Most of us know we should be using a strong password that is different for every single website and app, so that every online account we have gets its own unique password. But how many of us actually follow that advice?
A recent study by mobile security firm AppBugs tested 100 of the most popular password-protected Android and iOS apps and found that over half (53%) were vulnerable to password brute-force attacks. In other words, those apps let an attacker submit as many login guesses as they want until they hit the right password.
Combined with the fact that many people use weak or re-used passwords, that puts those accounts in real danger. All an attacker needs is your email address or username to start guessing. If your password is weak, re-used, or one that plenty of other people have chosen before you (let’s face it, most of us are really bad at creating strong passwords), it will take practically no time at all to crack. And if a password was leaked in another breach, an attacker can simply try the same username and password combination here.
AppBugs explained that:
“According to this study on 70 million passwords, the strength of user passwords typically contains 10-20 bits of security. This means that it only takes the attacker 1024-1048576 guesses to find the correct one. Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him half an hour to 24 days to guess a password, depending on the strength of the target password. This is a scary estimate. Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute. If today the attacker launches such an attack against most user accounts in parallel, he will be able to get most user passwords within 24 days.”
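To make the arithmetic in that quote concrete, here is an added worked example (it is not from AppBugs or LastPass) that reproduces the guess counts and crack times for 10 and 20 bits of password strength at 30 guesses per minute, and then shows what a per-account lockout policy does to the same numbers. The lockout policy (10 failed attempts, then a 60-minute lockout) and the 100 parallel attack sources are assumptions chosen for illustration:

```python
import math

RATE_PER_MINUTE = 30       # guess rate assumed in the AppBugs quote
MINUTES_PER_DAY = 24 * 60


def guesses_for_bits(bits: int) -> int:
    """Size of the guess space for a password with `bits` bits of strength."""
    return 2 ** bits


def worst_case_minutes(bits: int, rate_per_minute: float = RATE_PER_MINUTE,
                       parallel_sources: int = 1) -> float:
    """Minutes to exhaust the guess space with no brute-force protection.

    `parallel_sources` models the quote's point that attackers guess from
    many IP addresses at once, multiplying the effective rate.
    """
    return guesses_for_bits(bits) / (rate_per_minute * parallel_sources)


def minutes_with_lockout(bits: int, attempts_before_lockout: int,
                         lockout_minutes: float,
                         rate_per_minute: float = RATE_PER_MINUTE) -> float:
    """Minutes to exhaust the guess space when the account locks for
    `lockout_minutes` after every `attempts_before_lockout` failures.

    A per-account lockout is not defeated by parallel IP addresses, because
    the counter belongs to the account, not the source. (Hard lockouts can be
    abused to lock users out; many services throttle instead of blocking.)
    """
    guesses = guesses_for_bits(bits)
    windows = math.ceil(guesses / attempts_before_lockout)
    guessing_time = guesses / rate_per_minute
    # Every window except the last is followed by a full lockout period.
    return guessing_time + (windows - 1) * lockout_minutes


def summary(bits: int) -> dict:
    """Crack-time figures (in days) for one password strength, constructed
    with the assumed policy: 10 attempts per lockout, 60-minute lockout,
    and 100 parallel attack sources for the unprotected case."""
    return {
        "guesses": guesses_for_bits(bits),
        "days_unprotected": worst_case_minutes(bits) / MINUTES_PER_DAY,
        "days_unprotected_100_sources":
            worst_case_minutes(bits, parallel_sources=100) / MINUTES_PER_DAY,
        "days_with_lockout": minutes_with_lockout(bits, 10, 60) / MINUTES_PER_DAY,
    }


if __name__ == "__main__":
    for b in (10, 20):
        print(b, "bits:", summary(b))
```

For a 20-bit password the unprotected figure is the quote's 24 days, but with the assumed lockout the same guess space takes roughly twelve years, which is why the missing protection, not just the weak password, is the finding that matters.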
According to AppBugs, up to 600 million smartphone users could be affected by this security oversight. Despite the researchers responsibly disclosing the vulnerability to the app makers and allowing them 90 days to fix it, popular apps like CNN, Expedia, and Zillow still had not corrected the issue as of September 14th, according to the status listed on the AppBugs site.
Until those apps fix the issue, you can increase your own security by generating new passwords with LastPass. Run the LastPass Security Challenge (from the LastPass browser extension, open the Tools menu and launch the Security Check) to identify which sites have old, weak, or re-used passwords. Auto-Password Change will help you replace many of those passwords in one click, and any others can be replaced with the LastPass password generator.
By using strong, different passwords for every app and web account, you’re taking a simple but very effective step in protecting yourself online.