If you're not banning weak passwords, as well as hunting down and killing off the ones left on your network, then you're not doing your security job. Weak passwords are an unlocked door into your network.
It's an old rule and a common-sense one: Passwords should not be simple,
easy-to-guess words. It goes beyond the old TV trick of guessing the person's
birthday. "Dictionary attacks," in which a list of hundreds or even
more words are tested, are common. And yet people still get burned by having
Two recent episodes serve as good examples. One is the case of Downadup,
also known as Conficker,
a worm based in part on the Windows
MS08-067 RPC service vulnerability
from 2008. That vulnerability is just
one way it spreads; once it has a toehold inside your network, Conficker will
attack other systems in a variety of ways, including a dictionary attack.
Microsoft analysis of this worm
lists the passwords used by it to attack
other systems and network shares. Take a look at the list to see if you've ever
used any of them.
other recent incident was the hacking
The real problem here wasn't that Twitter allowed weak
passwords, although that is a problem, but that Twitter
allowed unlimited failed log-on requests.
An 18-year-old student performed the attack by writing a program to do a
rapid-fire dictionary log-on for the user Crystal, whose name he found
frequently in Twitter feeds. He thought she was just popular, but in fact she
was a Twitter staffer. When he got into her account, which had the weak
password "happiness," he had access to the administrative control
panel for Twitter, and could change anyone's password. From there it was off
developer blogged about the incident
and how Twitter hasn't been analyzed
sufficiently for security. Why? There was no internal constituency for it. Now
they'll have to hire expensive consultants to do the work.
There are lots of guides on how to choose secure passwords. Here's
one from Microsoft.
A few years ago I wrote about how if
you have trouble remembering strong passwords, maybe you could remember a
You might even want to do some hacking of your own network with a dictionary
to see if there are any weak passwords in there. This is an old and honorable
tradition. It's been almost 18 years since the famous Unix crack
was publicly posted.
There are lots of publicly available password-cracking tools, and many are
free. Consider Cain and Abel,
has a huge variety of tools, including dictionary tools that can read outside
dictionaries. Click here
for a good collection of dictionaries
and remember, if you can download
these tools, so can anyone else.
Finally, on the subject of how to administer passwords well on Windows, this
blog entry has a list of useful links,
although as I test them a couple are
dead. I've already contacted the author.
Passwords are a mess and they're everywhere. Dictionary attacks are usually
easy to set up once you identify where you want to attack. It's your job to
think like the bad guys on this and find your weaknesses.
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take
a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.