Passwords, Password Attacks & Security
Overview
Quoting Ed Skoudis from "Counter Hack", "Passwords
are the most commonly used computer security tool in the world today.
In many organizations, the lowly password often protects some of the
most sensitive secrets imaginable, including healthcare information,
confidential business strategies, sensitive financial data and so on.
Unfortunately, with this central role in security, easily guessed passwords
are often the weakest link in the security of our systems."
From a security standpoint it's key to understand that it only takes
one weak password to allow an attacker to gain a foothold into the
system. Even assuming that the attacker was only fortunate enough to
have breached an account with lesser system privileges such as a standard
user account in a Microsoft Windows network, they now have an operable
environment from which to execute various attacks that allow escalation
of privileges.
To use a real world analogy they are no longer the attacking army at
the gates of the city but an undercover agent working from within.
To understand how this might happen let's examine some of the standard
methods employed by these attackers.
Default Passwords
It may sound silly but this is the equivalent
of leaving the keys in the ignition. Many items such as firewalls,
routers and other computer system devices are shipped, by necessity,
from the production facilities with default login and passwords in
place. It is expected that during installation and configuration appropriate
steps will be taken to change these critical items and security related
settings.
All too often, particularly with home systems and small businesses and
other organizations, the simple goal is to "Get it Working" and when
this is accomplished no security measures are taken. A fully understandable
but very dangerous act if anything of any sensitivity is conducted
over that network.
As a random test of this situation, one day in July 2005,
while driving from my office to a nearby customer site, I left my Dell
notebook running with the wireless card on and a program used to detect
the presence of wireless networks running. In a matter of driving 1.5
miles I detected 27 wireless networks with the following statistics:
- Five (5) of the networks were secured. (Good show!)
- Twenty-two (22) were unsecured, and nineteen (19) of the twenty-two (22) were using
the default network identifier.
Those with knowledge of wireless systems will
readily realize some additional points of concern here. First let me
say that I didn't attempt to "hack" any of the unprotected systems
as it's both illegal and, as a consultant, in my viewpoint unethical,
even if just to find out who owns the system to warn them. As an aside I would
note the latter idea was suggested to me by another well-meaning, highly
ethical individual I know who also works in the IT world.
To return to the core point: first, if the software can identify
the network by name, that means SSID broadcasting has been left on in the
configuration area. The SSID ("service set identifier") is a code attached
to all packets on a wireless network to identify each packet as part
of that network.
Moreover it's almost a sure bet that if the system:
- Hasn't had some security encryption activated such as WEP,
- Is broadcasting the SSID,
- And is using the default SSID,
then the system is also using the default password
as shipped from the factory. Something any hacker can find within 20
seconds using a search on Google.
In other words, for the nineteen (19) systems mentioned above "The
keys are in the ignition."
Come to think of it maybe even the motor is running. They're a hack
waiting to happen!
Common Passwords
Lest I sound pedantic in this work let me say
up front I'm well aware "People Hate Passwords!" I'm a people, too
and I'm likewise not overly fond of having to log in to things constantly.
Particularly since I find myself in my work logging in to something
between 20 and 50 times a day.
Conversely I'm all too aware of the potential cost of my sloth in choosing
weak passwords. The fact here is that simple passwords are so easily
broken that they are the real world equivalent of the default passwords
covered above.
The keys are in the ignition... and the Internet can be a real bad
neighborhood.
As every hacker is aware there's a set of common passwords that will
get you into the kingdom (the computer system or network) with frightening
regularity. You can bet "12345" is high on the list of "first tries" when
attempting a hack. "qwerty" (first six keys across the top of the standard
English keyboard) is probably second on the list. Know the system owner's
dog's name? There's about a 40-50% chance that will do the trick.
But why even bother being innovative when you can get a list of commonly
used passwords right off the Internet? How to try them all? Enter the
dictionary attack!
Dictionary Attacks
As the name might imply such an attack is conducted
by using a dictionary attack program and a file containing common words.
For example I have a master text file (dictionary file) containing
over 1 million words from English and other languages that can be utilized
by such programs.
The software, widely available on the Internet, simply takes words
from the dictionary file, processes them in a manner that the attacker
guesses might have been used from his knowledge of the system being
attacked, and then attempts that password in the login module. Similar
attack methods are used when the attacker has been able to obtain copies
of the files that contain user or system passwords.
While trying all these possible passwords may sound like a daunting
task the fact is that a modern computer with average resources can
process from hundreds to thousands of words per second. Add to this
an experienced attacker's knowledge of human behavior and it gets
even more probable that a high percentage of passwords can be broken
in a very short period.
In sum a simple password such as "hotdog" or similar is likely to be
broken within minutes.
Passwords from Phrases - Stronger Passwords Made Easy
If you work in a larger company or anywhere you
come in contact with good security practices it's likely you have heard
the following mantra for password selection ad nauseam:
- At least 6 (or 7 or 8) characters in length.
- Use a combination of letters, numbers and special characters such
as punctuation.
All of this is excellent advice except for the
fact that most of us humans aren't real good at remembering "w#3jI0(;".
Probably a darn good password if anyone can remember it! Enter the
concept of pass phrases. A nice way to remember a complex password
without the pain. In fact by choosing fun phrases the entering of the
password becomes a more pleasant event.
Let's do an example. Suppose you have a big old lovable chocolate Lab
named Coco (yeah, I know I said no dog names... see the tendency?). If
you used "Coco" and I wanted to hack your system that would probably
be my third guess. Not a real good thing from a security standpoint
for you. But what if you made up a phrase?
Let's say Coco freaks out at walk time every day and it's a fun thing
to head out for 1/2 hour at 6PM and take him for a walk.
Here's your pass phrase: "Coco and I walk each day at 6!"
Turning that into a password by taking the first character of each
word gives: "CaIweda6!"
Now we add some pizzazz to it by substituting common characters such
as "0" for "o", "1" for "i" and "3" for "e" etc. Use your imagination
as long as you can remember what you use!
So using common substitutions we have: "Ca1w3d@6!"
And there we have a rather secure password!
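As an added example, not part of the original article, the following Python shows the phrase-to-password step above next to a password-change check that refuses dictionary words even after the simple mangling described under Dictionary Attacks. The wordlist, the 8-character minimum and the function names are assumptions made for the illustration.

```python
import string

# Constructed sample wordlist; a real check would load a large list of
# common and breached passwords.
COMMON_WORDS = {"12345", "qwerty", "hotdog", "password", "coco", "letmein"}
MIN_LENGTH = 8  # assumption: the strictest length from the article's mantra

# Undo the usual character swaps so "h0td0g" is compared as "hotdog".
UNLEET = str.maketrans("013@$", "oieas")
SUFFIX_CHARS = string.digits + string.punctuation


def phrase_to_password(phrase):
    """First character of each word, plus the phrase's closing punctuation."""
    initials = "".join(word[0] for word in phrase.split())
    body = phrase.rstrip(string.punctuation)
    return initials + phrase[len(body):]


def guessable_forms(password):
    """Forms a dictionary tool reaches by simple word mangling."""
    lowered = password.lower()
    stripped = lowered.rstrip(SUFFIX_CHARS)  # "hotdog1!" -> "hotdog"
    return {lowered, stripped,
            lowered.translate(UNLEET), stripped.translate(UNLEET)}


def reject_reason(password):
    """Return why a new password should be refused, or None if it passes."""
    if guessable_forms(password) & COMMON_WORDS:
        return "dictionary word with simple mangling"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


if __name__ == "__main__":
    derived = phrase_to_password("Coco and I walk each day at 6!")
    for candidate in ["hotdog", "h0td0g1!", "Coco", "Qwerty123", derived, "Ca1w3d@6!"]:
        print(f"{candidate!r}: {reject_reason(candidate) or 'accepted'}")
```

Passing this check only means the password is not a mangled form of a listed word; it is not a measurement of strength.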
Summary
This article is by intent non-technical in nature
and relatively short. Its purpose is as an introduction to the basic
issues surrounding passwords to help users avoid the most common of
mistakes such as leaving default passwords in place and using common,
simple terms for passwords.