Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Passwords May Be Weakest Link

CmdrTaco posted more than 12 years ago | from the no-shock-there dept.

Security 529

blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"

Sorry! There are no comments related to the filter you selected.

Sarah! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3566174)

Kiss Gizmo for me!

Moderate this!!!!!! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3566179)

Weeeee! roflmao I like cheese

Very good analysis. (5, Funny)

tshak (173364) | more than 12 years ago | (#3566181)

Passwords May Be Weakest Link

And in other news, "The Earth May Not Be Flat".

Re:Very good analysis. (2, Interesting)

Spazzz (577014) | more than 12 years ago | (#3566200)

Agreed! What good does the latest, greatest super-whizbang password hashing scheme do when users pick easily guessed usernames? I used to work for a dialup ISP who had approximately 10,000 entries in /etc/passwd. Just for the heck of it not long after I started working there, I ran Crack against it, and in a matter of about 30 minutes I had myself a nice little list of about 1,500 passwords. -J

Re:Very good analysis. (0)

Anonymous Coward | more than 12 years ago | (#3566207)

Our company do enforce passwords to have certain characteristics and have them expire regularly.
Unfortunately their suggested style does not always work on all the systems that we are accessing. It is a pain in the buck to come up with one after 10 different iteration and still remember the new and old password to get the darn thing to work. Worse of all, these procedure has to be repeated quite often. :(

Re:Very good analysis. (3, Funny)

pacman on prozac (448607) | more than 12 years ago | (#3566237)

A conflicting article at the Center for Stating the Bloody Obvious this week stated that infact:

Humans are the weakest link. Without them there would be no need for passwords.

Re:Very good analysis. (1)

kirn_malinus (159763) | more than 12 years ago | (#3566246)

thanks for saying this. i thought it was commonly known that passwords were the weakest link in computer security....

i can't even troll right (0, Funny)

Anonymous Cowrad (571322) | more than 12 years ago | (#3566188)

damnit

Did somebody say... (0, Funny)

Anonymous Coward | more than 12 years ago | (#3566189)

Passwords, you are the weakest link... Goodbye!

Re:Did somebody say... (1)

beebware (149208) | more than 12 years ago | (#3566233)

Whose password is weaker than water? Whose access rights have been abused? Whose login allowed the servers to be 0wn3d? Silly users, you are the weakest link - Goodbye!
Ok, bit lame, but I've just wanted to do a "Whose..." bit for days now :). But honestly, who didn't suspect that user-end security would be the weakest part: 9 times out of 10 you probably don't need to run a crack program, you'll be amazed at how many people will willingly give you their login name and password!

The problem with forced passwords: (2, Insightful)

Anonymous Coward | more than 12 years ago | (#3566190)

If you know the methods of forced passwords you can write a program around them. All of a sudden not only do you have a ton of passwords that are unnacceptable, you can predict patterns of tricks people will use to fool the force password picker into letting them choose an easy to remember password.

The problem with strong passwords... (3, Insightful)

Anonymous Coward | more than 12 years ago | (#3566191)

...people will write them down.
Preferrably on post-it notes and stuck to the keyboard or the screen.

I have seen it all.

Re:The problem with strong passwords... (2, Funny)

blacksmith (42129) | more than 12 years ago | (#3566271)

...people will write them down. Preferrably on post-it notes and stuck to the keyboard or the screen.

But that's not always a problem. In some situations, where outsiders don't wander round offices, this can be a good technique. If the office is "secure", writing down passwords is fine. This can certainly be put to good effect in the home.

Post-its stuck to monitors might not be the best place to write them down, I grant you.

Well DUH! (0)

Anonymous Coward | more than 12 years ago | (#3566196)

Based on the number of hit's I'm getting from the
current rampage of SQLsnake, this is a very astute observation.

Obvious (5, Interesting)

aridhol (112307) | more than 12 years ago | (#3566198)

Did anybody think that passwords wouldn't be the weakest link in security? Remember that, in general, "easy-to-remember" and "secure" are mutually exclusive. And if we forgo "easy-to-remember" for "secure", we will have people writing their passwords on a piece of paper on their desk. There's security for you.

Not neccessarily (3, Insightful)

enkidu (13673) | more than 12 years ago | (#3566296)

For instance: How about the first letters of phrases mixed in with numbers and symbols? "Tis not too late to seek a newer world" becomes "Tnt82saNW" which ain't gonna come up in any matching scheme. Or my sig "There is no trap so deadly as the trap you set for yourself" becomes "T1ntsDa%tys4y". Of course, none of these examples fit the 8 char limit (which personally I think we need to increase. Computers will become fast enough to brute force even totally random 8 char strings, but that's not the point of this post) but I'm sure you get the point.

Now "dictionary word" -> "easy to remember" -> "insecure" but that doesn't imply "insecure" -> "easy to remember". Far from it in my opinion.

EnkiduEOT

Not to mention... (1)

Black Aardvark House (541204) | more than 12 years ago | (#3566201)

...the potentially costly consequences [slashdot.org] of weak or non-existant passwords.

There is a reason that passwords exist. It's for security and yes, privacy. The same privacy that most people complain about being invaded.

Think about your privacy when coming up with your next password.

I've heard this before... (3, Insightful)

vicviper (140480) | more than 12 years ago | (#3566202)

Sounds like they put a password cracking utility against the NT sam file. The thing is that if your security is done right, you should at least need the Administrator password to access that file, no?

Re:I've heard this before... (2, Informative)

janda (572221) | more than 12 years ago | (#3566261)

One word - SQLSnake

The fact that you need "x" access in order to get to the password file is no protection against the password file being stolen and cracked.

Re:I've heard this before... (2)

Bazman (4849) | more than 12 years ago | (#3566340)

Or on unix, they got /etc/shadow, which you'd normally need root privs to read anyway. That's why crypted pws are stored in /etc/shadow...

However, hacked user passwords are useful if they give you user-level access to another system, since then you can use a non-remote root exploit to get root.

Baz

just one problem (2, Funny)

mpweasel (539631) | more than 12 years ago | (#3566203)

...secure passwords are usually difficult to remember. Thus users tend to use the month (05 for may, etc) for the mandatory digits, and sometimes cusswords to vent their frustration at the secure password policy. Also, it's not too difficult to find sticky notes with obscure strings a la "h0tgr1tz99" stuck on people's monitors. Hmmmm, wonder what that could mean?

Sources: interviews and sticky notes on monitors

--
martin

guess my password (-1)

neal n bob (531011) | more than 12 years ago | (#3566236)

Tom T. Hall is in your head, and he is gonna take a dump on your medula oblongata.

Boys and girls take warning, if you go near the lake
Keep your eyes wide open, and look for Sneaky Snake
Now maybe you won't see him, maybe you won't hear
But he'll sneak up behind you, and drink all your root beer

And then Sneaky Snake goes dancin', wigglin' and a-hissin'
Sneaky Snake goes dancin', gigglin' and a-kissin'
I don't like old Sneaky Snake; he laughs too much you see
When he goes wigglin' through the grass, it tickles his underneath

Well, Sneaky Snake drinks root beer, and he just makes me sick
When he is not dancin', he looks just like a stick
Now, he doesn't have any arms or legs, you cannot see his ears
And while we are not lookin', he's stealin' all of our beer

And then Sneaky Snake goes dancin', wigglin' and a-hissin'
Sneaky Snake goes dancin', gigglin' and a-kissin'
I don't like old Sneaky Snake; he laughs too much you see
When he goes wigglin' through the grass, it tickles his underneath

Re:just one problem (3, Funny)

Waffle Iron (339739) | more than 12 years ago | (#3566260)

Also, it's not too difficult to find sticky notes with obscure strings a la "h0tgr1tz99" stuck on people's monitors. Hmmmm, wonder what that could mean?

It's probably their /. username...

Microsoft password files... (5, Interesting)

antirename (556799) | more than 12 years ago | (#3566205)

Are especially vulnerable when bonehead admins let you remotely dump the registry. I've seen that one a couple of times. They don't let the users change the time or date on their machine, but the users can dump the registry on the servers. One company told me that "of course, we know that could be a problem, but the users are'nt going to know how to exploit it". One of the dumbest examples of security by obscurity that I've ever seen.

Netware makes us change... (3, Funny)

Kiaser Zohsay (20134) | more than 12 years ago | (#3566208)

...every 39 days, and it remembers an ungodly number of old ones, so you can't recycle. I don't have enough kids to come up with that many passwords.

Re:Netware makes us change... (3, Funny)

TeamSPAM (166583) | more than 12 years ago | (#3566319)

...I don't have enough kids to come up with that many passwords.

You must not be Catholic. >;-)

Re:Netware makes us change... (1)

jratcliffe (208809) | more than 12 years ago | (#3566334)

That's the danger, seriously. There's a clear tradeoff here: if software is too restrictive in what it will allow for a password (i.e. frequent changes, very complex passwords with no actual words, etc.), then the average user will give up trying to remember them, and start to write them down. You'll trade a situation where, by dedicating a lot of processing power to the task, you'll be able to crack some passwords, to one where every second keyboard has a Post-It stuck to the underside with this month's password. \

Not a problem. (2)

Kenja (541830) | more than 12 years ago | (#3566209)

I had my password tattooed on my forehead so I'll never forget it. Its much better then using a slip of paper that can get lost or stolen.

However not everything is rosy. Its a pain to remember to bring a mirror with me all the time and reading mirrored letters can cause eye strain.

Ask a stupid question (2)

los furtive (232491) | more than 12 years ago | (#3566210)

Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?

IBM for one. Sure it's a pain keeping track of them all, but weak minds are no excuse for lack security.

Re:Ask a stupid question (0)

p4ul13 (560810) | more than 12 years ago | (#3566331)

At my company, I have IDs on 30 or so different servers that my group is directly responsible for. Many of them have different methods for connecting and gaining access, so that means we have IDs for our systems as well as the passtrough systems. Next we have 5 or so different problem management and ticketing systems to track them all. On top of that we have client systems that connect to our servers, each supporting very roughly 50 clients.

Ok, so we know the problem: too many systems and IDs for a person to track. What then is the solution?? Fingerprint readers for all? Retinal scanners? Integrate a central Identification scheme that any of the different environments can tie into?

Thoughts?

Two things you might want to do: (2, Interesting)

Wumpus (9548) | more than 12 years ago | (#3566211)

1. Have a program generate a random password for you.
2. Write it down on a card, and put it in your wallet. Treat it like your credit card number - you wouldn't post that on your monitor, would you?

Re:Two things you might want to do: (1)

e2d2 (115622) | more than 12 years ago | (#3566309)

I try this method myself with a little card in my wallet I use as a cheat sheet. I was actually thinking of purchasing this personal password mananger to handle all of my different passwords across systems:

http://www.thinkgeek.com/stuff/gadgets/5a60.shtm l

It would help me to keep from repeating passwords across systems just because they are asy for me to remember.

Re:Two things you might want to do: (0)

Anonymous Coward | more than 12 years ago | (#3566311)

Better would be to write most of it on the card and remember a small portion of it.

(To stick with the credit card analogy, you don't write your PIN on your credit card.)

people dont care (5, Interesting)

digitalsushi (137809) | more than 12 years ago | (#3566212)

They dont. They wonder why their websites get hacked. It's cause they INSIST on having HORRIBLE passwords. I know, I know, the counter argument is "so stop being a wuss and enforce a better password policy". Two things. The customer is always right, even when they're blatantly wrong. Second, is that a small call center can't battle today's new Internet user's unwillingness to accept that the Romanized alphabet has two cases, that a 1 is not an I, and well.. a lot of you know what I mean.

So customers don't care. Then some kid tries their URL as the password or whatever and gets in. And the site goes down. The customer calls in and we tell them what the deal is. Restore the website, and suggest they choose a stronger password this time around. *sigh*

But it doesnt matter. It's not one of those "change the settings" things. As long as people can pick their passwords, passwords are going to suck, and people will gain access they dont deserve. Period. Always, Always, Always.

Re:people dont care (1)

alouts (446764) | more than 12 years ago | (#3566284)

But is it really the "new internet users" of the world that have access enough to bring down systems? Sure, your customers may be boneheads, and you're not going to get them to create tough passwords, but if every customer in the system has enough power to take down your whole infrastructure, you have some problems well beyond password guessing. If someone can guess my admittedly weak slashdot password and use my account to bring down the entire site, that's not because I'm an idiot for choosing something easy to guess, it's because the site's infrastructure sucks ass.

Only the tech staff should have enough access to systems to cause any real damage, and they should absolutely be told to put up or shut up when it comes to secure passwords.

Tongue in Cheek (0)

Anonymous Coward | more than 12 years ago | (#3566213)



My password is generally: ButtBlower

Old News? (1)

Torgo's Pizza (547926) | more than 12 years ago | (#3566214)

Is Slashdot just recycling old news today or is it just me? Duh, a poor password just invites trouble. Any good admin knows that. So why is this news for nerds?

Also, when are people going to catch on that ZDNet and C|NET are the same thing and feature the same content? [com.com]

soon (1)

jck9626 (578944) | more than 12 years ago | (#3566307)

... and some day Mr. Ziff Davis will own the world! woot woot

Answer: Microsoft (1, Interesting)

Anonymous Coward | more than 12 years ago | (#3566215)

8 characters.
Upper and lower case.
Numbers
Symbols
Must change every 60 days.

...and it's enforced.

Here's the problem with that: (5, Interesting)

AMuse (121806) | more than 12 years ago | (#3566216)

My company is a service based company. We're a group of professional sysadmins who contract to large customers to take over network and SysAdmin duties. We are also responsible for security of our systems.

The problem with password policy enforcement is that users want weak passwords. Ordinarily this is no problem, since security often trumps user needs.

However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.

It seems like we're caught between a rock and a hard place here, but since our customers are all senior civil servants, what're we to do? The more we enforce strong passwords, the closer they'll get to looking for someone who won't be so picky.

Put that in the contract next time. (0)

Anonymous Coward | more than 12 years ago | (#3566322)

Maybe that will solve your problem.

Re:Here's the problem with that: (5, Interesting)

Waffle Iron (339739) | more than 12 years ago | (#3566343)

However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement.

I wonder if holding something like a "password cracker demo meeting" would help. Set up a test machine, let everyone enter a password of their choice, then run crack or similar on the password file. Let people watch as the program guesses their passwords and spits them out. Maybe give a prize to the best/worst passwords. It might get people to understand the problem and help them become more interested in solving it.

Password change policies are just annoying (0)

Anonymous Coward | more than 12 years ago | (#3566217)

But they need to use intelligent password change policies... I hate having to change my password every thirty days... I even wrote a program that would automatically change my password 30 times and then change it back to what it was originally just to get around this.

No one is going to break my password with a cracker and if someone uses a sniffer and picks it up then the company is in trouble anyway so a password change policy is just an annoyance... in fact it is probably a security flaw as people will begin to just write their password on postit notes.

Nothing shocking... (0)

Anonymous Coward | more than 12 years ago | (#3566218)

it's just another article that proves that many people have shit for brains and should not be allowed anywhere near a computer.

Password are not the weakest link (3, Insightful)

Raleel (30913) | more than 12 years ago | (#3566219)

Users are the weakest link. Always has been. The user chose the password.

Re:Password are not the weakest link (0)

Anonymous Coward | more than 12 years ago | (#3566270)

Is this supposed to be astute?

Is your girlfriend really that ugly?

Re:Password are not the weakest link (1)

MagnaMark (468484) | more than 12 years ago | (#3566282)

In that case, there's only one solution. We'll have to do away with users.

Or maybe, just maybe, this could be a case for genetic engineering. Scientists can identify the dumb password gene, DPW12, and replace it with something from a banana that will somehow make future users pick good passwords.

Password Recycling (1)

tSade (29856) | more than 12 years ago | (#3566222)

In my opinion, I think that a good, secure password is a good approach, but forcing someone to change it every 15, 30, or even 60 days sort of defeats the purpose. Too many people can't remember 10 digit passwords with a minimum of 2 numbers and/or special characters. After a while, they start picking something somewhat secure and taking on numbers or random garbage in the middle or end. For those sites that require X characters change, they just use the same X+1 number of passwords, to get around the system.

I would rather see a good policy on creating a password (including automated password cracking) and let them keep it for an extended time. In sites where password snooping is important (not as many as needing a secure password), then it should be rotated, but someone snooping the password isn't going to wait 15 days before using it, they are going to use it in about... say... 10 minutes, or that night.

Give a good password (10-15 characters with all those extras that people seem to think is important) and let them keep it. Let them use the same password on multiple machines, but don't expire it as often as possible. It just makes more insecure passwords because they don't want to remember as many damn passwords that keep changing every 5 hours and require everything to be different.

Yes, I have a lot of passwords. More than I need, but that is a different issue.

Yeah, we got strong passwords for what it's worth (1)

jlower (174474) | more than 12 years ago | (#3566224)

Our company requires strong passwords, changed every 45 days. I suspect that there are a lot of cubicles scattered around where you could find passwords jotted on a scap of paper placed under keyboards, in desk drawers, etc.

What would be cool, since we all have to wear (stinking) badges anyway, would be to have a card reader at each workstation and use the badge. Probably cost-prohibitive but it would make life a lot simpler.

How long have we known this? (1)

Marty200 (170963) | more than 12 years ago | (#3566225)

I think most of us have know this for ages. I regularly give my users crap for using crappy passwords. My favorite was when I came into the job of Sys admin the old admins password was his username followed by the number one. To this day I still hear well so and so said that would be a good way to remeber my password.

MG

Making complex passwords should be an IQ test (2, Interesting)

scarpa (105251) | more than 12 years ago | (#3566226)

After dealing with multiple incidents of hacking at my former work, we formed a security policy that included enforced, complex passwords. Luckily we did the same analysis on existing passwords to justify the change because it caused quite an uproar.

Our heuristic was simple (to me)- inlcude one character from each of the following subsets of characters; UPPERCASE, lowercase and Numbers, minimum of 8 digits.

I must have spent at least 10 minutes with most people helping them choose passwords that fit the criteria. The worst ones of course were the executives, one made me sit with them for over a half an hour while they figured it out.

Luckily it was a small company of 40 people or so, I might have gone crazy.

AOTC Spoilers (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3566227)

1)Anakin's mothers dies
2)The clone army is all clones of Jengo Fett, of which Boba is an unaltered clone.
3)Jengo dies.
4)The separatists have the plans to the death star.
6)Anakin gets is hand cut at the end, and marries Amidala

Our Policy (1)

Xaoswolf (524554) | more than 12 years ago | (#3566228)

Where I work, we enforce that passwords have to be a minimum of five characters, and that they are change every quarter. Plus we do not allow them to use old passwords.

Also we instituted a policy where, if we see a password on a post-it note on your monitor, you get your password changed and a warning. Second offense, we walk over, unplug your system, and take it away.

Did I mention that we will still require you to do your job?

What they don't tell you: (3, Interesting)

Telastyn (206146) | more than 12 years ago | (#3566229)

probably 60-75% were cracked within 8 hours.

People do not understand how computers work. If they do not understand how computers work they cannot understand how computer security works. If they do not understand how computer security works, they will likely never ever understand the gravity of a password no matter how much it's explained to them.

To users a password is an annoyance. And they are trained to not be secure with their identities. How many people just give out their SSN? Something that is a definative source of identity, and allows access to tons of things: bank accounts, medical info, home addy. People will just give this to pretty much any customer service Joe.

Why shouldn't they do the same with a password?

Mandatory Password changes (2)

Triv (181010) | more than 12 years ago | (#3566231)

Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it

Mine did. Every 3 months our payroll server refused to let us in if we didn't send in a new Password, then and there. Same thing with the filesharing/print server. The cool thing is, they were staggered so that you've have to change one of your passwords every six weeks or so. Kept it regular, kept it part of routine.

Triv

So vote them off! (1)

Guitarzan (57028) | more than 12 years ago | (#3566234)

"You are theweakestlink! Good-BYE!"

Consistent Password Policies? (2)

devnullkac (223246) | more than 12 years ago | (#3566239)

In my experience, in a large corporation, there are hundreds of independently managed password domains, at least a dozen of which any one person will usually have to deal with on an ongoing basis. Differences in password change frequency, minimum lengths, differentials from prior passwords (sometimes from ANY password used by ANYONE on that system in the last year), and digit inclusion rules vary in a tower of Babel that make it difficult to even maintain passwords, let along ensure they are all maintained securely.

IBM (0)

Anonymous Coward | more than 12 years ago | (#3566241)

I can tell you that IBM makes us change our passwords on a regular basis and they have to be all kinds of random. Even my standard passwords that I consider pretty random don't stand up to their scrutiny sometimes.

changing passwords too often is not good either. (0)

Anonymous Coward | more than 12 years ago | (#3566244)

when i started at this company i had 20 character password with all kinds of 3l1te stuff. but they make chage password eveyr 30 days. and start remidning about it after 15 days. i changed it once, twice, but than got bored making up new passwords and remembering them and just switched to month stuff. dont care any more

Expiring Passwords (2, Insightful)

pz (113803) | more than 12 years ago | (#3566247)

In what way does changing a well-chosen password increase security on a non-compromised system?

George Lucas for God! (0)

Anonymous Coward | more than 12 years ago | (#3566248)

All hail Attack of the Clones!
Attack of the Clones Rules!

Yah! Stick it to the users! (4, Insightful)

jehreg (120485) | more than 12 years ago | (#3566249)

This is so tech-elitist... "The users are the problem!"

Give a look at any paper by Sasse, Brostoff and Adams, such as this one [mdx.ac.uk] , and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force- all-my-users-to-32-char-monthly-passwords bullshit attitude.

The answer is not to forget the human aspect. Find a better way to help users generate better passwords, through education and assistance, not automated password rules, and forced password expiry.

Re:Yah! Stick it to the users! (1)

FooGoo (98336) | more than 12 years ago | (#3566337)

Whoa, user education and assistance?!? That's blasphemy is these parts. Better watch your cornhole dude.

Yeah...yeah (2)

teslatug (543527) | more than 12 years ago | (#3566250)

Can we have some evidence as to how harmful weak passwords really are? I know people that would be a lot more trouble if they were forced to remember good passwords (They'd probably end up wrighting it on a piece of paper). I think it's a lot better to make sure that the compromise of the account could not do much damage by restricting priviledges.

ah that explains it.... (0)

Anonymous Coward | more than 12 years ago | (#3566251)

no wonder so many people are using this Anonymous Coward account. I forgot to put a damn good password on it!

Simple solution (1)

CrazyJim0 (324487) | more than 12 years ago | (#3566253)

Get the database of passwords that "John the ripper" and other popular crack utilities try.

If an employee tries to enter a password found in these programs(tested against database)

"Your password is too easy, try again,"

Management and whining users (1)

thing_from_space (449789) | more than 12 years ago | (#3566254)

I wouldn't be too quick to judge the admins with this one. I know the last time I tried to impliment a more secure password format, the users whined their way up to my boss and demanded that it be changed back. Despite my insistance for a more secure environment, they made me change it back. It was too much for them to remember more than 6 charaters with non-alphanumerics every 90 days. And these are academic types.

Shadow passwords (2)

Beliskner (566513) | more than 12 years ago | (#3566255)

Haven't they heard of shadowed password files?

THIS is what you get when you hire people with lots of experience and not fresh graduates. The more modern security measures that are taught in University in NetSecurity 101 such as using shadowed password files instead of using /etc/passwd for everything simply get "lost in the woodwork".

Therefore by hiring only EXPERIENCED people these old security threats remain until these EXPERIENCED people retire.

Re:Shadow passwords (2)

Beliskner (566513) | more than 12 years ago | (#3566315)

This link [hackerthreads.org] gives further info. Scroll the the bottom, shadowed passwords can be enhanced by the administrator changing the encryption algorithm used to something strong like Rijndael or whatever plus a bigger salt to thwart dic attacks. Lazy *EXPERIENCED* admins.

Talking to yourself is the first sign of going nuts. Heh

Re:Shadow passwords (2)

teslatug (543527) | more than 12 years ago | (#3566352)

The problem is not that they were able to get the passwords, the problem is that the passwords were so weak that it didn't take the program long to figure them out.

isn't this the same point that as the (1)

JeanBaptiste (537955) | more than 12 years ago | (#3566259)

SQLSnake story that just got posted? Passwords suck because people are lazy, with all the stuff they(end users) already have to remember... pin numbers, telephone numbers, ssn, I think their (end users) small brains are full and cant remember one more pwd.
I know of plenty of my customers that have really, really easy passwords.

1 hour? BAH! (1)

EvilMagnus (32878) | more than 12 years ago | (#3566266)

I did the same thing on our NT SAM database a while back. 75% of all passwords fell in about five seconds. ;-)

Anything less than six characters, no matter what they are, goes so fast it's not even funny. Well, it is funny, but not in a good way.

We now have a password policy of 8 chars, letters and numbers, and we run cracks against them every so often to make sure folks are complying.

Mine does...sorta. (2)

ocbwilg (259828) | more than 12 years ago | (#3566267)

The company I work for (large, national insurance company with over 50,000 users) has a "strong" password policy that is enforced by the system. A password for our domain must be a minimum of 8 characters with a mix of upper and lower case letters plus numbers. Password changes are forced every 2 months, and a previously used password is not able to be reused for the next dozen password changes. That being said, just yesterday I was working with a user whose password was their first name with a number one tacked onto the end of it. I imagine that she started with Firstname1 and then just incremented it on subsequent changes.

The problem isn't just forcing "strong passwords" onto the end users, but making sure that end users understand the reasoning behind it. Making someone use complex password formulas is useless when a large number of the users are going to use something that can still be easily guessed that conforms to the formula.

Stupid Admins are worse...... (0)

Anonymous Coward | more than 12 years ago | (#3566268)

where I use to work use to provide easier access than even guessing passwords (which was quite easy). They use to place the remote desktop software on the fileserver in the root directory for them to use from other work PCs (and any-bloody-body else of course) for everyone to access and then forget to set a password on the server software installed to the main servers.

This means anyone could install the software and be able to do whatever they liked to the servers.... I use to sit there and just observe while waiting for my reply back to my offer of a slow painful death from being "cheese grated" on the back of an old Compaq server network card.

.... then there was the belief that they didn't need to apply NT 4.0 security patches on a regular basis..... if the link to the outside world from this server wasn't so shit the servers would of been trashed a long time ago.

Bellsouth DSL routers for business accounts... (1)

antirename (556799) | more than 12 years ago | (#3566272)

Also generally have no passwords. An install technician told me that they don't like to put passwords on them because it makes it harder for tech support to remotly troubleshoot. When I told them that that wasn't acceptable, they used "12345", explaining that it would be easy to remember and that the technician "always used that one when the customer wanted a password". Maybe a combination of a strong password policy and a beating with a clue-by-four would be a good start for people like this.

People don't choose good passwords? (1)

PhysicsGenius (565228) | more than 12 years ago | (#3566277)

Shyeah, right. Next you'll be telling me they buy stuff from Ronco and Nautilus.

Those people are a liberal myth, dude.

Use RSA keys and SSH/SSL whenever possible (2)

jabbo (860) | more than 12 years ago | (#3566279)

crack this with JTR:

MIIBuwIBAAKBgQCvUCC9yWCa83yU3Ebjc5su9pFCoENwPEuK wa U3KprZ4oidOjSw
J9Q4Or2FqIK9zd/VDvTsbW875/pKe13BNu UAWW/X1NxdC1Dog2 ra/sUWmNYClJWC
vHz4JGz6HRSNWyW0KweCNN6oNAiICks870 LOXSfpvL8HgEBMG4 eibA124QIVAMzn
RJxmFVhZ5gF4/Pt1GHkFSAyHAoGBAJ/7pc 3oJ/BAr7IMDyCBF1 Iidf0ou4PvaeBj
VkcsSYMizrbP9O4Gwtt30MdWqUxY21NFAm ZyUyMT7zrCZtQC2C 7ZUbow5vPlVSbr
7RWmzF4P+xN8zZABbHXlv01uDGZvnmK9WV Eb1Uko7F0Z/914Tc 4qx3/wW3eBheNm
elSArUMLAoGAO4cO0FqefRT6VshGt4T3vF RHt/fL/6qgLhInab nXiOn4N8egBuuN
7hBy56BNWMuP7Z/ixROhxv59gCJTsKEFtR 5p0icOY6L/zaBMqw iGn3gm3LgE9MkK
Gk8LxtdRBPgpoK0BwmEQhZEAL5pfemW94y KAhM5hHU1GyoYUSe +OV6wCFCBN9faK
BQG08IhGGotd8mBIfO4s

no, of course that is not my private key. But it proves a point. Don't rely on false randomness to enforce security. Do it the right way.

While you're at it, read Schneier's book(s) and subscribe to Crypto-Gram. I force-feed it to my network users every time it comes out...

Good passwords aredefinately the key (1)

Gaewyn L Knight (16566) | more than 12 years ago | (#3566285)

At our institution [andrews.edu] we have implemented password patterns that must be used. These rules have greatly inhanced security and we have yet to have one of the passwords cracked (we are running a cracker ourselves).
The ruleset it easy:
#1 Passwords must not contain a dictionary word
#2 All passwords must contain a at least 1 number and 1 special character (ie #$%^&....)
#3 The at least 1 number and 1 special character can not be the first or last character of the password.

As for password rotation. I actually believe that harms password integrity. If you are using passwords good enough to stand to crack attacks then changing them only encourages people to write them down someplace and thereby loosing all the benefits of a better password.

proposed solution (1)

kippy (416183) | more than 12 years ago | (#3566290)

cycling passwords are a pain and there are ways around them: change your password N times if there's an N cycle password history.

requiring a symbol, lowercase, uppercase, and number is better but you're limiting your keyspace.

has anyone thought of just checking a user's password against a host of password cracers and seeing if it stands up?

you would ask users to enter a new password, have some password crackers workon it for a few seconds and if it holds up, let it go through.

even if you don't use it when creating passwords, wouldn't it be a good idea if sysadmins ran crackers on the password files regularly and notified the users that they need to change their password from "bunny" to "Bek4!r9f"?

Passwords will always be the weakest link (1)

Zeekamotay (115667) | more than 12 years ago | (#3566293)

> Sounds like enforced password formats and
> mandatory changing of passwords would help

These measures only force users to choose an easily guessable algorithm instead of an easily guessable password. Make your passwords expire every 30 days, and your users will switch from password == userid to password == month name.

Re:Passwords will always be the weakest link (2)

SuiteSisterMary (123932) | more than 12 years ago | (#3566325)

Yup. Passwords need to be done away with, wherever possible, in lieu of things like smart cards, SecureID style schemes, and other such thingies. Otherwise, you get an email address from a company, divine from that, probably, the login name scheme, then start randomly trying names, using all the usual suspects for the password, and you'll get in eventually. Don't even need to try any more.

'Secure' passwords. Hah. (1)

Corvaith (538529) | more than 12 years ago | (#3566295)

My last office job, we had a defined amount of time between which we had to change passwords. No minimum lengths, which would have been good, too, but it was something, right?

Every time passwords got changed, people would take down their old post-it and write up a new one. And you were also required to keep your password on file with your supervisor. Most people just kept incrementing the default password, which was a very short word--so you probably could have gotten 75% of the company just by using default1, default2, etc. ('Default' wasn't the word itself.)

Now, I'm headed off to college in the fall. I've just gotten my university email account, and been informed that you cannot, in fact, have a password longer than eight characters. You just aren't allowed. (Thankfully, they also don't allow less than 6.) We were then recommended to keep it all lower-case and something we could easily remember.

For non-geeks, I've concluded, ease of use trumps security every time. Nothing's ever going to change that, and nothing easy is ever going to be truly secure. Such is life.

Let them try... (1)

antitribue (524882) | more than 12 years ago | (#3566303)

My password would never get cracked this way, I use caps, numbers, and characters

B#d!ACc-0 I mean look at it..
Of course I need to keep it written on the monitor to remember it, and since it is had to type every time I need my password until recently I had to have a file on my desktop (labeled password of course) that had the text to copy and paste, but now I have a programable button on my keyboard with the code in it to save time. This is all still secure right?

Password expiration -- Bad (2)

spencerogden (49254) | more than 12 years ago | (#3566306)

In my experience password expiration just forces you to pick memorable passwords. I have several passwords thatt haven't changed in years, but they are secure by most definitions, 8 chars, upper lowercase and numbers. They would be impossible to remember except that I have been using them for years. The only thing password expiration protects against is limiting the damage of a password which has already been compromised.

Mandatory password changing has its flaws (1)

isoteareth (321937) | more than 12 years ago | (#3566308)

In an environment where passwords are forbidden to be recorded for any reason, constant password changing can lead to the selection of weak passwords. I for one can easily manage a small number of random passwords, but if I have to be constantly changing them I have to resort to less secure but easier to recall passwords.

Passwords and joe user (1)

Neil Watson (60859) | more than 12 years ago | (#3566312)

Ever try an make a non technical user to create a good password. They can never remember it. I either end up having them create a new password or I find their password written on a post-it note near their monitor.

Secure but easy to remember passwords (0)

Anonymous Coward | more than 12 years ago | (#3566316)

People should use passwords that are easy to remember but still long and tough to crack, such as the style of "block+audible" that my old AOL account used years ago, or using the first letter of each word in a phrase like "TitbmoE" for "Taco is the biggest moron on Earth"

fingerprint scanners? (1)

KunstCleaver (248052) | more than 12 years ago | (#3566317)

funny fingerprint scanners should be offered as a
solution when we all know how insecure those are:
http://slashdot.org/article.pl?sid=02/05/15/ 223321 4&mode=thread&tid=172

That's no surprise (3, Insightful)

Chardish (529780) | more than 12 years ago | (#3566320)

In the corporate non-IT environment, you would be absolutely astonished at the stupidity of the passwords involved.

  • A great deal of passwords are simply PASSWORD. Try it, you'll be amazed
  • If you know the names of the target's immediate family (and possibly pets), you've just gained 1-5 more possible passwords.
  • Many people simply make their passwords 'qqqq' or some chain of identical letters. This is because they don't want to have to bother with remembering a password.
  • On a similar note, try QWERTY, ASDFGH, ZXCVBN, etc. Look for strings of letters on the keyboard that fit the minimum password length (typically either 4 or 6.
  • If you have access to the target's desk, you've hit pay dirt. The password is likely written down somewhere. It would be nice if most software didn't say write down your password, etc.
Good password creation tips...

Mother's maiden name is too obvious. But what about just any random name, or maybe a confirmation name (if you're Catholic)? For example, my confirmation name is Anthony. Here's what we do. We reverse the characters, and it becomes ynohtna. Let's remove the vowels. We get ynhtn. Screw around with case. Make it YnHtN. Then throw some easy to remember chain of numbers in there. For example, the last 4 digits of your phone number (0799 for me.) So it becomes Y0n7H9t9N - a password that would take weeks to bruteforce, and can be remembered fairly easily with a bit of practice.

Also consider biometrics. But the problem with biometric input devices is if your password is cracked, you can't really change it...

I've rigged up a :CueCat barcode scanner to just generate raw text input. This way, you can take another piece of paper that has a barcode on it and use that as a password. For instance, keep your library card in your wallet and use the barcode on that as your password by scanning it with a :CueCat. That's always a viable option.

But hey, if you have your password set to PASSWORD, let me tell you, you're asking for it.

-Evan

wow...this is really OLD (2)

Archfeld (6757) | more than 12 years ago | (#3566321)

news, and in other news, Computer systems are 100% safe except for the users. Anyone who has been in any sort of IT environment can tell you this, and probably for a whole lot les money than the consulting firm charged. Unless your policy is enforced and dictionary used on passwords, (L)Users will compromise security for ease of use almost ALL the time.

Strong Passwords (2)

JoeWalsh (32530) | more than 12 years ago | (#3566324)

At my company, I initiated a policy requiring strong passwords (8+ chars, at least 1 uppercase, 1 lowercase, 1 digit, one punctuation, no dictionary words beyond two characters in length allowed). The policy also requires monthly password audits (using programs like John the Ripper).

I got the policy signed off on by the board, then I wrote a memo that explained the policy and showed how it is easy to come up with and remember good passwords (through the phrase --> password method, for example).

So far, it's worked out well. There was some grumbling at first, but once people came up with their first passwords, they realized how easy it was and it didn't bother them any more.

-Joe

Heh (1)

rmadmin (532701) | more than 12 years ago | (#3566327)

I work at a small ISP (400 customers), I ran this on our password list once just out of curriosity on how stupid the customer passwords were.. sad part was, some how 10% of the passwords were the same as the usernames...... No more letting users change their own passwords.

Use authentication tokens (0)

Anonymous Coward | more than 12 years ago | (#3566332)

The best solution to the password problem are authentication tokens like Cryptocard [cryptocard.com] or SecurID [rsa.com] .

jon.sable@sympatico.ca

How about this (1)

wompser (165008) | more than 12 years ago | (#3566335)

For years I've been creating my passwords not based on words, but on easy to remember hand motions. to give a very simple example: Qwerty78 a simple rolling left to right motion, plus a few numbers. Very easy to remember, tough to crack if you try a brute force attempt.

You! are the weakest link (1)

stoolpigeon (454276) | more than 12 years ago | (#3566338)

Good Bye!

.

I've been saying this for years! (2)

farrellj (563) | more than 12 years ago | (#3566341)

Tokenized fobs, or one-time passwords are the best answer, I think. Too bad an ACE server costs so much. :-(

ttyl
Farrell

This and many more (0, Redundant)

bhsx (458600) | more than 12 years ago | (#3566347)

IT revelations in this month's edition of Duh!

Complex Passwords... (2)

Orne (144925) | more than 12 years ago | (#3566349)

Here at work, the DBAs are setting up strong-password checks on all of the Oracle databases. Passwords are restricted to more than seven characters, and must contain an upper-case alpha, lower-case alpha, a numeric, cannot be one of your last 10 passwords, and cannot have similar substring matches with your last password.

However, with Oracle versions 8.1+, there is a bug with the supplied verify function that rejects nearly ALL passwords supplied, even passwords that are completely random strings (such as g8kLK58sS). Anything used in the "ALTER USER [NAME] IDENTIFIED BY [PASS]" will fail, and we users are getting a bit angry that we've lost the ability to change our own passwords.

What this has resulted in is an abundance of ORA-28003: password verification for the specified password failed messages. This is the default error message when your password is not complex enough. Note that by default, Oracle passwords are NOT case sensitive.

In other news... (1)

bobdehnhardt (18286) | more than 12 years ago | (#3566350)

ZDNet recently announced the following earth-shattering revelations:
  • The sun may be hot
  • Bears may shit in the woods
  • Bill Gates may be reasonably wealthy
  • The Pope may be Catholic
  • Michael Jordan may be (or have been at one time) an athlete
  • Wars may cause people to die
  • Disease may be bad
  • Drinking massive quantities of beer may get you drunk

"There is still some speculation about that last announcement," said Norman P. Obvious, ZDNet spokesman and 1997 StarSearch Spokesmodel winner. "We're planning on doing some more testing over the next few weekends."

Draconian Password Policies Are Not The Answer (3, Interesting)

YankeeInExile (577704) | more than 12 years ago | (#3566353)

This is a touchy area.

You need to have a password policy that encourages better passwords without requiring a specific password makeup.

If I encounter a system where my password must include mixed case and digits and punctuation, I'm going to make up a random string, and then have to write it down.

Some Unices I've encountered had a passwd(1) that would NOT allow you to enter a "bad" password, while others would nag you gently depending on how "bad" it was, but would eventually relent and let you set your password to "flower" if that's what you REALLLY wanted.

The REAL answer is not "password" but "pass phrase" where the text can be lengthy and meaningful to none but the user.

Furthermore Opie [inner.net] is a neat project to avoid keyboard snooping.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?