Posted At : Mar 11, 2010 14:42 PM | Posted By : Ed Tabara
Related Categories: Security

According to Imperva:

In December 2009, a major password breach occurred that led to the release of 32 million passwords. Further, the hacker posted to the Internet the full list of the 32 million passwords (with no other identifiable information). Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine.

The Imperva Application Defense Center (ADC) analyzed the strength of the passwords, and here is what they found:
  • About 30% of users chose passwords of six characters or fewer.
  • Moreover, almost 60% of users chose their passwords from a limited set of alphanumeric characters.
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is "123456".

NASA provides the following recommendations for strong password selection:
  1. It should contain at least eight characters.
  2. It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password.
  3. It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.

After analyzing those more than 32 million exposed passwords, Imperva came to the following conclusion:
Almost all of the 5,000 most popular passwords, which are used by 20% of the users, were just that: names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).

Below are the 20 most common passwords in the leaked database:

Rank  Password   Users with this password
   1  123456     290731
   2  12345      79078
   3  123456789  76790
   4  Password   61958
   5  iloveyou   51622
   6  princess   35231
   7  rockyou    22588
   8  1234567    21726
   9  12345678   20553
  10  abc123     17542
  11  Nicole     17168
  12  Daniel     16409
  13  babygirl   16094
  14  monkey     15294
  15  Jessica    15162
  16  Lovely     14950
  17  michael    14898
  18  Ashley     14329
  19  654321     13984
  20  Qwerty     13856
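The NASA rules and the top-20 list above, turned into a policy check. This is an added example, not code from the post or from Imperva; the blocklist is copied from the table, and the name and e-mail parameters are my addition so the "no part of your name or e-mail" rule can be tested.

```python
import re
import string

# Constructed "dictionary": the 20 most common RockYou passwords listed in the post.
ROCKYOU_TOP20 = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty",
}
SPECIALS = set(string.punctuation)  # covers the post's !@#$%^&*,;"


def identity_tokens(name, email):
    """Pieces (3+ chars) of the name and e-mail local part that rule 3 forbids."""
    local_part = email.split("@", 1)[0]
    tokens = re.split(r"[^A-Za-z0-9]+", name + " " + local_part)
    return {t.lower() for t in tokens if len(t) >= 3}


def check_password(password, name="", email=""):
    """Return the list of NASA rules the password violates; [] means it passes."""
    failures = []
    # Rule 1: at least eight characters.
    if len(password) < 8:
        failures.append("rule 1: shorter than eight characters")
    # Rule 2: upper case, lower case, digits and special characters all present ...
    present = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    missing = [kind for kind, ok in present.items() if not ok]
    if missing:
        failures.append("rule 2: missing " + ", ".join(missing))
    # ... and a lone letter or lone special character may not be first or last.
    for label, members in (("letter", set(string.ascii_letters)), ("special", SPECIALS)):
        positions = [i for i, c in enumerate(password) if c in members]
        if len(positions) == 1 and positions[0] in (0, len(password) - 1):
            failures.append(f"rule 2: the only {label} is the first or last character")
    # Rule 3: not a common/dictionary password and no part of the name or e-mail.
    lowered = password.lower()
    if lowered in ROCKYOU_TOP20:
        failures.append("rule 3: one of the 20 most common RockYou passwords")
    leaked = sorted(t for t in identity_tokens(name, email) if t in lowered)
    if leaked:
        failures.append("rule 3: contains part of name or e-mail: " + ", ".join(leaked))
    return failures
```

Schneier's "tlpWENT2m" from the recommendations below passes the length and dictionary checks but fails NASA's rule 2, since it has no special character.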

And finally, here are the recommendations.

  • USERS
    1. Choose a strong password for sites where you care about the privacy of the information you store there. Bruce Schneier's advice is useful: "take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary."
    2. Use a different password for every site, even for the ones where privacy isn't an issue. To help remember the passwords, again, following Bruce Schneier's advice is recommended: "If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence."
    3. Never trust a third party with your important passwords (webmail, banking, medical, etc.).

  • ADMINISTRATORS
    1. Enforce a strong password policy: if you give users a choice, they are very likely to choose weak passwords.
    2. Make sure passwords are not transmitted in clear text. Always use HTTPS for login.
    3. Make sure passwords are not kept in clear text. Always hash (digest) passwords before storing them in the DB.
    4. Employ aggressive anti-brute-force mechanisms to detect and mitigate brute-force attacks on login credentials. Make these attacks too slow for any practical purpose, even for shorter passwords. Actively put obstacles in the way of a brute-force attacker, such as CAPTCHAs, computational challenges, etc.
    5. Employ a password change policy, triggered either by time or when a compromise is suspected.
    6. Allow and encourage passphrases instead of passwords. Although sentences are longer, they can be easier to remember, and the added characters make them harder to break.


What are your, or your company's, policies on this question?
Please share your thoughts and experience.



Posted At : Mar 08, 2010 17:01 PM | Posted By : Ed Tabara
Related Categories: Other

I just want to congratulate ALL women on 8 March, International Women's Day.
This is not celebrated in most of the world, but here we love our women very much and, at least on this day, try to do everything possible to make them happy.




Posted At : Mar 08, 2010 12:16 PM | Posted By : Ed Tabara
Related Categories: Other, Fun

First of all, here are the 2010 Academy Awards winners, alongside the picks of the experts and of Yahoo! users:

Nomination | Winner | Y! Users | Expert Pick
Best Picture | The Hurt Locker | Avatar | The Hurt Locker
Best Director | Kathryn Bigelow - The Hurt Locker | James Cameron - Avatar | Kathryn Bigelow - The Hurt Locker
Best Actor | Jeff Bridges - Crazy Heart | Jeff Bridges - Crazy Heart | Jeff Bridges - Crazy Heart
Best Actress | Sandra Bullock - The Blind Side | Sandra Bullock - The Blind Side | Sandra Bullock - The Blind Side
Best Supporting Actor | Christoph Waltz - Inglourious Basterds | Christoph Waltz - Inglourious Basterds | Christoph Waltz - Inglourious Basterds
Best Supporting Actress | Mo'Nique - Precious | Mo'Nique - Precious | Mo'Nique - Precious
Best Original Screenplay | The Hurt Locker | Inglourious Basterds | The Hurt Locker
Best Adapted Screenplay | Precious | Precious | Up in the Air
Best Animated Feature | Disney/Pixar's Up | Disney/Pixar's Up | Disney/Pixar's Up
Best Foreign Language Film | El Secreto De Sus Ojos | The White Ribbon | The White Ribbon
Best Documentary Feature | The Cove | The Cove | The Cove
Best Animated Short | Logorama | French Roast | French Roast
Best Documentary Short | Music by Prudence | China's Unnatural Disaster: The Tears of Sichuan Province | Music by Prudence
Best Art Direction | Avatar | Avatar | Nine
Best Cinematography | Avatar | Avatar | Avatar
Best Costume Design | The Young Victoria | Nine | Nine
Best Film Editing | The Hurt Locker | Avatar | District 9
Best Live Action Short | The New Tenants | Miracle Fish | The New Tenants
Best Original Score | Disney/Pixar's Up | Avatar | Disney/Pixar's Up
Best Original Song | "The Weary Kind" - Crazy Heart | "Take It All" - Nine | "The Weary Kind" - Crazy Heart
Best Makeup | Star Trek | Star Trek | Star Trek
Best Visual Effects | Avatar | Avatar | Avatar
Best Sound Editing | The Hurt Locker | Avatar | Disney/Pixar's Up
Best Sound Mixing | The Hurt Locker | Avatar | Avatar

Now let's get some stats from this:
      All 3 results are the same: 9 of 24
      Y! Users right, Experts wrong: 2 of 24
      Experts right, Y! Users wrong: 7 of 24
      Y! Users and Experts had the same answer, but the wrong one: 4 of 24
      Y! Users and Experts had different answers and both were wrong: 2 of 24

So, what do these results tell us? Mmm, nothing much, I guess, except that neither the community nor the experts can be considered a reliable source of the final results.



Posted At : Mar 02, 2010 19:09 PM | Posted By : Ed Tabara
Related Categories: Fun

A new BUZZ is knocking at our doors, that being ChatRoulette. The site appeared around November 2009 and is getting more and more popular each day. Even big media such as Yahoo are starting to "see" it, with their article from yesterday (I think).
Is it going to be the next BIG thing, or will interest in it fade very soon, so that in a month or two no one will even remember it? I don't know. I also don't know if this is something that will have its say in tomorrow's internet. Or is this just something ridiculous? Or just crazy?

What do YOU think about it?



Posted At : Feb 18, 2010 17:49 PM | Posted By : Ed Tabara
Related Categories: ColdFusion, My Projects

ColdFusion is at version 9 already, but we still seem to have problems where I would have believed everything had been working nicely for years. I'm talking about the CFHTTP tag here.
Yesterday I had to write a script for a client that would
  1. connect to a site
  2. log in
  3. move to another internal page from which data should be taken

So what would the usual process be in such a case?
  1. make a CFHTTP request
  2. using the cookies from the previous step, if any exist, make the CFHTTP call with the login credentials
  3. using the cookies from the previous step (the session cookies should be present here), make the CFHTTP call to the internal page
  4. do with the data whatever you need
Sometimes step 1 may not be needed.

Everything looks fine so far and in most cases works as it should, but NOT every time. Sometimes on step 3, instead of going to the internal page, it "loses the session" and as a result you get the login page instead. This is exactly what happened to me for this particular client. I have no idea what the problem is, but I remember such an issue even back in 2003. I tried everything I could think of: passing cookies in CFHTTPPARAMs, putting the header with the cookies and everything else in the USERAGENT parameter of CFHTTP (yes, this one looks a bit weird, but I remember it solving the problem for some sites within the last 7-8 years). Nothing helped. Then I tried CFX_HTTP, which I was using years ago in such situations, and of course everything worked great.

So the question is - WHAT THE HECK?!
After so many years, should we still have such problems with CFHTTP? Weird.

For this particular client it happened to be a 64-bit system, so instead of CFX_HTTP I had to rewrite the script to use CFX_HTTP5. But this doesn't change the fact that it wasn't possible to do it with CFHTTP itself. Googling for solutions from others' experience didn't help. So I thought: if ColdFusion is Java, why not try a Java solution?
Another half day of googling, trying and testing, and I had created a function that not only does an HTTP GET but also works fine for the situation described above. It's far from universal, but it worked well for my situation. So if anyone needs it, here is the code:
<cffunction name="makeHTTPRequest" output="no" returntype="struct">
   <cfargument name="requestURL" required="Yes" type="string">
   <cfargument name="requestCookies" required="No" type="string" default="">

   <!--- every local is var-scoped so nothing leaks into the VARIABLES scope between calls --->
   <cfset var result = StructNew()>
   <cfset var i = 1>
   <cfset var urlConnection = createObject("java", "java.net.URL").init(arguments.requestURL).openConnection()>
   <cfset var inputReader = "">
   <cfset var bufferedReader = "">
   <cfset var headerName = "">
   <cfset var headerValue = "">
   <cfset var line = "">
   <cfset var lineCheck = false>

   <!--- replay the cookies collected from a previous response, if the caller passed any --->
   <cfif Len(arguments.requestCookies)>
      <cfset urlConnection.setRequestProperty("Cookie", arguments.requestCookies)>
   </cfif>
   <!--- note: HttpURLConnection follows redirects by itself, so Set-Cookie headers sent on an
         intermediate 302 are not visible below; call urlConnection.setInstanceFollowRedirects(false)
         before connect() if you need to see them --->
   <cfset urlConnection.connect()>

   <!--- getInputStream() throws a java.io.IOException on 4xx/5xx responses; wrap in cftry if needed --->
   <cfset inputReader = createObject("java", "java.io.InputStreamReader").init(urlConnection.getInputStream())>
   <cfset bufferedReader = createObject("java", "java.io.BufferedReader").init(inputReader)>

   <cfset result.headers = "">
   <cfset result.headerNoCookie = "">
   <cfset result.cookies = "">
   <cfset result.content = "">

   <cfscript>
      // Walk the response headers by index. Index 0 is the status line (its key is null),
      // so start at 1; getHeaderFieldKey() returns null once the headers are exhausted.
      // ColdFusion destroys a variable that is assigned a Java null, hence the IsDefined() test.
      do
      {
         headerName = urlConnection.getHeaderFieldKey(i);
         lineCheck = IsDefined("headerName");
         if (lineCheck)
         {
            headerValue = urlConnection.getHeaderField(i);
            result.headers = ListAppend(result.headers, headerName & "=" & headerValue, "|");
            // header names are case-insensitive, so do not rely on the exact spelling "Set-Cookie"
            if (CompareNoCase(headerName, "Set-Cookie") EQ 0)
            {
               // keep only the name=value pair; attributes such as Path and Expires are dropped
               result.cookies = result.cookies & ListGetAt(headerValue, 1, ";") & "; ";
            }
            else
            {
               result.headerNoCookie = ListAppend(result.headerNoCookie, headerName & "=" & headerValue, "|");
            }
         }
         i = i + 1;
      } while (lineCheck);

      // Read the body line by line; readLine() returns null at end of stream.
      // Re-add the line break that readLine() strips so the lines are not run together.
      do
      {
         line = bufferedReader.readLine();
         lineCheck = IsDefined("line");
         if (lineCheck)
         {
            result.content = result.content & line & Chr(10);
         }
      } while (lineCheck);
      bufferedReader.close();
   </cfscript>

   <cfreturn result>
</cffunction>

It takes as input the URL and, optionally, a string of cookies, and returns a structure with four keys: headers, headerNoCookie, cookies and content.

And here is a usage example:
<!--- make the first request to firstURL with the login credentials --->
<cfset firstCall = makeHTTPRequest(firstURL)>
<!--- make the second request to secondURL using the cookies from the first request --->
<cfset secondCall = makeHTTPRequest(secondURL, firstCall.cookies)>

Hope it will help somebody.

HAPPY CODING !!!

P.S.: If anyone wants to comment on it, please do so.



Posted At : Feb 11, 2010 16:29 PM | Posted By : Ed Tabara
Related Categories: Other

You already like Google Buzz? Don't get excited so easily. Check this out.



Posted At : Feb 08, 2010 23:14 PM | Posted By : Ed Tabara
Related Categories: ColdFusion

So ColdFusion is definitely not dead. If you need further proof of that, you can check out isColdFusiondead.com, where we have a lot of detailed information about that question. But no, it's a funny thing that we hear, you know, every couple of years ColdFusion shifted from companies, from starting at Allaire to Macromedia to Adobe and any time that sort of happens, there's always this "What's going to happen?" sort of thing.

But no, thankfully Adobe is really, really helping ColdFusion and it's really starting to blossom, what we're seeing is what we're calling like a "ColdFusion Renaissance." In the last few years, the ColdFusion community has almost tripled in size, going from about 250,000 developers about four or five years ago to about 800,000 developers today.

We're anticipating even getting close to a million developers worldwide, hopefully maybe by sometime next year. We've really increased how many companies are using ColdFusion, as well. So 75 of the top Fortune 100 companies are running ColdFusion. About 12,000 companies worldwide have ColdFusion installed for internal applications and public websites development.

Check the full interview here.
