Ping Identity > Blogs > PingTalk 

PingTalk Blog

Now that’s a bad day for passwords

  • By ,
  •  | 

One day, two attacks, 1.4 million passwords pilfered.

Between Yahoo and an Android forum called Phandroid, Thursday proved to be a fruitful day for hackers looking to steal passwords.

Yahoo, 400,000. Phanandroid, 1 million. 

(I'm not including Formspring, which reset 28 million passwords the previous day).

And it was another black eye for the proliferation of passwords and those that create them. Both Yahoo and Fandroid had the same advice – change your password and change your passwords on other sites if you re-use passwords. 

The previous day I wrote a ZDNet column explaining how BestBuy.com customers are under attack by hackers using usernames and passwords the hackers stole at another site as long as a year ago.

So don’t discount those re-used passwords as just another pain in the keyboard to change.

My colleague over at ZDNet, Emil Protalinski, reported the facts of the Yahoo and Android cases. You can read the Yahoo story here and the Android story here.

Yahoo tried to lessen the blow saying the file that was stolen was “old” and that only 22,000 or so accounts were valid. But that is not much relief for those who might have re-used those passwords say on banking sites or sites where they store credit cards (as in the Best Buy case).

Perhaps the most telling part of the story were statistics posted on Pastebin that broke down how the Yahoo passwords were configured.

Below are the top ten passwords from the Yahoo breach. The sad part is how familiar (123456) they sound from other hacks over the past decade or so. Progress seems stuck in neutral.

All this comes on the same day that the National Strategy for Trusted Identities in Cyberspace (NSTIC) announced that Trusted Federal Systems would oversee the Steering Group that will create policies and guidelines for NSTIC.

The goal of NSTIC is to create an "identity ecosystem" that provides secure identities for online transactions while limiting the disclosure of personal information.

Debate whether NSTIC is the answer or not, but don't miss the point - change is needed.

If you are going to the Cloud Identity Summit next week, this will all be up for discussion and dissection. See you there.

Top 10 passwords in Yahoo hack.

  1. 123456 = 1666 (0.38%)
  2. password = 780 (0.18%)
  3. welcome = 436 (0.1%)
  4. ninja = 333 (0.08%)
  5. abc123 = 250 (0.06%)
  6. 123456789 = 222 (0.05%)
  7. 12345678 = 208 (0.05%)
  8. sunshine = 205 (0.05%)
  9. princess = 202 (0.05%)
  10. qwerty = 172 (0.04%)

Add your comment