Slashdot Mirror


The Unspoken Taboo - The Never Expiring Password

anon writes "Every security-savvy professional lives with the daily fear of the "never expiring password" being exposed. It's the unspoken taboo, the wide-open back door in every corporate network. But no one ever acknowledges it or discusses it. All applications have got pre-defined passwords that never change. Which means developers, privileged users and hosting third-party service providers will all have access to these passwords."

5 of 537 comments

  1. guilty by LiquidMind · Score: 5, Informative

    How many of us computer-savvy people are guilty of doing this for our login accounts, web banking, email, etc.? I know I am.

    --
    This sig contains repetition and redundancy.
    1. Re:guilty by JWSmythe · Score: 5, Informative

        This is always a fun game.  I won't say what site it's for, but it is adult.  This is the top 20 from 600,000 expired accounts.  Checking the top 1000 common passwords, I don't see a single strong one.  I know, it shouldn't, since I'm grouping by count.  I suspect this list will apply almost everywhere in very similar ratios.

      SELECT COUNT(pass) AS count, pass
      FROM `users`
      WHERE expired = 1
      GROUP BY pass
      ORDER BY count DESC

      | count | PASSWORD    |
      |  1322 |    password |
      |   994 |      123456 |
      |   824 |       12345 |
      |   569 |      harley |
      |   536 |      696969 |
      |   434 |     mustang |
      |   385 |      qwerty |
      |   355 |    baseball |
      |   307 |    football |
      |   305 |      hunter |
      |   305 |     letmein |
      |   296 |      shadow |
      |   294 |       pussy |
      |   279 |      maggie |
      |   276 |      monkey |
      |   265 |      golfer |
      |   260 |      buster |
      |   260 |    12345678 |
      |   255 |      bandit |
      |   241 |      nascar |

      When a site password is compromised, the system automagically sets a strong password, and notifies the user.  They get rather upset about that.  I tell them, "You should have used a good password to start with."  We will let them change it back to something else, but we won't let them use anything easy.

      --
      Serious? Seriousness is well above my pay grade.
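      An added example (not JWSmythe's code, nor the site's) that reproduces the grouping query above against a constructed in-memory SQLite table, measures how much of the expired population a deny list built from the posted top-20 would have covered, and implements the kind of check and forced-reset the comment describes. The sample rows, the 12-character minimum, the trailing-digit heuristic and the reset length are assumptions made for the example. One caveat a practitioner will spot: GROUP BY pass only works because the column holds plaintext. With per-user salted hashes equal passwords do not collide, so this statistic cannot be produced at all, which is exactly the property you want.

```python
import re
import secrets
import sqlite3
import string

# Constructed sample data (not the site's real rows): (pass, expired) pairs
# shaped like the table in the post, shrunk to a handful of users.
SAMPLE_USERS = [
    ("password", 1), ("password", 1), ("password", 0),
    ("123456", 1), ("123456", 1),
    ("harley", 1),
    ("Tr0ub4dor&3", 1),
    ("correct horse battery staple", 0),
    ("qwerty", 1), ("qwerty", 1), ("qwerty", 1),
]

# The posted top-20, used as a deny list. A real deployment would load a
# far larger breach-derived list; this short one is only illustrative.
COMMON_PASSWORDS = {
    "password", "123456", "12345", "harley", "696969", "mustang", "qwerty",
    "baseball", "football", "hunter", "letmein", "shadow", "pussy", "maggie",
    "monkey", "golfer", "buster", "12345678", "bandit", "nascar",
}


def build_db():
    """In-memory users table with the same two columns the query relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (pass TEXT NOT NULL, expired INTEGER NOT NULL)")
    conn.executemany("INSERT INTO users (pass, expired) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def top_passwords(conn, limit=20):
    """The grouping query from the comment, parameterised and with a stable
    tie-break. Only possible because the column is plaintext."""
    rows = conn.execute(
        "SELECT COUNT(pass) AS count, pass FROM users WHERE expired = 1 "
        "GROUP BY pass ORDER BY count DESC, pass LIMIT ?", (limit,)).fetchall()
    return [(p, c) for c, p in rows]


def deny_list_coverage(conn, deny_list):
    """Fraction of expired accounts whose password is on the deny list: how
    much a minimal blocklist at signup would have prevented."""
    total = conn.execute("SELECT COUNT(*) FROM users WHERE expired = 1").fetchone()[0]
    placeholders = ",".join("?" * len(deny_list))
    hit = conn.execute(
        f"SELECT COUNT(*) FROM users WHERE expired = 1 AND pass IN ({placeholders})",
        tuple(deny_list)).fetchone()[0]
    return hit / total if total else 0.0


def password_problems(candidate, deny_list=COMMON_PASSWORDS, min_len=12):
    """Reasons to reject a proposed password; empty list means acceptable.
    The policy (deny list, trailing-suffix check, 12-char minimum) is an
    assumption for this example, not the site's actual rules."""
    problems = []
    normalised = candidate.lower()
    if normalised in deny_list:
        problems.append("on common-password list")
    # Catch the usual dodge around a blocklist: "password1!" is still "password".
    stripped = re.sub(r"[\d\W_]+$", "", normalised)
    if stripped and stripped != normalised and stripped in deny_list:
        problems.append("common password with trailing digits/symbols")
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    return problems


def replacement_password(length=16):
    """What the comment calls 'automagically sets a strong password': a random
    value from a CSPRNG that itself passes the policy above."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    db = build_db()
    for pw, count in top_passwords(db):
        print(f"{count:5d}  {pw}")
    print(f"deny-list coverage of expired accounts: {deny_list_coverage(db, COMMON_PASSWORDS):.0%}")
    for attempt in ("Password", "password1!", "correct horse battery staple"):
        print(attempt, "->", password_problems(attempt) or "ok")
    print("forced reset value:", replacement_password())
```

      The suffix heuristic matters more than it looks: once a site starts rejecting "password", the next submission is almost always "password1", and a plain set lookup lets it through.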
  2. The most dangerous? by JabberWokky · Score: 4, Informative
    I'd say the most dangerous is an unchanged default password.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  3. Well, this has to be done sooner or later... by Chris+Bradshaw · Score: 5, Informative
    And of course, this posting wouldn't be complete without a list of well-known default passwords and appliances...

    http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

    --
    Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
  4. Re:Recent case of that in Japan by Belly · Score: 5, Informative

    No link? I call BS. I live in Tokyo, and the idea of a building not being marketable for this reason is silly. They would have just installed a new security system and that would have been the end of it - the cost of redoing the security system compared with the potential losses of unoccupied apartments is negligible. Developers here aren't that dumb.

    With property prices the way they are here, if it was really 'bargain basement' prices, they would have sold regardless of the problem.