Wednesday, May 23, 2007

Has Your Account Been Hacked?!

I was reading PC Magazine this afternoon, and they had a list of the 10 most common passwords people use. I've seen lists like these before, and they always amuse me. Who would USE such OBVIOUS passwords? The potential for hacking such accounts is enormous!

And I wondered--how accurate are these lists? There are nearly 10,000 accounts here on Atlas Quest, and I wondered how many of them would use such obvious passwords?

Passwords, I'm happy to report, here at AQ headquarters are always encrypted using a one-way encryption algorithm. Encryption is a fascinating topic in its own right, but the interesting thing about this one is that it cannot be unencrypted. You might wonder what use is something that's encrypted if it can't be unencrypted. How can Atlas Quest possibly verify the password you type in is correct if it can't look up your actual password? It doesn't. Not exactly, at least. It takes the password you type in, then encrypts it using the same algorithm that generated your encrypted password. If the two encryptions match, the same password was used. If they don't, the passwords don't match. At no point does Atlas Quest actually have to store your password in an unencrypted format.

Even if a hacker could get into Atlas Quest, they would never be able to see your real passwords. It's all very slick, and I think it's ludicrously stupid for companies to store passwords in anything but an encrypted format using a one-way only encryption algorithm. After all, what good does it do to encrypt a password if a hacker can just unencrypt it later? I always have my doubts about the security of any website that is able to re-send you your original password. It's either not encrypted at all in their databases, or they use an encryption algorithm that can be undone. There's never a good reason to allow this.

Anyhow, a good encryption algorithm does nothing if people pick a terrible password to begin with. Atlas Quest doesn't really check for bad passwords. It expects a password to be at least five letters or numbers long, but that's about the only constraint. Out of exactly 9,887 accounts on Atlas Quest at this moment, let's see how many passwords I can "crack."

Here's the list of the ten most common passwords, and how many accounts I could crack using them:

1. password - 48
2. 123456 - 14
3. qwerty - 4
4. abc123 - 4
5. letmein - 3
6. monkey - 14 (say what?!)
7. myspace1 - 0
8. password1 - 1
9. blink182 - 0 (okay, I know this has to have some meaning, but I have no idea what. If you do, please let me know!)
10. (your first name)

I'm leaving that last one blank for now--there's some commentary I want to do with that which I'll get to in a bit. The nine most common passwords, though, could get you into 88 different accounts here on AQ. Are you one of them? I'd suggest you change your password so it's not so easy to guess.

I once read that "god" and "money" were two common passwords. "god" won't work since it's not at least five characters long, but "money" does so I tried that one as well and could break into one more account with that password.

Now back to #10 on the list of most common passwords. It asked for first names, but I also wondered about last names and trail names, so I tried all three. Additionally, I figured most people type in their passwords in all lower case, but some people might not. Passwords are case-sensitive, so I tried both versions--with the name as all lowercase and exactly as the member spelled it on their account.

Holy jumpin' junipers, people!

First names: 99!
Last names: 62!
Trail names: 118!

Grand total, I was able to "break into" 368 accounts on Atlas Quest. That's nearly 4% of all the accounts on this site.

For kicks, I tried variations of the most common passwords. What about adding "123" to the word-based passwords? Like "qwerty123" instead of just "qwerty". Bang! Got into another account. What about "first name" + 123? Figured out another person's password. The last name plus 123 got me into two more. And the username plus 123 cracked another member's account.

The lesson to be learned here: if you really want your accounts to be safe, stay away from those passwords you see on this top ten list. I imagine I could break into many more accounts if I had additional personal information I could compare such as birthdays, pet names, children's names, etc.

The best passwords I've heard of people using do not use real words, include upper and lowercase characters, and include numbers. (And not just a 1 at the end of the password, or 123 for that matter!)

For instance, think of your favorite song, then turn the first letter of each word of its name into your password. For instance, I Love a Rainy Night could be turned into Ilarn. It's by Eddie Rabbitt, so I'll add his initials to the end as well and get IlarnER.

Nobody is going to guess that password, but it's still very easy to remember. It doesn't have to be song titles. Any easy-to-remember phrase can work. "A penny saved is a penny earned" could turn into "ApsiapeBF". Throw in a couple of numbers for good measure. "ApsiapeBF1776" perhaps.

I'll update the site to reject these easily guessed passwords soon, but I won't force those of you with poor passwords to change. It's highly recommended, though. You can change your password at any time from the Account Info page.
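Here is a worked example, added to this post and not Atlas Quest's own code, of the three pieces described above: storing only a one-way hash and verifying a login by re-hashing, the "crack" exercise run as a defender-side audit over stored hashes (the nine listed passwords plus "money", the member's first, last, trail and user names as spelled and lowercased, and each of those with "123" appended), and the registration-time rejection of such passwords. The post does not say which one-way algorithm the site uses; this example assumes salted PBKDF2-HMAC-SHA256 from Python's standard library, with a per-account random salt so that two members with the same password get different stored values and a guess has to be re-hashed once per account. The sample accounts, names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Key-derivation parameters. These are this example's assumptions; the post
# does not name the algorithm. ITERATIONS is kept low so the audit below runs
# in a few seconds; real deployments use far higher counts.
HASH_NAME = "sha256"
ITERATIONS = 10_000
SALT_BYTES = 16
MIN_LENGTH = 5  # the site's only existing constraint

# The nine listed passwords plus "money"; #10 ("your first name") is covered
# by the name-derived candidates in weak_candidates().
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "abc123", "letmein",
    "monkey", "myspace1", "password1", "blink182", "money",
]


def hash_password(password, salt=None):
    """One-way: derive a digest from the password and a random salt.
    Returns a storable record "iterations$salt_hex$digest_hex"; the
    plaintext itself is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count, then compare."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def weak_candidates(account):
    """The guesses the post tried: common passwords, the member's first, last,
    trail and user names (as spelled and lowercased), and each with "123"."""
    guesses = set(COMMON_PASSWORDS)
    for key in ("first_name", "last_name", "trail_name", "username"):
        name = account.get(key)
        if name:
            guesses.update({name, name.lower()})
    guesses |= {g + "123" for g in list(guesses)}
    return guesses


def password_problems(password, account):
    """Registration-time policy check: the reasons a new password is rejected
    (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in weak_candidates(account):
        problems.append("matches a common password or a name on the account")
    if password.lower() == password or password.upper() == password:
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    return problems


def audit_accounts(accounts):
    """Defender-side audit using only the stored records: for each account,
    which guesses (if any) re-hash to the stored digest."""
    hits = {}
    for account in accounts:
        for guess in sorted(weak_candidates(account)):
            if verify_password(guess, account["record"]):
                hits.setdefault(account["username"], []).append(guess)
    return hits


def build_sample_accounts():
    """Constructed sample members (not real Atlas Quest data); the plaintext is
    used only to create the stored record and is then discarded."""
    samples = [
        # username, first name, last name, trail name, chosen password
        ("m1", "Alice", "Example", "Trailblazer", "password"),       # top-ten entry
        ("m2", "Robert", "Sample", "Mossy Rock", "robert"),          # lowercased first name
        ("m3", "Carol", "Demo", "Canyon Fox", "canyon fox123"),      # trail name + 123
        ("m4", "Dave", "Tester", "Night Owl", "IlarnER"),            # song-title method
        ("m5", "Erin", "Placeholder", "Ridge Walker", "ApsiapeBF1776"),
    ]
    return [
        {"username": u, "first_name": f, "last_name": l, "trail_name": t,
         "record": hash_password(pw)}
        for u, f, l, t, pw in samples
    ]


if __name__ == "__main__":
    accounts = build_sample_accounts()
    for username, guesses in audit_accounts(accounts).items():
        print(f"{username}: guessable with {guesses}")
    for account in accounts:
        print(account["username"], password_problems("qwerty123", account))
```

Two things worth noticing when running it: the audit has to re-derive every guess separately for every account because each record carries its own salt, so the cost of checking even a few dozen guesses against a few thousand accounts grows with the iteration count; that per-account cost is exactly what a slow, salted hash buys you against someone who has copied the database. And "IlarnER" passes everything except the digit check, which matches the post's advice to throw in a couple of numbers.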

Be safe. Choose your passwords wisely.

*** This public service has been brought to you by Ryan. No accounts were harmed in the making of this announcement.


Anonymous said...

Blink182 is a band and I am sure when forced to use a capital letter + number combination, that jumps to mind for some people.

Anonymous said...

The boss I had 10 years ago taught me the trick of using a song title, or the first line of a song. And then tag on your birth year or HS graduation year if need be (but I always forget which one I've used!)

If you ever hack my password I'll be very impressed!

Kaaren said...

I am pretty sure mine's safe too. lol

Anonymous said...

Ryan, did you get in to my account? I am dying to know if I have chosen a safe password!
six stars

Anonymous said...

#10 - Why are so many people using Larry? :-)

Anonymous said...

Ok, I understand the need for a safe password, but here on AQ I am not so worried. After all, is there really that much sensitive info on this site? And what would someone gain by logging in as me that they cannot already see on my profile? Some malicious boxer out there that would want to plant boxes under my name? list finds? =o) Go right ahead...

But that being said, you did not mention anything close to my password either =o) But then again I realize that this is still one of my easier passwords because I am not as worried about anyone breaking in.