Researchers at the University of California, Santa Barbara recently published a report about their findings after taking over a botnet codenamed Torpig. This massive botnet collects passwords from unsuspecting users; the data it harvested allowed the researchers to crack over 56,000 passwords in an hour, and to collect over 70 GB of financial and personal data in a matter of 10 days before the botnet's code was updated to lock them out.
Although the sheer volume of the stolen data itself is rather impressive, the research had more interesting statistics on how users manage passwords. They found that most users reused the same passwords for multiple sites, allowing the malware to steal credit card numbers and bank logins with ease. Of the hundreds of thousands of passwords that were collected, more than 40% were cracked and recovered in just over an hour. A further 30% of the passwords (over 30,000) were cracked in the next 24 hours.
Some of the more popular sites with compromised accounts included:
- Facebook
- MySpace
- Yahoo.com
- Live.com
So if you ever wondered if your passwords are strong enough, the chances are... they're not. The fact that 70% of the passwords collected were compromised within 24 hours, in a sample of hundreds of thousands of passwords, shows that people continue to use weak static passwords, and are using the same passwords across multiple systems.
And you wonder why we encourage people to use dynamic one-time passwords (OTPs) provided by strong two-factor authentication systems like AuthAnvil. Complex password policies aren't solving the problem. As more and more systems require passwords, people are reusing them across different systems... and as we can see... most of these passwords are easily recoverable within hours or days.
Now it could be argued that this research was focused on social media and personal email websites like Yahoo.com and Live.com. The fact is, in our own research, we have found that many users use the same password for their business accounts (Windows logon, Exchange email and even separate VPN accounts) as they do for their Hotmail and GMail accounts. Why? Because they have too many passwords to use each day, and this way it is easier to remember.
So you still think static passwords are safe to protect your most critical business resources?