinkedIn site (meaning its domain name), "link" was the top hacked password. In addition, other LinkedIn users picked passwords such as "work" and "job" that were associated with the career site's content.

Also appearing, however, were the passwords that always seem to appear in these sorts of lists: "1234," "12345," "123456," "654321," and "1234567." Religious words such as "god," "angel" and "jesus" also made the top fifteen.

Also among the top passwords were the typical swear words that show up in these lists: "f*ck," "d*ck," and "b*tch."

To be absolutely correct, though, Rapid7's list of passwords is really a list of strings within passwords. In other words, "12345" could be a substring in a password like "link12345." The simplicity of those substrings, though, means it is far easier for a hacker to break into an account.

A password should never contain an actual word or a string of consecutive numbers. It should also be long (and "link12345" is decently long) and contain symbols, assuming the site allows them (and it is extremely annoying in this day and age when a site does not allow that).
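The rules in the paragraph above (no dictionary word, no run of consecutive digits, a decent length, at least one symbol) can be enforced at registration time. The following checker is an added example written for this page, not code from the article or from Rapid7; the substring list is taken from the strings the article reports, while the tiny dictionary and the 12-character minimum are constructed placeholders that a real deployment would replace with a large breached-password list and its own policy.

```python
import string

# Substrings the article reports as frequent in the LinkedIn dump, plus a
# constructed stand-in for a dictionary/breached-password list. A real
# deployment would load a full wordlist instead of these few entries.
COMMON_SUBSTRINGS = ("link", "work", "job", "1234", "654321", "god", "angel", "jesus")
DICTIONARY_WORDS = ("password", "summer", "monkey", "dragon", "welcome")  # constructed
MIN_LENGTH = 12  # assumed policy value, not from the article


def consecutive_digit_run(pw, min_run=4):
    """Return the longest run of digits that step by exactly +1 or -1
    (e.g. '12345' or '654321') if it is at least min_run long, else None."""
    best = ""
    for start in range(len(pw)):
        if not pw[start].isdigit():
            continue
        for step in (1, -1):
            end = start
            while (end + 1 < len(pw) and pw[end + 1].isdigit()
                   and int(pw[end + 1]) - int(pw[end]) == step):
                end += 1
            run = pw[start:end + 1]
            if len(run) >= min_run and len(run) > len(best):
                best = run
    return best or None


def audit_password(pw):
    """Return a list of human-readable findings; an empty list means the
    password passes every rule from the article's advice."""
    findings = []
    low = pw.lower()
    for s in COMMON_SUBSTRINGS:
        if s in low:
            findings.append(f"contains common substring {s!r}")
    for w in DICTIONARY_WORDS:
        if w in low:
            findings.append(f"contains dictionary word {w!r}")
    run = consecutive_digit_run(pw)
    if run:
        findings.append(f"contains consecutive digit run {run!r}")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in pw):
        findings.append("contains no symbol character")
    return findings


def is_acceptable(pw):
    return not audit_password(pw)


if __name__ == "__main__":
    # "link12345" is the article's own example of a weak-but-long password.
    for candidate in ("link12345", "work654321!", "Xq7#vR2!mLp9Wz"):
        print(candidate, "->", audit_password(candidate) or "OK")
```

Note that the substring match is case-insensitive and that "link12345" trips both the substring rule and the consecutive-digit rule even though it clears a typical 8-character length minimum, which is the article's point: length alone does not save a password built from predictable pieces.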

165,000 hashes have been cracked so far. If any of yours contain strings from the top 30, you should probably consider changing them, and quickly.
