dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
11999
share rss forum feed


NetWatchMan
Premium
join:2001-03-13
Alpharetta, GA

Stupid User Tricks: Password Selection - "WORD1"

For about the last 12 hours I operated one node of a mySpace phishing botnet (serving up a fake login page). Each and every hour between 5 and 10 mySpace users surfed to my page (there were nearly 200 other systems in this botnet serving the same page!) and giving up their login credentials.

I initially thought the usernames/passwords that were being submitted were bogus as they all following an extremely similar pattern:

(ACTUAL passwords used):
sunshine1
baggy1
doctor1
etc...

Psloss then pointed me at the Washington Post article on work done by Bruce Scneier who had access to a slightly larger pool of passwords used for mySpace accounts:

»www.schneier.com/blog/archives/2···ure.html

Somehow, users have translated the password choosing best practices of:

* Don't just use dictionary words
* Use numerics

To:

Use dictionary words with a numeric suffix (preferable a "1")!

(Shakes head in disgust)

I found the stat by the password recovery company that they are able to recover the user's password in 100,000 guesses 25% of the time...simply by using 1000 dictionary words and 100 common suffixes.

I know that malware that does SSH and term service brute force attacks can easily to 25 login attempts/second...at that rate they could break into 25% of servers exposing these services (many do!) in less than 1 hour.

Let's hope that the folks choosing SSH and Windows Administrator passwords do a slightly better job than the pool of users using that password recovery company.

Hey I know we have a global security problem, but this brings my impression of just how bad it is to an even lower low.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

1 recommendation

It's bad. Especially with 'leet haxxor tools' downloadable to any 10 year old in Poland (so it seems, based on my logs anyway) everyone is jumping in on the hacking craze.

I've set up a few nice honeypots on my server and am merrily collecting IP addresses for these zombies and blocking them at the firewall automatically - I was adding about 10 IPs/sec at first, it's trailed down a bit now. Looks like I'da saved a lot of time by just IP banning most of eastern eruope, russia, china, africa, and apparently one town in Japan.

Dealing with the dumb dictionary attack on ssh is really simple. You don't allow logins, just preshared keys.

Personally, I'm sick of it. I can't even imagine the crap BBR has to filter out.

The Internet is Broken. I fear the cure as much as the disease, but it's sad that yet another good human creation turns into the same old crap.
--
My place : »www.schettino.us



Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to NetWatchMan

The MySpace crowd aren't really all that security savvy
to begin with. So encountering this is not surprising
in the least.



mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON
reply to NetWatchMan

said by NetWatchMan:

Hey I know we have a global security problem, but this brings my impression of just how bad it is to an even lower low.
And WHY would that be a surprise ... in actual fact its a lot worse than anyone person actually believes especially in a western society where mostly everything is taken for granted due to inherent laziness and sublime ignorance.
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business

astirusty
Premium
join:2000-12-23
Henderson, NV
reply to NetWatchMan

said by NetWatchMan:

Use dictionary words with a numeric suffix (preferable a "1")!

(Shakes head in disgust)
Not much of a surprise. We used to run a password cracking program on the Unix platforms back in the mid 1990s to detect poorly chosen user passwords. The program had its own database of commonly used passwords, along with its own instruction set (rules for creating passwords) to create the test passwords with.

For example one of the rules was to switch letters like "i" to "1" (numeric one) in the passwords of the database and possible passwords created from the user's account information. This first time it was run, a lot of passwords were broken. The commonly broken passwords were part of the users name or UID followed by the digits 1-12 (month of the year). Things got better after user education was tied to manager / job reviews.
--
Do yourself a favor, just say no to anything Windows.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to NetWatchMan

This normally is cuased by web sites that require you to meet their "secure" password qualities. Sites need to suggest good security, but not force users to fit their passwords into their molds.
--
How hard does DRM have to bite before business abandon it?



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
reply to NetWatchMan

I'm thinking about using dictionary passwords, but encrypted in ROT-26. Twice as secure as ROT-13 ...



av8r7
I'd Rather Be Flying
Premium
join:2002-06-14
Boca Raton, FL

1 recommendation

While ROT-26 is certainly twice as secure as ROT-13, I have found that encoding once, and then encoding the encoded password is more effective. Double ROT-13 should be used as a minimum. I will admit, I have not yet tried Double ROT-26.
--
If I am not for myself, Who will be for me? If I am only for myself, What am I? If not now, When? -- Hillel


MorpheusUK

join:2003-09-09
reply to NetWatchMan

Could it be that some of these users don't consider myspace a site worth securing? I personally operate grades of password from relatively weak but easy to remember for places where access to my account would in reality not be a significant issue (to me) to very strong for places which involve financial information. The reasoning behind this, if someone impersonates me on a forum about widgets as far as personal info goes they will get one of my spam catcher e-mails (easily disposable in case they get flooded) maybe my full name and some PM's which would be highly unlikely to contain any further info about me. and that's it everything else would be visible via my profile. OK they could make a prat of themeselves and get me banned before I spot something is up but the potential damage is low.

Now a site like myspace would qualify for a more secure password by virtue of the type of site it is and possible info it contains but I think password strength at times can be context sensitive. However i do tend to use different usernames and passwords between various sites unless there is a good reason to maintain the same persona in multiple places and even then the password changes on each.

Also if a site has insited on other info to register other than a valid e-mail address there is a high probability that all the info may not be correct further muddying the waters when trying to use it for anything else.
--
Just because you're paranoid, it doesn't mean they are not after you



David
I start new work on
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:101
Reviews:
·DIRECTV
·AT&T Midwest
·magicjack.com
·Google Voice
reply to av8r7

Well if I may offer this little diblet this is the best password generator I have seen and seems to work rather well.

»www.pctools.com/guides/password/

Now there is no excuse as to why the myspace croud can't create a more complex password.
--
If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this.
Koetting Ford, Granite City, illinois... YOU'RE FIRED!!



NY Tel
Premium
join:2004-04-09
Smithtown, NY
kudos:3
reply to Kilroy

Personally, I prefer to use Password1, password or us3rnam3....



FiL
Premium
join:2005-08-16
Silver Spring, MD
reply to NetWatchMan

Its friggin' myspace tho...

How much damage can be done through that shitty ass service? Maybe PS a few pics, steal email addy, bla bla...most of the people that logon in my experience use throw away email addys.



mr_slick

join:2003-05-22
Lynnwood, WA

1 recommendation

reply to NetWatchMan

My little thread hijack rant:

While I always try to use complex passwords for stuff that really matters, the thing that really tics me off is that there are so many sites of a financial nature (or other important stuff) that do not allow special characters or are limited to 8 characters! I have complained and even stopped doing business with these fools, but until enough joe surfers are hit where it hurts, nothing will change. Some kind of token key or bio-ident is the only way it will change...



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

1 edit

1 recommendation

reply to FiL

Re:what damage

said by FiL:

Its friggin' myspace tho...

How much damage can be done through that shitty ass service? Maybe PS a few pics, steal email addy, bla bla...most of the people that logon in my experience use throw away email addys.
Child molesters would love to be able to hijack a "trusted" kid's account - at least long enough to social engineer personal information from the kid's contacts or set one or more of them up for a meeting. It takes little imagination to think of ways to use or abuse a stolen online identity, or to cause trouble for or damage the reputation of the real owner.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.

C DM

join:2002-12-31

1 edit

1 recommendation

reply to NetWatchMan

Re: Stupid User Tricks: Password Selection - "WORD1"

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by C DM:

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?
I think he looks like a white hat to me. Know your enemy and all that.
--
My place : »www.schettino.us

8744675

join:2000-10-10
Decatur, GA
reply to NetWatchMan

Somewhere I heard that the most commonly used password is 'password', and I believe it.

A few years ago I accidentally accessed someone elses Verizon account on their website. I don't go there often and forgot my login info, so tried the one I normally used, and then clicked the "Forgot Your Password Link" to go through the validation steps to have them e-mail it.

The security question was "What is your favorite color?". That is about 6 possible colors to guess at for 90% of the population. I entered 'Blue" and it took me right to a screen to enter a new password. After that it took me right to the account, but when I went to check my bill it was somebody elses account! Name, address, and a place to hold credit card number for billing. I found the persons e-mail address and e-mailed the person to tell them what happened since I changed their password.

I also e-mailed Verizon with all the details and pointed out their poor security, and they never every replied.

I went back to the login screen and started trying common words for a user name to see how many I hit that used the favorite color question. Just about any word I entered was a valid user name, especially Verizon1, Verizon2 and it would only take a few guesses to access the account.


JRVS

join:2001-06-01
Houston, TX
reply to NetWatchMan

Hey it ain't just MySpace. I'm a computer consultant to mid-sized businesses. You'd think adults with a business at stake would take passwords seriously.

But I actually guessed the CEO's password in one try. It was...you guessed it...the company name followed by a 1.

They have to change passwords every 90 days, and Windows is set to remember the last 10. His other passwords are CompanyName2, CompanyName3, etc., and he starts over with 1 once he gets to 10.

Similarly, before the company finally agreed to turn on the password filter in (at the time) Windows NT 4.0, his password was 9999.

He has access to the most sensitive data in the company. They are BEGGING to be hacked.



alanhdsl
Premium
join:1999-10-09
Phoenix, AZ
reply to David

Those may be good passwords, but now you're inviting a yellow sticky note with "3REfrure" written on it.

The challenge is that good passwords are hard to remember, so people either pick simple ones and/or write them down. I'm not sure there's a good solution.



PolarBear03
The bear formerly known as aaron8301
Premium
join:2005-01-03
reply to NY Tel

You MUST be kidding... right?



PolarBear03
The bear formerly known as aaron8301
Premium
join:2005-01-03
reply to alanhdsl

But it's VERY hard for a MySpace phishing bot to get the password from the yellow sticky note on the side of your monitor. Or any hacker, for that matter. All you have to worry about is the FBI raiding your house, and your evil little sister...
--
A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequilla. -- Mitch Ratcliffe



AB
Premium
join:2006-04-04
Leesburg, VA
kudos:3

1 edit
reply to alanhdsl

said by alanhdsl:

Those may be good passwords, but now you're inviting a yellow sticky note with "3REfrure" written on it.

The challenge is that good passwords are hard to remember, so people either pick simple ones and/or write them down. I'm not sure there's a good solution.
Actually, the only challenge is to use something that's complicated, unique, and easy to remember-- or to discover if forgotten.
Sound tough? Not so! (Provided long passwords are allowed, at any rate.)

An example: #MoM:(555)893-12743215#

This is my mother's phone number (obviously not really) followed by her street address number.
All I have to remember, besides the phone number and street address, is that I use a lower case 'o' (or upper case 'm's) at the beginning along with a colon, and surround it with 'pound' signs.
Or I could put 'MoM' at the end instead of the beginning if I wanted to.
And of course my mother's phone number & street address are things that I'm likely to have memorized anyway. As well as that they are easily recovered should I forget them.

The point is that this is a very complicated password that's also not very difficult to remember, therefore negating any need to write it down.
All of my important passwords are structured similarly, and are written down nowhere-- certainly not as passwords, at any rate.
I've always found this to be a quite workable solution.

For stuff like logging into newspaper sites, it's 123 or whatever, because who cares?

Now, getting someone to actually spend the 5 or 10 minutes it takes to come up with a decent password is an issue of it's own.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

The problem with long passwords, and especially all those numbers, is that you can't see what you are typing. Way too easy to transpose numbers. I'd probably type that a dozen times and never get it right and some sites only allow three attempts. I only use complex passwords for banking sites and didn't do it for them until recently.

There is no reason to x out passwords on the screen if the user isn't somewhere that others look over his shoulder or take photos from a distance. I always have wondered why that is done. That should be something that a user turns on if they need it otherwise what you are typing should show up on the screen. I'm always mistyping a password, even one that is not complicated and that I have typed many times, and it irritates me that I can't tell what I am typing.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason



RARPSL

join:1999-12-08
Suffern, NY
reply to 8744675

said by 8744675:

Somewhere I heard that the most commonly used password is 'password', and I believe it.
There are two reasons. First it is easy to remember for those who use it. Second, and I think an even more important reason - The user is not that sophisticated/computer-literate and when the computer asks for the password (by saying "Enter Password"), the user thinks it is telling him/her to enter "PASSWORD" so they do .


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4
reply to Mele20

I use "normal" length and complexity passwords on the average sites, althought I don't use anything less than 8 chars and mixedcase with numbers.

I have a textfile for the really long ones like banking and Paypal.

Those ones are mixed-case alphanumeric with symbols and over 12 chars long. (one is over 32chars)

I Copy/Paste 'em, so no worries.

-CaFF
--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein

Need an Avatar? Check out Wafen's Avatar Pages



NetWatchMan
Premium
join:2001-03-13
Alpharetta, GA
reply to C DM

said by C DM:

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?
*I* was not running a phishing site...the malware, the botnet, and the miscreant were...I only allowed it to be active for a short period of time....the only reason I let it run for 12 hours was I thought it wasn't doing anything.

My goals are not "research" oriented...unfortunately, I can't elaborate on that point.

I agree that these tactics push the envelope but believe they are essential to countering cybercrime.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to Mele20

The problem with long passwords, and especially all those numbers, is that you can't see what you are typing.
My most important passwords are, I hope, hard to guess but easy enough for me to remember. There are very few of these.

For the rest, the passwords are in an encrypted file (actually an encrypted email to myself). I can decrypt, then cut and paste, to be sure I type it in correctly. The encryption pass phrase is one of those "most important passwords."
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.4

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Gee, mine are all in two different folders. One for banking and another for all other passwords. All passwords for the past more than 8 years are there...lots and lots of them. It is quite irritating to have to go look up a password every time I have login somewhere. The one for here is the only one I remember. I wish a fingerprint thingy worked with Fx...I think those still work only with IE.

I never have understood why I can't turn offthe hiding of the password I type. There is no one here to see it so why can't I turn that off? I should be able to do that. It should be turned off by default for home users seems to me.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason



natedj
Elected
Premium
join:2001-06-06
Columbia, SC

2 edits
reply to NetWatchMan

To me passwords are a headache, but it is even more so if not used. So to simplify my passwords I use a line in a song, a favorite movie line or a bible verse.
E.g.. Movie quote "My name is Bond, James Bond" = password MNIBJB. If an alpha-numeric password is required, I'll add something pertinent to the phrase ... like 007
That way you can never forget it, its not found in the dictionary and it can be really long too, if you know the lyrics to a favorite song, or whatever you choose.
--
Good judgement comes with experience...Experience comes after bad judgements



Owlbet
Ignite the Ice
Premium,MVM
join:2002-09-24
Palmer, AK
reply to PolarBear03

said by PolarBear03:

But it's VERY hard for a MySpace phishing bot to get the password from the yellow sticky note on the side of your monitor.
Silly move on my part but done out of convenience for another adult member of my household: I wrote the user name and password for our router on the top of the router.

I recently had DTV installed. The first thing I did after the installer left was change the password on the router and black out the information I had previously written on it.

The other adult member now carries a laminated business card in his wallet with the router information on it.