
    Weak Passwords Make for Weak Networks

    By Larry Seltzer - January 15, 2009

      It’s an old rule and a common-sense one: Passwords should not be simple, easy-to-guess words. It goes beyond the old TV trick of guessing the person’s birthday. “Dictionary attacks,” in which a list of hundreds or more candidate words is tried against an account, are common. And yet people still get burned by having weak passwords.

      Two recent episodes serve as good examples. One is the case of Downadup, also known as Conficker, a worm based in part on the Windows MS08-067 RPC service vulnerability from 2008. That vulnerability is just one way it spreads; once it has a toehold inside your network, Conficker will attack other systems in a variety of ways, including a dictionary attack.

      The Microsoft analysis of this worm lists the passwords used by it to attack other systems and network shares. Take a look at the list to see if you’ve ever used any of them.

      The other recent incident was the hacking of Twitter. The real problem here wasn’t that Twitter allowed weak passwords, although that is a problem, but that Twitter allowed unlimited failed log-on requests.

      An 18-year-old student performed the attack by writing a program to do a rapid-fire dictionary log-on for the user Crystal, whose name he found frequently in Twitter feeds. He thought she was just popular, but in fact she was a Twitter staffer. When he got into her account, which had the weak password “happiness,” he had access to the administrative control panel for Twitter, and could change anyone’s password. From there it was off to the races.
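      The control Twitter lacked is a cap on failed log-ons. As an added example (not code from the article), the following Python replays a constructed failed-login log through a simple per-account, per-source lockout: after five failures inside a ten-minute window the pair is locked, so the guess that eventually hits the right word is refused rather than honored. The log format, threshold and window are assumptions chosen for the illustration.

```python
# Added example, not from the article: detecting a rapid-fire dictionary
# log-on attack from failed-login records and applying a lockout policy.
# The log format below is constructed for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <result> user=<name> src=<ip>"
# Five quick failures against one account, then the guess that succeeds.
SAMPLE_LOG = """\
2009-01-05T03:12:01 FAIL user=crystal src=198.51.100.7
2009-01-05T03:12:01 FAIL user=crystal src=198.51.100.7
2009-01-05T03:12:02 FAIL user=crystal src=198.51.100.7
2009-01-05T03:12:02 FAIL user=crystal src=198.51.100.7
2009-01-05T03:12:03 FAIL user=crystal src=198.51.100.7
2009-01-05T03:12:03 OK   user=crystal src=198.51.100.7
2009-01-05T03:15:00 FAIL user=bob     src=203.0.113.9
2009-01-05T03:40:00 OK   user=bob     src=203.0.113.9
"""

MAX_FAILURES = 5                # failures tolerated per (user, src) in WINDOW
WINDOW = timedelta(minutes=10)  # assumed sliding window

def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user[len("user="):], src[len("src="):]

def replay(log):
    """Replay the log through the lockout policy.

    Returns (blocked, refused): blocked is the set of (user, src) pairs that
    hit the threshold; refused lists attempts (including a correct guess)
    that arrived after the pair was locked out."""
    failures = defaultdict(deque)   # (user, src) -> recent failure timestamps
    blocked, refused = set(), []
    for line in log.splitlines():
        ts, result, user, src = parse(line)
        key = (user, src)
        window = failures[key]
        while window and ts - window[0] > WINDOW:
            window.popleft()        # forget failures older than WINDOW
        if key in blocked:
            refused.append((ts.isoformat(), user, src, result))
            continue
        if result == "FAIL":
            window.append(ts)
            if len(window) >= MAX_FAILURES:
                blocked.add(key)    # lock until an administrator resets it
    return blocked, refused

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

      A single failure from bob does not trip the policy, while the sixth attempt against crystal, the one with the right password, is refused because the lockout already applies.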

      A Twitter developer blogged about the incident and how Twitter hasn’t been analyzed sufficiently for security. Why? There was no internal constituency for it. Now they’ll have to hire expensive consultants to do the work.

      There are lots of guides on how to choose secure passwords. Here’s one from Microsoft. A few years ago I wrote about how if you have trouble remembering strong passwords, maybe you could remember a passphrase.

      You might even want to do some hacking of your own network with a dictionary to see if there are any weak passwords in there. This is an old and honorable tradition. It’s been almost 18 years since the famous Unix crack program was publicly posted.

      There are lots of publicly available password-cracking tools, and many are free. Consider Cain and Abel, which has a huge variety of tools, including dictionary tools that can read outside dictionaries. Click here for a good collection of dictionaries and remember, if you can download these tools, so can anyone else.

      Finally, on the subject of how to administer passwords well on Windows, this blog entry has a list of useful links, although as I test them a couple are dead. I’ve already contacted the author.

      Passwords are a mess and they’re everywhere. Dictionary attacks are usually easy to set up once you identify where you want to attack. It’s your job to think like the bad guys on this and find your weaknesses.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.

      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983. He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years. For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications. In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998. Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
