This List Of 2014’s Worst Passwords, Including ‘123456,’ Is Embarrassing

The year of 2014, in many respects, was all about digital security. It wasn’t just tech pundits or early adopters who were victimized – Snapchat, Target, and Sony Entertainment all showed us that no one is immune. And don’t get me started on the NSA. It’s our responsibility as internet explorers to protect ourselves. But according to SplashData’s yearly list of the worst passwords on the internet (compiled from more than 3 million leaked passwords from 2014), we are kind of lazy about the whole “digital security” thing. At least when it comes to properly locking the gates with a strong password.
Just take a look at the full list:
1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
16. mustang
17. access
18. shadow
19. master
20. michael
21. superman
22. 696969
23. 123123
24. batman
25. trustno1
Last year, ‘password’ topped the list so I guess we can find some small progress in the fact that most people are literally just typing integers as their passwords as opposed to robotically typing in literally the worst password you could ever use. Heck, we’re even using ‘dragon,’ a symbol of strength and fiery vengeance that is, sadly, also a horrible password.
There are easy ways to handle the problem of passwords. And the blame is not entirely on you — the whole password system is flawed and messy. But there are easy steps you can take to be more secure. One is using password management software to ensure that your passwords are strong enough, updated, and securely locked down and in a place you can find them.
For folks who can’t be bothered to take that step, you can still do more. Even if your password isn’t entirely random and disconnected from you personally (which is best), you can still choose your same obvious passwords and spruce them up a bit.
You can use the placement of keys on a keyboard to do this — for example, folks who use ‘123456’ or ‘qwerty’ can simply jumble those together based on the keys, making something like ‘q1w2e3r4t5’. Want to make it easier? Take something you’ll remember: “My uncle lives in Kansas” and make it your password “MyUncleLivesInKansas” and add his street address: “MyUncleLivesInKansas207.” These long, complex passwords are actually quite difficult to hack and are easy to remember. While these won’t stop great hackers from getting into your stuff, at least you’ll be taking steps to get out of the top 
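
Seen from the service side, the list above can be used as a sign-up blocklist. The following is an added example, not code from the article or from SplashData: it rejects the 25 listed passwords and lightly decorated variants of them. The function name `screen`, the 8-character minimum and the substitution table are assumptions made for this example.

```python
import re

# The 25 entries of the 2014 list quoted above.
WORST_2014 = frozenset(
    "123456 password 12345 12345678 qwerty 123456789 1234 baseball dragon "
    "football 1234567 monkey letmein abc123 111111 mustang access shadow "
    "master michael superman 696969 123123 batman trustno1".split()
)

# Common character substitutions undone before the lookup (assumed table).
LEET = str.maketrans("0134578@$!", "oieastbasi")

# Digits and symbols tacked onto the front or back of a word.
DECORATION = re.compile(r"^[\W\d_]+|[\W\d_]+$")

DIGIT_RUN = "01234567890"


def screen(password, min_len=8):
    """Return the reasons a candidate password is rejected (empty list = accepted).

    min_len=8 is an assumed policy value, not something the article states.
    """
    reasons = []
    low = password.lower()
    core = DECORATION.sub("", low)  # "dragon2014" -> "dragon"
    # Compare the raw form, the undecorated form, and both with substitutions undone.
    forms = {low, core, low.translate(LEET), core.translate(LEET)}
    hits = forms & WORST_2014

    if len(password) < min_len:
        reasons.append("too short")
    if hits:
        reasons.append("blocklisted: " + sorted(hits)[0])
    # Pure digit strings that are an ascending run or one repeated digit.
    if low.isdigit() and (low in DIGIT_RUN or len(set(low)) == 1):
        reasons.append("digit run or repeat")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["123456", "P@ssw0rd1!", "Dragon2014", "MyUncleLivesInKansas207"]:
        print(f"{candidate!r}: {screen(candidate) or 'accepted'}")
```
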

Microsoft Outlook Hacked In China, New Report Finds

Only a few weeks after Google’s Gmail service was blocked in China, a new report from online censorship monitoring organization released this morning states that Microsoft’s email system Outlook was recently subjected to a “man-in-the-middle” attack in China. This is a form of eavesdropping where the attacker inserts himself in between the victims’ connections, relaying messages between them while the victims continue to believe they have a secure, private connection. Meanwhile, the attacker is able to read all the content they’re sharing. was able to verify the attack itself, after receiving reports of its existence on January 17. It noted that IMAP and SMTP for Outlook were affected, but the web interfaces for Microsoft’s webmail services were not. (That is, and were not affected).
The attack continued for about a day, and has since stopped, the report states.
Affected users were shown warning messages in their email clients that weren’t as immediately worrisome as those web browsers display, which means that some users may not have been aware that an attack was taking place. For example, in an example screenshot posted, an iPhone warning message says “Cannot Verify Server Identity,” but asks if the user wants to continue anyway. However, when reproduced the same result via the Firefox web browser, the message the browser offers is far more detailed, saying also that the error could mean “that someone is trying to impersonate the site, and you shouldn’t continue.”

During this attack, users would only see the pop-up warning when their email client tried to automatically retrieve new messages. In most cases, they would simply hit “continue” to dismiss the message, likely thinking that a network problem was to blame. But by doing so, their emails, contacts and passwords were able to be logged by the hacker.
The self-signed certificate is suspected to be from CNNIC (China Internet Network Information Center), which is governed by the Cyberspace Administration of China, as this would be consistent with previous man-in-the-middle (MITM) attacks in China.
“Given the dangerous nature of this attack on Outlook, we again strongly encourage organizations, including Microsoft and Apple, to immediately revoke trust for the CNNIC certificate authority,” says
Below: What happens when a Chinese user accesses Outlook in their email client: 

The attack comes within a month of China blocking Gmail, which despite a slight recovery, is still inaccessible in China. It’s also one of many recent MITM attacks in China, including those affecting services from Google, Yahoo, and Apple in the past.
“We once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack or have willingly allowed the attack to happen,” writes in its report. “If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor.”
We’ve reached out to Microsoft for comment on this attack, and will update if they offer a response.

ISIS “Cyber Caliphate” Hacks U.S. Military Command Accounts

The Cyber Caliphate, a hacker group claiming association with terrorist group ISIS, today seized control of the @CENTCOM Twitter and YouTube accounts that represent U.S. central military command.
The hackers tweeted a Pastebin message titled “Pentagon networks hacked. AMERICAN SOLDIERS WE ARE COMING, WATCH YOUR BACK. ISIS. #CyberCaliphate”. The message includes links to supposedly confidential US Army files, though there’s indication that some of these files may have previously been made public or aren’t highly confidential.
Even if only the CENTCOM social accounts were compromised, it shows the sorry state of cybersecurity in the US government. And if the hackers were able to access confidential documents, it could show that ISIS is a more formidable cyber-opponent than some expected.