Passwords that should NEVER be used!

A friend sent me this link today...it's a bit old but I couldn't find it so oh well;)

Passwords that should NEVER be used!

Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses.

Trojan, virus, and worm authors have had great success attacking systems with weak and/or default passwords. Take IRC/Flood Trojan for example. McAfee’s virus profile states that IRC/Flood has over 120 variants and has infected over 60,000 machines in the last 30 days. IRC/Flood succeeds by checking for 22 different different easy to guess admin passwords (variants vary). Unfortunately, there are a lot more where IRC/Flood came from, W32/Tzet.worm, W32/Random.worm, and W32.HLLW.Gaobot.gen are in the wild just to name three.

Hackers also have no problem compromising systems with weak passwords. Programs like L0pthCrack for example make the process simple and efficient. Creating a password-cracking dictionary is not even a challenge. Type the words "Creating Password Cracking Dictionaries", without the quotes, in to your favorite search engine. A comprehensive dictionary can be downloaded or created from scratch in short order.

Below is a list of commonly used weak passwords that should NEVER be used. If any of these passwords look hauntingly familiar and are being used, you need to change the password immediately.

Source:http://www.pclinuxonline.com/article.php?sid=8823

Hey Hey,

I'd like to know who came up with some of those passwards, especially the ones that are like 20+ characters with special characters... or the ones with large numbers of special characters but that still contain alphanumerics. Some of those passwords are great and I'd love to see my users using them.

Sure there are definately a lot there that people shouldn't be using, but others on that list shouldn't be there... makes me question the minds of the people behind it.

Examples:
AURORA$ORB$UNAUTHENTICATED
AURORA@ORB@UNAUTHENTICATED
I5rDv2b2JjA8Mm
%username%1234 (unless they mean that as a variable as in HTRegz1234)
240653C9467E45
1RRWTTOOI

I think most people around here would be impressed if their users used passwords like that.


Peace,
HT

Hrmm.... so the more common passwords -- blank, password, username, realname, DOB -- are ok???

Personally I prefer ones like Th3M3@ng0fl1f42!!!

Actually I was wondering the same thing...some of them seemed pretty darned good for normal users to come up with..and did have atleast a few permuations and combinations that're generally adviced...

From the comments of the article

Quote:

---

OK, I give up, how come A52896nG93096a is an easy to guess password?

---

I am with you there MSM


I thought this was a good point

noname

Quote:

---

What this article does not mention is password policies that unintentionally encourage week passwords. A company that I once worked for forced user to change their passwords every 30 days with password ecpiring warnings within 15 days of expiry. Also, passwords could only be changed once in a 24 hour period and one could not reuse a password that had been used in the last 5 changes.

The result was that most users created very simple passwords that included a number representing the month of the year combined with a minumum number of other characters that satified the other character requirements for passwords (upper and lower case letters). This was common so the users could remember their frequently changing password.

I believe the end result was a computer network that was far less secure as a result of the policy.

Of course the policy was never changed because it was create for the sake of having a policy, whether it made the system more secure was less important.

---

MLF

At my college for our networking classes we all use "password" it makes things easier when dealing with a class test environment but, in real life if you used that you deserve to be shot.

Could have reduced the list alot just by saying passwords MUST contain at least.....

1 alpha and 1 numeric character
1 Special character
1 Uppercase character
be at least 7 characters long.

and then presented a list of commonly used passwords that adhere to policies like the one above. For example:

P@55w0rd
P@$$w0rd!
Password01!

Even better is that the password must not contain a dictionary word (eg Password in the case of Password01!) or have the username or users firstname or surname - although this is much harder to enforce particularly in the Windows environment.

I put together a tutorial for creating good passwords which is here:
http://www.antionline.com/showthread...hreadid=271347

MLF - I agree that you have to try and avoid unintentionally getting users to create weak passwords but some organisations have requirement for their passwords specified by other organisations. We for example have a guideline (from the Australian Government Computer Security Organisation) that a passwords SHOULD meet (note it is not a MUST but you must show cause why your passwords don't meet the standard if they don't). These standards are similar to the one I mentioned above.
I think changing passwords every 30 days is excessive if you have the policies in place to ensure the user creates strong passwords (such as the one I mentioned above).
The requirement specified in the Govt policy here is 90 days.

Quote:

---

Originally posted here by morganlefay
From the comments of the article

Quote:

---

OK, I give up, how come A52896nG93096a is an easy to guess password?

---

---

I quote from the comments in response to your question from above:

To qoute from this [archives.neohapsis.com] quote I googled. IBM 8237/8225(/others ?) have backdoor login/pass embedded in the firmware. IBM corrected this problem (or hided it better) on newer versions of the firmware. This problem was reported to bugtraq about two years ago, so I expect they cleaned up the act since then. Would be nice to see what other networking products from IBM were affected. Login: I5rDv2b2JjA8Mm
Pass: A52896nG93096a

A /lot/ of those passwords are default passwords from years ago for a myriad of products.

Yep, was thinking that as I read the list. A lot of the passwords that look pretty strong are indeed default passwords from a lot of hardware and app's and threfore pretty weak. T

hey may not show up in a dictonary attack but any software designed for cracking passwords that is worth its salt, should include default password in it's .txt.

AURORA@ORB@UNAUTHENTICATED = Oracle RDBMS 7 and 8 (Login)
AMI~ = AMI BIOS funny enough!
etc etc ....

JOOI, I recognized this one first dn_04rjc anyone know it?? (without the aid of goooogle!)


//JOOI = Just out of interest, Have I just made this one up?? :confused:

Quote:

---

Originally posted here by Nokia

JOOI, I recognized this one first dn_04rjc anyone know it?? (without the aid of goooogle!)


//JOOI = Just out of interest, Have I just made this one up?? :confused:

---

heh I didn't go through the list too much, but I do indeed know that one. It is an old BIOS password... I /think/ it was Micronics but it could be Phoenix. It has been a few years and I'm feeling a bit rusty.


Yeah I think you just made JOOI up :D

This is all just complete BS.

Quote:

---

Trojan, virus, and worm authors have had great success attacking systems with weak and/or default passwords. Take IRC/Flood Trojan for example. McAfee’s virus profile states that IRC/Flood has over 120 variants and has infected over 60,000 machines in the last 30 days. IRC/Flood succeeds by checking for 22 different different easy to guess admin passwords (variants vary). Unfortunately, there are a lot more where IRC/Flood came from, W32/Tzet.worm, W32/Random.worm, and W32.HLLW.Gaobot.gen are in the wild just to name three.

---

The real question is why do these systems allow remote administrative passwords? If they must, why is no PKI used? These systems had minimal security, weak passwords is almost a trivial concern.

Quote:

---

Hackers also have no problem compromising systems with weak passwords. Programs like L0pthCrack for example make the process simple and efficient. Creating a password-cracking dictionary is not even a challenge. Type the words "Creating Password Cracking Dictionaries", without the quotes, in to your favorite search engine. A comprehensive dictionary can be downloaded or created from scratch in short order.

---

L0pht requires access to a SAM file... not sure how your systems are configured, but mine requires SYSTEM a SID token to access either SAM file. And dictionary attacks? Did someone roll back the clock to 1992? Why not write a "Hacking with Telnet" tutorial next. Users should never be able to attempt more than a couple of passwords before being locked out.

Failure to apply such basic common sense like limiting attempts and restricting what/how users can login is a far more serious problem then weak passwords.

Would you crack this account in three guesses?
user: john.smith
pass: JOHNSMITH

I'd have bet a months pay on no. Passwords like johnsmiTh are even less likely to be guessed, yet still very easy for users to remember. This allows them to change their passwords frequently (which is more important due to accidental dissemination at cybercafes, other external systems, etc) while maintaining a low recovery requirement.

Seriously though... think about it, if someone that knows you very well stole your ATM card. could they guess your four digit pin? What makes you think they could guess an eight character password?

You have better things to worry about.

cheers,

catch

PS. It is however important that default passwords be changed.

Quote:

---

Originally posted here by catch
This is all just complete BS.


PS. It is however important that default passwords be changed.

---

Yup Pure Bull ****!!!!!!!

It's not about passwords folks, when it comes to network security. (Pay Attention) My Boss - The director of IT, has no more rights than any other average user. His password could be blank. WHO THE **** CARES. With his logon and permissions, two words. ACCESS DENIED

Now I have administrative accounts that do not have INHERITED permissions across the domain(s) I may have GOD rights on one subnet, even two or three but that admin account cannot access mission critical applications. And the account that can access those apps, does not have domain rights. WTF? This is basic security. IF your users can have a username and blank password and that is a security risk. BURGER KING is hiring - Get another JOB!

As Administrators, we control the level of access. We know that the average user only wants to do their job, i.e., spread sheets reports, customer service etc. If the average user can download the SAM and run L0pht against it.......

Strong passwords for average users are a risk in itself. AUP's and user manuals / directions on how to formulate a password is nothing more than a road map to how the Administrator creates their passwords.

Let the users do what they want. Protect the data by preventing access from unauthorized nodes, or (for those still needing help) computer/electronic networked devices not allowed on the network.

/end rant

I just wanna add... my favorite bullshit password


NIMDA (as in reverse of ADMIN)

IMHO Defence-in-depth is the key, implementing a number of controls (eg # failed logins etc) including strong passwords should make up your network/data security strategy.

Whilst you shouldn't 'hang your hat' on password strength as you primary form of network security I think it is also wrong to suggest that it doesn't matter, again for me the key is Defense-In-Depth the more layers of control you have in place the better.

In most standard Windows environments (aside from 2-factor and smart card) if I know your username and password, as far as the system is concerned I am you, and I have all the access that you have (including to any sensitive data) regardless of the privileges that I personally have been assigned.

Any control that makes that Username and password combination more difficult to guess (disclaimer: Without making them TOO difficult to remember that users have to write them down) , and minimising the risk of identity theft and inappropriate use of someone elses access is a good thing

No offense intended, but you need to also look at the fact that a LOT of people who might come here are simple home users. They have no concept of password security (at least most of them ), and therefore could learn a lot from the site referenced.

While I think a lot of the passwords listed in that site are very good for the average user, I noted some indicated that a lot of them are defaults for old programs/bios, etc...

Ok, I can accept that, but how many people really know that from so long ago? Yes, I did recognise a few defaults, but I really think that quite a number of them are pretty good for home users.

Most of them can be changed - even slightly - to provide good CompSec and still be difficult to break.

As long as you are using a combination of alpha/numeric/special characters you are practicing good computer security and making it more difficult for someone to hack into your system. Anyone think I'm wrong?

I would like to remind people of the original purpose of the userID/password. I am going back to the days of IBM 5250 dumb terminals and NO remote access. Or if there was it would be via a 9600Baud direct landline.

The purpose was authority, identity and audit trail. Users were limited to the number of logon attempts and in some cases to using a particular terminal or set of terminals (generally by department).

This was protection against the "enemy within" and intended to prevent fraud and malicious activity. This is still the case today, and blank passwords are generally unacceptable .

Their complexity should be sufficient to stop them being easily guessed, or the user runs the risk of being impersonated. That is what they should be made well aware of?

:)

off topic

Quote:

---

[B]I would like to remind people of the original purpose of the userID/password. I am going back to the days of IBM 5250 dumb terminals and NO remote access. Or if there was it would be via a 9600Baud direct landline.

---

5250? /3 systems? AS/400? Man, you are too old :)

Quote:

---

5250? /3 systems? AS/400? Man, you are too old

---

:)

very true....................S/34, S/38 and AS/400.............but the same was true of most mainframe environments in those days.

The idea was to provide internal security and enforce division of responsibility, which goes back way before computers :D

that is the worst reference I have ever seen. Besides the fact that they have a lot of common english words on there (you shouldn't use ANY simple word by itself, regardless if its on that list or not!), they are missing some of the WORST ones to use, eg:
qwerty
abc123
blue32

These are more important because users think they are being smart using random letters, or letter/number combos.

Anywho, thought those should have been on the list, among others as well. All the basic words on that list should be removed, and replaced by an english dictionary file :rolleyes:

Quote:

---

Originally posted here by nihil

S/34, S/38 and AS/400

---

heh, we /still/ have AS/400 and are one of a handful of companies that run their website off of one O_O

That is changing, but I still got a giggle out of the AS/400 being listed for us "old" guys :D

cross I don't know about you, but I get the impression that the guy just took some pass cracking file and copied what was in there?

There are certainly quite a few "defaults" from way back.

I don't think that lists such as that are very useful, other than that you would use them to check for known default passwords that migh be included in a cracking dictionary. Otherwise you would base it on a common language dictionary (English may not be appropriate :) )

I would say that the solution should lie in establishing an appropriate policy in the first instance, and checking that all passwords meet this policy before they are accepted.

:)

Quote:

---

I would say that the solution should lie in establishing an appropriate policy in the first instance, and checking that all passwords meet this policy before they are accepted.

---

http://www.antionline.com/showthread...&postid=868869

Singing a different tune from the start of that thread I see. ;)

cheers,

catch

Quote:

---

Originally posted here by cross
that is the worst reference I have ever seen. Besides the fact that they have a lot of common english words on there (you shouldn't use ANY simple word by itself, regardless if its on that list or not!), they are missing some of the WORST ones to use, eg:
qwerty
abc123
blue32

---

Hey, whats wrong with qwerty? And how do you know my AO password! :mad: