[ISN] Why passwords have never been weaker -- and crackers have never been stronger

From: InfoSec News <alerts_at_private>
Date: Tue, 21 Aug 2012 04:04:46 -0500 (CDT)
http://arstechnica.com/security/2012/08/passwords-under-assault/

By Dan Goodin
Ars Technica
Aug 20, 2012

In late 2010, Sean Brooks received three e-mails over a span of 30 hours 
warning that his accounts on LinkedIn, Battle.net, and other popular 
websites were at risk. He was tempted to dismiss them as hoaxes -- until 
he noticed they included specifics that weren't typical of mass-produced 
phishing scams. The e-mails said that his login credentials for various 
Gawker websites had been exposed by hackers who rooted the sites' 
servers, then bragged about it online; if Brooks used the same e-mail 
and password for other accounts, they would be compromised too.

The warnings Brooks and millions of other people received that December 
weren't fabrications. Within hours of anonymous hackers penetrating 
Gawker servers and exposing cryptographically protected passwords for 
1.3 million of its users, botnets were cracking the passwords and using 
them to commandeer Twitter accounts and send spam. Over the next few 
days, the sites advising or requiring their users to change passwords 
expanded to include Twitter, Amazon, and Yahoo.

"The danger of weak password habits is becoming increasingly 
well-recognized," said Brooks, who at the time blogged about the 
warnings as the Program Associate for the Center for Democracy and 
Technology. The warnings, he told me, "show [that] these companies 
understand how a security breach outside their systems can create a 
vulnerability within their networks."

The ancient art of password cracking has advanced further in the past 
five years than it did in the previous several decades combined. At the 
same time, the dangerous practice of password reuse has surged. The 
result: security provided by the average password in 2012 has never been 
weaker.

[...]