F-Secure's April Fools Hack Article is No Joke

Friday, April 01, 2011


F-Secure's Mikko Hypponen posted a nice April Fool's day article that was so subtle it slipped into several security news feeds unnoticed.

While the article itself may be just a fun prank, readers would be wise not to let the sardonic wit overshadow the important message about password security that is being conveyed.

The short article starts out with what sounds like a plausible news blip item of the day, announcing that the "passwords from over 3,000,000 user accounts were apparently set to 'password' late last night in a wide-spread hack that affected hundreds of news, retail and Web 2.0 sites. Most affected users are completely unaware of the attack."

By the middle of the article, the joke becomes apparent, stating that "users are reacting fiercely to the hack but even more so to the ban many sites are putting on one of the world's most popular passwords. Online riots are to be expected. The hacker group named 'Obvious' has claimed credit for last evening's attack. Thousands of hacked Twitter and Facebook accounts posted the message 'We are all Obvious! Don't Expect Us'."

The key line in the article which should not go unheralded, though, is that "according to current statistics, 62% of affected users would not notice such a change as their password was already 'password'."

Unfortunately, that is an accurate statement. Multiple studies have found that users often employ obvious passwords such as "password", "abcd", and "1234", making the job of criminal hackers all that much easier.

Any security expert will tell you there is no such thing as absolute security. I like to add to that truism the notion that, whether you are an individual or a corporation, there are only three reasons you have not been breached by criminal hackers:

  • One - you have not yet been targeted
  • Two - you have been targeted, but the hacker did not have the necessary skills
  • Three - you have been targeted, the hacker had the necessary skills, but the time and effort required to defeat your security measures was too "costly" in comparison to the expected return

Strong security measures in general - and in this particular instance, the use of strong passwords - dramatically decrease the likelihood that you will experience a compromise of your systems and your sensitive data.

Think of the classic castle siege scenario. There are no castle defenses so impenetrable that an enemy cannot overcome them.

But when you build a high wall, dig a wide moat, and have lots of hot tar to pour on the assailants, you significantly increase the amount of resources they need to commit in order to successfully sack your castle.

The enemy understands that it would be much easier to focus on a target with fewer defensive structures. The same holds true for information security.

The last line in F-Secure's April Fool's Day article reads: "To avoid problems like this in the future, we are recommending users to change their password everywhere to 'password1', which is obviously more secure."

Sarcastic? Yes. But statistically, "password1" is more secure than "password". Add a capital "P" and it becomes even more secure. Use a greater combination of capital letters, lowercase letters, and sprinkle more numbers in there, and it becomes exponentially more secure.
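As an added illustration of that "exponentially more secure" point (example code written for this page, not from the article or from F-Secure), the script below computes the brute-force search space for the passwords the article names, and also checks each one against a constructed wordlist of the obvious passwords the article mentions, since a guessing attacker tries a wordlist before any exhaustive search and a wordlist hit makes the search-space figure irrelevant.

```python
import math
import string

# Constructed wordlist: only the obvious passwords the article itself names.
# A real policy check would use a full breach-derived list.
COMMON_PASSWORDS = {"password", "password1", "abcd", "1234"}

# Character classes and the symbols each one adds to the attacker's alphabet.
CLASSES = (
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
)


def classes_used(password):
    """Names of the character classes the password actually draws from."""
    return [name for name, chars in CLASSES if any(c in chars for c in password)]


def keyspace(password):
    """Candidates an exhaustive attacker must try: alphabet ** length, where the
    alphabet is the union of the classes used. Each extra class multiplies the
    base; each extra character multiplies the whole space again."""
    used = classes_used(password)
    alphabet = sum(len(chars) for name, chars in CLASSES if name in used)
    return alphabet ** len(password)


def assess(password):
    """Policy view of one password: search-space size in bits plus whether it
    appears on the wordlist (checked case-insensitively, so 'Password1' still
    counts as a hit even though its raw keyspace is far larger)."""
    space = keyspace(password)
    return {
        "classes": classes_used(password),
        "keyspace": space,
        "bits": round(math.log2(space), 1),
        "in_wordlist": password.lower() in COMMON_PASSWORDS,
    }


if __name__ == "__main__":
    for pw in ("password", "password1", "Password1", "Pa55w0rd!x"):
        print(pw, assess(pw))
```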

When the day comes that your password-protected accounts are targeted by a criminal hacker, and they do have the necessary skills, the strength of your password will be the difference between being hacked and sending them on their way to find a more willing victim.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.