When a website that creates and distributes self-expression widgets for use on social networking services such as Facebook and MySpace got hacked in December last year, it left millions of online socialites dangerously exposed. The impact of the security breach, which took advantage of a decade-old exploit, was made worse when it was discovered that RockYou.com’s user data policies appeared to allow ID and password data to be stored and transported without encryption.
That RockYou.com’s security measures were somewhat lacking, to say the least, is grave enough but now analytical data has been released which shows a more serious problem, not necessarily with the aforementioned company but maybe a bit closer to home – YOU!
Data security company Imperva had a closer look at the list of 32 million RockYou.com user passwords posted on the hacker’s blog (which thankfully were not linked to user identities or other personal data) and discovered that, in the struggle to keep the information stored about us by the many websites on which we choose to register secure, our worst enemy is not in fact those companies and institutions; it’s us.
According to Imperva, “the data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. Further, never before has there been such a high volume of real-world passwords to examine.” You can have a look at the report if you wish but let me take a moment to present some of the highlights.
Top of the Charts
The winner of the most frequently used password that we hope will foil the hackers and keep our personal information, well, personal is… trumpet, fanfare or drum roll: 123456.
Although I would hope that no-one on TechnoBuffalo would ever use such an obvious password when registering for a website, people clearly do. This is both worrying and not entirely surprising. On the one hand the RockYou.com password list (top ten reproduced below) clearly shows that we don’t take our online security seriously enough. Just take a moment to think about all the websites that you are required to register for. Social networking, blogs, instant messaging, online banking, VOIP services, webmail, music download sites, online shops, and so on. The list is endless. Do you use the same password for all of them? Is that password amongst those shown in the list below?
The Top Ten RockYou.com Passwords Were:
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
The number one spot has already been mentioned but is so incredibly stupid that it needs to be repeated – it’s “123456”. Taking the silver medal is the slightly lighter but no less idiotic “12345”. Running fingers along the top row of keys also seems a popular choice, with “123456789” taking third place. Not obvious in any way, fourth is “Password” and the ever-so-romantic “iloveyou” takes fifth. The remainder is made up of “princess”, “rockyou” (which you’ll notice is the same as the name of the site), “1234567”, “12345678” and “abc123”. Are you feeling safe and secure now?
Be Careful Out There
Some services, like Twitter and GoogleMail, will let you know how strong your password is (the former site even having a list of easily cracked passwords you’re not allowed to use) but at the end of the day, online security is your responsibility. If you’re dumb enough to use an easily hackable password then you really shouldn’t complain if (or when) security is breached.
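To show what the two mechanisms mentioned in this article actually look like in code (the frequency count Imperva ran over the leaked list, and the kind of common-password blocklist Twitter applies at sign-up), here is an added example. It is not code from the article, from Imperva or from any of the services named; the top-ten list is the one reported above, and the "dump" it analyses is a small constructed sample, not real leaked data.

```python
import re
from collections import Counter

# The top ten passwords from the RockYou list, as reported in the article.
TOP_TEN = ["123456", "12345", "123456789", "Password", "iloveyou",
           "princess", "rockyou", "1234567", "12345678", "abc123"]

# Constructed sample "dump" (100 entries, not real data): a handful of weak
# passwords repeated many times, plus 25 unique ones, which is roughly the
# shape an analyst sees in a real leak.
SAMPLE_DUMP = (["123456"] * 40 + ["12345"] * 15 + ["Password"] * 10 +
               ["iloveyou"] * 5 + ["princess"] * 3 + ["abc123"] * 2 +
               [f"unique-pw-{i}!" for i in range(25)])


def frequency_report(passwords, top_n=10):
    """Count how often each password appears and return (most_common, share),
    where share is the fraction of accounts that the top_n passwords cover.
    This is the kind of analysis Imperva performed on the leaked list."""
    counts = Counter(passwords)
    most_common = counts.most_common(top_n)
    covered = sum(n for _, n in most_common)
    return most_common, covered / len(passwords)


def _is_sequential(s):
    """True for runs like 'abcdefg' or 'gfedcba' (every step is +1 or -1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(candidate, blocklist=TOP_TEN, min_length=8):
    """Return None if the password is acceptable, otherwise a short reason.
    The blocklist comparison is case-insensitive and ignores surrounding
    whitespace so that 'PASSWORD ' is still rejected as 'password'."""
    normalized = candidate.strip().lower()
    blocked = {p.lower() for p in blocklist}
    if normalized in blocked:
        return "on the common-password blocklist"
    if len(normalized) < min_length:
        return f"shorter than {min_length} characters"
    if re.fullmatch(r"\d+", normalized):
        return "digits only"
    if _is_sequential(normalized):
        return "sequential characters"
    return None


if __name__ == "__main__":
    common, share = frequency_report(SAMPLE_DUMP)
    print(f"top {len(common)} passwords cover {share:.0%} of accounts")
    for pw, n in common[:3]:
        print(f"  {n:3d}  {pw}")
    for pw in ["123456", "PASSWORD ", "1234567890", "abcdefgh",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

The point the numbers make is the same one Imperva's report makes: a blocklist of only ten strings already removes most of the weak choices in a list like this, which is why a sign-up form that refuses them is cheap and effective. A production check would use a much longer list of leaked passwords and a proper strength estimator rather than these three heuristics.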
And you should also take some time to read the conditions and policies carefully before you sign your life away (such as this interesting snippet from RockYou.com: “We cannot, however, ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk.”), no matter how dull they appear to be.
I mentioned above that the choice of passwords on RockYou.com is not really a huge surprise. As our busy, increasingly online, lives see us regularly encounter numerous registration screens and long pages of conditions and policies, perhaps it’s simply the chore of having to come up with so many different passwords for so many sites that has led to such a serious lapse in personal security. Maybe trawling through the monotonous and dreary terms and conditions and privacy policies is just too much for us and so leads to laxity and misplaced trust.
Whatever the reason for the bad choices outlined above, it’s clear that we really need to start to take more control over our electronic existence. Choosing a good, strong, unique password for each service we use is a good first step. Trying to limit the amount of information we freely give away about ourselves might be another, albeit a sometimes difficult, one. I suspect that we also need to take more care when choosing who we do business with, whether it’s creating widgets for our Facebook pages or shopping on the web or checking our online bank account – taking more of an interest in the privacy and security policies of those you deal with is undoubtedly a good thing to do.
If nothing else happens, this massive security breach should at least serve to remind us that life online is not as safe and secure as we would all like it to be.
Are you guilty of using dumb passwords (no revealing details please)? Do you use a common password across different services? Has this article made you reconsider your habits?