Friday, December 06, 2013

Do you need to bulk up your password?

Security firm SpiderLabs recently delved into the massive "Pony" botnet (a botnet is a large number of compromised PCs controlled by a malicious actor). Instances of Pony collected millions of passwords, including credentials for websites, email accounts, FTP sites, etc.

With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9. One of the latest instances we've run into is larger than the last, with stolen credentials for approximately two million compromised accounts.

With so much data in our hands, we thought it would be interesting to look into some statistics regarding this particular attack...

As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc...

...Since we couldn't think of anything to do with two million credentials for popular websites, social media, and email accounts, we decided to make some use of the quantity to look into users' password selection habits.

Unfortunately, the most commonly used passwords were far from what your CISO would like to see. Here's a small taste [at right]...

...But not all hope is lost, it seems that more people are willing to go the extra mile and set a long password (if not a complex one – see image below). Back in 2006 only 17% had a password of 10 characters or longer. In 2013 we see an impressive ascent to 46%!
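The statistics quoted above (most common passwords, share of passwords with 10 or more characters, and the "long but not complex" caveat) are easy to reproduce over any credential dump you are handed during an incident. The script below is an added example, not SpiderLabs' code or data; the password list is a constructed sample so it runs offline, and the ten-character threshold and the four character classes (lower, upper, digit, other) are assumptions chosen to mirror the post.

```python
from collections import Counter

# Constructed sample standing in for a credential dump. Not data from the Pony analysis.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "password", "123456789",
    "1234567890", "qwertyuiop", "iloveyou12", "admin", "letmein",
    "Tr0ub4dor&3", "correcthorsebattery", "abc123", "111111",
]


def top_passwords(passwords, n=5):
    """Most common passwords with their counts, like the 'small taste' table."""
    return Counter(passwords).most_common(n)


def length_histogram(passwords):
    """Mapping of password length -> number of passwords with that length."""
    return dict(sorted(Counter(len(p) for p in passwords).items()))


def length_share(passwords, min_len=10):
    """Fraction of passwords at least min_len characters long (the 10+ statistic)."""
    pws = list(passwords)
    if not pws:
        return 0.0
    return sum(1 for p in pws if len(p) >= min_len) / len(pws)


def char_classes(pw):
    """Number of distinct character classes used: lower, upper, digit, other."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def long_but_simple(passwords, min_len=10, max_classes=1):
    """Passwords that clear the length bar but draw on at most max_classes classes.

    These are the 'long but not complex' entries the post warns about: length
    alone says nothing about how hard a password is to guess.
    """
    return [p for p in passwords if len(p) >= min_len and char_classes(p) <= max_classes]


if __name__ == "__main__":
    print("Top passwords:", top_passwords(SAMPLE_PASSWORDS, 3))
    print("Length histogram:", length_histogram(SAMPLE_PASSWORDS))
    print(f"Share >= 10 chars: {length_share(SAMPLE_PASSWORDS):.0%}")
    print("Long but one character class:", long_but_simple(SAMPLE_PASSWORDS))
```

Feed it the password column of a real dump (one per line) instead of `SAMPLE_PASSWORDS` and compare the histogram and `long_but_simple` output against the policy the affected organisation thinks it enforces; the gap between the two is usually the finding.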


Via: BadBlue Tech News. Cartoon: xkcd.

1 comment:

Jason in KT said...

My company has a pretty brutal password policy--changes every 60 days, minimum length, special characters, can't repeat one of the past ten passwords. The first one was easy--it was the same password I had used other places. After a couple of cycles, I ran out of "favorite" passwords and had a couple of calls to the help desk to get resets.

I realized that the easiest thing to do would be to take three elements in a natural list, and shift when I needed to go to the next one. Use a couple of hacker-style letter substitutions and I had something that both satisfied the requirements and was easy to remember.

M0n:Tu3:W3d:
Tu3:W3d:T#u:
W3d:T#u:Fr1:
etc...

The best part for me is that I can leave a post-it note on my monitor with the word "Wednesday:" and it reminds me where I left off in the pattern but doesn't give up the store.
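A rotating-weekday scheme like the one in the comment above is small enough to enumerate outright, which is the check a practitioner would want before relying on it. The generator below is an added example and is not the commenter's code. The o/0, e/3, h/# and i/1 substitutions come from the passwords he shows; the extra a/@/4 and t/7 options, the day-name spellings for the days he does not show, and the fixed "Day:Day:Day:" layout are assumptions made so the enumeration covers nearby variants of the scheme rather than the one exact instance.

```python
from itertools import product

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

# Letter -> the spellings an attacker would try for it. o/e/h/i are the
# substitutions visible in the comment; a and t are assumed extras. Letters
# missing from the map are used as-is.
LEET = {"o": "o0", "e": "e3", "h": "h#", "i": "i1", "a": "a@4", "t": "t7"}


def leet_variants(word):
    """Every spelling of word where each letter takes any of its LEET options."""
    pools = [LEET.get(c, c) for c in word]
    return ["".join(p) for p in product(*pools)]


def triple(days, start):
    """Three consecutive day names starting at index start, wrapping at the week end."""
    return [days[(start + k) % len(days)] for k in range(3)]


def candidates(days=DAYS, sep=":"):
    """The full set of passwords the scheme can produce.

    Each candidate is three capitalised, consecutive day abbreviations, every
    letter independently leet-substituted or not, joined and terminated by sep.
    """
    out = set()
    for start in range(len(days)):
        pools = [leet_variants(d.capitalize()) for d in triple(days, start)]
        for combo in product(*pools):
            out.add(sep.join(combo) + sep)
    return out


if __name__ == "__main__":
    space = candidates()
    print(f"{len(space)} candidate passwords, e.g. {sorted(space)[:3]}")
```

Even with the guessed substitutions included, the whole scheme yields 76 strings, so a policy that demands length, special characters and 60-day rotation is satisfied by a space an attacker can exhaust in a single wordlist pass; the post-it on the monitor only narrows which of the seven rotations is current.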