Lame passwords

Printable View

May 22nd, 2002, 08:12 PM
cwk9

Lame passwords

Quote:

Of nearly 3,300 passwords examined, the paper's authors, Ken Thompson and Robert Morris Sr., found about 17 percent consisted of three characters or less, nearly 15 percent had four characters that were a letter or a digit, and another 15 percent appeared in one of the dictionaries available at the time. In total, nearly half the passwords could be found in a search lasting less than six hours.

THE LINK: http://zdnet.com.com/2100-1105-920092.html

I think bad information on choosing a password holds some of the blame. Most system admins think that if you just throw a number on the end of a password it becomes uncrackable. Also many articles on choosing passwords suggest mixing up letters when in reality the password "snowboarding" is just as secure (random) as the password "zswerflpe". If you really want to give pasword crackes a hard time you should try a passwords like $/|/0\/\/B01Rd1ng (with a little alt + 255 at the end). Of course at some point you have to draw a compromise between what you can remember and what is secure.
May 22nd, 2002, 08:15 PM
TechieChick

First visit at a new clients, booted up a workstation and the network password box popped up.
User Name: justclickenter

DOH :rolleyes:
May 22nd, 2002, 08:16 PM
preep

adding all that **** just makes it longer to crack, but it depends on what software you use to crack it.

preep
May 22nd, 2002, 08:18 PM
preep

hey i knew a mate from college who used qwerty as his yahoo passwd.
how daft is that?
p.s i never done anything, just told hit is kick his ass if he didnt change it.
:P
preep
May 22nd, 2002, 08:20 PM
Specter6

One of my favorites is to come up with a phrase that is relevant and easy to remember and then convert it into alpha-numeric w/special characters:

Example - Uncle Bill needs to give me large quantities of money
Pwd - UBn2gmLqo$

Uppercase, lowercase, alpha, numeric, special characters, 10 digit, no repeats...

Damn - can't use that one anymore ;-)
May 22nd, 2002, 08:38 PM
gstudios

I was browsing through the 2600 mag, the other day, and someone wrote an article about how large a brute force file would be, if it contained every imaginable password. The size of the file was in the Terabytes.

I used to work for Circuit City, when you got hired you would get a 5 digit number, which was basically your employee number. Then you would get a new two character/digit "password" every month. Sometimes it was letters, letters+numbers, numbers. To clock in, you would have to "login" with your 5 digit number, plus the 2 digit password. Then when you went to release product, so you could take it out to the customer, you would enter in your 2 digit password, and then scan the UPC and Serial number.
That was before, they had the "access card". Which, does not replace the two passwords, but you must use it conjunction with them. Which makes it considerably harder to "crack". Unless of course you lose the Card, and someone else knows your 5 digit, and 2 digit passwords.

Before they issued the Cards, someone (anyone including customers) could "sell" the product, if they knew a salespersons 2 digit password, most employee's didn't and don't "logout" so that they are still logged in as the active user at the Kiosk.

Just some fun tidbits. :)
May 23rd, 2002, 01:23 AM
Scorp666

I was once told using characters such as ¬ ¹ @ ³ ¼ ½ | è ° õ µ ø could make the password hacking a challenge. I think using obscure chars is a step towards top security. Off course you aren't secure if you paste that pass on your Monitor... ;)
May 23rd, 2002, 01:43 AM
Kezil

Here's a good site on passwords (though I haven't read the whole thing). Has a chart near the middle with password size statistics. http://www.oit.duke.edu/security/password.html
May 23rd, 2002, 02:28 AM
Kezil

Fun with ASCII

Fun with the ASCII table(not even extended):

Password:
F!]2e & ![e:$0M3 $aY +H3 W0Rl|> wI1L 3Nd In F!]23,$0M3 $aY !N ![3.Fr0m Wh@ I'v3 +4s73|> 0F d3sIr3,! H0Ld W!7h 7h0s3 wH0 FaV0]2 fIr3.bUt If I+ Ha|> +0 p3rIsH +W![3,I +H!N|< I |<N0W 3N0UgH 0F h@3,+0 |<N0W +H@ f0r |>3$+]2u[+I0N ![3,Is 41$0 Gr3@,& W0U1|> sUfF![3.

Original text:
Fire and Ice

Some say the world will end in fire,
Some say in ice.
From what I've tasted of desire
I hold with those who favor fire.
But if it had to perish twice,
I think I know enough of hate
To know that for destruction ice
Is also great
And would suffice.

(credit to Robert Frost for poem)

Site with nonextended and extended ASCII tables: http://www.asciitable.com/

Imagine doing this with the Raven by Edgar Allan Poe using extended ASCII...the possibilities are endless... (For those of you who have never read it: http://www.student.virginia.edu/~ravens/raven.html )