The Pathetic Reality of Adobe Password Hints

The leak of 150 million Adobe passwords in October 2013 is perhaps the most epic security leak we have ever seen. It was huge, not just because of the sheer volume of passwords, but because it is such a large dump from a single site, which allows for a much better analysis than earlier sets. But there is something unique about the Adobe dump that makes it even more insightful: about 44 million of the records include the user’s password hint. Even though we still haven’t decrypted the passwords, the hint data alone is extremely useful.

One thing I have pondered over the years in analyzing passwords is trying to figure out *what* the password is. I can determine if the password contains a noun or a common name, but I can’t always determine what that noun or name means to the user.

For example, if the password is Fred2000, is that a dog’s name and a date? An uncle and his anniversary? The user’s own name and the year they set up the account? Once we know the significance of a password we gain a huge insight into how users select passwords. But I have never been able to come up with a method to even remotely measure this factor. Then came the Adobe dump.

The sheer amount of data in the Adobe dump makes it a bit overwhelming and somewhat difficult to work with, but if you remove the least common and least useful hints the data becomes more manageable. Using a trimmed-down working set of about 10 million passwords, I was able to come up with some interesting insights.

Just glancing at the top one hundred hints, several patterns immediately become clear: a large percentage of the passwords are the name of a person, the name of a pet, the name of a place, or an important date.

Take dates for example. Consider the following list of top date-related hints:

Hint          Total   Note
birthday      29425
bday          17697
date          15272
birth         14956
DOB           13109
niver          9484   Spanish: anniversary (short for aniversario)
fecha          8899   Spanish: date
naissance      7892   French: birth
anniversary    6959

In all, there are about 420,000 passwords with a date-related hint, which represents about 3.6% of the passwords in the working set.

We see similar trends with dog names, which account for 375,000 passwords or 3.2% of the total (plus another 120,000 that mention “pet”):

Hint          Total   Note
dog           70550
dogs name     13559
my dog         9780
dog’s name     8191
dog name       8187
perro          8000   Spanish
hund           7185   German, Danish, Swedish, Norwegian
first dog      5653
chien          5542   French
doggy          5184

One interesting insight offered here is something we already know but find difficult to measure: password reuse. Surely a large percentage of these users have the same password across multiple sites, but it is interesting that about 361,000 users (or 3.11%) state this outright in their password hints:

Hint             Total   Note
same             44565
password         14634
always           13329
la de siempre     8559   Spanish: as always, or the usual
same as always    8289
usual password    5277
same old          5111
siempre           4163   Spanish: always
normal password   3898
my password       3022

Keep in mind that these are just those passwords that admit to reuse in the hint. The number of passwords actually in use across multiple sites certainly is much greater than this.

Looking at the three lists above, nearly 10% of the passwords fall into just these three categories. Adding names of people and places would likely account for another 10%.
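To make the categorization concrete, here is an added example (my own code, not the original post’s tooling) that applies the same keyword approach to a constructed list of hints: it normalizes each hint, tags it with the date, dog and reuse categories using whole-word matching on the terms from the tables above (plus plural forms), and reports per-category counts and shares alongside the most common hints. The SAMPLE_HINTS list and the exact keyword lists are assumptions for illustration; a real run would read one hint per line from the dump.

```python
"""Hint classification in the spirit of the analysis above.

Added example, not the original post's tooling. The keyword lists are
taken from the hint tables on this page (plus plural/variant forms); the
SAMPLE_HINTS below are constructed for illustration, not Adobe data.
"""
import re
from collections import Counter

# Category -> keywords. Multi-word entries are matched as whole phrases.
CATEGORIES = {
    "date": ["birthday", "bday", "date", "birth", "dob", "niver",
             "fecha", "naissance", "anniversary"],
    "dog": ["dog", "dogs", "doggy", "perro", "hund", "chien"],
    "reuse": ["same", "password", "always", "la de siempre", "usual",
              "siempre", "normal password", "my password"],
}

# Constructed sample; a real run would read one hint per line from the dump.
SAMPLE_HINTS = [
    "birthday", "my dog's name", "same as always", "la de siempre",
    "DOB", "perro", "first car", "mom's maiden name", "Hund!",
    "usual password", "niver", "favorite color", "birthday",
    "same as my dog's bday", "naissance", "siempre", "nothing",
    "doggy", "the usual", "fecha de nacimiento",
]


def normalize(hint):
    """Lower-case, replace punctuation (including curly quotes) with
    spaces and collapse whitespace, so "Dog’s name" and "dogs name"
    compare sanely."""
    text = re.sub(r"[^a-z0-9]+", " ", hint.lower())
    return " ".join(text.split())


def classify(hint):
    """Return the set of categories whose keyword occurs as a whole word
    or phrase in the hint. Whole-word matching avoids false hits such as
    "date" inside "update" or "dog" inside "dogma"."""
    padded = f" {normalize(hint)} "
    return {cat for cat, words in CATEGORIES.items()
            if any(f" {word} " in padded for word in words)}


def tally(hints):
    """Count hints per category and as a share (%) of the working set.

    A hint that names two categories ("same as my dog's bday") is counted
    once in each, like the per-category totals above, so the category
    shares do not simply sum to the "any" share.
    """
    total = len(hints)
    counts = Counter()
    matched = 0
    for hint in hints:
        cats = classify(hint)
        counts.update(cats)
        matched += bool(cats)
    result = {cat: (counts[cat], round(100.0 * counts[cat] / total, 1))
              for cat in CATEGORIES}
    result["any"] = (matched, round(100.0 * matched / total, 1))
    return result


def top_hints(hints, n=10):
    """Most common hints after normalization, i.e. the tables above."""
    return Counter(normalize(h) for h in hints).most_common(n)


if __name__ == "__main__":
    for cat, (count, pct) in tally(SAMPLE_HINTS).items():
        print(f"{cat:6} {count:4d} {pct:5.1f}%")
    for hint, count in top_hints(SAMPLE_HINTS, 3):
        print(f"{count:4d}  {hint}")
```

Two things worth noticing when you run this against real data: normalization merges variants such as “dog’s name” and “dogs name” that the raw tables list separately, and a hint can legitimately land in more than one category, which is why the “nearly 10%” figure for the three lists combined is an upper bound rather than an exact sum.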

So what did we learn by analyzing these hints? First, that you should never use password hints; if users forget their password, they should use the password reset process. Second, that decades of user education has completely failed. No matter how much we advise against using dates, family names or pet names in passwords, and no matter how much we tell people not to use the same password on multiple sites, you people will just do it anyway.

This is why we can’t have nice password policies.


Ars Technica Says Don’t Punish the Users

I was reading an Ars Technica article about how some people were angered by LulzSec releasing a sample of the Sony passwords they took. It quoted one Twitter user who basically told them not to punish the users for Sony’s sake.
But here’s the problem with that argument: those one million accounts have already been hacked, and at least a few people already have that information. Making the list public forces Sony and the users to take this seriously. If the list is not made public it is too easy to get lazy about it.
Hiding the passwords really doesn’t protect those users one bit, whereas making this stuff public will bring a lot of attention to the matter.

It’s been a decade, how secure are you now?

A month ago I downloaded a well-known shareware application from a download web site–a site that has been around long enough for me to recognize the name. I wanted to test the download speeds on a freshly installed Windows 2008 server in my data center and multi-threaded download managers are a good way to load up your bandwidth pipe. I double-clicked on the installer, saw my mouse turn to an hourglass, and then disappear. I saw the hard drive lights flicker a few times, and then nothing else happened.

I knew right away something wasn’t right and that was quickly confirmed when I realized I couldn’t launch Task Manager or Regedit: I was infected with malware. A trojan to be more specific.

In the last ten years I have been infected once or twice before–usually by something minor like spyware attached to a game my kids downloaded–but I had never had anything major like this. Bringing up a command prompt, I quickly fought the infection with the arsenal of command lines I had gathered over the years. But once I thought I had the thing completely gone, it would once again appear in my task lists and RunOnce entries.

It didn’t take long for me to realize that it was using WMI events to keep itself alive on my system. Because these types of infections are difficult to detect and even more difficult to remove, I went after the file system, removing any binaries related to the trojan. Using timestamps and several SysInternals tools, I was able to eliminate all of the infected files, although the trojan was still active–albeit neutered–on my system.

I spent two days working on the server and ultimately ended up with a system that would blue screen before loading Windows. I finally just gave up and reinstalled the system to a fresh state. What bothered me most wasn’t the time I had wasted fighting this trojan, it was the fact that it had beat me. In fact, it beat me using the very same tactics I myself had developed and used over the years.

But as I got to thinking, I realized that what really bothered me is that this was a fully patched server running Windows 2008 behind two firewalls. And I was downloading a trusted application from a web site I recognized. And most of all, it bothered me that this is 2009 and I still got infected.

A decade ago I remember telling my clients that it would take ten years for the tech industry to get caught up with security. There was simply too much stuff to fix and not enough talent to fix it. Well, those ten years have come and I wonder how those clients are doing now. The daily security headlines nowadays really aren’t much different than they were in 1999. Some new worm threatens the Internet infrastructure. Some .gov or .mil was hacked, probably by the Chinese, and it turns out you can still get hacked no matter how many initials you have after your signature and no matter how many standards you comply with.

It’s 2009 and I am still forced to use ancient, unencrypted protocols like FTP, Telnet, and SNMP. And even where public key encryption is commonplace, as with SSL-encrypted protocols, I still find myself faced with things like having to decide whether or not to trust a self-signed certificate.

Then there’s e-mail. Not only is it unencrypted, but it is unauthenticated and also subject to tampering. Nevertheless, I finally stopped installing PGP on all my computers because no one ever sends me PGP-encrypted e-mails and no one is ever able to read the ones I send encrypted. And this is 2009.

Even though it’s 2009, so many are still fooled by those fake e-mails from their banks. And even though spam filters work pretty well at protecting us from seeing our spam, there are still thousands of spam messages that end up on my servers every day.

And when I send an e-mail, there’s no guarantee that only the recipient will receive my message. There’s no guarantee that others can’t read or even modify my message.

Ten years ago we knew exactly what it would take to fix our security problems. We got the firewalls down pretty good. Code is generally more secure now. And most of us are good at keeping our systems up-to-date with patches.

But we still don’t have widely adopted solutions for authentication, encryption, and data integrity. We still have weak passwords, and our mothers still have the same maiden names. And most people are simply too underequipped or undermotivated to combat the skills of the malware developers.

That means that despite all our advances in security technology, the best ways to hack someone are the same as they have always been—through a malicious e-mail attachment, or some infected download, or simply guessing someone’s password.

This is a serious problem, a problem that will take a decade to fix.

A CAPTCHA Nightmare

What distinguishes an effective CAPTCHA from a poor one is the ability to make things hard on non-humans without making things hard on humans. Most of the CAPTCHAs I see out there fail on one of those two counts.

But while I thought I had seen the worst CAPTCHAs ever, I stumbled across RapidShare’s new CAPTCHA. In the past I have actually praised their CAPTCHA because it was so user friendly. It wasn’t case-sensitive, and when there were ambiguous characters (the number 0 vs. the letter o), it always seemed to work.

Obviously the CAPTCHA was flawed and a number of people wrote some bots and other tools to bypass it. RapidShare felt a need to tighten things up a bit so they came up with the Cat CAPTCHA:

[Image: Cat CAPTCHA]

Now it is important to note that if you are not a RapidShare member you often have to wait to be able to download a file. In this case I had to wait three minutes before I even got to the point where I could enter the CAPTCHA. Already thinking this was an annoying CAPTCHA I also grabbed a screen shot.

Now if you look closely, it says to enter all letters having the image of a cat. Looking at the image, I saw both numbers and letters so, while it made me pause and think more than most CAPTCHAs would, I figured the answer was NTPS. The caption says there are four letters, the text box limits your input to four characters, everything was all caps, and so I figured I was all set.

It turned out that NTPS wasn’t the correct answer and it put me back into the queue to wait another three minutes. After the timer finished counting down, RapidShare presented me with another CAPTCHA to solve:

[Image: RapidShare CAPTCHA]

This CAPTCHA was all letters and they all had little cats on them so this seemed easier, but as I started typing I remembered that the text input box only allowed four characters. So which four are the answer? I tried the first four but that didn’t work.

Thinking it might be a browser issue, I tried different browsers, but quickly discovered that after three failures it locks you out. And it doesn’t do this based on a cookie, it’s based on your IP address! Being behind a NAT’d connection, I guess I just locked out my entire ISP from using RapidShare.

At this point I did some searching and found out that I am just one of hundreds of people blogging about this.

It turns out that I wasn’t being careful enough, because what RapidShare doesn’t tell you is that some of those images on the letters are actually dogs, not cats. I must be a bot.

Looking (very) close I finally determined that the correct answer to the CAPTCHA above would have been NERW. Geez, they could at least start showing the CAPTCHA during the countdown so you can get started working on it.

This CAPTCHA fails in so many ways it is amazing:

  1. They rely too much on their description, which pretty much eliminates anyone who doesn’t speak that language.
  2. They lock you out by IP address.
  3. If you have to squint or enlarge the picture to figure out the CAPTCHA then something is probably wrong. Try entering this thing on your iPhone outside in the sun.
  4. If someone needs to post on Yahoo! Answers to figure out your CAPTCHA then something is probably wrong.
  5. If a Yahoo! search for “rapidshare captcha” returns 79,500 results, then something is probably wrong.

RapidShare’s response to the issue is this:

“As every free user should have noticed, we are experimenting once again with the CAPTCHA system. The reason is that RapidShare is popular enough for people to create tools to download from RapidShare as a free user as if they were a premium user. This has a negative impact for our paying premium users, since they expect a fast download.”

In the meantime they are probably losing a lot of visitors and completely destroying the already fragile user experience with CAPTCHAs.

So many Windows to break

I just finished writing patch reports for the Windows systems I support for my clients or for my own business. After you put together all the Vistas, XPs, 2000s, 2003s, service packs, R2s, x64s, and IE6s and IE7s, the list of patches that need testing is quite long. And confusing.
Fortunately I don’t have to support any Itanium systems. Nor do I have to deal with XP Media Center, XP Tablet, Small Business Server, Home-editions, or non-English versions. So there are people much worse off than me. I do, however, have to deal with patching Office XP, 2003 and 2007.

And it seems that very soon we will have to address Windows 7, which could come as soon as next year, and Microsoft has extended the availability of XP home for ultra-low-cost PC’s up to June 2010 so those XP patches could still be around for quite some time.

Nevertheless, I imagine that my headache is nothing compared to what Microsoft has to deal with getting ready for Patch Tuesday. While Microsoft has made tremendous progress in patch management over the last five years, this obviously is an area with lots of room for improvement.

10 Ways to add to my paranoia

A couple of years ago I wrote an article at SecurityFocus.com about my security paranoia, which left a lot of people thinking I had gone way too far and perhaps needed some mental help. In the article I wrote that instead of the word paranoia, I prefer meticulous precaution.

With astronomical growth in spyware and an increase in search engine poisoning, how is my meticulous precaution doing? Well, it’s just plain paranoia now.

So in addition to all the well-known best practices and the stuff I mentioned a couple years ago, here are some additional precautions I feel compelled to take:

1. I have an isolated virtual machine always open that I use just for e-mail and instant messaging. This machine is a member of my domain because I need to move stuff in and out of there so often, but firewall rules and other precautions limit its exposure. Plus I never browse the web from this machine.

2. I have another virtual machine always open for general web browsing and downloading. In this VM I have IE7, Firefox, Netscape, Opera, and Safari installed, as well as all the file downloaders, proxies, filters, and anything else cool I find. The browser security settings themselves are moderately secure, but relaxed enough for good web compatibility. This is where I do all my web 2.0 stuff.

3. I have another extremely isolated and extremely hardened virtual machine for more adventurous web browsing and other risky internet stuff. Just IE7 and Firefox here but lots of scanners, blockers, filters, and just about every security-related add-in I can find. I usually keep scripts, active content, and even images turned off in the browsers. Oh yeah and this vm isn’t even on my physical machine here, it’s at my data center and I connect to it via Terminal Services.

4. And of course I have a separate virtual machine on standby (suspended) for all my financial stuff. There are also a few other VMs I keep on standby for other dedicated and potentially sensitive tasks. All these virtual machines mean I need 4GB of RAM and 3 monitors to get any work done.

5. Speaking of financial stuff, whenever I create a new financial account, I set up a new e-mail alias just for that account. In the case of PayPal, I created the account under that unique e-mail address but I added several other e-mail aliases that I can give out to people when they pay me so I never have to reveal my secret login address. When I get an e-mail from PayPal to any address but the secret one my Outlook rules will automatically discard it. And speaking of PayPal, I highly recommend spending five bucks to get a security key for your account.

6. I also use secret e-mail addresses for handling sensitive information. The fact that GMail keeps every e-mail forever is kind of scary, especially since it is a web-based app that could so easily fall prey to a cross-site scripting or similar attack. This is especially a problem because so many web sites insist on sending you a plaintext e-mail with the account information you just set.

So I have an incoming mail filter on my GMail account that looks for words like “password” and “login information,” automatically forwards them on to another non-public e-mail address, and then deletes GMail’s archive copy. If you use Gmail, do a search for “password” and see what it comes up with. In case you were wondering, yes I do need a spreadsheet to keep track of all my e-mail accounts.

7. I frequently exit out of then re-open my web browsers, which are set to clear cache, history, and cookies upon exiting. I don’t want some cross-site scripting attack stealing any session cookies. And I never log out from a sensitive web site, I always exit the browser.

8. Occasionally I use the snapshots feature of VMWare to roll back the OS partition of my most sensitive machines. It’s my version of a Crazy Ivan.

9. And most importantly I back up frequently so I have no problem wiping a machine and starting from scratch if I suspect a malware infection or security breach.

10. Ok, well I’m withholding number 10 because I’m just too paranoid to tell you about it.

There’s always a good analogy in an old lady driving down the road dragging a mattress

Today I was driving on the freeway and couldn’t avoid driving over a flattened cardboard box. I looked in my rearview mirror waiting for it to fly out behind me but it never did. Great, I was driving down the freeway with a box stuck to my car.

Why I miss hacking

I have a problem with my two-year old: he keeps getting out of his bedroom. This morning it was 4am and he was climbing over me and my wife, patting us on our heads.

It’s not like we haven’t tried containing him. It started when he wouldn’t go down for naps. As a quick fix I just hooked a bungee cord from his door to the closet door in the hall, which really didn’t work and was probably kind of dangerous.

Mandatory Integrity Control

I thought I would write about a technology introduced in Windows Vista called Mandatory Integrity Control (MIC), which is an access control scheme that Microsoft developed partially based on previous work by others, in particular the Biba model.

Superbowl commercials, a broken window, and a virus

This morning, after being startled by two of my sons arguing over who had the longest turn playing Guitar Hero, and still not quite ready to get out of bed, I grabbed the remote control and started up the DVR recording of the Super Bowl. As my eyes were still trying to focus, I sped forward to the first commercial break then hit play.