An important thing in the world of information security is to learn from our past mistakes. With 24-hour news cycles and the Internet, netizens seem to have developed very short memories. In late 2010, Gawker Media was compromised, revealing 188,279 plaintext passwords online. Many researchers analyzed the data and found simple passwords heavily in use.
Last week, LinkedIn password data was posted online with a total of 6.5 million SHA1 hashes. Because only unique hashes were released, the same analysis that was done on the Gawker leak was impossible; however, we were able to investigate whether the passwords seen in the Gawker analysis were still being used in passwords today. It was easy to cross-check the usage of the LinkedIn passwords against the Gawker ones by creating a Ruby script. LinkedIn had allowed passwords as short as six characters, and all Gawker-related passwords of six or more characters were still in use on LinkedIn. It's interesting that two years after the Gawker breach, these horrible passwords are still being used, despite extensive coverage at the time of the insecurity of such passwords. I believe that it's about time that organizations ban the use of bad or overly obvious passwords.
We also need to ban these known bad strings as a part of passphrases. I was able to access over 165,000 plaintext passwords from the LinkedIn list and noticed that many of the passwords contained words that are known weak passwords as a part of passphrases. Although it was impossible to determine how many times an individual password was used, it was possible to determine the frequency of known bad password patterns. Please see the infographic below.
In order to gain insight on whether or not people were using known bad passwords as a part of a larger password or passphrase, I created a list based on the Gawker top 50 passwords, as well as LinkedIn-related words, i.e., "career", "link", etc. From my quick analysis it is clear that people are using known bad passwords as a part of a larger password/passphrase.
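The cross-check against unsalted SHA1 hashes and the bad-pattern count described above can be sketched as follows, together with the signup-time check that would ban such strings. This is an added example, not the script used for the analysis; the banned list, sample hashes and sample passwords are constructed, and all function names are hypothetical.

```ruby
require "digest"
require "set"

# Constructed stand-in for the Gawker top 50 plus site-related words.
BANNED = %w[123456 password qwerty letmein career link].freeze
MIN_LENGTH = 6 # minimum password length the post attributes to LinkedIn

# Cross-check: banned passwords long enough to be accepted by the site
# whose unsalted SHA1 digest appears in a set of hex digests.
def banned_in_hashes(banned, hash_set, min_length = MIN_LENGTH)
  banned.select do |word|
    word.length >= min_length && hash_set.include?(Digest::SHA1.hexdigest(word))
  end
end

# Pattern frequency: how many plaintext passwords contain each banned string.
# Matching is case-insensitive; one password can count toward several patterns.
def pattern_frequency(passwords, banned)
  counts = Hash.new(0)
  passwords.each do |pw|
    lowered = pw.downcase
    banned.each { |word| counts[word] += 1 if lowered.include?(word) }
  end
  counts
end

# Policy check for signup or password change: returns the banned string
# embedded in the candidate, or nil when none is found.
def banned_component(candidate, banned)
  lowered = candidate.downcase
  banned.find { |word| lowered.include?(word) }
end

# Constructed sample inputs (not taken from any real leak).
SAMPLE_HASHES = Set.new(
  ["password", "qwerty", "unrelated-value"].map { |s| Digest::SHA1.hexdigest(s) }
).freeze
SAMPLE_PLAINTEXT = ["mypassword1", "LinkedIn2012", "careerlink", 'x9$Lq!vT2'].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Banned passwords present as hashes: #{banned_in_hashes(BANNED, SAMPLE_HASHES).inspect}"
  pattern_frequency(SAMPLE_PLAINTEXT, BANNED).each { |w, n| puts "#{w}: #{n}" }
  hit = banned_component("MyPassword!2012", BANNED)
  puts hit ? "Rejected: contains '#{hit}'" : "Accepted"
end
```

Because the substring match ignores the length floor, short words such as "link" are still caught inside longer passphrases even though they could never be a full password on their own.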
Now is the time to apply lessons learned instead of moving forward making the same mistakes. I'll talk about this and other information assurance strategies and best practices in my upcoming webcast: "Life's a Breach! Lessons Learned from Recent High Profile Data Breaches", Thursday, June 2pm EDT.