What We Learned from 2012 Password Hacks

By Ehsan Foroughi and Nima Dezhkam

In the past few months we have evidenced frequent news headlines on password breaches at major websites such as LinkedIn, Yahoo! Voices, DropBox, Gamigo, and Phandroid, an Android Forum. The list does not stop there.

These incidents motivated us to perform some high-level analysis on the leaked data, review the root causes, and look into the related work covering these incidents. This post is a summary of our observations from a password best practices point of view.

Password Reuse

Reports show that some of the aforementioned compromises, most notably that of Yahoo! Voices, extend beyond the targeted site and affect user accounts for other websites such as Gmail, AOL, and Hotmail. This is mainly due to the reuse of usernames (or emails) and passwords between different websites.

This is by no means an isolated incident. Microsoft, for example, on average sees successful password matches of around 20% of the leaked usernames that match Microsoft account usernames.

We believe the rate for password reuse to be higher, specifically between popular sites, if we match by the individual owner rather than the username. This is due to limited availability of popular/shorthand usernames, which results in different usernames being used on each site.

Password Complexity

Password reuse is only one part of a bigger problem. An analysis of the leaked LinkedIn passwords reveals the usage of passwords generated by variation of publicly available information such as: linkedin, LinkedIn, linkedinsecret, and linkedinpassword. Note that the frequency of usage of these passwords can not be determined in this specific case as the leaked file only included unique hashes. These passwords lack the recommended password complexity requirements as outlined in the OWASP best practices.

The analysis done by Errata Security on the same LinkedIn leaked data reveals that the list contains an indicator revealing the passwords hackers were able to extract at the time the data was published. It verifies that all passwords with length 6 or less were cracked, most likely using brute force combined with rainbow table speedup techniques.

In addition, the same study suggest that roughly 25% of the unique passwords had a length of six (6) characters, which is considered an unsafe length according to the best practices that require passwords to be eight (8) characters at a minimum. Considering the normal distribution of frequency vs password length, we can deduce that the number of passwords with length of six (6) is more than 25%. This demonstrates how a weak password policy can lead to a large set of weak passwords.

An analysis of the leaked Yahoo! Voices passwords by our research team, revealed the following as the top 20 most commonly used passwords. The “123456” password appeared over 1600 times in the disclosed list of almost 400K passwords:

1) 123456
2) password
3) welcome
4) ninja
5) abc123
6) 123456789
7) 12345678
8) sunshine
9) princess
10) qwerty
11) writer
12) monkey
13) freedom
14) michael
15) 111111
16) iloveyou
17) password1
18) shadow
19) baseball
20) tigger


The above analyses can lead to the following conclusions about the password usage in the affected websites:

1) neither of the password length and password complexity requirements, as recommended by best practices, are being actively followed and enforced in the affected websites.
2) despite spreading public knowledge about password security, a considerable number of users still choose simple passwords such as “123456” or dictionary words over complex ones.
3) users tend to reuse their passwords between different websites at an alarming rate.

Item 1 is related to the password policy of the websites, and items 2 and 3 are often linked to the hardship of remembering multiple complex passwords by the users.

Commonly used and dictionary word passwords are typically the first ones to be cracked during attacks such as brute forcing, and using them significantly increases the likelihood of a compromise. In addition, password reuse between different sites increases the impact of any such compromise.

In summary, it is safe to believe that weak passwords and password reuse are common password security weaknesses in many of the popular websites that we use on a daily basis. Actively enforcing password best practices by the websites and providing users with flexible choices to securely manage, store, and use their complex passwords are two approaches that can help us move towards a safer web experience.

Previous Article
Nish & Subu at Countermeasure 2012
Nish & Subu at Countermeasure 2012

Nish Bhalla and I were at Countermeasure 2012 conference in Ottawa. Please click here to download the prese...

Next Article
The Operational Reality of Opt-In Security Controls
The Operational Reality of Opt-In Security Controls

TL;DR: We thought we found arbitrary command execution due to an absence of class-whitelisting. We actually...