

Nov 13
Around 45000 MySpace passwords were leaked on the net recently. While the leak itself might look like the major security threat, these passwords had already been collected by phishing sites and were probably already being abused by the wrong people. The upside is that the leak gives security folks a chance to see how effective (or ineffective) a password policy really is.

The people behind the-interweb.com published an article called A brief analysis of 40,000 leaked MySpace passwords. What makes the data interesting is that MySpace enforces a password policy requiring at least one non-alphabetic character in the password, so the list shows what users actually choose under such a rule. The analysis gives the top 10 passwords, the top one being "password1". What we learnt (or already knew):

  • Half the passwords start with a dictionary word and have at least one digit or other non-alphabetic character after it
  • The most popular suffix after an alphabetic password is, unsurprisingly, "1", followed by "2" and then "123"
  • The most popular prefix before an alphabetic password is "1", followed by "123" and then "2"
  • The most popular password once the non-alphabetic characters are stripped off is "password", followed by "iloveyou" and "love"
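The four observations above can be reproduced on any password list with a few lines of code. The following is an added example written for this post; it is not code from the-interweb.com analysis, and the sample password list and the tiny dictionary it uses are constructed stand-ins, not the leaked data.

```python
import re
from collections import Counter

# Constructed sample standing in for the leaked list; not the real data.
SAMPLE_PASSWORDS = [
    "password1", "password1", "iloveyou1", "love123", "abc123", "Password!",
    "qwerty", "1password", "123love", "1iloveyou", "2love", "x7Jk!q",
]

# Constructed mini wordlist; a real run would load a proper dictionary file.
DICTIONARY = {"password", "iloveyou", "love", "abc", "qwerty"}

# Matches passwords made of a single alphabetic run with an optional
# non-alphabetic prefix and suffix, e.g. "123love!" -> ("123", "love", "!").
ALPHA_CORE = re.compile(r"([^A-Za-z]*)([A-Za-z]+)([^A-Za-z]*)")


def strip_nonalpha(password):
    """Lower-cased password with every non-alphabetic character removed."""
    return re.sub(r"[^A-Za-z]", "", password).lower()


def split_password(password):
    """Return (prefix, core, suffix), or None when letters and other
    characters alternate more than once (those need a different analysis)."""
    m = ALPHA_CORE.fullmatch(password)
    if m is None:
        return None
    prefix, core, suffix = m.groups()
    return prefix, core.lower(), suffix


def analyse(passwords, dictionary):
    """Compute the four statistics quoted in the post for an arbitrary list."""
    suffixes, prefixes, bases = Counter(), Counter(), Counter()
    word_then_nonalpha = 0
    for pw in passwords:
        bases[strip_nonalpha(pw)] += 1
        parts = split_password(pw)
        if parts is None:
            continue
        prefix, core, suffix = parts
        if core not in dictionary:
            continue
        if not prefix and suffix:
            # dictionary word followed only by non-alphabetic characters
            word_then_nonalpha += 1
            suffixes[suffix] += 1
        elif prefix and not suffix:
            prefixes[prefix] += 1
    return {
        "fraction_word_then_nonalpha": word_then_nonalpha / len(passwords),
        "top_suffixes": suffixes.most_common(3),
        "top_prefixes": prefixes.most_common(3),
        "top_bases": bases.most_common(3),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PASSWORDS, DICTIONARY).items():
        print(f"{key}: {value}")
```

On the constructed sample, half the passwords are a dictionary word plus a suffix, "1" is the top suffix and prefix, and "password" is the top base once non-alphabetic characters are stripped, mirroring the article's findings. Swap in a real dictionary file and the leaked list to run it for real.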


How does this help us make better security decisions?

A lot of security is based on passwords nowadays, despite passwords being the most abused form of security (or, I would argue, lack of it). Applying a complexity policy changes a password attack a little, but not much. The chosen passwords are in most cases still the same ones, "password", "love" and so on, with an additional character (usually "1") at the end. Such passwords remain highly guessable with a wordlist attack: the attacker simply appends the most likely suffixes to the same wordlist.

So how does a systems administrator set an educated password policy?

In my opinion, one has to keep in mind the following before setting a password complexity policy:

  • Password age
  • Number of attempts before account lockout
  • What kind of passwords are going to be common with a given password complexity policy


The longer the password age, the more at ease end users will be with choosing complex and unique passwords. A short password age makes end users think twice before choosing a password they will only have to remember for two weeks, until the system starts nagging them to change it again!

Say users are required to include one non-alphabetic character in their password, and accounts lock out after 10 failed attempts. That leaves an attacker up to 10 guesses per account, which is plenty to find the users who started their password with the word "password" and appended a single digit. If, on the other hand, end users are required to use two non-alphabetic characters, the number of likely variations grows and the chance of guessing a password within the lockout budget drops.

Maintaining a blacklist of the passwords known to be common under the chosen complexity policy would limit the use of common passwords. Since the popular choices differ only in the characters tacked onto a few base words, the check is most useful when it is applied to the alphabetic part of the password rather than to the exact string.
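The following is an added example, not code from this post or from MySpace, showing the two policy levers discussed above together: a password check that rejects common base words regardless of the digits or symbols wrapped around them, and a small calculation of how many accounts a guess list sized to the lockout threshold would crack. The blacklist and the account passwords are constructed for the demonstration.

```python
import re

# Constructed blacklist of the alphabetic bases that top the leaked list;
# a real deployment would load a far longer list.
COMMON_BASES = {"password", "iloveyou", "love", "qwerty", "letmein"}


def alphabetic_base(password):
    """The password with all non-alphabetic characters stripped, lower-cased."""
    return re.sub(r"[^A-Za-z]", "", password).lower()


def check_password(password, min_length=8, min_nonalpha=2, blacklist=COMMON_BASES):
    """Return the list of policy violations; an empty list means acceptable.
    The blacklist check runs on the alphabetic base so that 'password1',
    'password!' and '1password' are all rejected by a single entry."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    nonalpha = sum(1 for c in password if not c.isalpha())
    if nonalpha < min_nonalpha:
        reasons.append(f"fewer than {min_nonalpha} non-alphabetic characters")
    base = alphabetic_base(password)
    if base in blacklist:
        reasons.append(f"alphabetic part {base!r} is on the common-password blacklist")
    return reasons


def guesses_within_lockout(base_words, suffixes, lockout_attempts):
    """The guess list an attacker can try against every account without
    triggering a lockout: the likeliest base/suffix combinations, cut to
    one fewer than the lockout threshold."""
    budget = max(lockout_attempts - 1, 0)
    guesses = [word + suffix for word in base_words for suffix in suffixes]
    return guesses[:budget]


def accounts_cracked(passwords, guesses):
    """How many of the given account passwords fall to the guess list."""
    guess_set = set(guesses)
    return sum(1 for pw in passwords if pw in guess_set)


# Constructed account passwords for the demonstration.
ACCOUNTS = ["password1", "iloveyou2", "love123", "password123",
            "1password", "Blue!Kettle42", "qwerty"]

if __name__ == "__main__":
    guesses = guesses_within_lockout(["password", "iloveyou", "love"],
                                     ["1", "2", "123"], 10)
    print(f"{len(guesses)} guesses per account, "
          f"{accounts_cracked(ACCOUNTS, guesses)} of {len(ACCOUNTS)} cracked")
    for pw in ("password1", "Blue!Kettle42"):
        print(pw, check_password(pw) or "OK")
```

With a lockout at 10 attempts the attacker gets nine free guesses per account, enough to cover the three most common bases with the three most common suffixes; on the constructed accounts that cracks four of seven. The same "password1" that satisfies a one-non-alphabetic-character rule is rejected by the base-word blacklist alone, which is the check the complexity rule on its own does not give you.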

Posted by Sandro Gauci
