Gmail accounts hacked via unpatched hole
The disclosure of a back door allowing bad guys to repeatedly guess Gmail passwords should remind us all to protect our accounts with long and strong character strings.

There's a straightforward way to protect your online accounts — use signin phrases that are easy for you to remember but hard for others to guess.

The latest vulnerability affecting Gmail accounts was recently revealed by security researcher Vicente Aguilera Díaz in a posting on the Full Disclosure security list.
According to Aguilera's new security alert, Google allows anyone with a Gmail account to guess another Gmail user's password 100 times every two hours, or 1,200 times per day. No "captcha" keeps hacker bots from guessing passwords in this way. Worst of all: If a hacker controls, say, 100 Gmail accounts, 120,000 guesses can be made per day.
Because Gmail accounts are free, many hackers control far more than 100 accounts, of course.

To its credit, Gmail requires fairly long passwords of 8 characters or more. However, as Aguilera points out, Gmail allows users to create extremely weak passwords such as aaaaaaaa.

A quick survey of my friends and relatives revealed that not one of them uses strong passwords. Most people have no idea how to create them. Yet everyone I asked expressed guilt at using easy-to-crack passwords: pet names, birthdays, and common dictionary words.

Most people's passwords could be guessed in far fewer than 10,000 attempts. And, despite using weak passwords, the people I interviewed say they rarely change their signin strings. (One-third of the people surveyed use the same password for every Web site they sign in to, and the infamous Conficker worm needed to try only 200 common passwords to break into many systems, according to an analysis by the Sophos security firm.)
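The throttle Aguilera describes is applied per guessing account, which is why spreading the attempts across many free accounts defeats it; what a defender needs is a count per target account. The following added example (not from the article, and not Google's code) runs that check over a constructed login log in which five attacker accounts each stay under 100 tries, yet the victim account is flagged. The log format, the account names and the 100-per-two-hours threshold are assumptions taken from the figures quoted above.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)
PER_TARGET_LIMIT = 100  # the budget the article cites, applied per victim instead of per guesser

def build_sample_log():
    """Constructed log lines 'ISO-timestamp source target result' (assumed format).
    Five attacker accounts each make 30 failed guesses against one victim, so no
    single source trips a 100-per-two-hours throttle; 'alice' adds benign noise."""
    base = datetime(2009, 7, 1, 10, 0, 0)
    lines = []
    for i in range(5):
        for j in range(30):
            ts = base + timedelta(minutes=j * 3 + i)
            lines.append(f"{ts.isoformat()} attacker{i:02d} victim FAIL")
    for j in range(3):
        lines.append(f"{(base + timedelta(minutes=j)).isoformat()} alice-laptop alice FAIL")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} alice-laptop alice OK")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically as strings

def parse_line(line):
    ts, src, dst, result = line.split()
    return datetime.fromisoformat(ts), src, dst, result == "FAIL"

def find_targets_under_attack(lines, limit=PER_TARGET_LIMIT, window=WINDOW):
    """Return {target: stats} for every target whose failed logins inside a sliding
    window exceed `limit`, no matter how many source accounts were used.
    Assumes `lines` are in chronological order."""
    recent = defaultdict(deque)  # target -> deque of (timestamp, source) for failures
    flagged = {}
    for line in lines:
        ts, src, dst, failed = parse_line(line)
        if not failed:
            continue
        q = recent[dst]
        q.append((ts, src))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > limit:
            per_source = Counter(s for _, s in q)
            flagged[dst] = {"failures": len(q), "sources": len(per_source),
                            "max_per_source": max(per_source.values())}
    return flagged

if __name__ == "__main__":
    for target, stats in find_targets_under_attack(build_sample_log()).items():
        print(f"{target}: {stats}")  # victim: 150 failures from 5 sources, max 30 each
```

A per-source throttle would never fire on this log (no source exceeds 30), while the per-target count reports 150 failures against the victim.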
Many respondents to my informal survey admitted to keeping an unencrypted file on their systems that lists every password they use! You may not think the password to your webmail account is valuable. But anyone with access to your account can use it to send spam and ruin your online reputation. More seriously, you may have entered the same password at an online banking site, such as PayPal, or a site where your credit-card number is stored for easy ordering, such as Amazon.