The Unspoken Taboo - The Never Expiring Password

← Back to Stories (view on slashdot.org)

The Unspoken Taboo - The Never Expiring Password

Posted by CowboyNeal on Thursday December 8, 2005 @04:52PM from the silent-threats dept.

anon writes "Every security savvy professional lives with the daily fear of the "never expiring password" being exposed. It's the unspoken taboo, the wide open back door in every corporate network. But no-one ever acknowledges it or discusses it. All applications have got pre-defined passwords that never change. Which means developers, privileged users and hosting third party service providers will all have access to these passwords."

6 of 537 comments (clear)

Min score:

Reason:

Sort:

guilty by LiquidMind · 2005-12-08 17:00 · Score: 5, Informative

how many of us computer-savvy are guilty of doing this for our login accounts, web banking, Email, etc? I know i am.

--
This sig contains repetition and redundancy.
1. Re:guilty by JWSmythe · 2005-12-08 18:02 · Score: 5, Informative
  
  This is always a fun game. I won't say what site it's for, but it is adult. This is the top 20 from 600,000 expired accounts. Checking the top 1000 common passwords, I don't see a single strong one. I know, it shouldn't, since I'm grouping by count. I suspect this list will apply almost everywhere in very similar ratio's. SELECT COUNT(pass) AS count, pass FROM `users` WHERE expired = 1 GROUP BY pass ORDER BY count DESC | count | PASSWORD | | 1322 | password | | 994 | 123456 | | 824 | 12345 | | 569 | harley | | 536 | 696969 | | 434 | mustang | | 385 | qwerty | | 355 | baseball | | 307 | football | | 305 | hunter | | 305 | letmein | | 296 | shadow | | 294 | pussy | | 279 | maggie | | 276 | monkey | | 265 | golfer | | 260 | buster | | 260 | 12345678 | | 255 | bandit | | 241 | nascar | When a site password is compromised, the system automagically sets a strong password, and notifies the user. They get rather upset about that. I tell them, "You should have used a good password to start with." We will let them change it back to something else, but we won't let them use anything easy.
  
  --
  Serious? Seriousness is well above my pay grade.
2. Re:guilty by JWSmythe · 2005-12-08 18:17 · Score: 3, Informative
  
  Your friend was full of shit. Well, mostly.
  
  Some sites allow users to select their username, some don't. Some set arbitrary passwords, some don't.
  
  If you're real lucky, you may find a combination like "user:pass". But why should anyone think someone who has the username of "bullshit" has the password of "my_password", and everyone who's chosen the username of "bullshit" would select the same one.
  
  We've had many users complain that their username was taken. It's always funny too, on common first names, or something simple like that. How many username "bob" can there be? ;)
  
  More than likely, he's finding multiple sites in the same 'family' of sites. I've seen that happen before. Buying a membership at one site will allow access to many, usually because they use the same password file on the same server. :) In those cases, obviously it will work.
  
  The password sites do work though.
  
  I've become very familar with passwordz sites over the years. We were hit pretty hard when we started doing one of the largest on the Internet. We have a bot who builds pretty interesting reports for us, and I had included the sites which we were linked on.
  
  Most people are using something like 'AccessDiver'. Many sites now set firewall rules against IP's using those tools, start showing them a bogus valid login page, or any of a number of tricks to mess with them. I know some of the 'hackers' were using multiple proxies after a while, but really, when you have to do tens of thousands of attempts to even think you're getting one password, how many proxies could you possibly have at your disposal.
  
  When we see x number of attempts come in from an IP, it gets blocked. If we see that a valid password was acquired in the attempes from that IP, we automatically change that password, and notify the user. We have a few other tricks too. I very rarely see our sites showing up any more, simply because by the time they get a password posted, it's no longer any good. It does the same thing to the casual 'hacker', so if you start scanning through multiple proxies and leave for a while, when you get back, you still won't have a good password. :)
  
  I use hacker in quotes above, because they're not real hackers. They're barely crackers. I classify them with script kiddies. They found a tool, run it, and now they've accomplished something with no work. They don't know how it happened, they just know it did.
  
  --
  Serious? Seriousness is well above my pay grade.
The most dangerous? by JabberWokky · 2005-12-08 17:00 · Score: 4, Informative

I'd say the most dangerous is an unchanged default password.
--
Evan

--
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Well, this has to be done sooner or later... by Chris+Bradshaw · 2005-12-08 17:04 · Score: 5, Informative

And of course, this posting wouldn't be complete without a list well know default passwords and appliances...
http://www.governmentsecurity.org/articles/Default LoginsandPasswordsforNetworkedDevices.php

--
Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
Re:Revent case of that in Japan by Belly · 2005-12-08 17:43 · Score: 5, Informative

No link? I call BS. I live in Tokyo, and the idea of a building not being marketable for this reason is silly. They would have just installed a new security system and that would have been the end of it - the cost of redoing the security system compared with the potential losses of unoccupied apartments is negligible. Developers here aren't that dumb.

With property prices the way they are here, if it was really 'bargain basement' prices, they would have sold regardless of the problem.