Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords May Be Weakest Link

Posted by CmdrTaco on from the no-shock-there dept.

blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"

6 of 495 comments (clear)

  1. Obvious by aridhol · · Score: 5, Interesting

    Did anybody think that passwords wouldn't be the weakest link in security? Remember that, in general, "easy-to-remember" and "secure" are mutually exclusive. And if we forgo "easy-to-remember" for "secure", we will have people writing their passwords on a piece of paper on their desk. There's security for you.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  2. Microsoft password files... by antirename · · Score: 5, Interesting

    Are especially vulnerable when bonehead admins let you remotely dump the registry. I've seen that one a couple of times. They don't let the users change the time or date on their machine, but the users can dump the registry on the servers. One company told me that "of course, we know that could be a problem, but the users are'nt going to know how to exploit it". One of the dumbest examples of security by obscurity that I've ever seen.

  3. Here's the problem with that: by AMuse · · Score: 5, Interesting

    My company is a service based company. We're a group of professional sysadmins who contract to large customers to take over network and SysAdmin duties. We are also responsible for security of our systems.

    The problem with password policy enforcement is that users want weak passwords. Ordinarily this is no problem, since security often trumps user needs.

    However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.

    It seems like we're caught between a rock and a hard place here, but since our customers are all senior civil servants, what're we to do? The more we enforce strong passwords, the closer they'll get to looking for someone who won't be so picky.

    1. Re:Here's the problem with that: by Waffle+Iron · · Score: 5, Interesting
      However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement.

      I wonder if holding something like a "password cracker demo meeting" would help. Set up a test machine, let everyone enter a password of their choice, then run crack or similar on the password file. Let people watch as the program guesses their passwords and spits them out. Maybe give a prize to the best/worst passwords. It might get people to understand the problem and help them become more interested in solving it.

    2. Re:Here's the problem with that: by Darth_Burrito · · Score: 4, Interesting

      My university had a some sort of automated cracking script running weekly. If it cracked your password you were sent an email telling you your password had been cracked by their script. You were then instructed to change your password within 3 days (or something) or else your account would automagically be disabled.

      This system seemed to work well because users could see an actual threat. Also, since everything was handled via script, there was no one tangible to blame other than the user with the bad password.

  4. Re:The problem with strong passwords... by SomeoneGotMyNick · · Score: 5, Interesting

    I use a dissected CueCat for password entry. It allows me to use any bar code found on snack food, coupons, product ID's, etc. as a random sequence of alphanumeric characters of significant length. All I need to do is remember where I kept, stored, tucked, stuck, shoved the item with the code on it, scan it, and I'm logged onto the company network.

    People may find a myriad of scannable codes on or near my desk at any given time. The trick is to know which one it is unless I carry it with me. Five attempts at a wrong password locks out the account. Due to the significant amount of digits, the IT department STILL has yet to crack my password using their cracking tools.

    We're required (forced) to change our passwords at regular intervals. Since I've been scanning things, I have not found that an inconvenience.