You may snigger when you hear that a few months after the euphemistically named AdultFriendFinder was hacked, now Ashley Madison has had its turn. The site, which enthusiastically advertises its ability to connect people to have affairs, had its accounts compromised, according to security reporter Brian Krebs and confirmed by the company.
This site breach is the latest in a seemingly endless series of attacks against sites that have millions or tens of millions of user accounts, and in which that account information gets distributed widely. Crackers and white-hat hackers immediately start looking at the data, both to attack accounts and to warn users.
The conclusion that I draw from these breaches, and especially the recent LastPass account information compromise, is that we may be focusing too much on a strong password and not enough on unique passwords.
Now, I've been banging the drum of unique passwords for years, and regular readers may be tired of hearing me rant about it again. But because people still use the same password in many locations, and often one that's not strong to boot, it's worth explaining the rationale.
Strength through numbers
A strong password is one that can't be guessed from details about you: it's not a person's name in your family, the name of a pet, a past or current address in some form, or the like. It should also be highly resistant to brute force. You've probably seen in analyses of cracked sites that many people's passwords are "123456" or "password."
I spoke to a password and security researcher several months ago who noted that most of the sites that have detailed password requirements don't really improve the strength of a password, even when the red bar that shows a bad password switches to green--including Apple's own password-strength indicator. That's because those features only analyze whether or not you've got enough differentiation (or "entropy") in character choice--mixed case, numbers, and punctuation for instance. This increases the number of brute-force combinations that have to be tried, and thus are scored highly on the red-to-green quality bar.
But "Password1!" is very easy for a cracker to crack because they now walk down selective paths that are based on information derived from previous large-scale cracks. Their tools know that people will add the least amount of complexity and the simplest choice needed. Thus, they type "Password" (upper and lower case) plus the first number on the keyboard, plus the key-cap of that number. Green? Yes, if you look at the quality bar. But it's very red in actual fact.
As I've written about before, a set of a few words uncommonly found together and sufficiently long, like "Christmas penguin haircut" is many, many, many orders of magnitude harder to crack than "B@z00ka!!" or even "JWT74PV5JVaj". That's because even if the crackers know three words are involved, the number of iterations to find them is still enormously high if the combination isn't found in typical online texts--like webpages or books--in that language. (Don't pick "Call me Ishmael.")
Sign up for CIO Asia eNewsletters.