Catch of the Day? ... Your information
The danger of “single passwords”
Popular online retailer Catch of the Day announced last week that hackers had stolen its customer database. Included in the theft were the names, home addresses, email addresses, “hashed” or “encrypted” passwords and, in some cases, credit card details of its customers – i.e. probably YOU!!!!
The problem is, the theft took place more than 3 years ago! And changing your password for Catch of the Day is the least of your problems!
At my Executive Briefing on Data Security last week, I spoke about the problem of Single Passwords – the issue where your employees use the same password to access multiple systems. Perhaps your marketing staff use the same password for your business LinkedIn account as they do for their personal Catch of the Day account? We all have tens, if not hundreds, of passwords to remember!
And if just one of these shared passwords is stolen, hackers now have access to all of your accounts!
Catch of the Day claims that their passwords were ‘hash encrypted’. Sounds secure, right? But unless you use complex passwords, such as That!Adam#guy-from&VISITS%is_cool, encryption is not as good as it seems!
What’s a hash you ask?
Online stores don’t want to store your actual password. So they create a hash from your password - a 32-character code generated by running your password through a one-way hashing algorithm. For example, when you sign up using Password99 as your ‘secure’ password, the online store will create and store the hash C3C1B6B43180C597C85A1ED7DC04BBEE. Every time you re-enter your password, the store hashes what you typed and compares it with the hash it stored initially. If they match, you’re in!
It’s true - cracking the encrypted hash is next to impossible!
But a hacker doesn’t need to crack the encryption. They can simply use a special ‘dictionary’ of common passwords and their corresponding hashes. They look up the stolen hash in that dictionary, and they now have your password! Or they can try the ‘brute force’ method - calculating the hash of every possible combination of letters, numbers and characters until they find the right hash.
It sounds hard, but it’s not.
These dictionaries contain upwards of 400 BILLION pre-computed hashes. Using the brute-force method, your average PC can attempt more than 3 million combinations a second! A password of fewer than 6 characters can be cracked within a minute.
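To make the two sides of this concrete, here is an added example (not code from the original post, nor from Catch of the Day) of the store-side logic described above: the unsalted hash-and-compare login check, a tiny constructed lookup table showing why such a hash of a common password is effectively reversible, and the fix a store should apply instead, a per-user random salt plus a slow key-derivation function. MD5 is assumed as the hash because the post’s example is 32 hex characters and it points readers at an MD5 lookup site; the function names, the four-entry table and the iteration count are this example’s own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The scheme the post describes: one unsalted hash per password ---------
# MD5 is an assumption, chosen to match the post's 32-character example hash.

def plain_hash(password: str) -> str:
    """Unsalted MD5 hex digest of the password (32 characters, upper case)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()

def plain_verify(stored_hash: str, attempt: str) -> bool:
    """Login check as described: hash the attempt and compare with what was stored."""
    return hmac.compare_digest(stored_hash, plain_hash(attempt))

# Constructed mini 'dictionary' of hash -> password for a handful of common
# passwords. Real tables hold billions of entries; four are enough to show why
# an unsalted hash of a common password is, in effect, reversible by lookup.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
LOOKUP_TABLE = {plain_hash(p): p for p in COMMON_PASSWORDS}

def lookup(stored_hash: str) -> Optional[str]:
    """Return the password behind a stolen hash if it is in the table, else None."""
    return LOOKUP_TABLE.get(stored_hash.upper())

# --- What the store should do instead: salt + slow key derivation ----------
# A random per-user salt means no precomputed table matches anyone's record,
# and a high PBKDF2 iteration count makes every brute-force guess expensive.
ITERATIONS = 200_000  # assumption: tune to the hardware budget

def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salt$iterations$digest' record using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"

def slow_verify(stored: str, attempt: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

if __name__ == "__main__":
    stolen = plain_hash("qwerty")
    print("unsalted hash:", stolen, "-> table lookup gives", lookup(stolen))
    record = slow_hash("qwerty")
    print("salted record:", record)
    # Two users with the same password get different records, so one stolen
    # table entry never unlocks both.
    print("second user, same password, different record:", slow_hash("qwerty") != record)
```

The point of the second half is that `slow_verify` still works exactly like the login check the post describes (hash what was typed, compare with what was stored), but nothing precomputed applies to a salted record and each guess now costs 200,000 hash operations instead of one.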
Still not convinced? Try it yourself
Go to www.md5online.org and enter any of these three hashes:
Now you see how easy it is once you have the dictionary.
- To avoid a ‘dictionary’ attack, do not use common words or phrases. Replacing I’s with 1’s, or adding numbers to the beginning or end of the word, makes no difference, as the dictionary already includes these combinations.
- To avoid a ‘brute force’ attack, passwords should be at least 8 characters long.
- Phrases mixed with additional characters can be very strong. Thenameofmydog$isFido is a strong password!
- Try to use different passwords for every system, particularly the important ones (those with confidential, private or financial information).
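As an added example (not part of the original post), here is a small password checker that applies the first three rules above the way a sign-up form or an internal policy check might: it rejects anything shorter than 8 characters, undoes the substitutions the post says make no difference (case, leading or trailing digits, 1-for-I style swaps) before comparing against a word list, and accepts a mixed phrase such as Thenameofmydog$isFido. The word list and the substitution table are constructed samples; a real deployment would use a large breached-password list. The fourth rule, one password per system, is a habit rather than something a single site can check, so it is not encoded here.

```python
import re

# Constructed sample of common words; a real check would use a large
# breached-password list rather than this handful.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "football"}

# Swaps that cracking dictionaries already include, so they add no strength.
# Assumed subset, for illustration.
SUBSTITUTIONS = str.maketrans(
    {"1": "i", "0": "o", "3": "e", "4": "a", "@": "a", "$": "s", "5": "s", "7": "t"}
)

MIN_LENGTH = 8  # the post's brute-force threshold

def normalise(password: str) -> str:
    """Reduce a password to the 'core' word a dictionary would hold: lower-case it,
    drop digits stuck on the front or back, then undo letter-for-symbol swaps."""
    core = re.sub(r"^\d+|\d+$", "", password.lower())
    return core.translate(SUBSTITUTIONS)

def check_password(password: str):
    """Apply the post's rules. Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters: brute-force risk"
    core = normalise(password)
    if not core:
        # Digits only: long enough, but still a tiny search space.
        return False, "made only of digits: brute-force risk"
    if core in COMMON_WORDS:
        return False, f"reduces to the common word '{core}': dictionary risk"
    return True, "accepted"

if __name__ == "__main__":
    for candidate in ["Fido123", "Password99", "P@ssw0rd1", "12345678", "Thenameofmydog$isFido"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate:24} {'OK ' if accepted else 'NO '} {reason}")
```

Note that `normalise` strips the trailing digits before applying the substitutions; doing it in the other order would turn the `1` in P@ssw0rd1 into an `i` and let that password slip past the word list.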