
NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

Stupid User Tricks: Password Selection - "WORD1"

For about the last 12 hours I operated one node of a mySpace phishing botnet (serving up a fake login page). Each and every hour between 5 and 10 mySpace users surfed to my page (there were nearly 200 other systems in this botnet serving the same page!) and gave up their login credentials.

I initially thought the usernames/passwords that were being submitted were bogus, as they all followed an extremely similar pattern:

(ACTUAL passwords used):
sunshine1
baggy1
doctor1
etc...

Psloss then pointed me at the Washington Post article on work done by Bruce Schneier, who had access to a slightly larger pool of passwords used for mySpace accounts:

»www.schneier.com/blog/archives/2···ure.html

Somehow, users have translated the password choosing best practices of:

* Don't just use dictionary words
* Use numerics

To:

Use dictionary words with a numeric suffix (preferably a "1")!

(Shakes head in disgust)

I found the stat by the password recovery company that they are able to recover the user's password in 100,000 guesses 25% of the time...simply by using 1000 dictionary words and 100 common suffixes.

I know that malware that does SSH and term service brute force attacks can easily do 25 login attempts/second...at that rate they could break into 25% of servers exposing these services (many do!) in less than 1 hour.

Let's hope that the folks choosing SSH and Windows Administrator passwords do a slightly better job than the pool of users using that password recovery company.

Hey I know we have a global security problem, but this brings my impression of just how bad it is to an even lower low.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


JohnInSJ
Premium
join:2003-09-22
San Jose, CA

It's bad. Especially with 'leet haxxor tools' downloadable to any 10 year old in Poland (so it seems, based on my logs anyway) everyone is jumping in on the hacking craze.

I've set up a few nice honeypots on my server and am merrily collecting IP addresses for these zombies and blocking them at the firewall automatically - I was adding about 10 IPs/sec at first, it's trailed down a bit now. Looks like I'd have saved a lot of time by just IP banning most of eastern Europe, Russia, China, Africa, and apparently one town in Japan.

Dealing with the dumb dictionary attack on ssh is really simple. You don't allow logins, just preshared keys.

Personally, I'm sick of it. I can't even imagine the crap BBR has to filter out.

The Internet is Broken. I fear the cure as much as the disease, but it's sad that yet another good human creation turns into the same old crap.
--
My place : »www.schettino.us



Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

reply to NetWatchMan
The MySpace crowd aren't really all that security savvy to begin with. So encountering this is not surprising in the least.



mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON

reply to NetWatchMan

said by NetWatchMan:

Hey I know we have a global security problem, but this brings my impression of just how bad it is to an even lower low.
And WHY would that be a surprise ... in actual fact it's a lot worse than any one person actually believes, especially in a western society where mostly everything is taken for granted due to inherent laziness and sublime ignorance.
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business

astirusty
Premium
join:2000-12-23
Henderson, NV

reply to NetWatchMan

said by NetWatchMan:

Use dictionary words with a numeric suffix (preferable a "1")!

(Shakes head in disgust)
Not much of a surprise. We used to run a password cracking program on the Unix platforms back in the mid 1990s to detect poorly chosen user passwords. The program had its own database of commonly used passwords, along with its own instruction set (rules for creating passwords) to create the test passwords with.

For example, one of the rules was to switch letters like "i" to "1" (numeric one) in the passwords of the database and possible passwords created from the user's account information. The first time it was run, a lot of passwords were broken. The commonly broken passwords were part of the user's name or UID followed by the digits 1-12 (month of the year). Things got better after user education was tied to manager / job reviews.
--
Do yourself a favor, just say no to anything Windows.
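A weak-password audit check of the kind astirusty describes, which also catches the "WORD1" and "CompanyName1" patterns from the opening post and JRVS's reply. This is an added example, not code from any poster; the wordlist, the account record and the substitution rules are constructed for illustration, and a real audit would load a full dictionary and run against hashes during a policy check rather than against stored cleartext.

```python
import re

# Constructed mini-dictionary; a real audit would load a full wordlist.
WORDLIST = {"sunshine", "baggy", "doctor", "password", "username", "welcome", "summer"}

# Reverse common letter->digit swaps (the thread's "i" -> "1" rule, extended).
UNLEET = str.maketrans("13450@$7", "ieasoast")

# Split a password into a stem and an optional short numeric/punctuation suffix.
SUFFIX_RE = re.compile(r"^(?P<stem>.*?)(?P<suffix>\d{0,4}[!.]?)$")


def account_tokens(username, full_name="", context=()):
    """Tokens derivable from the account itself: login name, each part of the
    real name, and any site/company names passed as context (constructed rule)."""
    tokens = {username.lower()}
    tokens.update(part.lower() for part in full_name.split())
    tokens.update(c.lower() for c in context)
    return {t for t in tokens if len(t) >= 3}


def weak_reason(password, username, full_name="", context=()):
    """Return a short reason the password is weak under these rules, or None."""
    pw = password.lower()
    if pw.isdigit():
        return "digits only"
    m = SUFFIX_RE.match(pw)
    stem, suffix = m.group("stem"), m.group("suffix")
    tokens = WORDLIST | account_tokens(username, full_name, context)
    # Try the stem with its suffix stripped, then the whole password.
    for candidate, sfx in ((stem, suffix), (pw, "")):
        if candidate in tokens:
            kind = "dictionary word" if candidate in WORDLIST else "account-derived token"
        elif candidate.translate(UNLEET) in tokens:
            kind = "leetspeak of a known word"
        else:
            continue
        digits = sfx.rstrip("!.")
        if digits.isdigit() and 1 <= int(digits) <= 12:
            return f"{kind} + month-like suffix {sfx!r}"
        return f"{kind} + suffix {sfx!r}" if sfx else kind
    return None


if __name__ == "__main__":
    for pw in ("sunshine1", "Password1", "us3rnam3", "doct0r!", "9999", "c4rV!n-Tr0ut_88"):
        print(f"{pw:16} -> {weak_reason(pw, 'jsmith', 'John Smith', ('AcmeCorp',))}")
```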


Kilroy
Premium,MVM
join:2002-11-21
Ann Arbor, MI

reply to NetWatchMan
This normally is caused by web sites that require you to meet their "secure" password qualities. Sites need to suggest good security, but not force users to fit their passwords into their molds.
--
How hard does DRM have to bite before business abandon it?



EGeezer
Go Cats
Premium
join:2002-08-04
Midwest
kudos:8

reply to NetWatchMan
I'm thinking about using dictionary passwords, but encrypted in ROT-26. Twice as secure as ROT-13 ...



av8r7
I'd Rather Be Flying
Premium
join:2002-06-14
Boca Raton, FL

While ROT-26 is certainly twice as secure as ROT-13, I have found that encoding once, and then encoding the encoded password is more effective. Double ROT-13 should be used as a minimum. I will admit, I have not yet tried Double ROT-26.
--
If I am not for myself, Who will be for me? If I am only for myself, What am I? If not now, When? -- Hillel


MorpheusUK

join:2003-09-09

reply to NetWatchMan
Could it be that some of these users don't consider myspace a site worth securing? I personally operate grades of password, from relatively weak but easy to remember for places where access to my account would in reality not be a significant issue (to me) to very strong for places which involve financial information. The reasoning behind this: if someone impersonates me on a forum about widgets, as far as personal info goes they will get one of my spam catcher e-mails (easily disposable in case they get flooded), maybe my full name and some PMs which would be highly unlikely to contain any further info about me, and that's it; everything else would be visible via my profile. OK, they could make a prat of themselves and get me banned before I spot something is up, but the potential damage is low.

Now a site like myspace would qualify for a more secure password by virtue of the type of site it is and the possible info it contains, but I think password strength at times can be context sensitive. However, I do tend to use different usernames and passwords between various sites unless there is a good reason to maintain the same persona in multiple places, and even then the password changes on each.

Also, if a site has insisted on other info to register other than a valid e-mail address, there is a high probability that all the info may not be correct, further muddying the waters when trying to use it for anything else.
--
Just because you're paranoid, it doesn't mean they are not after you



David
Now accepting new patients
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:78

reply to av8r7
Well, if I may offer this little tidbit, this is the best password generator I have seen and seems to work rather well.

»www.pctools.com/guides/password/

Now there is no excuse as to why the myspace crowd can't create a more complex password.
--
If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this.
Koetting Ford, Granite City, illinois... YOU'RE FIRED!!



NY Tel
Premium
join:2004-04-09
Smithtown, NY
kudos:3

reply to Kilroy
Personally, I prefer to use Password1, password or us3rnam3....



FiL
Premium
join:2005-08-16
Silver Spring, MD

reply to NetWatchMan
It's friggin' myspace tho...

How much damage can be done through that shitty ass service? Maybe PS a few pics, steal email addy, bla bla...most of the people that log on in my experience use throw away email addys.



mr_slick

join:2003-05-22
Lynnwood, WA

reply to NetWatchMan

My little thread hijack rant:

While I always try to use complex passwords for stuff that really matters, the thing that really ticks me off is that there are so many sites of a financial nature (or other important stuff) that do not allow special characters or are limited to 8 characters! I have complained and even stopped doing business with these fools, but until enough joe surfers are hit where it hurts, nothing will change. Some kind of token key or bio-ident is the only way it will change...


EGeezer
Go Cats
Premium
join:2002-08-04
Midwest
kudos:8


reply to FiL

Re:what damage

said by FiL:

It's friggin' myspace tho...

How much damage can be done through that shitty ass service? Maybe PS a few pics, steal email addy, bla bla...most of the people that log on in my experience use throw away email addys.
Child molesters would love to be able to hijack a "trusted" kid's account - at least long enough to social engineer personal information from the kid's contacts or set one or more of them up for a meeting. It takes little imagination to think of ways to use or abuse a stolen online identity, or to cause trouble for or damage the reputation of the real owner.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.

C DM

join:2002-12-31


reply to NetWatchMan

Re: Stupid User Tricks: Password Selection - "WORD1"

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?


JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by C DM:

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?
I think he looks like a white hat to me. Know your enemy and all that.
--
My place : »www.schettino.us

8744675

join:2000-10-10
Decatur, GA

reply to NetWatchMan
Somewhere I heard that the most commonly used password is 'password', and I believe it.

A few years ago I accidentally accessed someone else's Verizon account on their website. I don't go there often and forgot my login info, so I tried the one I normally used, and then clicked the "Forgot Your Password" link to go through the validation steps to have them e-mail it.

The security question was "What is your favorite color?". That is about 6 possible colors to guess at for 90% of the population. I entered 'Blue' and it took me right to a screen to enter a new password. After that it took me right to the account, but when I went to check my bill it was somebody else's account! Name, address, and a place to hold a credit card number for billing. I found the person's e-mail address and e-mailed the person to tell them what happened, since I had changed their password.

I also e-mailed Verizon with all the details and pointed out their poor security, and they never ever replied.

I went back to the login screen and started trying common words for a user name to see how many I hit that used the favorite color question. Just about any word I entered was a valid user name, especially Verizon1, Verizon2 and it would only take a few guesses to access the account.


JRVS

join:2001-06-01
Houston, TX

reply to NetWatchMan
Hey it ain't just MySpace. I'm a computer consultant to mid-sized businesses. You'd think adults with a business at stake would take passwords seriously.

But I actually guessed the CEO's password in one try. It was...you guessed it...the company name followed by a 1.

They have to change passwords every 90 days, and Windows is set to remember the last 10. His other passwords are CompanyName2, CompanyName3, etc., and he starts over with 1 once he gets to 10.

Similarly, before the company finally agreed to turn on the password filter in (at the time) Windows NT 4.0, his password was 9999.

He has access to the most sensitive data in the company. They are BEGGING to be hacked.



alanhdsl
Premium
join:1999-10-09
Phoenix, AZ

reply to David
Those may be good passwords, but now you're inviting a yellow sticky note with "3REfrure" written on it.

The challenge is that good passwords are hard to remember, so people either pick simple ones and/or write them down. I'm not sure there's a good solution.



PolarBear03
The bear formerly known as aaron8301
Premium
join:2005-01-03

reply to NY Tel
You MUST be kidding... right?


over 13.5 years online © 1999-2013 dslreports.com.