SlideShare une entreprise Scribd logo

Consumer Password Worst Practices

Michael Scovetta
Michael Scovetta

Password Report from Imperva, 2009.

Technologie
1  sur  5
Télécharger pour lire hors ligne
Consumer Password Worst Practices The Imperva Application Defense Center (ADC) Summary In December 2009, a major password breach occurred that led to the release of 32 million passwords1. Further, the hacker posted White Paper to the Internet2 the full list of the 32 million passwords (with no other identifiable information). Passwords were stored in clear- text in the database and were extracted through a SQL Injection vulnerability3. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys4. Never before has there been such a high volume of real-world passwords to examine. The Imperva Application Defense Center (ADC) analyzed the strength of the passwords. ADC 1 http://www.rockyou.com/help/securityMessage.php 2 http://igigi.baywords.com/rockyou-com-passwords-list/ 3 http://www.techcrunch.com/2009/12/14/rockyou-hacked/ 4 http://blog.absolute.com/passwords-are-not-enough/
Consumer Password Worst Practices The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks. Furthermore, studies show5,6,7 that about one half of the users use the same (or very similar) password to all websites that require logging in. Ironically, the problem has changed very little over the past twenty years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords8. Just ten years ago, hacked Hotmail passwords showed little change9. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data. Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk. To quantify the issue, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account on every second or a mere 17 minutes to break into 1000 accounts. Key findings: » About 30% of users chose passwords whose length is equal or below six characters. » Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters. » Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”. 5 http://www.telegraph.co.uk/technology/news/6125081/Security-risk-as-people-use-same-password-on-all-websites.html 6 http://www.readwriteweb.com/archives/majority_use_same_password.php 7 http://www.thetechherald.com/article.php/200911/3184/Internet-users-still-using-same-password-for-all-Web-sites 8 http://www.klein.com/dvk/publications/passwd.pdf 9 http://www.switched.com/2009/10/07/hotmail-scam-reveals-most-common-password-123456/ Imperva White Paper < 2 >
Consumer Password Worst Practices Analysis NASA provides the following Recommendations10 for strong password selection. The ADC used NASA’s standards to help benchmark consumers’ password selection: 1. Recommendation: It should contain at least eight characters. The ADC analysis revealed that just one half of the passwords contained seven or less characters. (Rockyou.com current minimal password length requirement is five). A staggering 30% of users chose passwords whose length was equal to or below six characters. Password Length Distribution 13 12 1.32% 2.11% 5 4.07% 11 3.57% 6 10 26.04% 9.06% 9 12.11% 7 8 19.29% 19.98% 2. Recommendation: It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password. The ADC analysis showed that almost 60% of users chose their passwords from within a limited set of characters. About 40% of the users use only lowercase characters for their passwords and about another 16% use only digits. Less than 4% of the users use special characters. Password Length Distribution 3.81% 1.62% 36.94% 41.69% 15.94% In fact, after evaluating the passwords against two of NASA's recommendations only 0.2% of Rockyou.com users have a password that could be considered as strong password: » Eight characters or longer » Contain a mixture of special characters, numbers and both lower and upper case letters. 10 http://www.hq.nasa.gov/office/ospp/securityguide/V1comput/Password.htm Imperva White Paper < 3 >
Consumer Password Worst Practices 3. Recommendation: It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address. Almost all of the 5000 most popular passwords, that are used by a share of 20% of the users, were just that – names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”. The runner up is “12345”. The following table depicts the top 20 common passwords in the database list: Password Popularity – Top 20 Number of Users with Number of Users with Rank Password Rank Password Password (absolute) Password (absolute) 1 123456 290731 11 Nicole 17168 2 12345 79078 12 Daniel 16409 3 123456789 76790 13 babygirl 16094 4 Password 61958 14 monkey 15294 5 iloveyou 51622 15 Jessica 15162 6 princess 35231 16 Lovely 14950 7 rockyou 22588 17 michael 14898 8 1234567 21726 18 Ashley 14329 9 12345678 20553 19 654321 13984 10 abc123 17542 20 Qwerty 13856 If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou. com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts. And the problem is exponential. After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts. The following diagram depicts the expected effectiveness of attacks using a small, carefully chosen, attack dictionary: Accumulated Percent of Dictionary Attack Success 20% 15% 10% 5% 0 1 359 717 1075 1433 1791 2149 2507 2865 3223 3581 3939 4297 4655 Number of password tries Imperva White Paper < 4 >
Recommendations Users: 1. Choose a strong password for sites you care for the privacy of the information you store. Bruce Schneir’s advice is useful: “take a sentence and turn it into a password. Something like “This little piggy went to market” might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary.”11 2. Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”12 3. Never trust a 3rd party with your important passwords (webmail, banking, medical etc.) Administrators: 1. Enforce strong password policy – if you give the users a choice, it is very likely that they would choose weak passwords. 2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login. 3. Make sure passwords are not kept in clear text. Always digest password before storing to DB. 4. Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slowly for any practical purposes even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc. 5. Employ a password change policy. Trigger the policy either by time or when suspicion for a compromise arises. 6. Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break. 11 http://www.guardian.co.uk/technology/2008/nov/13/internet-passwords 12 ibid Imperva Headquarters 3400 Bridge Parkway Suite 101 Redwood Shores, CA 94065 Tel: +1-650-345-9000 Fax: +1-650-345-9004 Toll Free (U.S. only): +1-866-926-4678 www.imperva.com © Copyright 2010, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-WORSTPRACTICES_PASSWORDS-0110rev1

Recommandé

Wp consumer password_worst_practices
Wp consumer password_worst_practicesWp consumer password_worst_practices
Wp consumer password_worst_practicesKorfinpl
 
Password best practices and the last pass hack
Password best practices and the last pass hackPassword best practices and the last pass hack
Password best practices and the last pass hackKevin OBrien
 
PASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESPASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESRazorpoint Security
 
Android Attacks
Android AttacksAndroid Attacks
Android AttacksMichael Scovetta
 
Strategic Surprise
Strategic SurpriseStrategic Surprise
Strategic SurpriseMichael Scovetta
 
Stackjacking
StackjackingStackjacking
StackjackingMichael Scovetta
 
Diabetes
DiabetesDiabetes
Diabetesdunzo13
 
Objetivos
ObjetivosObjetivos
ObjetivosFidel Diaz
 

Recommandé

Wp consumer password_worst_practices
Wp consumer password_worst_practicesWp consumer password_worst_practices
Wp consumer password_worst_practicesKorfinpl
 
Password best practices and the last pass hack
Password best practices and the last pass hackPassword best practices and the last pass hack
Password best practices and the last pass hackKevin OBrien
 
PASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESPASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESRazorpoint Security
 
Android Attacks
Android AttacksAndroid Attacks
Android AttacksMichael Scovetta
 
Strategic Surprise
Strategic SurpriseStrategic Surprise
Strategic SurpriseMichael Scovetta
 
Stackjacking
StackjackingStackjacking
StackjackingMichael Scovetta
 
Diabetes
DiabetesDiabetes
Diabetesdunzo13
 
Objetivos
ObjetivosObjetivos
ObjetivosFidel Diaz
 
Samantha Wilson
Samantha WilsonSamantha Wilson
Samantha Wilsonsawilson
 
Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Michael Scovetta
 
Wildfire future m presentation 2
Wildfire future m presentation 2Wildfire future m presentation 2
Wildfire future m presentation 2Gravity Summit
 
Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Michael Scovetta
 
Electric Vehicles Gr
Electric Vehicles GrElectric Vehicles Gr
Electric Vehicles Grslaine
 
μελαμίνη
μελαμίνημελαμίνη
μελαμίνηslaine
 
Samantha Wilson
Samantha WilsonSamantha Wilson
Samantha Wilsonsawilson
 
Resume 032811
Resume 032811Resume 032811
Resume 032811gselke
 
Carbohydrates
CarbohydratesCarbohydrates
Carbohydratesslaine
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)Michael Scovetta
 
A collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsA collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsMichael Scovetta
 
Don't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesDon't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesMichael Scovetta
 
Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Michael Scovetta
 
DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)Michael Scovetta
 
Lecture1
Lecture1Lecture1
Lecture1slaine
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State MachinesMichael Scovetta
 
IPv6 Adoption in the RIPE NCC Service Region
IPv6 Adoption in the RIPE NCC Service RegionIPv6 Adoption in the RIPE NCC Service Region
IPv6 Adoption in the RIPE NCC Service RegionRIPE NCC
 
Hacking Rapidshare
Hacking RapidshareHacking Rapidshare
Hacking RapidshareSais Abdelkrim
 
Wp consumer password_worst_practices
Wp consumer password_worst_practicesWp consumer password_worst_practices
Wp consumer password_worst_practicesIvonaPoyntz
 
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the Cloud
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the CloudWebinar: Top 5 Mistakes Your Don't Want to Make When Moving to the Cloud
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the CloudInternap
 
AIS DIsaster Recovery & Business Continuity
AIS DIsaster Recovery & Business ContinuityAIS DIsaster Recovery & Business Continuity
AIS DIsaster Recovery & Business ContinuityAISDC
 

Contenu connexe

En vedette

Samantha Wilson
Samantha WilsonSamantha Wilson
Samantha Wilsonsawilson
 
Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Michael Scovetta
 
Wildfire future m presentation 2
Wildfire future m presentation 2Wildfire future m presentation 2
Wildfire future m presentation 2Gravity Summit
 
Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Michael Scovetta
 
Electric Vehicles Gr
Electric Vehicles GrElectric Vehicles Gr
Electric Vehicles Grslaine
 
μελαμίνη
μελαμίνημελαμίνη
μελαμίνηslaine
 
Samantha Wilson
Samantha WilsonSamantha Wilson
Samantha Wilsonsawilson
 
Resume 032811
Resume 032811Resume 032811
Resume 032811gselke
 
Carbohydrates
CarbohydratesCarbohydrates
Carbohydratesslaine
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)Michael Scovetta
 
A collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsA collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsMichael Scovetta
 
Don't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesDon't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesMichael Scovetta
 
Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Michael Scovetta
 
DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)Michael Scovetta
 
Lecture1
Lecture1Lecture1
Lecture1slaine
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State MachinesMichael Scovetta
 

En vedette (17)

Samantha Wilson
Samantha WilsonSamantha Wilson
Samantha Wilson
 
Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)
 
Wildfire future m presentation 2
Wildfire future m presentation 2Wildfire future m presentation 2
Wildfire future m presentation 2
 
Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)
 
Electric Vehicles Gr
Electric Vehicles GrElectric Vehicles Gr
Electric Vehicles Gr
 
μελαμίνη
μελαμίνημελαμίνη
μελαμίνη
 
Samantha Wilson
Samantha WilsonSamantha Wilson
Samantha Wilson
 
Resume 032811
Resume 032811Resume 032811
Resume 032811
 
Carbohydrates
CarbohydratesCarbohydrates
Carbohydrates
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)
 
A collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsA collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programs
 
Don't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesDon't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade Machines
 
Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013
 
DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)
 
Lecture1
Lecture1Lecture1
Lecture1
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State Machines
 

Similaire à Consumer Password Worst Practices

IPv6 Adoption in the RIPE NCC Service Region
IPv6 Adoption in the RIPE NCC Service RegionIPv6 Adoption in the RIPE NCC Service Region
IPv6 Adoption in the RIPE NCC Service RegionRIPE NCC
 
Wp consumer password_worst_practices
Wp consumer password_worst_practicesWp consumer password_worst_practices
Wp consumer password_worst_practicesIvonaPoyntz
 
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the Cloud
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the CloudWebinar: Top 5 Mistakes Your Don't Want to Make When Moving to the Cloud
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the CloudInternap
 
AIS DIsaster Recovery & Business Continuity
AIS DIsaster Recovery & Business ContinuityAIS DIsaster Recovery & Business Continuity
AIS DIsaster Recovery & Business ContinuityAISDC
 
From java to rails
From java to railsFrom java to rails
From java to railsjokry
 
Firefox3.5 And Next
Firefox3.5 And NextFirefox3.5 And Next
Firefox3.5 And NextChanny Yun
 
Mobile Cloud Architectures
Mobile Cloud ArchitecturesMobile Cloud Architectures
Mobile Cloud ArchitecturesDavid Coallier
 
Vikas swarankar portfolio_25_oct_2011
Vikas swarankar portfolio_25_oct_2011Vikas swarankar portfolio_25_oct_2011
Vikas swarankar portfolio_25_oct_2011Rakesh Ranjan
 
Getting started with Cloud Foundry
Getting started with Cloud FoundryGetting started with Cloud Foundry
Getting started with Cloud FoundryLode Vermeiren
 
Getting started with Cloud Foundry
Getting started with Cloud FoundryGetting started with Cloud Foundry
Getting started with Cloud FoundryLode Vermeiren
 
Digital Futures Presentation Sept 09
Digital Futures Presentation Sept 09Digital Futures Presentation Sept 09
Digital Futures Presentation Sept 09Traffika
 
An Ecological Case Study of Two Middle Schools' Technology Integration
An Ecological Case Study of Two Middle Schools' Technology IntegrationAn Ecological Case Study of Two Middle Schools' Technology Integration
An Ecological Case Study of Two Middle Schools' Technology IntegrationMichelle Fulks Read
 
Presentation Trends Session
Presentation Trends SessionPresentation Trends Session
Presentation Trends SessionPieter Maenhout
 
Using Database Constraints Wisely
Using Database Constraints WiselyUsing Database Constraints Wisely
Using Database Constraints Wiselybarunio
 
Vineet Choudhry Portfolio
Vineet Choudhry PortfolioVineet Choudhry Portfolio
Vineet Choudhry PortfolioRakesh Ranjan
 
The rise of the web 3.0 company, by Mr. Jacques Bughin
The rise of the web 3.0 company, by Mr. Jacques BughinThe rise of the web 3.0 company, by Mr. Jacques Bughin
The rise of the web 3.0 company, by Mr. Jacques BughinVlerick_Alumni
 

Similaire à Consumer Password Worst Practices (18)

IPv6 Adoption in the RIPE NCC Service Region
IPv6 Adoption in the RIPE NCC Service RegionIPv6 Adoption in the RIPE NCC Service Region
IPv6 Adoption in the RIPE NCC Service Region
 
Hacking Rapidshare
Hacking RapidshareHacking Rapidshare
Hacking Rapidshare
 
Wp consumer password_worst_practices
Wp consumer password_worst_practicesWp consumer password_worst_practices
Wp consumer password_worst_practices
 
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the Cloud
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the CloudWebinar: Top 5 Mistakes Your Don't Want to Make When Moving to the Cloud
Webinar: Top 5 Mistakes Your Don't Want to Make When Moving to the Cloud
 
AIS DIsaster Recovery & Business Continuity
AIS DIsaster Recovery & Business ContinuityAIS DIsaster Recovery & Business Continuity
AIS DIsaster Recovery & Business Continuity
 
From java to rails
From java to railsFrom java to rails
From java to rails
 
Firefox3.5 And Next
Firefox3.5 And NextFirefox3.5 And Next
Firefox3.5 And Next
 
Mobile Cloud Architectures
Mobile Cloud ArchitecturesMobile Cloud Architectures
Mobile Cloud Architectures
 
Vikas swarankar portfolio_25_oct_2011
Vikas swarankar portfolio_25_oct_2011Vikas swarankar portfolio_25_oct_2011
Vikas swarankar portfolio_25_oct_2011
 
Getting started with Cloud Foundry
Getting started with Cloud FoundryGetting started with Cloud Foundry
Getting started with Cloud Foundry
 
Getting started with Cloud Foundry
Getting started with Cloud FoundryGetting started with Cloud Foundry
Getting started with Cloud Foundry
 
Digital Futures Presentation Sept 09
Digital Futures Presentation Sept 09Digital Futures Presentation Sept 09
Digital Futures Presentation Sept 09
 
An Ecological Case Study of Two Middle Schools' Technology Integration
An Ecological Case Study of Two Middle Schools' Technology IntegrationAn Ecological Case Study of Two Middle Schools' Technology Integration
An Ecological Case Study of Two Middle Schools' Technology Integration
 
Presentation Trends Session
Presentation Trends SessionPresentation Trends Session
Presentation Trends Session
 
Using Database Constraints Wisely
Using Database Constraints WiselyUsing Database Constraints Wisely
Using Database Constraints Wisely
 
Are QR Codes Worth Their Ink?
Are QR Codes Worth Their Ink?Are QR Codes Worth Their Ink?
Are QR Codes Worth Their Ink?
 
Vineet Choudhry Portfolio
Vineet Choudhry PortfolioVineet Choudhry Portfolio
Vineet Choudhry Portfolio
 
The rise of the web 3.0 company, by Mr. Jacques Bughin
The rise of the web 3.0 company, by Mr. Jacques BughinThe rise of the web 3.0 company, by Mr. Jacques Bughin
The rise of the web 3.0 company, by Mr. Jacques Bughin
 

Plus de Michael Scovetta

The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client BackdoorMichael Scovetta
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForMichael Scovetta
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesSystematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesMichael Scovetta
 
High Assurance Systems (Fisher)
High Assurance Systems (Fisher)High Assurance Systems (Fisher)
High Assurance Systems (Fisher)Michael Scovetta
 
PROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationPROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationMichael Scovetta
 
National Cyber Range (Ranka)
National Cyber Range (Ranka)National Cyber Range (Ranka)
National Cyber Range (Ranka)Michael Scovetta
 
Scalable Cyber Deception (Ragsdale)
Scalable Cyber Deception (Ragsdale)Scalable Cyber Deception (Ragsdale)
Scalable Cyber Deception (Ragsdale)Michael Scovetta
 
Anomaly Detection at Multiple Scales (Waltzman)
Anomaly Detection at Multiple Scales (Waltzman)Anomaly Detection at Multiple Scales (Waltzman)
Anomaly Detection at Multiple Scales (Waltzman)Michael Scovetta
 
Secure Computer Systems (Shrobe)
Secure Computer Systems (Shrobe)Secure Computer Systems (Shrobe)
Secure Computer Systems (Shrobe)Michael Scovetta
 
Introducing the Ceylon Project
Introducing the Ceylon ProjectIntroducing the Ceylon Project
Introducing the Ceylon ProjectMichael Scovetta
 

Plus de Michael Scovetta (14)

Attacking the WebKit Heap
Attacking the WebKit HeapAttacking the WebKit Heap
Attacking the WebKit Heap
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
 
Smooth CoffeeScript
Smooth CoffeeScriptSmooth CoffeeScript
Smooth CoffeeScript
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking For
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesSystematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android Smartphones
 
HTML5 Web Security
HTML5 Web SecurityHTML5 Web Security
HTML5 Web Security
 
High Assurance Systems (Fisher)
High Assurance Systems (Fisher)High Assurance Systems (Fisher)
High Assurance Systems (Fisher)
 
PROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationPROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal Verification
 
National Cyber Range (Ranka)
National Cyber Range (Ranka)National Cyber Range (Ranka)
National Cyber Range (Ranka)
 
Scalable Cyber Deception (Ragsdale)
Scalable Cyber Deception (Ragsdale)Scalable Cyber Deception (Ragsdale)
Scalable Cyber Deception (Ragsdale)
 
Anomaly Detection at Multiple Scales (Waltzman)
Anomaly Detection at Multiple Scales (Waltzman)Anomaly Detection at Multiple Scales (Waltzman)
Anomaly Detection at Multiple Scales (Waltzman)
 
Secure Computer Systems (Shrobe)
Secure Computer Systems (Shrobe)Secure Computer Systems (Shrobe)
Secure Computer Systems (Shrobe)
 
Introducing the Ceylon Project
Introducing the Ceylon ProjectIntroducing the Ceylon Project
Introducing the Ceylon Project
 
The Ceylon Type System
The Ceylon Type SystemThe Ceylon Type System
The Ceylon Type System
 

Dernier

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 

Dernier (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

Consumer Password Worst Practices

  • 1. Consumer Password Worst Practices The Imperva Application Defense Center (ADC) Summary In December 2009, a major password breach occurred that led to the release of 32 million passwords1. Further, the hacker posted White Paper to the Internet2 the full list of the 32 million passwords (with no other identifiable information). Passwords were stored in clear- text in the database and were extracted through a SQL Injection vulnerability3. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys4. Never before has there been such a high volume of real-world passwords to examine. The Imperva Application Defense Center (ADC) analyzed the strength of the passwords. ADC 1 http://www.rockyou.com/help/securityMessage.php 2 http://igigi.baywords.com/rockyou-com-passwords-list/ 3 http://www.techcrunch.com/2009/12/14/rockyou-hacked/ 4 http://blog.absolute.com/passwords-are-not-enough/
  • 2. Consumer Password Worst Practices The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks. Furthermore, studies show5,6,7 that about one half of the users use the same (or very similar) password to all websites that require logging in. Ironically, the problem has changed very little over the past twenty years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords8. Just ten years ago, hacked Hotmail passwords showed little change9. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data. Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk. To quantify the issue, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account on every second or a mere 17 minutes to break into 1000 accounts. Key findings: » About 30% of users chose passwords whose length is equal or below six characters. » Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters. » Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”. 5 http://www.telegraph.co.uk/technology/news/6125081/Security-risk-as-people-use-same-password-on-all-websites.html 6 http://www.readwriteweb.com/archives/majority_use_same_password.php 7 http://www.thetechherald.com/article.php/200911/3184/Internet-users-still-using-same-password-for-all-Web-sites 8 http://www.klein.com/dvk/publications/passwd.pdf 9 http://www.switched.com/2009/10/07/hotmail-scam-reveals-most-common-password-123456/ Imperva White Paper < 2 >
  • 3. Consumer Password Worst Practices Analysis NASA provides the following Recommendations10 for strong password selection. The ADC used NASA’s standards to help benchmark consumers’ password selection: 1. Recommendation: It should contain at least eight characters. The ADC analysis revealed that just one half of the passwords contained seven or less characters. (Rockyou.com current minimal password length requirement is five). A staggering 30% of users chose passwords whose length was equal to or below six characters. Password Length Distribution 13 12 1.32% 2.11% 5 4.07% 11 3.57% 6 10 26.04% 9.06% 9 12.11% 7 8 19.29% 19.98% 2. Recommendation: It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password. The ADC analysis showed that almost 60% of users chose their passwords from within a limited set of characters. About 40% of the users use only lowercase characters for their passwords and about another 16% use only digits. Less than 4% of the users use special characters. Password Length Distribution 3.81% 1.62% 36.94% 41.69% 15.94% In fact, after evaluating the passwords against two of NASA's recommendations only 0.2% of Rockyou.com users have a password that could be considered as strong password: » Eight characters or longer » Contain a mixture of special characters, numbers and both lower and upper case letters. 10 http://www.hq.nasa.gov/office/ospp/securityguide/V1comput/Password.htm Imperva White Paper < 3 >
  • 4. Consumer Password Worst Practices 3. Recommendation: It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address. Almost all of the 5000 most popular passwords, that are used by a share of 20% of the users, were just that – names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”. The runner up is “12345”. The following table depicts the top 20 common passwords in the database list: Password Popularity – Top 20 Number of Users with Number of Users with Rank Password Rank Password Password (absolute) Password (absolute) 1 123456 290731 11 Nicole 17168 2 12345 79078 12 Daniel 16409 3 123456789 76790 13 babygirl 16094 4 Password 61958 14 monkey 15294 5 iloveyou 51622 15 Jessica 15162 6 princess 35231 16 Lovely 14950 7 rockyou 22588 17 michael 14898 8 1234567 21726 18 Ashley 14329 9 12345678 20553 19 654321 13984 10 abc123 17542 20 Qwerty 13856 If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou. com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts. And the problem is exponential. After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts. The following diagram depicts the expected effectiveness of attacks using a small, carefully chosen, attack dictionary: Accumulated Percent of Dictionary Attack Success 20% 15% 10% 5% 0 1 359 717 1075 1433 1791 2149 2507 2865 3223 3581 3939 4297 4655 Number of password tries Imperva White Paper < 4 >
  • 5. Recommendations Users: 1. Choose a strong password for sites you care for the privacy of the information you store. Bruce Schneir’s advice is useful: “take a sentence and turn it into a password. Something like “This little piggy went to market” might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary.”11 2. Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”12 3. Never trust a 3rd party with your important passwords (webmail, banking, medical etc.) Administrators: 1. Enforce strong password policy – if you give the users a choice, it is very likely that they would choose weak passwords. 2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login. 3. Make sure passwords are not kept in clear text. Always digest password before storing to DB. 4. Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slowly for any practical purposes even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc. 5. Employ a password change policy. Trigger the policy either by time or when suspicion for a compromise arises. 6. Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break. 11 http://www.guardian.co.uk/technology/2008/nov/13/internet-passwords 12 ibid Imperva Headquarters 3400 Bridge Parkway Suite 101 Redwood Shores, CA 94065 Tel: +1-650-345-9000 Fax: +1-650-345-9004 Toll Free (U.S. only): +1-866-926-4678 www.imperva.com © Copyright 2010, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-WORSTPRACTICES_PASSWORDS-0110rev1