
It's official: Malicious hackers have crappy password hygiene, too



#1 NickAu
Bleepin' Fish Doctor
  • Moderator
  • 11,696 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 10 June 2014 - 06:30 PM

 

Given the amount of time malicious hackers spend bypassing other people's security, you might think that they pay close attention to locking down their own digital fortresses. It turns out that many of them don't, according to a recent blog post documenting some of their sloppiest password hygiene.

http://arstechnica.com/security/2014/06/its-official-malicious-hackers-have-crappy-password-hygiene-too/

 

Do you use the same easy password for everything? When was the last time you changed your passwords? Don't you think it's time to do it? How secure are they?

 

 

Answers to common security questions - Best Practices By quietman7

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

 


Edited by NickAu1, 10 June 2014 - 06:43 PM.



#2 quietman7
Bleepin' Janitor
  • Global Moderator
  • 50,572 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 June 2014 - 07:51 PM

Remarkably, 1,255 of the underlying passwords were in plaintext, while another 346 were protected with the easily crackable MD5 hashing algorithm. The resulting 1,601 passwords he had to work with allowed him to see just how poor the bottom four percent of hackers' passwords were....Then there were the passwords themselves. The average length was just six characters, short enough to be brute-force cracked in a matter of minutes in most cases. The passwords also contained a relatively small number of upper-case letters, numbers, and special characters. By sticking mostly to predictable lower-case letters, the hackers significantly reduced the "key space" required to carry out brute-force attacks.

:whistle:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Kilroy
  • BC Advisor
  • 3,279 posts
  • Gender:Male
  • Location:Launderdale, MN

Posted 11 June 2014 - 08:21 AM

We really need to take a new look at password use and standards. Those things that were thought to be good ideas may have been at the time, but this is no longer the case.

 

Do you use the same easy password for everything?

 

It doesn't matter if your password is easy, if it is the same as a compromised password. Every online account should have its own unique, complex, randomly generated password. Humans are not capable of random. We are also not capable of remembering the massive number of online passwords that are now required by our digital lives. A password manager is the only viable solution. Personally, I use LastPass.

 

When was the last time you changed your passwords?

 

If your password has not been compromised, there is no reason to change your passwords, provided they are complex and random. Changing a password only invalidates a compromised password; this is the reason for changing passwords. It does not provide any additional security.

 

How secure are they?

 

Provided the organization requiring the password allows it, they are 16 random characters. I'd make them 254 characters if they were allowed on the majority of sites. There is no reason for a limit on password length, as passwords should be salted and hashed. Any password that can be recovered and sent to you is not secure.

 

In reality, security questions, failure to protect your account from being compromised by social engineering, and failure to protect the user information entrusted to them are more likely to compromise an account than your password. Your passwords now need to protect the rest of your accounts when a different account's information has been compromised.


Edited by Kilroy, 11 June 2014 - 03:50 PM.
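The two technical points in this thread, the "key space" argument quoted from the article in post #2 (six lowercase characters fall to brute force in minutes) and Kilroy's points in post #3 (16 random characters from a password manager, storage that is salted and hashed, no reason to cap length), can be made concrete in a few lines. The following Python is an added example written for this page; it is not code from the article, from BleepingComputer or from any poster. The attacker guess rate and the sample password `password1` are constructed assumptions used only to illustrate the arithmetic, and the hashing functions use the standard library's PBKDF2-HMAC-SHA256 as one reasonable "salted and hashed" scheme, not a claim about what any particular site does.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Alphabets used for the key-space arithmetic (constructed for this example).
LOWERCASE = string.ascii_lowercase                                     # 26 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Assumed attacker guess rate for the time estimate; an assumption, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1e9


def key_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of that shape, in bits."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole key space at the assumed guess rate."""
    return key_space(alphabet_size, length) / guesses_per_second


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password drawn from the OS CSPRNG, the way a password manager generates one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unsalted_md5(password: str) -> str:
    """The storage scheme criticised in the article: same input gives the same digest for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# PBKDF2-HMAC-SHA256 with a per-user random salt; the iteration count is a tunable work factor.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is supplied.

    Nothing here limits the password length: the whole string is fed to the KDF, which is
    why a site that hashes properly has no reason to cap passwords at a few characters.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for name, alphabet, length in (("6 lowercase", LOWERCASE, 6), ("16 printable", PRINTABLE, 16)):
        print(f"{name}: {entropy_bits(len(alphabet), length):.1f} bits, "
              f"exhaustive search {worst_case_seconds(len(alphabet), length):.3g} s")
    # Two users who chose the same (constructed) password: unsalted MD5 yields one identical
    # digest for both, so one lookup cracks both; salted PBKDF2 yields two different digests.
    print("unsalted digests identical:", unsalted_md5("password1") == unsalted_md5("password1"))
    salt_a, digest_a = hash_password("password1")
    salt_b, digest_b = hash_password("password1")
    print("salted digests differ:", digest_a != digest_b,
          "verifies:", verify_password("password1", salt_a, digest_a))
    print("generated:", generate_password())
```

Run as a script it prints the entropy and exhaustive-search time for the two password shapes discussed in the thread, then shows why the salt matters: identical passwords produce identical unsalted MD5 digests but distinct salted PBKDF2 digests, so a cracked digest from one account says nothing about another. The iteration count is deliberately high; lower it only if you are measuring, not deploying.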


#4 quietman7
Bleepin' Janitor
  • Global Moderator
  • 50,572 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 June 2014 - 03:45 PM

+1