As simple as Password123
Anyone with an Internet connection can't have escaped the recent stories reporting the loss of intimate celebrity photographs, probably from Apple's iCloud. The media have generally focused on who the victims are and what was lost, and rather ignored how it was taken.
As the analysis starts, it does appear to be down to good old passwords. Problems with password choice, password reset procedures and systems that are vulnerable to brute force attacks all appear in the mix.
An interesting report on passwords has recently been produced by Trustwave, focusing on the sorts of password most people use. 'Password1', 'Hello123' and 'Password' were the three most common, with 92% of passwords being broken during the analysis. Two things come out of this: firstly, humans seem really bad at selecting passwords, and secondly, 8% of passwords were not broken. So, for those 8% of users, it is possible to select a high quality password that is not trivial to break.
Passwords are perhaps the best example of the gap between being merely compliant with a policy and delivering real IT security. 'Password123' might look like a great password to an automated compliance check: it mixes numbers and letters, it mixes upper and lower case and it is eleven characters long. It is, of course, terrible, as is any variation on 'password', such as P@s5w0rd.
Many users select passwords in common formats, such as word plus number or word plus date, putting such passwords high on an attacker's priority list. The Trustwave report breaks these down further; there is a link to the report at the bottom of this post.
A good password is one that an attacker would not think to try before any other password, so any sort of variation on scrambling a common word with numbers and symbols is likely to be weak, while a random string of numbers, letters and symbols is likely to be strong. The problems of remembering it and, increasingly commonly, typing it into a mobile device remain, of course, but that is its own problem.
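The gap between a compliance check and a strength check described above can be shown in a few lines of code. The following is an added example written for this post, not code from the original or from the Trustwave report: it puts a naive policy check (length plus character classes, the kind that waves 'Password123' through) beside a check that undoes common symbol-for-letter substitutions and looks for the word-plus-number and word-plus-date patterns the post mentions. The list of common base words and the substitution table are constructed for illustration, not taken from the report.

```python
import re

# Constructed sample of common base words, in the spirit of the entries the post
# quotes from the Trustwave report (not the report's actual list).
COMMON_BASE_WORDS = {"password", "hello", "welcome", "admin", "letmein", "qwerty", "summer"}

# Constructed table of the symbol/digit-for-letter substitutions that a strength
# check should undo before comparing against common words (e.g. P@s5w0rd -> password).
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "5": "s", "0": "o", "1": "i", "3": "e", "4": "a", "7": "t", "!": "i",
})


def compliance_check(pw: str, min_len: int = 8) -> bool:
    """The naive policy check the post criticises: minimum length plus character classes."""
    return (
        len(pw) >= min_len
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"\d", pw) is not None
    )


def normalise(text: str) -> str:
    """Lowercase and undo the common substitutions so leet variants collapse to their base word."""
    return text.lower().translate(LEET_MAP)


def classify(pw: str) -> str:
    """Name the common pattern a password follows, or report that none was detected.

    Patterns checked: digits/symbols only; a common word (including leet variants);
    a common word followed by a four-digit year; a common word followed by other digits.
    """
    # Split into a head and a trailing run of non-letters, e.g. "Password123!" -> ("Password", "123!").
    head, suffix = re.fullmatch(r"(.*?)([^A-Za-z]*)", pw).groups()
    if not head:
        return "digits or symbols only"
    base = normalise(head)
    if base not in COMMON_BASE_WORDS:
        return "no common pattern detected"
    digits = re.sub(r"\D", "", suffix)
    if not digits:
        return "common word (or leet variant of one)"
    if len(digits) == 4 and 1900 <= int(digits) <= 2099:
        return "common word + date"
    return "common word + number"


def assess(pw: str) -> tuple:
    """Return (passes naive policy, pattern verdict) so the two views can be compared side by side."""
    return compliance_check(pw), classify(pw)


if __name__ == "__main__":
    # Constructed candidates: the post's own examples plus a random-looking string for contrast.
    for candidate in ["Password123", "P@s5w0rd", "Hello123", "Summer2014", "12345678", "rT7#kq2!mWv9$Lz"]:
        compliant, verdict = assess(candidate)
        print(f"{candidate:18} policy={'pass' if compliant else 'fail':4}  {verdict}")
```

Run stand-alone, the script shows 'Password123' and 'P@s5w0rd' passing the policy check while being flagged as variants of a common word, which is exactly the compliant-but-weak gap the post describes; the random string passes both. The pattern list is deliberately small; a real deployment would use a large breached-password set and a proper estimator rather than a hand-written word list.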
Systems designed to allow us to reset our own passwords can be fooled: security questions such as your pet's name or your first school may well be found in your social networking data, so this process too needs the sort of care we give our passwords.
These issues also exist for business users: how to encourage users to choose high quality, as opposed to merely compliant, passwords, and how to properly identify users prior to a password reset.
Cloud services, of course, make this more complex. We are not responsible for the security of cloud computers and can have only very limited influence on password resets, though we can select our own passwords with great care.
A now famous quote from IT security expert Graham Cluley illustrates one important point: “don’t call it the cloud, call it somebody else’s computer.” We need to select our passwords with this in mind, and guard them with suitable care.
Graham Cluley: http://grahamcluley.com/2013/12/cloud-privacy-computer/
Apple statement: http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html