Graeme K. Le Roux, 1-Jul-2002
Some twenty years ago, I came across a report which estimated that 20% of system users chose really stupid passwords. Fast forward to the present, and it seems that nothing much has changed.
A recent conversation about basic security issues with a group of system and network administrators confirmed my suspicions. Even system administrators, it seems, are likely to choose stupid passwords.
Don’t believe me? Try getting hold of a freeware SNMP utility, use it to do a trace route to find the addresses of some of the routers on your network, and then try using the SNMP utility with the password “public”— i.e. the SNMP default.
Even if someone has changed the write password, I’ll bet that you will still be able to read the unit’s configuration by supplying “public” as the read password. And being able to read a router’s configuration can be very helpful to the average hacker.
Service accounts under Windows have no default other than running under the system login, but when a service creates an account for itself as part of an automated install, the password it uses is likely to be some predictable variation on the product’s or manufacturer’s name.
This is very helpful to a hacker who wants to plant a malicious service on a host; all they have to do is itemise the accounts on the system, load their software and wait for, or provoke, a reboot. Having a usable service account saves them all the trouble of creating one and having to hide it.
Of course a hacker has to get into your system before they can do any mischief and that requires hijacking a user account. And it is easy to do so when one in five system users is likely to have a really stupid password.
What’s stupid?
For me, a “really stupid” password is some variation on the user’s name, a relative’s name or some significant date. Almost as bad is picking a character name or phrase from a popular movie or book.
When Star Wars was released I found a number of “skywalker” passwords, “Illbeback” was popular when the Terminator films were shown, and then there was the known trekkie whose password was “klingon”. The same problems occur with sporting clubs’ and sports stars’ names, club mottos, phrases from club songs, etc. Popular songs are another source of guessable passwords.
So is a good password something that’s really complex? No, because it’s no use having a password that the user can’t remember easily. So system administrators beware: if you try to force your users to use a complex password, then they are going to write it down.
I was once involved in a security assessment for a large client who proudly told me that they forced users to use 12-character alphanumeric passwords which were changed every two weeks. The IT department generated these passwords and kept a record of them in case a user lost their password.
When we did an after-hours walk around the client’s head office, we found that roughly one user in three had a post-it note with the current password written on it stuck to their terminal or PC, and the worst offenders were senior management.
Yes, such passwords are hard to crack, but from a user’s perspective they are almost impossible to remember, and nobody likes to get chewed out for forgetting a password, so it’s no wonder people wrote passwords down.
I personally think that good and practical passwords are case-sensitive alpha-numeric representations of phrases.
One good one I came across some years ago was “I4gotit”. Another was “3BeeOrNot2B” (it may be abusing Shakespeare’s work, but it is a good password). The point about both these passwords is that they are easy to remember and hard to crack—and that is the basis of password security.
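As an added illustration (not part of the original column), the check below turns the column’s definition of a “really stupid” password into a policy test an administrator could run at password-change time: it normalises the candidate (case folding, undoing digit-for-letter substitutions such as 4→a), then looks for variations on the user’s name, a relative’s name, a significant date, or a known popular-culture word, and separately reports whether the password has the mixed-case, letters-plus-digits shape of the phrase-derived passwords recommended above. The user profile, the date, and the small popular-culture word list are constructed sample inputs; a real deployment would draw the word list from a much larger dictionary.

```python
import re
from datetime import date
from typing import Iterable, Tuple

# Common digit/symbol-for-letter substitutions undone before matching,
# so "k1ing0n" is judged the same way as "klingon".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed, deliberately small list of popular-culture words; a real
# policy would load a full dictionary here.
POP_CULTURE = {"skywalker", "illbeback", "klingon", "vader", "trekkie"}

# Date layouts people tend to type; only tokens of four or more digits are
# compared so a lone "2" cannot trigger a false positive.
DATE_FORMATS = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%Y")


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions, keep letters only."""
    folded = password.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", folded)


def is_really_stupid(password: str, user_name: str,
                     relatives: Iterable[str] = (),
                     dates: Iterable[date] = (),
                     popular_words: Iterable[str] = POP_CULTURE) -> Tuple[bool, str]:
    """Return (True, reason) if the password falls into one of the column's
    'really stupid' categories, otherwise (False, explanation)."""
    norm = normalize(password)
    digits = re.sub(r"\D", "", password)

    # Variation on the user's own name or a relative's name: any name part of
    # three or more letters appearing in, or containing, the normalised password.
    for label, names in (("user name", [user_name]), ("relative's name", relatives)):
        for full_name in names:
            for part in full_name.lower().split():
                if len(part) >= 3 and (part in norm or (len(norm) >= 3 and norm in part)):
                    return True, f"variation on {label} '{full_name}'"

    # Significant date typed in any common numeric layout.
    for d in dates:
        for fmt in DATE_FORMATS:
            token = d.strftime(fmt)
            if len(token) >= 4 and token in digits:
                return True, f"contains significant date {d.isoformat()}"

    # Character names, catchphrases and similar popular-culture words.
    for word in popular_words:
        if normalize(word) in norm:
            return True, f"popular-culture word '{word}'"

    return False, "not in a 'really stupid' category"


def looks_like_phrase_password(password: str) -> bool:
    """True if the password has the shape the column recommends: a
    case-sensitive alphanumeric rendering of a phrase, i.e. mixed case,
    at least one digit, and at least seven characters."""
    return (len(password) >= 7
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def review(password: str, user_name: str, relatives: Iterable[str] = (),
           dates: Iterable[date] = ()) -> str:
    """Combine both checks into a one-line verdict for an administrator."""
    stupid, reason = is_really_stupid(password, user_name, relatives, dates)
    if stupid:
        return f"REJECT: {reason}"
    if looks_like_phrase_password(password):
        return "ACCEPT: phrase-style password"
    return "WEAK: not guessable from profile, but lacks mixed case or digits"


if __name__ == "__main__":
    # Constructed sample profile for a user named Jane Doe, born 4 May 1975.
    profile = dict(user_name="Jane Doe", relatives=("Tom Doe",), dates=(date(1975, 5, 4),))
    for candidate in ("Jane2002", "k1ing0n", "04051975", "skywalker", "I4gotit", "3BeeOrNot2B"):
        print(f"{candidate:12s} -> {review(candidate, **profile)}")
```

The normalisation step matters more than the word list: without it, "k1ing0n" would sail past a check that rejects "klingon", which is exactly the kind of trivial variation the column warns about.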