Stupid User Tricks: Password Selection

Stupid User Tricks: Password Selection - "WORD1" in Security http://www.dslreports.com/forum/r18569022 en Tue, 07 Oct 2008 19:31:47 EDT Tue, 07 Oct 2008 19:31:47 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18582120 pog : I often just use old street names and dead phone numbers from my relatives' pasts.

For eg, sesame18085551212 ...long, no trouble remembering, very easy to type into a masked field. I can also write these down in part (ie, just the person's name) without risking much if someone "bad" finds the list...

My bank password is similarly structured using my grandmother's info from 1972. :)
--
My Site]]> http://www.dslreports.com/forum/remark,18582120 Thu, 28 Jun 2007 15:47:08 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18581441 Thug21 : For medium security, I come up with a long phrase that is easy to remember and then use the first letter of each word. It might not be totally random but it's better than a lot of things. ]]> http://www.dslreports.com/forum/remark,18581441 Thu, 28 Jun 2007 13:38:20 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18581231 anon :

said by NetWatchMan

said by C DM

:

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?

Let me guess...related to this story?

»blog.washingtonpost.com/securityfix/

Nicely done. This appears to be ramping up to be an interesting summer, and year. ]]> http://www.dslreports.com/forum/remark,18581231 Thu, 28 Jun 2007 13:00:46 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18580371 Portmonkey : For those who don't like to memorize long passwords, the use of a device like a fingerprint scanner could be beneficial. Create long complex passwords for each site that requires a login and enter them into the scanner. Now each site the user visits has its own strong password, and there's no longer a need to have them all memorized or written down on a piece of paper for viewing each time the user needs to login. You'd want to change the passwords every so often and have them written down and tucked away in a safe place where they won't be lost. Some if not all fingerprint scanners allow you to make a backup password in case the device fails, but this reduces the level of security. I would guess that fingerprint scanners introduce their own set of security risks, but for the average user who is dead set in creating simple passwords such as Rover1, then a fingerprint scanner is likely a step up in security.

I hope that with future improvements in such technology and price drops, we'll see an increase in these devices and practicality for the lazy password creators.
--
Eating a steady diet of government cheese and livin in a van down by the river.]]> http://www.dslreports.com/forum/remark,18580371 Thu, 28 Jun 2007 10:03:21 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18578052 Grail Knight : Searching for an answer before asking a question is the norm as many times the question has already been asked and answered.

PEBKAC: »/nsearch?q=PEBKAC&cat=

Here is one tool that will reveal passwords which I found through a search engine. There are many others if you look for them. This one is freeware and no I have not used it as the asterisks are a security measure no matter where you are inputting the password. Just because a person is inside their home does not mean that someone is not peaking over your shoulder.

AsterWin
--

Edit* Corrected last sentence.]]> http://www.dslreports.com/forum/remark,18578052 Wed, 27 Jun 2007 20:49:46 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18577820 Mele20 : I transposed the letters as quite a few folks do all the time..I don't do it often thank goodness. I do it with numbers a great deal though.

If you are into playing games instead of answering my question...obviously it is irrelevant what it is. If I had wanted to use Scroogle to figure it out, I would have done so instead of politely asking you what you meant when the correct thing would have been for you to state what you meant in the first place. I asked for a fix for the stupid xxxx that one sees when typing a password. You gave me an acronym instead of a fix. Telling folks here who ask for help to use Google ...gee, why do we have these forums then? Everyone should just use a search engine if they need help. :(
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason]]> http://www.dslreports.com/forum/remark,18577820 Wed, 27 Jun 2007 20:00:49 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18577572 AB :

said by Mele20

:

What's "PBEKAC"?

Is that what I said? I thought I said "PEBKAC".

Google is your friend (well, my friend anyway.) ;)

»en.wikipedia.org/wiki/PEBKAC]]> http://www.dslreports.com/forum/remark,18577572 Wed, 27 Jun 2007 19:07:53 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18577510 Mele20 : What's "PBEKAC"?]]> http://www.dslreports.com/forum/remark,18577510 Wed, 27 Jun 2007 18:54:25 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18576701 Lanik : A place I used to work at had Passw0rd as their admin password on all the Windows machines that was always fun and to make things more secure it also matched everyones' initial password when they joined the company. I often wondered who thought that one up. ;)
--
"If it ain't broke don't fix it."]]> http://www.dslreports.com/forum/remark,18576701 Wed, 27 Jun 2007 16:58:25 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18576486 AB :

said by Mele20

:

The problem with long passwords, and especially all those numbers, is that you can't see what you are typing. Way too easy to transpose numbers. I'd probably type that a dozen times and never get it right and some sites only allow three attempts. I only use complex passwords for banking sites and didn't do it for them until recently.

There is no reason to x out passwords on the screen if the user isn't somewhere that others look over his shoulder or take photos from a distance. I always have wondered why that is done. That should be something that a user turns on if they need it otherwise what you are typing should show up on the screen. I'm always mistyping a password, even one that is not complicated and that I have typed many times, and it irritates me that I can't tell what I am typing.

Sounds like a PEBKAC issue.]]> http://www.dslreports.com/forum/remark,18576486 Wed, 27 Jun 2007 15:48:17 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18576214 anon : Myspace has a password policy, it only specifies that you must use unmbers and letters for a password, therefore if you have an all alphabetic passwrod you'll have to add at least one number.

This is just a case of people having bad passwords but being forced to include something else on it. I'm not down playing its badness, just putting in my info.]]> http://www.dslreports.com/forum/remark,18576214 Wed, 27 Jun 2007 14:56:55 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18576178 exocet_cm :

said by Doctor Four

:

The MySpace crowd aren't really all that security savvy
to begin with.

I concur :)
--
"I have measured out my life with coffee spoons..." - T.S Eliot
Ma Blog »www.johndball.com

]]> http://www.dslreports.com/forum/remark,18576178 Wed, 27 Jun 2007 14:49:54 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18575956 av8r :

said by Drunkula

:

Actually I never heard of ROT-26 but wouldn't that be the same as not encoding it at all?

Sorry - neglected the [sarcasm] tags :)
--
If I am not for myself, Who will be for me? If I am only for myself, What am I? If not now, When? -- Hillel]]> http://www.dslreports.com/forum/remark,18575956 Wed, 27 Jun 2007 14:08:38 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18575761 Krispy :

said by ZOverLord

:

If everyone ran a bot for research, would there be any hackers?

Be careful, there are laws that say what your did was illegal, depending on where you were located, and a "Paris Hilton" defense these days, won't help much, and you did get real logons and passwords ;-)

I wouldn't worry about NetWatchMan, he knows what he's doing and what legalities are involved.
--
you can lead a horse to the water but you cannot make him drink...you can put a man through school but you cannot make him think --ben harper
]]> http://www.dslreports.com/forum/remark,18575761 Wed, 27 Jun 2007 13:34:30 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18575537 caffeinator :

said by EGeezer

:

I'm thinking about using dictionary passwords, but encrypted in ROT-26. Twice as secure as ROT-13 ...

Oh, JFYI, here's an online tool to encrypt/decrypt a piece of text according to the algorithms ROT5, ROT13, ROT18 or ROT47

»netzreport.googlepages.com/onlin···_47.html

-CaFF]]> http://www.dslreports.com/forum/remark,18575537 Wed, 27 Jun 2007 12:54:20 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18575414 Drunkula : ROT-13? ROT-26? Not very secure at all! Actually I never heard of ROT-26 but wouldn't that be the same as not encoding it at all? If there are 26 characters in the English alphabet and you 'rotate' to the character 26 ahead don't you end back right where you started from (it is a rotate and not a shift)? :huh:
--
Go away or I will replace you with a very small shell script.]]> http://www.dslreports.com/forum/remark,18575414 Wed, 27 Jun 2007 12:35:06 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18575278 ZOverLord : If everyone ran a bot for research, would there be any hackers?

Be careful, there are laws that say what your did was illegal, depending on where you were located, and a "Paris Hilton" defense these days, won't help much, and you did get real logons and passwords ;-)
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com]]> http://www.dslreports.com/forum/remark,18575278 Wed, 27 Jun 2007 12:11:37 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18575104 caffeinator :

said by angussf

:

IIWY I would get some sort of encrypted password store instead of a text file. I use a Palm device, so I use YAPS with the YAPSviewer program on my desktop that allows me to cut-and-paste from the datastore. There are other packages, including OSS ones like KeePass Password Safe
»keepass.info/ so cost shouldn't be a concern here. That way you memorize ONE long complex password (to the password database) and look up all the rest, yet if someone steals your computer / laptop / PIM device, you haven't lost anything.

Yeah, that's true..I should try that at some time.

In my situation, it's not much of a risk, as nobody else is ever here, and it's only a couple passwords. Also, they're not easily identified as such, just a couple lines amongst 100's of lines of other text.

I know what line it is, but others wouldn't. ;)

Most all of my website passwords are kept in Opera's Wand.

(yeah, I know it's only MD5 hashed and can be recovered easy enough, but the chance of anyone getting to my computer three flights up in a locked security building is slim.)

Could my system be penetrated?
Maybe, but it hasn't happened yet in 15 years.

Besides, I have no money in the bank to take, no CC's, no credit, Nada. GL with stealing my identity..it'd be of no use to anyone. The only time I ever worried was when I got my wallet stolen awhile ago...much more bothersome than worrying over computer passwords IMO.

Simply put, I don't live like "normal" folks, so a lot of those rules aren't needed for me.

Thanks for mentioning it though. :)

-CaFF
--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein

Need an Avatar? Check out Wafen's Avatar Pages]]> http://www.dslreports.com/forum/remark,18575104 Wed, 27 Jun 2007 11:39:11 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18575092 technick :

said by NetWatchMan

:

*I* was not running a phishing site...the malware, the botnet, and the miscreant were...I only allowed it to be active for a short period of time....the only reason I let it run for 12 hours was I thought it wasn't doing anything.

My goals are not "research" oriented...unfortunately, I can't elaborate on that point.

I agree that these tactics push the envelope but believe they are essential to countering cybercrime.

I couldn't agree more, the only way to be secure is to know all the possible angles of attack and how to counter them efficiently while moving forward.
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli

Streamfire.net]]> http://www.dslreports.com/forum/remark,18575092 Wed, 27 Jun 2007 11:36:30 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18575069 technick :

said by David

:

Well if I may offer this little diblet this is the best password generator I have seen and seems to work rather well.

»www.pctools.com/guides/password/

Now there is no excuse as to why the myspace croud can't create a more complex password.

I use this on the fly for my users, works well and most of them are easy enough to remember.

At one point a few years ago before I found the above website, I used a program called pwgen, I believe it was in the debian apt repos.
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli

Streamfire.net]]> http://www.dslreports.com/forum/remark,18575069 Wed, 27 Jun 2007 11:32:54 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574928 technick :

said by Doctor Four

:

The MySpace crowd aren't really all that security savvy
to begin with. So encountering this is not surprising
in the least.

Well yea, you didn't get the memo? Facebook is where the smart people hang out at...
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli

Streamfire.net]]> http://www.dslreports.com/forum/remark,18574928 Wed, 27 Jun 2007 11:08:37 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574737 angussf :

said by caffeinator

:

I have a textfile for the really long ones like banking and Paypal.

IIWY I would get some sort of encrypted password store instead of a text file. I use a Palm device, so I use YAPS with the YAPSviewer program on my desktop that allows me to cut-and-paste from the datastore. There are other packages, including OSS ones like KeePass Password Safe
»keepass.info/ so cost shouldn't be a concern here. That way you memorize ONE long complex password (to the password database) and look up all the rest, yet if someone steals your computer / laptop / PIM device, you haven't lost anything.]]> http://www.dslreports.com/forum/remark,18574737 Wed, 27 Jun 2007 10:30:22 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574645 Owlbet :

said by aaron8301

:

But it's VERY hard for a MySpace phishing bot to get the password from the yellow sticky note on the side of your monitor.

Silly move on my part but done out of convenience for another adult member of my household: I wrote the user name and password for our router on the top of the router.

I recently had DTV installed. The first thing I did after the installer left was change the password on the router and black out the information I had previously written on it.

The other adult member now carries a laminated business card in his wallet with the router information on it. ]]> http://www.dslreports.com/forum/remark,18574645 Wed, 27 Jun 2007 10:10:39 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574642 natedj : To me passwords are a headache, but it is even more so if not used. So to simplify my passwords I use a line in a song, a favorite movie line or a bible verse.
E.g.. Movie quote "My name is Bond, James Bond" = password MNIBJB. If an alpha-numeric password is required, I'll add something pertinent to the phrase ... like 007
That way you can never forget it, its not found in the dictionary and it can be really long too, if you know the lyrics to a favorite song, or whatever you choose.
--
Good judgement comes with experience...Experience comes after bad judgements]]> http://www.dslreports.com/forum/remark,18574642 Wed, 27 Jun 2007 10:09:49 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574638 Mele20 : Gee, mine are all in two different folders. One for banking and another for all other passwords. All passwords for the past more than 8 years are there...lots and lots of them. It is quite irritating to have to go look up a password every time I have login somewhere. The one for here is the only one I remember. I wish a fingerprint thingy worked with Fx...I think those still work only with IE.

I never have understood why I can't turn offthe hiding of the password I type. There is no one here to see it so why can't I turn that off? I should be able to do that. It should be turned off by default for home users seems to me.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason]]> http://www.dslreports.com/forum/remark,18574638 Wed, 27 Jun 2007 10:08:51 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574597 nwrickert :

The problem with long passwords, and especially all those numbers, is that you can't see what you are typing.

My most important passwords are, I hope, hard to guess but easy enough for me to remember. There are very few of these.

For the rest, the passwords are in an encrypted file (actually an encrypted email to myself). I can decrypt, then cut and paste, to be sure I type it in correctly. The encryption pass phrase is one of those "most important passwords."
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.4]]> http://www.dslreports.com/forum/remark,18574597 Wed, 27 Jun 2007 09:58:24 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574283 NetWatchMan :

said by C DM

:

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?

*I* was not running a phishing site...the malware, the botnet, and the miscreant were...I only allowed it to be active for a short period of time....the only reason I let it run for 12 hours was I thought it wasn't doing anything.

My goals are not "research" oriented...unfortunately, I can't elaborate on that point.

I agree that these tactics push the envelope but believe they are essential to countering cybercrime.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch]]> http://www.dslreports.com/forum/remark,18574283 Wed, 27 Jun 2007 08:29:25 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574077 caffeinator : I use "normal" length and complexity passwords on the average sites, althought I don't use anything less than 8 chars and mixedcase with numbers.

I have a textfile for the really long ones like banking and Paypal.

Those ones are mixed-case alphanumeric with symbols and over 12 chars long. (one is over 32chars)

I Copy/Paste 'em, so no worries. :)

-CaFF
--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein

Need an Avatar? Check out Wafen's Avatar Pages]]> http://www.dslreports.com/forum/remark,18574077 Wed, 27 Jun 2007 06:32:16 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18574010 RARPSL :

said by 8744675

:

Somewhere I heard that the most commonly used password is 'password', and I believe it.

There are two reasons. First it is easy to remember for those who use it. Second, and I think an even more important reason - The user is not that sophisticated/computer-literate and when the computer asks for the password (by saying "Enter Password"), the user thinks it is telling him/her to enter "PASSWORD" so they do :D.]]> http://www.dslreports.com/forum/remark,18574010 Wed, 27 Jun 2007 05:31:44 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18573998 Mele20 : The problem with long passwords, and especially all those numbers, is that you can't see what you are typing. Way too easy to transpose numbers. I'd probably type that a dozen times and never get it right and some sites only allow three attempts. I only use complex passwords for banking sites and didn't do it for them until recently.

There is no reason to x out passwords on the screen if the user isn't somewhere that others look over his shoulder or take photos from a distance. I always have wondered why that is done. That should be something that a user turns on if they need it otherwise what you are typing should show up on the screen. I'm always mistyping a password, even one that is not complicated and that I have typed many times, and it irritates me that I can't tell what I am typing.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason]]> http://www.dslreports.com/forum/remark,18573998 Wed, 27 Jun 2007 05:09:54 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18573917 AB :

said by alanhdsl

:

Those may be good passwords, but now you're inviting a yellow sticky note with "3REfrure" written on it.

The challenge is that good passwords are hard to remember, so people either pick simple ones and/or write them down. I'm not sure there's a good solution.

Actually, the only challenge is to use something that's complicated, unique, and easy to remember-- or to discover if forgotten.
Sound tough? Not so! (Provided long passwords are allowed, at any rate.)

An example: #MoM:(555)893-12743215#

This is my mother's phone number (obviously not really) followed by her street address number.
All I have to remember, besides the phone number and street address, is that I use a lower case 'o' (or upper case 'm's) at the beginning along with a colon, and surround it with 'pound' signs.
Or I could put 'MoM' at the end instead of the beginning if I wanted to.
And of course my mother's phone number & street address are things that I'm likely to have memorized anyway. As well as that they are easily recovered should I forget them.

The point is that this is a very complicated password that's also not very difficult to remember, therefore negating any need to write it down.
All of my important passwords are structured similarly, and are written down nowhere-- certainly not as passwords, at any rate.
I've always found this to be a quite workable solution.

For stuff like logging into newspaper sites, it's 123 or whatever, because who cares?

Now, getting someone to actually spend the 5 or 10 minutes it takes to come up with a decent password is an issue of it's own. ;)]]> http://www.dslreports.com/forum/remark,18573917 Wed, 27 Jun 2007 03:28:47 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18573897 aaron8301 : But it's VERY hard for a MySpace phishing bot to get the password from the yellow sticky note on the side of your monitor. Or any hacker, for that matter. All you have to worry about is the FBI raiding your house, and your evil little sister...
--
A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequilla. -- Mitch Ratcliffe]]> http://www.dslreports.com/forum/remark,18573897 Wed, 27 Jun 2007 03:10:21 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18573878 aaron8301 : You MUST be kidding... right?]]> http://www.dslreports.com/forum/remark,18573878 Wed, 27 Jun 2007 03:00:13 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18573848 alanhdsl : Those may be good passwords, but now you're inviting a yellow sticky note with "3REfrure" written on it.

The challenge is that good passwords are hard to remember, so people either pick simple ones and/or write them down. I'm not sure there's a good solution.]]> http://www.dslreports.com/forum/remark,18573848 Wed, 27 Jun 2007 02:32:04 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18573677 JRVS : Hey it ain't just MySpace. I'm a computer consultant to mid-sized businesses. You'd think adults with a business at stake would take passwords seriously.

But I actually guessed the CEO's password in one try. It was...you guessed it...the company name followed by a 1.

They have to change passwords every 90 days, and Windows is set to remember the last 10. His other passwords are CompanyName2, CompanyName3, etc., and he starts over with 1 once he gets to 10.

Similarly, before the company finally agreed to turn on the password filter in (at the time) Windows NT 4.0, his password was 9999.

He has access to the most sensitive data in the company. They are BEGGING to be hacked.]]> http://www.dslreports.com/forum/remark,18573677 Wed, 27 Jun 2007 01:13:55 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18572438 8744675 : Somewhere I heard that the most commonly used password is 'password', and I believe it.

A few years ago I accidentally accessed someone elses Verizon account on their website. I don't go there often and forgot my login info, so tried the one I normally used, and then clicked the "Forgot Your Password Link" to go through the validation steps to have them e-mail it.

The security question was "What is your favorite color?". That is about 6 possible colors to guess at for 90% of the population. I entered 'Blue" and it took me right to a screen to enter a new password. After that it took me right to the account, but when I went to check my bill it was somebody elses account! Name, address, and a place to hold credit card number for billing. I found the persons e-mail address and e-mailed the person to tell them what happened since I changed their password.

I also e-mailed Verizon with all the details and pointed out their poor security, and they never every replied.

I went back to the login screen and started trying common words for a user name to see how many I hit that used the favorite color question. Just about any word I entered was a valid user name, especially Verizon1, Verizon2 and it would only take a few guesses to access the account. ]]> http://www.dslreports.com/forum/remark,18572438 Tue, 26 Jun 2007 20:57:28 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18572188 JohnInSJ :

said by C DM

:

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?

I think he looks like a white hat to me. Know your enemy and all that.
--
My place : »www.schettino.us]]> http://www.dslreports.com/forum/remark,18572188 Tue, 26 Jun 2007 20:10:12 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18572030 C DM : So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?]]> http://www.dslreports.com/forum/remark,18572030 Tue, 26 Jun 2007 19:46:14 EDT Re:what damage http://www.dslreports.com/forum/remark,18571997 EGeezer :

said by FiL

:

Its friggin' myspace tho...

How much damage can be done through that shitty ass service? Maybe PS a few pics, steal email addy, bla bla...most of the people that logon in my experience use throw away email addys.

Child molesters would love to be able to hijack a "trusted" kid's account - at least long enough to social engineer personal information from the kid's contacts or set one or more of them up for a meeting. It takes little imagination to think of ways to use or abuse a stolen online identity, or to cause trouble for or damage the reputation of the real owner.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.
]]> http://www.dslreports.com/forum/remark,18571997 Tue, 26 Jun 2007 19:40:37 EDT My little thread hijack rant: http://www.dslreports.com/forum/remark,18571671 mr_slick : While I always try to use complex passwords for stuff that really matters, the thing that really tics me off is that there are so many sites of a financial nature (or other important stuff) that do not allow special characters or are limited to 8 characters! I have complained and even stopped doing business with these fools, but until enough joe surfers are hit where it hurts, nothing will change. Some kind of token key or bio-ident is the only way it will change...]]> http://www.dslreports.com/forum/remark,18571671 Tue, 26 Jun 2007 18:46:59 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18571623 FiL : Its friggin' myspace tho...

How much damage can be done through that shitty ass service? Maybe PS a few pics, steal email addy, bla bla...most of the people that logon in my experience use throw away email addys.]]> http://www.dslreports.com/forum/remark,18571623 Tue, 26 Jun 2007 18:38:55 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18571618 NY Tel : Personally, I prefer to use Password1, password or us3rnam3....]]> http://www.dslreports.com/forum/remark,18571618 Tue, 26 Jun 2007 18:38:12 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18571518 David : Well if I may offer this little diblet this is the best password generator I have seen and seems to work rather well.

»www.pctools.com/guides/password/

Now there is no excuse as to why the myspace croud can't create a more complex password.
--
If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this.
Koetting Ford, Granite City, illinois... YOU'RE FIRED!!
]]> http://www.dslreports.com/forum/remark,18571518 Tue, 26 Jun 2007 18:22:08 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18571508 MorpheusUK : Could it be that some of these users don't consider myspace a site worth securing? I personally operate grades of password from relatively weak but easy to remember for places where access to my account would in reality not be a significant issue (to me) to very strong for places which involve financial information. The reasoning behind this, if someone impersonates me on a forum about widgets as far as personal info goes they will get one of my spam catcher e-mails (easily disposable in case they get flooded) maybe my full name and some PM's which would be highly unlikely to contain any further info about me. and that's it everything else would be visible via my profile. OK they could make a prat of themeselves and get me banned before I spot something is up but the potential damage is low.

Now a site like myspace would qualify for a more secure password by virtue of the type of site it is and possible info it contains but I think password strength at times can be context sensitive. However i do tend to use different usernames and passwords between various sites unless there is a good reason to maintain the same persona in multiple places and even then the password changes on each.

Also if a site has insited on other info to register other than a valid e-mail address there is a high probability that all the info may not be correct further muddying the waters when trying to use it for anything else.
--
Just because you're paranoid, it doesn't mean they are not after you]]> http://www.dslreports.com/forum/remark,18571508 Tue, 26 Jun 2007 18:20:01 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18570832 av8r : While ROT-26 is certainly twice as secure as ROT-13, I have found that encoding once, and then encoding the encoded password is more effective. Double ROT-13 should be used as a minimum. I will admit, I have not yet tried Double ROT-26.
--
If I am not for myself, Who will be for me? If I am only for myself, What am I? If not now, When? -- Hillel]]> http://www.dslreports.com/forum/remark,18570832 Tue, 26 Jun 2007 16:11:17 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18570723 EGeezer : I'm thinking about using dictionary passwords, but encrypted in ROT-26. Twice as secure as ROT-13 ... ]]> http://www.dslreports.com/forum/remark,18570723 Tue, 26 Jun 2007 15:51:13 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18570521 Kilroy : This normally is cuased by web sites that require you to meet their "secure" password qualities. Sites need to suggest good security, but not force users to fit their passwords into their molds.
--
How hard does DRM have to bite before business abandon it?]]> http://www.dslreports.com/forum/remark,18570521 Tue, 26 Jun 2007 15:15:44 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18570099 astirusty :

said by NetWatchMan

:

Use dictionary words with a numeric suffix (preferable a "1")!

(Shakes head in disgust)

Not much of a surprise. We used to run a password cracking program on the Unix platforms back in the mid 1990s to detect poorly chosen user passwords. The program had its own database of commonly used passwords, along with its own instruction set (rules for creating passwords) to create the test passwords with.

For example one of the rules was to switch letters like "i" to "1" (numeric one) in the passwords of the database and possible passwords created from the user's account information. This first time it was run, a lot of passwords were broken. The commonly broken passwords were part of the users name or UID followed by the digits 1-12 (month of the year). Things got better after user education was tied to manager / job reviews. :D
--
Do yourself a favor, just say no to anything Windows.]]> http://www.dslreports.com/forum/remark,18570099 Tue, 26 Jun 2007 14:03:57 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18569137 mozerd :

said by NetWatchMan

:

Hey I know we have a global security problem, but this brings my impression of just how bad it is to an even lower low.

And WHY would that be a surprise ... in actual fact its a lot worse than anyone person actually believes especially in a western society where mostly everything is taken for granted due to inherent laziness and sublime ignorance.
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business]]> http://www.dslreports.com/forum/remark,18569137 Tue, 26 Jun 2007 11:11:45 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18569119 Doctor Four : The MySpace crowd aren't really all that security savvy
to begin with. So encountering this is not surprising
in the least. ]]> http://www.dslreports.com/forum/remark,18569119 Tue, 26 Jun 2007 11:09:36 EDT Re: Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18569117 JohnInSJ : It's bad. Especially with 'leet haxxor tools' downloadable to any 10 year old in Poland (so it seems, based on my logs anyway) everyone is jumping in on the hacking craze.

I've set up a few nice honeypots on my server and am merrily collecting IP addresses for these zombies and blocking them at the firewall automatically - I was adding about 10 IPs/sec at first, it's trailed down a bit now. Looks like I'da saved a lot of time by just IP banning most of eastern eruope, russia, china, africa, and apparently one town in Japan.

Dealing with the dumb dictionary attack on ssh is really simple. You don't allow logins, just preshared keys.

Personally, I'm sick of it. I can't even imagine the crap BBR has to filter out.

The Internet is Broken. I fear the cure as much as the disease, but it's sad that yet another good human creation turns into the same old crap.
--
My place : »www.schettino.us]]> http://www.dslreports.com/forum/remark,18569117 Tue, 26 Jun 2007 11:08:52 EDT Stupid User Tricks: Password Selection - "WORD1" http://www.dslreports.com/forum/remark,18569022 NetWatchMan : For about the last 12 hours I operated one node of a mySpace phishing botnet (serving up a fake login page). Each and every hour between 5 and 10 mySpace users surfed to my page (there were nearly 200 other systems in this botnet serving the same page!) and giving up their login credentials.

I initially thought the usernames/passwords that were being submitted were bogus as they all following an extremely similar pattern:

(ACTUAL passwords used):
sunshine1
baggy1
doctor1
etc...

Psloss then pointed me at the Washington Post article on work done by Bruce Scneier who had access to a slightly larger pool of passwords used for mySpace accounts:

»www.schneier.com/blog/archives/2···ure.html

Somehow, users have translated the password choosing best practices of:

* Don't just use dictionary words
* Use numerics

To:

Use dictionary words with a numeric suffix (preferable a "1")!

(Shakes head in disgust)

I found the stat by the password recovery company that they are able to recover the user's password in 100,000 guesses 25% of the time...simply by using 1000 dictionary words and 100 common suffixes.

I know that malware that does SSH and term service brute force attacks can easily to 25 login attempts/second...at that rate they could break into 25% of servers exposing these services (many do!) in less than 1 hour.

Let's hope that the folks choosing SSH and Windows Administrator passwords do a slightly better job than the pool of users using that password recovery company.

Hey I know we have a global security problem, but this brings my impression of just how bad it is to an even lower low.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch]]> http://www.dslreports.com/forum/remark,18569022 Tue, 26 Jun 2007 10:51:06 EDT