The term “black swan event” was introduced by Nassim Nicholas Taleb in the book Fooled By Randomness. Black swan events have three major characteristics: they are rare, they cause a significant or extreme impact, and, in retrospect, they were actually predictable. As described very well in this Wired article, “getting hacked” is a black swan event. While “getting hacked” can mean many different things, let’s take the example used in the Wired article: having your identity stolen by hackers. It is rare enough that many of us will probably never experience it. Some cases have an extreme impact, such as having your identity stolen, losing funds from your bank account, or having your computer or mobile devices wiped. And as this blog and any number of[…]

We are working with a security policy that treats two password forms as equivalent in strength:

- an 8-character password with two character sets represented (pick two of upper/lower/number/symbol)
- a 6-character password with three character sets represented (pick three of upper/lower/number/symbol)

The question arises: how equivalent (or not) are they? Well, it’s time to do some math.

Total Possible Passwords

One way to measure password strength is the total number of passwords that could be generated while meeting the criteria; more is better. There are 26 uppercase, 26 lowercase, 10 digit, and 33 ASCII-printable symbol characters available on the average keyboard (95 options in total). If we simply asked how many possible 6-character passwords there are, you can multiply 95 for[…]
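The excerpt stops before the arithmetic, so here is the keyspace count for both policy forms carried through, as an added example (not the post’s own code). It assumes the four character classes and sizes stated above (26/26/10/33) and counts, by inclusion-exclusion, the passwords of a given length that use at least a given number of those classes, which is what “two (or three) character sets represented” requires.

```python
from itertools import combinations
from math import log2

# Character classes on a typical US keyboard, with the sizes the post gives:
# 26 upper, 26 lower, 10 digits, 33 printable ASCII symbols (95 in total).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}


def count_exactly(length: int, classes: tuple) -> int:
    """Passwords of `length` that use every class in `classes` and no other.

    Inclusion-exclusion over sub-alphabets: start from all strings drawn from
    the union of `classes`, then subtract strings that miss at least one of
    them (alternating signs over the power set of `classes`).
    """
    total = 0
    for k in range(len(classes) + 1):
        for subset in combinations(classes, k):
            alphabet = sum(CLASS_SIZES[c] for c in subset)
            sign = (-1) ** (len(classes) - k)
            total += sign * alphabet ** length
    return total


def count_at_least(length: int, min_classes: int) -> int:
    """Passwords of `length` over the 95 printable characters that contain
    characters from at least `min_classes` distinct classes."""
    names = tuple(CLASS_SIZES)
    return sum(
        count_exactly(length, combo)
        for k in range(min_classes, len(names) + 1)
        for combo in combinations(names, k)
    )


def entropy_bits(keyspace: int) -> float:
    """Equivalent bits for a uniformly random pick from `keyspace` values."""
    return log2(keyspace)


if __name__ == "__main__":
    policy_a = count_at_least(8, 2)  # 8 chars, at least two of four classes
    policy_b = count_at_least(6, 3)  # 6 chars, at least three of four classes
    print(f"8 chars / 2 classes: {policy_a:,} ({entropy_bits(policy_a):.1f} bits)")
    print(f"6 chars / 3 classes: {policy_b:,} ({entropy_bits(policy_b):.1f} bits)")
    print(f"the 8-character form allows {policy_a / policy_b:,.0f}x more passwords")
```

The two policy forms differ by roughly 13 bits of keyspace, so a brute-force attacker has about ten thousand times more work against the 8-character form.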

You might have heard that LinkedIn had its password database breached, and news of it is trickling out today. There are a number of write-ups about it in most of the usual places, and Martin McKeay has a post with links to some of the better ones. The reason I’m writing about this is not to alert you, or that I’m annoyed I have to change another password. Two things really bother me about this. The first is the eerie similarity between this event and the Gawker password breach I wrote about almost exactly eighteen months ago. Both of these events made news because they were leaks of unsalted password hashes. And, although I didn’t write it in my blog post that day, two[…]

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach, which resulted in the compromise of over 32 million user accounts. The study examined statistics of the recovered passwords, including the number and variety of characters used to construct them. The results were pretty bad. Here are the highlights:

- 30% of users had passwords made up of 6 characters or less. Most brute force attempts are moderately successful against short passwords.
- Over 50% of passwords were all lowercase or all numbers. This is bad because the keyspace is reduced: even a password longer than 6 characters is weakened if it draws on a small set of character classes.

On the surface, these[…]