
Thread: Passwords that should NEVER be used!

  1. #1
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400

    Passwords that should NEVER be used!

    A friend sent me this link today...it's a bit old but I couldn't find it so oh well

    Passwords that should NEVER be used!

    Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses.

    Trojan, virus, and worm authors have had great success attacking systems with weak and/or default passwords. Take IRC/Flood Trojan for example. McAfee’s virus profile states that IRC/Flood has over 120 variants and has infected over 60,000 machines in the last 30 days. IRC/Flood succeeds by checking for 22 different easy-to-guess admin passwords (variants vary). Unfortunately, there are a lot more where IRC/Flood came from; W32/Tzet.worm, W32/Random.worm, and W32.HLLW.Gaobot.gen are in the wild, just to name three.

    Hackers also have no problem compromising systems with weak passwords. Programs like L0phtCrack, for example, make the process simple and efficient. Creating a password-cracking dictionary is not even a challenge. Type the words "Creating Password Cracking Dictionaries", without the quotes, into your favorite search engine. A comprehensive dictionary can be downloaded or created from scratch in short order.

    Below is a list of commonly used weak passwords that should NEVER be used. If any of these passwords look hauntingly familiar and are being used, you need to change the password immediately.

    Source: http://www.pclinuxonline.com/article.php?sid=8823

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I'd like to know who came up with some of those passwords, especially the ones that are like 20+ characters with special characters... or the ones with large numbers of special characters but that still contain alphanumerics. Some of those passwords are great and I'd love to see my users using them.

    Sure, there are definitely a lot there that people shouldn't be using, but others on that list shouldn't be there... makes me question the minds of the people behind it.

    Examples:
    AURORA$ORB$UNAUTHENTICATED
    AURORA@ORB@UNAUTHENTICATED
    I5rDv2b2JjA8Mm
    %username%1234 (unless they mean that as a variable as in HTRegz1234)
    240653C9467E45
    1RRWTTOOI

    I think most people around here would be impressed if their users used passwords like that.


    Peace,
    HT

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Hrmm.... so the more common passwords -- blank, password, username, realname, DOB -- are ok???

    Personally I prefer ones like Th3M3@ng0fl1f42!!!
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  4. #4
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Actually I was wondering the same thing... some of them seemed pretty darned good for normal users to come up with, and did have at least a few of the permutations and combinations that are generally advised...

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    From the comments of the article

    OK, I give up, how come A52896nG93096a is an easy to guess password?
    I am with you there MSM


    I thought this was a good point

    noname

    What this article does not mention is password policies that unintentionally encourage weak passwords. A company that I once worked for forced users to change their passwords every 30 days, with password expiry warnings within 15 days of expiry. Also, passwords could only be changed once in a 24 hour period and one could not reuse a password that had been used in the last 5 changes.

    The result was that most users created very simple passwords that included a number representing the month of the year combined with a minimum number of other characters that satisfied the other character requirements for passwords (upper and lower case letters). This was common so the users could remember their frequently changing password.

    I believe the end result was a computer network that was far less secure as a result of the policy.

    Of course the policy was never changed because it was created for the sake of having a policy; whether it made the system more secure was less important.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    At my college for our networking classes we all use "password". It makes things easier when dealing with a class test environment, but in real life if you used that you deserve to be shot.
    Git R Dun - Ty
    A tribe is wanted

  7. #7
    Could have reduced the list a lot just by saying passwords MUST contain at least.....

    1 alpha and 1 numeric character
    1 Special character
    1 Uppercase character
    be at least 7 characters long.

    and then presented a list of commonly used passwords that adhere to policies like the one above. For example:

    P@55w0rd
    P@$$w0rd!
    Password01!

    Even better is that the password must not contain a dictionary word (e.g. Password in the case of Password01!) or the username or the user's first name or surname, although this is much harder to enforce, particularly in the Windows environment.

    I put together a tutorial for creating good passwords which is here:
    http://www.antionline.com/showthread...hreadid=271347

    MLF - I agree that you have to try to avoid unintentionally getting users to create weak passwords, but some organisations have requirements for their passwords specified by other organisations. We, for example, have a guideline (from the Australian Government Computer Security Organisation) that passwords SHOULD meet (note it is not a MUST, but you must show cause why your passwords don't meet the standard if they don't). These standards are similar to the one I mentioned above.
    I think changing passwords every 30 days is excessive if you have the policies in place to ensure the user creates strong passwords (such as the one I mentioned above).
    The requirement specified in the Govt policy here is 90 days.

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Originally posted here by morganlefay
    From the comments of the article

    OK, I give up, how come A52896nG93096a is an easy to guess password?
    I quote from the comments in response to your question from above:

    To quote from this [archives.neohapsis.com] quote I googled: IBM 8237/8225 (/others?) have a backdoor login/pass embedded in the firmware. IBM corrected this problem (or hid it better) on newer versions of the firmware. This problem was reported to bugtraq about two years ago, so I expect they cleaned up their act since then. Would be nice to see what other networking products from IBM were affected.
    Login: I5rDv2b2JjA8Mm
    Pass: A52896nG93096a


    A /lot/ of those passwords are default passwords from years ago for a myriad of products.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  9. #9
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Yep, was thinking that as I read the list. A lot of the passwords that look pretty strong are indeed default passwords from a lot of hardware and apps and therefore pretty weak.

    They may not show up in a dictionary attack, but any software designed for cracking passwords that is worth its salt should include default passwords in its .txt.

    AURORA@ORB@UNAUTHENTICATED = Oracle RDBMS 7 and 8 (Login)
    AMI~ = AMI BIOS funny enough!
    etc etc ....

    JOOI, I recognized this one first: dn_04rjc. Anyone know it?? (without the aid of goooogle!)


    //JOOI = Just out of interest, Have I just made this one up??
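
    Tying posts #7, #8 and #9 together: a complexity policy alone lets P@55w0rd and Password01! through, and a pure dictionary attack misses the default credentials on the list, so a sensible acceptance check does both. The following is an added example, not code from the thread or from any product mentioned in it. Its blocklist and dictionary are tiny constructed sets seeded with the passwords named in this thread (a real check would load a full vendor default-credential list), and the leet-speak substitution table is an assumption, not a standard.

```python
"""Password acceptance check: complexity rules plus weak/default-password
screening with leet-speak normalisation. Added example; not from the thread."""
import re

# Constructed blocklist: the weak and default credentials named in this thread
# (P@55w0rd, the Oracle AURORA account, the IBM firmware pair, the BIOS
# passwords). A real deployment loads a large vendor-default list instead.
BLOCKLIST = {
    "password", "p@55w0rd", "p@$$w0rd!", "password01!",
    "aurora$orb$unauthenticated", "aurora@orb@unauthenticated",
    "i5rdv2b2jja8mm", "a52896ng93096a", "dn_04rjc", "ami~",
}

# Tiny constructed dictionary; a real check uses a full wordlist.
DICTIONARY = {"password", "secret", "admin", "welcome", "letmein"}

# Assumed leet substitutions, so P@$$w0rd! normalises to "passwordi".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Lower-case and undo the common character substitutions above."""
    return pw.lower().translate(LEET)


def meets_complexity(pw: str, min_len: int = 7) -> bool:
    """The minimum policy from post #7: >= 7 chars, one letter, one digit,
    one special character, one upper-case letter."""
    return (len(pw) >= min_len
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None)


def check_password(pw: str, username: str = "", realname: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails complexity policy")
    lowered, norm = pw.lower(), normalise(pw)
    # Compare both the raw lower-cased form and the de-leeted form against the
    # blocklist, so Passw0rd is caught by the "password" entry too.
    if lowered in BLOCKLIST or norm in {normalise(b) for b in BLOCKLIST}:
        reasons.append("matches a known weak or default password")
    for word in sorted(DICTIONARY):
        if word in norm:
            reasons.append(f"contains dictionary word '{word}' after leet normalisation")
    # Username / real-name parts of three or more characters must not appear.
    tokens = [t.lower() for t in re.split(r"\W+", f"{username} {realname}") if len(t) >= 3]
    for tok in tokens:
        if tok in lowered or tok in norm:
            reasons.append(f"contains account name part '{tok}'")
    return reasons


def audit(samples):
    """Map each (password, username) pair to its list of rejection reasons."""
    return {pw: check_password(pw, user) for pw, user in samples}


if __name__ == "__main__":
    # Constructed sample input drawn from the passwords discussed in the thread.
    SAMPLES = [("P@55w0rd", ""), ("Password01!", ""),
               ("AURORA@ORB@UNAUTHENTICATED", ""), ("dn_04rjc", ""),
               ("HTRegz1234", "HTRegz"), ("kQ9#vL2m!xR7", "")]
    for pw, reasons in audit(SAMPLES).items():
        print(f"{pw:30} {'OK' if not reasons else '; '.join(reasons)}")
```

    Run as-is, P@55w0rd passes meets_complexity() but is still rejected twice over (blocklist hit and dictionary word "password" after normalisation), AURORA@ORB@UNAUTHENTICATED fails on both the policy and the blocklist, and HTRegz1234 is rejected for containing the account name, which is the %username%1234 case from post #2.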

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Originally posted here by Nokia

    JOOI, I recognized this one first dn_04rjc anyone know it?? (without the aid of goooogle!)


    //JOOI = Just out of interest, Have I just made this one up??
    heh I didn't go through the list too much, but I do indeed know that one. It is an old BIOS password... I /think/ it was Micronics but it could be Phoenix. It has been a few years and I'm feeling a bit rusty.


    Yeah I think you just made JOOI up

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
