When it comes to being targeted by a hacker, you’re more likely to be a fish than a deer.
Unlike in the movies, where cybercriminals are able to pinpoint their victims (deer), real-life bad guys are automating attacks across large pools of people (fish) in hopes of stealing data from a few.
A recent hack on a social-gaming company called RockYou suggests that hackers can be more efficient when they target large groups of people rather than trying to crack one person’s password. By casting a wide net, a hacker gained control of over 32 million RockYou user passwords. Security company Imperva, which discovered and announced the security hole in RockYou’s database systems, analyzed the stolen passwords and published a paper based on the password data.
Here’s what Imperva found: The most common password used was “123456,” followed by “12345″ and “123456789.” All in all, more than half a million people chose passwords composed of only consecutive numbers. So, if a hacker tried to log in to all RockYou accounts with just one password attempt–123456–every hundred or so attempts would yield a compromised account. Dozens of attempts can be scripted every second, so Imperva estimates that using this technique would only take around 15 minutes to hack 1,000 accounts.
“The entire operation of password breaking … looks very different than what we’ve been used to thinking,” says Imperva Chief Technologist Amichai Shulman.
The RockYou password sample is biased towards people who play social games on sites like MySpace. Moreover, programmers can mitigate the threat of automated attacks by building lock-outs and other security mechanisms into their Web applications.
But for the most part, programmers aren’t taking the key steps to prevent automated attacks, says security analyst Kevin Johnson, who teaches a course on hacking Web applications for the SANS Institute, a security training outfit.
“The majority of Web applications aren’t protected against that kind of attack,” says Johnson. “Security is not something on most people’s mind.”
In a world where hackers are merely looking to pluck “the low hanging fruit,” good security is less about being impenetrable and more about picking better passwords. Here are some tips from security experts:
–Make your password easy to remember. Johnson says passwords don’t have to be hard to remember, just hard to crack. He suggests typing a sentence with lots of words and including punctuation. With enough words, it keeps the password sufficiently long but makes them easier to type and remember.
–Change up your password. Arbor Networks’ Jose Nazario suggests changing your passwords more often based on the sensitivity of the content they protect. He says accounts protecting financial information, for example, should have strong passwords that are changed often and are never reused.
–Use different passwords for different accounts. Jeremiah Grossman, chief technologist at consultancy WhiteHat Security, notes that you wouldn’t have the same key for your home, car and office–so don’t keep the same password for different sites either. That way, he notes, if one account is compromised you won’t give the attacker a foothold into the rest of your accounts.
So just remember: Attacks happen, and you probably shouldn’t take them personally. And you likely can out-smart a hacker merely by giving a little thought to your password.
Source : Forbes