Thursday, April 30, 2009

Password Trivia

MySpace Passwords Aren't So Dumb

How good are the passwords people are choosing to protect their computers and online accounts?

It's a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords.

The attack was pretty basic. The attackers created a fake MySpace login page, and collected login information when users thought they were accessing their own account on the site. The data was forwarded to various compromised web servers, where the attackers would harvest it later.

MySpace estimates that more than 100,000 people fell for the attack before it was shut down. The data I have is from two different collection points, and was cleaned of the small percentage of people who realized they were responding to a phishing attack. I analyzed the data, and this is what I learned.

Password Length: While 65 percent of passwords contain eight characters or less, 17 percent are made up of six characters or less. The average password is eight characters long.

Specifically, the length distribution looks like this:

1-4 characters: 0.82 percent
5 characters: 1.1 percent
6 characters: 15 percent
7 characters: 23 percent
8 characters: 25 percent
9 characters: 17 percent
10 characters: 13 percent
11 characters: 2.7 percent
12 characters: 0.93 percent
13-32 characters: 0.93 percent

Yes, there's a 32-character password: "1ancheste23nite41ancheste23nite4." Other long passwords are "fool2thinkfool2thinkol2think" and "dokitty17darling7g7darling7."

Character Mix: While 81 percent of passwords are alphanumeric, 28 percent are just lowercase letters plus a single final digit -- and two-thirds of those have the single digit 1. Only 3.8 percent of passwords are a single dictionary word, and another 12 percent are a single dictionary word plus a final digit -- once again, two-thirds of the time that digit is 1.

numbers only: 1.3 percent
letters only: 9.6 percent
alphanumeric: 81 percent
non-alphanumeric: 8.3 percent

Only 0.34 percent of users have the user name portion of their e-mail address as their password.
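The categories above (length buckets, character mix, lowercase letters plus a single final digit, single dictionary word, dictionary word plus a final digit) are easy to turn into a composition audit that a defender can run over a password dump from their own systems before deciding on policy. The following is an added example written for this post, not code from the essay or from Wired; the sample password list and the tiny word list are constructed for illustration, so the percentages it reports describe that sample, not the MySpace data.

```python
import re
from collections import Counter

# Constructed sample for illustration; this is NOT the MySpace data set.
SAMPLE_PASSWORDS = [
    "password1", "abc123", "myspace1", "password", "blink182",
    "qwerty1", "123456", "soccer", "monkey1", "jordan23",
    "Summer2009!", "iloveyou1", "1ancheste23nite41ancheste23nite4",
    "dokitty17darling7g7darling7", "Tr0ub4dor&3", "letmein",
    "baseball1", "football1", "princess1", "hunter2",
]

# Tiny constructed word list standing in for a real dictionary file.
DICTIONARY = {
    "password", "soccer", "monkey", "baseball", "football",
    "princess", "iloveyou", "hunter", "summer", "jordan", "qwerty",
}

# Same buckets as the length table in the post.
LENGTH_BUCKETS = [(1, 4), (5, 5), (6, 6), (7, 7), (8, 8), (9, 9),
                  (10, 10), (11, 11), (12, 12), (13, 32)]

# Lowercase letters followed by exactly one trailing digit.
LOWER_PLUS_DIGIT = re.compile(r"[a-z]+[0-9]")


def length_bucket(pw):
    """Label a password with its bucket ('1-4', '5', ..., '13-32')."""
    n = len(pw)
    for lo, hi in LENGTH_BUCKETS:
        if lo <= n <= hi:
            return str(lo) if lo == hi else f"{lo}-{hi}"
    return ">32"


def char_class(pw):
    """Classify by character mix using the post's four categories."""
    if pw.isdigit():
        return "numbers only"
    if pw.isalpha():
        return "letters only"
    if pw.isalnum():          # letters and digits, nothing else
        return "alphanumeric"
    return "non-alphanumeric"  # at least one symbol (or empty string)


def is_lower_plus_digit(pw):
    return LOWER_PLUS_DIGIT.fullmatch(pw) is not None


def is_dictionary_word(pw, dictionary=DICTIONARY):
    return pw.lower() in dictionary


def is_dictionary_plus_digit(pw, dictionary=DICTIONARY):
    return len(pw) > 1 and pw[-1].isdigit() and pw[:-1].lower() in dictionary


def analyze(passwords, dictionary=DICTIONARY):
    """Return the composition statistics the post reports, as fractions of the sample."""
    if not passwords:
        raise ValueError("empty password list")
    total = len(passwords)
    lengths = Counter(length_bucket(p) for p in passwords)
    classes = Counter(char_class(p) for p in passwords)
    lower_digit = [p for p in passwords if is_lower_plus_digit(p)]
    ending_in_1 = sum(1 for p in lower_digit if p.endswith("1"))
    dict_words = sum(1 for p in passwords if is_dictionary_word(p, dictionary))
    dict_digit = sum(1 for p in passwords if is_dictionary_plus_digit(p, dictionary))
    return {
        "total": total,
        "average_length": sum(len(p) for p in passwords) / total,
        "length_distribution": {k: v / total for k, v in lengths.items()},
        "character_mix": {k: v / total for k, v in classes.items()},
        "lower_plus_digit": len(lower_digit) / total,
        # share of the lowercase-plus-digit group whose digit is 1
        "lower_plus_digit_ending_in_1": ending_in_1 / max(len(lower_digit), 1),
        "dictionary_word": dict_words / total,
        "dictionary_plus_digit": dict_digit / total,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Swap in a real word list and the plaintext dump you are auditing to get the same breakdown the essay gives; the "dictionary word plus digit" and "lowercase plus digit" lines are the ones a password policy most needs to drive down, since they describe the bulk of what a short dictionary pass will guess.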

Common Passwords: The top 20 passwords are (in order):

password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey. (Different analysis here.)

The most common password, "password1," was used in 0.22 percent of all accounts. The frequency drops off pretty fast after that: "abc123" and "myspace1" were only used in 0.11 percent of all accounts, "soccer" in 0.04 percent and "monkey" in 0.02 percent.

For those who don't know, Blink 182 is a band. Presumably lots of people use the band's name because it has numbers in its name, and therefore it seems like a good password. The band Slipknot doesn't have any numbers in its name, which explains the 1. The password "jordan23" refers to basketball player Michael Jordan and his number. And, of course, "myspace" and "myspace1" are easy-to-remember passwords for a MySpace account. I don't know what the deal is with monkeys.

We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?

But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long.

And in 1992 Gene Spafford cracked (.pdf) 20 percent of passwords with his dictionary, and found an average password length of 6.8 characters. (Both studied Unix passwords, with a maximum length at the time of 8 characters.) And they both reported a much greater percentage of all lowercase, and only upper- and lowercase, passwords than emerged in the MySpace data. The concept of choosing good passwords is getting through, at least a little.

On the other hand, the MySpace demographic is pretty young. Another password study (.pdf) in November looked at 200 corporate employee passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.

None of this changes the reality that passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster. Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize (.pdf). Those lines crossed years ago, and typical real-world passwords are now software-guessable. AccessData's Password Recovery Toolkit would have been able to crack 23 percent of the MySpace passwords in 30 minutes, 55 percent in 8 hours.

Of course, this analysis assumes that the attacker can get his hands on the encrypted password file and work on it offline, at his leisure; i.e., that the same password was used to encrypt an e-mail, file or hard drive. Passwords can still work if you can prevent offline password-guessing attacks, and watch for online guessing. They're also fine in low-value security situations, or if you choose really complicated passwords and use something like Password Safe to store them. But otherwise, security by password alone is pretty risky.

Via Wired

Friday, April 17, 2009

Taliban Exploit Class Rifts to Gain Ground in Pakistan

Rashid Iqbal/European Pressphoto Agency

Supporters of Islamic law on Thursday in the Swat Valley, a Pakistani region where the Taliban exploited class rifts to gain control.

PESHAWAR, Pakistan — The Taliban have advanced deeper into Pakistan by engineering a class revolt that exploits profound fissures between a small group of wealthy landlords and their landless tenants, according to government officials and analysts here.

The strategy cleared a path to power for the Taliban in the Swat Valley, where the government allowed Islamic law to be imposed this week, and it carries broad dangers for the rest of Pakistan, particularly the militants’ main goal, the populous heartland of Punjab Province.

In Swat, accounts from those who have fled now make clear that the Taliban seized control by pushing out about four dozen landlords who held the most power.

To do so, the militants organized peasants into armed gangs that became their shock troops, the residents, government officials and analysts said.

The approach allowed the Taliban to offer economic spoils to people frustrated with lax and corrupt government even as the militants imposed a strict form of Islam through terror and intimidation.

“This was a bloody revolution in Swat,” said a senior Pakistani official who oversees Swat, speaking on the condition of anonymity for fear of retaliation by the Taliban. “I wouldn’t be surprised if it sweeps the established order of Pakistan.”

The Taliban’s ability to exploit class divisions adds a new dimension to the insurgency and is raising alarm about the risks to Pakistan, which remains largely feudal.

Unlike India after independence in 1947, Pakistan maintained a narrow landed upper class that kept its vast holdings while its workers remained subservient, the officials and analysts said. Successive Pakistani governments have since failed to provide land reform and even the most basic forms of education and health care. Avenues to advancement for the vast majority of rural poor do not exist.

Analysts and other government officials warn that the strategy executed in Swat is easily transferable to Punjab, saying that the province, where militant groups are already showing strength, is ripe for the same social upheavals that have convulsed Swat and the tribal areas.

Mahboob Mahmood, a Pakistani-American lawyer and former classmate of President Obama’s, said, “The people of Pakistan are psychologically ready for a revolution.”

Sunni militancy is taking advantage of deep class divisions that have long festered in Pakistan, he said. “The militants, for their part, are promising more than just proscriptions on music and schooling,” he said. “They are also promising Islamic justice, effective government and economic redistribution.”

The Taliban strategy in Swat, an area of 1.3 million people with fertile orchards, vast plots of timber and valuable emerald mines, unfolded in stages over five years, analysts said.

The momentum of the insurgency built in the past two years, when the Taliban, reinforced by seasoned fighters from the tribal areas with links to Al Qaeda, fought the Pakistani Army to a standstill, said a Pakistani intelligence agent who works in the Swat region.

The insurgents struck at any competing point of power: landlords and elected leaders — who were usually the same people — and an underpaid and unmotivated police force, said Khadim Hussain, a linguistics and communications professor at Bahria University in Islamabad, the capital.

At the same time, the Taliban exploited the resentments of the landless tenants, particularly the fact that they had many unresolved cases against their bosses in a slow-moving and corrupt justice system, Mr. Hussain and residents who fled the area said.

Their grievances were stoked by a young militant, Maulana Fazlullah, who set up an FM radio station in 2004 to appeal to the disenfranchised. The broadcasts featured easy-to-understand examples using goats, cows, milk and grass. By 2006, Mr. Fazlullah had formed a ragtag force of landless peasants armed by the Taliban, said Mr. Hussain and former residents of Swat.

At first, the pressure on the landlords was subtle. One landowner was pressed to take his son out of an English-speaking school offensive to the Taliban. Others were forced to make donations to the Taliban.

Then, in late 2007, Shujaat Ali Khan, the richest of the landowners, his brothers and his son, Jamal Nasir, the mayor of Swat, became targets.

After Shujaat Ali Khan, a senior politician in the Pakistan Muslim League-Q, narrowly missed being killed by a roadside bomb, he fled to London. A brother, Fateh Ali Mohammed, a former senator, left, too, and now lives in Islamabad. Mr. Nasir also fled.

Later, the Taliban published a “most wanted” list of 43 prominent names, said Muhammad Sher Khan, a landlord who is a politician with the Pakistan Peoples Party, and whose name was on the list. All those named were ordered to present themselves to the Taliban courts or risk being killed, he said. “When you know that they will hang and kill you, how will you dare go back there?” Mr. Khan, hiding in Punjab, said in a telephone interview. “Being on the list meant ‘Don’t come back to Swat.’ ”

One of the main enforcers of the new order was Ibn-e-Amin, a Taliban commander from the same area as the landowners, called Matta. The fact that Mr. Amin came from Matta, and knew who was who there, put even more pressure on the landowners, Mr. Hussain said.

According to Pakistani news reports, Mr. Amin was arrested in August 2004 on suspicion of having links to Al Qaeda and was released in November 2006. Another Pakistani intelligence agent said Mr. Amin often visited a madrasa in North Waziristan, the stronghold of Al Qaeda in the tribal areas, where he apparently received guidance.

Each time the landlords fled, their tenants were rewarded. They were encouraged to cut down the orchard trees and sell the wood for their own profit, the former residents said. Or they were told to pay the rent to the Taliban instead of their now absentee bosses.

Two dormant emerald mines have reopened under Taliban control. The militants have announced that they will receive one-third of the revenues.

Since the Taliban fought the military to a truce in Swat in February, the militants have deepened their approach and made clear who is in charge.

When provincial bureaucrats visit Mingora, Swat’s capital, they must now follow the Taliban’s orders and sit on the floor, surrounded by Taliban bearing weapons, and in some cases wearing suicide bomber vests, the senior provincial official said.

In many areas of Swat the Taliban have demanded that each family give up one son for training as a Taliban fighter, said Mohammad Amad, executive director of a nongovernmental group, the Initiative for Development and Empowerment Axis.

A landlord who fled with his family last year said he received a chilling message last week. His tenants called him in Peshawar, the capital of North-West Frontier Province, which includes Swat, to tell him his huge house was being demolished, he said in an interview here.

The most crushing news was about his finances. He had sold his fruit crop in advance, though at a quarter of last year’s price. But even that smaller yield would not be his, his tenants said, relaying the Taliban message. The buyer had been ordered to give the money to the Taliban instead.

NYT

Tuesday, April 7, 2009

India's government battles Maoist fighters - 4 Apr 09 - Al- Jazeera

India's election commission has reduced polling hours in some states due to the influence of Maoist Naxalite fighters.

Al Jazeera's Divya Gopalan reports.

Link to video