Analysis of 400,000+ Stolen Yahoo! Passwords

July 13th, 2012

On 12th July 2012, more than 400,000 emails and passwords for Yahoo! Voices were stolen via an SQL injection and published online. The passwords were reportedly stored in plaintext, making this security breach even more serious. If you are a member of Yahoo! Voices, change your password immediately, and if you use the same password on other sites, make sure to change them as well.

I performed the following password analysis with the help of pipal, a very popular and powerful password analyzing tool. The full pipal report is located here, with a longer report (showing the top 100 of each category) here.

10 Most Popular Passwords

123456 = 1667 (0.38%)
password = 780 (0.18%)
welcome = 437 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Despite numerous warnings by security professionals, the most popular password is still “123456”, followed by “password” in second place. These are highly insecure passwords, not just because of their length and complexity (both very low), but because they sit at the top of most of the password lists that attackers use when trying to compromise an account. Remember, brute-forcing a password is always a last-ditch attempt at gaining access to an account; a clever attacker will always try common passwords first, so if your password appears in a password list online, you should never use it!

The fact that these passwords were even allowed reveals substandard practices in Yahoo’s password policy. To boost security, a user should be required to have a password that contains both upper and lowercase letters, as well as numbers and symbols. For additional security, the chosen password should be rejected if it matches one found in common password lists.

Password Length

8 = 119214 (26.92%)
6 = 79650 (17.99%)
9 = 66058 (14.92%)
7 = 65654 (14.83%)
10 = 54815 (12.38%)
12 = 21785 (4.92%)
11 = 21261 (4.8%)
5 = 5325 (1.2%)
4 = 2748 (0.62%)
13 = 2585 (0.58%)
14 = 1433 (0.32%)
15 = 773 (0.17%)
16 = 442 (0.1%)
3 = 303 (0.07%)
17 = 252 (0.06%)
20 = 169 (0.04%)
18 = 116 (0.03%)
1 = 116 (0.03%)
19 = 78 (0.02%)
2 = 67 (0.02%)
21 = 6 (0.0%)
22 = 4 (0.0%)
29 = 3 (0.0%)
30 = 2 (0.0%)
24 = 2 (0.0%)
28 = 2 (0.0%)

As you can see, most people are still using short passwords. Indeed, a whopping 61.66% of people are using a password that is 8 characters or shorter. If you include passwords with a length of 9 or 10, then the number jumps to 88.96%. When a dictionary attack fails, the main thing stopping a brute-force from succeeding within a given amount of time is the length of the password. For each additional character a password has, the amount of time needed to brute-force it increases by a factor of 95 (assuming the brute-force is trying all 95 printable ASCII characters). Even if the password only contains lowercase letters, an additional letter will increase the time required by a factor of 26.

Eight characters or longer is usually cited as the recommendation for password length, but with cracking speeds up thanks to improvements in processing power, that number should probably be closer to 12, if not more. Remember, a long complex password need not be hard to remember.

Complexity

Only lowercase alpha = 146512 (33.09%)

This small statistic shows a staggering lack of password complexity. Almost a third of passwords only contained lowercase letters, making the task of brute-forcing them much easier.

loweralphanum: 224085 (50.6%)
loweralpha: 146512 (33.09%)
numeric: 26080 (5.89%)
mixedalphanum: 23233 (5.25%)
loweralphaspecialnum: 6053 (1.37%)
mixedalpha: 5122 (1.16%)
upperalphanum: 3416 (0.77%)
mixedalphaspecialnum: 3327 (0.75%)
loweralphaspecial: 2103 (0.47%)
upperalpha: 1776 (0.4%)
mixedalphaspecial: 489 (0.11%)
upperalphaspecialnum: 233 (0.05%)
specialnum: 189 (0.04%)
upperalphaspecial: 51 (0.01%)
special: 20 (0.0%)

As these additional statistics show, more than half the passwords only contained lowercase letters and numbers (the numbers only increase the brute-forcing attack by a factor of 10). Barely one percent of the passwords could be considered “complex”, containing upper and lowercase letters, numbers, and symbols.
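The following added example (my own code, not part of the original post or of pipal) rebuilds the three tables above from a constructed sample list, using pipal's category names for the character-class mix, and implements the policy argued for earlier in the post: reject anything on a common-password list, require upper, lower, digit and symbol, and enforce a minimum length (the 12-character minimum is an assumption taken from the post's suggestion). The sample passwords and the short common-password list are made up for the example.

```python
from collections import Counter

# Constructed sample standing in for the leaked list (made-up values).
SAMPLE = ["123456", "password", "ninja", "abc123", "Sunshine1!", "qwerty",
          "123456789", "hello123", "PASSWORD", "Tr0ub4dor&3", "x",
          "correcthorsebatterystaple", "!!!", "welcome", "123456"]
# Short common-password list (constructed); a real check loads full wordlists.
COMMON = {"123456", "password", "welcome", "ninja", "abc123", "qwerty",
          "123456789", "12345678", "sunshine", "princess"}

def classify(pw):
    """Name the character-class mix using pipal's category names."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    if lower and upper:
        alpha = "mixedalpha"
    else:
        alpha = "loweralpha" if lower else "upperalpha" if upper else ""
    if not alpha and not special:  # digits only (or empty)
        return "numeric" if digit else "empty"
    return alpha + ("special" if special else "") + ("num" if digit else "")

def analyze(passwords, top=3):
    """Rebuild the three tables above: top passwords, lengths, categories."""
    total = len(passwords)
    pct = lambda n: round(100.0 * n / total, 2)
    lengths = Counter(len(p) for p in passwords)
    return {
        "top": [(p, n, pct(n)) for p, n in Counter(passwords).most_common(top)],
        "lengths": {k: (n, pct(n)) for k, n in sorted(lengths.items())},
        "categories": {k: (n, pct(n)) for k, n in
                       Counter(classify(p) for p in passwords).most_common()},
        # share of passwords 8 characters or shorter (61.66% in the real dump)
        "short_share": pct(sum(n for k, n in lengths.items() if k <= 8)),
    }

def policy_check(pw, common=COMMON, min_len=12):
    """Policy the post argues for: no common-list hits, all four character
    classes, and a minimum length (12 is an assumption taken from the post)."""
    problems = []
    if pw.lower() in common:
        problems.append("in common password list")
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if classify(pw) != "mixedalphaspecialnum":
        problems.append("needs upper, lower, digit and symbol")
    return problems
```

Running `analyze(SAMPLE)` gives the same kind of counts and percentages pipal prints, and `policy_check` returns an empty list only for passwords that would have passed the policy the post recommends.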

Conclusions

Yahoo! is of course to blame for the passwords being accessible to hackers, as well as for storing them in such an insecure way. Their password policy, which apparently lets users choose a single character as a password, is absurd, and a full investigation should be carried out to find out how on earth the users were left this vulnerable. There were some decent passwords in the list, and those were made completely useless through Yahoo’s ineptitude.

That said, it should be noted that regardless of Yahoo’s ineffective defences and security policies, a great deal of these user-chosen passwords were highly insecure. It is up to the user to choose a decent password, rather than relying on a system which you should not really trust (as users, we do not know what security weaknesses a system has, or how it stores important data). It is best, therefore, to create a unique complex password (or passphrase) for each account you have online, and to use a good password manager to help you keep track of them.

Two New Security Articles for Yahoo!

June 20th, 2012

I’ve written and published two new security articles as part of the Yahoo! Contributor Network. The first is about reducing your digital footprint, which is something I’ve been interested in for a while now. If you aren’t careful, a lot of information about yourself can be found online. Some of it might be true, some of it might be false, but most of it you probably don’t want lingering in search engine results. My article will tell you how to best map your digital footprint, and then how to go about reducing it.

The second article is on the top 5 online password managers, something every sensible person on the Internet should have. With so many different websites, you can either have the same password (highly insecure) or generate a unique password for each. Online password managers mean you don’t have to remember all your passwords, though as I’ve pointed out before, you can generate highly secure and easy to remember passphrases for the most secure sites you visit.

New Job

June 15th, 2012

I’ve been pretty absent from both blogging and tweeting recently as I left my job as a Security Researcher to do penetration testing for Convergent Network Solutions. This involved moving from Reading to London, which was great since I’ve always wanted to live there. Other than starting what I hope will be a long career as a Penetration Tester, I’ve also been working on my MSc, where I am developing a web application fuzz tester.

Of course, there are already a lot of fuzz testers out there, especially for web apps, so mine will be “special” in a number of ways. Firstly, it will be a command-line tool so that users can run it from machines without a display manager (always useful). Secondly, it will use an XML-based “scripting” language that I have developed, which will allow people not familiar with programming (QA teams for instance) to easily write tests in a structured way that they can understand. Finally, it will support multiple fuzzing methods including a simple list of values, incrementing numbers, and completely random data.

I hope to open source it at the end of development, and of course I’ll make any such announcements on this blog.

New Targeted Malware: Flame

May 29th, 2012

Various organisations have revealed the existence of yet another piece of malware used for targeted attacks against a country’s infrastructure. Flame (also known as Flamer and sKyWIper), was discovered jointly by Kaspersky Lab, Iran’s MAHER Center, and CrySyS Lab of the Budapest University of Technology and Economics.

The most visible difference between Flame and earlier pieces of targeted malware like Stuxnet and Duqu is its size, expanding to 20 megabytes when fully installed (Stuxnet was only half a megabyte). CrySyS Lab, which discovered Duqu in 2011, has described Flame as “arguably… the most complex malware ever found.”

More information on Flame can be found below:

Identification of a New Targeted Cyber-Attack - Iran National CERT (MAHER)

The Flame: Questions and Answers – Kaspersky Lab

sKyWIper: A complex malware for targeted attacks [PDF] – CrySyS Lab

Meet ‘Flame’, The Massive Spy Malware Infiltrating Iranian Computers – Threat Level (Wired)

Flame malware – more details of targeted cyber attack in Middle East – Naked Security (Sophos)

Flame: Massive cyber-attack discovered, researchers say – BBC News

How to Secure your Facebook Account

May 25th, 2012

A few months ago I joined the UK Yahoo! Contributor Network, which pays people to write specific articles that are then published on Yahoo! After a few assignments about movies and mobile technology, the editors were impressed enough to let me write on various security related topics.

I’ve written three so far, the first of which has just been approved and published, so please go read it and share it with friends:

How to secure your Facebook account

Unlike the rather technical and complex articles on this blog, my Yahoo! articles will apply to as many people as possible. If you’ve ever wondered about the security of your Facebook account, or have friends who need it drastically, this article should help you out.