Linux Security -- Choosing passwords
LINUX SECURITY --- July 03, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
__________________________________________________________________________
HIGHLIGHTS
* The weakest link in the security chain continues to be the end user.
By selecting easy and common passwords, end users are keeping hackers
in business.
__________________________________________________________________________
Bad Password Trends
By Rick Johnson
From the ATM to your voicemail, passwords are part of our everyday
lives, and those are nothing compared to the vast number of computer
passwords some of us have to remember. Human nature leads people to
pick a password that will be easy to remember, usually something from
our daily lives.
ZDNet ran a story about a British study commissioned by the Internet
domain name registry, CentralNic, regarding passwords
(http://www.zdnet.com/zdnn/stories/news/0,4586,2781327,00.html). The
study claims that the most common type of password attack comes in the
form of "social engineering". The poll, which questioned 1,200 office
workers, revealed four distinct categories of people regarding
passwords.
Nearly half of the employees questioned fall into the "family" group,
choosing their own name, nickname, or the name of their partners,
children, or pets for their login. Typically, such passwords can be
guessed by simply looking around at pictures on their office desk.
According to the study, a second class of office workers falls into
the "fan" category, as they choose sports stars, cartoon characters, or
pop stars. Yet again, if you know their habits, then the information is
only a few guesses away.
The more "self-obsessed" employees made up group number three,
comprising 11 percent of those questioned. This group's chosen
passwords included "sexy," "stud," "slapper," and "goddess".
The smallest and most security conscious group is the "cryptics," with
just 9 percent of the total. They select passwords that mix lower and
upper case letters, numbers, and punctuation to create cryptic
passwords.
Not being prone to blindly trusting others, I naturally ran my own test
against a passwd file containing over 5,000 users. My tool of choice
was the password-cracking tool known as John the Ripper
(http://www.openwall.com/john/); the results were as expected.
I witnessed so many passwords consisting of "god," "temp," and "1234"
that I started laughing. However, these paled in comparison to the vast
number of identical username/password combinations -- a normal practice
when setting up accounts in large volume for someone else. Another
alarming trend is the use of a common dictionary word with a few
numbers attached, such as "potato45" or "1999news".
Due to the popularity of such obvious passwords, most cracking programs
run through these combinations first. The defense? Choose a more
difficult password. Make up a word that sounds real and is easy to
remember, but still doesn't exist in the real world. Better yet, use a
mixed case password. Holding down the shift key is a small price to pay
for a secure account.
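The patterns above (password identical to the username, a throwaway word like "god" or "temp", a dictionary word with a few digits bolted on, digits only, or no mixed case) are exactly what a password-acceptance check can refuse at the moment a password is set. The following is an added example, not code from the article or from John the Ripper; the word list and the sample accounts are constructed, and a real deployment would load a system dictionary and a published common-password list instead.

```python
import re

# Constructed stand-in for a dictionary plus a "most common passwords" list;
# crackers try exactly these before anything else (assumption: replace with
# a full word list in production).
COMMON_WORDS = {"god", "temp", "potato", "news", "password", "sexy", "stud", "goddess"}

# Constructed (username, candidate password) pairs mirroring the trends described.
SAMPLE_ENTRIES = [
    ("bob", "bob"),            # identical username/password
    ("alice", "potato45"),     # dictionary word plus digits
    ("carol", "1999news"),     # digits plus dictionary word
    ("dave", "1234"),          # digits only
    ("erin", "god"),           # throwaway common word
    ("frank", "Vorblath7!"),   # made-up word, mixed case, digit, punctuation
]


def weak_password_reasons(username, password):
    """Return the list of reasons a candidate password matches a known-bad
    pattern; an empty list means none of these checks fired."""
    reasons = []
    lower = password.lower()
    if lower == username.lower():
        reasons.append("identical to username")
    if lower in COMMON_WORDS:
        reasons.append("common word")
    # A dictionary word with 1-4 digits before or after it, e.g. potato45 / 1999news.
    m = re.fullmatch(r"(\d{1,4})?([a-z]+)(\d{1,4})?", lower)
    if m and m.group(2) in COMMON_WORDS and (m.group(1) or m.group(3)):
        reasons.append("dictionary word plus digits")
    if password.isdigit():
        reasons.append("digits only")
    # The article's own defence: mixed case (and ideally other character classes).
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 2:
        reasons.append("single character class")
    return reasons


def audit(entries):
    """Map each username whose password fails at least one check to its reasons."""
    findings = {}
    for username, password in entries:
        reasons = weak_password_reasons(username, password)
        if reasons:
            findings[username] = reasons
    return findings


if __name__ == "__main__":
    for user, why in audit(SAMPLE_ENTRIES).items():
        print(f"{user}: {', '.join(why)}")
```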
About the author(s)
-------------------
Rick Johnson is the CTO and Head of Development for IPDex Technologies
(http://www.ipdex.com). During his off hours, Rick is a
consultant, writer, and developer for various open source projects.
Rick may be contacted via email at rick@pointman.org or on the Web at
http://www.pointman.org.
________________________________________________________________________________
ADDITIONAL RESOURCES
Social Engineering
http://www.seas.rochester.edu:8080/CNG/docs/Security/node9.html
Social Engineering: What is it, why is so little said about it and what
can be done?
http://www.sans.org/infosecFAQ/social/social.htm
Building blocks to security: Passwords -- the first line of defense
People are still making the same basic mistakes that they were making
10 years ago
http://www.itworld.com/AppDev/1313/UIR010509buildingblocks/
________________________________________________________________________________