First let me clarify – this is not a sinister post.
Just like we know a business or a person has just been hacked, we know ~2,239 Tesco customer logins were publicly posted.
And in both cases, we’ll try to ignore it. If we can’t, no matter, soon enough we’ll forget about it. Either way, very soon we’ll move on. Unchanged.
So this time let’s try something new – pause, review, learn and change.
If you’re keen to find out more about how over 2,000 email and password combinations that work on the Tesco website were released, read Troy Hunt’s post suggesting reasonable attack vectors.
So Troy’s nailed reviewing how it may have been done, but what about whether we can learn anything from the data posted?
I’ve sifted the data and here’s the interesting bits…
The top 10 passwords:
What does a hacker see?
- Find out the target’s childrens’ names. (I wonder how many people have posted their childrens’ names on Twitter, G+ or Facebook?)
- And where they live. (Easy.)
- It’ll be lower case. (That helps.)
- And just letters. (That helps too.)
Quick test: Does your password include your childrens’ names or your location? Maybe your football club?
If this is a good sample, what do passwords look like in 2014?
- 56% of passwords do not include a number
- 90% of passwords do not contain an upper case letter
- 0.1% of passwords contain a non-letter, non-number (eg an underscore)
- Every password is 6-10 characters
- 6 long – 25.01%
- 7 long – 17.46%
- 8 long – 31.26%
- 9 long – 15.86%
- 10 long – 10.41%
Quick test: Are your passwords 6-10 long, no upper case letters, and no symbols?
Let’s learn. Let’s change.
I know changing your passwords will be a pain but how painful could not be doing it?
Here’s some new rules:
- Make your password longer than 10 characters
- Do not include a direct relation
- Use at least one number
- Use a mix of upper case and lower case letters
- Use at least one symbol
Ignoring the social engineering (if that) side and looking solely at brute force…
An 8 character password of only lower case letters equates to 1,562,275 permutations. Not bad, but assuming no protection is in place, that shouldn’t take too long.
An 8 character password of lower and upper case letters, numbers and just six symbols equates to 7,392,009,760 permutations. 4,371 times greater.
Please, please improve your passwords. We’re regularly warned.