Slashdot Mirror


Passwords That Should Never Be Used

The Original Yama writes "Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses. PCLinuxOnline provides an alphanumerical list of commonly used weak passwords that should never be used. If any of these passwords look hauntingly familiar and are being used, you should change the password immediately."

12 of 239 comments

  1. Hmm, not really trolling... by smoondog · Score: 4, Informative

    OK, every once in a while we get an article similar to this. The links change but the article is the same. Passwords are inherently insecure to some sort of guessing attack, is the statement.

    I'm going to suggest something here that is perhaps a little controversial. Perhaps, if password zealots spent less time complaining about passwords and spent more time protecting machines from this sort of attack (w/o making an easy path to a DOS attack) this wouldn't be an issue. Imagine this: Passwords are never transferred as plain text. Any systematic attempt at guessing a password is prevented before the attacker gains access. Users make mistakes a few times, even for the most simple passwords, one must sample tens of passwords to break in. Systematic attempts are predictable, just like trolls on slashdot are (generally) identifiable (remember those page lengthening posts?) and spam is filterable.

    In my not so humble opinion, password guessing attacks are an administrator problem, not a user problem. And the administrators seem more interested in pestering users than actually developing systems to prevent this type of attack.

    -Sean

  2. Some pretty complex ones are there too... by Artega VH · Score: 3, Informative

    As a comment at the bottom says:
    A52896nG93096a

    but also:
    dn_04rjc
    ksdjfg934t
    sldkj754

    ----
    I was going to ask how this list was compiled, but since I got really interested I happened to google these and found the following: This seems to indicate that ksdjfg934t is a default password for a SuperMicro PC BIOS Console.

    And from the same site: Micronics has a PC-BIOS which uses dn_04rjc as the default password as does Micron for the password sldkj754.

    I want to know how often these passwords are used for services that are open to the internet, or even to the local network. I would imagine that these bios passwords are only able to be entered locally? If so why does that merit a place on this "Passwords that should NEVER be used!" list... apart from the fact that now this list will be used in lame dictionary attacks....

    --
    groklaw, wired and slashdot. The holy trinity of work based time wasting.
  3. John the Ripper by Dammital · Score: 4, Informative
    Last July I installed John the Ripper on my home firewall. John is a password cracker, something like crack and l0phtcrack. I wanted to see how vulnerable my own passwords were.

    From what I can tell, John runs a dictionary-based attack against your master.passwd file, then runs the dictionary with various shifts in capitalization, then runs the dictionary again with an assortment of numeric digits inserted into its guesses.

    Finally John just runs a brute-force attack, generating passwords with successively longer and longer lengths until it lucks out.

    In my case John finally did luck out, finding one of my passwords after 18 days of crunching numbers. This particular account had a relatively weak password -- though no dictionary attack would have found it, it was still only five bytes long. That's a wakeup call for me. I've been using shorter passwords for years, thinking that by avoiding common words I was safe. But I can see that they're breakable now.

    It's one thing for someone to preach that you should really have longer passwords; it's quite another to see it for yourself. If your passwords are easy to guess, or are variants of dictionary words, or can be generated easily by brute force -- there are widely available tools that can give the keys to the city to any lowlife that wants into your machine.

    Run one of the password crackers on your own system today, and become enlightened! And don't be comforted by the 18 days it took to crack my easy five-character password on a 300MHz Celeron notebook: there's also a distributed version of John the Ripper that divides up the work of cracking your password file among many computers.

    The more I learn about security, and the tighter I make my systems, the more afraid I am. If you aren't afraid, you are either very very good at what you do -- and I humbly bow before you -- or you haven't much of a clue.

  4. Re:Universal Passwords by CanSpice · Score: 2, Informative

    Limiting passwords to 6 characters or longer doesn't significantly reduce your keyspace. If you only allow lowercase letters, there are 12356630 possible combinations that are 5 characters and shorter, and there are 321272406 that are 6 characters and shorter. Thus if you don't allow anything shorter than 6 characters you've reduced your keyspace by roughly 3 percent.

    If you allow upper and lowercase characters, there are 387659012 combinations that are 5 characters and shorter, and 20158268676 that are 6 characters and shorter. If you limit your passwords to being exactly 6 characters long then you've reduced your keyspace by 1.9 percent.

    Those percentages only go up if you allow passwords that are longer than 6 characters, and if you allow characters other than letters in your passwords.

    Sure, you're reducing your keyspace but it's not nearly as catastrophic as you make it sound.
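The keyspace arithmetic in the comment above, written out as an added example (not the commenter's code) so the effect of a minimum-length rule can be recomputed for any alphabet size and length, including alphabets with digits and punctuation that the comment only mentions in passing.

```python
def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def reduction_percent(alphabet_size: int, max_len: int, min_len: int) -> float:
    """Share of the full 1..max_len keyspace that a minimum-length rule discards.

    The discarded part is every password shorter than min_len; because each
    extra character multiplies the count by the alphabet size, that part is
    always a small fraction of the longest-length bucket.
    """
    full = keyspace(alphabet_size, max_len)
    kept = keyspace(alphabet_size, max_len, min_len)
    return 100.0 * (full - kept) / full


if __name__ == "__main__":
    # 26 = lowercase only, 52 = mixed case, 62 = plus digits, 95 = printable ASCII
    for alphabet in (26, 52, 62, 95):
        for max_len in (6, 8, 10):
            print(f"alphabet={alphabet:2d} max_len={max_len:2d} "
                  f"min_len={max_len}: discards "
                  f"{reduction_percent(alphabet, max_len, max_len):.2f}% of the keyspace")
```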

  5. Re:missed one... by Prior Restraint · Score: 5, Informative

    I'm sure a thousand people will reply, but here: THX 1138.

  6. Re:huh? by jfdawes · Score: 4, Informative
  7. Re:huh? by m.koch · Score: 5, Informative
    Q54arwms is a commonly used password? Is this some part of the collective unconscious I'm unaware of? Half the things in the list seem like they came out of a random generator, yet they are common?

    As google told me, these are default passwords from this list which is in fact much more useful.
  8. When I was working in IT by einTier · Score: 3, Informative
    When I was working in IT, I often said, "give me the names of a given person's children, their pets, their significant others, the kind of car they drive, their job title, and any hobbies, and I'll guess 95% of all passwords."

    It's scary how many people think the name of their child makes a great password.

    --
    -------------------------------------------------- $665.95 -- retail price of the beast.
  9. US Army does this by Amata · Score: 2, Informative

    The US Army (and the rest of the military) is in fact going to this type of approach. Every soldier, for an ID card, is issued a card with a smart chip. This card, among other uses, is inserted into a smart card reader that is hooked up to every Army AIS (around here at least) to log on. The old user/pass method may also be used to log on, but I'm not sure how long that will last.

    Brief overview may be found here: army.carlisle.mil

  10. Re:huh? by jrumney · Score: 2, Informative

    SAP R/3 was released. They use those as default passwords for their software.

  11. Re:Yeouch... [ot] by JediTrainer · Score: 3, Informative

    Well, if you're using Java, you'd use a PreparedStatement.

    But if you're smart, you'd know that storing a password in plaintext is insecure (in case your database is compromised). You should be using encryption. Something like MD5 or SHA would do the trick.

    If you take the input string, then MD5sum it and store/compare THAT in the database, you should be fine.

    Of course, you should still check all of your other input for any other queries you do, but I'll save that as an exercise for the reader.

    /me is wondering how many people read the parent and instantly went into a panic :)

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
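An added example (Python rather than the commenter's Java, and not code from the page) of the two points in the comment above: a parameterised query, the equivalent of a PreparedStatement, and storing a digest instead of the password. The digest here is salted and iterated with PBKDF2 instead of a bare MD5/SHA sum, because an unsalted fast hash falls quickly to the same crackers discussed elsewhere in this thread; the in-memory SQLite table and user names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user random salt defeats precomputed tables; the iteration count
    # makes every guess cost the attacker as much as it costs the server.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterised query: the user-supplied name is bound as data, never
    # spliced into the SQL text, so quotes in it cannot alter the statement.
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)
```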
  12. 'Leet speak and letter/number substitution by dspyder · Score: 3, Informative
    I had always recommended and sometimes used passwords written 'leet speak style, with numbers instead of letters.

    I then found out somebody wrote a password cracker that uses those rules... out went that idea!

    I have always suggested the following:
    • non-dictionary words
    • non-related to you words (kids, pets, town, etc.)
    • Combination of numbers, in the middle of a word or 2
    I once worked with a sysadmin who used song titles... I thought he was really clever until I learnt 2atgilb4 was "To All the Girls I Loved Before"... kinda clever... a bitch to type.

    Our current sa password to most of our databases is !myday (not my day).

    --D
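An added example (not code from the page or from John the Ripper) that turns the rule passes described in comments 3 and 12 into a defender-side password check: it undoes 'leet substitutions, strips inserted digits, and compares the result against a word list, and it also rejects the default passwords named in comments 2 and 7. The denylist and word list are small constructed samples; a real deployment would load full lists.

```python
import re
from typing import Iterator, Optional

# Constructed sample lists: defaults named in this thread plus a few words.
DENYLIST = {"ksdjfg934t", "dn_04rjc", "sldkj754", "q54arwms", "thx1138"}
WORDS = {"password", "secret", "summer", "dragon", "girls", "before"}

# Letter/number substitutions that a 'leet-aware cracker simply undoes.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password: str) -> Iterator[str]:
    """Normalisations mirroring the cracker passes comment 3 describes."""
    p = password.lower()
    yield p
    yield p.translate(LEET)                          # undo 'leet substitutions
    yield re.sub(r"\d+", "", p)                      # drop inserted digits
    yield re.sub(r"\d+", "", p.translate(LEET))      # both at once
    yield re.sub(r"[^a-z]", "", p.translate(LEET))   # drop all punctuation too


def why_weak(password: str) -> Optional[str]:
    """Return the reason a password is weak, or None if no rule fires."""
    if password.lower() in DENYLIST:
        return "on the known-default/weak list"
    if len(password) < 8:
        return "shorter than 8 characters"
    for form in candidates(password):
        if form in WORDS:
            return f"dictionary word after normalisation ({form!r})"
    return None


if __name__ == "__main__":
    for pw in ("ksdjfg934t", "!myday", "p4ssw0rd", "Summer2003", "2atgilb4"):
        print(f"{pw!r}: {why_weak(pw) or 'no rule fired'}")
```

A password such as 2atgilb4 passes every rule here, which is exactly the point of the song-title scheme: it is not a word under any of the normalisations, so only brute force remains.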