EASY TO GUESS PASSWORDS
LONGITUDE n. 111
by Danilo Broggi
Nobody is 100% hack proof, but you don't have to make it easy to become a victim either. Weak Wi-Fi passwords and shared laptops open doors to hackers and are the stuff of cyber-security nightmares. Even Trump's Twitter account was hacked.
As I write, the news is reporting the latest sensational digital attack, which targeted the United States Department of Energy and the National Nuclear Security Administration (the agency that maintains the nuclear weapons stockpile), as well as several other federal agencies. The attackers, who press sources speculate are Russian, stole information through a compromise of SolarWinds' Orion platform, used by 275,000 organizations around the world; SolarWinds itself said that around 18,000 of its customers installed the tampered update.
The attack therefore depended on a compromise of the Orion platform, but here lies the surprise: the press also reported that the password protecting a SolarWinds update file server had been "solarwinds123", a trivially weak password that a security researcher had found exposed in a public code repository the year before. Whether that password is how the attackers got in has not been established; what is documented is that they inserted the Sunburst backdoor into legitimate Orion updates, so that customers who installed them were infected, and that Sunburst lay low for about two weeks before it began communicating with its operators and stealing information.
NordPass (a password management company) recently published its 2020 ranking of the most used passwords in the world. In first position is the easiest of all, the most trivial and the least secure, found in breaches 23.5 million times according to the data NordPass collected: "123456". A classic, we could say, since it also topped the list in 2016, 2017, 2018 and 2019. The same result was published by "FlameOfIgnis", alias Ata Hakçıl, a Cypriot computer engineering student, in a report on GitHub after analyzing over a billion credentials recovered from the net.
In a nutshell: by Hakçıl's count, an attacker who tries only the 10 million most common passwords will crack more than half of the accounts in a leaked set, 54% of them to be precise, because that is the share of accounts using one of those passwords. According to Keeper Security, the average cost of a data breach to a business is approximately $7 million, and 81% of hacking-related breaches involve weak or stolen passwords.
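The "hit-rate" figure above is the cumulative coverage of a frequency-sorted password list against a set of leaked accounts. The following Python is an added example, not code from the article or from the NordPass or FlameOfIgnis reports it cites; the credential dump is constructed for illustration (it includes the passwords named on this page plus filler) and the functions compute, for any dump, what share of accounts a top-N list opens, and whether a candidate password should be refused because it is on that list.

```python
"""Coverage of a top-N password list against a credential dump (added example)."""
from collections import Counter

# Constructed dump: one entry per account, the way an attacker sees a
# plaintext leak or the output of a cracking run. Not real data.
DUMP = (
    ["123456"] * 12 + ["password"] * 6 + ["123456789"] * 4
    + ["qwerty"] * 3 + ["dadada"] * 2 + ["solarwinds123"] * 2
    + ["MAGA2020!"]
    + ["correct-horse-battery-staple", "Tr0ub4dor&3", "8f!kQ2p#Lm9z",
       "vXq7$2nR!pL0", "Zw3#kP9@mT1q", "Hc8^bN4&rY6e", "Jm2*fG7!tK5s",
       "Qp6%dS3@vB8n", "Ln9!xC1#yE4w", "Rt5&hU2*zA7o"]
)


def top_n(passwords, n):
    """The n most frequent passwords, most frequent first.

    This is how a 'most common passwords' list is built from a dump:
    count occurrences, then rank. Ties keep first-seen order.
    """
    return [pw for pw, _ in Counter(passwords).most_common(n)]


def coverage(passwords, wordlist):
    """Share of accounts whose password appears in wordlist.

    An attacker trying only the listed passwords, once per account, opens
    exactly this fraction of accounts. The 54% in the article is this
    number for the top 10 million against roughly a billion credentials.
    """
    blocked = set(wordlist)
    hits = sum(1 for pw in passwords if pw in blocked)
    return hits / len(passwords)


def is_blocked(candidate, wordlist):
    """Screening check a registration form should run: refuse any password
    that appears in the common list. Compared case-insensitively so that
    'MAGA2020!' and 'maga2020!' are treated alike.
    """
    blocked = {pw.lower() for pw in wordlist}
    return candidate.lower() in blocked


if __name__ == "__main__":
    for n in (1, 3, 5, 7):
        print(f"top {n:>2} covers {coverage(DUMP, top_n(DUMP, n)):.1%} of accounts")
    for pw in ("maga2020!", "correct-horse-battery-staple"):
        print(pw, "blocked" if is_blocked(pw, top_n(DUMP, 7)) else "allowed")
```

On the constructed dump the single most common password already opens 30% of accounts and the top 5 open 67.5%; the curve flattens quickly, which is exactly why attackers start with a short list and why a site gains the most by refusing the passwords at the head of it.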
Examples abound, starting with the famous LinkedIn case of 2012, when 164 million credentials were stolen (and put up for sale in 2016), including that of Mark Zuckerberg, who used the same password ("dadada") on LinkedIn, Twitter and Pinterest. In the same days the same hackers also took over the Twitter account of Jack Dorsey, the founder of Twitter, and the Quora and Twitter accounts of Sundar Pichai, CEO of Google. More recently we can add the 65 million hashed passwords stolen from Tumblr (the microblogging and social networking platform) and the 100 million accounts of VKontakte (VK), the Russian Facebook, which were then put on sale on the dark web.
Not to mention what happened at Yahoo, where between 2013 and 2016 several intrusions were discovered: one batch of 200 million accounts was offered for sale, and the 2013 break-in eventually turned out to have touched some 3 billion email accounts around the world.
In an increasingly digital world, our passwords are what allow us, in fact, to live. If someone takes possession of them, they enter our life de facto and can do what they want in our name, causing unimaginable damage.
President Trump's Twitter account, which he used continuously throughout his presidency, was hacked in late October, in the middle of the election campaign, by Victor Gevers, a Dutch "ethical hacker" and cybersecurity expert who works with the non-profit GDI Foundation. He got into Trump's account without any sophisticated phishing technique: he simply guessed the password, on the fifth attempt, as MAGA2020!, MAGA standing for Make America Great Again. Gevers also reported that two-factor authentication was not enabled on the account, which is the control that would have stopped a correct guess from being enough. Twitter and the White House denied that any breach had taken place.
Verizon Business, in its Data Breach Investigations Report 2020, explains that in 2019 86% of breaches were financially motivated, web application attacks doubled compared to the previous year, and SMEs were increasingly targeted, appearing in over half of the incidents analyzed. Experts and institutions continually recommend not reusing old passwords, changing them often, lengthening them, inserting capital letters, numbers, unusual symbols, and so on. Some of this advice has since been revised: the current NIST guidance (SP 800-63B) advises against forced periodic changes and composition rules, and favours long passphrases, screening new passwords against lists of known-breached ones, and a second authentication factor. But how do you keep up with the approximately 100 passwords that some studies say the average user in the United States has?
Password managers, specialized products built on strong encryption, allow users to easily generate complex passwords for their online accounts and store them securely for later use. The vault is encrypted on the user's device with a key derived from a single master password, and the provider keeps neither the master password nor a readable list of the stored ones. This means that in the event of an attack on the provider, some customer data could be compromised, but the passwords themselves would not be readable. The caveat is that a stolen encrypted vault can be attacked offline, guess after guess with nothing to slow the attacker down except the cost of the key derivation, so the master password has to be long and unique, and the second factor on the manager account matters as much as it does anywhere else.
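To make the preceding paragraph concrete, here is a model of a password-manager vault in Python. It is an added example, not the code of any real product, and the vault contents are constructed. It follows the design described above: the key is derived on the device from the master password with a slow KDF (PBKDF2-HMAC-SHA256 here, with an illustrative iteration count far below what shipping products use), and the stored record holds only salt, nonce, ciphertext and tag. To stay within the standard library the cipher is HMAC-SHA256 run as a counter-mode keystream with an encrypt-then-MAC tag; real managers use AES-GCM or XChaCha20-Poly1305 and Argon2 or a much higher PBKDF2 count. The last function shows what a thief of the record can do, which is the caveat above.

```python
"""Model of an encrypted password vault and of offline guessing against it (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 50_000  # illustrative only; real products use far more


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Slow KDF run on the user's device. The provider never sees master_password."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=64
    )
    return material[:32], material[32:]  # (encryption key, MAC key)


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream; a stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, plaintext: bytes) -> Dict[str, bytes]:
    """Encrypt on the device. The returned record is everything the provider stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def open_vault(master_password: str, record: Dict[str, bytes]) -> Optional[bytes]:
    """Return the plaintext, or None when the master password is wrong (tag mismatch)."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    stream = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(c ^ k for c, k in zip(record["ct"], stream))


def offline_guess(record: Dict[str, bytes], candidates: Iterable[str]) -> Optional[str]:
    """What someone holding a stolen record can do: unlimited, unthrottled guesses.

    Nothing in the record reveals the master password; the only defences are
    the password's strength and the per-guess cost of derive_keys.
    """
    for guess in candidates:
        if open_vault(guess, record) is not None:
            return guess
    return None


# Constructed inputs: the common passwords named in the article and a fake vault.
COMMON = ["123456", "password", "123456789", "qwerty", "dadada", "solarwinds123", "MAGA2020!"]
VAULT = b"site-a: 8f!kQ2p#Lm9z\nsite-b: vXq7$2nR!pL0\n"

if __name__ == "__main__":
    weak = seal_vault("dadada", VAULT)
    strong = seal_vault("correct-horse-battery-staple", VAULT)
    print("weak master password recovered:", offline_guess(weak, COMMON))
    print("strong master password recovered:", offline_guess(strong, COMMON))
```

Both records look identical to the provider: random salt, random nonce, opaque bytes. The difference appears only once the record is stolen, when the vault sealed with "dadada" falls to a seven-word list and the other does not, which is why the master password is the one password that must never come from the lists discussed earlier.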
All of us, citizens and businesses, are dangerously exposed to identity theft and to the violation and appropriation of our passwords, which leaves us very fragile and exposed to risks of all kinds: reputational, economic, political, professional.
In 2013 "World Password Day" was established on the initiative of Intel Security, born from an idea of cybersecurity researcher Mark Burnett, author in 2005 of the book "Perfect Passwords". World Password Day, celebrated on the first Thursday of May each year, aims to create awareness of the need for good password security. The next one will be on May 6, 2021. Such an event is necessary: the password manager LastPass reported that 53% of users have not changed their password in the last 12 months, even after a breach; 44% use the same or a similar one everywhere; and 41% do not think their accounts are interesting to a hacker.
The only way out is an effort of imagination.
The name of Elon Musk's seventh son is "X Æ A-12 Musk". I wonder what his password will be when he gets older?