Page - 252 - in The Future of Software Quality Assurance
252 K. Yorkston

and $3.50 USD, with the potential for the purchaser to make up to 20 times the cost price.6 This is why we are continuously told not to replicate passwords over multiple sites. Account stuffing relies on a people-based weakness: we cannot remember long, complex, unique passwords, so we cheat! And inadvertently, create a vulnerability.

5 About Password Security

Passwords demonstrate the battle between security and usability. A long, complex password might be good for an organisation's security, but if security procedures become onerous in the view of users, they will find a way of subverting or avoiding them. The procedure thus becomes ineffective. Consider the following password rules (which might look familiar to many) and the subsequent passwords:

1. Must be a minimum 8 characters (12345678)
2. Must contain at least 1 upper and 1 lower case character (Qwertyui)
3. Must contain at least 1 number (Qwertyu1)
4. Must contain at least 1 special character (Qwerty1!)
5. Must be changed every 30 days (Qwerty2")

These listed passwords would take at most minutes to break for tools like John the Ripper or Hashcat. Various lists exist of the "Top 25" passwords used—all of which vary slightly due to the data on which they draw, but contain many of the same passwords (and yes, "password" is in there!) But they point to a common theme—that is, when we think we are being "random", we aren't. There is a reason why "qwertyuiop" isn't a good password—look at the top row of keys on a keyboard. Humans follow patterns, and those patterns can be predicted and replicated.

An interesting point is during the infamous Sony email hack relating to the release of the movie The Interview. The then CEO of Sony, Michael Lynton, had a password of Sonyml3.7 Any prizes for guessing what his next password might have been?

We need to forget passwords. Any password of eight characters is broken very quickly, and just because the MINIMUM is eight, it doesn't mean EXACTLY eight. And even if it cannot be broken in seconds, the attacker may not mind. They would have all the time they need to crack the password, as even when an alert goes out from the attacked site, how many people actually change THAT password, let alone all the other accounts using that same one. It should be noted that the encrypted password isn't decrypted, but a known word is encrypted to see if the encrypted result matches any passwords in the stolen set. The longer the password, the exponentially more combinations could be used to create a password. And, it

6 "The Economy of Credential Stuffing Attacks" listed on https://www.recordedfuture.com/credential-stuffing-attacks/
7 https://twitter.com/kevinmitnick/status/545432732096946176?lang=en
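The chapter's argument is that the five rules above are satisfied by keyboard walks and by trivially "rotated" passwords, and that only length grows the search space exponentially. The following is an added example, not code from the book: a small policy checker (function names and the 60-bit threshold are my own choices) that applies the four static rules, flags keyboard walks, detects a rotation that changes only digits and symbols, and reports the entropy a truly random password of that length would have.

```python
import math
import re
from typing import List, Optional

# Rows of a US QWERTY layout (constructed; the chapter names the top row).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def passes_rules(pw: str) -> bool:
    """Rules 1-4 from the chapter: >= 8 chars, upper + lower, digit, special.
    Rule 5 (30-day rotation) is a process rule, see trivial_rotation()."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def keyboard_walk(pw: str, min_run: int = 5) -> bool:
    """True if the password contains min_run adjacent keys from one row
    (e.g. 'qwert', '12345'), compared case-insensitively."""
    low = pw.lower()
    return any(row[i:i + min_run] in low
               for row in KEYBOARD_ROWS
               for i in range(len(row) - min_run + 1))


def trivial_rotation(old: str, new: str) -> bool:
    """True if only digits/symbols changed between old and new, i.e. the
    letters are identical (the 'Qwerty1!' -> 'Qwerty2"' pattern)."""
    letters = lambda s: re.sub(r"[^A-Za-z]", "", s)
    return old != new and len(old) == len(new) and letters(old) == letters(new)


def search_space_bits(length: int, alphabet: int = 95) -> float:
    """Bits of entropy of a uniformly random password of `length` symbols
    drawn from `alphabet` symbols (95 = printable ASCII). Linear in length,
    so the number of combinations is exponential in length."""
    return length * math.log2(alphabet)


def weaknesses(pw: str, previous: Optional[str] = None) -> List[str]:
    """Reasons a rule-compliant password is still weak; empty list if none."""
    found = []
    if not passes_rules(pw):
        found.append("fails complexity rules")
    if keyboard_walk(pw):
        found.append("keyboard walk")
    if previous is not None and trivial_rotation(previous, pw):
        found.append("trivial rotation of previous password")
    if search_space_bits(len(pw)) < 60:  # assumed threshold, ~9 random chars
        found.append("too short for a brute-force margin")
    return found
```

Running `weaknesses('Qwerty2"', previous="Qwerty1!")` shows that the page's fully rule-compliant example still fails on three counts, while the checks on a long random passphrase come back empty.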
Title: The Future of Software Quality Assurance
Author: Stephan Goericke
Publisher: Springer Nature Switzerland AG
Location: Cham
Date: 2020
Language: English
License: CC BY 4.0
ISBN: 978-3-030-29509-7
Size: 15.5 x 24.1 cm
Pages: 276
Category: Informatik