I do want to draw your attention, though, to the fact that we previously spoke about the vulnerability of passwords. At that time we could only speculate and try to convince people that passwords were insecure, but since then the world has changed significantly in the following ways:
- The highly publicized attack by the Anonymous group on HBGary. What is interesting in the analysis of the attack by Ars Technica is that, although the attack combined several techniques such as SQL injection, rainbow tables and social engineering, the main cause was the same old problem: simple passwords (each was just six lowercase letters and two numbers), and the same passwords reused across different systems such as email, Twitter accounts and LinkedIn, and even for the administration of Google Apps email.
- Through the increased number of exploits against websites that protect their user accounts with passwords, and the publication of those passwords by groups such as Anonymous and LulzSec, it is finally possible to analyze scientifically how inept we are at using passwords effectively, especially different passwords for different sites. One such analysis by Joseph Bonneau of the HBGary rootkit.com and gawker.com password leaks shows that nearly 30% of users whose email address appeared in both leaks used the same password on both sites.
- The continued exploitation and the sheer number of leaked passwords mean that quantitative analysis of the passwords in use gives an attacker a progressively more educated ‘guess’ at the password of any random account.
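As an added example (not from the original post or from Bonneau's study), the following Python script reproduces the shape of that cross-site reuse measurement on two small constructed leak dumps: it joins the two sites on email address, reports how many shared accounts reuse the password verbatim or with a single-character change, and flags passwords matching the six-lowercase-letters-plus-two-digits pattern from the HBGary case. The dumps, the near-match rule and all account names are assumptions for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed sample dumps (email -> plaintext password) standing in for the
# rootkit.com and gawker.com leak data; none of these are real accounts.
SITE_A = {
    "alice@example.com": "kitten42",
    "bob@example.com": "zebras99",
    "carol@example.com": "Tr0ub4dor&3",
    "dave@example.com": "horsebattery",
    "erin@example.com": "summer11",
}
SITE_B = {
    "alice@example.com": "kitten42",     # reused verbatim
    "bob@example.com": "zebras98",       # one digit changed
    "carol@example.com": "Tr0ub4dor&3",  # reused verbatim
    "erin@example.com": "winter12",      # different password
    "frank@example.com": "qwerty",       # only present on site B
}

# The HBGary pattern described above: exactly six lowercase letters, then two digits.
WEAK_PATTERN = re.compile(r"^[a-z]{6}[0-9]{2}$")

def weak_pattern_keyspace() -> int:
    """Size of the six-letters-plus-two-digits keyspace: 26^6 * 10^2."""
    return 26 ** 6 * 10 ** 2

def reuse_rate(a: Dict[str, str], b: Dict[str, str]) -> Tuple[int, int, float]:
    """Join two dumps on email; return (shared accounts, exact reuses, reuse rate)."""
    shared = [e for e in a if e in b]
    reused = sum(1 for e in shared if a[e] == b[e])
    return len(shared), reused, (reused / len(shared) if shared else 0.0)

def near_reuse(a: Dict[str, str], b: Dict[str, str]) -> int:
    """Count shared accounts whose passwords differ in exactly one position (assumed rule)."""
    return sum(1 for e in a if e in b and len(a[e]) == len(b[e])
               and sum(x != y for x, y in zip(a[e], b[e])) == 1)

def weak_pattern_fraction(dump: Dict[str, str]) -> float:
    """Fraction of passwords in a dump that match the weak pattern."""
    hits = sum(1 for p in dump.values() if WEAK_PATTERN.match(p))
    return hits / len(dump) if dump else 0.0

if __name__ == "__main__":
    n, r, rate = reuse_rate(SITE_A, SITE_B)
    print(f"{n} accounts on both sites, {r} reuse the same password ({rate:.0%})")
    print(f"near-reuse (one character changed): {near_reuse(SITE_A, SITE_B)}")
    print(f"weak-pattern share on site A: {weak_pattern_fraction(SITE_A):.0%}")
    print(f"weak-pattern keyspace: {weak_pattern_keyspace():,}")
```

Run against a real pair of dumps this is the defender's view of the problem: the reuse rate is the fraction of your users whose credentials an attacker already holds if either site leaks.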