Consumer Password Worst Practices
              The Imperva Application Defense Center (ADC)




Summary
In December 2009, a major password breach occurred that led to the release of
32 million passwords [1]. Further, the hacker posted to the Internet [2] the full
list of the 32 million passwords (with no other identifiable information).
Passwords were stored in clear text in the database and were extracted through a
SQL Injection vulnerability [3]. The data provides a unique glimpse into the way
that users select passwords and an opportunity to evaluate the true strength of
these as a security mechanism. In the past, password studies have focused mostly
on surveys [4]. Never before has there been such a high volume of real-world
passwords to examine.

The Imperva Application Defense Center (ADC) analyzed the strength of the
passwords.




[1] http://www.rockyou.com/help/securityMessage.php
[2] http://igigi.baywords.com/rockyou-com-passwords-list/
[3] http://www.techcrunch.com/2009/12/14/rockyou-hacked/
[4] http://blog.absolute.com/passwords-are-not-enough/




The shortness and simplicity of passwords mean many users select credentials that
will make them susceptible to basic, brute force password attacks. Furthermore, studies
show [5][6][7] that about one half of the users use the same (or a very similar) password
for all websites that require logging in. Ironically, the problem has changed very little
over the past twenty years. In 1990, a study of Unix password security revealed that
password selection is strikingly similar to the 32 million breached passwords [8]. Just
ten years ago, hacked Hotmail passwords showed little change [9]. This means that users,
if allowed to, will choose very weak passwords even for sites that hold their most
private data. Worse, as hackers continue to rapidly adopt smarter brute force password
cracking software, consumers and companies will be at greater risk. To quantify the issue,
the combination of poor passwords and automated attacks means that in just 110 attempts,
a hacker will typically gain access to one new account every second, or need a mere 17
minutes to break into 1000 accounts.

Key findings:
    » About 30% of users chose passwords whose length is equal to or below six characters.
    » Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric
      characters.
    » Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive
      digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com
      account owners is “123456”.




[5] http://www.telegraph.co.uk/technology/news/6125081/Security-risk-as-people-use-same-password-on-all-websites.html
[6] http://www.readwriteweb.com/archives/majority_use_same_password.php
[7] http://www.thetechherald.com/article.php/200911/3184/Internet-users-still-using-same-password-for-all-Web-sites
[8] http://www.klein.com/dvk/publications/passwd.pdf
[9] http://www.switched.com/2009/10/07/hotmail-scam-reveals-most-common-password-123456/





Analysis
NASA provides the following recommendations [10] for strong password selection. The ADC used NASA’s standards
to help benchmark consumers’ password selection:
     1. Recommendation: It should contain at least eight characters.
        The ADC analysis revealed that just one half of the passwords contained seven or fewer characters. (Rockyou.com’s
        current minimum password length requirement is five.) A staggering 30% of users chose passwords whose length
        was equal to or below six characters.
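        Password Length Distribution (pie chart; share of passwords by length in characters)
          Length 5:   4.07%
          Length 6:  26.04%
          Length 7:  19.29%
          Length 8:  19.98%
          Length 9:  12.11%
          Length 10:  9.06%
          Length 11:  3.57%
          Length 12:  2.11%
          Length 13:  1.32%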




     2. Recommendation: It should contain a mix of four different types of characters – upper case letters, lower case
        letters, numbers, and special characters such as !@#$%^&*,;". If there is only one letter or special character, it
        should not be either the first or last character in the password.
        The ADC analysis showed that almost 60% of users chose their passwords from within a limited set of characters.
        About 40% of the users use only lowercase characters for their passwords and about another 16% use only digits.
        Less than 4% of the users use special characters.
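        [Figure: pie chart, titled "Password Length Distribution" in the source, accompanying the character-set
        analysis above. Slice values: 41.69%, 36.94%, 15.94%, 3.81%, 1.62%. The slice labels did not survive
        extraction.]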




        In fact, after evaluating the passwords against two of NASA's recommendations, only 0.2% of Rockyou.com users
        have a password that could be considered strong:
        » Eight characters or longer
        » Contains a mixture of special characters, numbers and both lower and upper case letters.
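
The benchmark above, sketched as code (an added example, not Imperva's own tooling). The sample list is an assumption: the top ten passwords from the popularity table in this paper, the "tlpWENT2m" example quoted later, and two constructed entries; the reading of NASA's first/last-character rule is also an interpretation.

```python
from collections import Counter

MIN_LENGTH = 8                                    # NASA recommendation 1
REQUIRED = {"lower", "upper", "digit", "special"}  # NASA recommendation 2


def char_class(ch):
    """Map one character to one of the four character types."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "special"


def classes(pw):
    """Set of character types that appear in the password."""
    return {char_class(c) for c in pw}


def is_strong(pw):
    """The paper's two criteria: eight or more characters, all four types."""
    return len(pw) >= MIN_LENGTH and classes(pw) == REQUIRED


def lone_char_at_edge(pw):
    """True if the only letter, or the only special character, is first or last.

    Interpretation (assumption) of NASA's rule: a single letter or a single
    special character adds little when it sits at either end of the password.
    """
    kinds = [char_class(c) for c in pw]
    letters = [i for i, k in enumerate(kinds) if k in ("lower", "upper")]
    specials = [i for i, k in enumerate(kinds) if k == "special"]
    edges = {0, len(pw) - 1}
    return any(len(pos) == 1 and pos[0] in edges for pos in (letters, specials))


def audit(passwords):
    """Tally a password list the way the ADC analysis reports it."""
    tally = Counter()
    for pw in passwords:
        cls = classes(pw)
        tally["total"] += 1
        tally["len_le_6"] += len(pw) <= 6
        tally["len_lt_8"] += len(pw) < MIN_LENGTH
        tally["lowercase_only"] += cls == {"lower"}
        tally["digits_only"] += cls == {"digit"}
        tally["has_special"] += "special" in cls
        tally["strong"] += is_strong(pw)
        tally["strong_and_positioned"] += is_strong(pw) and not lone_char_at_edge(pw)
    return tally


# Sample input. First ten entries: top ten of the paper's popularity table.
# "tlpWENT2m": the passphrase-derived example quoted in the recommendations.
# Last two entries: constructed for this example.
SAMPLE = [
    "123456", "12345", "123456789", "Password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
    "tlpWENT2m", "Tr4il!mix9", "!Password1",
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    total = result["total"]
    for key in ("len_le_6", "len_lt_8", "lowercase_only", "digits_only",
                "has_special", "strong", "strong_and_positioned"):
        print(f"{key:22s} {result[key]:3d}  {100.0 * result[key] / total:6.2f}%")
```

Note that "tlpWENT2m" meets the length criterion but has no special character, so it is not counted as strong under the four-type rule.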




[10] http://www.hq.nasa.gov/office/ospp/securityguide/V1comput/Password.htm




     3. Recommendation: It should not be a name, a slang word, or any word in the dictionary. It should not include
        any part of your name or your e-mail address.
        Almost all of the 5000 most popular passwords, which are used by 20% of the users, were just that –
        names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so
        on). The most common password among Rockyou.com account owners is “123456”. The runner-up is “12345”. The
        following table lists the top 20 most common passwords in the database:
        Password Popularity – Top 20

          Rank   Password     Number of Users with Password (absolute)
           1     123456       290731
           2     12345        79078
           3     123456789    76790
           4     Password     61958
           5     iloveyou     51622
           6     princess     35231
           7     rockyou      22588
           8     1234567      21726
           9     12345678     20553
          10     abc123       17542
          11     Nicole       17168
          12     Daniel       16409
          13     babygirl     16094
          14     monkey       15294
          15     Jessica      15162
          16     Lovely       14950
          17     michael      14898
          18     Ashley       14329
          19     654321       13984
          20     Qwerty       13856


        Had a hacker used the list of the top 5000 passwords as a dictionary for a brute force attack on Rockyou.com
        users, it would take only one attempt (per account) to guess 0.9% of the users' passwords, or a rate of one
        success per 111 attempts. Assuming an attacker with a DSL connection with a 55KBPS upload rate, and that each
        attempt is 0.5KB in size, the attacker can make 110 attempts per second. At this rate, a hacker will
        gain access to one new account every second, or need just less than 17 minutes to compromise 1000 accounts. And the
        problem is exponential. After the first wave of attacks, it would only take 116 attempts per account to compromise
        5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20%
        of accounts. The following diagram depicts the expected effectiveness of attacks using a small, carefully chosen,
        attack dictionary:
        [Figure: "Accumulated Percent of Dictionary Attack Success". Vertical axis: accumulated share of accounts,
        0 to 20%. Horizontal axis: number of password tries, 1 to 4655.]
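
The arithmetic above, carried through with the counts from the Top 20 table and read from the defender's side (an added example, not part of the white paper): what share of accounts a registration-time deny-list of the N most common passwords would have covered, and how a cap on login attempts changes the 17-minute figure. The exact total of 32,000,000 accounts and the cap of 10 attempts per minute are assumptions.

```python
# Counts copied from the "Password Popularity - Top 20" table, rank 1 to 20.
TOP20_COUNTS = [
    290731, 79078, 76790, 61958, 51622, 35231, 22588, 21726, 20553, 17542,
    17168, 16409, 16094, 15294, 15162, 14950, 14898, 14329, 13984, 13856,
]
TOTAL_ACCOUNTS = 32_000_000   # assumption: the paper's rounded "32 million"

UPLOAD_KB_PER_S = 55          # the paper's DSL upload rate
REQUEST_KB = 0.5              # the paper's size of one login attempt
CAPPED_ATTEMPTS_PER_S = 10 / 60   # hypothetical limit: 10 attempts per minute


def cumulative_share(counts=TOP20_COUNTS, total=TOTAL_ACCOUNTS):
    """Share of all accounts using one of the top-N passwords, for N = 1..len."""
    shares, running = [], 0
    for count in counts:
        running += count
        shares.append(running / total)
    return shares


def smallest_list_for(target_share, counts=TOP20_COUNTS, total=TOTAL_ACCOUNTS):
    """Smallest deny-list size N whose passwords cover target_share of accounts.

    Returns None when the available ranking is too short to reach the target.
    """
    for n, share in enumerate(cumulative_share(counts, total), start=1):
        if share >= target_share:
            return n
    return None


def attempts_per_second(upload_kb_per_s=UPLOAD_KB_PER_S, request_kb=REQUEST_KB):
    """Login attempts per second that fit through the uplink."""
    return upload_kb_per_s / request_kb


def seconds_for_accounts(n_accounts, hit_share, rate_per_s):
    """Expected time until n_accounts logins succeed at one guess per account."""
    return n_accounts / (hit_share * rate_per_s)


if __name__ == "__main__":
    shares = cumulative_share()
    print(f"top 1 covers  {100 * shares[0]:.2f}% of accounts")
    print(f"top 20 covers {100 * shares[-1]:.2f}% of accounts")
    print("deny-list size for 2% coverage:", smallest_list_for(0.02))

    unthrottled = seconds_for_accounts(1000, shares[0], attempts_per_second())
    capped = seconds_for_accounts(1000, shares[0], CAPPED_ATTEMPTS_PER_S)
    print(f"1000 accounts, unthrottled: {unthrottled / 60:.1f} minutes")
    print(f"1000 accounts, capped:      {capped / 86400:.1f} days")
```

Rejecting only the nine most common passwords at registration would have forced 2% of these accounts to pick something else; the top-20 table alone cannot show the 5% point, which the paper places at 116 passwords.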



Recommendations
Users:
     1. Choose a strong password for sites where you care about the privacy of the information
        you store. Bruce Schneier’s advice is useful: “take a sentence and turn it into a password.
        Something like "This little piggy went to market" might become "tlpWENT2m".
        That nine-character password won't be in anyone's dictionary.” [11]
     2. Use a different password for all sites – even for the ones where privacy isn’t an
        issue. To help remember the passwords, again, following Bruce Schneier’s advice is
        recommended: “If you can't remember your passwords, write them down and put
        the paper in your wallet. But just write the sentence – or better yet – a hint that
        will help you remember your sentence.” [12]
     3. Never trust a 3rd party with your important passwords (webmail, banking,
        medical etc.)

Administrators:
     1. Enforce a strong password policy – if you give the users a choice, it is very likely that
        they will choose weak passwords.
     2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
     3. Make sure passwords are not kept in clear text. Always digest passwords before
        storing them in the DB.
     4. Employ aggressive anti-brute force mechanisms to detect and mitigate brute
        force attacks on login credentials. Make these attacks too slow for any practical
        purpose, even for shorter passwords. You should actively put obstacles in the way
        of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
     5. Employ a password change policy. Trigger the policy either by time or when
        suspicion of a compromise arises.
     6. Allow and encourage passphrases instead of passwords. Although sentences may
        be longer, they may be easier to remember. With added characters, they become
        more difficult to break.
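
Administrator recommendations 3 and 4 as a minimal sketch (an added example, not from the white paper): passwords stored only as a salted, iterated digest, and failed logins throttled per account and per source. The choice of PBKDF2-HMAC-SHA256, the record format, the thresholds and all names are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ITERATIONS = 600_000   # assumption: tune to your hardware budget


def hash_password(password, *, iterations=PBKDF2_ITERATIONS):
    """Return a storable record; the clear-text password is never kept."""
    salt = os.urandom(16)     # per-user salt: equal passwords get different digests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class FailureThrottle:
    """Sliding-window counter of failed logins per key (account or source)."""

    def __init__(self, max_failures, window_seconds, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(deque)

    def recent(self, key):
        queue = self.failures[key]
        now = self.clock()
        while queue and now - queue[0] >= self.window:
            queue.popleft()           # forget failures older than the window
        return queue

    def blocked(self, key):
        return len(self.recent(key)) >= self.max_failures

    def record_failure(self, key):
        self.recent(key).append(self.clock())


# Verified against when the username is unknown, so that unknown and known
# usernames cost the same amount of work.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def login(users, account_throttle, source_throttle, username, password, source):
    """Return "ok", "denied" or "throttled".

    Failures are counted per source as well as per account: a client that
    tries one password against many accounts never trips a per-account limit.
    """
    if source_throttle.blocked(source) or account_throttle.blocked(username):
        return "throttled"
    valid = verify_password(password, users.get(username, DUMMY_RECORD))
    if valid and username in users:
        return "ok"
    account_throttle.record_failure(username)
    source_throttle.record_failure(source)
    return "denied"
```

A production deployment would also bound the memory the throttle uses and could answer a throttled request with a CAPTCHA or computational challenge, as recommendation 4 suggests, instead of a flat refusal.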


[11] http://www.guardian.co.uk/technology/2008/nov/13/internet-passwords
[12] ibid




Imperva
Headquarters
3400 Bridge Parkway
Suite 101
Redwood Shores, CA 94065
Tel: +1-650-345-9000
Fax: +1-650-345-9004

Toll Free (U.S. only): +1-866-926-4678
www.imperva.com

© Copyright 2010, Imperva
All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva.
All other brand or product names are trademarks or registered trademarks of their respective holders.
#WP-WORSTPRACTICES_PASSWORDS-0110rev1

Contenu connexe

Similaire à Wp consumer password_worst_practices

Consumer Password Worst Practices
Consumer Password Worst PracticesConsumer Password Worst Practices
Consumer Password Worst PracticesMichael Scovetta
 
Pentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar PaghdalPentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar PaghdalNSConclave
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crackKlaus Drosch
 
Developing accessible experiences - Alison Walden
Developing accessible experiences - Alison WaldenDeveloping accessible experiences - Alison Walden
Developing accessible experiences - Alison WaldenWeb à Québec
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security SystemMatthew Bricker
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly:  Common Mistakes People Make When Using Cry...How to Use Cryptography Properly:  Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxssuser04fcec
 
Security_Awareness_Primer.pptx
Security_Awareness_Primer.pptxSecurity_Awareness_Primer.pptx
Security_Awareness_Primer.pptxFaith Shimba
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq OWASP-Qatar Chapter
 
Slay the Dragons of Agile Measurement
Slay the Dragons of Agile MeasurementSlay the Dragons of Agile Measurement
Slay the Dragons of Agile MeasurementJosiah Renaudin
 
Enterprise Password Worst Practices
Enterprise Password Worst PracticesEnterprise Password Worst Practices
Enterprise Password Worst PracticesImperva
 
2012 June Symantec Intelligence Report
2012 June Symantec Intelligence Report2012 June Symantec Intelligence Report
2012 June Symantec Intelligence ReportSymantec
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course StoryboardJim Piechocki
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleJarrod Overson
 
2011 October Symantec Intelligence Report
2011 October Symantec Intelligence Report2011 October Symantec Intelligence Report
2011 October Symantec Intelligence ReportSymantec
 

Similaire à Wp consumer password_worst_practices (20)

Consumer Password Worst Practices
Consumer Password Worst PracticesConsumer Password Worst Practices
Consumer Password Worst Practices
 
Pentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar PaghdalPentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar Paghdal
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
OlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_Final
 
Secureview 3
Secureview 3Secureview 3
Secureview 3
 
Developing accessible experiences - Alison Walden
Developing accessible experiences - Alison WaldenDeveloping accessible experiences - Alison Walden
Developing accessible experiences - Alison Walden
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security System
 
W make107
W make107W make107
W make107
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly:  Common Mistakes People Make When Using Cry...How to Use Cryptography Properly:  Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptx
 
Security_Awareness_Primer.pptx
Security_Awareness_Primer.pptxSecurity_Awareness_Primer.pptx
Security_Awareness_Primer.pptx
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
 
Slay the Dragons of Agile Measurement
Slay the Dragons of Agile MeasurementSlay the Dragons of Agile Measurement
Slay the Dragons of Agile Measurement
 
Enterprise Password Worst Practices
Enterprise Password Worst PracticesEnterprise Password Worst Practices
Enterprise Password Worst Practices
 
2012 June Symantec Intelligence Report
2012 June Symantec Intelligence Report2012 June Symantec Intelligence Report
2012 June Symantec Intelligence Report
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course Storyboard
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
2011 October Symantec Intelligence Report
2011 October Symantec Intelligence Report2011 October Symantec Intelligence Report
2011 October Symantec Intelligence Report
 

Plus de IvonaPoyntz

supermarket results
supermarket resultssupermarket results
supermarket resultsIvonaPoyntz
 
Bosch instruction manual
Bosch instruction manualBosch instruction manual
Bosch instruction manualIvonaPoyntz
 
Kodak playtouch-zi10-user-manual
Kodak playtouch-zi10-user-manualKodak playtouch-zi10-user-manual
Kodak playtouch-zi10-user-manualIvonaPoyntz
 
Supermarket annual report_2012
Supermarket annual report_2012Supermarket annual report_2012
Supermarket annual report_2012IvonaPoyntz
 
multi level discourse
multi level discoursemulti level discourse
multi level discourseIvonaPoyntz
 
Moroccan chicken and couscous salad
Moroccan chicken and couscous saladMoroccan chicken and couscous salad
Moroccan chicken and couscous saladIvonaPoyntz
 
1 dixonsretailq3tradingstatement17jan12
1 dixonsretailq3tradingstatement17jan121 dixonsretailq3tradingstatement17jan12
1 dixonsretailq3tradingstatement17jan12IvonaPoyntz
 
Ivona Poyntz Yorkshire building Society 2010 report accounts
Ivona Poyntz Yorkshire building Society 2010 report accountsIvona Poyntz Yorkshire building Society 2010 report accounts
Ivona Poyntz Yorkshire building Society 2010 report accountsIvonaPoyntz
 
Annual report ivona poyntz
Annual report ivona poyntzAnnual report ivona poyntz
Annual report ivona poyntzIvonaPoyntz
 

Plus de IvonaPoyntz (10)

supermarket results
supermarket resultssupermarket results
supermarket results
 
Bosch instruction manual
Bosch instruction manualBosch instruction manual
Bosch instruction manual
 
Kodak playtouch-zi10-user-manual
Kodak playtouch-zi10-user-manualKodak playtouch-zi10-user-manual
Kodak playtouch-zi10-user-manual
 
Supermarket annual report_2012
Supermarket annual report_2012Supermarket annual report_2012
Supermarket annual report_2012
 
multi level discourse
multi level discoursemulti level discourse
multi level discourse
 
Media arts
Media artsMedia arts
Media arts
 
Moroccan chicken and couscous salad
Moroccan chicken and couscous saladMoroccan chicken and couscous salad
Moroccan chicken and couscous salad
 
1 dixonsretailq3tradingstatement17jan12
1 dixonsretailq3tradingstatement17jan121 dixonsretailq3tradingstatement17jan12
1 dixonsretailq3tradingstatement17jan12
 
Ivona Poyntz Yorkshire building Society 2010 report accounts
Ivona Poyntz Yorkshire building Society 2010 report accountsIvona Poyntz Yorkshire building Society 2010 report accounts
Ivona Poyntz Yorkshire building Society 2010 report accounts
 
Annual report ivona poyntz
Annual report ivona poyntzAnnual report ivona poyntz
Annual report ivona poyntz
 

Dernier

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Dernier (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Wp consumer password_worst_practices

  • 1. Consumer Password Worst Practices The Imperva Application Defense Center (ADC) Summary In December 2009, a major password breach occurred that led to the release of 32 million passwords1. Further, the hacker posted White Paper to the Internet2 the full list of the 32 million passwords (with no other identifiable information). Passwords were stored in clear- text in the database and were extracted through a SQL Injection vulnerability3. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys4. Never before has there been such a high volume of real-world passwords to examine. The Imperva Application Defense Center (ADC) analyzed the strength of the passwords. ADC 1 http://www.rockyou.com/help/securityMessage.php 2 http://igigi.baywords.com/rockyou-com-passwords-list/ 3 http://www.techcrunch.com/2009/12/14/rockyou-hacked/ 4 http://blog.absolute.com/passwords-are-not-enough/
  • 2. Consumer Password Worst Practices

    The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks. Furthermore, studies show [5][6][7] that about one half of the users use the same (or very similar) password for all websites that require logging in. Ironically, the problem has changed very little over the past twenty years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords [8]. Just ten years ago, hacked Hotmail passwords showed little change [9]. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data. Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk. To quantify the issue, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account every second, or need a mere 17 minutes to break into 1000 accounts.

    Key findings:
    » About 30% of users chose passwords whose length is equal to or below six characters.
    » Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
    » Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.

    [5] http://www.telegraph.co.uk/technology/news/6125081/Security-risk-as-people-use-same-password-on-all-websites.html
    [6] http://www.readwriteweb.com/archives/majority_use_same_password.php
    [7] http://www.thetechherald.com/article.php/200911/3184/Internet-users-still-using-same-password-for-all-Web-sites
    [8] http://www.klein.com/dvk/publications/passwd.pdf
    [9] http://www.switched.com/2009/10/07/hotmail-scam-reveals-most-common-password-123456/
  • 3. Consumer Password Worst Practices

    Analysis

    NASA provides the following recommendations [10] for strong password selection. The ADC used NASA’s standards to help benchmark consumers’ password selection:

    1. Recommendation: It should contain at least eight characters.

    The ADC analysis revealed that just one half of the passwords contained seven or fewer characters. (Rockyou.com's current minimum password length requirement is five.) A staggering 30% of users chose passwords whose length was equal to or below six characters.

    Password Length Distribution (pie chart):

      Length (characters)   Share of passwords
      5                     4.07%
      6                     26.04%
      7                     19.29%
      8                     19.98%
      9                     12.11%
      10                    9.06%
      11                    3.57%
      12                    2.11%
      13                    1.32%

    2. Recommendation: It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password.

    The ADC analysis showed that almost 60% of users chose their passwords from within a limited set of characters. About 40% of the users use only lowercase characters for their passwords and about another 16% use only digits. Less than 4% of the users use special characters.

    [Figure: pie chart captioned "Password Length Distribution" with segments 3.81%, 1.62%, 36.94%, 41.69% and 15.94%; segment labels not preserved.]

    In fact, after evaluating the passwords against two of NASA's recommendations, only 0.2% of Rockyou.com users have a password that could be considered a strong password:
    » Eight characters or longer
    » Contain a mixture of special characters, numbers and both lower and upper case letters.

    [10] http://www.hq.nasa.gov/office/ospp/securityguide/V1comput/Password.htm
  • 4. Consumer Password Worst Practices

    3. Recommendation: It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.

    Almost all of the 5000 most popular passwords, which are used by a share of 20% of the users, were just that – names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”. The runner up is “12345”. The following table depicts the top 20 common passwords in the database list:

    Password Popularity – Top 20

      Rank   Password    Number of Users with Password (absolute)
      1      123456      290731
      2      12345       79078
      3      123456789   76790
      4      Password    61958
      5      iloveyou    51622
      6      princess    35231
      7      rockyou     22588
      8      1234567     21726
      9      12345678    20553
      10     abc123      17542
      11     Nicole      17168
      12     Daniel      16409
      13     babygirl    16094
      14     monkey      15294
      15     Jessica     15162
      16     Lovely      14950
      17     michael     14898
      18     Ashley      14329
      19     654321      13984
      20     Qwerty      13856

    If a hacker had used the list of the top 5000 passwords as a dictionary for a brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users' passwords, or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, the attacker can make 110 attempts per second. At this rate, a hacker will gain access to one new account every second, or need just less than 17 minutes to compromise 1000 accounts. And the problem is exponential. After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts.

    The following diagram depicts the expected effectiveness of attacks using a small, carefully chosen, attack dictionary:

    [Figure: Accumulated Percent of Dictionary Attack Success. Vertical axis: 0 to 20%. Horizontal axis: Number of password tries, 1 to 4655.]
  • 5. Recommendations

    Users:
    1. Choose a strong password for sites where you care about the privacy of the information you store. Bruce Schneier’s advice is useful: “take a sentence and turn it into a password. Something like “This little piggy went to market” might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary.” [11]
    2. Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.” [12]
    3. Never trust a 3rd party with your important passwords (webmail, banking, medical etc.)

    Administrators:
    1. Enforce a strong password policy – if you give the users a choice, it is very likely that they will choose weak passwords.
    2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
    3. Make sure passwords are not kept in clear text. Always digest passwords before storing them in the DB.
    4. Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slow for any practical purpose, even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
    5. Employ a password change policy. Trigger the policy either by time or when suspicion of a compromise arises.
    6. Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.

    [11] http://www.guardian.co.uk/technology/2008/nov/13/internet-passwords
    [12] ibid

    Imperva Headquarters, 3400 Bridge Parkway, Suite 101, Redwood Shores, CA 94065
    Tel: +1-650-345-9000  Fax: +1-650-345-9004  Toll Free (U.S. only): +1-866-926-4678  www.imperva.com

    © Copyright 2010, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-WORSTPRACTICES_PASSWORDS-0110rev1
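The NASA recommendations the paper benchmarks against, and administrator recommendation 1, can be enforced at registration time. The following is an added example, not code from the paper or from Imperva: the function names are hypothetical, and the paper's top-20 table stands in for the name/slang/dictionary list of recommendation 3.

```python
# Added example: checks a candidate password against the rules quoted in the paper.
TOP20 = {  # the paper's top-20 table, lowercased for case-insensitive matching
    "123456", "12345", "123456789", "password", "iloveyou", "princess", "rockyou",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
    "jessica", "lovely", "michael", "ashley", "654321", "qwerty",
}
ALL_CLASSES = {"lower", "upper", "digit", "special"}

def classify(ch):
    """Map one character to lower / upper / digit / special."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "special"

def lone_char_at_edge(pw):
    """True if the password's only letter, or only special character, is first or last."""
    kinds = [classify(c) for c in pw]
    letters = [i for i, k in enumerate(kinds) if k in ("lower", "upper")]
    specials = [i for i, k in enumerate(kinds) if k == "special"]
    edges = {0, len(pw) - 1}
    return any(len(pos) == 1 and pos[0] in edges for pos in (letters, specials))

def check(pw, blocklist=TOP20):
    """Return the list of rules the password fails (empty list = passes all)."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    missing = ALL_CLASSES - {classify(c) for c in pw}
    if missing:
        failures.append("missing classes: " + ", ".join(sorted(missing)))
    if lone_char_at_edge(pw):
        failures.append("only letter or special character is first or last")
    if pw.lower() in blocklist:
        failures.append("on the common-password blocklist")
    return failures

if __name__ == "__main__":
    # Constructed candidates, plus the "tlpWENT2m" example quoted in the paper.
    for candidate in ("123456", "Qwerty", "tlpWENT2m", "12345678!", "Tr1cky;Horse9x"):
        print(f"{candidate!r}: {check(candidate) or 'passes'}")
```

The sentence-derived password quoted in the user recommendations, "tlpWENT2m", passes the length rule but not the four-character-class rule, because it contains no special character.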
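Administrator recommendation 4 asks for detection of brute-force attempts, but the attack the paper models makes only one guess per account, so a per-account failure counter never trips. The following added example (not from the paper) contrasts that counter with a per-source count of distinct accounts; the event tuples, the documentation-range IP addresses, the thresholds and the function names are all constructed assumptions.

```python
from collections import defaultdict, deque

def sample_events():
    """Constructed data: (timestamp_s, source_ip, account, success) login events.

    One source tries a single password on 220 accounts at the paper's
    110 attempts/second; a second source is a user who mistypes twice.
    """
    ev = [(i / 110, "198.51.100.7", f"user{i:04d}", i in (57, 168)) for i in range(220)]
    ev += [(t, "192.0.2.10", "alice", ok) for t, ok in ((5, False), (9, False), (14, True))]
    return ev

def per_account_lockouts(events, max_failures=5):
    """Classic lockout rule: accounts with at least max_failures failed logins."""
    fails = defaultdict(int)
    for _, _, account, ok in events:
        if not ok:
            fails[account] += 1
    return {a for a, n in fails.items() if n >= max_failures}

def spray_sources(events, window=60, max_accounts=20):
    """Sources whose failures touch >= max_accounts distinct accounts within `window` seconds."""
    recent = defaultdict(deque)  # source -> (timestamp, account) of recent failures
    flagged = set()
    for ts, src, account, ok in sorted(events):
        if ok:
            continue
        q = recent[src]
        q.append((ts, account))
        while q and q[0][0] <= ts - window:  # drop failures older than the window
            q.popleft()
        if len({a for _, a in q}) >= max_accounts:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    events = sample_events()
    print("accounts locked out:", per_account_lockouts(events))
    print("sources flagged:", spray_sources(events))
```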