
Security

Passwords That Should Never Be Used

The Original Yama writes "Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses. PCLinuxOnline provides an alphanumerical list of commonly used weak passwords that should never be used. If any of these passwords look hauntingly familiar and are being used, you should change the password immediately."


  • by eraserewind ( 446891 ) on Monday May 03, 2004 @08:39PM (#9046942)
    Your users shouldn't require anything more than a 4-digit PIN & a magnetic card. If it's enough to protect their money, it's surely enough to protect some stupid data.

    Any lame brained security system that depends on people choosing difficult to remember passwords and changing them every 3-6 months is broken by design.
  • by Schezar ( 249629 ) on Monday May 03, 2004 @08:44PM (#9046982) Homepage Journal
    The uni I work for (RIT [rit.edu]) is working to migrate their entire campus to a Microsoft Active Directory environment. Part of the reason for this is to give users a universal username/password for any and all university services.

    Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat (aside from the office biddies who write them on post-it notes on their CRTs), but the situation is far from secure.

    Students use their webmail (Exchange... I won't even get into that one...) and register for classes (telnet), and generally aren't careful with their passwords. I couldn't tell you how many times I've sat down at a public terminal to find someone else's account all set up for me to exploit. And since the password is universal, I can do anything I want.

    Myself, I use a different password for everything I connect to, and thus don't have to worry about being wholly compromised in an instant. Then again, I'm a geek, so I'm not exactly the norm.

    Does anyone else see this push toward universal logins/passwords as a problem?
  • by jfdawes ( 254678 ) on Monday May 03, 2004 @09:01PM (#9047144)
    > Now, they enforce basic password etiquette (minimum length, non-alpha character requirement, etc...), which helps the situation somewhat

    Er, no? Most "password etiquette" schemes are a complete crock. Generally all they do is reduce the key space and therefore make the passwords easier to brute-force.

    You must have a password of at least 6 characters? Well, there goes everything 5 characters and less - don't have to check those.

    Hmm, and while we're at it, most people are going to have a password between 6 and 9 characters, don't bother trying anything else until the second pass.

    You have to have at least one non-alpha, well - I can reduce my attack to constrain my guesses around that requirement - just reduced the number of attempts necessary by 24%.

    Any other rules you want to add to make attacking the password easier?
  • by gl4ss ( 559668 ) on Monday May 03, 2004 @09:29PM (#9047360) Homepage Journal
    It's just a stupid list made up to get some 'content' into a contentless article, f'kin waste of time really (the whole article). They could have just linked to some dictionary file used in these attacks and saved the hassle, since they can't possibly cover the passwords one shouldn't use, and since they decided to go for the default/master BIOS passwords and shit like that the whole point is lost.

  • by jfdawes ( 254678 ) on Monday May 03, 2004 @09:54PM (#9047489)
    Yup. The length being constrained to greater than some number (typically 6 or 8) characters is about the only password constraint that makes some kind of sense, but still - any reduction in keyspace means less work.

    Assuming we take the example of the guy who had the 5 byte password that takes 18 days to crack, 1.9% still saves you 8 hours. Not an unuseful amount of time.

    It's the daft "must include a non-alpha" and "must start with an alpha (or worse, a capital)" and other brain dead, crack smoking, glue sniffing password "rules" that are the real killers.
  • by Wylfing ( 144940 ) <brian&wylfing,net> on Monday May 03, 2004 @10:16PM (#9047592) Homepage Journal
    I can't count how many technologically ignorant managers I've met who, giggling and leaning in close, explain that they've thought up the cleverest password ever. It's "password"! It's so obvious no one will think of it!

  • It's useless (Score:2, Insightful) by toshka ( 776698 ) on Tuesday May 04, 2004 @04:10AM (#9049178)
    If you see some guy/gal trying to guess a password you're watching a movie. If someone has your passwd file you've already screwed up. At least that's what my experience as an ISP tech support, a network admin and a web programmer has taught me... In the real world we have security holes and yellow stickers with passwords on the monitors (no, I'm not talking about my workplace:)...
  • by Eivind ( 15695 ) <eivindorama@gmail.com> on Tuesday May 04, 2004 @07:14AM (#9049706) Homepage
    But 5-byte-and-under passwords aren't 1.9% of (say) an 8-byte password keyspace. If users use a small set of characters (64) then it's 0.00038 % of the keyspace. If they use a better (i.e. larger) set of characters, then it's even less.

    I agree that rules that restrict the keyspace *more* than they force users to increase entropy are pointless or even harmful. "Must start with a capital" is obviously in this category. "Must include some sign that is not a letter" is probably not, because, again, the rule excludes maybe 0.0005% of all passwords, but forces 10-30% of users, the ones who otherwise would choose "all alphas", to select a better password.
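    The exchange above argues over how much keyspace each composition rule removes (length minimum, "must include a non-alpha", "must start with a capital") and how that translates into cracking time saved. This added script, not part of any post, computes those fractions exactly for the parameters the thread uses: a constructed 64-symbol alphabet (52 letters plus 12 other symbols), passwords of 1 to 8 characters, and the "18 days for a 5-byte password" figure from the thread.

```python
# Constructed parameters mirroring the thread: 64-symbol alphabet of which
# 52 are letters (26 of them capitals), passwords 1..8 characters long.
ALPHABET = 64
LETTERS = 52
CAPITALS = 26
MAX_LEN = 8


def keyspace(max_len: int, alphabet: int = ALPHABET) -> int:
    """Exact number of passwords of length 1..max_len over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def fraction_short(min_len: int, max_len: int = MAX_LEN) -> float:
    """Share of the keyspace an 'at least min_len characters' rule removes:
    every password of length min_len-1 or shorter."""
    return keyspace(min_len - 1) / keyspace(max_len)


def fraction_all_alpha(max_len: int = MAX_LEN) -> float:
    """Share of the keyspace a 'must contain a non-letter' rule removes:
    every password built from letters only."""
    return keyspace(max_len, LETTERS) / keyspace(max_len)


def fraction_fixed_first(max_len: int = MAX_LEN, allowed: int = CAPITALS) -> float:
    """Share of the keyspace a 'must start with a capital' rule removes:
    only `allowed` of the ALPHABET symbols may appear in position 1."""
    kept = sum(allowed * ALPHABET ** (n - 1) for n in range(1, max_len + 1))
    total = keyspace(max_len)
    return (total - kept) / total


def hours_saved(fraction_removed: float, total_hours: float = 18 * 24) -> float:
    """Cracking time an attacker skips if `fraction_removed` of the keyspace
    need not be searched; default total is the thread's 18-day figure."""
    return fraction_removed * total_hours


if __name__ == "__main__":
    print(f"min length 6 removes   {fraction_short(6):.3e} of the keyspace")
    print(f"no all-alpha removes   {fraction_all_alpha():.3f} of the keyspace")
    print(f"capital first removes  {fraction_fixed_first():.3f} of the keyspace")
    print(f"1.9% of 18 days saves  {hours_saved(0.019):.1f} hours")
```

Note that the three rules behave very differently: the length minimum removes a negligible slice, while a fixed first character or a ban on all-letter passwords removes a large one, which is the distinction the posts above are circling around.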

  • by Anonymous Coward on Tuesday May 04, 2004 @08:37AM (#9050077)
    > I'm surprised "gandalf" is not there. Everyone knows that it's the password of every other root account in the world.

    Nah, at least make it Mithrandir or Olorin.
  • by Anonymous Coward on Tuesday May 04, 2004 @10:41AM (#9051231)
    College I used to go to has an insane set of requirements similar to that. When trying to change a password, one can expect to spend an hour just trying to figure out a legal password. The only thing that saved me when changing passwords was the system never checked to see if you are using a different password. :)

    Yes, it's wrong, but then again, a system where it's almost impossible to create a new password is wrong too.

  • by John Hasler ( 414242 ) on Tuesday May 04, 2004 @06:40PM (#9057494) Homepage
    > Your users shouldn't require anything more than a
    > 4 digit pin & a magnetic card. If it's enough to
    > protect their money...

    But it isn't.
  • by plover ( 150551 ) * on Wednesday May 05, 2004 @12:37AM (#9060382) Homepage Journal
    There are several important distinctions to be made between something you "have" vs something you "are".

    Here are some points to ponder regarding something you "are":

    • Your biometric data must be digitized before a computer system can make use of it.
    • Your biometric data is not secret.
    • Your biometric data is unchangeable.
    • Your biometric data cannot respond uniquely to every request made of it.
    • It may be difficult or impossible for the user to validate that they are being "read" by a legitimate scanner.

    And here are some points regarding something you can have - a smart card:

    • A smart card has an internal digital processor plus some data.
    • A smart card responds uniquely to every challenge made.
    • A smart card's contents cannot be casually read without sophisticated equipment.
    • A smart card can be deactivated or disposed of and replaced in the event of compromise.

    What do these points mean? Biometric information can be copied at many levels, and presented as "real" data at many points in the security perimeter. A fake fingerprint can be made for under $20 and almost no skill is required. Mallory can hold up a photo in front of an unattended camera to convince a system that Alice is at the reader. A "fake" retinal scanner could be placed in front of a "real" retinal scanner at the bank's Eye-ATM machine ('retinal skimming' just sounds evil.) Or, the thumbprint reader at the Bada Bing's cash register might actually be a thumbprint/DNA recorder manned by Tony Soprano. You, the biometric holder, have no way of validating every reader. And in every case, a compromised biometric is of negative value to the owner. If your thumbprint data is stolen, copies of it can be made forever and you can never get it back. Your own thumbprint is now a liability, not an asset.

    In contrast, a smart card does not divulge its secrets willingly. Smart cards do not require trust in the card reader nor in the merchant. The merchant issues a challenge to the card, collects the response, and ships both the challenge and response to the bank. The bank records the challenge, validates that the challenge was never authorized before, and then validates that the response matched the challenge according to the secret rules the bank placed inside the card at the time of issuance. If a card is lost, the bank marks it lost/stolen and never authorizes it again. If a duplicate challenge is made, the merchant presenting the duplicate can be immediately suspected of fraud.

    A smart card is good security, but poor authentication. But a biometric datum is poor security, and not necessarily good authentication.
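    The challenge/response flow plover describes (merchant challenges the card, forwards challenge and response to the bank, bank rejects replayed challenges and revoked cards, and never learns anything about the secret from the merchant) can be sketched end to end. This added simulation is not from the post; it assumes an HMAC-SHA256 keyed response and in-memory bank state, both constructed here for illustration.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Card with a per-card secret the bank installed at issuance.
    It never reveals the secret; it only answers challenges."""

    def __init__(self, card_id: str, secret: bytes):
        self.card_id = card_id
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Bank:
    """Issuer: knows every card's secret, remembers every challenge it
    has authorized, and refuses replays and revoked cards."""

    def __init__(self):
        self._secrets: dict[str, bytes] = {}
        self._revoked: set[str] = set()
        self._seen: set[tuple[str, bytes]] = set()  # authorized (card, challenge)

    def issue(self, card_id: str) -> SmartCard:
        secret = secrets.token_bytes(32)
        self._secrets[card_id] = secret
        return SmartCard(card_id, secret)

    def revoke(self, card_id: str) -> None:
        self._revoked.add(card_id)

    def authorize(self, card_id: str, challenge: bytes, response: bytes) -> str:
        if card_id not in self._secrets or card_id in self._revoked:
            return "denied: card unknown or revoked"
        if (card_id, challenge) in self._seen:
            return "denied: duplicate challenge, merchant suspected of fraud"
        expected = hmac.new(self._secrets[card_id], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "denied: response does not match"
        self._seen.add((card_id, challenge))
        return "approved"


class Merchant:
    """Untrusted terminal: picks a fresh challenge, forwards both values."""

    def transact(self, bank: Bank, card: SmartCard) -> tuple[bytes, str]:
        challenge = secrets.token_bytes(16)
        return challenge, bank.authorize(card.card_id, challenge, card.respond(challenge))
```

A merchant that records a transcript and submits it again is caught by the duplicate-challenge check, and a lost card is dealt with by `revoke`, which is the "deactivate and replace" property the post contrasts with biometrics.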
