Passwords that should NEVER be used! - Page 2
Page 2 of 3
Results 11 to 20 of 23

Thread: Passwords that should NEVER be used!

  #11 | catch | Banned | Join Date: May 2003 | Posts: 1,004
    This is all just complete BS.

    Quote:
    Trojan, virus, and worm authors have had great success attacking systems with weak and/or default passwords. Take IRC/Flood Trojan for example. McAfee's virus profile states that IRC/Flood has over 120 variants and has infected over 60,000 machines in the last 30 days. IRC/Flood succeeds by checking for 22 different easy-to-guess admin passwords (variants vary). Unfortunately, there are a lot more where IRC/Flood came from; W32/Tzet.worm, W32/Random.worm, and W32.HLLW.Gaobot.gen are in the wild, just to name three.
    The real question is why do these systems allow remote administrative passwords? If they must, why is no PKI used? These systems had minimal security; weak passwords are almost a trivial concern.

    Quote:
    Hackers also have no problem compromising systems with weak passwords. Programs like L0phtCrack, for example, make the process simple and efficient. Creating a password-cracking dictionary is not even a challenge. Type the words "Creating Password Cracking Dictionaries", without the quotes, into your favorite search engine. A comprehensive dictionary can be downloaded or created from scratch in short order.
    L0pht requires access to a SAM file... not sure how your systems are configured, but mine requires a SYSTEM SID token to access either SAM file. And dictionary attacks? Did someone roll back the clock to 1992? Why not write a "Hacking with Telnet" tutorial next. Users should never be able to attempt more than a couple of passwords before being locked out.

    Failure to apply such basic common sense as limiting attempts and restricting what/how users can log in is a far more serious problem than weak passwords.

    Would you crack this account in three guesses?
    user: john.smith
    pass: JOHNSMITH

    I'd have bet a month's pay on no. Passwords like johnsmiTh are even less likely to be guessed, yet still very easy for users to remember. This allows them to change their passwords frequently (which is more important due to accidental dissemination at cybercafes, other external systems, etc.) while maintaining a low recovery requirement.

    Seriously though... think about it: if someone that knows you very well stole your ATM card, could they guess your four-digit PIN? What makes you think they could guess an eight-character password?

    You have better things to worry about.

    cheers,

    catch

    PS. It is however important that default passwords be changed.
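catch's point that users should be locked out after a couple of bad guesses is the control that turns a 22-guess worm dictionary into a non-event. The following is an added example, not code from the thread or from any product it mentions; the class name LoginGuard, the helper names and the in-memory account store of salted PBKDF2 digests are hypothetical and exist only so the example runs offline.

```python
"""Online-guessing lockout guard: an added example, not code from the thread.

Names (LoginGuard, make_account, run_guesses) and the in-memory account store
are hypothetical; the store holds salted PBKDF2-HMAC-SHA256 digests only so
the example is self-contained and runs offline.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 100_000


def make_account(password: str) -> dict:
    """Constructed store entry: random salt plus PBKDF2 digest of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


class LoginGuard:
    """Stop evaluating passwords for an account after max_failures failures
    inside `window` seconds, and keep it shut for `lockout` seconds.

    A 22-guess dictionary run of the IRC/Flood kind gets max_failures guesses
    evaluated; everything after that is refused without touching the store.
    """

    def __init__(self, accounts, max_failures=3, window=300.0, lockout=900.0,
                 clock=time.time):
        self.accounts = accounts
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(list)      # user -> timestamps of recent failures
        self._locked_until = {}                 # user -> time the lock expires
        # Unknown usernames are hashed against this dummy so they cost the same
        # time, fail the same way and lock out the same way as real accounts.
        self._dummy = make_account(os.urandom(16).hex())

    def is_locked(self, user: str) -> bool:
        return self._locked_until.get(user, 0.0) > self.clock()

    def attempt(self, user: str, password: str) -> str:
        """Return "ok", "denied" or "locked" for one login attempt."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"                     # password not evaluated at all
        acct = self.accounts.get(user, self._dummy)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"],
                                     PBKDF2_ROUNDS)
        if user in self.accounts and hmac.compare_digest(digest, acct["digest"]):
            self._failures.pop(user, None)      # success clears the failure history
            return "ok"
        recent = [t for t in self._failures[user] if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures.pop(user, None)
        return "denied"


def run_guesses(guard: LoginGuard, user: str, guesses) -> dict:
    """Replay an attacker's guess list and count how many guesses the guard
    actually evaluated versus refused outright."""
    verdicts = [guard.attempt(user, g) for g in guesses]
    return {"evaluated": verdicts.count("denied") + verdicts.count("ok"),
            "locked": verdicts.count("locked")}


if __name__ == "__main__":
    store = {"john.smith": make_account("johnsmiTh")}
    guard = LoginGuard(store)
    # Constructed 22-entry guess list; the real password is not in it.
    guesses = ["admin", "password", "root", "123456", "administrator"] + \
              [f"guess{i}" for i in range(17)]
    print(run_guesses(guard, "john.smith", guesses))   # 3 evaluated, 19 refused
```

Two design points: a locked account is refused before any hashing, so the attacker gets no timing or error-message oracle from the fourth guess onward, and unknown usernames go through the same dummy hash and the same lockout so the response cannot be used to enumerate accounts. The caveat is that a per-account lockout lets anyone who knows a username deny service to it; in practice pair it with per-source throttling and alert on accounts that keep hitting the lock.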

  #12 | dinowuff | THE Bastard Sys***** | Join Date: Jun 2003 | Location: Third planet from the Sun | Posts: 1,247
    Originally posted here by catch
    This is all just complete BS.


    PS. It is however important that default passwords be changed.
    Yup Pure Bull ****!!!!!!!

    It's not about passwords, folks, when it comes to network security. (Pay attention.) My boss, the director of IT, has no more rights than any other average user. His password could be blank. WHO THE **** CARES. With his logon and permissions, two words: ACCESS DENIED.

    Now I have administrative accounts that do not have INHERITED permissions across the domain(s). I may have GOD rights on one subnet, even two or three, but that admin account cannot access mission-critical applications. And the account that can access those apps does not have domain rights. WTF? This is basic security. If your users can have a username and a blank password and that is a security risk, BURGER KING is hiring. Get another JOB!

    As administrators, we control the level of access. We know that the average user only wants to do their job, i.e., spreadsheets, reports, customer service, etc. If the average user can download the SAM and run L0pht against it.......

    Strong passwords for average users are a risk in themselves. AUPs and user manuals/directions on how to formulate a password are nothing more than a road map to how the administrator creates their passwords.

    Let the users do what they want. Protect the data by preventing access from unauthorized nodes, or (for those still needing help) computer/electronic networked devices not allowed on the network.

    /end rant
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  #13 | Banned | Join Date: Aug 2004 | Posts: 534
    I just wanna add... my favorite bullshit password


    NIMDA (as in reverse of ADMIN)

  #14 | Member | Join Date: Aug 2005 | Posts: 98
    IMHO defence-in-depth is the key; implementing a number of controls (e.g. limiting failed logins, etc.), including strong passwords, should make up your network/data security strategy.

    Whilst you shouldn't 'hang your hat' on password strength as your primary form of network security, I think it is also wrong to suggest that it doesn't matter. Again, for me the key is defence-in-depth: the more layers of control you have in place, the better.

    In most standard Windows environments (aside from 2-factor and smart card), if I know your username and password, as far as the system is concerned I am you, and I have all the access that you have (including to any sensitive data), regardless of the privileges that I personally have been assigned.

    Any control that makes that username and password combination more difficult to guess (disclaimer: without making them so difficult to remember that users have to write them down), and minimises the risk of identity theft and inappropriate use of someone else's access, is a good thing.

  #15 | carenath | Member | Join Date: Jan 2002 | Location: Carlisle, PA | Posts: 42
    No offense intended, but you need to also look at the fact that a LOT of people who might come here are simple home users. They have no concept of password security (at least most of them), and therefore could learn a lot from the site referenced.

    While I think a lot of the passwords listed in that site are very good for the average user, I noted some indicated that a lot of them are defaults for old programs/bios, etc...

    Ok, I can accept that, but how many people really know that from so long ago? Yes, I did recognise a few defaults, but I really think that quite a number of them are pretty good for home users.

    Most of them can be changed - even slightly - to provide good CompSec and still be difficult to break.

    As long as you are using a combination of alpha/numeric/special characters you are practicing good computer security and making it more difficult for someone to hack into your system. Anyone think I'm wrong?
    Windows XP = Windows Xtra Problems

  #16 | nihil | Super Moderator: GMT Zone | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,178
    I would like to remind people of the original purpose of the userID/password. I am going back to the days of IBM 5250 dumb terminals and NO remote access. Or if there was, it would be via a 9600 baud direct landline.

    The purpose was authority, identity and audit trail. Users were limited in the number of logon attempts and in some cases to using a particular terminal or set of terminals (generally by department).

    This was protection against the "enemy within" and intended to prevent fraud and malicious activity. This is still the case today, and blank passwords are generally unacceptable.

    Their complexity should be sufficient to stop them being easily guessed, or the user runs the risk of being impersonated. That is what they should be made well aware of?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  #17 | Senior Member | Join Date: Apr 2004 | Posts: 1,130
    Off topic:

    Originally posted here by nihil
    I would like to remind people of the original purpose of the userID/password. I am going back to the days of IBM 5250 dumb terminals and NO remote access. Or if there was it would be via a 9600 baud direct landline.
    5250? /3 systems? AS/400? Man, you are too old.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  #18 | nihil | Super Moderator: GMT Zone | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,178
    Quote:
    5250? /3 systems? AS/400? Man, you are too old.

    Very true....................S/34, S/38 and AS/400.............but the same was true of most mainframe environments in those days.

    The idea was to provide internal security and enforce division of responsibility, which goes back way before computers.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  #19 | Senior Member | Join Date: Feb 2002 | Posts: 500
    That is the worst reference I have ever seen. Besides the fact that they have a lot of common English words on there (you shouldn't use ANY simple word by itself, regardless of whether it's on that list or not!), they are missing some of the WORST ones to use, e.g.:
    qwerty
    abc123
    blue32

    These are more important because users think they are being smart using random letters, or letter/number combos.

    Anywho, thought those should have been on the list, among others as well. All the basic words on that list should be removed and replaced by an English dictionary file.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/
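The practical form of this post's complaint is a password screen that rejects the whole class of "clever" choices (keyboard walks like qwerty, letter/number combos like abc123 and blue32, reversed or leet-spelled dictionary words like NIMDA and p4ssw0rd) rather than a fixed list of strings. The following is an added example, not code from the thread or from the site it criticises; the function names and the two tiny constructed lists are hypothetical stand-ins for a real English wordlist and a breach-derived blocklist.

```python
"""Weak-password screen: an added example, not code from the thread.

The blocklist and wordlist below are constructed and deliberately tiny so the
example runs offline; a real deployment loads a full English dictionary and a
breach-derived blocklist instead. The function names are hypothetical.
"""
import re

BLOCKLIST = {"qwerty", "abc123", "blue32", "letmein", "nimda", "password"}
WORDLIST = {"admin", "password", "blue", "secret", "dragon", "welcome", "smith"}

# Keyboard rows, the alphabet and the digit run, each with the shortest run
# that counts as a sequence. The alphabet needs four characters so ordinary
# words such as "defense" (which contains "def") are not flagged.
SEQUENCES = [
    ("qwertyuiop", 3), ("asdfghjkl", 3), ("zxcvbnm", 3),
    ("abcdefghijklmnopqrstuvwxyz", 4), ("0123456789", 3),
]

# Common leet substitutions undone before the dictionary check, so that
# "p4ssw0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def find_sequence(text: str):
    """Return the longest keyboard/alphabet/digit run (forward or reversed)
    found in text, or None."""
    s = text.lower()
    for row, min_run in SEQUENCES:
        for seq in (row, row[::-1]):
            for run in range(len(seq), min_run - 1, -1):
                for i in range(len(seq) - run + 1):
                    if seq[i:i + run] in s:
                        return seq[i:i + run]
    return None


def weakness(password, username=None, blocklist=BLOCKLIST,
             wordlist=WORDLIST, min_length=8):
    """Return a short reason the password is weak, or None if it passes."""
    p = password.lower()
    if p in blocklist:
        return "on blocklist"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    if username:
        u = username.lower()
        # The whole username with separators removed, plus any part of it
        # that is four or more characters long ("john", "smith").
        needles = [re.sub(r"[^a-z0-9]", "", u)]
        needles += [t for t in re.split(r"[^a-z0-9]+", u) if len(t) >= 4]
        for needle in needles:
            if needle and needle in p:
                return f"contains username part '{needle}'"
    seq = find_sequence(p)
    if seq:
        return f"contains keyboard/alphabet sequence '{seq}'"
    # Strip digits/symbols to get the word the user padded, once as typed and
    # once with leet substitutions undone; check both forward and reversed.
    raw_core = re.sub(r"[^a-z]", "", p)
    leet_core = re.sub(r"[^a-z]", "", p.translate(LEET))
    for core in dict.fromkeys([raw_core, leet_core]):
        if core in wordlist:
            return f"dictionary word '{core}' with padding"
        if core[::-1] in wordlist:
            return f"reversed dictionary word '{core[::-1]}'"
    return None


if __name__ == "__main__":
    for pw, user in [("NIMDA", None), ("nimda2005", None), ("qwerty123!", None),
                     ("Blue32!!", None), ("p4ssw0rd!", None),
                     ("johnsmiTh", "john.smith"), ("Tr0ub4dor&3", None)]:
        print(f"{pw!r}: {weakness(pw, username=user)}")
```

The checks are ordered from cheapest to most expensive, and each returns the first reason found, which is what you would show the user. Note that with this screen catch's johnsmiTh/john.smith pair is rejected by the username check before the complexity of the password is ever considered; whether to enforce that rule is a policy decision, but the check is cheap and the example keeps it.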

  #20 | Senior Member | Join Date: Mar 2003 | Posts: 372
    Originally posted here by nihil

    S/34, S/38 and AS/400

    heh, we /still/ have AS/400 and are one of a handful of companies that run their website off of one O_O

    That is changing, but I still got a giggle out of the AS/400 being listed for us "old" guys

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
