Thursday, October 21, 2010

HAHAHAHAHA

Via email from #1 Son.  The Security Snark is stong in him.

(sniff) I'm so proud.

And yes, that's exactly how it works.  It reminds me of the time (prolly back in '94 for all you young whippersnappers) when we were doing a security test.  One of the Unix servers we were testing showed as having "World readable filesystem".

"Hmmm," said I, "what file would be a good one to read?"  Presto - down came the password file, which we ran through crack.  Crack was the shiznit dictionary password cracker* back then, and it cracked something like 200 accounts on the system (most of which had never been set to anything other than the default).  The IT guy with me almost had a heart attack.

Good times, good times.

Original image here.

* Yes that's a technical term.  It basically ran the dictionary through the password encryption routine, and then did uber-fast lookups against the actual encrypted password entries.  Anyone who used a word as their password was pwned.  If you have a word (that's in a dictionary) as your password, go change it now.  Because you're probably pwned**.

** No, I'm not joking.  And "1337" is a really, really bad password.  Just sayin' ...

10 comments:

  1. And "leet" substitutions for letters in regular words aren't any good either.

    Neither is deafbeef. Or 11111111.

    Srsly.

    ReplyDelete
  2. asdf is particularly bad, as is qwerty.

    Duh.

    ReplyDelete
  3. Remember SATAN? I was working as a contractor for a well-known medical equipment mfr, and the IT manager spent a lot of time bragging about how undefeatable his security was.

    Out came SATAN. Broke *HIS* account in the first pass.

    Brought the password list to him, told him that it was "a good thing I'm a friend", and suggested he put a secure password policy in place immediately. He got VERY angry and made some threatening statements until I offered to give the same information to the division VP.

    My observation here: security methods are only as good as the IT manager who decides to implement them.

    ReplyDelete
  4. Why would anyone use 1337?

    ReplyDelete
  5. Buck, I'm assuming you're making a joke.

    For new readers, I'll point out "leetspak", where online users substitute numbers for lettere, i.i. l=1, 3=e, 7=t.

    If you're new to the game, don't do this.

    ReplyDelete
  6. Taping the password and id to the bottom of the keyboard is always a good security measure.

    ReplyDelete
  7. Yes, using "Borepatch" as my PW is bad. But I use "~B0r3Pa7ch_borE6@TcH!" Easy to remember.

    Dammit!

    Well, I did. BRB

    ReplyDelete
  8. But look at that PW! 4 numerals, 4 CAPITALS, 4 special characters, 8 lower case and I just typed your dictionary name twice.

    ReplyDelete
  9. There's a nifty little program for linux called apg, spits out random passswords, you can set it for as few or as many characters as you desire. Impossible to remember, something like hiajTojEjlej`, I have to write down all my passwords to various sites in a master file in case something happens to my browser and it loses the saved passwords.

    ReplyDelete
  10. I was expecting Gandalf to rattle off a list like this: Adanedhel, Adorn, Adrahil, Aduial, Adûnaic, etc.

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.