Archive for the ‘microsoft’ tag
Most web applications depend on user name/password combinations to authorize user access. Hence one of the biggest security problems on the world wide web is weak passwords. Users choose easy-to-guess passwords because they are easy to remember. This article gives some hints that should help in choosing a good password and remembering it, because good user passwords increase the overall security of a web application.
In 2006 Bruce Schneier, a well-known security expert, analyzed 34,000 MySpace passwords which had been collected by a phishing attack. The most common of these passwords were password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, and monkey.
Recently Microsoft published the results of a one-year study in which Microsoft monitored automated attacks against user accounts with a fake FTP server. From the collected data they generated statistics of the most commonly used user names and passwords in this kind of attack. For passwords, the top 10 consists of password, 123456, #!comment:, changeme, Fuckyou, abc123, peter, Michael, andrew, and matthew.
Both analyses underline the basic thesis of this article: users tend to choose simple passwords which would not withstand a dictionary attack, and the bad guys are aware of this weakness and try to exploit it.
From their analysis Microsoft derived three basic hints which should be kept in mind when choosing a password. These hints should be presented to users of web applications during signup.
- Use a combination of letters, numbers and special characters. Also, remember that some dictionaries used in attacks have a “l33t” mode, which applies common letter-to-number or letter-to-special-character substitutions (such as a-@, i-1, o-0 and s-$; for example, password = p@$$w0rd). Therefore, mix them in different ways so that they are not predictable.
- Use a combination of upper and lower case letters.
- Make it lengthy. A longer password does not necessarily mean it is strong but it can help in some cases.
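As an added example (not code from the original post), here is a signup-time check in Python that applies the three hints above and, as the article warns, also compares the candidate against a small constructed list of the leaked passwords after undoing the l33t substitutions (a-@, i-1, o-0, s-$). It goes slightly beyond the text by also stripping a trailing digit suffix, since most of the leaked entries are a plain word plus a digit. The password list, the 12-character minimum and the function names are assumptions.

```python
import re

# Constructed sample drawn from the two leaked lists quoted above; a real
# deployment would load a much larger breach-derived list.
COMMON_PASSWORDS = {
    "password", "password1", "abc123", "123abc", "123456", "qwerty1",
    "changeme", "myspace1", "iloveyou1", "monkey", "monkey1", "baseball1",
}
# Most leaked entries are a word plus a digit suffix, so keep the bare stems too.
COMMON_STEMS = {re.sub(r"\d+$", "", p) for p in COMMON_PASSWORDS}

# The l33t substitutions named in the article, reversed so that a candidate
# such as p@$$w0rd is normalised back to the dictionary word "password".
LEET_MAP = str.maketrans({"@": "a", "1": "i", "0": "o", "$": "s"})


def attack_forms(candidate: str) -> set[str]:
    """Forms of `candidate` a l33t-aware dictionary attack would also try."""
    lowered = candidate.lower()
    # Strip trailing digits before undoing l33t, otherwise the 1 -> i
    # substitution would mangle a suffix like "1234" into "i234".
    stems = {lowered, re.sub(r"\d+$", "", lowered)}
    return stems | {s.translate(LEET_MAP) for s in stems}


def check_password(candidate: str, min_length: int = 12) -> list[str]:
    """Return the list of problems found; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", candidate) or not re.search(r"[A-Z]", candidate):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", candidate):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs a special character")
    if attack_forms(candidate) & (COMMON_PASSWORDS | COMMON_STEMS):
        problems.append("is a common password or a l33t variant of one")
    return problems


if __name__ == "__main__":
    # P@$$w0rd1234 satisfies every complexity rule yet is still rejected.
    for pw in ("p@$$w0rd", "Monkey1", "P@$$w0rd1234", "Tr0ub4dor&3Horse"):
        print(pw, "->", check_password(pw) or "ok")
```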
Bruce Schneier recommends writing passwords down and keeping them with your other valuables, e.g. in your wallet, since passwords which are not based on a dictionary are hard to remember. But if you lose your wallet, remember to change them, just as you would cancel your credit cards.
Wow, that’s a one-of-a-kind rant!
In a leaked e-mail, Bill Gates complains about usability issues in Microsoft products such as Windows and the microsoft.com site.
Check it out here: An epic Bill Gates e-mail rant. It’s pretty long and very detailed, but well worth the read.
Thanks to Amy Hoy for posting it on her blog Slash 7.