It’s an old rule and a common-sense one: Passwords should not be simple, easy-to-guess words. It goes beyond the old TV trick of guessing the person’s birthday. “Dictionary attacks,” in which a list of hundreds or even more words are tested, are common. And yet people still get burned by having weak passwords.
Two recent episodes serve as good examples. One is the case of Downadup, also known as Conficker, a worm based in part on the Windows MS08-067 RPC service vulnerability from 2008. That vulnerability is just one way it spreads; once it has a toehold inside your network, Conficker will attack other systems in a variety of ways, including a dictionary attack.
The Microsoft analysis of this worm lists the passwords used by it to attack other systems and network shares. Take a look at the list to see if you’ve ever used any of them.
The other recent incident was the hacking of Twitter. The real problem here wasn’t that Twitter allowed weak passwords, although that is a problem, but that Twitter allowed unlimited failed log-on requests.
An 18-year-old student performed the attack by writing a program to do a rapid-fire dictionary log-on for the user Crystal, whose name he found frequently in Twitter feeds. He thought she was just popular, but in fact she was a Twitter staffer. When he got into her account, which had the weak password “happiness,” he had access to the administrative control panel for Twitter, and could change anyone’s password. From there it was off the races.
A Twitter developer blogged about the incident and how Twitter hasn’t been analyzed sufficiently for security. Why? There was no internal constituency for it. Now they’ll have to hire expensive consultants to do the work.
There are lots of guides on how to choose secure passwords. Here’s one from Microsoft. A few years ago I wrote about how if you have trouble remembering strong passwords, maybe you could remember a passphrase.
You might even want to do some hacking of your own network with a dictionary to see if there are any weak passwords in there. This is an old and honorable tradition. It’s been almost 18 years since the famous Unix crack program was publicly posted.
There are lots of publicly available password-cracking tools, and many are free. Consider Cain and Abel, which has a huge variety of tools, including dictionary tools that can read outside dictionaries. Click here for a good collection of dictionaries and remember, if you can download these tools, so can anyone else.
Finally, on the subject of how to administer passwords well on Windows, this blog entry has a list of useful links, although as I test them a couple are dead. I’ve already contacted the author.
Passwords are a mess and they’re everywhere. Dictionary attacks are usually easy to set up once you identify where you want to attack. It’s your job to think like the bad guys on this and find your weaknesses.
Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.