Quoting Ed Skoudis from “Counter Hack”,
“Passwords are the most commonly used computer security tool in the world today. In many organizations, the lowly password often protects some of the most sensitive secrets imaginable, including health care information, confidential business strategies, sensitive financial data and so on.
Unfortunately, with this central role in security, easily guessed passwords are often the weakest link in the security of our systems.”
From a security standpoint it’s key to understand that it only takes one weak password to allow an attacker to gain a foothold on your computer or network.
Even if the attacker is only fortunate enough to breach an account with lesser privileges, such as a standard user account in a Microsoft Windows network, they now have a foothold: a place from which to run further attacks that may well get them higher privileges, such as administrator-level access.
Not good if you like your system and data just the way they are.
To use a real-world analogy, the hacker is no longer the attacking army at the gates of the city; they’re an undercover agent working from within.
To understand how this might happen, let’s look at some of the standard methods these attackers employ.
Default Passwords
It may sound silly, but this is the equivalent of leaving the keys in the ignition of your car.
Many devices such as firewalls, routers and other network equipment are shipped, by necessity, from the maker with a default login and password in place. It is expected that these will be changed during installation.
All too often, particularly in small businesses, the simple goal is to “Get it Working”, and once that is accomplished no further security measures are taken.
A fully understandable but very dangerous situation.
Hackers love it when you make it easy for them.
A random test
A few years back, while driving from my office to a nearby customer site, I left my Dell notebook running with the wireless card on and a program that detects the presence of wireless networks. In the space of 1.5 miles I detected 27 wireless networks, with the following statistics:
1. Five (5) of the networks were secured. (Good show!)
2. Twenty-Two (22) were unsecured and nineteen (19) of the twenty-two (22) were using the default network identifier.
Of particular concern here are the 19 routers that were using the default network identifier. Let’s see why.
If the default network identifier is still in use, it’s almost a sure bet that the router is also still using the default administrator password as shipped from the factory, something any hacker can find within 20 seconds with a Google search.
Is this starting to sound bad? Good, because it is.
In other words, going back to our auto theft metaphor, for the nineteen (19) systems mentioned above “the keys are in the ignition.”
Come to think of it, maybe the motor is even running. They’re a hack waiting to happen!
Common Passwords
Lest I sound pedantic, let me say up front that I’m well aware “People Hate Passwords!”
I’m a people, too, and I’m likewise not overly fond of having to log in to things constantly, particularly since in my work I find myself logging in to something 20-30 times a day.
Conversely, I’m all too aware of the potential cost of being lazy in choosing weak passwords.
I don’t like the idea of a bad guy snooping around my computer, and perhaps stealing my PayPal login info.
The fact is that simple passwords are so easily broken that they are the real-world equivalent of the default passwords covered above.
Which means that back at our metaphorical auto the keys are in the ignition, the motor is running … and the Internet can be a real bad neighborhood.
As every hacker is aware, there’s a set of common passwords that will get you into the kingdom (the computer system or network) with frightening regularity.
You can bet “12345” is high on the list of “first tries” when attempting to hack a system. “qwerty” (the first six keys across the top row of a standard English keyboard) is probably second on the list.
Do you know the system owner’s dog’s name? There’s about a 40-50% chance that will do the trick. How do I know? I’ve used this fact legitimately more than once when I had to service a business computer and the particular user wasn’t around to supply the password.
But why even bother being innovative when you can get a list of commonly used passwords right off the Internet? How to try them all? Enter the dictionary attack!
Dictionary Attacks
As the name implies, such an attack is conducted with a dictionary attack program and a file of common words. For example, I have a master text file (dictionary file) containing over 1 million words from English and other languages that such programs can use.
The software, widely available on the Internet, simply takes words from the dictionary file, applies the transformations the attacker guesses the user might have used (capitalizing the first letter, tacking a digit or “!” on the end, swapping “0” for “o”, and so on), and then tries each candidate at the login prompt. The same method is used when the attacker has obtained a copy of the scrambled file (the password hashes) that holds user or system passwords: each candidate is scrambled the same way and compared offline, with no login prompt to slow the attacker down and no one watching the failed attempts.
While trying all these possible passwords may sound like a daunting task, a modern computer with average resources can test hundreds to thousands of guesses per second against a live login, and against a stolen hash file a single graphics card can test millions to billions of candidates per second for the common fast hash formats. Add an experienced attacker’s knowledge of human behavior and it becomes even more likely that a high percentage of passwords can be broken in a very short period.
What’s the upshot of all the tech stuff above?
A simple password such as “ImCool” or “hotdog” will be broken within five minutes, and “Hotdog1” isn’t much better.
Passwords from Phrases – Stronger Passwords Made Easy
If you work in a larger company, or anywhere you come into contact with good security practices, it’s likely you have heard the following mantra for password selection, probably enough times that you want to scream.
- Passwords must be at least 8 characters in length, and longer is better.
- Use a combination of upper and lower case letters, numbers and special characters such as punctuation.
Screaming aside, all of this is excellent advice.
Excellent advice except for the fact that most of us humans aren’t very good at remembering “w#3jI0!!&”, which is probably a darn good password if anyone can remember it!
Enter the concept of pass phrases: a nice way to remember a complex password without the pain.
In fact, by choosing fun phrases, entering a password can even make you laugh.
Let’s do an example
Suppose you have a big old lovable chocolate Lab named Coco (yes, I know I said no dog names…see the tendency?). If I wanted to hack your system and I knew your dog’s name was “Coco”, that would probably be my third guess.
Not a real good thing for you from a security standpoint.
But what if you made up a phrase?
Let’s say Coco freaks out at walk time every day at 6 PM, and it’s a fun thing to head out for half an hour and take him for a walk.
Here’s your pass phrase: “Crazy Dog Coco and I walk each day at 6!”
Turning that into a password by taking the first character of each word gives: “CDCaIweda6!”
Now we add some pizzazz by substituting common characters: “0” for “o”, “1” for “i”, “3” for “e”, “@” for the word “at”, etc. Use your imagination, as long as you can remember what you use!
So using common substitutions we have: CDCa1w3d@6!
And there we have a killer password that’s easily remembered. One caveat: crackers know these letter-for-number swaps too and try them automatically, so the real strength comes from the length and from a phrase nobody else would guess, not from the substitutions. The more words in your phrase, the better.
Even the IT jocks at work will give you points for that one.
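The dictionary attack described above and the pass phrase method just shown, as one added Python example (this is not code from the original article). The tiny wordlist, the mangling rules, the suffix list and the use of unsalted SHA-256 as a stand-in for a stolen password file are all constructed for the demonstration; real systems should store salted, deliberately slow hashes, which changes the attacker’s speed but not the method. The cracker recovers “hotdog”, “Coco”, the leet-speak “h0td0g”, “Hotdog1” and the doubled “12341234”, while the phrase-derived “CDCa1w3d@6!” is out of reach of the same wordlist and rules:

```python
import hashlib

# Constructed mini wordlist standing in for the author's million-word dictionary file.
WORDLIST = ["password", "qwerty", "12345", "1234", "hotdog", "coco",
            "simpsons", "imcool", "dragon", "letmein"]

# Letter-for-number swaps a cracker tries: the same swaps users think are clever.
LEET = str.maketrans({"o": "0", "i": "1", "e": "3", "a": "@", "s": "$"})
SUFFIXES = ("1", "12", "123", "!", "1!")


def mangle(word):
    """Yield the candidates a rule-based cracker derives from one dictionary word:
    case variants, leetspeak, common suffixes and whole-word duplication
    (the same idea as hashcat's 'd' rule, which turns '1234' into '12341234')."""
    bases = {word, word.lower(), word.capitalize(), word.upper(), word.translate(LEET)}
    for base in sorted(bases):
        yield base
        yield base + base
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password):
    """Unsalted SHA-256 stands in for the 'scrambled' password file (constructed
    simplification; real systems use a salted, slow hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Offline dictionary attack: hash every candidate and compare to the target.
    Returns the recovered password, or None if wordlist plus rules miss it."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(candidate) == target_hash:
                return candidate
    return None


# Pass phrase rules from the article: first character of each word, the word
# 'at' written as '@', the phrase's closing punctuation kept, then 0/1/3 for o/i/e.
PHRASE_SUBS = str.maketrans({"o": "0", "O": "0", "i": "1", "I": "1", "e": "3", "E": "3"})


def phrase_to_password(phrase):
    """'Crazy Dog Coco and I walk each day at 6!' -> 'CDCa1w3d@6!'"""
    words = phrase.split()
    initials = "".join("@" if w.lower() == "at" else w[0] for w in words)
    tail = "".join(c for c in words[-1] if not c.isalnum())  # keeps the trailing '!'
    return (initials + tail).translate(PHRASE_SUBS)


def demo():
    """Crack the weak passwords, then run the same attack on the phrase-derived one."""
    weak = ["hotdog", "Coco", "h0td0g", "Hotdog1", "12341234"]
    results = {pw: crack(hash_password(pw)) for pw in weak}
    strong = phrase_to_password("Crazy Dog Coco and I walk each day at 6!")
    results[strong] = crack(hash_password(strong))
    return results


if __name__ == "__main__":
    for pw, found in demo().items():
        print(f"{pw:14} -> {'cracked as ' + found if found else 'not found'}")
```

Run the file and every weak entry comes back cracked while the pass phrase password does not. The point of the duplication rule is the “type it twice” trick: doubling a four-character string is one extra rule for the cracker, not eight characters of new strength.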
Summary
This article is, by intent, non-technical in nature and relatively short. Its purpose is to introduce the basic issues surrounding passwords and help users avoid the most common mistakes, such as leaving default passwords in place and using common, simple words as passwords.
Take Away
- Today’s electronic criminals are highly skilled professionals playing a multi-billion dollar game. They make BIG money doing this and they aren’t going to quit just because it makes you mad. It’s up to you to CYA (cover your assets) and use strong passwords!
- “1111” and “qwerty” aren’t safe passwords. Any hacker knows there are about 50 common passwords that will get you into one heck of a lot of machines. “1111” and “qwerty” are high on the list.
- Some modern malicious software contains a simple password-guessing component that tries the 50 or so most common passwords. If you get infected, your password of “1111” will be cracked within seconds.
- “Hotdog” and “simpsons” aren’t safe passwords either; they’re just slightly behind “1111” for ineffectiveness. Never use words, particularly common words, as a password. They’re easy prey for a pro using a dictionary attack.
- Change default passwords. It only takes a minute or so and keeps your system much safer from hackers.
- If you want a password that works, follow the pass phrase guidelines above. A password of eight or more characters (more is better) created from a pass phrase as shown is much harder for the bad guys to break.
- Don’t look for shortcuts such as typing a short password twice. “1234” typed twice, “12341234”, is still a dictionary word in the cracker’s eyes: common cracking tools have a rule that tries every word doubled, so the repeat adds almost nothing. Use the pass phrase method instead.
It’s fun beating the bad guys. With a bit of knowledge and a little effort you can. Enjoy!