Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords That Should Never Be Used

Posted by timothy on from the not-even-worth-trading-for-chocolate dept.

The Original Yama writes "Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses. PCLinuxOnline provides an alphanumerical list of list of commonly used weak passwords that should never be used. If any of these passwords look hauntingly familiar and are being used, you should change the password immediately."

12 of 239 comments (clear)

  1. strong passwords = broken by design by eraserewind · · Score: 4, Insightful

    Your users shouldn't require anything more than a 4 digit pin & a magnetic card. If it's enough to protect their money, it's surely enough to protect some stupid data.

    Any lame brained security system that depends on people choosing difficult to remember passwords and changing them every 3-6 months is broken by design.

    1. Re:strong passwords = broken by design by John+Hasler · · Score: 2, Insightful

      > Your users shouldn't require anything more than a
      > 4 digit pin & a magnetic card. If it's enough to
      > protect their money...

      But it isn't.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. Universal Passwords by Schezar · · Score: 3, Insightful

    The uni I work for (RIT) is working to migrate their entire campus to a Microsoft Active Directory environment. Part of the reason for this is to give users a universal username/password for any and all university services.

    Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat (aside from the office biddies who write them on post-it notes on their CRTs), but the situation is far from secure.

    Students use their webmail (Exchange... I won't even get into that one...) and register for classes (telnet), and generally aren't careful with their passwords. I couldn't tell you how many times I've sat down at a public terminal to find someone else's account all set up for me to exploit. And since the password is universal, I can do anything I want.

    Myself, I use a different password for everything I connect to, and thus don't have to worry about being wholly compromised in an instant. Then again, I'm a geek, so I'm not exactly the norm.

    Does anyone else see this push toward universal logins/passwords as a problem?

    --
    GeekNights!
    Late Night Radio for Geeks!
    1. Re:Universal Passwords by jfdawes · · Score: 3, Insightful
      Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat


      Er, no? Most "password etiquette" schemes are a complete crock. Generally all they do is reduce the key space and therefore make the passwords easier to brute force attack.

      You must have a password of at least 6 characters? Well, there goes everything 5 characters and less - don't have to check those.

      Hmm, and while we're at it, most people are going to have a password between 6 and 9 characters, don't bother trying anything else until the second pass.

      You have to have at least one non-alpha, well - I can reduce my attack to constrain my guesses around that requirement - just reduced the number of attempts necessary by 24%.

      Any other rules you want to add to make attacking the password easier?
    2. Re:Universal Passwords by jfdawes · · Score: 3, Insightful

      Yup. The length being constrained to greater than some number (typically 6 or 8) characters is about the only password constraint that makes sense some kind of sense, but still - any reduction in keyspace means less work.

      Assuming we take the example of the guy who had the 5 byte password that takes 18 days to crack, 1.9% still saves you 8 hours. Not an unuseful amount of time.

      It's the daft "must include an non-alpha" and "must start with an alpha (or worse, a capital)" and other brain dead, crack smoking, glue sniffing password "rules" that are the real killers

    3. Re:Universal Passwords by Eivind · · Score: 2, Insightful
      But 5 byte-and-under passwords aren't 1.9% of (say) a 8-byte password keyspace. If users use a small set of characters (64) then it's 0.00038 % of the keyspace. If they use a better (i.e. larger) set of characters, then it's even less.

      I agree that rules that restrict the keyspace *more* than they force users to increase entropy are pointless or even harmful. "Must start with a capital" is obviously in this category. "Must include some sign that is not a letter" is probably not, because, again, the rule excludes maybe 0.0005% of all passwords, but forces 10-30% of users, the ones which otherwise would choose "all alphas" to select a better password.

  3. Re:Some pretty complex ones are there too... by gl4ss · · Score: 2, Insightful

    it's just a stupid list to made up to get some 'content' into a contentless article, f'kin waste of time really(the whole article). they could have just linked to some dictionary file used in these attacks and saved the hassle since they can't possible cover the passwords one shouldn't use and since they decided to go for the default/master bios passwords and shit like that the whole point is lost.

    --
    world was created 5 seconds before this post as it is.
  4. PHBs seriously love "password" by Wylfing · · Score: 2, Insightful
    I can't count how many technologically ignorant managers I've met who, giggling and leaning in close, explain that they've thought up the cleverest password ever. It's "password"! It's so obvious no one will think of it!

    --
    Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.
  5. It's useless by toshka · · Score: 2, Insightful

    If you see some guy/gal trying to guess a password you're watching a movie. If someone has your passwd file you've already screwed up. At least that's what my experience as an ISP tech support, a network admin and a web programmer has taught me... In the real world we have security holes and yellow stickers with passwords on the monitors(no, I'm not talking about my workplace:)...

  6. Re:Top 10 Passwords Not to be Used by Anonymous Coward · · Score: 1, Insightful

    > I'm surprised "gandalf" is not there. Everyone knows that it's the password of every other root account in the world.

    Nah, at least make it Mithrandir or Olorin.

  7. Re:Password rules at IBM Watson Research by Anonymous Coward · · Score: 1, Insightful
    College I used to go to has an insane set of requirements
    similar to that. When trying to change a password,
    one can expect to spend an hour just trying to figure
    out a legal password. The only thing that saved
    me when changing passwords was the system never
    checked to see if you are using a different password. :)


    Yes, its wrong, but then again, a system where its
    almost impossible to create a new password is wrong too.

  8. Re:Remember Demolition Man by plover · · Score: 3, Insightful
    There are several important distinctions to be made between something you "have" vs something you "are".

    Here are some points to ponder regarding something you "are":

    • Your biometric data must be digitized before a computer system can make use of it.
    • Your biometric data is not secret.
    • Your biometric data is unchangeable.
    • Your biometric data cannot respond uniquely to every request made of it.
    • It may be difficult or impossible for the user to validate that they are being "read" by a legitimate scanner.

    And here are some points regarding something you can have - a smart card:

    • A smart card has an internal digital processor plus some data.
    • A smart card responds uniquely to every challenge made.
    • A smart card's contents cannot be casually read without sophisticated equipment.
    • A smart card can be deactivated or disposed of and replaced in the event of compromise.

    What do these points mean? Biometric information can be copied at many levels, and presented as "real" data at many points in the security perimeter. A fake fingerprint can be made for under $20 and almost no skill is required. Mallory can hold up a photo in front of an unattended camera to convince a system that Alice is at the reader. A "fake" retinal scanner could be placed in front of a "real" retinal scanner at the bank's Eye-ATM machine ('retinal skimming' just sounds evil.) Or, the thumbprint reader at the Bada Bing's cash register might actually be a thumbprint/DNA recorder manned by Tony Soprano. You, the biometric holder, have no way of validating every reader. And in every case, a compromised biometric is of negative value to the owner. If your thumbprint data is stolen, copies of it can be made forever and you can never get it back. Your own thumbprint is now a liability, not an asset.

    In contrast, a smart card does not divulge its secrets willingly. Smart cards do not require trust in the card reader nor in the merchant. The merchant issues a challenge to the card, collects the response, and ships both the challenge and response to the bank. The bank records the challenge, validates that the challenge was never authorized before, and then validates that the response matched the challenge according to the secret rules the bank placed inside the card at the time of issuance. If a card is lost, the bank marks it lost/stolen and never authorizes it again. If a duplicate challenge is made, the merchant presenting the duplicate can be immediately suspected of fraud.

    A smart card is good security, but poor authentication. But a biometric datum is poor security, and not necessarily good authentication.

    --
    John