Two Million Passwords Stolen by Hackers

On November 24, 2013, researchers at Trustwave discovered that hackers had obtained up to 2 million passwords for websites such as Facebook, Google, Yahoo!, Twitter and others. The researchers learned this after digging into source code from the Pony botnet. It appears that information about this has only been made public very recently.

Here are some quick stats about the domains from which the passwords were stolen:

* Facebook – 318,121 (or 57%)
* Yahoo! – 60,000
* Google Accounts – 54,437
* Twitter – 21,708
* Google.com – 16,095
* LinkedIn – 8,490
* ADP (a payroll provider) – 7,978

In total, the Pony botnet stole credentials for 1.58 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops, and 3,000 secure shell accounts.

According to Trustwave, around 16,000 accounts used the password “123456”, 2,221 used “password” and 1,991 used “admin”. Now is a good time to go change your passwords into something strong and secure.

Doing so won’t make it entirely impossible for hackers to crack it, but it could make it more difficult. Trustwave noted that only 5% of the 2 million passwords that were stolen had excellent passwords (meaning the passwords had all four character types and were longer than 8 characters).

Top 10 Worst Passwords of 2012


It’s sad that, even today, lists like this exist. Unfortunately, security continues to be a major issue for computer users around the world, thanks not only to malware and viruses but also to plain old lack of understanding by many users. The biggest problem can be insecure passwords, which account for many of the highest-profile hacks that make the news.

Recently the web site Techie Buzz put together the top passwords of 2012 using data from Splash Data.  The results weren’t pretty, with “password” once again topping the list and going along with such favorites as “123456” and many more easy to hack passwords that nobody should seriously consider using.

You can view the list below, but if you have family or friends who are less-than-sophisticated computer users then perhaps you should share this information with them. These are the first passwords tried in a basic dictionary attack, which can brute force its way into an account in mere minutes. If you are using anything on the list below then please change it now. Add capital letters, numbers and symbols and, especially, more characters.

| # | Password | Change from 2011 |
|---|----------|------------------|
| 1 | password | Unchanged |
| 2 | 123456 | Unchanged |
| 3 | 12345678 | Unchanged |
| 4 | abc123 | Up 1 |
| 5 | qwerty | Down 1 |
| 6 | monkey | Unchanged |
| 7 | letmein | Up 1 |
| 8 | dragon | Up 2 |
| 9 | 111111 | Up 3 |
| 10 | baseball | Up 1 |
| 11 | iloveyou | Up 2 |
| 12 | trustno1 | Down 3 |
| 13 | 1234567 | Down 6 |
| 14 | sunshine | Up 1 |
| 15 | master | Down 1 |
| 16 | 123123 | Up 4 |
| 17 | welcome | New |
| 18 | shadow | Up 1 |
| 19 | ashley | Down 3 |
| 20 | football | Up 5 |
| 21 | jesus | New |
| 22 | michael | Up 2 |
| 23 | ninja | New |
| 24 | mustang | New |
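As an added example (not from the original posts), the check below scores a password against the two criteria these two posts state: membership in the 2012 list above, and Trustwave’s “excellent” bar from the Pony write-up (all four character classes and longer than 8 characters). The sample leaked list at the bottom is constructed, not real breach data.

```python
import string

# The 2012 list from the table above, used as a blocklist.
WORST_2012 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567", "sunshine",
    "master", "123123", "welcome", "shadow", "ashley", "football", "jesus",
    "michael", "ninja", "mustang",
}

def character_classes(pw):
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def is_excellent(pw):
    """Trustwave's 'excellent' definition as stated on the page: all four
    character classes and longer than 8 characters."""
    return len(pw) > 8 and len(character_classes(pw)) == 4

def assess(pw):
    """'blocklisted' if on the 2012 list, 'excellent' if it meets the bar, else 'weak'."""
    if pw.lower() in WORST_2012:
        return "blocklisted"
    if is_excellent(pw):
        return "excellent"
    return "weak"

def tally(passwords):
    """Break a leaked list down by verdict, like Trustwave's percentages."""
    counts = {"blocklisted": 0, "weak": 0, "excellent": 0}
    for pw in passwords:
        counts[assess(pw)] += 1
    return counts

# Constructed sample of a leaked list (not real data).
SAMPLE_LEAK = ["123456", "123456", "123456", "password", "admin",
               "!S1eP99t9", "cNKmSzNv", "Gr33n-Tea!"]

if __name__ == "__main__":
    print(tally(SAMPLE_LEAK))   # {'blocklisted': 4, 'weak': 2, 'excellent': 2}
```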

Strong Passwords For Dummies

If you’re the kind of person who wants to use really strong passwords but you’ve a memory like a sieve, then PasswordCard might be for you.

It’s a credit card-sized set of random characters with symbols along the top and coloured bars which you keep handy in your wallet (or phone).

So how does it work?  First of all, set yourself a standard for the length of the passwords, say 8, and direction, say right-to-left.

Let’s say you want a password for a music web site.  Look along the top until you find the musical note symbol and then decide on a colour – yellow in this case.  You go down to the yellow row and then start reading 8 characters from right-to-left.  In this case it would be “cNKmSzNv”.

Anytime you return to the music site, all you have to remember is “note-yellow”, whip out the card and bang, you’ve got your strong password.  Note….yellow….right-to-left….8 letters.

Your bank could be “dollar-green”, social web site “smiley-yellow”, email “star-white” and so on.  Much easier to remember those two combinations than eight letters of gibberish.  There’s an option to generate a card with a PIN area, i.e. numbers only.

Each PasswordCard is different so there’s a unique number that you need to keep safe in case you need to regenerate it.  Personally, I’d save the .jpg in multiple locations and print out a copy for a safety deposit box.

The brilliance of the PasswordCard is that even if a nefarious individual does get hold of the card, without knowing the symbol-colour combination, the direction of read and the number of characters, it’s nearly impossible to make use of it.

It’s also low tech, incredibly cheap and easily replaceable – perfect if you are going to be travelling and you are worried about theft.
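The lookup described above, as an added, illustrative re-implementation (not PasswordCard’s own generator): a card is derived deterministically from its number, so the number regenerates it, and a password is read from a symbol’s column on a coloured row in a chosen direction. The symbol and colour names, the wrap-around at the card edge, and the card number are assumptions; `all_card_passwords` counts how many passwords a card alone can yield across every symbol, colour, direction and length, which is what anyone who only has the card would have to work through.

```python
import random
import string

# Constructed layout: one symbol heads each column, each row has a colour.
SYMBOLS = ["note", "dollar", "smiley", "star", "heart", "key",
           "phone", "lock", "plane", "car", "cup", "book"]
COLOURS = ["grey", "red", "yellow", "green", "blue", "white"]

def generate_card(card_number, alphabet=string.ascii_letters + string.digits):
    """Derive the grid from the card's number so the same number regenerates
    the same card. Pass alphabet=string.digits for a PIN-only (numbers) card."""
    rng = random.Random(card_number)
    return {colour: [rng.choice(alphabet) for _ in SYMBOLS] for colour in COLOURS}

def read_password(card, symbol, colour, length=8, direction="right-to-left"):
    """Start at the symbol's column on the coloured row and read `length`
    characters in `direction`, wrapping at the card edge (assumption)."""
    row = card[colour]
    start = SYMBOLS.index(symbol)
    step = -1 if direction == "right-to-left" else 1
    return "".join(row[(start + step * i) % len(row)] for i in range(length))

def all_card_passwords(card, lengths=range(6, 13)):
    """Every password the card can yield over all symbol, colour, direction and
    length choices: the candidate set a thief holding the card would have to try."""
    return {read_password(card, s, c, n, d)
            for c in card for s in SYMBOLS
            for d in ("right-to-left", "left-to-right") for n in lengths}

def render(card):
    """Lay the card out as it would be read, symbols across the top."""
    header = "        " + " ".join(f"{s[:4]:>4}" for s in SYMBOLS)
    rows = [f"{colour:>7} " + " ".join(f"{ch:>4}" for ch in card[colour])
            for colour in card]
    return "\n".join([header] + rows)

if __name__ == "__main__":
    card = generate_card(0x1F3A5C)   # placeholder card number
    print(render(card))
    print("note-yellow, 8, right-to-left:", read_password(card, "note", "yellow"))
    print("passwords obtainable from the card alone:", len(all_card_passwords(card)))
```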

Wear Your Email Safety Helmet

Whenever I want to feel fearful and depressed I usually visit one of the news websites. Earthquakes, murder, war, theft, snoops, kidnappers, recession, depression, corruption, and all other sorts of horrible news. When I read the news sites I’m reminded of how unsafe the world is. Soon I tire of the bad news and move on to investigate the net for news on tech and design. Today Foxnews.com had the audacity to remind me that I am unsafe even on the web. The site highlighted the news from Microsoft that thousands of Hotmail passwords had been exposed. It scared me to death. I nearly jumped to my Hotmail account before I even finished the article. Reading on I discovered that Microsoft had deactivated all the affected accounts until true control could be restored. Why do I care? Hotmail only collects my spam from sites that demand an email address. Hotmail lets through all the other spam anyway! But I digress.

The point of all this is: we are never safe. There is no safe haven in the world or the web. Every company does its best and so must we. Yet, sometimes problems may come. If we live with that understanding we can truly do our best to protect ourselves. When we react in panic there is not a clear path of thinking. So with this reminder of our web identities’ fragility, what should we do? Let’s refresh four basic email and online account rules:

  1. Always use a secure password. Your birthday, name spelled backwards, address, mother’s name, dog’s name, middle name, favorite food, and initials hardly qualify. Use one of the many free random password generators on the web or, if you insist on an easier-to-remember one, then create a mixture of information that you can remember. For example (and purely fictitious): !S1eP99t9. This could be a combination of the month and year you and your spouse were married. Now while I would only call this a basic password, it sure beats “Fluffy”. Of course if you want your bank account to be protected by Fluffy, then more power to you.
  2. Never use the same passwords for multiple accounts. For that matter don’t do what I did at the start and use the same password with just the last letter different! Why would you want someone to have a free-for-all with all your accounts? Use different passwords and find an open-source or free password vault. I personally love 1Password for the Mac.
  3. Change your passwords periodically. I must admit it takes the misfortune of someone to remind me to do this.
  4. Don’t use a public computer. Many public computers are not adequately protected against the installation of malicious password key logging applications. Just don’t log in on a public computer. Just say no. And certainly don’t buy something online with your credit card information! Browse the web on it, read the news, just don’t give any information.

I understand these are basic tips, but sometimes we just need to be reminded to stay alert and on guard.  Kind of like reminding our kids to wear their helmet when they ride a bike.  Resist the urge to become lazy online. I don’t want to read about you on Foxnews.com.

Why You Need to Lie to be Secure

When you sign up for a new site that requires a logon with a password, it generally asks you to answer one or more security questions just in case you forget your password. These questions are simple ones like “What was the name of your first pet?”, “What street did you live on when you were growing up?”, “What city were you born in?”, “What month were you born?”. The idea is that if you forget your password, you just answer the security question and it will reset your password and allow you access.

This is how Twitter was hacked last month and how someone gained access to Sarah Palin’s yahoo email account last year. More and more people are joining social sites like Facebook and Twitter and posting personal information. Because the Internet doesn’t forget, this information is pretty easy to find by anyone willing to take the time to look.

This is why you should lie when you answer these simple “security questions.” Having a strong password is not enough if you answer a weak security question. Some sites allow you to pick your security question or even make up your own. What I find disturbing is the number of sites asking the same security questions (e.g. “What city were you born in?”). You can lie and give them the wrong answer, but then you have to remember the answer if you ever need to reset your password. If you use multiple sites and they all ask the same question, you should answer each one differently, just in case one of the sites is hacked and they steal the security question answers. Now the problem is worse because you need to remember two lies.

I use both a Mac and a PC and have password programs for both machines. I make sure that I use a unique and strong password for every site that requires a logon so I really have no need for the security questions that some sites require. In fact, I wish I could disable the ability to have the correct answer to a security question reset my account. My password programs can generate and store away my logon information so I never run into the case of not having that information available (unless I forget my password logon information).

I can understand why you would need a way to reset your password if you are trying to log on to an email account, but I don’t understand why other secure sites do it that way. A number of sites have a “Forget your password” feature that sends your password to the email account that you used when you first created the account. As long as you keep your email account safe (strong, unique password and a non-searchable answer to a security question), don’t give out your password information, and don’t click on unknown links in emails, you should be fine.

More and more of our lives are spent online which means the more we depend on it for passing around sensitive information. Leaving a backdoor access at one site can mean a breach in the entire chain. In the case of Twitter, a hacker was able to guess the security question in an employee’s Gmail account, which opened the door to gaining access to Twitter. This should be a wake-up call for everyone to think about their own on-line security.

73’s, Tom

GNC-2009-04-14 #468 Back in Oahu for the Podcast

Listen to win a PogoPlug you only have a short time to react to this contest due to time constraints I have set in the show. Have a bit of Jet Lag tonight as I am working to get my body back on Honolulu time.

Show Sponsors keep the lights on Please Support the Show Sponsors!
[Save 10% off any order at GoDaddy.com!] use Code Todd
Save Money with all our GoDaddy Codes see our Promo Code Page
[Try GoToMeeting free for 30 days at GoToMeeting.com/techpodcasts. No credit card needed.]

Twitter Me http://www.twitter.com/geeknews
My Facebook Profile
FriendFeed GNC Room!!
Podcast Comments call 619-342-7365 or e-mail geeknews@gmail.com

Listener Links:
90# Scam
Chariot lets amputees ‘stand tall and walk’
New test could eliminate cancer biopsies
Space: The final frontier for cell phones?
Sign TWC Cap Petition
First Cigarette Tax now Soda Tax
TechCrunch Tablet
This looks cool for Windows.

Show Notes:
Palm Pre 5-16-09 Launch
$22.00 iPod Shuffle 3G
ZuneHD.net
OpenSecrets.org
Stumbleupon bought back from eBay
Korean Broadband Speeds
NASA Rover has Lived another day!
Middle Age People dominate Twitter
Miramax gives Show Tickets to wanna be Pirate
22 Firefox Gmail Plugins and Extensions
MPAA Hacking Case Set for Appeal
Where is your Software Easter Egg
Telecomm and TV open for Business in Cuba
2010 Shuttle Retirement Discussion
Where’s the Beef?
PG&E Signs Space Power Agreement
Be careful of all downloads sites
Space Junk Sales

Really Strong PalmOS Security

Tranzoa has released an updated version of its security application for PalmOS: OnlyMe. The new version works with PalmOS version 5 and all previous versions of the simple-to-use operating system.

OnlyMe stops people from trying one password after another. Because these brute force attempts are blocked, the user can get away with a shorter, easier-to-remember password than would otherwise be required. In addition, OnlyMe stops incoming beams and unauthorized HotSyncs (both cabled and network).

The security app also locks the handheld after a set time or when powered off, preventing the user from accidentally forgetting to lock the system.

Passwords can be entered as screen taps, Graffiti (letters, digits, or both), or hardware buttons.
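To see why blocking repeated guesses lets a shorter password suffice, here is a constructed simulation (an added example, not OnlyMe’s code) of a handheld lock that allows a few free attempts, then doubles the wait after every further failure up to a cap, and re-locks after an idle timeout; `worst_case_seconds` shows how long a 4-digit PIN space takes to exhaust under that schedule. All parameter values are assumptions.

```python
import time

def backoff(failures, free_tries=3, base_delay=5.0, max_delay=3600.0):
    """Delay imposed after `failures` wrong guesses: none for the first
    free_tries, then doubling from base_delay, capped at max_delay."""
    if failures < free_tries:
        return 0.0
    return min(max_delay, base_delay * 2 ** min(failures - free_tries, 62))

class ThrottledLock:
    """Simulated device lock with guess throttling and an idle auto-lock.
    `clock` is injectable so the behaviour can be checked without sleeping."""

    def __init__(self, secret, idle_timeout=300.0, clock=time.monotonic):
        self.secret = secret
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.failures = 0
        self.locked = True
        self.next_allowed = 0.0        # earliest time another guess is accepted
        self.last_activity = clock()

    def unlock(self, guess):
        """Return 'throttled', 'wrong' or 'unlocked'; wrong guesses raise the wait."""
        now = self.clock()
        if now < self.next_allowed:
            return "throttled"
        if guess == self.secret:
            self.failures, self.locked, self.last_activity = 0, False, now
            return "unlocked"
        self.failures += 1
        self.next_allowed = now + backoff(self.failures)
        return "wrong"

    def touch(self):
        """Record user activity; re-lock if the device sat idle past the timeout."""
        now = self.clock()
        if now - self.last_activity > self.idle_timeout:
            self.locked = True
        self.last_activity = now
        return self.locked

def worst_case_seconds(space, free_tries=3, base_delay=5.0, max_delay=3600.0):
    """Waiting time to exhaust `space` guesses under the backoff (typing time ignored)."""
    return sum(backoff(f, free_tries, base_delay, max_delay) for f in range(free_tries, space))

if __name__ == "__main__":
    days = worst_case_seconds(10_000) / 86400
    print(f"exhausting a 4-digit PIN under this throttle: about {days:.0f} days")
```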

Dave’s Opinion
I’ve been using OnlyMe since the late 90s, and I just upgraded to the current version. It’s just as great as the previous versions. The interface hasn’t changed, so there was no learning curve, just install and go. I’ve tried a number of security apps on my various PalmOS handhelds, and OnlyMe is the only one that gives me a degree of comfort. I strongly recommend this application for all users who have a PalmOS handheld.

Call for Comments
What do you think? Leave your comments below.

References
Tranzoa