Re: Good passwords and security priorities
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 04/26/05
- Previous message: Security Alert: "SSRT5954 rev.0 - HP-UX TCP/IP Remote Denial of Service (DoS)"
- In reply to: sinister: "Good passwords and security priorities"
- Next in thread: sinister: "Re: Good passwords and security priorities"
- Reply: sinister: "Re: Good passwords and security priorities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Apr 2005 17:22:14 -0500
In article <MQTae.6584$Fc.872@trnddc01>, sinister wrote:
>Isn't it true that a policy enforcing good passwords is critical, and a set
>of security policies that overlooks that is flawed?
Do you remember the "Deloder" worm from March 2003? This was a network
worm that looked for administrator accounts on windoze boxes with "weak"
passwords. The worm tried about 90 different passwords, such as
admin      1234567     pass       Internet      0
Admin      12345678    passwd     super         110
password   123456789   database   123asd        111111
Password   654321      abcd       ihavenopass   121212
1          54321       abc123     godblessyou   123123
12         111         oracle     enable        1234qwer
123        000000      sybase     xp            123abc
1234       00000000    123qwe     2002          007
12345      11111111    server     2003          alpha
123456     88888888    computer   2600          a
Before you start laughing at the stupidity of windoze users, you might
not want to know that these "passwords" will also open a lot of Unix
accounts as well. This is about half of the passwords the worm looked for.
Now, one might ask why such stupid passwords were used. The answer is
very simple. A lot of people don't want to try to remember a complex
word, because it's too hard. If you require a "good" password (not a
dictionary word in ANY language, not a name, mix of numbers, letters and
punctuation, minimum 8 characters long), your users will go out of their
way to avoid using such a password, OR will write the password on a
sticky note that they tape to their monitor (or if they're really
sneaky, tape it to the underside of the keyboard). Thus, you are between
a rock and a hard place. In the list above, why do you think you find
"123qwe"? Look at your keyboard. (If using a Belgian or French keyboard,
think "123aze" - same idea).
No matter how much effort you put into trying to teach your users how to
create a good password (word interleaving, first character of each word of
a phrase, etc), they will ALWAYS whine that it's too hard. Oh, and lest you
think this is totally ridiculous, the most common admin password I've heard
about (and it was one of the first looked for by the worm above) is the
Enter key - meaning no password at all.
Your security policy has to balance security with reality. I can make a
password that is unlikely to be guessed or brute forced, merely by piping
/dev/random through uuencode (or mimencode). Will _anyone_ be able to
remember it? Of course not. Likewise, I can use a password Nazi program
that rejects passwords that contain a word or two, a word spelled backwards,
all numbers, and so on - the result will be the same as using /dev/random.
The users won't be able to remember the password, and will write it down
on that sticky note.
A solution is user training which includes mechanisms for creating good
passwords (preferably with a number of examples that your password Nazi
program will reject as being "too well known").
Old guy