Re: Good passwords and security priorities

From: sinister (sinister_at_nospam.invalid)
Date: 04/28/05


Date: Wed, 27 Apr 2005 22:52:15 GMT


"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrnd6qrcd.nn9.ibuprofin@compton.phx.az.us...
> In article <MQTae.6584$Fc.872@trnddc01>, sinister wrote:
>
>>Isn't it true that a policy enforcing good passwords is critical, and a set
>>of security policies that overlooks that is flawed?
>
> Do you remember the "Deloder" worm from March 2003? This was a network
> worm that looked for administrator accounts on windoze boxes with "weak"
> passwords. The worm tried about 90 different passwords, such as
>
> admin 1234567 pass Internet 0
> Admin 12345678 passwd super 110
> password 123456789 database 123asd 111111
> Password 654321 abcd ihavenopass 121212
> 1 54321 abc123 godblessyou 123123
> 12 111 oracle enable 1234qwer
> 123 000000 sybase xp 123abc
> 1234 00000000 123qwe 2002 007
> 12345 11111111 server 2003 alpha
> 123456 88888888 computer 2600 a
>
> Before you start laughing at the stupidity of windoze users, you might
> not want to know that these "passwords" will also open a lot of Unix
> accounts as well. This is about half of the passwords the worm looked for.
>
> Now, one might ask why such stupid passwords were used. The answer is
> very simple. A lot of people don't want to try to remember a complex
> word, because it's too hard. If you require a "good" password (not a
> dictionary word in ANY language, not a name, mix of numbers, letters and
> punctuation, minimum 8 characters long), your users will go out of their
> way to avoid using such a password, OR will write the password on a
> sticky note that they tape to their monitor (or if they're really
> sneaky, tape it to the underside of the keyboard). Thus, you are between

At my workplace, there's very little risk of someone unauthorized coming by,
looking at the stickynote, and then later breaking in. By "little risk", I
mean as compared to getting broken into by someone God knows where in
cyberspace. The stickynote doesn't help the latter break in, as they're
coming from somewhere physically remote.

> a rock and a hard place. In the list above, why do you think you find
> "123qwe" ? Look at your keyboard. (If using a Belgian or French keyboard,
> think "123aze" - same idea).
>
> No matter how much effort you put into trying to teach your users how to
> create a good password (word interleaving, first character of each word of
> a phrase, etc), they will ALWAYS whine that it's too hard. Oh, and lest you
> think this is totally ridiculous, the most common admin password I've heard
> about (and it was one of the first looked for by the worm above) is the
> Enter key - meaning no password at all.
>
> Your security policy has to balance security with reality. I can make a
> password that is unlikely to be guessed or brute forced, merely by piping
> /dev/random through uuencode (or mimencode). Will _anyone_ be able to
> remember it? Of course not. Likewise, I can use a password Nazi program
> that rejects passwords that contain a word or two, a word spelled backwards,
> all numbers, and so on - the result will be the same as using /dev/random.
> The users won't be able to remember the password, and will write it down
> on that sticky note.
>
> A solution is user training which includes mechanisms for creating good
> passwords (preferably with a number of examples that your password Nazi
> program will reject as being "too well known").
>
> Old guy
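The "password Nazi program" Moe Trin describes, and the policy he sketches (minimum 8 characters, mix of letters, numbers and punctuation, no dictionary words forwards or backwards, no all-numeric strings, no keyboard walks like "123qwe"/"123aze"), can be written down as a small acceptance check. The Python below is an added illustration, not code from either poster. The Deloder guess list is the half of the worm's list quoted in the post above (plus the empty "Enter key" password); the seven-word DICTIONARY is a constructed stand-in for a real wordlist, and `from_phrase` implements the "first character of each word of a phrase" technique so you can see a password built that way pass the same checks that reject the worm's guesses.

```python
import string

MIN_LENGTH = 8

# The Deloder guesses quoted in the post (about half the worm's list), plus
# the empty string standing in for "the Enter key - no password at all".
DELODER_GUESSES = {
    "admin", "1234567", "pass", "Internet", "0",
    "Admin", "12345678", "passwd", "super", "110",
    "password", "123456789", "database", "123asd", "111111",
    "Password", "654321", "abcd", "ihavenopass", "121212",
    "1", "54321", "abc123", "godblessyou", "123123",
    "12", "111", "oracle", "enable", "1234qwer",
    "123", "000000", "sybase", "xp", "123abc",
    "1234", "00000000", "123qwe", "2002", "007",
    "12345", "11111111", "server", "2003", "alpha",
    "123456", "88888888", "computer", "2600", "a",
    "",
}

# Constructed toy dictionary (assumption); a real checker would load a wordlist.
DICTIONARY = {"secret", "dragon", "letmein", "monkey", "welcome", "summer", "password"}

# Keyboard rows used to spot sequences such as "123qwe" (QWERTY) or "123aze" (AZERTY).
KEYBOARD_ROWS = [
    "1234567890",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",      # US QWERTY
    "azertyuiop", "qsdfghjklm", "wxcvbn",      # Belgian / French AZERTY
]


def _dictionary_hit(lowered):
    """Return (word, reversed?) for the first dictionary word found in the password, else None."""
    for word in sorted(DICTIONARY):          # sorted for deterministic results
        if word in lowered:
            return word, False
        if word[::-1] in lowered:
            return word, True
    return None


def _keyboard_run(lowered, min_run=3):
    """Return a run of min_run adjacent keyboard keys (either direction) found in the password, else None."""
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for start in range(len(direction) - min_run + 1):
                chunk = direction[start:start + min_run]
                if chunk in lowered:
                    return chunk
    return None


def check_password(pw):
    """Return a list of rejection reasons; an empty list means the password is accepted."""
    reasons = []
    lowered = pw.lower()
    if pw in DELODER_GUESSES:
        reasons.append("matches a password the Deloder worm guessed"
                       + (" (empty password)" if pw == "" else ""))
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw and pw.isdigit():
        reasons.append("all digits")
    hit = _dictionary_hit(lowered)
    if hit:
        word, backwards = hit
        reasons.append(f"contains dictionary word {word!r}"
                       + (" spelled backwards" if backwards else ""))
    run = _keyboard_run(lowered)
    if run:
        reasons.append(f"contains keyboard sequence {run!r}")
    present = {
        "letters": any(c.isalpha() for c in pw),
        "digits": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    return reasons


def from_phrase(phrase):
    """The post's 'first character of each word' technique; punctuation inside words is kept."""
    out = []
    for token in phrase.split():
        out.append(token[0])
        out.extend(c for c in token[1:] if not c.isalnum())
    return "".join(out)


if __name__ == "__main__":
    for candidate in ["", "123qwe", "godblessyou", "terces99!", "987654321",
                      from_phrase("The quick brown fox jumps 0ver 2 lazy dogs!")]:
        verdict = check_password(candidate)
        print(f"{candidate!r:>16}: {'OK' if not verdict else '; '.join(verdict)}")
```

Running it shows every worm guess rejected for at least one reason (and usually several), "terces99!" caught as "secret" spelled backwards, and the phrase-derived "Tqbfj02ld!" accepted. The point the post makes still stands: the checker only tells you a password is weak; the training that produces the passphrase habit is what keeps the result off the sticky note.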
