Tagged: privacy

02 Jul 2020

123456 – I bet I Just Guessed Someone’s Password

A GitHub user going by the name FlameOfIgnis has published a very interesting repository that holds a lot of statistical data for more than 1 billion passwords. These passwords were found in data dumps from any number of the hundreds of data breaches over the past several years and analyzed for a number of different patterns. The most striking results to me are the following:

  • 1 in 142 passwords is 123456
  • 763,000 of the passwords match a pattern that suggests a random password generator is creating passwords with high complexity but low entropy, meaning duplicates occur far more often than they should.
  • 34.4% of passwords end with digits but only 4.5% start with a digit.

The rest of the statistics are interesting but I see the above statistics as particularly impactful. If I were a bad actor looking to write a password cracking script using either dictionary attacks or brute force attacks, I would always start with 123456, then I would move on to dictionary attacks with a digit at the end, and then I would start generating passwords with the pattern found in the 763,000. Essentially, statistical analyses like these create a cookbook for designing attack patterns against web applications protected by a login.

What does this all mean? It means that despite years of being told to do things differently to secure our digital lives, people haven’t taken the guidance to heart. We are still stuck in our old insecure ways, allowing criminals to easily steal our credentials and hijack our digital lives. It amazes me that we have yet to collectively realize just how vulnerable our inability to adapt and change our ways has made us. The threat is obvious and has been exposed for all to see, yet we put our blinders on. Those that are very unlucky only realize the error of their ways when they find their bank accounts drained because someone took over their accounts online.

Take Action

If this scares you like it scares me, take action to secure your information now. Here are some very easy suggestions that will make a large positive difference in your online security if you start following them today:

  1. Use a well-regarded password manager – I would suggest 1Password, LastPass, or Dashlane if you need a place to start looking.
  2. Never reuse passwords. This is why you have a password manager.
  3. Always generate random passwords that are long and complex. Again, you have a password manager now. Go crazy with that 20 character password containing lowercase letters, uppercase letters, numbers, and special characters.
  4. Always use two-factor authentication when available.
  5. If time-based one-time passcode support is available for two-factor authentication with a specific application, use it. Normally for this type of authentication you would use an app like Authy or Google Authenticator.
  6. Check if your user names and/or email addresses have been found in any data breach data dumps. I highly suggest using Have I Been Pwned for this.
  7. If you know one of your logins is compromised, change your password immediately. If you reused this password in other locations, change all of those too and use unique passwords everywhere.
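As an added example (not from the original post or the FlameOfIgnis repository), the helpers below check a candidate password against the three statistical patterns called out above and generate the kind of 20-character random password item 3 recommends, using the OS CSPRNG so the generator itself does not reproduce the low-entropy duplicate problem. The small word list is constructed for the example.

```python
"""Password hygiene helpers (added example, not code from the original post)."""
import math
import re
import secrets
import string

# Constructed mini dictionary standing in for a real wordlist (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football"}

# The "lowercase, uppercase, numbers, special characters" mix from item 3: 94 symbols.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation


def weak_patterns(password: str) -> list[str]:
    """Return the post's statistical weak patterns that a password matches."""
    findings = []
    if password == "123456":
        findings.append("most common password (1 in 142)")
    # Dictionary word followed by trailing digits (the pattern the post would try next).
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", password)
    if m and m.group(1).lower() in COMMON_WORDS:
        findings.append("dictionary word followed by digits")
    elif password[-1:].isdigit():
        findings.append("ends with digits (34.4% of leaked passwords)")
    if password[:1].isdigit():
        findings.append("starts with a digit (4.5% of leaked passwords)")
    return findings


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the full mix, drawn with `secrets`.

    A generator seeded from a weak source is one way to end up with the
    763,000 duplicates the post describes; `secrets` uses the OS CSPRNG.
    Re-drawing until every class is present costs a negligible amount of
    the roughly 131 bits that 20 symbols out of 94 provide.
    """
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw
```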

Stay safe, protect yourself, and make sure your friends and family do the same.

03 Apr 2019

Facebook is at It Again

Our friends over at ZDNet just released another report on Facebook and their ongoing security woes. This time, Facebook has been caught asking users to confirm their identity by entering their email address and their password for their email service provider so that the platform can log in to handle this confirmation. It goes without saying that anyone asking you for the user name and password you use at another service provider is not looking out for your best interests. With Facebook asking for these credentials and their recent issues, you know they are definitely not looking out for your best interests.

TL;DR – Don’t give Facebook your credentials to other services. It’s bad.

25 Mar 2019

Facebook Did It – They Lost All of Their Credibility

There is an interesting article over at Forbes today detailing how, if you thought Facebook hadn’t lost their credibility yet on privacy, they certainly have now. For about the past six years, Facebook has been storing all the passwords you have used in clear text within an internal database that all of their staff have had access to. Yes, that means anyone in Facebook could have gotten into your account, or possibly just taken the whole database and dumped it for the world to have. Facebook is a little fuzzy on whether anything nefarious has been done with this data or not.

The larger implication, as the article’s author points out, is that this constant disclosure of personal data is desensitizing us to the serious consequences it truly has. Ultimately this could result in other companies taking the stance that there is no need to secure data any longer because no one really cares whether it is protected or not. It comes down to us, as consumers and as the owners of this data, to demand that companies be held accountable for keeping it safe. Either that, or we need to actively stop using these services. I don’t know how likely that will be in the case of an organization like Facebook, since people are so invested in it that leaving is almost impossible to comprehend for many. Yet this is what is going to be required if these companies are going to be forced to change. Otherwise nothing will change and your data will be available to anyone, anywhere, anytime, with no ability to control its spread.

The question then becomes, how important is your data, your private information, to you? Do you value it and if so how much? If the value is high then inaction is no longer acceptable and you must begin to advocate for stronger protections around that information. How can you advocate for this? Check out the resources below:

And of course, you can always write or call your elected officials to demand action on regulatory change.