The Unspoken Taboo - The Never Expiring Password

← Back to Stories (view on slashdot.org)

The Unspoken Taboo - The Never Expiring Password

Posted by CowboyNeal on Thursday December 8, 2005 @04:52PM from the silent-threats dept.

anon writes "Every security savvy professional lives with the daily fear of the "never expiring password" being exposed. It's the unspoken taboo, the wide open back door in every corporate network. But no-one ever acknowledges it or discusses it. All applications have got pre-defined passwords that never change. Which means developers, privileged users and hosting third party service providers will all have access to these passwords."

23 of 537 comments (clear)

I hate to do it.... by Strokke · 2005-12-08 16:56 · Score: 5, Funny

but I feel the need to expose the world's most sophisticated software. The password....is "password"
1. Re:I hate to do it.... by ppz003 · 2005-12-08 16:58 · Score: 5, Funny
  
  Really... My secret password is 1 2 3 4 5.
2. Re:I hate to do it.... by techfury90 · 2005-12-08 17:00 · Score: 5, Funny
  
  That's the same combination as my luggage!
  
  --
  I'm friends with the youngest daughter of the former head of the PowerPC division of IBM you insensitive clod!
3. Re:I hate to do it.... by double-oh+three · 2005-12-08 18:26 · Score: 5, Funny
  
  No no no, you don't jump straight to the combination on the luggage line. First comes the "that sounds like the kind of combination an idiot would have on his luggage" and then comes your line.
  
  Another +5 funny could have been milked from that joke, but noooo, you had to ruin it and skip a line.
  
  This ain't Soviet Russia ya know.
  
  --
  "For years, I struggled with reality... but I'm happy to say I finally won out over it." -- Elwood P. Dowd
4. Re:I hate to do it.... by j-turkey · 2005-12-09 02:28 · Score: 5, Funny
  
  My favorite bash.org password quote:
  
  [Cthon98] hey, if you type in your pw, it will show as stars [Cthon98] ********* see! [AzureDiamond] hunter2 [AzureDiamond] doesnt look like stars to me [Cthon98] ******* [Cthon98] thats what I see [AzureDiamond] oh, really? [Cthon98] Absolutely [AzureDiamond] you can go hunter2 my hunter2-ing hunter2 [AzureDiamond] haha, does that look funny to you? [Cthon98] lol, yes. See, when YOU type hunter2, it shows to us as ******* [AzureDiamond] thats neat, I didnt know IRC did that [Cthon98] yep, no matter how many times you type hunter2, it will show to us as ******* [AzureDiamond] awesome! [AzureDiamond] wait, how do you know my pw? [Cthon98] er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw [AzureDiamond] oh, ok.
  
  --
  
  -Turkey
guilty by LiquidMind · 2005-12-08 17:00 · Score: 5, Informative

how many of us computer-savvy are guilty of doing this for our login accounts, web banking, Email, etc? I know i am.

--
This sig contains repetition and redundancy.
1. Re:guilty by ATeamMrT · 2005-12-08 17:09 · Score: 5, Interesting
  
  how many of us computer-savvy are guilty of doing this for our login accounts, web banking, Email, etc? I know i am.
  I am not a cracker or hacker. But I know a guy who uses password trading websites for porn. According to him, once you get a password for one porn website, that same password will work for others. According to him, these porn members use the same password for all sites they subscribe to.
  Once companies start losing money to crackers/hackers, then they will start issuing more complex security.
2. Re:guilty by Anonymous+Crowhead · 2005-12-08 17:16 · Score: 5, Interesting
  
  I used to work for a free adult hosting site. We stored the passwords in plain text in a database. One day, just for the hell of it, I pulled out the top ten passwords. They accounted for something like 40-45% of the passwords for more than 250,000 accounts.
3. Re:guilty by The+Amazing+Fish+Boy · 2005-12-08 17:50 · Score: 5, Funny
  
  how many of us computer-savvy are guilty of doing this for our login accounts, web banking, Email, etc? I know i am.
  
  Sadly, I am guilty of this as well.
  
  He wasn't kidding, folks!
4. Re:guilty by JWSmythe · 2005-12-08 18:02 · Score: 5, Informative
  
  This is always a fun game. I won't say what site it's for, but it is adult. This is the top 20 from 600,000 expired accounts. Checking the top 1000 common passwords, I don't see a single strong one. I know, it shouldn't, since I'm grouping by count. I suspect this list will apply almost everywhere in very similar ratio's. SELECT COUNT(pass) AS count, pass FROM `users` WHERE expired = 1 GROUP BY pass ORDER BY count DESC | count | PASSWORD | | 1322 | password | | 994 | 123456 | | 824 | 12345 | | 569 | harley | | 536 | 696969 | | 434 | mustang | | 385 | qwerty | | 355 | baseball | | 307 | football | | 305 | hunter | | 305 | letmein | | 296 | shadow | | 294 | pussy | | 279 | maggie | | 276 | monkey | | 265 | golfer | | 260 | buster | | 260 | 12345678 | | 255 | bandit | | 241 | nascar | When a site password is compromised, the system automagically sets a strong password, and notifies the user. They get rather upset about that. I tell them, "You should have used a good password to start with." We will let them change it back to something else, but we won't let them use anything easy.
  
  --
  Serious? Seriousness is well above my pay grade.
5. Re:guilty by thebiggs · 2005-12-09 03:41 · Score: 5, Funny
  
  My password is a 256 character random string intialized by digitizing the braying of six donkeys on a semi-daily rotating basis. Once the braying is digitized, and the seven-factor hash table is used to generate the string, it is transfered via secured lasercable to the memory unit of a Sony Aibo. The Aibo has been specially modified with a woodburning unit, and the password is then burned onto a piece of burnished cherry wood, which I am then allowed to view for exactly twelve seconds before it is ground into a very fine sawdust.
  
  All of this takes place behind a triple-secure double-blind firewall, inside a bunker which is encased in twenty-three feet of reinforced concrete and surrounded by a moat with biometrically activated piranhas.
Oh no! by Anonymous Coward · 2005-12-08 17:02 · Score: 5, Funny

The locksmith just changed my locks! Did he keep a copy? Is he trustworthy? I don't know... Shit! All applications have passwords? Could someone tell me how to hack notepad? I forgot I needed a password. Someone must have left it unlocked on my rig. Probably a hacker.
!seineew by Leebert · 2005-12-08 17:03 · Score: 5, Funny

!seineew era sreenigne epacsteN
Write your changing password on a Post-It by Anonymous Coward · 2005-12-08 17:03 · Score: 5, Funny

After IT enforced monthly changing passwords requiring so many letters with numbers in between, now I write it on a post-it note and stick it on the monitor.
Well, this has to be done sooner or later... by Chris+Bradshaw · 2005-12-08 17:04 · Score: 5, Informative

And of course, this posting wouldn't be complete without a list well know default passwords and appliances...
http://www.governmentsecurity.org/articles/Default LoginsandPasswordsforNetworkedDevices.php

--
Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
Re:All applications have what? by Dausha · 2005-12-08 17:07 · Score: 5, Funny

"Huh? What applications have these?"

Solitare, Minesweeper, Frogger.

--
What those who want activist courts fear is rule by the people.
Re:Revent case of that in Japan by Anonymous Coward · 2005-12-08 17:11 · Score: 5, Insightful

"...because there is no safety available if you live there."

Couldn't they just intall locks?
What's the problem w/ long non-expiring passwords? by QuantGuy · 2005-12-08 17:27 · Score: 5, Insightful

Maybe I'm missing something. It's conventional wisdom that "best practice" is that "everyone" should change their password every x number of days. But often times folks have to change their passwords so often they end up writing them on sticky notes, or choosing the same easy eight-character password over and over and over, with the only variant being the numbers stuck at the end. And this is good for security how?

At a previous company our policy was to have fairly long (16 character) passwords that never expired. For my own password, I chose a pnemonic one that had certain combinations of substituted numbers and special characters. It was never cracked, even though we ran password scans regularly on our Windows domain and Linux boxen.

Show me the empirical evidence that frequently-changing, short passwords are better than long, unchanging ones, and not only will I change my password, but I might even change my mind as well. Until then articles like this are just perpetuating a mythology that people have come to accept as fact.

As it happens, I think passwords have outlived their usefulness. But that's another thread entirely...
Re:Revent case of that in Japan by Belly · 2005-12-08 17:43 · Score: 5, Informative

No link? I call BS. I live in Tokyo, and the idea of a building not being marketable for this reason is silly. They would have just installed a new security system and that would have been the end of it - the cost of redoing the security system compared with the potential losses of unoccupied apartments is negligible. Developers here aren't that dumb.

With property prices the way they are here, if it was really 'bargain basement' prices, they would have sold regardless of the problem.
The Password by Ruff_ilb · 2005-12-08 17:45 · Score: 5, Funny

"
Many years ago I was acting as the system administrator for a test system in a large publicly held company. Periodically I would receive a call from someone who had not accessed the system recently, forgot their password and locked themselves out trying to logon. I would look up their password and unlock the system for them and they would go on their merry way.

One day I received a call from a young lady who was in just such a predicament. I looked up her password and informed her that it was 'DOME' and, just to be playful, told her the price for me being gracious enough to unlock her sign-on was an explanation of the meaning of her password. She became very embarrassed over the phone and pleaded that she could never reveal her secret. I of course replied that I would not give her system access until she did. After negotiating for several minutes she finally acquiesced but made me promise to never reveal her password meaning to any of her colleagues to which I gladly agreed.

"Well, what does it mean?", I asked.

She hesitated and then replied, "It's two words."

There was pregnant pause. I unlocked her system and simply said, "Have a nice day".

"

--
http://www.TheGamerNation.com/Forums
Re:COLO's the worst from experience scarly by Jaxoreth · 2005-12-08 18:30 · Score: 5, Funny

As a rule as a admin you should constantly try cracking your own systems passwords, each one you get that user owes you beer. Least they can do for potentialy saving there job and your company.
And don't invest in any firm whose sysadmin is constantly drunk...

--
In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
Re:Revent case of that in Japan by Anonymous Coward · 2005-12-08 18:34 · Score: 5, Funny

Couldn't they just intall locks?

No, of course not. That would ruin the story.
I Call Bullshit by npsimons · 2005-12-09 03:20 · Score: 5, Insightful

I am what I would consider a "security savvy professional", and I have to say that making people change passwords is the most time-wasting, useless, feel good security measure ever. You know why? Because people will pick easy to remember (and easier to crack) passwords rather than good passwords when they won't have time to memorize a good one. Or to look at it another way: why pick a good password when you are just going to be forced to change it? I know this is true, because I have experienced it from the other side; I am a user who is forced to change his password on a regular basis. On those accounts which force me to change my password (usually every 6 months), I won't even try to pick a good password. I'll pick one that meets the bare minimum requirements, because I'm just going to have to change it again in another six months. Why bother trying to create a good password?

On the other hand, on systems I administer, I don't have expiring passwords. I pick passwords that are 20 characters long and look like line noise. Sure, it's harder to memorize them, but I have more _time_ to memorize them because I never have to change them.

--
Nathan's blog