Phishing attacks that led to over 10,000 personal passwords from Hotmail, Gmail or Yahoo Mail accounts being disclosed this week have confirmed people will routinely use the weakest of passwords to secure their online identity.
Statistical analysis of the passwords by web application security firm Acunetix revealed the most common was 123456. Some 19% of the leaked passwords used only numerals, and 42% lower case letters only.
Security experts advise passwords should be a mixture of letters, numbers, and symbols, and Google has recommended people choose a favoured phrase or statement and use the first letter of every word in that. Both will help minimise the risk of dictionary attacks.
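The composition analysis described above, reproduced as an added example (not Acunetix's own tooling or data): it buckets a constructed sample of passwords by character class, reports the most common entry, and flags any password that would fall to a dictionary attack because it is on a common-password list, is short, or does not mix letters, numbers and symbols. The sample and the common-password list are constructed for illustration.

```python
from collections import Counter

# Constructed sample standing in for a leaked webmail credential dump
# (not the real 2009 data; values chosen to exercise each bucket).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "654321",                     # numerals only
    "password", "iloveyou", "qwerty", "alberto", "alejandra",   # lower case only
    "Summer2009", "Wtmhbatp!", "Tr0ub4dor&3",                   # mixed classes
]

# Constructed shortlist of the passwords a dictionary attack tries first.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "iloveyou", "123456789"}


def char_classes(pw):
    """Return the set of character classes (digit/lower/upper/symbol) present in pw."""
    classes = set()
    for ch in pw:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("symbol")
    return classes


def composition_report(passwords):
    """Whole-percentage share of passwords per composition bucket, plus the
    single most common password and how many times it recurs in the dump."""
    n = len(passwords)
    pct = lambda k: round(100 * k / n)
    classes = [char_classes(p) for p in passwords]
    most_common, count = Counter(passwords).most_common(1)[0]
    return {
        "total": n,
        "numerals_only_pct": pct(sum(c == {"digit"} for c in classes)),
        "lower_only_pct": pct(sum(c == {"lower"} for c in classes)),
        "mixed_pct": pct(sum(len(c) >= 3 for c in classes)),
        "most_common": most_common,
        "most_common_count": count,
    }


def is_weak(pw, common=COMMON_PASSWORDS, min_len=8):
    """Weak if on the common list (case-insensitive), shorter than min_len, or
    drawn from fewer than three character classes, i.e. not the advised mix
    of letters, numbers and symbols."""
    return pw.lower() in common or len(pw) < min_len or len(char_classes(pw)) < 3
```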
MessageLabs said there was evidence of an increase in the number of brute-force password breaking attempts, where dictionary attacks are used against online webmail accounts, perhaps using POP3 or webmail to conduct the attacks.
“Users with simple or weak passwords are the most vulnerable. On the website, an attacker will be asked to solve a Captcha puzzle to prove they are a real person. Captchas can be easily bypassed using a variety of Captcha-breaking tools,” MessageLabs said.
The company noted another problem that is developing, in addition to the security of emails.
“A user’s unique email address is often used to authenticate a number of web sites, including social networking sites and instant messaging on a public IM network,” said Paul Wood of MessageLabs. “If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID.”
Research commissioned by encryption supplier Stonewood Group has revealed that people are becoming increasingly concerned about these growing ID fraud threats, with 66% worried that they will be affected by identity loss in the future.
Ahead of next week’s National ID fraud week in the UK, Stonewood today called for the Government to set tougher penalties for Data Protection Act breaches, saying the latest figures show it costs Britons over £2 billion a year with as many as 29 million people affected by data loss in the past year alone.
Chris McIntosh, Stonewood CEO said, “Businesses can easily protect data by using hardware encryption and authentication, eradicating any risk of data loss and helping reduce the growing ID fraud threat. The problem is, until businesses understand there are massive consequences to DPA breaches, including heavy fines and the threat of jail, they are not going to invest in resolving the problem.”