Slashdot Mirror


Poor Passwords A Worse Problem Than Poor Antivirus

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."

5 of 247 comments

  1. The Article is poor.... by Manip · Score: 4, Informative

    The article repeats the same Myths of password security that we have been repeating for the last thirty years. Let me review them for you:
      - Password Length is important
      - Password Complexity is key (e.g. A-Z with at least one special, one number)
      - Password Expiration is important

    Like all good myths these have elements of truth in them but fail to really hit the nail on what the problems actually are, or namely:
      - Strong login auditing is important (failed attempts, unusual patterns, etc)
      - Login speed should be throttled (e.g. no 60 guesses per minute)
      - Failed logins should be capped (e.g. Login wrong five times? Consult technical support)

    Now we are talking about password security. You can also throw on a five length minimum. Now even if your password was "password" they would still find it extremely difficult to compromise the system since it would be slow and would break after the first five. If you tried to spread out the attempts over several weeks (making it slower still) the audit logs should be alerting the administrator to 14 failed attempts per week from China.
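As an added example (not from the thread or any of its posters), the three controls listed above as one login guard: per-account throttling, a five-failure lockout that only support can clear, and a per-source weekly audit alert that catches slow guessing spread across many accounts so that no single account ever reaches the cap. All thresholds, addresses and replayed attempts are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Thresholds are constructed for illustration, not taken from the thread.
THROTTLE_WINDOW = 60     # seconds; at most MAX_PER_WINDOW attempts per account
MAX_PER_WINDOW = 5
LOCKOUT_FAILURES = 5     # consecutive failures -> locked until support resets it
WEEK = 7 * 24 * 3600
WEEKLY_ALERT = 14        # failures from one source in a week that raise an alert


@dataclass
class LoginGuard:
    recent: dict = field(default_factory=lambda: defaultdict(deque))    # account -> attempt times
    failures: dict = field(default_factory=lambda: defaultdict(int))    # account -> failure streak
    locked: set = field(default_factory=set)
    by_source: dict = field(default_factory=lambda: defaultdict(deque))  # source -> failure times
    alerts: list = field(default_factory=list)

    def attempt(self, ts, account, source, password_ok):
        """Evaluate one login; returns 'locked', 'throttled', 'ok' or 'fail'."""
        if account in self.locked:
            return "locked"
        window = self.recent[account]
        while window and ts - window[0] >= THROTTLE_WINDOW:
            window.popleft()
        if len(window) >= MAX_PER_WINDOW:
            return "throttled"          # rejected before the password is even checked
        window.append(ts)
        if password_ok:
            self.failures[account] = 0  # a good login ends the failure streak
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_FAILURES:
            self.locked.add(account)
        # Audit view: guesses spread thinly over many accounts never trip the
        # per-account cap, but they pile up per source over the week.
        week = self.by_source[source]
        week.append(ts)
        while week and ts - week[0] >= WEEK:
            week.popleft()
        if len(week) >= WEEKLY_ALERT:
            self.alerts.append((ts, source, len(week)))
        return "fail"


def replay(attempts):
    """Run a constructed sequence of (ts, account, source, password_ok) tuples."""
    guard = LoginGuard()
    return [guard.attempt(*a) for a in attempts], guard.alerts
```

Replaying one failure every ten hours against fourteen different accounts from the same source produces no lockout and no throttling, but does raise the weekly alert on the fourteenth failure.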

    1. Re:The Article is poor.... by Coriolis · Score: 3, Informative

      Oh, come on.

      If you're in a pure Windows 2000 or greater environment, you can turn off NTLM and LM altogether. This reduces you to sniffing Kerberos packets, which are substantially harder to crack - you're talking hours for a single weak password. And you've still got to be on the same network segment.

      As for getting the hashes off the domain controller, by what magic do you intend to obtain sufficient remote access to a properly-secured DC? That's the equivalent of saying that if you don't use shadow passwords it's really easy to crack UN*X. Well, duh.

      --
      Rgasuya aata! : I have been coding Perl and cannot tell where my fingers are now!
  2. Re:Biometrics by Hal+The+Computer · Score: 4, Informative

    Okay, I'll bite. Because you're too cheap. Seriously, biometrics that actually work (are hard to fool) are going to make your keyboard several hundred to several thousand dollars more expensive.

    Those fingerprint readers that come for "free" built into laptops are snake oil.
    Some educational reading:
    http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
    http://mythbustersresults.com/episode59

    --

    int main(void){int x=01232;while(malloc(x));return x;}
  3. Re:Sunflowers aren't so bad by MadnessASAP · Score: 3, Informative

    Try searching for "axis-cgi", you may be surprised what you can find.

    --
    I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
  4. Re:Author parrots common fallacy by ScrewMaster · Score: 4, Informative

    Just assign the damn things! When I was in college (about thirty years ago, now) the school's mainframe would assign users a strong password when you got your account. Choosing a poor one wasn't an option. The system did manage to come up with interesting and easy-to-memorize combinations, I must say. It was actually fairly impressive: I never saw anyone writing down their password because they didn't need to. However, they weren't just random combinations of characters, and they weren't subject to a dictionary attack.

    Depending upon individuals to come up with strong passwords is utterly hopeless: you tell them what their password is. However, you can't just give them something like "pz039yq53t" because they'll get frustrated and stick it on a Post-it note. Come up with an algorithm that generates strong but easy-to-remember passwords and you'll be in good shape.

    --
    The higher the technology, the sharper that two-edged sword.