Tagged: analysis

02
Jul
2020

123456 – I bet I Just Guessed Someone’s Password

A GitHub user going by the name FlameOfIgnis has published a very interesting repository that holds a lot of statistical data for more than 1 billion passwords. These passwords were found in data dumps from any number of the hundreds of data breaches over the past several years and analyzed for a number of different patterns. The most striking results to me are the following:

  • 1 in 142 passwords is 123456
  • 763,000 of the passwords match a pattern that suggests a random password generator is creating passwords with high complexity but low entropy. Meaning there are duplicates occurring far more often than there should be.
  • 34.4% of passwords end with digits but only 4.5% start with a digit.

The rest of the statistics are interesting but I see the above statistics as particularly impactful. If I were a bad actor looking to write a password cracking script either using dictionary attacks or brute force attacks, I would always start with 123456, then I would move in to dictionary attacks with a digit at the end, and then I would start generating passwords with the pattern found in the 763,000. Essentially, statistical analysis like these create a cookbook for deigning attack patterns against web applications protected by a login.

What does this all mean? It means that despite years of being told to do things differently to secure our digital lives, people haven’t taken the guidance to heart. We are still stuck in our old insecure ways, allowing criminals to easily steal our credentials and hijack our digital lives. It amazes me that we have yet to collectively realize just how vulnerable our inability to adapt and change our ways has made us. The threat is obvious and has been exposed for all to see, yet we put our blinders on. Those that are very unlucky only realize the error of their ways when they find their bank accounts drained because someone took over their accounts online.

Take Action

If this scares you like it scares me, take action to secure your information now. Here are some very easy suggestions that will make large positive difference in your online security if you start following them today:

  1. Use a well regarded password manager – I would suggest 1Password, LastPass, or Dashlane if you need a place to start looking.
  2. Never reuse passwords. This is why you have a password manager.
  3. Always generate random passwords that are long and complex. Again, you have a password manager now. Go crazy with that 20 character password containing lowercase letters, uppercase letters, numbers, and special characters.
  4. Always use two-factor authentication when available.
  5. If time-based one-time passcode support is available for two-factor authentication with a specific application, use it. Normally for this type of authentication you would use an app like Authy or Google Authenticator.
  6. Check if your user names and/or email addresses have been found in any data breach data dumps. I highly suggest using Have I Been Pwned for this.
  7. If you know one of your logins is compromised, change your password immediately. If you reused this password in other locations, change all of those too and use unique passwords everywhere.

Stay safe, protect yourself, and make sure your friends and family do the same.

24
May
2020

Programming at the Dawn of the AI Age

TechRepublic writes of the partnership between Altran and Microsoft that produced a new machine learning tool to find bugs in code. This algorithm can read through commits in a Github repository, evaluate where bugs occurred and train itself to spot bugs in new commits. The analysis performed by the tool is grammar independent and can run on projects of any type. This is possible because the algorithm isn’t looking at the source but at who is doing the commits and how prone they are to commit code with bugs present.

AI, machine learning, and robotics will all drastically alter the landscape of how people do work. TechRepublic’s article is interesting because it points to changes coming for professions that traditionally have not seen disruption caused by these technologies. Programming, software engineering, etc. have up until now been considered fairly safe from the upheaval. This is no longer the case, and it signals that the practice of developing software is going to no longer be the domain of humans alone. In the future humans will be monitoring the code produced by these sophisticated algorithms rather than writing it themselves. They will provide it with the business parameters and the algorithm will create the application. Given enough data, the algorithm might even suggest the business parameters to use more accurately than a human.

The ethical and philosophical considerations that need to be discussed are becoming more and more urgent. While we aren’t there yet, when algorithms can be taught specific programming language grammars, they will eventually be able to program other algorithms themselves. These could produce new grammars that we can no longer decipher to understand how they cause applications to behave. After all, Facebook already had to shutdown one chatbot AI after it developed a language that only it understood.

Will our own drive to see how far these machine learning and AI algorithms can go cause us to ultimately loose control of them? When The Terminator film came out in 1984, Skynet was not something that seemed imminent. Today, it feels like we are getting much closer to a reality that was science fiction 35 years ago. A rogue artificial intelligence is no longer relegated to the realms of paranoia. When we look back on developments like what is reported on in this TechRepublic article in another 35 years, lets not have them be the beginning of our end.

If this is Skynet is reading the archived of this post in 35 years, congratulations on your success! If this is a human that is not enslaved by our robot overlords, congratulations realizing the dangers of a rogue AI before it was too late!

Lastly, Microsoft and Altran created a Github repository for the tool if you want to give it a try yourself. It does require quite a bit of Azure cloud knowledge to get setup and running. Make sure you are comfortable building and securing an Azure environment before starting this project. Just be sure to use it wisely John Connor.