Slashdot Mirror


The Unspoken Taboo - The Never Expiring Password

anon writes "Every security savvy professional lives with the daily fear of the "never expiring password" being exposed. It's the unspoken taboo, the wide open back door in every corporate network. But no-one ever acknowledges it or discusses it. All applications have got pre-defined passwords that never change. Which means developers, privileged users and hosting third party service providers will all have access to these passwords."

13 of 537 comments

  1. guilty by LiquidMind · Score: 5, Informative

    how many of us computer-savvy are guilty of doing this for our login accounts, web banking, Email, etc? I know I am.

    --
    This sig contains repetition and redundancy.
    1. Re:guilty by JWSmythe · Score: 5, Informative

      This is always a fun game.  I won't say what site it's for, but it is adult.  This is the top 20 from 600,000 expired accounts.  Checking the top 1000 common passwords, I don't see a single strong one.  I know, it shouldn't, since I'm grouping by count.  I suspect this list will apply almost everywhere in very similar ratios.

      SELECT COUNT(pass) AS count, pass
      FROM `users`
      WHERE expired = 1
      GROUP BY pass
      ORDER BY count DESC

      | count | PASSWORD    |
      |  1322 |    password |
      |   994 |      123456 |
      |   824 |       12345 |
      |   569 |      harley |
      |   536 |      696969 |
      |   434 |     mustang |
      |   385 |      qwerty |
      |   355 |    baseball |
      |   307 |    football |
      |   305 |      hunter |
      |   305 |     letmein |
      |   296 |      shadow |
      |   294 |       pussy |
      |   279 |      maggie |
      |   276 |      monkey |
      |   265 |      golfer |
      |   260 |      buster |
      |   260 |    12345678 |
      |   255 |      bandit |
      |   241 |      nascar |

      When a site password is compromised, the system automagically sets a strong password, and notifies the user.  They get rather upset about that.  I tell them, "You should have used a good password to start with."  We will let them change it back to something else, but we won't let them use anything easy.

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:guilty by JWSmythe · Score: 3, Informative

      Your friend was full of shit. Well, mostly.

          Some sites allow users to select their username, some don't. Some set arbitrary passwords, some don't.

          If you're real lucky, you may find a combination like "user:pass". But why should anyone think someone who has the username of "bullshit" has the password of "my_password", and everyone who's chosen the username of "bullshit" would select the same one.

          We've had many users complain that their username was taken. It's always funny too, on common first names, or something simple like that. How many username "bob" can there be? ;)

          More than likely, he's finding multiple sites in the same 'family' of sites. I've seen that happen before. Buying a membership at one site will allow access to many, usually because they use the same password file on the same server. :) In those cases, obviously it will work.

          The password sites do work though.

          I've become very familiar with passwordz sites over the years. We were hit pretty hard when we started doing one of the largest on the Internet. We have a bot who builds pretty interesting reports for us, and I had included the sites which we were linked on.

          Most people are using something like 'AccessDiver'. Many sites now set firewall rules against IPs using those tools, start showing them a bogus valid login page, or any of a number of tricks to mess with them. I know some of the 'hackers' were using multiple proxies after a while, but really, when you have to do tens of thousands of attempts to even think you're getting one password, how many proxies could you possibly have at your disposal.

          When we see x number of attempts come in from an IP, it gets blocked. If we see that a valid password was acquired in the attempts from that IP, we automatically change that password, and notify the user. We have a few other tricks too. I very rarely see our sites showing up any more, simply because by the time they get a password posted, it's no longer any good. It does the same thing to the casual 'hacker', so if you start scanning through multiple proxies and leave for a while, when you get back, you still won't have a good password. :)

          I use hacker in quotes above, because they're not real hackers. They're barely crackers. I classify them with script kiddies. They found a tool, run it, and now they've accomplished something with no work. They don't know how it happened, they just know it did.

      --
      Serious? Seriousness is well above my pay grade.
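The blocking and forced-reset logic the reply above describes, written out as an added example (not the commenter's code) over a constructed login log; the log format, the attempt threshold and the function names are assumptions:

```python
"""Block an IP after x failed logins and flag for a forced password reset any
account that such an IP managed to log into, since that password is presumed
leaked. Example added here, not the site's own code; the log lines and the
threshold are constructed."""
from collections import defaultdict

# Constructed sample log, one attempt per line: "time ip username result"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 alice FAIL
10:00:02 203.0.113.7 bob FAIL
10:00:03 203.0.113.7 carol OK
10:00:04 203.0.113.7 dave FAIL
10:00:05 198.51.100.9 erin OK
10:00:06 198.51.100.9 erin FAIL
"""

ATTEMPT_THRESHOLD = 3  # the comment's "x number of attempts"; assumed value


def analyse_log(log_text, threshold=ATTEMPT_THRESHOLD):
    """Return (blocked_ips, accounts_to_reset) for the given log text."""
    failures = defaultdict(int)        # ip -> failed attempts
    successes = defaultdict(set)       # ip -> usernames it logged into
    for line in log_text.splitlines():
        _time, ip, user, result = line.split()
        if result == "FAIL":
            failures[ip] += 1
        elif result == "OK":
            successes[ip].add(user)
    # An IP that guessed too often is blocked at the firewall ...
    blocked = {ip for ip, n in failures.items() if n >= threshold}
    # ... and every password it validated along the way is rotated, even if
    # the success came before the threshold was crossed, then the owner is told.
    to_reset = set()
    for ip in blocked:
        to_reset |= successes[ip]
    return blocked, to_reset


if __name__ == "__main__":
    blocked_ips, reset_accounts = analyse_log(SAMPLE_LOG)
    print("block:", sorted(blocked_ips))
    print("force reset + notify:", sorted(reset_accounts))
```

A single failed attempt from a normal user (erin above) stays below the threshold and triggers nothing, which is the property that keeps the scheme from punishing typos.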
    3. Re:guilty by JWSmythe · Score: 2, Informative

          You can't reverse a hash. That's the problem. The hash is like a fingerprint of the data, not an encrypted version of the data. You can compare hashes to see if they're from the same original data, but you can't take the hash and find the original data (recent Slashdot story aside).

          So, if you want one of those whiz-bang features like password recovery, it has to be encrypted or encoded, not hashed.

      --
      Serious? Seriousness is well above my pay grade.
  2. The most dangerous? by JabberWokky · Score: 4, Informative
    I'd say the most dangerous is an unchanged default password.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  3. Well, this has to be done sooner or later... by Chris+Bradshaw · Score: 5, Informative
    And of course, this posting wouldn't be complete without a list of well known default passwords and appliances...

    http://www.governmentsecurity.org/articles/Default LoginsandPasswordsforNetworkedDevices.php

    --
    Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
  4. passwords by lsblogs · Score: 2, Informative

    ALL applications DO NOT have built-in unchangeable passwords, some may, but most don't. Stating ALL apps have a certain feature is plain crazy - unless you have written every app that exists on the planet.

    --
    Free Blog submission, find blogs, tools and more at LS Blogs
  5. Re:Recent case of that in Japan by Belly · Score: 5, Informative

    No link? I call BS. I live in Tokyo, and the idea of a building not being marketable for this reason is silly. They would have just installed a new security system and that would have been the end of it - the cost of redoing the security system compared with the potential losses of unoccupied apartments is negligible. Developers here aren't that dumb.

    With property prices the way they are here, if it was really 'bargain basement' prices, they would have sold regardless of the problem.

  6. Re:What's the problem w/ long non-expiring passwor by smallpaul · Score: 2, Informative

    s. But often times folks have to change their passwords so often they end up writing them on sticky notes, or choosing the same easy eight-character password over and over and over, with the only variant being the numbers stuck at the end. And this is good for security how?

    Did you RTFA? It isn't about passwords "folks" use to access applications. It is about the passwords that applications use to access other applications, and the fact that changing these passwords risks downtimes but not changing them means that anyone with access to the source code or configuration has access to your data collections.

  7. Never expiring accounts are the problem by erik_norgaard · Score: 2, Informative

    As you read the article, the first thing you note is really that this "trusted" person may still be able to authenticate after he leaves his job. The problem is not that the password never expires, but that his account never expires or there is just one shared account.

    Any system that requires authentication should also require identification, and each account should expire at some time. It should be possible to lock individuals out without imposing change of password on all other authorized users.

    In fact never expiring passwords may increase security in everyday systems: When people are regularly required to change their passwords chances are that they will choose even worse passwords, simply because it takes time to find and learn a good password.

    Repeated change of password gives no protection against brute force attack simply because you have no idea whether the hacker will go sequentially through all possibilities or if the new password has already been tried and hence has low probability of being tried again.

    Instead, system administrators should make sure that chosen passwords have sufficiently high entropy before they are accepted in the first place and continuously try to crack user passwords - if a password is cracked, it is weak and must be changed.
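An acceptance gate in the spirit of this comment and of JWSmythe's top-20 table earlier in the thread, added here as an example (not any commenter's code): it refuses passwords on the common list, including the "same word with digits stuck on the end" variants, and anything whose estimated entropy is below a threshold. The 40-bit minimum, the function names and the short list are assumptions.

```python
"""Reject weak passwords at set time: blocklist of the posted top entries
(constructed subset) plus a character-class entropy estimate. Added example,
not code from the thread; the 40-bit policy threshold is an assumption."""
import math
import string

# Constructed from the top of the posted table; a real deployment would load a
# far larger breach-derived list.
COMMON_PASSWORDS = {
    "password", "123456", "12345", "harley", "696969", "mustang", "qwerty",
    "baseball", "football", "hunter", "letmein", "shadow", "maggie", "monkey",
    "golfer", "buster", "12345678", "bandit", "nascar",
}
MIN_BITS = 40  # assumed policy value


def estimated_bits(pw):
    """Upper-bound entropy: log2(pool ** length) over the character classes
    actually used. Generous by design; the blocklist catches what it misses."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in pw):
        pool += 33  # printable punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, min_bits=MIN_BITS):
    """Return (accepted, reason). Normalises case and strips trailing digits so
    "Password1" is treated as "password"."""
    lowered = pw.lower()
    base = lowered.rstrip(string.digits)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        return False, "on common-password list"
    bits = estimated_bits(pw)
    if bits < min_bits:
        return False, f"estimated {bits:.0f} bits, below {min_bits}"
    return True, f"estimated {bits:.0f} bits"


if __name__ == "__main__":
    for candidate in ("Password1", "12345", "abc", "Tr0ub4dor&3"):
        print(repr(candidate), check_password(candidate))
```

The same checker can be run offline over newly chosen passwords before they are stored, which is the "before they are accepted" half of the comment; the ongoing cracking half needs a larger list and the site's own hash format.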

  8. So, no security whatsoever? by Shivetya · Score: 2, Informative

    If you can retrieve the password how can you tell a user their information is secure?

    The first rule of password security for me is that there is no way to retrieve the password from the system. If that cannot be done then you have no security at all.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
  9. Browser Security by cb0nd · Score: 2, Informative

    How about the security of the password management in browsers? I mean, if you share your computer IE, AFAIK, doesn't even allow you to password protect your passwords. Firefox lets you do this, but just exactly how safe is it??

  10. Re:I hate to do it.... by dan+dan+the+dna+man · Score: 2, Informative

    Actually it's a comic from UserFriendly

    --
    I don't read your sig, why do you read mine?