[BreachExchange] Dumb passwords are increasing the threat of 'targeted online guessing'

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 8 19:27:11 EST 2016


http://www.theinquirer.net/inquirer/news/2476557/top-10-worst-passwords-revealed-again

RESEARCHERS HAVE collated the passwords leaked in the Yahoo hack of 2012
and come up with another list of the most frequently used examples on the
internet.

Things do not change much, sadly, and the password list does not include
many surprises. It has been compiled by Dr Jeff Yan of Lancaster
University, and reported on by The Daily Mail.

Because we associate The Daily Mail with pictures of ladies getting out of
cars or stooping to pick things up, we wanted to get the information from
the researchers directly. Fortunately we were able to do that.

We've already published a list of the top six worst passwords from the
LinkedIn hack, and nothing much has changed.

The list begins with '123456' and ends with 'qwerty'. On the way, it takes
in 'ninja', 'princess', 'abc123' and, of course, 'password'. We do not
assume that any ninjas were using 'ninja' as their authentication, because
they are not meant to leave any trace.

Other passwords in the list are 'welcome', which is not welcome,
'sunshine', which needs some sunblock, and the masterful duo that is
'12345678' and '123456789'.

The researchers note that the use of dumb passwords makes them easy for
attackers to guess. They do not make such a big deal out of the worst
passwords list, despite the fact that the entries are absolutely ridiculous,
but they do say a lot about choosing a password wisely and the reasons for
doing so.

"We are finding that targeted online guessing threats are increasingly more
damaging and realistic. This is a serious security concern as there are
large amounts of personally identifiable information, and leaked passwords
readily available to criminals due to lots of million-sized data breaches
like Yahoo, Myspace, Linkedin, Dropbox and VK.com," said Professor Ping Wang
of Peking University.

"Our results should encourage people to vary the passwords they use on
different websites much more substantially to make it harder for criminals
to guess their passwords. This work should also help inform Internet
service providers looking to introduce more robust security measures to
detect and resist online guessing."

They found that their attack models, which were informed by the passwords
leaked in recent breaches, were able to guess the passwords of accounts in
73 percent of cases.
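The defensive counterpart to this finding is screening new passwords at registration. The following is an added example, not code from the article or the researchers: it rejects the ten passwords the article names (and their trivial variants), and also rejects a password that reuses one of the user's own previously leaked passwords, which is the targeted-guessing case described here. The deny list and the sample inputs are constructed for illustration; a real deployment would use a full breach corpus.

```python
import re

# Constructed deny list: the ten passwords the article names from the leaked
# Yahoo data. A production list would be a full breach corpus, not ten entries.
COMMON_PASSWORDS = {
    "123456", "12345678", "123456789", "qwerty", "password",
    "abc123", "ninja", "princess", "welcome", "sunshine",
}

# Undo the usual "l33t" substitutions so 'P@ssw0rd' collapses to 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(pw):
    """Return the cosmetic variants of pw that a guesser gets for free:
    lower-cased, with leading/trailing digits and symbols removed, and with
    leet characters decoded. The raw lower-cased form is always kept so that
    purely numeric entries such as '123456' still match."""
    base = pw.strip().lower()
    forms = {base, base.translate(LEET)}
    core = re.sub(r"[\d\W_]+$", "", base)   # 'welcome2016!' -> 'welcome'
    core = re.sub(r"^[\d\W_]+", "", core)   # '!!qwerty' -> 'qwerty'
    if core:
        forms.add(core)
        forms.add(core.translate(LEET))
    return forms


def check_password(pw, previously_leaked=()):
    """Reject a password that is (a variant of) a common leaked password, or
    that reuses one of this user's passwords already exposed in another breach.
    Returns (accepted, reason)."""
    forms = candidate_forms(pw)
    if forms & COMMON_PASSWORDS:
        return False, "matches a common leaked password or a trivial variant of it"
    for old in previously_leaked:
        if forms & candidate_forms(old):
            return False, "reuses a password already exposed in another breach"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("P@ssw0rd", "Welcome2016!", "123456", "Tr0ub4dor&3"):
        print(pw, check_password(pw))
    print(check_password("Hunter2017!", previously_leaked=["hunter2"]))
```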

"This work shows, for the first time, that targeted password guessing is a
much underestimated threat and we have demonstrated that a large number of
passwords can be guessed if personal information is known to the attacker –
especially if they know passwords from other accounts owned by the
potential victim," piped up Ding Wang, the leading student author of the
research.