Wednesday, 23 November 2011

The 25 worst passwords of 2011: ‘password,’ ‘123456’

In spite of a constant drumbeat of news about hacking and cracking computer accounts, users still are employing extremely common and obvious phrases as passwords. A compilation of the most commonly used — and potentially most insecure — passwords seen over the past year was recently drawn up by Splashdata and reported in Mashable. Splashdata found that incredibly enough, the leading password in use today is the word “password.” Interestingly, number 4 on the list, the keyboard lineup of “qwerty,” is counterbalanced by item number 23, “qazwsx,” which is the first three rows of keys typed vertically.

The list closely parallels the one developed close to two years ago by Imperva, showing that these terms never go out of vogue.
Here is this year’s list:
1. password
2. 123456
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
SmartPlanet colleague Tuan C. Nguyen provides a surprisingly simple technique for deriving a strong password that makes it difficult for hacking programs to arrive at the right brute force combination — employing a symbol in combination with an upper-case and lower-case letter.
Not everyone thinks that strong passwords are the answer, however. In another study on passwords, a Microsoft researcher conducted a cost/benefit analysis of efforts to encourage stronger passwords, and questions whether the costs of strong password management outweigh the benefits.


It’s a perpetual dilemma. We all instinctively know that passwords made up of simple numerical patterns or familiar words like our name tend to be the easiest ones to remember. The drawback is that this makes them easy to hack, too. But make them too complicated and you’ll have a hard time committing the password to memory.
Proposed solutions to this problem aren’t hard to find. Do a little research on Google and you’ll find a wealth of ideas on how to create a secure password that can also be easily recalled, the so-called holy grail of internet security. However, I recently came across a post on the blog Tecca entitled “5 ways to make an easy-to-remember, ultra-secure password” that, in my opinion, provides one of the best approaches on the topic.
While the author Taylor Hatmaker echoes much of the well-worn advice that’s already out there, she advocates a special method that, oddly enough, allows for simple words and even character patterns — but only within certain parameters.
Before we get into that let’s review some of the basic best practices for creating secure passwords by going over what you shouldn’t do.
  • Avoid using parts of your name or email address since criminals can easily figure this out
  • Don’t include personal information like your birth date, names of family members or street addresses.
  • Consecutive numbers are a bad idea. You can basically nix “123456” or any other pervasively common combinations.
  • Steer clear of familiar sequences, phrases and slang terms.
What users are left with is the conventional thinking that the best approach is to use a jumbled-up mixture of numbers, symbols and upper and lower case letters. Hence, a good password would look something like this: T^n3k28$P!eV*AfJ9
Sounds like life on the internet is getting pretty complicated, right? So you’re probably wondering how it can be possible that using patterns, even simple ones, can bolster the strength of your password. The method Hatmaker recommends is called “password padding,” which suggests incorporating more symbols and making passwords longer as a way of fortifying them against an attack.
The strategy, proposed by renowned security expert Steve Gibson, is based on the rationale that incorporating those two factors gives users the best chance of thwarting malicious programs that rapidly run through many password combinations to uncover the right one, otherwise known as brute force simulators. For instance, there are more than 1500 symbols a hacking program needs to run through to correctly lock down one character of your password, while each character added to a pass-code makes it several times more difficult to crack, Hatmaker writes.
Here’s an example from Gibson’s website in which he explains the counter-intuitive logic behind it:
The main concept can be understood by answering this question:
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!
But wouldn’t something like “D0g” be in a dictionary, even with the ‘o’ being a zero?
Sure, it might be. But that doesn’t matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn’t know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.
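The two steps Gibson describes, a cracking list first and only then an exhaustive search, can be put into a small checker. This is an added example and not code from the SmartPlanet, Tecca or Gibson pages quoted here; it scores the page’s own 17-character random password against a constructed padded “D0g”, sizing the search space as the sum of all guesses up to the password’s length over the smallest alphabet that covers its character classes.

```python
# Added example: reject anything on the page's "worst 25" list first (the
# dictionary step every cracker runs before guessing), then size the brute-force
# search space the way Steve Gibson's padding argument does.
import string

# The 2011 Splashdata list as reproduced on this page (item 3 is absent there too).
WORST_2011 = {
    "password", "123456", "qwerty", "abc123", "monkey", "1234567", "letmein",
    "trustno1", "dragon", "baseball", "111111", "iloveyou", "master", "sunshine",
    "ashley", "bailey", "passw0rd", "shadow", "123123", "654321", "superman",
    "qazwsx", "michael", "football",
}

# Character classes and their sizes: 26 + 26 + 10 + 33 = 95 printable ASCII
# characters (the 33 "symbols" include the space, as Gibson counts them).
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation) | {" "}, 33),
)

def alphabet_size(password: str) -> int:
    """Size of the smallest class-union alphabet the password draws from."""
    chars = set(password)
    return sum(size for members, size in CLASSES if chars & members)

def search_space(password: str) -> int:
    """Guesses needed to exhaust every length up to len(password) over that
    alphabet: A + A**2 + ... + A**L (Gibson's 'haystack' size)."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** i for i in range(1, n + 1))

def evaluate(password: str) -> dict:
    """What a defender wants to know: is it on a cracking list, and if not,
    how large a haystack does an exhaustive search face?"""
    return {
        "common": password.lower() in WORST_2011,
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
    }

if __name__ == "__main__":
    # Constructed comparison: the page's random 17-character example versus a
    # padded "D0g" that is one character longer, as in Gibson's argument.
    random_pw = "T^n3k28$P!eV*AfJ9"
    padded_pw = "D0g" + "." * 15
    for pw in ("password", random_pw, padded_pw):
        print(f"{pw!r}: {evaluate(pw)}")
    print(f"padded/random ratio: {search_space(padded_pw) / search_space(random_pw):.0f}")
```

Both passwords touch all four classes, so both get the 95-character alphabet and the extra character alone makes the padded one about 95 times larger a haystack; “password” and “passw0rd” are flagged by the list check before their small search space even matters.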
Don’t believe it? You can test out Gibson’s tactic using the password strength tester by going to his website.
