I’ve blogged often about the issues of identity, passwords, lack of security and the whole gamut of how mobile internet combined with social media changes everything. Now it’s hit the mainstream media: the British Airways in-flight magazine has cybercrime on its front page.
The first line gives away the rhythm of the article: “How do hackers crack a corporation? Their top tool is you.”
The article talks about everything from plugging in a USB stick, which immediately creates an opportunity for hijacking, to the vulnerabilities of copying corporate work to your private Gmail account.
Scary stuff, and rightly so.
It also touches upon the commonest passwords used on the internet, which happened to sync up with a couple of other articles I was reading recently.
The first talked about the top passwords people use, with the number one password being ... ‘password’.
Wanna know the rest?
Well here you go:
1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1
The second talked about PIN numbers, and they’re pretty easy to crack too. Wanna know the #1 PIN? Yes, it’s ‘1234’.
If that doesn’t work, try anything from ‘0000’ to ‘9999’, and one of them will probably crack open the vault. For example, here’s the top 20:
1. 1234
2. 1111
3. 0000
4. 1212
5. 7777
6. 1004
7. 2000
8. 4444
9. 2222
10. 6969
11. 9999
12. 3333
13. 5555
14. 6666
15. 1122
16. 1313
17. 8888
18. 4321
19. 2001
20. 1010
So it’s pretty obvious that easy-to-remember numbers and words are the order of the day when cracking passwords and PINs.
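As an added example (not code from this post or its author): a deny-list check built from the two lists above, extended to the patterns behind them (ascending or descending runs, repeated pairs, year-like PINs, simple “leet” respellings) so that near-misses such as ‘P@ssw0rd1!’ are rejected as well. The leet substitution map, the 8-character minimum and the 1900–2030 year range are my assumptions, not figures from the post.

```python
import re

# Constructed from the top-25 password and top-20 PIN lists in the post above.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
}
COMMON_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222",
    "6969", "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321",
    "2001", "1010",
}
# Assumed substitutions people use to "disguise" a dictionary word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})

def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet spellings."""
    core = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", core) or core  # keep all-digit input intact
    return stripped.translate(LEET)

def password_weakness(password: str):
    """Return the reason a password is rejected, or None if no rule fires."""
    if password.lower() in COMMON_PASSWORDS:
        return "on the common-password list"
    guess = normalise(password)
    if guess in COMMON_PASSWORDS:
        return f"disguised form of {guess!r}"
    if len(password) < 8:  # assumed minimum length
        return "shorter than 8 characters"
    return None

def pin_weakness(pin: str):
    """Return the reason a 4-digit PIN is rejected, or None if no rule fires."""
    if not re.fullmatch(r"\d{4}", pin):
        return "not four digits"
    if pin in COMMON_PINS:
        return "on the common-PIN list"
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):  # 5678, 9876 ...
        return "ascending or descending run"
    if pin[:2] == pin[2:] or (pin[0] == pin[1] and pin[2] == pin[3]):  # 8686, 7733
        return "repeated pair pattern"
    if 1900 <= int(pin) <= 2030:  # assumed range of birth/memorable years
        return "looks like a year"
    return None
```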
In fact, company systems are also easy to crack, as illustrated by Paul Ducklin of Sophos, who cracked open the Philips company databases this year by using the really difficult-to-find password: ‘Philips’.
Wow! Such high-level security is unheard of and reminds me of my favourite story of Aaron Barr, the head of security at the leading US cybersecurity firm HBGary, who got pwned by @Anonymous by using the same username and password for his LinkedIn account and corporate Google account.
Aaron is now on everyone’s z-list, but that doesn’t cut it.
The bottom line is that in today’s world of mobile internet with 24*7 access, passwords are just so 20th century.
We should be using biometrics or something similar.
Personally, my favourite is DNA as it would allow me to spit on my bank and they would welcome me for doing so.
I’m not sure it’ll take off however, as the technology is not quite right yet.

Thanks Chris. Who knows... in the days to come... even DNA may be duplicated...
Posted by: Guru_raghavan | November 20, 2012 at 08:49 AM
The casual advocacy of biometrics really has to stop. These technologies are not what they seem.
Most people get all their understanding of biometrics from science fiction movies, and vendors do bugger-all to round out the public's understanding. There's an amazing double standard where the truism that there is no perfect security gets shoved aside by unquestioned assumptions of biometrics being "unique" (they're just not).
But with a few moments' reflection even lay people spot one of the fatal flaws: a biometric cannot be cancelled and reissued in the event it is stolen. With a little more time, business people can get a handle on crucial practical matters like the security-convenience tradeoff, the reality of Reverse Engineering (so much for biometrics being 'impossible to forge' as many vendors claim) and the inherent difficulty of card-less biometric ATMs (which will occasionally commit a False Match and thus give you access to someone else's money).
So please, you shouldn't even joke about DNA as a biometric.
More at
http://lockstep.com.au/blog/2012/10/20/biometrics-and-privacy-basics
http://lockstep.com.au/blog/2012/05/06/biometrics-must-be-fallible
Posted by: Steve_Lockstep | November 20, 2012 at 11:15 PM
Raghavan quipped "in the days to come, even DNA may be duplicated". Indeed! Pluck someone's hair, or even shake their hand, and you've got enough of their DNA to spoof them.
Truly, of all the biometrics, DNA has to be the craziest.
Posted by: Steve_Lockstep | November 20, 2012 at 11:34 PM
Next generation authentication will be... (drumroll) your mobile phone. It's something you know, you have, you are.
Posted by: Iang [==> Something you know, you have, you are] | November 21, 2012 at 12:48 AM
So, once you give your DNA, everyone knows it, can replicate it and reuse it in whatever way they could think?
Posted by: Sava | November 21, 2012 at 08:28 AM