Rampant Password Reuse

"Rampant (Adjective) - Profuse, unbounded, widespread, everywhere, epidemic, prevalent, unrestrained, unchecked, running wild, uninhibited, wild, uncontrolled, predominant".  These are some of the synonyms for the word "rampant".  That may be a good word to use in regard to the latest data about password reuse.

The group LulzSec may be responsible for stealing from Sony the user information of over 100 million accounts.  As has been the recent practice of other attackers, they then posted this information online.  There have already been reports of this information being used to attack Sony customers (such as attackers purchasing equipment online and then charging it to the user's exposed credit card number).  Yet this now-public information has also been analyzed by security researchers, as occurred when Imperva analyzed 32 million passwords stolen from RockYou (see Jan 28 2010 blog) and Duo Security looked at 1.3 million passwords stolen from Gawker Media (see Dec 15 2010 blog).

An Australian security researcher looked at almost 40,000 passwords stolen from Sony that came from two separate Sony promotions that users signed up for.  He discovered that of the 2,000 users who had created accounts for both promotions, an astonishing 92% of them reused the same password.  He then went back and compared the Sony passwords against those stolen from Gawker Media, and of the 88 accounts at both sites that had the same e-mail address (and presumably belonged to the same user), 67% used the same password.  That would classify as being "rampant"!  The researcher also analyzed the stolen Sony passwords themselves and found most of them to be short dictionary words with a limited character set {Chapter 7 Security+ 3ed}.

What can you do if you want to protect yourself?  First, create strong passwords by using letters, numbers, and special characters.  Second, never reuse passwords on multiple accounts.  And third, use a password management program like KeePass or LastPass to store and retrieve your passwords.  I love the quote of this security researcher: "The only secure password is one you can't remember"!
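The two measurements described above (the share of users with accounts on both sites who reused a password, and how many passwords use only a single character class) are easy to reproduce on your own data. The script below is an added example, not code from the original post or from the researcher; the two account lists are constructed for illustration, and the analysis compares SHA-256 fingerprints rather than plaintext so the join never needs both passwords side by side.

```python
"""Added example: measure cross-site password reuse and character-class
diversity on two constructed account dumps (not real breach data)."""
import hashlib
import string

# Constructed sample dumps of (email, password) pairs. Not real data.
SITE_A = [
    ("alice@example.com", "password1"),
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "sunshine"),
    ("dave@example.com", "letmein"),
    ("erin@example.com", "qwerty123"),
]
SITE_B = [
    ("Alice@example.com", "password1"),   # same user, same password
    ("bob@example.com", "Tr0ub4dor&3"),   # reused
    ("carol@example.com", "sunshine2"),   # changed between sites
    ("erin@example.com", "qwerty123"),    # reused
    ("frank@example.com", "monkey"),      # only present on site B
]


def fingerprint(password):
    """Hash the password so the comparison works on digests, not plaintext.
    A plain SHA-256 is enough for an equality check within one analysis."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_stats(dump_a, dump_b):
    """Join both dumps on the (case-folded) e-mail address and return
    (accounts_on_both_sites, accounts_with_same_password, reuse_percent)."""
    fps_b = {email.lower(): fingerprint(pw) for email, pw in dump_b}
    shared = reused = 0
    for email, pw in dump_a:
        fp_b = fps_b.get(email.lower())
        if fp_b is None:
            continue            # user only appears in dump A
        shared += 1
        if fingerprint(pw) == fp_b:
            reused += 1
    percent = 100.0 * reused / shared if shared else 0.0
    return shared, reused, round(percent, 1)


def character_classes(password):
    """Number of distinct character classes used: lower, upper, digit, symbol."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def weak_share(dump, max_len=8):
    """Percent of passwords that are short (<= max_len) and use one class only,
    the 'short dictionary word, limited character set' pattern."""
    weak = sum(1 for _, pw in dump
               if len(pw) <= max_len and character_classes(pw) == 1)
    return round(100.0 * weak / len(dump), 1) if dump else 0.0


if __name__ == "__main__":
    shared, reused, pct = reuse_stats(SITE_A, SITE_B)
    print(f"{shared} accounts on both sites, {reused} reused a password ({pct}%)")
    print(f"{weak_share(SITE_A)}% of site A passwords are short, single-class")
```

With the constructed lists, four users appear on both sites and three of them reused a password (75%), and two of the five site A passwords are short single-class words (40%). Run on real exports, the e-mail join is the same one used in the Sony/Gawker comparison, and the `weak_share` figure is what a password policy or manager roll-out is meant to drive down.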

You can read the analysis at http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html.

Stay secure!

http://www.cengage.com/community/infosec