Passwords and The Bible…

After years of education, people seem to be getting the message that you need to use a mixed set of characters to create secure passwords: a mixture of upper- and lower-case letters, numbers and symbols. This can be a good thing; however, when the rules are not followed correctly, the results can sometimes be worse than having no rule set at all.

Part of the fallout whenever there is a major password breach is that we get to analyze thousands of passwords and see how people in the real world are creating and using them. This is a two-edged sword: white-hat security experts get to see what mistakes people are making and issue advice and warnings, while black hats get to add a new set of rules to their password crackers.

People seem to have gotten the message about letters and numbers, but they seem to be missing the advice about randomness and the addition of symbols. Bible verses seem like a good idea to most people: they have upper- and lower-case letters and numbers, you can use a ‘:’ or a ‘,’ to add a symbol for good measure, and they are easy to remember.

However, they are also very easy to crack. There is nothing random about them; in fact, since they are used as a way to catalog every line in the Bible, they are the antithesis of random. They are used and known universally across the globe. Even if a hacker did not think to try one, the second one shows up in a brute-force attack you can bet every single chapter and verse is going to be run.

This is exactly what happened when Andrew “bunnie” Huang analyzed the recent LinkedIn password dump. Thousands of chapter-and-verse passwords came pouring out of the MD5 hashes. They were the easiest passwords to blindly pull out of the hashes because lots of people use them and they follow a pattern. Find one John 3:16, and you might as well look for every other one: ‘john316’, ‘john3:16’, ‘John3:16’, ‘1cor13’, ‘psalm23’, ‘exodus20’, ‘isiah40’, ‘Matthew6:33’, ‘hebrews11’. Find one and you find them all.

The lesson learned here: use something unique to you. Many of my passwords are far from random; they are combinations of letters, numbers and symbols that I draw from my life and that are unique to me. Even though they are not random, no hacker will ever get them without using brute force. They don’t follow a pattern and they are not from any widely known and shared source. Other passwords that would fall into the same category as chapter-and-verse passwords are, for example, ‘Obama2012’ or ‘Giants2012’. If your passwords are not going to be random, at least keep them unique to you.
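The defensive counterpart to the pattern described above is to refuse chapter-and-verse passwords at the moment a user sets them, before they ever reach a hash dump. The following Python is an added example, not code from the original post or from the LinkedIn analysis: it recognises the "book + chapter + optional verse" shape (with the separators and trailing symbols people add "for good measure") and reports it as a policy violation. The book list, the abbreviations and the misspelling ‘isiah’ are constructed here and are an assumption; a real deployment would also check candidates against a breached-password list, as NIST SP 800-63B recommends.

```python
import re
from typing import Optional

# Constructed list of Bible book names, common abbreviations and one common
# misspelling ("isiah"); not from the original post. Extend to taste.
BOOKS = [
    "genesis", "gen", "exodus", "exod", "leviticus", "lev", "numbers", "num",
    "deuteronomy", "deut", "joshua", "josh", "judges", "judg", "ruth",
    "samuel", "sam", "kings", "kgs", "chronicles", "chron", "ezra",
    "nehemiah", "neh", "esther", "job", "psalms", "psalm", "ps",
    "proverbs", "prov", "ecclesiastes", "eccl", "isaiah", "isiah", "isa",
    "jeremiah", "jer", "lamentations", "lam", "ezekiel", "ezek", "daniel",
    "dan", "hosea", "joel", "amos", "obadiah", "jonah", "micah", "nahum",
    "habakkuk", "zephaniah", "haggai", "zechariah", "malachi",
    "matthew", "matt", "mark", "luke", "john", "acts", "romans", "rom",
    "corinthians", "cor", "galatians", "gal", "ephesians", "eph",
    "philippians", "phil", "colossians", "col", "thessalonians", "thess",
    "timothy", "tim", "titus", "philemon", "hebrews", "heb", "james",
    "peter", "pet", "jude", "revelation", "rev",
]

# Longest names first so "peter" is tried before "pet", etc.
_BOOK_ALT = "|".join(sorted(map(re.escape, BOOKS), key=len, reverse=True))

# Shape: [ordinal] book [sep] chapter [sep verse] [up to two trailing symbols]
# Covers john316, john3:16, 1cor13, Matthew6:33, John3:16! and similar.
_VERSE_RE = re.compile(
    r"^\W*(?P<ordinal>[1-3])?[\s._-]*(?P<book>" + _BOOK_ALT + r")[\s._-]*"
    r"(?P<chapter>\d{1,3})(?:[\s:.,_-]*(?P<verse>\d{1,3}))?\W{0,2}$",
    re.IGNORECASE,
)


def parse_verse(password: str) -> Optional[dict]:
    """Return the book/chapter/verse parts if the password looks like a
    scripture reference, otherwise None."""
    m = _VERSE_RE.match(password)
    if not m:
        return None
    book = m.group("book").lower()
    if m.group("ordinal"):
        book = m.group("ordinal") + book
    return {"book": book, "chapter": int(m.group("chapter")),
            "verse": int(m.group("verse")) if m.group("verse") else None}


def looks_like_verse(password: str) -> bool:
    return parse_verse(password) is not None


def password_policy_errors(password: str, min_len: int = 12) -> list:
    """Policy check used at password-set time. Returns a list of reasons the
    password is rejected; an empty list means it passed these checks."""
    errors = []
    if len(password) < min_len:
        errors.append(f"shorter than {min_len} characters")
    if looks_like_verse(password):
        errors.append("looks like a scripture chapter-and-verse reference")
    return errors


if __name__ == "__main__":
    # Constructed samples modelled on the shapes quoted in the post.
    for pw in ["john316", "John3:16", "1cor13", "Matthew6:33", "isiah40",
               "correct-horse-battery-staple"]:
        print(f"{pw!r:32} -> {password_policy_errors(pw) or 'ok'}")
```

Run as a script it prints the verdict for each constructed sample; in a real signup or password-change handler you would call `password_policy_errors` and show the user the reasons. The regex is deliberately strict about the ordering (book first, then digits) so that ordinary words that happen to start with a book abbreviation, such as "correct" starting with "cor", are not flagged.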


