Isn’t it a challenge to remember complex passwords? You might question the necessity of creating them. Most platforms are content if your password includes a symbol, number, or capital letter, or any combination thereof. “Ronan1997!” seems to fit the bill, right? But what if we add an extra symbol for good measure, “Ron@n1997!”? Seems complex enough, doesn’t it? However, if I were to use this password, a classic blend of my name, birth year, and a few symbols for good measure, I’d be in for a shock if my passwords were registered with Rock You in 2009…
The Incident
Rock You, a developer company that created Widgets for social media platforms like MySpace, suffered a massive breach in 2009. An ambitious hacker infiltrated their domain, compromising 32 million user accounts. But how did this occur?
The Missteps of Rock You (and Its Users)
While Rock You bears a significant portion of the blame, their users also made some critical mistakes. Rock You’s domain lacked an encrypted certificate, so passwords were output and stored in cleartext. This highlights the importance of encrypted certificates, which store passwords as scrambled strings that read as indecipherable gibberish to any would-be hacker. However, even encryption can be vulnerable if it’s weak, a point I’ll revisit later. Surprisingly, Rock You even emailed cleartext passwords to users who requested password recovery, a practice that would be unthinkable today.
As for the users, their downfall was the use of simple passwords, like the example I mentioned earlier. The leaked data revealed a plethora of common names and phrases used as passwords, such as “Princess1234567”, “RockYou4567”, “Nicole”, “BabyGirl”, and “monkey”. Moreover, Rock You didn’t allow users to include special characters in their passwords, which made the hackers’ job easier by narrowing down the pool of potential passwords.
The Hackers’ Advantage (and How They Could Exploit You Too!)
The hackers exploited a decade-old vulnerability in the SQL version the domain was running on, gaining access to the database. Since the database was in cleartext, they could freely test user accounts and passwords. The database also contained passwords for connected accounts on partner sites like Facebook and MySpace.
Even if Rock You had used encryption, hackers could potentially crack weak encryption. They can compare encrypted common phrases with the list of encrypted passwords obtained from the breach and deduce the rules used to create the passwords. Hackers often use powerful computers and botnets to cycle through all possible combinations.
The Importance of Strong Passwords
Hopefully, you now understand why complex passwords, though harder to remember, are crucial. They are less likely to appear on hackers’ lists of “common phrases” or “common passwords”. The accompanying video provides tips on creating strong passwords, such as using the first letters of each word in a movie quote and adding symbols and numbers as needed.
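To make the difference concrete, here is an added example (not from the original post or from Affirm IT) of a password check that goes beyond the usual “capital, number, symbol” rule. It undoes symbol-for-letter swaps and strips trailing years and symbols, then looks the remaining word up in a blocklist; the blocklist here is a constructed handful of the RockYou passwords quoted above plus two first names, and the 12-character minimum is an assumption, since the post names no length.

```python
import re

# Constructed blocklist: the common passwords the post quotes from the RockYou
# leak plus a couple of first names, lower-cased. A real deployment would load
# a full breached-password list (hundreds of millions of entries) instead.
COMMON_PASSWORDS = {"princess", "rockyou", "nicole", "babygirl", "monkey", "password"}
COMMON_NAMES = {"ronan", "nicole"}
MIN_LENGTH = 12  # assumed policy minimum; the post names no specific length

# Symbol-for-letter swaps that make a password look complex without adding
# much unpredictability; undoing them exposes the underlying word.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
YEAR = re.compile(r"(19|20)\d{2}")


def meets_naive_policy(password: str) -> bool:
    """The 'capital, number and symbol' rule the post says most platforms apply."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def normalize(password: str) -> str:
    """Reduce a password to its core word: drop leading/trailing digits and
    symbols (e.g. '1997!'), lower-case, then undo leetspeak substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    core = normalize(password)
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if core in COMMON_PASSWORDS:
        reasons.append(f"'{core}' is a known leaked password")
    if core in COMMON_NAMES:
        reasons.append(f"built on the name '{core}'")
    if YEAR.search(password):
        reasons.append("contains a year, which is easily guessed from a birth date")
    return reasons


if __name__ == "__main__":
    # "Igtmhaohcr!27" is first letters of a movie quote plus symbols, as the post suggests
    for pw in ["Ron@n1997!", "Princess1234567", "monkey", "Igtmhaohcr!27"]:
        print(pw, "naive:", meets_naive_policy(pw), "reasons:", check_password(pw))
```

“Ron@n1997!” sails through the naive rule but is rejected three times over, while the movie-quote passphrase passes both checks.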
For further assistance or advice on setting secure passwords and other security measures for your business, feel free to contact our team at Affirm IT. You can reach us at 01157530123, email us at support@affirmit.co.uk, or connect with us on LinkedIn!