Passwords as Easy as 123
For a peak into what passwords people choose - and just how easy they are to break - check out <a href="http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/passwords_we_love/">this article</a> the <em>Boston Globe</em> published on April 11. (It accompanied a <a href="http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/">larger article</a> on a study that concluded the cost of changing passwords outweighs the benefits - another interesting read.) A security firm analyzed 32 million passwords stolen from the social applications producer called RockYou and posted online. (A hacker had broken into the system in December 2009.) The most popular passwords were a form of 123456. And No. 4 on the list? "Password."
For a peek into what passwords people choose - and just how easy they are to break - check out this article the Boston Globe published on April 11. (It accompanied a larger article on a study that concluded the cost of changing passwords outweighs the benefits - another interesting read.) A security firm analyzed 32 million passwords stolen from the social applications producer RockYou and posted online. (A hacker had broken into the system in December 2009.) The most popular passwords were a form of 123456. And No. 4 on the list? "Password."
How many times have you received a new password for an application from your systems administrator that had the temporary password set to "password" - and then never changed it? There are lots of other temporary passwords that are widely known.
That's why it is so easy for hackers like Robert Moore, who was convicted in 2007 for breaking into servers to steal Voice over Internet Protocol time, to infiltrate networks. The analysis of passwords reminded me of what Moore said in an interview before he began his two-year prison term:
You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.