

Posts Tagged ‘passwords’
August 7th, 2014

Russian hackers steal 1 billion passwords – now what?

Change your passwords every six months or after news of a breach

Reports on “the biggest hack ever” recently surfaced. A Russian hacker group allegedly captured 1.2 billion unique username and password combinations.

With this latest security breach, AVAST encourages consumers to take the necessary precautions. Change your passwords immediately, and if you use the same password anywhere else, change it there too. Choose long, complex passwords: if a breached site stored only password hashes, a strong password is far harder for attackers to crack. In general, we recommend changing passwords every three to six months, or after news of a breach.

A password manager like avast! EasyPass helps encrypt and protect personal information online with random, strong passwords. avast! EasyPass generates complex passwords and removes the inconvenience of having to remember them.

If financial and credit card data is compromised in an online threat, AVAST advises users to monitor and check their accounts for unauthorized charges and to immediately report any suspicious activities to their bank or card provider.

Interested in reading more?

Try our articles on creating strong passwords:  Do you hate updating your passwords whenever there’s a new hack? and My password was stolen. What do I do now?

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

July 14th, 2014

Common passwords inspire uncommon dress

Lorrie Cranor models her famous Password dress in front of the “Security Blanket” quilt.

Weak passwords make for creative design.

If you use 123456 or password as your password, you may as well wear it for all to see. It’s THAT easy to crack.

To illustrate this point, Lorrie Cranor, quilt artist, and oh yeah,  director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University, designed fabric based on the extensive research she and her students conducted on the weaknesses of text-based passwords. The quilt she made is aptly named “The Security Blanket,” and is designed from a word cloud of the 1,000 most commonly found passwords from the 2010 RockYou.com hack. Professor Cranor made a Password dress to go with the password quilt. The fabric is available for purchase from Spoonflower.

Iloveyou, you little monkey

The most popular password, 123456, forms a backdrop across the whole quilt. But what intrigued Cranor was not the “the obvious lazy choices,” but what else people choose as passwords. She went through the list and organized the passwords into themes. Many passwords fell into multiple themes, so she tried to think like a RockYou user and extract some meaning from their choices.

Love is a strong theme, and the research found that love-themed words make up the majority of non-numeric passwords. Iloveyou in English and other languages is common. The names of pets are common, and Princess showed up in the top 1,000 and simultaneously on lists of popular pet names. Chocolate is the most frequent of the food-related passwords, with chicken and banana(s) coming up often.

Chicken was a surprise to me, as was monkey, the 14th most popular password. Could RockYou users have an affinity for monkeys because of a game, or do they just like monkeys? Is it related to bananas? Do gamers eat more bananas?

Some things we’ll just have to speculate about…

Swear words, insults, and adult language showed up in the top 1000 passwords, “but impolite passwords are much less prevalent than the more tender love-related words,” wrote Cranor in her blog.

Purely numeric passwords are even more popular. Three times as many people chose 123456 as chose password, and 12345 and 123456789 were also more popular choices. It seems that when required to use a number in a password, people overwhelmingly pick the same number, or always put the number in the same position in their passwords.

Top 10 worst passwords

Security developer SplashData published the Worst Passwords of 2013. Check the list to see if you use any of these:

Rank Password Change from 2012
1 123456 Up 1
2 password Down 1
3 12345678 Unchanged
4 qwerty Up 1
5 abc123 Down 1
6 123456789 New
7 111111 Up 2
8 1234567 Up 5
9 iloveyou Up 2
10 adobe123 New

Tips and tricks

1. Use a random collection of letters (uppercase and lowercase), numbers and symbols

2. Make it 8 characters or longer

3. Create a unique password for every account

Read more from the AVAST blog

Do you hate updating your passwords whenever there’s a new hack?

Are hackers’ passwords stronger than regular passwords?

June 9th, 2014

Are hackers’ passwords stronger than regular passwords?

Hackers use weak passwords just like the rest of us.

Nearly two thousand passwords used by hackers came to light this week, when I tried to decode a PHP shell without knowing the key. Because I did not know the exact content of the encoded file and searching for the key could take me years, I chose a different approach. I decided to find out how strong the passwords used by hackers are and create a dictionary from them. :)

Over the years of fighting malware, the avast! Virus Lab has gathered many samples of various back-doors, bots and shells. Some of them are protected with a password stored as an MD5 or SHA1 hash, or in plain text, so that was a good place to start. I looked at 40,000 samples of hackers' passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from unsalted MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes. I created statistics from those words, and here are my findings.

Passwords that nobody will guess

Percentage of characters used in hackers' passwords

About 10% of the passwords were beyond normal capabilities of guessing or cracking. Of those, I found words as long as 75 characters, probably generated by a computer. Some of them were in long sentence form mixed with special characters such as lol dont try cracking 12 char+. Too bad it was stored in plain text. ;)

There were also passwords that use characters not found on an English keyboard. The remaining roughly 90%, however, were plausibly an ordinary word, perhaps with a few digits added, and no less than 9% of the passwords could be found verbatim in an English dictionary.

The table on the right shows which characters are used in hackers' passwords. The first row means that 58% of passwords contained only lower-case alphabet characters a-z.
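As an added example, not code from the avast! Virus Lab (whose tooling the post does not show), the following Python reproduces the two steps described above on a small constructed corpus. It tabulates which character classes each password uses, the same breakdown as the table, reports how many passwords are plain dictionary words, and recovers short passwords from unsalted MD5 digests with a dictionary pass followed by exhaustive search over lowercase strings of up to four characters. Every password, digest and wordlist in it is constructed for illustration; the percentages it prints are for this sample, not the lab's.

```python
import hashlib
import itertools
import string
from collections import Counter

# Constructed sample corpus standing in for the lab's samples: a few plain-text
# passwords plus unsalted MD5 digests of four more. None of these are real data.
PLAIN_PASSWORDS = [
    "admin", "monkey", "iloveyou", "r00t", "Shell2014", "p@ssw0rd",
    "lol dont try cracking 12 char+", "qwerty", "hackme", "ADMIN",
]
MD5_HASHES = [
    hashlib.md5(b"pass").hexdigest(),                 # in the wordlist
    hashlib.md5(b"1234").hexdigest(),                 # in the wordlist
    hashlib.md5(b"zqx").hexdigest(),                  # not a word, but short
    hashlib.md5(b"correct-horse-2014!").hexdigest(),  # beyond both attacks below
]
# Tiny constructed wordlists; a real run would use a full dictionary and leaked lists.
WORDLIST = ["password", "admin", "root", "shell", "hacker", "letmein", "pass", "1234"]
ENGLISH_WORDS = {"admin", "monkey", "love", "shell", "hack", "password", "root"}


def char_class(pw: str) -> str:
    """Label a password by the character classes it uses, e.g. 'a-z+0-9'."""
    classes = []
    if any(c in string.ascii_lowercase for c in pw):
        classes.append("a-z")
    if any(c in string.ascii_uppercase for c in pw):
        classes.append("A-Z")
    if any(c in string.digits for c in pw):
        classes.append("0-9")
    if any(c not in string.ascii_letters + string.digits for c in pw):
        classes.append("symbols")
    return "+".join(classes) or "empty"


def class_distribution(passwords) -> dict:
    """Percentage of passwords in each character-class bucket (the post's table)."""
    counts = Counter(char_class(p) for p in passwords)
    return {k: round(100 * v / len(passwords), 1) for k, v in counts.items()}


def dictionary_word_share(passwords, words=ENGLISH_WORDS) -> float:
    """Percentage of passwords that are, ignoring case, exactly a dictionary word."""
    hits = sum(1 for p in passwords if p.lower() in words)
    return round(100 * hits / len(passwords), 1)


def crack_md5(hashes, wordlist, max_len=4, alphabet=string.ascii_lowercase) -> dict:
    """Map each recoverable unsalted MD5 digest to its plaintext.

    First a dictionary pass, then exhaustive search over `alphabet` up to
    `max_len` characters. With unsalted MD5 every candidate costs one hash and
    is checked against every target at once, which is why the post's
    sub-9-character hashes fell so easily.
    """
    targets = set(hashes)
    found = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in targets:
            found[digest] = word
    for length in range(1, max_len + 1):
        if len(found) == len(targets):
            break
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            digest = hashlib.md5(candidate.encode()).hexdigest()
            if digest in targets and digest not in found:
                found[digest] = candidate
    return found


if __name__ == "__main__":
    print("character classes:", class_distribution(PLAIN_PASSWORDS))
    print("plain dictionary words:", dictionary_word_share(PLAIN_PASSWORDS), "%")
    cracked = crack_md5(MD5_HASHES, WORDLIST)
    for digest in MD5_HASHES:
        print(digest, "->", cracked.get(digest, "<not cracked>"))
```

The brute-force cap of four lowercase characters keeps the run to about a second; raising it by one character multiplies the work by the alphabet size, which is the effect behind the post's nine-character cut-off. The fourth digest survives only because it is long and outside the search space, not because MD5 protects it.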

May 21st, 2014

eBay becomes victim of security breach

Auction giant eBay requests 128 million users to change their passwords after hack.

In a blog post from the company, eBay Inc. said a cyberattack “compromised a database containing encrypted passwords and other non-financial data.” There is no evidence that the compromise resulted in users’ financial or credit card information being stolen, but the company is telling all users to change their passwords.

Users need to stay alert even after their passwords have been changed. After a breach like this, the risk that hackers will use the stolen personal information to commit identity fraud and launch phishing attacks increases. As always, do not click on links in unsolicited emails, and do not give personal information over the phone. If you need to discuss your account information, contact eBay's customer service by phone or via their website.

“The eBay breach is yet another password issue like Heartbleed. It is really important that people take this seriously,” said Ondrej Vlcek, Chief Operating Officer of AVAST Software. “Data from our recent survey shows that nine out of ten people intended to change their passwords after Heartbleed, but only 40% took action. This careless attitude is completely irresponsible; people have to take the initiative to protect themselves.”

A password manager like avast! EasyPass helps encrypt and protect personal information online, with random, strong passwords. Learn about creating strong passwords by reading our blog, My password was stolen. What do I do now?

Two weeks ago, eBay discovered that cyberattackers had broken into their corporate network using a small number of employee login credentials. eBay revealed that the database was actually compromised in late February and early March, and included eBay customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. However, the database did not contain financial information or other confidential personal information.

Another eBay compromise yesterday

Yesterday, in an unrelated attack, eBay's UK and French advertisement network was compromised and served fake Java and Flash updates. This malicious advertising replaced the visited page with a look-alike update page whose installer delivered a Potentially Unwanted Program (PUP). As of last night, eBay was working to resolve the issue. avast! Antivirus detected the compromise and alerted users.

“Third party ad networks are useful to attackers because the number of connections delays taking malicious content down,” explained Honza Zika, malware analyst in the avast! Virus Lab. “Instead of a normal ad, the attacker deploys code that redirects to the attacker's page. It's designed to look like an official Flash or Java page, but installs unwanted toolbars, addons, extensions or other PUPs. avast! detected this and protected our users.”

Thanks to independent researcher Malekal for his work on this compromise. Read more on his blog.

May 21st, 2014

Heartbleed: Almost Everyone Plans to Protect Themselves, but Less than Half of People Actually Have

Have you heard about Heartbleed? Yes? Then you belong to a minority. Following Heartbleed, the vulnerability in the OpenSSL library, AVAST conducted an online survey with 268,000 respondents worldwide and found that three out of four people were not aware of the Heartbleed threat, which affected millions of sites and mobile apps.

AVAST then explained Heartbleed to these respondents. When asked if they would change their passwords after checking which sites were affected, nine out of ten said they would take action. This high number is interesting from a psychological standpoint as it shows how people think when initially confronted with a threat. People immediately plan on taking the appropriate measures to protect themselves against future threats, but how many actually follow through with their plans? In reality, less than half of people follow through with their security plans: Only 40% of the respondents who were aware of Heartbleed said they had actually changed their passwords. This number closely matches Pew’s Heartbleed report which found that 39% of Internet users have changed their passwords or canceled accounts.

“This kind of thing never affects me”

Many respondents, both those aware and unaware of the threat, said they don’t want to change their passwords because they don’t believe their accounts have been compromised. This makes one wonder if the 41% of respondents who were aware of the threat, but don’t believe they have been affected, either think the media has exaggerated the issue – or if they have a “this kind of thing never affects me” attitude. One in ten respondents believes that the next security breach will happen soon and they therefore don’t see the point in changing their passwords. This laissez-faire attitude could be caused by the fact that many have not seen concrete repercussions of the threat or have not yet been directly notified of the threat by the platforms they use. One of the most concerning facts revealed by the survey is that many people lack the know-how to protect themselves. One in ten respondents hasn’t changed their passwords because they don’t know how to change them. 

Furthermore, almost half of both respondents, aware and unaware of the threat, said they would change their passwords once the affected platforms have implemented patches and informed them of the changes.

Passwords are like keys that protect our sensitive data online, just as locks protect the precious objects in our homes. It is advisable to stay away from affected sites that have not yet issued patches. Once sites have implemented the necessary fixes, passwords should be changed and strengthened with the same urgency as you would change the locks on your home if you lost your keys or had them stolen.

Use a password manager to protect all of your accounts with ironclad passwords 

Changing and memorizing new passwords over and over again isn’t easy, especially since passwords should consist of at least eight characters – or according to latest recommendations even sixteen or more. They should include a mix of letters, numbers and symbols.

A password manager like our avast! EasyPass helps encrypt and protect personal information online. avast! EasyPass creates strong, random passwords of up to 512 characters and secures your information via military-grade encryption, making password management simple and secure. avast! EasyPass is currently available at a discounted price of  $9.99 a year.

April 10th, 2014

Do you hate updating your passwords whenever there’s a new hack?

Advice about changing passwords from AVAST.

Change your passwords as a precaution against the Heartbleed bug.

We reported yesterday on the serious Heartbleed bug, which reportedly allows hackers to steal encryption keys from nearly two-thirds of all websites.

“This is probably the worst bug discovered this year. We believed in the security of SSL/TLS, and now discover that it comes with a hole that allows anyone to read our personal information such as passwords, cookies or even servers' private keys,” said Jiri Sejtko, Director of the AVAST Virus Lab. “We, as end users, simply can't do anything but make sure we are as secure as possible.”

That means changing your passwords. Again.

If just thinking about changing all your passwords makes you want to jump out the window, then here are a few tricks to help make it a little less painful. At the end of this post, we’ll share a tip on how to make password creation, as well as remembering them all, as easy-as-pie. So go all the way to the end. ;)

Why do cybercrooks want your password?

It takes serious effort to hijack accounts, so there must be some payoff at the end for cybercrooks.  Obviously, it’s not to get your vacation photos. Money is the most common motivation. Your money.

There are many ways of turning stolen data into money, but one of them is worth highlighting. Research shows that 55% of us reuse passwords on different sites. If you are among them, the password you use for Facebook may well be the one that also unlocks your bank account, so a breach of any one site hands cybercrooks the keys to the others. Never use the same password on different sites, especially for really important services.

Password basics

1. Use a random collection of letters (uppercase and lowercase), numbers and symbols

2. Make it 8 characters or longer

3. Create a unique password for every account

Tricks and tips

Maximum password security requires at least eight characters, a mix of upper and lower case, a few symbols, and a sense of humor.

Create an acronym using a meaningful, easy-to-remember piece of information. Use a sentence like My wedding anniversary is 28 December, 2001. That phrase turns into this password: Mwai28/Dec.01. Pick a phrase whose details are not themselves easy to look up; a date that appears on your public profile is weaker than one only you know.

Many sites require a special symbol like ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /. Use some of those to replace letters. Your password can then be this: M<>ai28/Dec.0!.
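The password basics above (mixed character classes, eight characters or more, a unique password per account) and the worst-passwords list earlier in this archive can be turned into code. The following Python is an added example, not avast! EasyPass or any other product's code: it generates passwords from the operating system's CSPRNG while guaranteeing every character class is present, works out how many bits of entropy a given length and alphabet give, and checks a candidate against a blocklist after stripping the trailing digits and letter substitutions people add to a weak base word. The blocklist is the SplashData top ten quoted above, the guess rate of 1e10 per second is an assumed figure for an offline attack on a weak hash, and the substitution table is a heuristic.

```python
import math
import secrets
import string

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters

# The SplashData 2013 list quoted in this archive, used as a small blocklist.
# A real deployment would load a large leaked-password list instead.
WORST_2013 = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}

# Common letter substitutions people use to "strengthen" a word (heuristic).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def has_all_classes(pw: str) -> bool:
    """True if pw mixes lower, upper, digit and symbol characters."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length: int = 16) -> str:
    """Draw a password uniformly from FULL_ALPHABET using the OS CSPRNG.

    Rejection sampling (retry until every class is present) keeps the result
    uniform over qualifying strings; patching in a missing class would not.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to hold every class")
    while True:
        pw = "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every password of `bits` entropy at the given guess rate.

    1e10/s is a stand-in for a fast offline attack on a weak hash; it is an
    assumption, not a measurement.
    """
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def normalize(pw: str) -> str:
    """Reduce a decorated password to its base word: lowercase, strip leading
    punctuation and trailing digits/punctuation, undo common substitutions."""
    base = pw.lower().lstrip(string.punctuation)
    base = base.rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def is_weak_variant(pw: str, blocklist=WORST_2013) -> bool:
    """True if pw is a blocklisted password or a trivial variation of one."""
    return pw.lower() in blocklist or normalize(pw) in blocklist


if __name__ == "__main__":
    for n in (8, 16):
        bits = entropy_bits(n, len(FULL_ALPHABET))
        print(f"{n} random chars: {bits:.1f} bits, {years_to_exhaust(bits):.2e} years at 1e10/s")
    print("example:", generate_password(16))
    for candidate in ("Qwerty123!", "P@ssw0rd", "Mwai28/Dec.01"):
        print(candidate, "weak variant:", is_weak_variant(candidate))
```

Eight random characters from the 94-symbol alphabet give about 52 bits, which the assumed attacker exhausts in days; sixteen give about 105 bits, which is out of reach. The acronym password from this post passes the blocklist check, but note that its entropy is that of the phrase behind it, not of sixteen random characters, so it stands or falls on nobody guessing the phrase.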

April 9th, 2014

Heartbleed affects much of internet. Time to change your passwords again.

The security community is buzzing with news of a threat called Heartbleed. The bug reportedly affects nearly two-thirds of all websites, including Yahoo Mail, OKCupid, WeTransfer, and others. The bug is a vulnerability in OpenSSL, the open-source cryptography library that implements SSL/TLS for vast portions of the web. It allows cybercrooks to steal encryption keys, usernames and passwords, financial data and other sensitive data they have no right to.

In a blog post to their users, Tumblr described it this way,

…that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

The latest version of OpenSSL fixes the problem and websites are already upgrading.

However, your popular social site, your company's site, commerce site, hobby site, sites you download software from or even sites run by your government might be using vulnerable OpenSSL, warns Codenomicon on their site about Heartbleed. A community-compiled list of vulnerable sites is hosted on GitHub, but some of those sites may have already been updated. AVAST's website is safe from the Heartbleed threat.

You can check a site's vulnerability status at the Heartbleed test site, which lets you enter a domain. If a site comes back as an “uh-oh” but doesn't say “heartbleed”, then there may be something else wrong, but it's not Heartbleed. Update: AVAST's COO, Ondrej Vlcek, recommends this checker: http://www.ssllabs.com/ssltest/analyze.html.

What can you do?

The best advice is to stay away from affected sites for a while. In their report on Heartbleed, Tor advises, “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”

You also need to change your passwords for any vulnerable sites, but only after each site has patched: a new password entered on a still-vulnerable server can be stolen just like the old one. Once affected sites have made the updates, they will most likely advise their customers to change their passwords. Earlier today, Tumblr sent their users a note encouraging them to change the passwords on all their online accounts immediately.

“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr said on their blog.

We have written tips about creating strong passwords in the avast! blog. Read My password was stolen. What do I do now? as a reminder.

October 29th, 2013

How many variations of “qwerty” and “1234” can you think of?

Comic strip: http://www.dilbert.com/

I am quite surprised at how inventive people can be when it comes to thinking up weak passwords. The obviously weak combinations like ‘1234’ or ‘qwerty’, along with names and phone numbers, are quite common parts of passwords.

Some background

The story begins with me fighting a familiar piece of malware, Bicololo, which is spyware designed to steal the identities of users of Russian social networks. A routine task, you might say. This time the authors were less cautious with the settings on their rogue servers, so I managed to get hundreds of freshly-stolen credentials. What to do with them? The first thing I tried was contacting support at the affected social network to get users warned and passwords reset. Unfortunately, my effort met no success there; they did not even bother to answer my mail! So instead of getting to warn hundreds of innocent users of the Russian social network, I used this unique opportunity to analyze the habits users have regarding their passwords and share it with our AVAST readers.

Once I cleaned up the data, I was left with about 850 unique username-password pairs. This is not enough for the results to be widely representative. The data was obtained from a rather specific group of (less experienced) users whose lack of knowledge allowed their computers to be infected. I expect the general reality to be a bit better than my results. Though my findings are not scientifically rigorous, they can give us some insight into the problem and show us examples we should avoid when choosing our passwords.

April 15th, 2013

WordPress sites hacked

There is a nasty botnet trawling WordPress sites, trying to log in with the default “admin” user name and “brute-force” password guessing. Our advice to save your WordPress blog from being hacked is to rename the admin login to something else and use strong passwords.

Matt Mullenweg, the founder of WordPress, advises the same thing on his blog. He also said to turn on two-step authentication, which prompts you for a one-time code from the Google Authenticator app on your smartphone, so a guessed password alone is not enough to log in. To make as secure an environment as you can, ensure that the latest version of WordPress is installed as well.

“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg writes to assure 64 million WordPress users.
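Renaming the admin account and enabling two-step authentication stop the botnet from getting in; spotting the attempts in the first place is the other half. The following Python is an added example, not from the avast! post or from WordPress: it reads Apache/nginx combined-format access log lines, counts POSTs to /wp-login.php per source IP inside a sliding time window, and notes whether any of them was answered with a 302 redirect, which is what a stock WordPress install returns on a successful login (a failed attempt re-renders the form with a 200). The log lines, IP addresses (from the documentation ranges) and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format, up through the status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold: int = 10, window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with >= threshold POSTs to wp-login.php inside any window.

    Assumption (stock WordPress): a failed login re-renders the form with 200,
    a successful one answers 302 to wp-admin, so a 302 amid the burst means the
    guessing most likely worked and the account needs a reset, not just a block.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))

    flagged = {}
    for ip, events in posts.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):           # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(events),
                "peak_in_window": peak,
                "login_succeeded": any(status == 302 for _, status in events),
            }
    return flagged


def make_line(ip, ts, method="POST", path="/wp-login.php", status=200) -> str:
    """Build a constructed combined-format log line (sample data, not a real log)."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 2048 '
            f'"-" "Mozilla/5.0"')


_T0 = datetime(2013, 4, 15, 10, 0, 0, tzinfo=timezone.utc)
# Constructed sample: one host hammering the login form and finally getting in,
# one host with a single attempt. Addresses are from the documentation ranges.
SAMPLE_LOG = (
    [make_line("203.0.113.7", _T0 + timedelta(seconds=8 * i)) for i in range(12)]
    + [make_line("203.0.113.7", _T0 + timedelta(seconds=100), status=302)]
    + [make_line("198.51.100.4", _T0 + timedelta(minutes=1)),
       make_line("198.51.100.4", _T0 + timedelta(minutes=30), method="GET", path="/", status=200)]
)


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A botnet spreads its guesses across many source addresses, so a per-IP threshold catches the noisy nodes but not a slow, distributed campaign; counting attempts per target username over a longer window, and alerting on any successful login that follows a burst, covers that case.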

March 25th, 2013

Personal identification numbers (PINs) need protection too

By now, avast! users are aware of the importance of creating strong computer passwords, and of guarding their Social Security number like a trained Doberman. But what about the humble four-digit personal identification number (PIN)? PINs are security features just like passwords. They give access to your mobile phone, credit card, bank account, and numerous other things. My garage door opener even has a keypad and PIN. Because it's the key that unlocks so many doors, literally and figuratively, it pays to keep your PINs safe.

Here are some things to remember when choosing a PIN:

  • Be more original than 1234. One in 10 people use this number combination. Together with 1111 and 0000, these three combinations make up nearly 20% of PINs. Think of it this way, if you find an ATM card on the floor, you have a 1 in 10 chance of getting the correct number if you type 1-2-3-4 .
  • Using your birthdate as a PIN is a bad idea. Everyone carries their driver's license in their wallet next to their ATM card. The birthday information gives a wallet thief both the lock and the key in one convenient location. One study found that one out of 15 wallet-theft victims also had their bank account raided.
  • Forget about your address too. Your house or apartment number is also printed on your driver’s license, so it’s easily found.
  • Keep LOVE in your heart, not on your phone. 5683, which spells out “love” on the keypad is very popular.  Use a less popular word, maybe 9278, which spells “wart.”

Here are some tips to secure (and remember) your PIN:

  • Use the bank-assigned number. Just don't write it on your ATM card.
  • An old phone number, student or work ID is good, as long as they’re not listed anywhere.
  • Choose a meaningful number. The score of the big game (your favorite basketball team won 80-58, so the PIN is 8058).
  • Base the number on a phrase instead of a word, such as 2432 for “Avast is FREEking awesome” (AIFA).
  • Hide the number in a fake contact. If you have too many PINs to remember, make up a fake contact with a fake phone number and keep it in your phone. Just don’t let the battery run out!

Share your tips for creating strong PINs and how to remember them in the comments section. And please follow us on social media. We can be found on Facebook, Google+ and Twitter.