The highest form of ignorance is when you reject something you don't know anything about.

Wayne Dyer (b 1940)

With Love, Signed: Darwin.

Whatever you believe in, Evolution or Pseudo Intelligent Design*, some of those below really need to be removed from the gene pool, or at least be taught effective contraception.

A few months ago I wrote about the Gawker hack, pointing out that companies are using obsolete technologies to "protect" your data. And that is when they bother at all: some UberMorons are still leaving your data in plain text (RockYou: 32 million accounts stolen), and others like to taunt hackers (Gawker again).
The only reason they do so is pure greed: they seem to enjoy paying huge PR and lawyer fees, apologizing to you, and replacing 130,000,000 credit card numbers in a hurry (TJMAXX) instead of spending a few thousand dollars on security. Well, they prefer to spend the money on golf meetings or sushi; after all, you are paying the bill, not them.
But the technologies used to protect a website are only one level of protection. The second level depends on your ... IQ.
Yes, your own IQ. And sometimes, that's the problem...

Even if your password is hashed, the simpler it is, the faster it is to crack. JTR (John The Ripper) and my miserable MBP can crack the first few thousand in a matter of minutes. After that, it slows down... after a few hours, it really slows down and gets boring.
When you get bored, switch to oclHashcat (Win/Linux).
LulzSec, or any other hacking group, probably has a botnet or a few computers at its fingertips: they could chop-chop through a few hundred million tries per second, but that is still a drop in the bucket** hashing-wise, so the longer your password is, or the less common it is, the harder it is to crack. Remember: they are not looking for your password, they are looking for the weakest ones. You just need to be stronger than the next guy.
Below, the hack of InfraGard, a partner of the FBI. One would expect a stronger website when it comes to national security, no? Also, Richard, please don't use your name as a password... you should do better, for Christ's sake!
= means the hash was cracked and the password discovered.

In light of the LulzSec hacks, a bunch of data has been released into the wild, and it seems to confirm that we are losing the battle of evolution. A few examples:

Rule #1

When you own an official email address from the White House, please don't use it to log in to porn sites, especially if your password is stolen along with it. Also, on a side note: go back to work...
Ditto when you are an active USAF fighter pilot: don't use "Mywife01" when you visit porn sites AND log in with your OFFICIAL email address. Also, on a side note: go back to work...

Rule #2
When you work for Fox TV, particularly in Fox Sales, don't use "foxsales" as your password.

Rule #3
If you use your domain name as your password, you are officially a moron.
That list has been hugely truncated. After #50, it's not funny anymore.

Rule #4
When you are the CEO of a high-tech company, you should not use the same password for everything, because having your emails stolen, your secret conference calls listened to, your colleagues duped, your private info leaked, etc... it's not called being hacked, it's called being raped. Having a different password for every site is called "best practices".

"...Because (Karim) Hijazi (CEO of Unveillance) had used the same password on the InfraGard site that he used on his personal Gmail account and his corporate Google Apps account, the hackers were easily able to spy on his personal and business activities..."
Source: CNET News

Rule #5
"123456" as a password shall not be allowed, nor "password", nor the great "123456789".
To repeat: lists of the most-used passwords are easy to find, and JTR will chop-chop through them in seconds.
Rank: Occurrences: Password

   1: 1240: 123456
   2: 396: 123456789
   3: 197: password
   4: 161: 12345
   5: 119: 1234
   6: 108: 123
   7: 104: 12345678
   8: 93: 1234567
   9: 88: romance
  10: 72: 102030
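To make the two points above concrete (the weakest passwords fall to a dictionary in seconds, and unsalted storage lets one guess be tested against every account at once), here is an added example of mine, not code from this post and not John The Ripper or oclHashcat. It runs a JTR-style mangled wordlist (the top-10 list above plus three made-up base words) against a constructed five-account dump stored as unsalted MD5, then against the same passwords stored with a per-user salt, counting how many digests each attack costs. The account names, passwords, the salted scheme and the 3e8 guesses/s rate are all assumptions for illustration.

```python
import hashlib

# Assumption: the guess rate the post attributes to a botnet, "a few hundred
# million tries per second", taken as 3e8 guesses/s for the estimate below.
GUESSES_PER_SECOND = 3e8

# The top-10 list quoted in the post, plus three constructed base words so a
# pattern like "Mywife01" is reachable by mangling.
TOP10 = ["123456", "123456789", "password", "12345", "1234",
         "123", "12345678", "1234567", "romance", "102030"]
SMALL_WORDLIST = TOP10 + ["mywife", "letmein", "qwerty"]
SUFFIXES = ("", "1", "01", "123", "2011")

hash_calls = 0  # every digest computed is counted, to compare attacker cost


def md5_hex(text):
    """Unsalted MD5 hex digest, the kind of storage the post complains about."""
    global hash_calls
    hash_calls += 1
    return hashlib.md5(text.encode()).hexdigest()


def salted_hex(salt, text):
    """Hypothetical salted scheme: MD5 over salt || password, salt stored beside it."""
    return md5_hex(salt + text)


def mangle(words):
    """JTR-style mangling: case variants plus the digit suffixes people append
    when a site insists on 'at least one number'. Sorted for deterministic runs."""
    out = set()
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for s in SUFFIXES:
                out.add(base + s)
    return sorted(out)


def derived_candidates(email):
    """Guesses taken from the account itself: the local part and the first
    domain label (Rules #2 and #3 above), mangled the same way."""
    local, _, domain = email.partition("@")
    return mangle({local, domain.split(".")[0]})


# Constructed dump in the shape of a 2011-era leak; every entry is made up to
# mirror one of the post's rules, nobody real.
PLAINTEXTS = {
    "richard@infra.example":  "richard",           # name as password
    "sales@foxsales.example": "foxsales",          # Rule #2: domain label
    "pilot@usaf.example":     "Mywife01",          # Rule #1
    "alice@webmail.example":  "123456",            # Rule #5
    "bob@webmail.example":    "9Xt#w2@LqpR4!vBz",  # long and uncommon
}


def crack_unsalted(dump, base_words):
    """Unsalted: hash each candidate once, then one dictionary lookup serves
    every account in the dump. Per-account guesses run only for the leftovers."""
    lookup = {md5_hex(w): w for w in mangle(base_words)}
    found = {}
    for email, digest in dump.items():
        if digest in lookup:
            found[email] = lookup[digest]
            continue
        for guess in derived_candidates(email):
            if md5_hex(guess) == digest:
                found[email] = guess
                break
    return found


def crack_salted(salted_dump, base_words):
    """Salted: the reverse map is worthless because salt || candidate differs
    per account, so every candidate is rehashed for every account."""
    candidates = mangle(base_words)
    found = {}
    for email, (salt, digest) in salted_dump.items():
        for guess in candidates + derived_candidates(email):
            if salted_hex(salt, guess) == digest:
                found[email] = guess
                break
    return found


def seconds_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to brute-force one hash of the given length and alphabet."""
    return charset_size ** length / rate


def run_demo():
    """Crack the same five passwords stored unsalted and salted; return what
    fell and how many digests each attack cost."""
    global hash_calls
    unsalted = {e: md5_hex(p) for e, p in PLAINTEXTS.items()}
    salted = {e: (f"salt{i}", salted_hex(f"salt{i}", p))
              for i, (e, p) in enumerate(PLAINTEXTS.items())}
    hash_calls = 0
    cracked = crack_unsalted(unsalted, SMALL_WORDLIST)
    unsalted_cost = hash_calls
    hash_calls = 0
    cracked_salted = crack_salted(salted, SMALL_WORDLIST)
    return cracked, unsalted_cost, cracked_salted, hash_calls


if __name__ == "__main__":
    cracked, u_cost, _, s_cost = run_demo()
    for email in PLAINTEXTS:
        print(f"{email:26} {'= ' + cracked[email] if email in cracked else '(not cracked)'}")
    print(f"digests computed: unsalted {u_cost}, salted {s_cost}")
    print(f"8 lowercase letters:  {seconds_to_exhaust(26, 8):.0f} s worst case")
    print(f"12 printable chars:   {seconds_to_exhaust(95, 12):.1e} s worst case")
```

Four of the five accounts fall to a 13-word list with a handful of mangling rules; only the long, uncommon password survives, which is the "be stronger than the next guy" point. The salt does not make any single guess slower, so it does not rescue "123456"; what it does is multiply the attacker's work by the number of accounts, because the reverse lookup that cracks a whole unsalted dump in one pass is gone. Real tools apply thousands of rules to multi-million-word lists at GPU rates, so treat the numbers here as shape, not scale.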

That's it folks, I am going back to sifting through the data...

* Intelligent Design: don't get me going...
** That is, when you salt your hashes: a per-user salt doesn't slow down a single guess, but it stops one guess from being checked against every account at once, you freaking greedy morons (LinkedIn, eHarmony,

