Posts tagged: Passwords

Jan 22 2014

’123456′ Declared Worst Internet Password of 2013

Worst Passwords 2013 The 2013 list of worst passwords, influenced by postings from the Adobe breach, demonstrates the importance of not basing passwords on the application or website being accessed.

SplashData has announced its annual list of the 25 most common passwords found on the Internet. For the first time since SplashData began compiling its annual list, “password” has lost its title as the most common and therefore Worst Password, and two-time runner-up “123456″ took the dubious honor. “Password” fell to #2.

According to SplashData, this year’s list was influenced by the large number of passwords from Adobe users posted online by security consulting firm Stricture Consulting Group following Adobe’s well publicized security breach.

“Seeing passwords like ‘adobe123′ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing,” says Morgan Slain, CEO of SplashData.

SplashData’s list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords. Some other passwords in the Top Ten include “qwerty,” “abc123,” “111111,” and “iloveyou.”

“Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies,” Slain said. For example, new to this year’s list are simple and easily guessable passwords like “1234″ at #16, “12345″ at #20, and “000000″ at #25.

Sources:
1] SplashData News – Worst Passwords of 2013
2] Stricture Group – Top 100 Adobe Passwords with Count

Oct 01 2011

EPPB – BlackBerry, iPhone Password Recovery Tool

EPPBElcomsoft Phone Password Breaker (EPPB) enables forensic access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms. The password recovery tool supports all Blackberry smartphones as well as Apple devices running iOS including iPhone, iPad and iPod Touch devices of all generations released to date, including the latest iPhone 4 and iOS 4.3.

The new tool recovers the original plain-text passwords protecting encrypted backups for Apple and BlackBerry devices. The backups contain address books, call logs, SMS archives, calendars and other organizer data, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache.

BlackBerry Password CrackerBut, there is a catch. The new feature requires Media Card encryption to be switched on and set to either “Security Password” or “Device Password” mode. If this condition is met, EPPB will be able to run password recovery against device security password. What is also important and rather exciting is that you don’t need the BlackBerry device itself. All that is needed is a media card that was used in that device. Actually, that only need one specific file from that media card, so yes, the recovery can be off-loaded and the password can be recovered offline.

Download : EPPB 1.80

Dec 28 2010

Mozilla site exposed encrypted passwords

addons.mozilla.org disclosure
12.27.10 – 10:35pm

On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.

The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.

It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure. This information was also sent to impacted users by email on December 27th.

Chris Lyon
Director of Infrastructure Security – Mozilla

Dec 16 2009

RockYou Hacked – 32 Million Account Passwords Potentially Exposed

RockYou Hacked
RockYou has suffered a serious hacker attack that has exposed 32 million of its customer usernames and passwords to possible identity theft. And it has apparently taken RockYou more than 10 days to inform its users of the breach.

The security firm Imperva informed RockYou that its site had a serious SQL injection flaw, according to reports. Imperva said that some users’ passwords had already been compromised as a result of the vulnerability by the time it notified RockYou of its findings. RockYou acted quickly to fix the flaw, but perhaps not fast enough. One hacker claimed to have gotten access to the accounts and posted some data as proof. Apparently, the database included the full list of unencrypted passwords in plain text.

The flaw is a big one because RockYou usernames and passwords are, by default, the same as users’ email names and passwords. Security experts are advising RockYou users to change their emails and passwords. RockYou has some of the most popular apps on Facebook, and it ranks third among Facebook developers with 55 million monthly active users, according to AppData.

SQL injection exploits a vulnerability in an app’s database layer and is a very common attack. It potentially lets hackers steal private information, and Yahoo’s jobs site recently suffered a similar attack. Imperva chief technology officer Amichai Shulman told eWeek Europe that users are particularly vulnerable if they use the same usernames and passwords for all of the sites that they visit.

In a statement to Techcrunch, RockYou said, “On December 4, RockYou’s IT team was alerted that the user database on RockYou.com had been compromised, potentially revealing some personal identification data for approximately 30M registered users on RockYou.com. RockYou immediately brought down the site and kept it down until a security patch was in place. RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company. RockYou has secured the site and is in the process of informing all registered users that the hack took place.”

RockYou said it is planning to notify users. As others have noted, 10 days after it learned of the breach is far too late.

Source: DigitalBeat

Nov 18 2009

Cain & Abel v4.9.35 Released

Cain & Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

New Features:

  • Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter.
  • Added Abel64.exe and Abel64.dll to support hashes extraction on x64 operating systems.
  • Added x64 operating systems support in NTLM hashes Dumper, MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder, Credential Manager Password Decoder, DialUp Password Decoder.
  • Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.
  • Fixed a bug of RSA SecurID Calculator within XML import function.
  • Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU utilization while forwarding data.
  • Executables rebuilt with Visual Studio 2008.
  • Added Windows Firewall status detection on startup.
  • Added UAC compatibility in Windows Vista/Seven.
  • Winpcap library upgrade to version 4.1.1.

Download: ca_setup.exe