BreachExchange mailing list archives

Researcher Creates Clearinghouse Of 14 Million Hacked Passwords


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 27 Aug 2010 22:06:17 -0400

http://blogs.forbes.com/andygreenberg/2010/08/26/researcher-creates-clearinghouse-of-14-million-hacked-passwords/?boxes=Homepagechannels

The “Wall of Sheep” has become a cherished tradition at the annual
Defcon hacker conference in Las Vegas: Anyone foolish enough to use
the local wireless network at the hotel will likely have his or her
username and password stolen, and later see those vital digital
details projected onto a screen for thousands of attendees to see.

Now Canadian researcher Ron Bowes has created a sort of Wall of Sheep
for the entire Internet. By simply collecting all the publicly-spilled
repositories of users’ passwords from recent hacking incidents, he’s
created a clearinghouse for stolen passwords on his Web
site–14,488,929 distinct passwords to be exact, collected from
32,943,045 users.

Bowes didn’t steal these passwords, and they’re not associated with
usernames, an extra piece of data that would make listing them far
more dangerous. The vast majority of those millions of passwords
became public after the breach of RockYou.com, a social networking
applications site penetrated by cybercriminals using an SQL-injection.
Another 180,000 were spilled when the bulletin board software site
phpbb was hacked using a vulnerability in one of the site’s plugins.
37,000 more were stolen from MySpace using phishing techniques.

Bowes, a consultant with Dash9 security and a developer for security
scanning tool NMap, says he collected the passwords to help
researchers figure out how users choose passwords and make the
authentication process more secure. The site he’s assembled is a wiki,
so anyone can update it with new breached password lists. “Since I
created it, I’ve had exceptionally good feedback from researchers
around the world,” Bowes wrote in his blog. “As far as I know, it’s
the best collection of breached passwords anywhere.”

The real lesson from Bowes’ collection: People choose terrible
passwords. In most lists that Bowes analyzed, “123456” was the most
common password, with “password” somewhere shortly after. Most top ten
lists of common passwords include the name of the site the user is
logging in to. The most common passwords on Christian blogging site
Faithwriters included words like jesuschrist, heaven, christ, and
blessed, all easy enough for a hacker to guess or even easier
to find with a dictionary attack that cycles through millions of word
variants.

One fix Bowes suggests: blocking users from choosing the worst
passwords. Twitter, for instance, has created a blacklist of 370
easily guessable passwords that it won’t accept, disallowing users
from choosing insecure words or phrases like “Password1” or
“TwitterRocks.” The most common 1,000 passwords on his site, Bowes
wrote in an email to me, should probably be used as a blacklist for
password choices on every site.

But the real solution, Bowes writes, isn’t to require users to pick
convoluted, non-word passwords they’ll forget or have to write down.
Instead, companies whenever possible should use “multi-factor
authentication.” That means giving users a token with a changing
random number, using biometric tests like fingerprints, or sending a
text message to a user’s phone to authenticate him or her. “Passwords
are well and good for low-security applications, like forums,” he
writes. “But there’s no way I should be able to log into my banking
site with just a password.”
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
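The two defensive ideas the article attributes to Bowes, ranking a breached list by frequency to find the most common passwords, and then refusing any new password on that list or containing the site's own name, can be combined into a small policy checker. The following is an added example and is not code from the post, from Bowes, or from any of the sites mentioned; the leaked list it works on is a constructed stand-in rather than real breach data, the function names are my own, and the top-3 cut-off is used only because the sample is tiny (the article suggests the top 1,000 for a real site).

```python
from collections import Counter

# Constructed stand-in for a breached password list (not real dump data).
# It mirrors the article's findings: "123456" and "password" dominate,
# the site's own name is popular, and only a few users choose strong strings.
SITE_NAME = "rockyou"
SAMPLE_LEAK = (
    ["123456"] * 6
    + ["password"] * 4
    + ["RockYou"] * 3
    + ["Password1", "iloveyou", "abc123", "qwerty"]
    + ["X7#kd!92pQ", "correct horse battery", "Tr0ub4dor&3"]
)


def top_n(passwords, n):
    """Rank a leaked list by frequency (case-insensitive) and return the n most common."""
    counts = Counter(p.lower() for p in passwords)
    return [pw for pw, _ in counts.most_common(n)]


def build_denylist(passwords, n, extra=()):
    """Top-n passwords from the leak plus hand-picked entries (a Twitter-style list)."""
    deny = set(top_n(passwords, n))
    deny.update(e.lower() for e in extra)
    return deny


def check_password(candidate, denylist, site_name):
    """Return (accepted, reason). Rejects deny-listed passwords and any password
    that embeds the site's name, the two policies the article describes."""
    lowered = candidate.lower()
    if lowered in denylist:
        return False, "on common-password denylist"
    if site_name.lower() in lowered:
        return False, "contains site name"
    return True, "ok"


def rejection_count(passwords, denylist, site_name):
    """How many entries of a leaked list the policy would have blocked: (rejected, total)."""
    rejected = sum(1 for p in passwords if not check_password(p, denylist, site_name)[0])
    return rejected, len(passwords)


if __name__ == "__main__":
    deny = build_denylist(SAMPLE_LEAK, 3, extra=["Password1", "TwitterRocks"])
    print("denylist:", sorted(deny))
    for pw in ["123456", "myRockYou2010", "X7#kd!92pQ"]:
        print(pw, check_password(pw, deny, SITE_NAME))
    print("would have been blocked:", rejection_count(SAMPLE_LEAK, deny, SITE_NAME))
```

Running the policy back over the same sample shows why the article calls a deny list a cheap win: 14 of the 20 constructed entries would have been refused at sign-up, while the few genuinely unusual passwords pass untouched. The comparison is case-insensitive on purpose, since "RockYou" and "rockyou" are the same guess to an attacker.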
