
Thread: Stealing password? What could be easier?

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Stealing password? What could be easier?

    Almost all internet and online banking users leave themselves open to fraudsters by using predictable passwords and ignoring elementary requirements of computer security.

    The research claims that 21% of people used their own or their partner's nicknames for their passwords, 15% used their birthdays or anniversaries and 15% used names of their pets. About 14% had a family member's name as their password, 7% relied on a memorable date, and 2% even unimaginatively used the word password. Just under a third of people admitted they had shared their password with their partner, while 16% had told a member of their family, and just half of those questioned were confident no-one else knew their log-in details.

    It is not surprising that malefactors don't even use their hacker skills attempting to break into someone else's computer network. Knowing details of private lives of their victims helps much more. The most reliable way to sort out a password is so-called "brute force" - simply figuring out the key among all possible words in the dictionary.

    Hugo Bottelier, vice president of Visa Europe, said, "Of course, it is important that our passwords are personal and meaningful to us, but also that they are difficult to decipher and not easily guessed."

    Survey Shop questioned 1,005 internet users by telephone during March.
    Source : http://www.crime-research.org/news/17.08.2004/567/
    -Simon "SDK"

  2. #2
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    once again, you can't beat the news post whore -- j/k -- anyway, this article seems to be a little broad -- i did a study like this of college students for a class i had last semester and 43% used family or partner's names, 17% used pet's names, 14% used dates, 10% used home towns and the rest used secure passwords...
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One. Use Hardened Gentoo
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Two or three years ago, a listing of 151000 passwords from a major hosting provider had been published by a hacking group. Results were simply horrible: If we except the classical "1234", "qwerty" and "abcdef", the couple of n°1 passwords was "sun" and "hello"!!!

    Time has passed, but results have remained the same. It's really an education issue.
    Life is boring. Play NetHack... --more--

  4. #4
    Senior Member DeadAddict's Avatar
    Join Date
    Jun 2003
    Posts
    2,583
    The only way to prevent users from using easy-to-guess passwords is to enforce some guidelines in the operating system or web site that the user will have to follow to create passwords, and it should also prompt them to change it every so often, plus prevent the user from using the same password twice. A better measure of the two is to use a one-time password: use it once, throw it away.

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Network admins password rank:

    1) master
    2) root
    3) admin
    4) cisco
    5) system
    6) product name

    so most sysadmins can be on "dumbass" list too...
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Then to interpolate the data from those two sources: The original article had 19% that 'could' have been using secure passwords and good security practices and in djscribble's data only 16% were secure. 3% difference is not a lot, so to say they were virtually the same is valid.

    Any way you look at it 85% of the users on the internet (give or take 5%) use very shitty passwords and ultra poor security practices.

    That's extremely good odds for the hacker/cracker/conman (person) to draw to. Now damn it all.....why am I honest.....oh yes, moral values.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Back when I was an NT admin I used to check our password strength every now and then.
    I usually found 80-90% of the passwords during the dictionary phase, in about 5 min.
    Unfortunately some of those found within 5 min. belonged to other admins.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Ouch. It's starting to get a little better though, you can now at least set group policy to demand a stronger password. Your story is similar to a lot of people's I am sure, including me.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  9. #9
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    what is nice is that in microsoft policy you can enable password complexity requirements, HOWEVER, i do wish that rather than just length you could also specify that a password must have 3 of the 4 following elements

    capital letters
    lowercase letters
    numbers
    symbols

    i also wish that windows would check the password to make sure that it isn't something stupid like Bunny45 since i know in programs like l0phtcrack there is the option where you can have some type of advanced dictionary attack where it mutates the dictionary slightly...
    [gloworange]find / -name "*your_base*" -exec chown us:us {} \;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM
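
The check wished for in the post above (at least 3 of the 4 character classes, plus rejecting simple dictionary mutations such as Bunny45), as an added example that is not part of the original thread or of any Windows feature. The wordlist is a constructed sample; the function names, the substitution table and the minimum length of 7 are assumptions.

```python
import re

# Constructed sample wordlist; a real deployment would load a full dictionary
# plus site-specific terms (account name, company name, product names).
WORDLIST = {"bunny", "password", "hello", "sun", "admin", "master"}

# Undo common character substitutions before the dictionary lookup.
DELEET = str.maketrans("0134578@$!", "oleastbasi")

CLASSES = {"upper": r"[A-Z]", "lower": r"[a-z]",
           "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}


def classes_present(password):
    """Return the names of the character classes found in the password."""
    return [name for name, rx in CLASSES.items() if re.search(rx, password)]


def dictionary_base(password, wordlist=WORDLIST):
    """Return the wordlist entry the password reduces to, or None."""
    lowered = password.lower()
    # Strip prefix/suffix digits and symbols (Bunny45 -> bunny).
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    candidates = [lowered, trimmed, trimmed.translate(DELEET),
                  lowered.translate(DELEET)]
    candidates += [c[::-1] for c in candidates]  # reversed words
    for cand in candidates:
        if cand in wordlist:
            return cand
    return None


def check_password(password, min_length=7, min_classes=3):
    """Return a list of policy failures; an empty list means accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    found = classes_present(password)
    if len(found) < min_classes:
        failures.append(f"only {len(found)} of 4 character classes")
    base = dictionary_base(password)
    if base is not None:
        failures.append(f"mutation of dictionary word '{base}'")
    return failures
```

Bunny45 satisfies the length and character-class rules here and is rejected only by the dictionary step, which is the gap the post describes.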

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmm...............I can see that people use passes that are easy to remember, but that is not necessarily bad IMHO.

    For example, if you have a dog called "Bouncer" then that would be an easily cracked pass using simple dictionary methods, but how about:

    ^BoUnCeR~123$%abc9*

    Not that much more difficult to remember, but a hell of a lot more difficult to crack?

    Just a thought, and as I have commented before, a lot of users are ignorant, rather than stupid..........do you run any sort of security awareness programme on your site?

