Every year, I take a look at the published list of worst passwords. I gave you this list back in October, but it occurred to me that there is something you can do about it if, heaven forbid, you are using any password on this list. Surprisingly, the list changes little from year to year, usually with just a few new ones being added. I guess people don’t change their passwords very often, if at all.Here is an excerpt from a TIME report posted at CNN Tech:
SplashData, which makes password management applications, has released its annual “Worst Passwords” list compiled from common passwords that are posted by hackers. The top three — “password,” “123456,” and “12345678″ — have not changed since last year. New ones include “jesus,” “ninja,” “mustang,” “password1,” and “welcome.” Other passwords have moved up and down on the list.
And here is the list showing what has changed:
1. password (Unchanged)
2, 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
So, what can you do about it if you are using any of these passwords? There is a simple fix: Append or prepend a pattern of characters that you will remember. I call this a Personal Password Pad and discussed it in “A simple password recycling method” back on January 16, 2012. You don’t have to come up with a bunch of different ones as that article suggests, though. You could use the method I suggest in “Another way to create easy-to-remember complex passwords.”
You will want to use a minimum of four characters for your pad. For example, let’s say you choose a year: 1988. Your pad could be !(** or 1(8* or !9*8. You get the idea. Now, just stick that on the front or back or both of the worst password, e.g., !9*8password1, and you have a strong, easily remembered password that will probably never show up on any such list.
Have a very Merry Christmas and enjoy a safe and secure gathering with those you cherish.
More than 2000 years ago, Sun Wu wrote Sun Tzu – The Principles of Warfare (The Art of War), a book that has been used by military generals and other savvy leaders ever since. While I don’t know if our modern techno-generals are applying this to the new cyber-warfare theater, I have to assume that savvy cyber-warriors have their own interpretation. I am in the process of writing a book that applies my interpretation of the principles of The Art of War to cyber-warfare and combat. Granted, I won’t be the first one to look at this, but there’s always room for a fresh viewpoint. I will be posting key excerpts here as the book progresses.
Here is more information from sonshi.com, who claim to have the most accurate translation from the original Chinese text, the reference I will be using as source material. :
Sun-tzu ping-fa (Sun Tzu The Art of War) is one of those rare texts that transcends time. Though it was written more than 2,000 years ago, it is arguably still the most important work on the subject of strategy today.
Written by a brilliant and experienced Chinese general named Sun Wu, The Art of War was intended only for the military elite of his time period. However, this treatise would later be absorbed by others of influence — from the fearless samurai in feudal Japan to the shrewd business leaders of the 21st century.
The new title will be: Sun Tzu Sai Bo: The Art of Cyber War
I can think of nothing better than starting off a new month with an amusing video. The jury’s still out as far as I’m concerned, but I haven’t really tested the new version of IE yet.
A colleague sent me a link to this article in The Register: Microsoft Security Essentials loses AV-TEST certification. Here is my emailed response:
Well, yeah, but I still recommend it to friends, family and students as one of the best free AV tools. It maintains the VB100 rating. Besides, absolutely NOTHING prevents against malware installing on the PCs of those ID-10-T users who click on links and agree to be infected.
Me, I don’t even run AV on any of my personal computers at home and haven’t for at least 5 years. I have had zero infections of any kind. On the other hand, I have cleaned PCs that were positively toxic with malware and were members of every known botnet despite their running fully updated versions of commercial AV software.
Naturally, I question the efficacy of AV software for the savvy amongst us.
What do YOU think? Hit the comments and let me know.
If you receive any email with a subject line similar to “Re: Changlog 10.2011,” or something similar, delete it immediately: it’s malware. This isn’t a new one, it just seems to be going through a resurgence at the moment. Sophos identified it and wrote about it in February 2012:
Internet users are receiving emails claiming to contain a changelog – but the files attached are really designed to infect computers.
Here’s what a typical email looks like, although the precise wording can vary.
Subject: Re: Your Changelog
as promised chnglog attached (Open with Internet Explorer)
The subject lines and attachment names can also be different from email to email – here’s a small selection.
Make sure your anti-malware software is up to date and you should be OK. Just don’t click the link (but you already knew that, eh?)
Like it or not, we are still saddled with using passwords for almost everything we do online. The biggest problem with passwords is–and always will be–that good, complex passwords tend to be hard to remember. There are scads of articles on the interwebs about how to create easy-to-remember complex passwords and I’m guilty of contributing my own volume of them. Not that there is anything wrong with this, but the hackers read, too. That’s how and why they have refined their cracking programs to take into account commonly used password creation habits. For example, most people when mixing case will capitalize the first letter, so the cracking program tries that first. You want to avoid using common patterns and the best way to do this is with a personal password algorithm (PPA).
A PPA is a set of rules or steps that you use to create passwords such as this one by Luigi Montanez (though he calls it a “recipe”). There are endless variations you could apply to that one alone (and you should definitely vary it from the published version for obvious reasons). Here’s a simple algorithm that I just invented for the purpose of writing this article:
- Write down any two words that are memorable to you. In my case, I could use kenpeggy
- Starting at the end, write down all of the consonants, skipping all the vowels: ggpnk
- Now, capitalize the last two letters: ggpNK
- Determine the two-digit numerical value of the first two letters based on the alphabet: gg would be 06 and 06
- Append that to the letters: ggpNK0606
- Choose two special characters that you like and append one to the front and one to the back: !ggpNK0606%
You can apply this to any two (or more) memorable words or names and as long as you consistently follow the algorithm, you’ll always know what the password is.
As you probably know by now, I love the Sophos puzzles. Here’s the latest one that is already over with, but that doesn’t mean you can’t have fun with it anyway:
This time, the theme is Skyfall and Bond, James Bond. You’ll handle a field message from another agent, decode a data file stolen from M’s computer, and unravel a secret location – all in a day’s work for the world’s best-dressed secret agent.
To get started with the puzzle, put your tuxedo on, pick up martini, and join Bond at the craps table (that’s by way of a hint, albeit a slightly oblique one).
Apply a touch of lateral thinking and a bit of search engine tinkering to work out how to convert the text below into a URL:
44516 54221 43313 slash SHAKE DON’T STIR
Then head over to the URL to take on the next stage of the puzzle.
Enjoy and hit the comments if you figure it out.
A serious security flaw in Microsoft-owned Skype allowed hackers to hijack accounts just by knowing the user’s email addresses. Details from this article at TechCrunch:
Skype faced a fairly serious security threat today [Nov. 14, 2012], thanks to a flaw in the system replicated by The Next Web that allowed people to sign up with email addresses already in use by other users and then force password resets for any accounts associated with those emails. Reset tokens could be delivered to the Skype client itself, meaning people didn’t need access to email accounts to reset passwords associated with them.
Very shortly after The Next Web notified Microsoft, the issue was fixed.
The flaw was actually more of a design issue than a security hole, according to Steve Gibson of Security Now! He discussed this flaw in Security Now! Episode #378:
Microsoft shut down the vulnerability, the aspect of vulnerability, which was password recovery. They took that part offline immediately, then looked at the problem, understood it, fixed it, and then brought password recovery back. So that’s what I mean by this being a design problem. As soon as someone told them, they’re like, oh, my god. And so it was easy to fix.