Weak Passwords Make for Weak Networks

By Larry Seltzer  |  Posted 2009-01-15 Print this article Print

If you're not banning weak passwords, as well as hunting down and killing off the ones left on your network, then you're not doing your security job. Weak passwords are an unlocked door into your network.

It's an old rule and a common-sense one: Passwords should not be simple, easy-to-guess words. It goes beyond the old TV trick of guessing the person's birthday. "Dictionary attacks," in which a list of hundreds or even more words are tested, are common. And yet people still get burned by having weak passwords.

Two recent episodes serve as good examples. One is the case of Downadup, also known as Conficker, a worm based in part on the Windows MS08-067 RPC service vulnerability from 2008. That vulnerability is just one way it spreads; once it has a toehold inside your network, Conficker will attack other systems in a variety of ways, including a dictionary attack.

The Microsoft analysis of this worm lists the passwords used by it to attack other systems and network shares. Take a look at the list to see if you've ever used any of them.

The other recent incident was the hacking of Twitter. The real problem here wasn't that Twitter allowed weak passwords, although that is a problem, but that Twitter allowed unlimited failed log-on requests.

An 18-year-old student performed the attack by writing a program to do a rapid-fire dictionary log-on for the user Crystal, whose name he found frequently in Twitter feeds. He thought she was just popular, but in fact she was a Twitter staffer. When he got into her account, which had the weak password "happiness," he had access to the administrative control panel for Twitter, and could change anyone's password. From there it was off the races.

A Twitter developer blogged about the incident and how Twitter hasn't been analyzed sufficiently for security. Why? There was no internal constituency for it. Now they'll have to hire expensive consultants to do the work.

There are lots of guides on how to choose secure passwords. Here's one from Microsoft. A few years ago I wrote about how if you have trouble remembering strong passwords, maybe you could remember a passphrase.

You might even want to do some hacking of your own network with a dictionary to see if there are any weak passwords in there. This is an old and honorable tradition. It's been almost 18 years since the famous Unix crack program was publicly posted.

There are lots of publicly available password-cracking tools, and many are free. Consider Cain and Abel, which has a huge variety of tools, including dictionary tools that can read outside dictionaries. Click here for a good collection of dictionaries and remember, if you can download these tools, so can anyone else.

Finally, on the subject of how to administer passwords well on Windows, this blog entry has a list of useful links, although as I test them a couple are dead. I've already contacted the author.

Passwords are a mess and they're everywhere. Dictionary attacks are usually easy to set up once you identify where you want to attack. It's your job to think like the bad guys on this and find your weaknesses.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel