Slashdot Mirror


Passwords May Be Weakest Link

blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"

3 of 495 comments

  1. As a Security Admin all I can say is..... by oobeleck · Score: 5, Informative
    Duh!

    People at work hate me for enforcing hard passwords. (And other assorted security measures)

    Basically I am a BOFH so I don't care.

    Unfortunately the common joe/jill user has no clue when it comes to computer security.

    You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)

    A good way to help *push* them towards secure passwords is to crack your own systems passwords.

    You can use John the Ripper for Unix passwords OR l0pht crack for Windows systems.

    Nothing disturbs an end user more than when you email them their old password (you have changed it to something hideous now...) and warn them that you can read their email.

    If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.

    If you use Unix try npasswd to enforce difficult passwords.

    The most important factor is to get Management buy-in. Try cracking some VP's passwords during a "standard audit".
    Help them come up with a creative password. (First letters of a phrase work well. Throw in some numbers/metachars..)

    Once I had Management buy-in it was smooth sailing. Just hold their hand for a while.

  2. one password for life by tapiwa · Score: 5, Informative

    OK, one password for life might be a bit extreme, but if a user is on to a good thing, do not get them to change.

    I have never understood why people think that passwords suffer from wear and tear. I have never seen evidence to convince me that the longer one uses a password, the more vulnerable it becomes.

    I remember in university, one of my courses had a module in something about maintenance/replacement of machinery, from a managerial perspective. One thing I recall is that with a lot of mechanical equipment, the older it got, the shorter the mean time between failure.

    Digital equipment was almost the opposite. New equipment had a high chance of failure. If it survived the first couple of weeks, then it became almost impossible to predict failure rates. It was entirely random. Hence replacing aging mechanical equipment made absolutely no sense, whereas replacing digital equipment actually introduced a danger of failure... OK, I have oversimplified things a bit, but you get the point, right?

    Well, passwords are like that. If you force users to change their passwords, and they change it from John to Luke to Mark to Peter, you have not really done much.

    If you get really funky, and force them to change from adf0708 to 1433lkh to kh432lk to 23HGLY9, then you are beginning to get somewhere. The problem with these is that users then tend to write them down, because just as soon as they remember them off by heart, they are forced to change them. As long as a password is written down somewhere, it is not secure!

    A more thorough plan is to get users to choose one password, and set rules on numerics, caps, etc. (or better yet, issue passwords). At the same time, run a basic brute-force dictionary cracker on the password file(s) and force *all* users with simple passwords to change them. Keep forcing them until they choose something sufficiently hard (or issue them with one that they can't change for the first 3 months or something).

    Once users have a robust password, allow them to use it indefinitely!

    --

    Live today. Tomorrow will cost a lot more!

    1. Re:one password for life by edp · Score: 4, Informative

      "I have never understood why people think that passwords suffer from wear and tear."

      Using a password does indeed weaken it. Every now and then, a user will accidentally type a password into a user name field, and that results in a log entry with the incorrect password in plaintext. Every now and then, some users will give their passwords to a coworker or relative to "borrow" their account. Some users will use the same password on multiple systems. When a cracker gets into a system, they are likely to record the password file and attack it, or to collect passwords via spoofing or whatnot.

      So, the longer a password has been in use, the higher the probability it has been compromised. The password suffers from wear and tear. Changing passwords refreshes them. A cracker that formerly had access to the system would have to start from scratch (especially if all passwords are changed simultaneously). Also, that cuts the coworker off from access to other employees' accounts. They might not have done anything with that access now, but, someday, maybe they'll be fired and would like to take some sort of revenge. Since you cut them off by a policy of regularly changing passwords, they can't do it that way.